sandbox/win/src/policy_broker.cc - Issue 937353002: Adding method to create process using LowBox token in sandbox code.

Side by Side Diff: sandbox/win/src/policy_broker.cc

Issue 937353002: Adding method to create process using LowBox token in sandbox code. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Removed sid.h/.cc Created 5 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include <map>	5 #include <map>

6	6

7 #include "sandbox/win/src/policy_broker.h"	7 #include "sandbox/win/src/policy_broker.h"

8	8

9 #include "base/logging.h"	9 #include "base/logging.h"

10 #include "base/win/pe_image.h"	10 #include "base/win/pe_image.h"

(...skipping 69 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
80 for (size_t i = 0; i < sizeof(g_nt)/sizeof(void*); i++)	80 for (size_t i = 0; i < sizeof(g_nt)/sizeof(void*); i++)

81 DCHECK(reinterpret_cast<char**>(&g_nt)[i]);	81 DCHECK(reinterpret_cast<char**>(&g_nt)[i]);

82 #endif	82 #endif

83 return (SBOX_ALL_OK == child->TransferVariable("g_nt", &g_nt, sizeof(g_nt)));	83 return (SBOX_ALL_OK == child->TransferVariable("g_nt", &g_nt, sizeof(g_nt)));

84 }	84 }

85	85

86 #undef INIT_GLOBAL_NT	86 #undef INIT_GLOBAL_NT

87 #undef INIT_GLOBAL_RTL	87 #undef INIT_GLOBAL_RTL

88	88

89 bool SetupBasicInterceptions(InterceptionManager* manager) {	89 bool SetupBasicInterceptions(InterceptionManager* manager) {

90 // Interceptions provided by process_thread_policy, without actual policy.	90 // Interceptions provided by process_thread_policy, without actual policy.
	rvargas (doing something else) 2015/02/27 20:16:34 What's the change here? The first three intercepti What's the change here? The first three interceptions are still handled by process_thread_policy, but not the others... rvargas (doing something else) 2015/02/28 01:10:05 Looks like you missed these comments. Show quoted text On 2015/02/27 20:16:34, rvargas wrote: > What's the change here? The first three interceptions are still handled by > process_thread_policy, but not the others... Looks like you missed these comments. Shrikant Kelkar 2015/02/28 01:55:41 Done. Show quoted text On 2015/02/28 01:10:05, rvargas wrote: > On 2015/02/27 20:16:34, rvargas wrote: > > What's the change here? The first three interceptions are still handled by > > process_thread_policy, but not the others... > > Looks like you missed these comments. Done.
91 if (!INTERCEPT_NT(manager, NtOpenThread, OPEN_TREAD_ID, 20) \|\|	91 if (!INTERCEPT_NT(manager, NtOpenThread, OPEN_TREAD_ID, 20) \|\|

92 !INTERCEPT_NT(manager, NtOpenProcess, OPEN_PROCESS_ID, 20) \|\|	92 !INTERCEPT_NT(manager, NtOpenProcess, OPEN_PROCESS_ID, 20))
	rvargas (doing something else) 2015/02/27 20:16:34 Nit: this requires {} (and below) Nit: this requires {} (and below)
93 !INTERCEPT_NT(manager, NtOpenProcessToken, OPEN_PROCESS_TOKEN_ID, 16))

94 return false;	93 return false;

95	94

96 // Interceptions with neither policy nor IPC.	95 if(!INTERCEPT_NT(manager, NtOpenProcessToken, OPEN_PROCESS_TOKEN_ID, 16) \|\|

	96 !INTERCEPT_NT(manager, NtOpenThreadToken, OPEN_THREAD_TOKEN_ID, 20))

	97 return false;

	98

97 if (!INTERCEPT_NT(manager, NtSetInformationThread, SET_INFORMATION_THREAD_ID,	99 if (!INTERCEPT_NT(manager, NtSetInformationThread, SET_INFORMATION_THREAD_ID,

98 20) \|\|	100 20))

99 !INTERCEPT_NT(manager, NtOpenThreadToken, OPEN_THREAD_TOKEN_ID, 20))

100 return false;	101 return false;

101	102

102 if (base::win::GetVersion() >= base::win::VERSION_XP) {	103 if (base::win::GetVersion() >= base::win::VERSION_XP) {

103 // Bug 27218: We don't have dispatch for some x64 syscalls.	104 // Bug 27218: We don't have dispatch for some x64 syscalls.

104 // This one is also provided by process_thread_policy.	105 // This one is also provided by process_thread_policy.

105 if (!INTERCEPT_NT(manager, NtOpenProcessTokenEx, OPEN_PROCESS_TOKEN_EX_ID,	106 if (!INTERCEPT_NT(manager, NtOpenProcessTokenEx, OPEN_PROCESS_TOKEN_EX_ID,

106 20))	107 20))

107 return false;	108 return false;

108	109

109 return INTERCEPT_NT(manager, NtOpenThreadTokenEx, OPEN_THREAD_TOKEN_EX_ID,	110 return INTERCEPT_NT(manager, NtOpenThreadTokenEx, OPEN_THREAD_TOKEN_EX_ID,

110 24);	111 24);

111 }	112 }

112	113

113 return true;	114 return true;

114 }	115 }

115	116

116 } // namespace sandbox	117 } // namespace sandbox

OLD	NEW

« sandbox/win/src/app_container_test.cc ('K') | « sandbox/win/src/nt_internals.h ('k') | sandbox/win/src/policy_target.cc » ('j') | no next file with comments »