Add UIPI support for sandbox alternate desktop

sandbox/win/src/sandbox_policy_base.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/sandbox_policy_base.h"
 
+#include <sddl.h>
+
 #include "base/basictypes.h"
 #include "base/callback.h"
 #include "base/logging.h"
 #include "base/win/windows_version.h"
 #include "sandbox/win/src/app_container.h"
 #include "sandbox/win/src/filesystem_dispatcher.h"
 #include "sandbox/win/src/filesystem_policy.h"
 #include "sandbox/win/src/handle_dispatcher.h"
 #include "sandbox/win/src/handle_policy.h"
 #include "sandbox/win/src/job.h"
@@ skipping 51 matching lines @@
 }
 
 namespace sandbox {
 
 SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level;
 SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations;
 
 // Initializes static members.
 HWINSTA PolicyBase::alternate_winstation_handle_ = NULL;
 HDESK PolicyBase::alternate_desktop_handle_ = NULL;
+IntegrityLevel PolicyBase::alternate_desktop_integrity_label_ =
+    INTEGRITY_LEVEL_SYSTEM;

[rvargas (doing something else), 2014/06/13 19:46:11]

nit: Shouldn't we use _LEVEL_LAST here? It shouldn't matter but it seems like a
better default.

[jschuh, 2014/06/13 22:29:36]

Done, but it makes the conditional below a bit more complicated.

 
 PolicyBase::PolicyBase()
     : ref_count(1),
       lockdown_level_(USER_LOCKDOWN),
       initial_level_(USER_LOCKDOWN),
       job_level_(JOB_LOCKDOWN),
       ui_exceptions_(0),
       memory_limit_(0),
       use_alternate_desktop_(false),
       use_alternate_winstation_(false),
@@ skipping 426 matching lines @@
 
 ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) {
   // Create the 'naked' token. This will be the permanent token associated
   // with the process and therefore with any thread that is not impersonating.
   DWORD result = CreateRestrictedToken(lockdown, lockdown_level_,
                                        integrity_level_, PRIMARY);
   if (ERROR_SUCCESS != result) {
     return SBOX_ERROR_GENERIC;
   }
 
+  // If we're launching on the alternate desktop we need to make sure our
+  // process has an integrity label that can access it. So, we lower the label

[rvargas (doing something else), 2014/06/13 19:46:11]

label -> level

[jschuh, 2014/06/13 22:29:36]

Fine, but you have to deal with the ire of Bell and LaPadula.

[rvargas (doing something else), 2014/06/13 23:18:47]

no me asusta el acertijo!

+  // on the desktop if needed.
+  if (alternate_desktop_handle_ &&
+      integrity_level_ != INTEGRITY_LEVEL_LAST &&
+      alternate_desktop_integrity_label_ < integrity_level_ &&

[rvargas (doing something else), 2014/06/13 19:46:11]

_label_ -> level

[rvargas (doing something else), 2014/06/13 19:46:11]

... then this would be 
alternate_desktop_integrity_label_ == INTEGRITY_LEVEL_LAST

[jschuh, 2014/06/13 22:29:36]

Done, but that's not quite how it works due to the integrity level ordering.

[rvargas (doing something else), 2014/06/13 23:18:47]

Yeah, I got that... the way I was reading this condition was:
if we are using another desktop and
we are setting an integrity level ('cause it's not the default) and
alternate_desktop_integrity_level_ has not been initialized (because it is a
static and we don't want to reinit over and over)
... and, BTW, if we are not elevating the integrity level of the desktop
then... set IL.

However, that last condition looks to me more like an assert than something to
keep up front in the condition. That's why I suggested moving the last one to
what I thought to primarily mean (thinking we could just DCHECK inside the if).

Why do you want to keep both checks for ad_il_ and not for il_?. It feels weird
to me to be checking the relative values of integrity levels, especially at this
point. If we want to do it, shouldn't we do that explicitly somewhere else,
preferably close to where the policy is set instead of process creation?

Now it looks like you want to allow moving the IL of the desktop with new policy
instances... if that's the case we should move away from statics.

+      base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) {
+    static_assert(INTEGRITY_LEVEL_SYSTEM < INTEGRITY_LEVEL_UNTRUSTED,
+                  "Integrity level ordering reversed.");
+    result = SetObjectIntegrityLabel(alternate_desktop_handle_,
+                                     SE_WINDOW_OBJECT,
+                                     L"",
+                                     GetIntegrityLevelString(integrity_level_));
+    if (ERROR_SUCCESS != result) {
+      ::SetLastError(result);

[rvargas (doing something else), 2014/06/13 19:46:11]

nit: I don't think we promise a last error.

[jschuh, 2014/06/13 22:29:36]

Done.

+      return SBOX_ERROR_GENERIC;
+    }
+    alternate_desktop_integrity_label_ = integrity_level_;
+  }
+
   if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) {
     // Windows refuses to work with an impersonation token. See SetAppContainer
     // implementation for more details.
     if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_)
       return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
 
     *initial = INVALID_HANDLE_VALUE;
     return SBOX_ALL_OK;
   }
 
@@ skipping 171 matching lines @@
 
   // Finally, setup imports on the target so the interceptions can work.
   return SetupNtdllImports(target);
 }
 
 bool PolicyBase::SetupHandleCloser(TargetProcess* target) {
   return handle_closer_.InitializeTargetHandles(target);
 }
 
 }  // namespace sandbox