
Side by Side Diff: content/common/sandbox_win.cc

Issue 937353002: Adding method to create process using LowBox token in sandbox code. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Addressing comments on earlier patch. Created 5 years, 10 months ago
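--- a/content/common/sandbox_win.cc
+++ b/content/common/sandbox_win.cc
@@ -1,39 +1,40 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_win.h"
 
 #include <string>
 
 #include "base/base_switches.h"
 #include "base/command_line.h"
 #include "base/debug/profiler.h"
 #include "base/debug/trace_event.h"
 #include "base/files/file_util.h"
 #include "base/hash.h"
 #include "base/path_service.h"
 #include "base/process/launch.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/win/iat_patch_function.h"
 #include "base/win/scoped_handle.h"
 #include "base/win/scoped_process_information.h"
 #include "base/win/windows_version.h"
 #include "content/public/common/content_client.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/sandbox_init.h"
 #include "content/public/common/sandboxed_process_launcher_delegate.h"
 #include "sandbox/win/src/process_mitigations.h"
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
+#include "sandbox/win/src/sid.h"
 #include "sandbox/win/src/win_utils.h"
 #include "ui/gfx/win/direct_write.h"
 
 static sandbox::BrokerServices* g_broker_services = NULL;
 static sandbox::TargetServices* g_target_services = NULL;
 
 namespace content {
 namespace {
 
 // The DLLs listed here are known (or under strong suspicion) of causing crashes
@@ -526,20 +527,30 @@
 
 // TODO(jschuh): Need get these restrictions applied to NaCl and Pepper.
 // Just have to figure out what needs to be warmed up first.
 void AddBaseHandleClosePolicy(sandbox::TargetPolicy* policy) {
   // TODO(cpu): Add back the BaseNamedObjects policy.
   base::string16 object_path = PrependWindowsSessionPath(
       L"\\BaseNamedObjects\\windows_shell_global_counters");
   policy->AddKernelObjectToClose(L"Section", object_path.data());
 }
 
+void AddAppContainerPolicy(sandbox::TargetPolicy* policy) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN8)
+    return;
+
+  std::wstring unique_sid;
+  sandbox::Sid sid(::WinBuiltinAnyPackageSid);
+  unique_sid = sid.GenerateUniqueSubAuthoritySid();
+  policy->SetAppContainer(unique_sid.c_str());
+}
+
 bool InitBrokerServices(sandbox::BrokerServices* broker_services) {
   // TODO(abarth): DCHECK(CalledOnValidThread());
   // See <http://b/1287166>.
   DCHECK(broker_services);
   DCHECK(!g_broker_services);
   sandbox::ResultCode result = broker_services->Init();
   g_broker_services = broker_services;
 
   // In non-official builds warn about dangerous uses of DuplicateHandle.
 #ifndef OFFICIAL_BUILD
@@ -762,10 +773,10 @@
   }
 
   return false;
 }
 
 bool BrokerAddTargetPeer(HANDLE peer_process) {
   return g_broker_services->AddTargetPeer(peer_process) == sandbox::SBOX_ALL_OK;
 }
 
 } // namespace content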
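Review bot: The result of `policy->SetAppContainer(unique_sid.c_str())` at new line 544 is discarded, so if that call reports failure the way the other sandbox calls on this page do (`Init()` at 552 and `AddTargetPeer` at 779 both yield a `sandbox::ResultCode`), the target would be launched without the LowBox restriction and nothing would notice. Capture it, e.g. `sandbox::ResultCode result = policy->SetAppContainer(unique_sid.c_str());` followed by `DCHECK_EQ(sandbox::SBOX_ALL_OK, result);` (keep the call outside the DCHECK so it still runs when DCHECKs are compiled out), or better, return the code so the caller can refuse to launch. The early return for pre-Windows 8 also deserves a comment such as `// AppContainer (LowBox) tokens require Windows 8 or later; older systems get no AppContainer.` so readers know the silent no-op is intentional. Minor: the file spells wide strings as `base::string16` (line 532), so `std::wstring unique_sid` could follow suit and be initialized directly from `sid.GenerateUniqueSubAuthoritySid()` instead of being declared and then assigned. No call site of `AddAppContainerPolicy` appears in the visible sections, so whether it is wired into a launch path cannot be confirmed from here.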
