Added a new process mitigation to harden process token IL policy.

sandbox/win/src/restricted_token_utils.cc

Index: sandbox/win/src/restricted_token_utils.cc
diff --git a/sandbox/win/src/restricted_token_utils.cc b/sandbox/win/src/restricted_token_utils.cc
index 93b212efaf3cd1597261874614368137f12d480c..5bd27f85962626863c9cd73e54295d53ee207f9a 100644
--- a/sandbox/win/src/restricted_token_utils.cc
+++ b/sandbox/win/src/restricted_token_utils.cc
@@ -342,4 +342,68 @@ DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level) {
   return SetTokenIntegrityLevel(token.Get(), integrity_level);
 }
 
+DWORD HardenTokenIntegrityLevelPolicy(HANDLE token) {
+  if (base::win::GetVersion() < base::win::VERSION_VISTA)

[cpu_(ooo_6.6-7.5), 2014/12/18 21:05:36]

seven

[forshaw, 2014/12/19 08:30:00]

Done.

+    return ERROR_SUCCESS;
+
+  DWORD last_error = 0;
+  DWORD length_needed = 0;
+
+  GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION,
+    NULL, 0, &length_needed);
+
+  last_error = ::GetLastError();

[cpu_(ooo_6.6-7.5), 2014/12/18 21:05:36]

Mixing :: style for calling windows apis. Looks at the this file and settle to
the most common style.

[forshaw, 2014/12/19 08:30:00]

Done.

+  if (last_error != ERROR_INSUFFICIENT_BUFFER)
+    return last_error;
+
+  std::vector<char> security_desc_buffer(length_needed);
+  PSECURITY_DESCRIPTOR security_desc =
+      reinterpret_cast<PSECURITY_DESCRIPTOR>(&security_desc_buffer[0]);
+
+  if (!GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION,
+                               security_desc, length_needed,
+                               &length_needed))
+    return ::GetLastError();
+
+  PACL sacl = NULL;
+  BOOL sacl_present = FALSE;
+  BOOL sacl_defaulted = FALSE;
+
+  if (!GetSecurityDescriptorSacl(security_desc, &sacl_present,
+                                 &sacl, &sacl_defaulted))
+    return ::GetLastError();
+
+  for (DWORD ace_index = 0; ace_index < sacl->AceCount; ++ace_index) {
+    PSYSTEM_MANDATORY_LABEL_ACE ace;
+
+    if (GetAce(sacl, ace_index, reinterpret_cast<LPVOID*>(&ace))
+        && ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE)
+    {

[cpu_(ooo_6.6-7.5), 2014/12/18 21:05:36]

381 bracket in the previous line?

[forshaw, 2014/12/19 08:30:00]

Done.

+      ace->Mask |= SYSTEM_MANDATORY_LABEL_NO_READ_UP
+                |  SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP;
+      break;
+    }
+  }
+
+  if (!SetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION,
+                               security_desc))
+    return ::GetLastError();
+
+  return ERROR_SUCCESS;
+}
+
+DWORD HardenProcessIntegrityLevelPolicy() {
+  if (base::win::GetVersion() < base::win::VERSION_VISTA)
+    return ERROR_SUCCESS;
+
+  HANDLE token_handle;
+  if (!::OpenProcessToken(GetCurrentProcess(), READ_CONTROL | WRITE_OWNER,
+                          &token_handle))
+    return ::GetLastError();
+
+  base::win::ScopedHandle token(token_handle);

[cpu_(ooo_6.6-7.5), 2014/12/18 21:05:36]

isn't there a base/ helper for doing 399 to 404 ?

[forshaw, 2014/12/19 08:30:00]

Not that I could see in code search. The only users of OpenProcessToken then
used to to get the user SID or the token IL and never returned the token
directly. 

+
+  return HardenTokenIntegrityLevelPolicy(token.Get());
+}
+
 }  // namespace sandbox