Chromium Code Reviews Chromium Code Reviews
Issue 937353002:
Adding method to create process using LowBox token in sandbox code. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/win/src/sandbox_policy_base.h" | 5 #include "sandbox/win/src/sandbox_policy_base.h" |
| 6 | 6 |
| 7 #include <sddl.h> | |
| 8 | |
| 9 #include "base/basictypes.h" | 7 #include "base/basictypes.h" |
| 10 #include "base/callback.h" | 8 #include "base/callback.h" |
| 11 #include "base/logging.h" | 9 #include "base/logging.h" |
| 12 #include "base/win/windows_version.h" | 10 #include "base/win/windows_version.h" |
| 13 #include "sandbox/win/src/app_container.h" | 11 #include "sandbox/win/src/app_container.h" |
| 14 #include "sandbox/win/src/filesystem_dispatcher.h" | 12 #include "sandbox/win/src/filesystem_dispatcher.h" |
| 15 #include "sandbox/win/src/filesystem_policy.h" | 13 #include "sandbox/win/src/filesystem_policy.h" |
| 16 #include "sandbox/win/src/handle_dispatcher.h" | 14 #include "sandbox/win/src/handle_dispatcher.h" |
| 17 #include "sandbox/win/src/handle_policy.h" | 15 #include "sandbox/win/src/handle_policy.h" |
| 18 #include "sandbox/win/src/job.h" | 16 #include "sandbox/win/src/job.h" |
| (...skipping 284 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 303 ResultCode PolicyBase::SetDelayedIntegrityLevel( | 301 ResultCode PolicyBase::SetDelayedIntegrityLevel( |
| 304 IntegrityLevel integrity_level) { | 302 IntegrityLevel integrity_level) { |
| 305 delayed_integrity_level_ = integrity_level; | 303 delayed_integrity_level_ = integrity_level; |
| 306 return SBOX_ALL_OK; | 304 return SBOX_ALL_OK; |
| 307 } | 305 } |
| 308 | 306 |
| 309 ResultCode PolicyBase::SetAppContainer(const wchar_t* sid) { | 307 ResultCode PolicyBase::SetAppContainer(const wchar_t* sid) { |
| 310 if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8) | 308 if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8) |
| 311 return SBOX_ALL_OK; | 309 return SBOX_ALL_OK; |
| 312 | 310 |
| 313 // Windows refuses to work with an impersonation token for a process inside | |
| 314 // an AppContainer. If the caller wants to use a more privileged initial | |
| 315 // token, or if the lockdown level will prevent the process from starting, | |
| 316 // we have to fail the operation. | |
| 317 if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_) | |
| 318 return SBOX_ERROR_CANNOT_INIT_APPCONTAINER; | |
| 319 | |
| 320 DCHECK(!appcontainer_list_.get()); | 311 DCHECK(!appcontainer_list_.get()); |
| 321 appcontainer_list_.reset(new AppContainerAttributes); | 312 appcontainer_list_.reset(new AppContainerAttributes); |
| 322 ResultCode rv = appcontainer_list_->SetAppContainer(sid, capabilities_); | 313 ResultCode rv = appcontainer_list_->SetAppContainer(sid, capabilities_); |
| 323 if (rv != SBOX_ALL_OK) | 314 if (rv != SBOX_ALL_OK) |
| 324 return rv; | 315 return rv; |
| 325 | 316 |
| 326 return SBOX_ALL_OK; | 317 return SBOX_ALL_OK; |
| 327 } | 318 } |
| 328 | 319 |
| 329 ResultCode PolicyBase::SetCapability(const wchar_t* sid) { | 320 ResultCode PolicyBase::SetCapability(const wchar_t* sid) { |
| (...skipping 140 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 470 SE_WINDOW_OBJECT, | 461 SE_WINDOW_OBJECT, |
| 471 L"", | 462 L"", |
| 472 GetIntegrityLevelString(integrity_level_)); | 463 GetIntegrityLevelString(integrity_level_)); |
| 473 if (ERROR_SUCCESS != result) | 464 if (ERROR_SUCCESS != result) |
| 474 return SBOX_ERROR_GENERIC; | 465 return SBOX_ERROR_GENERIC; |
| 475 | 466 |
| 476 alternate_desktop_integrity_level_label_ = integrity_level_; | 467 alternate_desktop_integrity_level_label_ = integrity_level_; |
| 477 } | 468 } |
| 478 | 469 |
| 479 if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) { | 470 if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) { |
| 480 // Windows refuses to work with an impersonation token. See SetAppContainer | 471 NtCreateLowBoxToken CreateLowBox = NULL; |
| 481 // implementation for more details. | 472 ResolveNTFunctionPtr("NtCreateLowBoxToken", &CreateLowBox); |
| 482 if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_) | |
| 483 return SBOX_ERROR_CANNOT_INIT_APPCONTAINER; | |
| 484 | 473 |
| 485 *initial = INVALID_HANDLE_VALUE; | 474 HANDLE token_lowbox = NULL; |
| 486 return SBOX_ALL_OK; | 475 const SECURITY_CAPABILITIES& capabilities = |
| 476 appcontainer_list_->GetCapabilities(); | |
| 477 | |
| 478 OBJECT_ATTRIBUTES obj_attr; | |
| 479 InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL); | |
| 480 | |
| 481 NTSTATUS status = CreateLowBox(&token_lowbox, | |
| 482 *lockdown, | |
| 483 TOKEN_ALL_ACCESS, | |
| 484 &obj_attr, | |
| 485 capabilities.AppContainerSid, | |
| 486 capabilities.CapabilityCount, | |
| 487 capabilities.Capabilities, | |
| 488 0, | |
| 489 NULL); | |
| 490 if (!NT_SUCCESS(status)) { | |
|
rvargas (doing something else)
2015/02/24 01:01:49
nit: no {}
| |
| 491 return SBOX_ERROR_GENERIC; | |
| 492 } | |
| 493 DCHECK(token_lowbox); | |
| 494 ::CloseHandle(*lockdown); | |
| 495 *lockdown = token_lowbox; | |
| 487 } | 496 } |
| 488 | 497 |
| 489 // Create the 'better' token. We use this token as the one that the main | 498 // Create the 'better' token. We use this token as the one that the main |
| 490 // thread uses when booting up the process. It should contain most of | 499 // thread uses when booting up the process. It should contain most of |
| 491 // what we need (before reaching main( )) | 500 // what we need (before reaching main( )) |
| 492 result = CreateRestrictedToken(initial, initial_level_, | 501 result = CreateRestrictedToken(initial, initial_level_, |
| 493 integrity_level_, IMPERSONATION); | 502 integrity_level_, IMPERSONATION); |
| 494 if (ERROR_SUCCESS != result) { | 503 if (ERROR_SUCCESS != result) { |
| 495 ::CloseHandle(*lockdown); | 504 ::CloseHandle(*lockdown); |
| 496 return SBOX_ERROR_GENERIC; | 505 return SBOX_ERROR_GENERIC; |
| (...skipping 243 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 740 break; | 749 break; |
| 741 } | 750 } |
| 742 | 751 |
| 743 default: { return SBOX_ERROR_UNSUPPORTED; } | 752 default: { return SBOX_ERROR_UNSUPPORTED; } |
| 744 } | 753 } |
| 745 | 754 |
| 746 return SBOX_ALL_OK; | 755 return SBOX_ALL_OK; |
| 747 } | 756 } |
| 748 | 757 |
| 749 } // namespace sandbox | 758 } // namespace sandbox |
| OLD | NEW |
