Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(50)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: sandbox/win/src/filesystem_policy.cc

Issue 909373004: Sandbox: Add support for file system policies that use implied device paths. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Helpers Created 5 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « sandbox/win/src/file_policy_test.cc ('k') | sandbox/win/src/win_utils.h » ('j') | sandbox/win/src/win_utils.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <string> 5 #include <string>
6 6
7 #include "sandbox/win/src/filesystem_policy.h" 7 #include "sandbox/win/src/filesystem_policy.h"
8 8
9 #include "base/logging.h" 9 #include "base/logging.h"
10 #include "base/win/scoped_handle.h" 10 #include "base/win/scoped_handle.h"
11 #include "base/win/windows_version.h"
11 #include "sandbox/win/src/ipc_tags.h" 12 #include "sandbox/win/src/ipc_tags.h"
12 #include "sandbox/win/src/policy_engine_opcodes.h" 13 #include "sandbox/win/src/policy_engine_opcodes.h"
13 #include "sandbox/win/src/policy_params.h" 14 #include "sandbox/win/src/policy_params.h"
14 #include "sandbox/win/src/sandbox_utils.h" 15 #include "sandbox/win/src/sandbox_utils.h"
15 #include "sandbox/win/src/sandbox_types.h" 16 #include "sandbox/win/src/sandbox_types.h"
16 #include "sandbox/win/src/win_utils.h" 17 #include "sandbox/win/src/win_utils.h"
17 18
18 namespace { 19 namespace {
19 20
20 NTSTATUS NtCreateFileInTarget(HANDLE* target_file_handle, 21 NTSTATUS NtCreateFileInTarget(HANDLE* target_file_handle,
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after
71 namespace sandbox { 72 namespace sandbox {
72 73
73 bool FileSystemPolicy::GenerateRules(const wchar_t* name, 74 bool FileSystemPolicy::GenerateRules(const wchar_t* name,
74 TargetPolicy::Semantics semantics, 75 TargetPolicy::Semantics semantics,
75 LowLevelPolicy* policy) { 76 LowLevelPolicy* policy) {
76 base::string16 mod_name(name); 77 base::string16 mod_name(name);
77 if (mod_name.empty()) { 78 if (mod_name.empty()) {
78 return false; 79 return false;
79 } 80 }
80 81
81 // Don't do any pre-processing if the name starts like the the native 82 if (base::win::GetVersion() >= base::win::VERSION_WIN7) {
82 // object manager style.
83 if (0 != _wcsnicmp(mod_name.c_str(), kNTObjManPrefix, kNTObjManPrefixLen)) {
84 // TODO(cpu) bug 32224: This prefix add is a hack because we don't have the 83 // TODO(cpu) bug 32224: This prefix add is a hack because we don't have the
85 // infrastructure to normalize names. In any case we need to escape the 84 // infrastructure to normalize names. In any case we need to escape the
86 // question marks. 85 // question marks.
87 if (!PreProcessName(mod_name, &mod_name)) { 86 if (!PreProcessName(mod_name, &mod_name)) {
88 // The path to be added might contain a reparse point. 87 // The path to be added might contain a reparse point.
89 NOTREACHED(); 88 NOTREACHED();
90 return false; 89 return false;
91 } 90 }
92 91
93 mod_name = FixNTPrefixForMatch(mod_name); 92 if (_wcsnicmp(mod_name.c_str(), kNTDevicePrefix, kNTDevicePrefixLen)) {
94 name = mod_name.c_str(); 93 mod_name = FixNTPrefixForMatch(mod_name);
94 name = mod_name.c_str();
95 }
96 } else if (!_wcsnicmp(mod_name.c_str(), kNTDevicePrefix,
97 kNTDevicePrefixLen)) {
98 // Device paths in policy are not supported before Windows 7.
99 return false;
95 } 100 }
96 101
97 EvalResult result = ASK_BROKER; 102 EvalResult result = ASK_BROKER;
98 103
99 // List of supported calls for the filesystem. 104 // List of supported calls for the filesystem.
100 const unsigned kCallNtCreateFile = 0x1; 105 const unsigned kCallNtCreateFile = 0x1;
101 const unsigned kCallNtOpenFile = 0x2; 106 const unsigned kCallNtOpenFile = 0x2;
102 const unsigned kCallNtQueryAttributesFile = 0x4; 107 const unsigned kCallNtQueryAttributesFile = 0x4;
103 const unsigned kCallNtQueryFullAttributesFile = 0x8; 108 const unsigned kCallNtQueryFullAttributesFile = 0x8;
104 const unsigned kCallNtSetInfoRename = 0x10; 109 const unsigned kCallNtSetInfoRename = 0x10;
(...skipping 317 matching lines...) Expand 10 before | Expand all | Expand 10 after
422 } else { 427 } else {
423 // Start of name matches NT prefix, replace with escaped format 428 // Start of name matches NT prefix, replace with escaped format
424 // Fixes bug: 334882 429 // Fixes bug: 334882
425 mod_name.replace(0, kNTPrefixLen, kNTPrefixEscaped); 430 mod_name.replace(0, kNTPrefixLen, kNTPrefixEscaped);
426 } 431 }
427 432
428 return mod_name; 433 return mod_name;
429 } 434 }
430 435
431 } // namespace sandbox 436 } // namespace sandbox
OLDNEW
« no previous file with comments | « sandbox/win/src/file_policy_test.cc ('k') | sandbox/win/src/win_utils.h » ('j') | sandbox/win/src/win_utils.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698