
Side by Side Diff: sandbox/win/src/sandbox_policy_base.cc

Issue 937353002: Adding method to create process using LowBox token in sandbox code. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Added platform checking Created 5 years, 10 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "sandbox/win/src/sandbox_policy_base.h" 5 #include "sandbox/win/src/sandbox_policy_base.h"
6 6
7 #include <sddl.h> 7 #include <sddl.h>
8 8
9 #include "base/basictypes.h" 9 #include "base/basictypes.h"
10 #include "base/callback.h" 10 #include "base/callback.h"
303 ResultCode PolicyBase::SetDelayedIntegrityLevel( 303 ResultCode PolicyBase::SetDelayedIntegrityLevel(
304 IntegrityLevel integrity_level) { 304 IntegrityLevel integrity_level) {
305 delayed_integrity_level_ = integrity_level; 305 delayed_integrity_level_ = integrity_level;
306 return SBOX_ALL_OK; 306 return SBOX_ALL_OK;
307 } 307 }
308 308
309 ResultCode PolicyBase::SetAppContainer(const wchar_t* sid) { 309 ResultCode PolicyBase::SetAppContainer(const wchar_t* sid) {
310 if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8) 310 if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
311 return SBOX_ALL_OK; 311 return SBOX_ALL_OK;
312 312
313 // Windows refuses to work with an impersonation token for a process inside
314 // an AppContainer. If the caller wants to use a more privileged initial
315 // token, or if the lockdown level will prevent the process from starting,
316 // we have to fail the operation.
317 if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_)
318 return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
319
320 DCHECK(!appcontainer_list_.get()); 313 DCHECK(!appcontainer_list_.get());
321 appcontainer_list_.reset(new AppContainerAttributes); 314 appcontainer_list_.reset(new AppContainerAttributes);
322 ResultCode rv = appcontainer_list_->SetAppContainer(sid, capabilities_); 315 ResultCode rv = appcontainer_list_->SetAppContainer(sid, capabilities_);
323 if (rv != SBOX_ALL_OK) 316 if (rv != SBOX_ALL_OK)
324 return rv; 317 return rv;
325 318
326 return SBOX_ALL_OK; 319 return SBOX_ALL_OK;
327 } 320 }
328 321
329 ResultCode PolicyBase::SetCapability(const wchar_t* sid) { 322 ResultCode PolicyBase::SetCapability(const wchar_t* sid) {
470 SE_WINDOW_OBJECT, 463 SE_WINDOW_OBJECT,
471 L"", 464 L"",
472 GetIntegrityLevelString(integrity_level_)); 465 GetIntegrityLevelString(integrity_level_));
473 if (ERROR_SUCCESS != result) 466 if (ERROR_SUCCESS != result)
474 return SBOX_ERROR_GENERIC; 467 return SBOX_ERROR_GENERIC;
475 468
476 alternate_desktop_integrity_level_label_ = integrity_level_; 469 alternate_desktop_integrity_level_label_ = integrity_level_;
477 } 470 }
478 471
479 if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) { 472 if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) {
480 // Windows refuses to work with an impersonation token. See SetAppContainer 473 NtCreateLowBoxToken CreateLowBox = NULL;
481 // implementation for more details. 474 ResolveNTFunctionPtr("NtCreateLowBoxToken", &CreateLowBox);
482 if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_)
483 return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
484 475
485 *initial = INVALID_HANDLE_VALUE; 476 HANDLE token_lowbox = NULL;
486 return SBOX_ALL_OK; 477 const SECURITY_CAPABILITIES& capabilities =
478 appcontainer_list_->GetCapabilities();
479
480 OBJECT_ATTRIBUTES obj_attr;
481 InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL);
482
483 NTSTATUS status = CreateLowBox(&token_lowbox,
484 *lockdown,
485 TOKEN_ALL_ACCESS,
rvargas (doing something else) 2015/02/21 01:01:22 Just curious, any idea what this does?
Shrikant Kelkar 2015/02/21 02:32:41 Not sure, but guess is that it will open and retur
rvargas (doing something else) 2015/02/24 01:01:49 Do we need ALL_ACCESS?
486 &obj_attr,
487 capabilities.AppContainerSid,
488 capabilities.CapabilityCount,
489 capabilities.Capabilities,
490 0,
491 NULL);
492 if (!NT_SUCCESS(status) && token_lowbox == NULL) {
rvargas (doing something else) 2015/02/21 01:01:22 || !token_lowbox?. An && implies that if the funct
Shrikant Kelkar 2015/02/21 02:32:41 Done.
493 return SBOX_ERROR_GENERIC;
494 }
495 ::CloseHandle(*lockdown);
496 *lockdown = token_lowbox;
487 } 497 }
488 498
489 // Create the 'better' token. We use this token as the one that the main 499 // Create the 'better' token. We use this token as the one that the main
490 // thread uses when booting up the process. It should contain most of 500 // thread uses when booting up the process. It should contain most of
491 // what we need (before reaching main( )) 501 // what we need (before reaching main( ))
492 result = CreateRestrictedToken(initial, initial_level_, 502 result = CreateRestrictedToken(initial, initial_level_,
493 integrity_level_, IMPERSONATION); 503 integrity_level_, IMPERSONATION);
494 if (ERROR_SUCCESS != result) { 504 if (ERROR_SUCCESS != result) {
495 ::CloseHandle(*lockdown); 505 ::CloseHandle(*lockdown);
496 return SBOX_ERROR_GENERIC; 506 return SBOX_ERROR_GENERIC;
740 break; 750 break;
741 } 751 }
742 752
743 default: { return SBOX_ERROR_UNSUPPORTED; } 753 default: { return SBOX_ERROR_UNSUPPORTED; }
744 } 754 }
745 755
746 return SBOX_ALL_OK; 756 return SBOX_ALL_OK;
747 } 757 }
748 758
749 } // namespace sandbox 759 } // namespace sandbox
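Review bot: The failure path after the NtCreateLowBoxToken call (new line 493) returns SBOX_ERROR_GENERIC while `*lockdown` is still open, so the restricted lockdown token handle leaks on that branch; the CreateRestrictedToken failure path a few lines below (new lines 505-506) closes it first, and this branch should do the same by adding `::CloseHandle(*lockdown);` before the `return SBOX_ERROR_GENERIC;`. The swap at new lines 495-496 replaces the caller's lockdown token with the LowBox token without a word of explanation, and the old comment about impersonation tokens and AppContainers was removed from SetAppContainer, so a short comment above the `ResolveNTFunctionPtr` call saying why the lockdown token is exchanged for a LowBox token (and that the original handle is closed here) would help the next reader. The result of `ResolveNTFunctionPtr` is not examined at new line 474; if that helper does not itself CHECK that the lookup succeeded, a null `CreateLowBox` would be invoked on a platform lacking the export, which is worth confirming against its implementation rather than assuming. The enclosing token-creation function starts before the visible lines of this section.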
