Adding method to create process using LowBox token in sandbox code.

sandbox/win/src/sandbox_policy_base.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/sandbox_policy_base.h"
 
 #include <sddl.h>
 
 #include "base/basictypes.h"
 #include "base/callback.h"
@@ skipping 80 matching lines @@
       use_alternate_winstation_(false),
       file_system_init_(false),
       relaxed_interceptions_(true),
       stdout_handle_(INVALID_HANDLE_VALUE),
       stderr_handle_(INVALID_HANDLE_VALUE),
       integrity_level_(INTEGRITY_LEVEL_LAST),
       delayed_integrity_level_(INTEGRITY_LEVEL_LAST),
       mitigations_(0),
       delayed_mitigations_(0),
       policy_maker_(NULL),
-      policy_(NULL) {
+      policy_(NULL),
+      lowbox_sid_(NULL) {
   ::InitializeCriticalSection(&lock_);
   // Initialize the IPC dispatcher array.
   memset(&ipc_targets_, NULL, sizeof(ipc_targets_));
   Dispatcher* dispatcher = NULL;
 
   dispatcher = new FilesystemDispatcher(this);
   ipc_targets_[IPC_NTCREATEFILE_TAG] = dispatcher;
   ipc_targets_[IPC_NTOPENFILE_TAG] = dispatcher;
   ipc_targets_[IPC_NTSETINFO_RENAME_TAG] = dispatcher;
   ipc_targets_[IPC_NTQUERYATTRIBUTESFILE_TAG] = dispatcher;
@@ skipping 33 matching lines @@
     delete target;
   }
   delete ipc_targets_[IPC_NTCREATEFILE_TAG];
   delete ipc_targets_[IPC_CREATENAMEDPIPEW_TAG];
   delete ipc_targets_[IPC_NTOPENTHREAD_TAG];
   delete ipc_targets_[IPC_CREATEEVENT_TAG];
   delete ipc_targets_[IPC_NTCREATEKEY_TAG];
   delete ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG];
   delete policy_maker_;
   delete policy_;
+
+  if (lowbox_sid_)
+    LocalFree(lowbox_sid_);
+

[cpu_(ooo_6.6-7.5), 2015/02/28 02:13:53]

::LocalFree() or at least we seem to be consistent on this file about that.

[Shrikant Kelkar, 2015/02/28 02:33:47]

Done.

   ::DeleteCriticalSection(&lock_);
 }
 
 void PolicyBase::AddRef() {
   ::InterlockedIncrement(&ref_count);
 }
 
 void PolicyBase::Release() {
   if (0 == ::InterlockedDecrement(&ref_count))
     delete this;
@@ skipping 159 matching lines @@
     return rv;
 
   return SBOX_ALL_OK;
 }
 
 ResultCode PolicyBase::SetCapability(const wchar_t* sid) {
   capabilities_.push_back(sid);
   return SBOX_ALL_OK;
 }
 
+ResultCode PolicyBase::SetLowBox(const wchar_t* sid) {
+  if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)

[cpu_(ooo_6.6-7.5), 2015/02/28 02:13:53]

why the long form instead of the GetVersinon() one?

[Shrikant Kelkar, 2015/02/28 02:33:47]

Copied from earlier usage within this file. like line 315.

+    return SBOX_ERROR_UNEXPECTED_CALL;

[cpu_(ooo_6.6-7.5), 2015/02/28 02:13:53]

return SBOX_ERROR_UNSUPPORTED

[rvargas (doing something else), 2015/02/28 02:23:08]

I'm not sure what is the right thing to do, but note that SetAppContainer()
returns SBOX_ALL_OK instead, which means that the caller doesn't need OS-version
dependent code.

[Shrikant Kelkar, 2015/02/28 02:33:46]

Acknowledged.

[Shrikant Kelkar, 2015/02/28 02:33:47]

Done.

+
+  // SetLowBox and SetAppContainer are mutually exclusive.
+  if (appcontainer_list_.get())
+    return SBOX_ERROR_UNEXPECTED_CALL;

[rvargas (doing something else), 2015/02/28 02:23:08]

On the other hand, unsupported looks like a good choice here.

BTW, we should be consistent in returning the same error if the order of calls
is inverted (setLowBox + SetAppContainer)

[Shrikant Kelkar, 2015/02/28 02:33:47]

Done.

+
+  DCHECK(sid);
+
+  if (lowbox_sid_)
+    return SBOX_ERROR_BAD_PARAMS;
+
+  if (!ConvertStringSidToSid(sid, &lowbox_sid_))
+    return SBOX_ERROR_GENERIC;
+
+  return SBOX_ALL_OK;
+}
+
 ResultCode PolicyBase::SetProcessMitigations(
     MitigationFlags flags) {
   if (!CanSetProcessMitigationsPreStartup(flags))
     return SBOX_ERROR_BAD_PARAMS;
   mitigations_ = flags;
   return SBOX_ALL_OK;
 }
 
 MitigationFlags PolicyBase::GetProcessMitigations() {
   return mitigations_;
@@ skipping 97 matching lines @@
       return SBOX_ERROR_GENERIC;
     }
     *job = job_obj.Detach();
   } else {
     *job = NULL;
   }
   return SBOX_ALL_OK;
 }
 
 ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) {
+  if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer() &&
+      lowbox_sid_) {

[cpu_(ooo_6.6-7.5), 2015/02/28 02:13:53]

is there a way to trigger this check while bypassing the checks above?

