
Unified Diff: sandbox/win/src/restricted_token_utils.cc

Issue 810083002: Added a new process mitigation to harden process token IL policy. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 6 years ago
Index: sandbox/win/src/restricted_token_utils.cc
diff --git a/sandbox/win/src/restricted_token_utils.cc b/sandbox/win/src/restricted_token_utils.cc
index 93b212efaf3cd1597261874614368137f12d480c..5bd27f85962626863c9cd73e54295d53ee207f9a 100644
--- a/sandbox/win/src/restricted_token_utils.cc
+++ b/sandbox/win/src/restricted_token_utils.cc
@@ -342,4 +342,68 @@ DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level) {
return SetTokenIntegrityLevel(token.Get(), integrity_level);
}
+DWORD HardenTokenIntegrityLevelPolicy(HANDLE token) {
+ if (base::win::GetVersion() < base::win::VERSION_VISTA)
cpu_(ooo_6.6-7.5) 2014/12/18 21:05:36 seven
forshaw 2014/12/19 08:30:00 Done.
+ return ERROR_SUCCESS;
+
+ DWORD last_error = 0;
+ DWORD length_needed = 0;
+
+ GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION,
+ NULL, 0, &length_needed);
+
+ last_error = ::GetLastError();
cpu_(ooo_6.6-7.5) 2014/12/18 21:05:36 Mixing :: style for calling windows apis. Looks at
forshaw 2014/12/19 08:30:00 Done.
+ if (last_error != ERROR_INSUFFICIENT_BUFFER)
+ return last_error;
+
+ std::vector<char> security_desc_buffer(length_needed);
+ PSECURITY_DESCRIPTOR security_desc =
+ reinterpret_cast<PSECURITY_DESCRIPTOR>(&security_desc_buffer[0]);
+
+ if (!GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION,
+ security_desc, length_needed,
+ &length_needed))
+ return ::GetLastError();
+
+ PACL sacl = NULL;
+ BOOL sacl_present = FALSE;
+ BOOL sacl_defaulted = FALSE;
+
+ if (!GetSecurityDescriptorSacl(security_desc, &sacl_present,
+ &sacl, &sacl_defaulted))
+ return ::GetLastError();
+
+ for (DWORD ace_index = 0; ace_index < sacl->AceCount; ++ace_index) {
+ PSYSTEM_MANDATORY_LABEL_ACE ace;
+
+ if (GetAce(sacl, ace_index, reinterpret_cast<LPVOID*>(&ace))
+ && ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
+ {
cpu_(ooo_6.6-7.5) 2014/12/18 21:05:36 381 bracket in the previous line?
forshaw 2014/12/19 08:30:00 Done.
+ ace->Mask |= SYSTEM_MANDATORY_LABEL_NO_READ_UP
+ | SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP;
+ break;
+ }
+ }
+
+ if (!SetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION,
+ security_desc))
+ return ::GetLastError();
+
+ return ERROR_SUCCESS;
+}
+
+DWORD HardenProcessIntegrityLevelPolicy() {
+ if (base::win::GetVersion() < base::win::VERSION_VISTA)
+ return ERROR_SUCCESS;
+
+ HANDLE token_handle;
+ if (!::OpenProcessToken(GetCurrentProcess(), READ_CONTROL | WRITE_OWNER,
+ &token_handle))
+ return ::GetLastError();
+
+ base::win::ScopedHandle token(token_handle);
cpu_(ooo_6.6-7.5) 2014/12/18 21:05:36 isn't there a base/ helper for doing 399 to 404 ?
forshaw 2014/12/19 08:30:00 Not that I could see in code search. The only user
+
+ return HardenTokenIntegrityLevelPolicy(token.Get());
+}
+
} // namespace sandbox
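Review bot: In HardenTokenIntegrityLevelPolicy the loop reads `sacl->AceCount` without checking `sacl_present` or `sacl`. GetSecurityDescriptorSacl can succeed while reporting that no SACL is present, in which case `sacl` stays NULL and the loop dereferences it. A guard before the loop, such as `if (!sacl_present || !sacl) return ERROR_INVALID_SECURITY_DESCR;`, would avoid that. Separately, when no ACE of type SYSTEM_MANDATORY_LABEL_ACE_TYPE is found (or GetAce fails), the function still calls SetKernelObjectSecurity and returns ERROR_SUCCESS, so the caller cannot tell that NO_READ_UP / NO_EXECUTE_UP was never applied. For a mitigation it would be safer to record whether an ACE was actually updated and return an error otherwise.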
