Add UIPI support for sandbox alternate desktop

sandbox/win/src/sandbox_policy_base.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/sandbox_policy_base.h"
 
+#include <sddl.h>
+
 #include "base/basictypes.h"
 #include "base/callback.h"
 #include "base/logging.h"
 #include "base/win/windows_version.h"
 #include "sandbox/win/src/app_container.h"
 #include "sandbox/win/src/filesystem_dispatcher.h"
 #include "sandbox/win/src/filesystem_policy.h"
 #include "sandbox/win/src/handle_dispatcher.h"
 #include "sandbox/win/src/handle_policy.h"
 #include "sandbox/win/src/job.h"
@@ skipping 51 matching lines @@
 }
 
 namespace sandbox {
 
 SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level;
 SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations;
 
 // Initializes static members.
 HWINSTA PolicyBase::alternate_winstation_handle_ = NULL;
 HDESK PolicyBase::alternate_desktop_handle_ = NULL;
+IntegrityLevel PolicyBase::alternate_desktop_integrity_level_ =
+    INTEGRITY_LEVEL_LAST;
 
 PolicyBase::PolicyBase()
     : ref_count(1),
       lockdown_level_(USER_LOCKDOWN),
       initial_level_(USER_LOCKDOWN),
       job_level_(JOB_LOCKDOWN),
       ui_exceptions_(0),
       memory_limit_(0),
       use_alternate_desktop_(false),
       use_alternate_winstation_(false),
@@ skipping 426 matching lines @@
 
 ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) {
   // Create the 'naked' token. This will be the permanent token associated
   // with the process and therefore with any thread that is not impersonating.
   DWORD result = CreateRestrictedToken(lockdown, lockdown_level_,
                                        integrity_level_, PRIMARY);
   if (ERROR_SUCCESS != result) {
     return SBOX_ERROR_GENERIC;
   }
 
+  // If we're launching on the alternate desktop we need to make sure our
+  // process has an integrity label that can access it. So, we lower the label
+  // on the desktop if needed.
+  if (alternate_desktop_handle_ &&
+      integrity_level_ < INTEGRITY_LEVEL_LAST &&
+      (alternate_desktop_integrity_level_ == INTEGRITY_LEVEL_LAST ||
+       alternate_desktop_integrity_level_ < integrity_level_) &&
+      base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) {
+    static_assert(INTEGRITY_LEVEL_SYSTEM < INTEGRITY_LEVEL_UNTRUSTED,
+                  "Integrity level ordering reversed.");
+    result = SetObjectIntegrityLabel(alternate_desktop_handle_,
+                                     SE_WINDOW_OBJECT,
+                                     L"",
+                                     GetIntegrityLevelString(integrity_level_));
+    if (ERROR_SUCCESS != result) {
+      return SBOX_ERROR_GENERIC;
+    }

[rvargas (doing something else), 2014/06/13 23:18:47]

tiny nit: this should not have {} but I see them also at line 525 :(

+    alternate_desktop_integrity_level_ = integrity_level_;
+  }
+
   if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) {
     // Windows refuses to work with an impersonation token. See SetAppContainer
     // implementation for more details.
     if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_)
       return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
 
     *initial = INVALID_HANDLE_VALUE;
     return SBOX_ALL_OK;
   }
 
@@ skipping 171 matching lines @@
 
   // Finally, setup imports on the target so the interceptions can work.
   return SetupNtdllImports(target);
 }
 
 bool PolicyBase::SetupHandleCloser(TargetProcess* target) {
   return handle_closer_.InitializeTargetHandles(target);
 }
 
 }  // namespace sandbox