Index: sandbox/win/src/sandbox_policy_base.cc |
diff --git a/sandbox/win/src/sandbox_policy_base.cc b/sandbox/win/src/sandbox_policy_base.cc |
index d3c920e6429c0e7119a34d423747ec921113603e..b297035c19a0552d4c9e3ed7b77a46edfbfbf2c5 100644 |
--- a/sandbox/win/src/sandbox_policy_base.cc |
+++ b/sandbox/win/src/sandbox_policy_base.cc |
@@ -98,7 +98,8 @@ PolicyBase::PolicyBase() |
mitigations_(0), |
delayed_mitigations_(0), |
policy_maker_(NULL), |
- policy_(NULL) { |
+ policy_(NULL), |
+ lowbox_sid_(NULL) { |
::InitializeCriticalSection(&lock_); |
// Initialize the IPC dispatcher array. |
memset(&ipc_targets_, NULL, sizeof(ipc_targets_)); |
@@ -152,6 +153,10 @@ PolicyBase::~PolicyBase() { |
delete ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG]; |
delete policy_maker_; |
delete policy_; |
+ |
+ if (lowbox_sid_) |
+ LocalFree(lowbox_sid_); |
+ |
::DeleteCriticalSection(&lock_); |
} |
@@ -331,6 +336,22 @@ ResultCode PolicyBase::SetCapability(const wchar_t* sid) { |
return SBOX_ALL_OK; |
} |
+ResultCode PolicyBase::SetLowBox(const wchar_t* sid) { |
+ // SetLowBox and SetAppContainer are mutually exclusive. |
+ if (appcontainer_list_.get()) |
+ return SBOX_ERROR_UNEXPECTED_CALL; |
+ |
+ DCHECK(sid); |
+ |
+ if (lowbox_sid_) |
rvargas (doing something else)
2015/02/28 01:10:06
nit: This should be an error.
Shrikant Kelkar
2015/02/28 01:55:41
Done.
|
+ LocalFree(lowbox_sid_); |
+ |
+ if (!ConvertStringSidToSid(sid, &lowbox_sid_)) |
rvargas (doing something else)
2015/02/28 01:10:06
There should be an OS version check here
Shrikant Kelkar
2015/02/28 01:55:42
Done.
|
+ return SBOX_ERROR_GENERIC; |
+ |
+ return SBOX_ALL_OK; |
+} |
+ |
ResultCode PolicyBase::SetProcessMitigations( |
MitigationFlags flags) { |
if (!CanSetProcessMitigationsPreStartup(flags)) |
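Review bot: The failure path of ConvertStringSidToSid in SetLowBox leaves lowbox_sid_ holding whatever value it had before the call, and in the code as shown that value can be a SID that the LocalFree two lines earlier already released, so the destructor (or a later SetLowBox call) would free it a second time. Whatever the repeat-call path becomes, a conversion failure should leave the member NULL, e.g. `if (!ConvertStringSidToSid(sid, &lowbox_sid_)) { lowbox_sid_ = NULL; return SBOX_ERROR_BAD_PARAMS; }`. A malformed SID string is a caller error, so SBOX_ERROR_BAD_PARAMS (already proposed elsewhere in this review) fits better than SBOX_ERROR_GENERIC, and the Windows error from GetLastError() is worth logging before it is lost. Note that DCHECK(sid) is debug-only; in release a NULL sid reaches the API and fails through this same path, so it must be safe.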
@@ -448,6 +469,11 @@ ResultCode PolicyBase::MakeJobObject(HANDLE* job) { |
} |
ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) { |
+ if (appcontainer_list_.get() && |
+ appcontainer_list_->HasAppContainer() && |
rvargas (doing something else)
2015/02/28 01:10:06
nit: send this to the previous line
Shrikant Kelkar
2015/02/28 01:55:42
Done.
|
+ lowbox_sid_) |
rvargas (doing something else)
2015/02/28 01:10:06
nit : requires {}
Shrikant Kelkar
2015/02/28 01:55:42
Done.
|
+ return SBOX_ERROR_UNEXPECTED_CALL; |
rvargas (doing something else)
2015/02/28 01:10:06
SBOX_ERROR_BAD_PARAMS ?
Shrikant Kelkar
2015/02/28 01:55:42
Done.
|
+ |
// Create the 'naked' token. This will be the permanent token associated |
// with the process and therefore with any thread that is not impersonating. |
DWORD result = CreateRestrictedToken(lockdown, lockdown_level_, |
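Review bot: The new guard at the top of MakeTokens needs a comment saying which call order it catches, because SetLowBox already returns SBOX_ERROR_UNEXPECTED_CALL when appcontainer_list_ is set, so this check can only fire when SetAppContainer was called after SetLowBox (assuming SetAppContainer does not itself test lowbox_sid_; its body is not in this diff). Something like `// Reachable only via SetLowBox() followed by SetAppContainer(); SetLowBox()` / `// itself rejects the reverse order.` would save the next reader the cross-reference. The two checks also differ slightly: SetLowBox tests appcontainer_list_.get() alone while this one additionally requires HasAppContainer(), so a policy with an empty AppContainer list plus a LowBox SID passes here but would have been rejected the other way round; either align the conditions or state the asymmetry in the comment. MakeTokens continues past the end of this hunk.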
@@ -476,6 +502,9 @@ ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) { |
alternate_desktop_integrity_level_label_ = integrity_level_; |
} |
+ // We are maintaining two approaches this time and making them mutually |
rvargas (doing something else)
2015/02/28 01:10:06
nit: this time? (aka, remove)
rvargas (doing something else)
2015/02/28 01:10:06
nit: we are not making them mutually exclusive...
Shrikant Kelkar
2015/02/28 01:55:41
Done.
Shrikant Kelkar
2015/02/28 01:55:42
Done.
|
+ // exclusive. One is to start appcontainer process through StartupInfoEx |
rvargas (doing something else)
2015/02/28 01:10:06
nit: start an AppContainer
Shrikant Kelkar
2015/02/28 01:55:42
Done.
|
+ // and other is by attaching LowBox token after process creation. |
rvargas (doing something else)
2015/02/28 01:10:06
nit: We don't attach a token, we replace the token
Shrikant Kelkar
2015/02/28 01:55:42
Done.
|
if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) { |
// Windows refuses to work with an impersonation token. See SetAppContainer |
// implementation for more details. |
@@ -484,6 +513,30 @@ ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) { |
*initial = INVALID_HANDLE_VALUE; |
return SBOX_ALL_OK; |
+ } else if (lowbox_sid_) { |
+ NtCreateLowBoxToken CreateLowBox = NULL; |
+ ResolveNTFunctionPtr("NtCreateLowBoxToken", &CreateLowBox); |
+ |
+ HANDLE token_lowbox = NULL; |
+ |
rvargas (doing something else)
2015/02/28 01:10:06
nit: remove empty line. In fact, move line 520 to
Shrikant Kelkar
2015/02/28 01:55:42
Done.
|
+ OBJECT_ATTRIBUTES obj_attr; |
+ InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL); |
+ |
+ NTSTATUS status = CreateLowBox(&token_lowbox, |
+ *lockdown, |
rvargas (doing something else)
2015/02/28 01:10:06
nit: we can fit more arguments per line here...
Shrikant Kelkar
2015/02/28 01:55:42
Done.
|
+ TOKEN_ALL_ACCESS, |
+ &obj_attr, |
+ lowbox_sid_, |
+ 0, |
+ NULL, |
+ 0, |
+ NULL); |
+ if (!NT_SUCCESS(status)) { |
rvargas (doing something else)
2015/02/28 01:10:06
nit: no {}
Shrikant Kelkar
2015/02/28 01:55:41
Done.
|
+ return SBOX_ERROR_GENERIC; |
+ } |
+ DCHECK(token_lowbox); |
+ ::CloseHandle(*lockdown); |
+ *lockdown = token_lowbox; |
} |
// Create the 'better' token. We use this token as the one that the main |
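Review bot: The pointer filled in by ResolveNTFunctionPtr("NtCreateLowBoxToken", &CreateLowBox) is invoked without being checked, so on a Windows build whose ntdll lacks that export CreateLowBox is either still NULL and dereferenced here or ResolveNTFunctionPtr fails hard internally; its failure mode is not visible in this diff. A local guard, `if (!CreateLowBox) return SBOX_ERROR_GENERIC;`, turns that into the same recoverable error the NTSTATUS branch already returns and keeps MakeTokens safe regardless of where a version check lands. The NTSTATUS from NtCreateLowBoxToken is also discarded; logging or mapping it before returning SBOX_ERROR_GENERIC would make a failed LowBox token creation diagnosable in the field. MakeTokens continues past the end of this hunk.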
@@ -505,6 +558,10 @@ const AppContainerAttributes* PolicyBase::GetAppContainer() const { |
return appcontainer_list_.get(); |
} |
+const PSID PolicyBase::GetLowBoxSid() const { |
+ return lowbox_sid_; |
+} |
+ |
bool PolicyBase::AddTarget(TargetProcess* target) { |
if (NULL != policy_) |
policy_maker_->Done(); |
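Review bot: `const PSID` as the return type of GetLowBoxSid applies const to the pointer value itself (PSID is `void*`), not to the SID it points at, so it neither protects the member nor tells the caller anything. Plain `PSID PolicyBase::GetLowBoxSid() const` is equivalent and less misleading; the header declaration would need the matching change. What callers actually need to know is ownership, which the destructor and SetLowBox make visible, e.g. `// Owned by the policy; valid until the PolicyBase is destroyed or SetLowBox() replaces it.`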