+    return SBOX_ERROR_BAD_PARAMS;
+  }
+
   // Create the 'naked' token. This will be the permanent token associated
   // with the process and therefore with any thread that is not impersonating.
   DWORD result = CreateRestrictedToken(lockdown, lockdown_level_,
                                        integrity_level_, PRIMARY);
   if (ERROR_SUCCESS != result)
     return SBOX_ERROR_GENERIC;
 
   // If we're launching on the alternate desktop we need to make sure the
   // integrity label on the object is no higher than the sandboxed process's
   // integrity level. So, we lower the label on the desktop process if it's
   // not already low enough for our process.
   if (alternate_desktop_handle_ && use_alternate_desktop_ &&
       integrity_level_ != INTEGRITY_LEVEL_LAST &&
       alternate_desktop_integrity_level_label_ < integrity_level_ &&
       base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) {
     // Integrity label enum is reversed (higher level is a lower value).
     static_assert(INTEGRITY_LEVEL_SYSTEM < INTEGRITY_LEVEL_UNTRUSTED,
                   "Integrity level ordering reversed.");
     result = SetObjectIntegrityLabel(alternate_desktop_handle_,
                                      SE_WINDOW_OBJECT,
                                      L"",
                                      GetIntegrityLevelString(integrity_level_));
     if (ERROR_SUCCESS != result)
       return SBOX_ERROR_GENERIC;
 
     alternate_desktop_integrity_level_label_ = integrity_level_;
   }
 
+  // We are maintaining two mutually exclusive approaches. One is to start an
+  // AppContainer process through StartupInfoEx and other is by replacing

[rvargas (doing something else), 2015/02/28 02:23:08]

nit: remove "by"?

[Shrikant Kelkar, 2015/02/28 02:33:47]

Done.

+  // existing token with LowBox token after process creation.
   if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) {
     // Windows refuses to work with an impersonation token. See SetAppContainer
     // implementation for more details.
     if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_)
       return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
 
     *initial = INVALID_HANDLE_VALUE;
     return SBOX_ALL_OK;
+  } else if (lowbox_sid_) {
+    NtCreateLowBoxToken CreateLowBox = NULL;

[cpu_(ooo_6.6-7.5), 2015/02/28 02:13:53]

function should be named CreateLowBoxToken, or is it clashing with something
else?

[Shrikant Kelkar, 2015/02/28 02:33:47]

Done.

+    ResolveNTFunctionPtr("NtCreateLowBoxToken", &CreateLowBox);
+
+    OBJECT_ATTRIBUTES obj_attr;
+    InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL);
+    HANDLE token_lowbox = NULL;
+

[rvargas (doing something else), 2015/02/28 02:23:08]

nit: move the empty line above the previous line.

[Shrikant Kelkar, 2015/02/28 02:33:47]

Done.

[rvargas (doing something else), 2015/02/28 02:48:05]

Don't see it (the variable declaration should be together with the function that
uses it as opposed to with the previous block of code)

[Shrikant Kelkar, 2015/03/01 00:31:43]

Done.

+    NTSTATUS status = CreateLowBox(&token_lowbox, *lockdown, TOKEN_ALL_ACCESS,
+                                   &obj_attr, lowbox_sid_, 0, NULL, 0, NULL);
+    if (!NT_SUCCESS(status))
+      return SBOX_ERROR_GENERIC;
+
+    DCHECK(token_lowbox);
+    ::CloseHandle(*lockdown);
+    *lockdown = token_lowbox;
   }
 
   // Create the 'better' token. We use this token as the one that the main
   // thread uses when booting up the process. It should contain most of
   // what we need (before reaching main( ))
   result = CreateRestrictedToken(initial, initial_level_,
                                  integrity_level_, IMPERSONATION);
   if (ERROR_SUCCESS != result) {
     ::CloseHandle(*lockdown);
     return SBOX_ERROR_GENERIC;
   }
   return SBOX_ALL_OK;
 }
 
 const AppContainerAttributes* PolicyBase::GetAppContainer() const {
   if (!appcontainer_list_.get() || !appcontainer_list_->HasAppContainer())
     return NULL;
 
   return appcontainer_list_.get();
 }
 
+const PSID PolicyBase::GetLowBoxSid() const {
+  return lowbox_sid_;
+}
+
 bool PolicyBase::AddTarget(TargetProcess* target) {
   if (NULL != policy_)
     policy_maker_->Done();
 
   if (!ApplyProcessMitigationsToSuspendedProcess(target->Process(),
                                                  mitigations_)) {
     return false;
   }
 
   if (!SetupAllInterceptions(target))
@@ skipping 222 matching lines @@
       break;
     }
 
     default: { return SBOX_ERROR_UNSUPPORTED; }
   }
 
   return SBOX_ALL_OK;
 }
 
 }  // namespace sandbox