Chromium Code Reviews| Index: sandbox/win/src/sandbox_policy_base.cc |
| diff --git a/sandbox/win/src/sandbox_policy_base.cc b/sandbox/win/src/sandbox_policy_base.cc |
| index d3c920e6429c0e7119a34d423747ec921113603e..b297035c19a0552d4c9e3ed7b77a46edfbfbf2c5 100644 |
| --- a/sandbox/win/src/sandbox_policy_base.cc |
| +++ b/sandbox/win/src/sandbox_policy_base.cc |
| @@ -98,7 +98,8 @@ PolicyBase::PolicyBase() |
| mitigations_(0), |
| delayed_mitigations_(0), |
| policy_maker_(NULL), |
| - policy_(NULL) { |
| + policy_(NULL), |
| + lowbox_sid_(NULL) { |
| ::InitializeCriticalSection(&lock_); |
| // Initialize the IPC dispatcher array. |
| memset(&ipc_targets_, NULL, sizeof(ipc_targets_)); |
| @@ -152,6 +153,10 @@ PolicyBase::~PolicyBase() { |
| delete ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG]; |
| delete policy_maker_; |
| delete policy_; |
| + |
| + if (lowbox_sid_) |
| + LocalFree(lowbox_sid_); |
| + |
| ::DeleteCriticalSection(&lock_); |
| } |
| @@ -331,6 +336,22 @@ ResultCode PolicyBase::SetCapability(const wchar_t* sid) { |
| return SBOX_ALL_OK; |
| } |
| +ResultCode PolicyBase::SetLowBox(const wchar_t* sid) { |
| + // SetLowBox and SetAppContainer are mutually exclusive. |
| + if (appcontainer_list_.get()) |
| + return SBOX_ERROR_UNEXPECTED_CALL; |
| + |
| + DCHECK(sid); |
| + |
| + if (lowbox_sid_) |
|
rvargas (doing something else)
2015/02/28 01:10:06
nit: This should be an error.
Shrikant Kelkar
2015/02/28 01:55:41
Done.
|
| + LocalFree(lowbox_sid_); |
| + |
| + if (!ConvertStringSidToSid(sid, &lowbox_sid_)) |
|
rvargas (doing something else)
2015/02/28 01:10:06
There should be an OS version check here
Shrikant Kelkar
2015/02/28 01:55:42
Done.
|
| + return SBOX_ERROR_GENERIC; |
| + |
| + return SBOX_ALL_OK; |
| +} |
| + |
| ResultCode PolicyBase::SetProcessMitigations( |
| MitigationFlags flags) { |
| if (!CanSetProcessMitigationsPreStartup(flags)) |
| @@ -448,6 +469,11 @@ ResultCode PolicyBase::MakeJobObject(HANDLE* job) { |
| } |
| ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) { |
| + if (appcontainer_list_.get() && |
| + appcontainer_list_->HasAppContainer() && |
|
rvargas (doing something else)
2015/02/28 01:10:06
nit: send this to the previous line
Shrikant Kelkar
2015/02/28 01:55:42
Done.
|
| + lowbox_sid_) |
|
rvargas (doing something else)
2015/02/28 01:10:06
nit : requires {}
Shrikant Kelkar
2015/02/28 01:55:42
Done.
|
| + return SBOX_ERROR_UNEXPECTED_CALL; |
|
rvargas (doing something else)
2015/02/28 01:10:06
SBOX_ERROR_BAD_PARAMS ?
Shrikant Kelkar
2015/02/28 01:55:42
Done.
|
| + |
| // Create the 'naked' token. This will be the permanent token associated |
| // with the process and therefore with any thread that is not impersonating. |
| DWORD result = CreateRestrictedToken(lockdown, lockdown_level_, |
| @@ -476,6 +502,9 @@ ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) { |
| alternate_desktop_integrity_level_label_ = integrity_level_; |
| } |
| + // We are maintaining two approaches this time and making them mutually |
|
rvargas (doing something else)
2015/02/28 01:10:06
nit: this time? (aka, remove)
rvargas (doing something else)
2015/02/28 01:10:06
nit: we are not making them mutually exclusive...
Shrikant Kelkar
2015/02/28 01:55:41
Done.
Shrikant Kelkar
2015/02/28 01:55:42
Done.
|
| + // exclusive. One is to start appcontainer process through StartupInfoEx |
|
rvargas (doing something else)
2015/02/28 01:10:06
nit: start an AppContainer
Shrikant Kelkar
2015/02/28 01:55:42
Done.
|
| + // and other is by attaching LowBox token after process creation. |
|
rvargas (doing something else)
2015/02/28 01:10:06
nit: We don't attach a token, we replace the token
Shrikant Kelkar
2015/02/28 01:55:42
Done.
|
| if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) { |
| // Windows refuses to work with an impersonation token. See SetAppContainer |
| // implementation for more details. |
| @@ -484,6 +513,30 @@ ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) { |
| *initial = INVALID_HANDLE_VALUE; |
| return SBOX_ALL_OK; |
| + } else if (lowbox_sid_) { |
| + NtCreateLowBoxToken CreateLowBox = NULL; |
| + ResolveNTFunctionPtr("NtCreateLowBoxToken", &CreateLowBox); |
| + |
| + HANDLE token_lowbox = NULL; |
| + |
|
rvargas (doing something else)
2015/02/28 01:10:06
nit: remove empty line. In fact, move line 520 to
Shrikant Kelkar
2015/02/28 01:55:42
Done.
|
| + OBJECT_ATTRIBUTES obj_attr; |
| + InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL); |
| + |
| + NTSTATUS status = CreateLowBox(&token_lowbox, |
| + *lockdown, |
|
rvargas (doing something else)
2015/02/28 01:10:06
nit: we can fit more arguments per line here...
Shrikant Kelkar
2015/02/28 01:55:42
Done.
|
| + TOKEN_ALL_ACCESS, |
| + &obj_attr, |
| + lowbox_sid_, |
| + 0, |
| + NULL, |
| + 0, |
| + NULL); |
| + if (!NT_SUCCESS(status)) { |
|
rvargas (doing something else)
2015/02/28 01:10:06
nit: no {}
Shrikant Kelkar
2015/02/28 01:55:41
Done.
|
| + return SBOX_ERROR_GENERIC; |
| + } |
| + DCHECK(token_lowbox); |
| + ::CloseHandle(*lockdown); |
| + *lockdown = token_lowbox; |
| } |
| // Create the 'better' token. We use this token as the one that the main |
| @@ -505,6 +558,10 @@ const AppContainerAttributes* PolicyBase::GetAppContainer() const { |
| return appcontainer_list_.get(); |
| } |
| +const PSID PolicyBase::GetLowBoxSid() const { |
| + return lowbox_sid_; |
| +} |
| + |
| bool PolicyBase::AddTarget(TargetProcess* target) { |
| if (NULL != policy_) |
| policy_maker_->Done(); |
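Review bot: In the SetLowBox hunk (@@ -331,6 +336,22 @@) the failure path of ConvertStringSidToSid leaves lowbox_sid_ holding whatever the API wrote, and nothing visible here guarantees that is NULL on failure; the destructor then passes it to LocalFree and MakeTokens treats any non-NULL value as a usable SID. Reset the member explicitly so a failed call cannot leave a stale pointer behind: `if (!ConvertStringSidToSid(sid, &lowbox_sid_)) { lowbox_sid_ = NULL; return SBOX_ERROR_GENERIC; }`. In the last hunk, GetLowBoxSid's `const PSID` return is a top-level const on a void* and does not protect the SID it points at, so the ownership should be stated for callers with a comment such as `// Owned by the policy and freed in its destructor; callers must not LocalFree it.`. MakeTokens' body continues outside its hunks, so whether *lockdown is released by the caller when CreateLowBox fails cannot be confirmed from this page.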