Adding method to create process using LowBox token in sandbox code.

sandbox/win/src/target_process.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/target_process.h"
 
 #include "base/basictypes.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/win/pe_image.h"
 #include "base/win/startup_information.h"
 #include "base/win/windows_version.h"
 #include "sandbox/win/src/crosscall_server.h"
 #include "sandbox/win/src/crosscall_client.h"
 #include "sandbox/win/src/policy_low_level.h"
 #include "sandbox/win/src/sandbox_types.h"
 #include "sandbox/win/src/sharedmem_ipc_server.h"
+#include "sandbox/win/src/win_utils.h"
 
 namespace {
 
 void CopyPolicyToTarget(const void* source, size_t size, void* dest) {
   if (!source || !size)
     return;
   memcpy(dest, source, size);
   sandbox::PolicyGlobal* policy =
       reinterpret_cast<sandbox::PolicyGlobal*>(dest);
 
@@ skipping 79 matching lines @@
   // ipc_server_ references our process handle, so make sure the former is shut
   // down before the latter is closed (by ScopedProcessInformation).
   ipc_server_.reset();
 }
 
 // Creates the target (child) process suspended and assigns it to the job
 // object.
 DWORD TargetProcess::Create(const wchar_t* exe_path,
                             const wchar_t* command_line,
                             bool inherit_handles,
+                            bool set_lockdown_token_after_create,
                             const base::win::StartupInformation& startup_info,
                             base::win::ScopedProcessInformation* target_info) {
+  if (set_lockdown_token_after_create &&
+      base::win::GetVersion() < base::win::VERSION_WIN8) {
+    // We don't allow set_lockdown_token_after_create below Windows 8.
+    return ERROR_INVALID_PARAMETER;
+  }
+
   exe_name_.reset(_wcsdup(exe_path));
 
   // the command line needs to be writable by CreateProcess().
   scoped_ptr<wchar_t, base::FreeDeleter> cmd_line(_wcsdup(command_line));
 
   // Start the target process suspended.
   DWORD flags =
       CREATE_SUSPENDED | CREATE_UNICODE_ENVIRONMENT | DETACHED_PROCESS;
 
   if (startup_info.has_extended_startup_info())
     flags |= EXTENDED_STARTUPINFO_PRESENT;
 
   if (job_ && base::win::GetVersion() < base::win::VERSION_WIN8) {
     // Windows 8 implements nested jobs, but for older systems we need to
     // break out of any job we're in to enforce our restrictions.
     flags |= CREATE_BREAKAWAY_FROM_JOB;
   }
 
+  base::win::ScopedHandle scoped_lockdown_token(lockdown_token_.Take());
   PROCESS_INFORMATION temp_process_info = {};
-  if (!::CreateProcessAsUserW(lockdown_token_.Get(),
-                              exe_path,
-                              cmd_line.get(),
-                              NULL,   // No security attribute.
-                              NULL,   // No thread attribute.
-                              inherit_handles,
-                              flags,
-                              NULL,   // Use the environment of the caller.
-                              NULL,   // Use current directory of the caller.
-                              startup_info.startup_info(),
-                              &temp_process_info)) {
-    return ::GetLastError();
+  if (set_lockdown_token_after_create) {
+    // First create process with a default token and then replace it later,
+    // after setting primary thread token. This is required for setting
+    // an AppContainer token along with an impersonation token.
+    if (!::CreateProcess(exe_path,
+                         cmd_line.get(),
+                         NULL,   // No security attribute.
+                         NULL,   // No thread attribute.
+                         inherit_handles,
+                         flags,
+                         NULL,   // Use the environment of the caller.
+                         NULL,   // Use current directory of the caller.
+                         startup_info.startup_info(),
+                         &temp_process_info)) {
+      return ::GetLastError();
+    }
+  } else {
+    if (!::CreateProcessAsUserW(scoped_lockdown_token.Get(),
+                                exe_path,
+                                cmd_line.get(),
+                                NULL,   // No security attribute.
+                                NULL,   // No thread attribute.
+                                inherit_handles,
+                                flags,
+                                NULL,   // Use the environment of the caller.
+                                NULL,   // Use current directory of the caller.
+                                startup_info.startup_info(),
+                                &temp_process_info)) {
+      return ::GetLastError();
+    }
   }
   base::win::ScopedProcessInformation process_info(temp_process_info);
-  lockdown_token_.Close();
 
   DWORD win_result = ERROR_SUCCESS;
 
   if (job_) {
     // Assign the suspended target to the windows job object.
     if (!::AssignProcessToJobObject(job_, process_info.process_handle())) {
       win_result = ::GetLastError();
       ::TerminateProcess(process_info.process_handle(), 0);
       return win_result;
     }
   }
 
   if (initial_token_.IsValid()) {
     // Change the token of the main thread of the new process for the
     // impersonation token with more rights. This allows the target to start;
     // otherwise it will crash too early for us to help.
     HANDLE temp_thread = process_info.thread_handle();
     if (!::SetThreadToken(&temp_thread, initial_token_.Get())) {
       win_result = ::GetLastError();
       // It might be a security breach if we let the target run outside the job
       // so kill it before it causes damage.
       ::TerminateProcess(process_info.process_handle(), 0);
       return win_result;
     }
     initial_token_.Close();
   }
 
+  if (set_lockdown_token_after_create) {
+    PROCESS_ACCESS_TOKEN process_access_token;
+    process_access_token.thread = process_info.thread_handle();
+    process_access_token.token = scoped_lockdown_token.Get();
+
+    NtSetInformationProcess SetInformationProcess = NULL;
+    ResolveNTFunctionPtr("NtSetInformationProcess", &SetInformationProcess);
+
+    NTSTATUS status = SetInformationProcess(
+        process_info.process_handle(),
+        static_cast<PROCESS_INFORMATION_CLASS>(NtProcessInformationAccessToken),
+        &process_access_token,
+        sizeof(process_access_token));
+    if (!NT_SUCCESS(status)) {
+      win_result = ::GetLastError();
+      ::TerminateProcess(process_info.process_handle(), 0);  // exit code
+      return win_result;
+    }
+  }
+
   CONTEXT context;
   context.ContextFlags = CONTEXT_ALL;
   if (!::GetThreadContext(process_info.thread_handle(), &context)) {
     win_result = ::GetLastError();
     ::TerminateProcess(process_info.process_handle(), 0);
     return win_result;
   }
 
 #if defined(_WIN64)
   void* entry_point = reinterpret_cast<void*>(context.Rcx);
@@ skipping 141 matching lines @@
 TargetProcess* MakeTestTargetProcess(HANDLE process, HMODULE base_address) {
   TargetProcess* target = new TargetProcess(NULL, NULL, NULL, NULL);
   PROCESS_INFORMATION process_info = {};
   process_info.hProcess = process;
   target->sandbox_process_info_.Set(process_info);
   target->base_address_ = base_address;
   return target;
 }
 
 }  // namespace sandbox