Index: sandbox/win/src/sandbox_policy_base.cc |
diff --git a/sandbox/win/src/sandbox_policy_base.cc b/sandbox/win/src/sandbox_policy_base.cc |
index d3c920e6429c0e7119a34d423747ec921113603e..64b5c9aaed356d395b8083a5776be5ea50fc42ac 100644 |
--- a/sandbox/win/src/sandbox_policy_base.cc |
+++ b/sandbox/win/src/sandbox_policy_base.cc |
@@ -98,7 +98,8 @@ PolicyBase::PolicyBase() |
mitigations_(0), |
delayed_mitigations_(0), |
policy_maker_(NULL), |
- policy_(NULL) { |
+ policy_(NULL), |
+ lowbox_sid_(NULL) { |
::InitializeCriticalSection(&lock_); |
// Initialize the IPC dispatcher array. |
memset(&ipc_targets_, NULL, sizeof(ipc_targets_)); |
@@ -152,6 +153,10 @@ PolicyBase::~PolicyBase() { |
delete ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG]; |
delete policy_maker_; |
delete policy_; |
+ |
+ if (lowbox_sid_) |
+ LocalFree(lowbox_sid_); |
+ |
cpu_(ooo_6.6-7.5)
2015/02/28 02:13:53
::LocalFree() or at least we seem to be consistent
Shrikant Kelkar
2015/02/28 02:33:47
Done.
|
::DeleteCriticalSection(&lock_); |
} |
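Review bot: The destructor now frees lowbox_sid_ with LocalFree, but nothing in this diff states which allocator owns the member (the header change is not shown), so the pairing with ConvertStringSidToSid in SetLowBox is implicit. A one-line comment at the free, `// Allocated by ConvertStringSidToSid in SetLowBox; released with LocalFree.`, documents the contract for the next person who touches either site. If the tree already has a scoped LocalAlloc holder, that would remove the manual free entirely; I cannot tell from here whether one exists.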
@@ -331,6 +336,25 @@ ResultCode PolicyBase::SetCapability(const wchar_t* sid) { |
return SBOX_ALL_OK; |
} |
+ResultCode PolicyBase::SetLowBox(const wchar_t* sid) { |
+ if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8) |
cpu_(ooo_6.6-7.5)
2015/02/28 02:13:53
why the long form instead of the GetVersinon() one
Shrikant Kelkar
2015/02/28 02:33:47
Copied from earlier usage within this file. like l
|
+ return SBOX_ERROR_UNEXPECTED_CALL; |
cpu_(ooo_6.6-7.5)
2015/02/28 02:13:53
return SBOX_ERROR_UNSUPPORTED
rvargas (doing something else)
2015/02/28 02:23:08
I'm not sure what is the right thing to do, but no
Shrikant Kelkar
2015/02/28 02:33:46
Acknowledged.
Shrikant Kelkar
2015/02/28 02:33:47
Done.
|
+ |
+ // SetLowBox and SetAppContainer are mutually exclusive. |
+ if (appcontainer_list_.get()) |
+ return SBOX_ERROR_UNEXPECTED_CALL; |
rvargas (doing something else)
2015/02/28 02:23:08
On the other hand, unsupported looks like a good c
Shrikant Kelkar
2015/02/28 02:33:47
Done.
|
+ |
+ DCHECK(sid); |
+ |
+ if (lowbox_sid_) |
+ return SBOX_ERROR_BAD_PARAMS; |
+ |
+ if (!ConvertStringSidToSid(sid, &lowbox_sid_)) |
+ return SBOX_ERROR_GENERIC; |
+ |
+ return SBOX_ALL_OK; |
+} |
+ |
ResultCode PolicyBase::SetProcessMitigations( |
MitigationFlags flags) { |
if (!CanSetProcessMitigationsPreStartup(flags)) |
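Review bot: SetLowBox accepts any well-formed SID string and stores it as lowbox_sid_, which MakeTokens later passes to NtCreateLowBoxToken as the package SID, but nothing checks that the SID is actually an AppContainer package SID (identifier authority SECURITY_APP_PACKAGE_AUTHORITY with first sub-authority SECURITY_APP_PACKAGE_BASE_RID); the kernel may well reject other SIDs, but failing early with SBOX_ERROR_BAD_PARAMS gives the caller a precise error and keeps a non-package SID out of the token path entirely. A ConvertStringSidToSid failure is likewise a malformed argument rather than an internal error, so SBOX_ERROR_BAD_PARAMS fits it better than SBOX_ERROR_GENERIC. The constants come from the Windows 8 SDK winnt.h, which this Win8-only feature presumably already builds against. The rewritten tail of the function is below.
```cpp
  if (!ConvertStringSidToSid(sid, &lowbox_sid_))
    return SBOX_ERROR_BAD_PARAMS;

  // Only an AppContainer package SID (S-1-15-2-...) is meaningful as a
  // LowBox package; reject anything else before it reaches the kernel.
  static const SID_IDENTIFIER_AUTHORITY kPackageAuthority =
      SECURITY_APP_PACKAGE_AUTHORITY;
  bool is_package_sid =
      memcmp(::GetSidIdentifierAuthority(lowbox_sid_), &kPackageAuthority,
             sizeof(kPackageAuthority)) == 0 &&
      *::GetSidSubAuthorityCount(lowbox_sid_) > 0 &&
      *::GetSidSubAuthority(lowbox_sid_, 0) == SECURITY_APP_PACKAGE_BASE_RID;
  if (!is_package_sid) {
    ::LocalFree(lowbox_sid_);
    lowbox_sid_ = NULL;
    return SBOX_ERROR_BAD_PARAMS;
  }

  return SBOX_ALL_OK;
```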
@@ -448,6 +472,11 @@ ResultCode PolicyBase::MakeJobObject(HANDLE* job) { |
} |
ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) { |
+ if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer() && |
+ lowbox_sid_) { |
cpu_(ooo_6.6-7.5)
2015/02/28 02:13:53
is there a way to trigger this check while bypassi
|
+ return SBOX_ERROR_BAD_PARAMS; |
+ } |
+ |
// Create the 'naked' token. This will be the permanent token associated |
// with the process and therefore with any thread that is not impersonating. |
DWORD result = CreateRestrictedToken(lockdown, lockdown_level_, |
@@ -476,6 +505,9 @@ ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) { |
alternate_desktop_integrity_level_label_ = integrity_level_; |
} |
+ // We are maintaining two mutually exclusive approaches. One is to start an |
+ // AppContainer process through StartupInfoEx and other is by replacing |
rvargas (doing something else)
2015/02/28 02:23:08
nit: remove "by"?
Shrikant Kelkar
2015/02/28 02:33:47
Done.
|
+ // existing token with LowBox token after process creation. |
if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) { |
// Windows refuses to work with an impersonation token. See SetAppContainer |
// implementation for more details. |
@@ -484,6 +516,22 @@ ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) { |
*initial = INVALID_HANDLE_VALUE; |
return SBOX_ALL_OK; |
+ } else if (lowbox_sid_) { |
+ NtCreateLowBoxToken CreateLowBox = NULL; |
cpu_(ooo_6.6-7.5)
2015/02/28 02:13:53
function should be named CreateLowBoxToken, or is
Shrikant Kelkar
2015/02/28 02:33:47
Done.
|
+ ResolveNTFunctionPtr("NtCreateLowBoxToken", &CreateLowBox); |
+ |
+ OBJECT_ATTRIBUTES obj_attr; |
+ InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL); |
+ HANDLE token_lowbox = NULL; |
+ |
rvargas (doing something else)
2015/02/28 02:23:08
nit: move the empty line above the previous line.
Shrikant Kelkar
2015/02/28 02:33:47
Done.
rvargas (doing something else)
2015/02/28 02:48:05
Don't see it (the variable declaration should be t
Shrikant Kelkar
2015/03/01 00:31:43
Done.
|
+ NTSTATUS status = CreateLowBox(&token_lowbox, *lockdown, TOKEN_ALL_ACCESS, |
+ &obj_attr, lowbox_sid_, 0, NULL, 0, NULL); |
+ if (!NT_SUCCESS(status)) |
+ return SBOX_ERROR_GENERIC; |
+ |
+ DCHECK(token_lowbox); |
+ ::CloseHandle(*lockdown); |
+ *lockdown = token_lowbox; |
} |
// Create the 'better' token. We use this token as the one that the main |
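Review bot: When NtCreateLowBoxToken fails, the new branch returns SBOX_ERROR_GENERIC while *lockdown still holds the restricted token created earlier in MakeTokens, and the caller has no way to know it must close it; the failure path should read `if (!NT_SUCCESS(status)) { ::CloseHandle(*lockdown); return SBOX_ERROR_GENERIC; }` (or the handle should sit in a base::win::ScopedHandle until the swap). The call also passes a capability count of 0 and a NULL capability array, so capabilities added through SetCapability presumably do not reach the LowBox token; if that is intentional, a comment above the call such as `// No capabilities: SetCapability entries only apply to the AppContainer path.` would prevent a later reader from expecting otherwise. The argument order of this undocumented NT call is only verifiable against the NtCreateLowBoxToken typedef, which is outside this diff. MakeTokens starts before this hunk and continues after it.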
@@ -505,6 +553,10 @@ const AppContainerAttributes* PolicyBase::GetAppContainer() const { |
return appcontainer_list_.get(); |
} |
+const PSID PolicyBase::GetLowBoxSid() const { |
+ return lowbox_sid_; |
+} |
+ |
bool PolicyBase::AddTarget(TargetProcess* target) { |
if (NULL != policy_) |
policy_maker_->Done(); |