Adding method to create process using LowBox token in sandbox code.

sandbox/win/src/target_process.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/target_process.h"
 
 #include "base/basictypes.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/win/pe_image.h"
 #include "base/win/startup_information.h"
 #include "base/win/windows_version.h"
 #include "sandbox/win/src/crosscall_server.h"
 #include "sandbox/win/src/crosscall_client.h"
 #include "sandbox/win/src/policy_low_level.h"
 #include "sandbox/win/src/sandbox_types.h"
 #include "sandbox/win/src/sharedmem_ipc_server.h"
+#include "sandbox/win/src/win_utils.h"
 
 namespace {
 
 void CopyPolicyToTarget(const void* source, size_t size, void* dest) {
   if (!source || !size)
     return;
   memcpy(dest, source, size);
   sandbox::PolicyGlobal* policy =
       reinterpret_cast<sandbox::PolicyGlobal*>(dest);
 
@@ skipping 100 matching lines @@
   if (startup_info.has_extended_startup_info())
     flags |= EXTENDED_STARTUPINFO_PRESENT;
 
   if (job_ && base::win::GetVersion() < base::win::VERSION_WIN8) {
     // Windows 8 implements nested jobs, but for older systems we need to
     // break out of any job we're in to enforce our restrictions.
     flags |= CREATE_BREAKAWAY_FROM_JOB;
   }
 
   PROCESS_INFORMATION temp_process_info = {};
-  if (!::CreateProcessAsUserW(lockdown_token_.Get(),
-                              exe_path,
-                              cmd_line.get(),
-                              NULL,   // No security attribute.
-                              NULL,   // No thread attribute.
-                              inherit_handles,
-                              flags,
-                              NULL,   // Use the environment of the caller.
-                              NULL,   // Use current directory of the caller.
-                              startup_info.startup_info(),
-                              &temp_process_info)) {
-    return ::GetLastError();
+  if (base::win::GetVersion() < base::win::VERSION_WIN8) {
+    if (!::CreateProcessAsUserW(lockdown_token_.Get(),

[forshaw, 2015/02/20 11:38:02]

There was some discussion about doing this trick for all platforms not just Win8
as that would greatly simplify the code. Did we test this out and find it didn't
work?

[Shrikant Kelkar, 2015/02/21 02:32:41]

No, I haven't tested on other platforms. But to be on safer side I would like to
experiment with Win8 on canary first and see if things are working okay in the
field. Merging code will be easier CL later.

+                                exe_path,
+                                cmd_line.get(),
+                                NULL,   // No security attribute.
+                                NULL,   // No thread attribute.
+                                inherit_handles,
+                                flags,
+                                NULL,   // Use the environment of the caller.
+                                NULL,   // Use current directory of the caller.
+                                startup_info.startup_info(),
+                                &temp_process_info)) {
+      return ::GetLastError();
+    }
+    lockdown_token_.Close();
+  } else {
+    // For Windows 8 and above we will first create process with default token

[rvargas (doing something else), 2015/02/21 01:01:22]

nit: create the process with a default... later, after setting ... required for
setting an app.... along with an

[Shrikant Kelkar, 2015/02/21 02:32:41]

Done.

+    // and then replace it later after setting primary thread token. This is
+    // required for setting app container token along with impersonation one.
+    if (!::CreateProcess(exe_path,
+                         cmd_line.get(),
+                         NULL,   // No security attribute.
+                         NULL,   // No thread attribute.
+                         inherit_handles,
+                         flags,
+                         NULL,   // Use the environment of the caller.
+                         NULL,   // Use current directory of the caller.
+                         startup_info.startup_info(),
+                         &temp_process_info)) {
+      return ::GetLastError();
+    }
   }
   base::win::ScopedProcessInformation process_info(temp_process_info);
-  lockdown_token_.Close();
 
   DWORD win_result = ERROR_SUCCESS;
 
   if (job_) {
     // Assign the suspended target to the windows job object.
     if (!::AssignProcessToJobObject(job_, process_info.process_handle())) {
       win_result = ::GetLastError();
       ::TerminateProcess(process_info.process_handle(), 0);
       return win_result;
     }
   }
 
   if (initial_token_.IsValid()) {
     // Change the token of the main thread of the new process for the
     // impersonation token with more rights. This allows the target to start;
     // otherwise it will crash too early for us to help.
     HANDLE temp_thread = process_info.thread_handle();
     if (!::SetThreadToken(&temp_thread, initial_token_.Get())) {
       win_result = ::GetLastError();
       // It might be a security breach if we let the target run outside the job
       // so kill it before it causes damage.
       ::TerminateProcess(process_info.process_handle(), 0);
       return win_result;
     }
     initial_token_.Close();
   }
 
+  if (base::win::GetVersion() >= base::win::VERSION_WIN8) {
+    PROCESS_ACCESS_TOKEN process_access_token;
+    process_access_token.thread = process_info.thread_handle();
+    process_access_token.token = lockdown_token_.Get();
+
+    NtSetInformationProcess SetInformationProcess = NULL;
+    ResolveNTFunctionPtr("NtSetInformationProcess", &SetInformationProcess);
+
+    NTSTATUS status = SetInformationProcess(
+        process_info.process_handle(),
+        static_cast<PROCESS_INFORMATION_CLASS>(NtProcessInformationAccessToken),
+        &process_access_token,
+        sizeof(process_access_token));
+    if (!NT_SUCCESS(status)) {

[forshaw, 2015/02/20 11:38:02]

Missing a call to lockdown_token_.Close() for this execution path.

[Will Harris, 2015/02/21 01:13:15]

This should get closed in TargetProcess descructor at exit of
BrokerServicesBase::SpawnTarget as it's a scoped handle.  I don't think we need
any of the Close() calls tbh - rvargas?

[rvargas (doing something else), 2015/02/21 01:26:01]

Yes, not leaking. I thought that for some reason we didn't want an open handle
after leaving this function... which is kind of true as the process may live a
long time and an extra handle is just more resources waiting to be messed up
with :).

We should probably scope it to a local variable up there.

[Shrikant Kelkar, 2015/02/21 02:32:41]

Done.

[Shrikant Kelkar, 2015/02/21 02:32:41]

Done.

[Shrikant Kelkar, 2015/02/21 02:32:41]

Done.

+      win_result = ::GetLastError();
+      ::TerminateProcess(process_info.process_handle(), 0);  // exit code
+      return win_result;
+    }
+  }
+
   CONTEXT context;
   context.ContextFlags = CONTEXT_ALL;
   if (!::GetThreadContext(process_info.thread_handle(), &context)) {
     win_result = ::GetLastError();
     ::TerminateProcess(process_info.process_handle(), 0);
     return win_result;
   }
 
 #if defined(_WIN64)
   void* entry_point = reinterpret_cast<void*>(context.Rcx);
@@ skipping 141 matching lines @@
 TargetProcess* MakeTestTargetProcess(HANDLE process, HMODULE base_address) {
   TargetProcess* target = new TargetProcess(NULL, NULL, NULL, NULL);
   PROCESS_INFORMATION process_info = {};
   process_info.hProcess = process;
   target->sandbox_process_info_.Set(process_info);
   target->base_address_ = base_address;
   return target;
 }
 
 }  // namespace sandbox