sandbox/win/src/restricted_token_utils.cc - Issue 810083002: Added a new process mitigation to harden process token IL policy.

Side by Side Diff: sandbox/win/src/restricted_token_utils.cc

Issue 810083002: Added a new process mitigation to harden process token IL policy. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 6 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include <aclapi.h>	5 #include <aclapi.h>

6 #include <sddl.h>	6 #include <sddl.h>

7 #include <vector>	7 #include <vector>

8	8

9 #include "sandbox/win/src/restricted_token_utils.h"	9 #include "sandbox/win/src/restricted_token_utils.h"

10	10

(...skipping 324 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
335 HANDLE token_handle;	335 HANDLE token_handle;

336 if (!::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_DEFAULT,	336 if (!::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_DEFAULT,

337 &token_handle))	337 &token_handle))

338 return ::GetLastError();	338 return ::GetLastError();

339	339

340 base::win::ScopedHandle token(token_handle);	340 base::win::ScopedHandle token(token_handle);

341	341

342 return SetTokenIntegrityLevel(token.Get(), integrity_level);	342 return SetTokenIntegrityLevel(token.Get(), integrity_level);

343 }	343 }

344	344

	345 DWORD HardenTokenIntegrityLevelPolicy(HANDLE token) {

	346 if (base::win::GetVersion() < base::win::VERSION_VISTA)
	cpu_(ooo_6.6-7.5) 2014/12/18 21:05:36 seven seven forshaw 2014/12/19 08:30:00 Done. Show quoted text On 2014/12/18 21:05:36, cpu wrote: > seven Done.
	347 return ERROR_SUCCESS;

	348

	349 DWORD last_error = 0;

	350 DWORD length_needed = 0;

	351

	352 GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION,

	353 NULL, 0, &length_needed);

	354

	355 last_error = ::GetLastError();
	cpu_(ooo_6.6-7.5) 2014/12/18 21:05:36 Mixing :: style for calling windows apis. Looks at Mixing :: style for calling windows apis. Looks at the this file and settle to the most common style. forshaw 2014/12/19 08:30:00 Done. Show quoted text On 2014/12/18 21:05:36, cpu wrote: > Mixing :: style for calling windows apis. Looks at the this file and settle to > the most common style. Done.
	356 if (last_error != ERROR_INSUFFICIENT_BUFFER)

	357 return last_error;

	358

	359 std::vector<char> security_desc_buffer(length_needed);

	360 PSECURITY_DESCRIPTOR security_desc =

	361 reinterpret_cast<PSECURITY_DESCRIPTOR>(&security_desc_buffer[0]);

	362

	363 if (!GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION,

	364 security_desc, length_needed,

	365 &length_needed))

	366 return ::GetLastError();

	367

	368 PACL sacl = NULL;

	369 BOOL sacl_present = FALSE;

	370 BOOL sacl_defaulted = FALSE;

	371

	372 if (!GetSecurityDescriptorSacl(security_desc, &sacl_present,

	373 &sacl, &sacl_defaulted))

	374 return ::GetLastError();

	375

	376 for (DWORD ace_index = 0; ace_index < sacl->AceCount; ++ace_index) {

	377 PSYSTEM_MANDATORY_LABEL_ACE ace;

	378

	379 if (GetAce(sacl, ace_index, reinterpret_cast<LPVOID*>(&ace))

	380 && ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)

	381 {
	cpu_(ooo_6.6-7.5) 2014/12/18 21:05:36 381 bracket in the previous line? 381 bracket in the previous line? forshaw 2014/12/19 08:30:00 Done. Show quoted text On 2014/12/18 21:05:36, cpu wrote: > 381 bracket in the previous line? Done.
	382 ace->Mask \|= SYSTEM_MANDATORY_LABEL_NO_READ_UP

	383 \| SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP;

	384 break;

	385 }

	386 }

	387

	388 if (!SetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION,

	389 security_desc))

	390 return ::GetLastError();

	391

	392 return ERROR_SUCCESS;

	393 }

	394

	395 DWORD HardenProcessIntegrityLevelPolicy() {

	396 if (base::win::GetVersion() < base::win::VERSION_VISTA)

	397 return ERROR_SUCCESS;

	398

	399 HANDLE token_handle;

	400 if (!::OpenProcessToken(GetCurrentProcess(), READ_CONTROL \| WRITE_OWNER,

	401 &token_handle))

	402 return ::GetLastError();

	403

	404 base::win::ScopedHandle token(token_handle);
	cpu_(ooo_6.6-7.5) 2014/12/18 21:05:36 isn't there a base/ helper for doing 399 to 404 ? isn't there a base/ helper for doing 399 to 404 ? forshaw 2014/12/19 08:30:00 Not that I could see in code search. The only user Show quoted text On 2014/12/18 21:05:36, cpu wrote: > isn't there a base/ helper for doing 399 to 404 ? Not that I could see in code search. The only users of OpenProcessToken then used to to get the user SID or the token IL and never returned the token directly.
	405

	406 return HardenTokenIntegrityLevelPolicy(token.Get());

	407 }

	408

345 } // namespace sandbox	409 } // namespace sandbox

OLD	NEW

« sandbox/win/src/process_mitigations.cc ('K') | « sandbox/win/src/restricted_token_utils.h ('k') | sandbox/win/src/security_level.h » ('j') | no next file with comments »