Chromium Code Reviews| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/win/src/sandbox_policy_base.h" | 5 #include "sandbox/win/src/sandbox_policy_base.h" |
| 6 | 6 |
| 7 #include <sddl.h> | |
| 8 | |
| 7 #include "base/basictypes.h" | 9 #include "base/basictypes.h" |
| 8 #include "base/callback.h" | 10 #include "base/callback.h" |
| 9 #include "base/logging.h" | 11 #include "base/logging.h" |
| 10 #include "base/win/windows_version.h" | 12 #include "base/win/windows_version.h" |
| 11 #include "sandbox/win/src/app_container.h" | 13 #include "sandbox/win/src/app_container.h" |
| 12 #include "sandbox/win/src/filesystem_dispatcher.h" | 14 #include "sandbox/win/src/filesystem_dispatcher.h" |
| 13 #include "sandbox/win/src/filesystem_policy.h" | 15 #include "sandbox/win/src/filesystem_policy.h" |
| 14 #include "sandbox/win/src/handle_dispatcher.h" | 16 #include "sandbox/win/src/handle_dispatcher.h" |
| 15 #include "sandbox/win/src/handle_policy.h" | 17 #include "sandbox/win/src/handle_policy.h" |
| 16 #include "sandbox/win/src/job.h" | 18 #include "sandbox/win/src/job.h" |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 68 } | 70 } |
| 69 | 71 |
| 70 namespace sandbox { | 72 namespace sandbox { |
| 71 | 73 |
| 72 SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level; | 74 SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level; |
| 73 SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations; | 75 SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations; |
| 74 | 76 |
| 75 // Initializes static members. | 77 // Initializes static members. |
| 76 HWINSTA PolicyBase::alternate_winstation_handle_ = NULL; | 78 HWINSTA PolicyBase::alternate_winstation_handle_ = NULL; |
| 77 HDESK PolicyBase::alternate_desktop_handle_ = NULL; | 79 HDESK PolicyBase::alternate_desktop_handle_ = NULL; |
| 80 IntegrityLevel PolicyBase::alternate_desktop_integrity_label_ = | |
| 81 INTEGRITY_LEVEL_SYSTEM; | |
|
rvargas (doing something else)
2014/06/13 19:46:11
nit: Shouldn't we use _LEVEL_LAST here? It shouldn
jschuh
2014/06/13 22:29:36
Done, but it makes the conditional below a bit mor
| |
| 78 | 82 |
| 79 PolicyBase::PolicyBase() | 83 PolicyBase::PolicyBase() |
| 80 : ref_count(1), | 84 : ref_count(1), |
| 81 lockdown_level_(USER_LOCKDOWN), | 85 lockdown_level_(USER_LOCKDOWN), |
| 82 initial_level_(USER_LOCKDOWN), | 86 initial_level_(USER_LOCKDOWN), |
| 83 job_level_(JOB_LOCKDOWN), | 87 job_level_(JOB_LOCKDOWN), |
| 84 ui_exceptions_(0), | 88 ui_exceptions_(0), |
| 85 memory_limit_(0), | 89 memory_limit_(0), |
| 86 use_alternate_desktop_(false), | 90 use_alternate_desktop_(false), |
| 87 use_alternate_winstation_(false), | 91 use_alternate_winstation_(false), |
| (...skipping 426 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 514 | 518 |
| 515 ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) { | 519 ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) { |
| 516 // Create the 'naked' token. This will be the permanent token associated | 520 // Create the 'naked' token. This will be the permanent token associated |
| 517 // with the process and therefore with any thread that is not impersonating. | 521 // with the process and therefore with any thread that is not impersonating. |
| 518 DWORD result = CreateRestrictedToken(lockdown, lockdown_level_, | 522 DWORD result = CreateRestrictedToken(lockdown, lockdown_level_, |
| 519 integrity_level_, PRIMARY); | 523 integrity_level_, PRIMARY); |
| 520 if (ERROR_SUCCESS != result) { | 524 if (ERROR_SUCCESS != result) { |
| 521 return SBOX_ERROR_GENERIC; | 525 return SBOX_ERROR_GENERIC; |
| 522 } | 526 } |
| 523 | 527 |
| 528 // If we're launching on the alternate desktop we need to make sure our | |
| 529 // process has an integrity label that can access it. So, we lower the label | |
|
rvargas (doing something else)
2014/06/13 19:46:11
label -> level
jschuh
2014/06/13 22:29:36
Fine, but you have to deal with the ire of Bell an
rvargas (doing something else)
2014/06/13 23:18:47
no me asusta el acertijo!
| |
| 530 // on the desktop if needed. | |
| 531 if (alternate_desktop_handle_ && | |
| 532 integrity_level_ != INTEGRITY_LEVEL_LAST && | |
| 533 alternate_desktop_integrity_label_ < integrity_level_ && | |
|
rvargas (doing something else)
2014/06/13 19:46:11
_label_ -> level
rvargas (doing something else)
2014/06/13 19:46:11
... then this would be
alternate_desktop_integrit
jschuh
2014/06/13 22:29:36
Done, but that's not quite how it works due to the
rvargas (doing something else)
2014/06/13 23:18:47
Yeah, I got that... the way I was reading this con
| |
| 534 base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) { | |
| 535 static_assert(INTEGRITY_LEVEL_SYSTEM < INTEGRITY_LEVEL_UNTRUSTED, | |
| 536 "Integrity level ordering reversed."); | |
| 537 result = SetObjectIntegrityLabel(alternate_desktop_handle_, | |
| 538 SE_WINDOW_OBJECT, | |
| 539 L"", | |
| 540 GetIntegrityLevelString(integrity_level_)); | |
| 541 if (ERROR_SUCCESS != result) { | |
| 542 ::SetLastError(result); | |
|
rvargas (doing something else)
2014/06/13 19:46:11
nit: I don't think we promise a last error.
jschuh
2014/06/13 22:29:36
Done.
| |
| 543 return SBOX_ERROR_GENERIC; | |
| 544 } | |
| 545 alternate_desktop_integrity_label_ = integrity_level_; | |
| 546 } | |
| 547 | |
| 524 if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) { | 548 if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) { |
| 525 // Windows refuses to work with an impersonation token. See SetAppContainer | 549 // Windows refuses to work with an impersonation token. See SetAppContainer |
| 526 // implementation for more details. | 550 // implementation for more details. |
| 527 if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_) | 551 if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_) |
| 528 return SBOX_ERROR_CANNOT_INIT_APPCONTAINER; | 552 return SBOX_ERROR_CANNOT_INIT_APPCONTAINER; |
| 529 | 553 |
| 530 *initial = INVALID_HANDLE_VALUE; | 554 *initial = INVALID_HANDLE_VALUE; |
| 531 return SBOX_ALL_OK; | 555 return SBOX_ALL_OK; |
| 532 } | 556 } |
| 533 | 557 |
| (...skipping 171 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 705 | 729 |
| 706 // Finally, setup imports on the target so the interceptions can work. | 730 // Finally, setup imports on the target so the interceptions can work. |
| 707 return SetupNtdllImports(target); | 731 return SetupNtdllImports(target); |
| 708 } | 732 } |
| 709 | 733 |
| 710 bool PolicyBase::SetupHandleCloser(TargetProcess* target) { | 734 bool PolicyBase::SetupHandleCloser(TargetProcess* target) { |
| 711 return handle_closer_.InitializeTargetHandles(target); | 735 return handle_closer_.InitializeTargetHandles(target); |
| 712 } | 736 } |
| 713 | 737 |
| 714 } // namespace sandbox | 738 } // namespace sandbox |
| OLD | NEW |