Add UIPI support for sandbox alternate desktop

sandbox/win/src/sandbox_policy_base.cc

Index: sandbox/win/src/sandbox_policy_base.cc
diff --git a/sandbox/win/src/sandbox_policy_base.cc b/sandbox/win/src/sandbox_policy_base.cc
index 711fafc006acd0c2462b05b65e215983aa40556b..9a8cc956a94113fe59d45430ade7fd1289f85645 100644
--- a/sandbox/win/src/sandbox_policy_base.cc
+++ b/sandbox/win/src/sandbox_policy_base.cc
@@ -4,6 +4,8 @@
 
 #include "sandbox/win/src/sandbox_policy_base.h"
 
+#include <sddl.h>
+
 #include "base/basictypes.h"
 #include "base/callback.h"
 #include "base/logging.h"
@@ -75,6 +77,8 @@ SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations;
 // Initializes static members.
 HWINSTA PolicyBase::alternate_winstation_handle_ = NULL;
 HDESK PolicyBase::alternate_desktop_handle_ = NULL;
+IntegrityLevel PolicyBase::alternate_desktop_integrity_label_ =
+    INTEGRITY_LEVEL_SYSTEM;

[rvargas (doing something else), 2014/06/13 19:46:11]

nit: Shouldn't we use _LEVEL_LAST here? It shouldn't matter but it seems like a
better default.

[jschuh, 2014/06/13 22:29:36]

Done, but it makes the conditional below a bit more complicated.

 
 PolicyBase::PolicyBase()
     : ref_count(1),
@@ -521,6 +525,26 @@ ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) {
     return SBOX_ERROR_GENERIC;
   }
 
+  // If we're launching on the alternate desktop we need to make sure our
+  // process has an integrity label that can access it. So, we lower the label

[rvargas (doing something else), 2014/06/13 19:46:11]

label -> level

[jschuh, 2014/06/13 22:29:36]

Fine, but you have to deal with the ire of Bell and LaPadula.

[rvargas (doing something else), 2014/06/13 23:18:47]

no me asusta el acertijo!

+  // on the desktop if needed.
+  if (alternate_desktop_handle_ &&
+      integrity_level_ != INTEGRITY_LEVEL_LAST &&
+      alternate_desktop_integrity_label_ < integrity_level_ &&

[rvargas (doing something else), 2014/06/13 19:46:11]

_label_ -> level

[rvargas (doing something else), 2014/06/13 19:46:11]

... then this would be 
alternate_desktop_integrity_label_ == INTEGRITY_LEVEL_LAST

[jschuh, 2014/06/13 22:29:36]

Done, but that's not quite how it works due to the integrity level ordering.

[rvargas (doing something else), 2014/06/13 23:18:47]

Yeah, I got that... the way I was reading this condition was:
if we are using another desktop and
we are setting an integrity level ('cause it's not the default) and
alternate_desktop_integrity_level_ has not been initialized (because it is a
static and we don't want to reinit over and over)
... and, BTW, if we are not elevating the integrity level of the desktop
then... set IL.

However, that last condition looks to me more like an assert than something to
keep up front in the condition. That's why I suggested moving the last one to
what I thought to primarily mean (thinking we could just DCHECK inside the if).

Why do you want to keep both checks for ad_il_ and not for il_?. It feels weird
to me to be checking the relative values of integrity levels, especially at this
point. If we want to do it, shouldn't we do that explicitly somewhere else,
preferably close to where the policy is set instead of process creation?

Now it looks like you want to allow moving the IL of the desktop with new policy
instances... if that's the case we should move away from statics.

+      base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) {
+    static_assert(INTEGRITY_LEVEL_SYSTEM < INTEGRITY_LEVEL_UNTRUSTED,
+                  "Integrity level ordering reversed.");
+    result = SetObjectIntegrityLabel(alternate_desktop_handle_,
+                                     SE_WINDOW_OBJECT,
+                                     L"",
+                                     GetIntegrityLevelString(integrity_level_));
+    if (ERROR_SUCCESS != result) {
+      ::SetLastError(result);

[rvargas (doing something else), 2014/06/13 19:46:11]

nit: I don't think we promise a last error.

[jschuh, 2014/06/13 22:29:36]

Done.

+      return SBOX_ERROR_GENERIC;
+    }
+    alternate_desktop_integrity_label_ = integrity_level_;
+  }
+
   if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) {
     // Windows refuses to work with an impersonation token. See SetAppContainer
     // implementation for more details.