diff options
| author | rvargas <rvargas@chromium.org> | 2015-07-16 14:42:10 -0700 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2015-07-16 21:42:54 +0000 |
| commit | 9808175ad322e8387366cdec088e65ccb934ceac (patch) | |
| tree | 8eb3fe3803dea4aa24f8a20c563939f67bca2c3c | |
| parent | 9f60f1ab2cfc83b0eef94c5be0db2b24383bdd17 (diff) | |
| download | chromium_src-9808175ad322e8387366cdec088e65ccb934ceac.zip chromium_src-9808175ad322e8387366cdec088e65ccb934ceac.tar.gz chromium_src-9808175ad322e8387366cdec088e65ccb934ceac.tar.bz2 | |
Sandbox: Make CreateRestrictedToken return a ScopedHandle.
Removes raw handles from the API.
BUG=426577
Review URL: https://codereview.chromium.org/1232963002
Cr-Commit-Position: refs/heads/master@{#339130}
| -rw-r--r-- | sandbox/win/src/restricted_token.cc | 72 | ||||
| -rw-r--r-- | sandbox/win/src/restricted_token.h | 20 | ||||
| -rw-r--r-- | sandbox/win/src/restricted_token_unittest.cc | 137 | ||||
| -rw-r--r-- | sandbox/win/src/restricted_token_utils.cc | 39 | ||||
| -rw-r--r-- | sandbox/win/src/restricted_token_utils.h | 11 | ||||
| -rw-r--r-- | sandbox/win/src/sandbox_policy_base.cc | 12 | ||||
| -rw-r--r-- | sandbox/win/tools/finder/finder.cc | 9 | ||||
| -rw-r--r-- | sandbox/win/tools/finder/finder.h | 9 |
8 files changed, 142 insertions, 167 deletions
diff --git a/sandbox/win/src/restricted_token.cc b/sandbox/win/src/restricted_token.cc index d94ca06..7fadb2b 100644 --- a/sandbox/win/src/restricted_token.cc +++ b/sandbox/win/src/restricted_token.cc @@ -53,7 +53,8 @@ unsigned RestrictedToken::Init(const HANDLE effective_token) { return ERROR_SUCCESS; } -unsigned RestrictedToken::GetRestrictedTokenHandle(HANDLE *token_handle) const { +unsigned RestrictedToken::GetRestrictedToken( + base::win::ScopedHandle* token) const { DCHECK(init_); if (!init_) return ERROR_NO_TOKEN; @@ -95,7 +96,7 @@ unsigned RestrictedToken::GetRestrictedTokenHandle(HANDLE *token_handle) const { } BOOL result = TRUE; - HANDLE new_token = NULL; + HANDLE new_token_handle = NULL; // The SANDBOX_INERT flag did nothing in XP and it was just a way to tell // if a token has ben restricted given the limiations of IsTokenRestricted() // but it appears that in Windows 7 it hints the AppLocker subsystem to @@ -109,14 +110,14 @@ unsigned RestrictedToken::GetRestrictedTokenHandle(HANDLE *token_handle) const { privileges_to_disable_array, static_cast<DWORD>(restrict_size), sids_to_restrict_array, - &new_token); + &new_token_handle); } else { // Duplicate the token even if it's not modified at this point // because any subsequent changes to this token would also affect the // current process. result = ::DuplicateTokenEx(effective_token_, TOKEN_ALL_ACCESS, NULL, SecurityIdentification, TokenPrimary, - &new_token); + &new_token_handle); } if (deny_only_array) @@ -131,68 +132,59 @@ unsigned RestrictedToken::GetRestrictedTokenHandle(HANDLE *token_handle) const { if (!result) return ::GetLastError(); + base::win::ScopedHandle new_token(new_token_handle); + // Modify the default dacl on the token to contain Restricted and the user. - if (!AddSidToDefaultDacl(new_token, WinRestrictedCodeSid, GENERIC_ALL)) + if (!AddSidToDefaultDacl(new_token.Get(), WinRestrictedCodeSid, GENERIC_ALL)) return ::GetLastError(); - if (!AddUserSidToDefaultDacl(new_token, GENERIC_ALL)) + if (!AddUserSidToDefaultDacl(new_token.Get(), GENERIC_ALL)) return ::GetLastError(); - DWORD error = SetTokenIntegrityLevel(new_token, integrity_level_); + DWORD error = SetTokenIntegrityLevel(new_token.Get(), integrity_level_); if (ERROR_SUCCESS != error) return error; - BOOL status = ::DuplicateHandle(::GetCurrentProcess(), - new_token, - ::GetCurrentProcess(), - token_handle, - TOKEN_ALL_ACCESS, - FALSE, // Don't inherit. - 0); - - if (new_token != effective_token_) - ::CloseHandle(new_token); - - if (!status) + HANDLE token_handle; + if (!::DuplicateHandle(::GetCurrentProcess(), new_token.Get(), + ::GetCurrentProcess(), &token_handle, + TOKEN_ALL_ACCESS, FALSE, // Don't inherit. + 0)) { return ::GetLastError(); + } + token->Set(token_handle); return ERROR_SUCCESS; } -unsigned RestrictedToken::GetRestrictedTokenHandleForImpersonation( - HANDLE *token_handle) const { +unsigned RestrictedToken::GetRestrictedTokenForImpersonation( + base::win::ScopedHandle* token) const { DCHECK(init_); if (!init_) return ERROR_NO_TOKEN; - HANDLE restricted_token_handle; - unsigned err_code = GetRestrictedTokenHandle(&restricted_token_handle); + base::win::ScopedHandle restricted_token; + unsigned err_code = GetRestrictedToken(&restricted_token); if (ERROR_SUCCESS != err_code) return err_code; - HANDLE impersonation_token; - if (!::DuplicateToken(restricted_token_handle, + HANDLE impersonation_token_handle; + if (!::DuplicateToken(restricted_token.Get(), SecurityImpersonation, - &impersonation_token)) { - ::CloseHandle(restricted_token_handle); + &impersonation_token_handle)) { return ::GetLastError(); } + base::win::ScopedHandle impersonation_token(impersonation_token_handle); - ::CloseHandle(restricted_token_handle); - - BOOL status = ::DuplicateHandle(::GetCurrentProcess(), - impersonation_token, - ::GetCurrentProcess(), - token_handle, - TOKEN_ALL_ACCESS, - FALSE, // Don't inherit. - 0); - - ::CloseHandle(impersonation_token); - - if (!status) + HANDLE token_handle; + if (!::DuplicateHandle(::GetCurrentProcess(), impersonation_token.Get(), + ::GetCurrentProcess(), &token_handle, + TOKEN_ALL_ACCESS, FALSE, // Don't inherit. + 0)) { return ::GetLastError(); + } + token->Set(token_handle); return ERROR_SUCCESS; } diff --git a/sandbox/win/src/restricted_token.h b/sandbox/win/src/restricted_token.h index 565880e..1bfc364b 100644 --- a/sandbox/win/src/restricted_token.h +++ b/sandbox/win/src/restricted_token.h @@ -10,6 +10,7 @@ #include "base/basictypes.h" #include "base/strings/string16.h" +#include "base/win/scoped_handle.h" #include "sandbox/win/src/restricted_token_utils.h" #include "sandbox/win/src/security_level.h" #include "sandbox/win/src/sid.h" @@ -35,13 +36,12 @@ namespace sandbox { // } // // restricted_token.AddRestrictingSid(ATL::Sids::Users().GetPSID()); -// HANDLE token_handle; -// err_code = restricted_token.GetRestrictedTokenHandle(&token_handle); +// base::win::ScopedHandle token_handle; +// err_code = restricted_token.GetRestrictedToken(&token_handle); // if (ERROR_SUCCESS != err_code) { // // handle error. // } // [...] -// CloseHandle(token_handle); class RestrictedToken { public: // Init() has to be called before calling any other method in the class. @@ -53,24 +53,22 @@ class RestrictedToken { // the effective token of the current process. unsigned Init(HANDLE effective_token); - // Creates a restricted token and returns its handle using the token_handle - // output parameter. This handle has to be closed by the caller. + // Creates a restricted token. // If the function succeeds, the return value is ERROR_SUCCESS. If the // function fails, the return value is the win32 error code corresponding to // the error. - unsigned GetRestrictedTokenHandle(HANDLE *token_handle) const; + unsigned GetRestrictedToken(base::win::ScopedHandle* token) const; // Creates a restricted token and uses this new token to create a new token - // for impersonation. Returns the handle of this impersonation token using - // the token_handle output parameter. This handle has to be closed by - // the caller. + // for impersonation. Returns this impersonation token. // // If the function succeeds, the return value is ERROR_SUCCESS. If the // function fails, the return value is the win32 error code corresponding to // the error. // - // The sample usage is the same as the GetRestrictedTokenHandle function. - unsigned GetRestrictedTokenHandleForImpersonation(HANDLE *token_handle) const; + // The sample usage is the same as the GetRestrictedToken function. + unsigned GetRestrictedTokenForImpersonation( + base::win::ScopedHandle* token) const; // Lists all sids in the token and mark them as Deny Only except for those // present in the exceptions parameter. If there is no exception needed, diff --git a/sandbox/win/src/restricted_token_unittest.cc b/sandbox/win/src/restricted_token_unittest.cc index 8186f9c..fca1a07 100644 --- a/sandbox/win/src/restricted_token_unittest.cc +++ b/sandbox/win/src/restricted_token_unittest.cc @@ -8,6 +8,8 @@ #include <atlbase.h> #include <atlsecurity.h> #include <vector> + +#include "base/win/scoped_handle.h" #include "sandbox/win/src/restricted_token.h" #include "sandbox/win/src/sid.h" #include "testing/gtest/include/gtest/gtest.h" @@ -38,12 +40,12 @@ TEST(RestrictedTokenTest, DefaultInit) { // Get the handle to the restricted token. - HANDLE restricted_token_handle = NULL; + base::win::ScopedHandle restricted_token_handle; ASSERT_EQ(ERROR_SUCCESS, - token_default.GetRestrictedTokenHandle(&restricted_token_handle)); + token_default.GetRestrictedToken(&restricted_token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(restricted_token_handle); + restricted_token.Attach(restricted_token_handle.Take()); ATL::CSid sid_user_restricted; ATL::CSid sid_user_default; @@ -80,12 +82,12 @@ TEST(RestrictedTokenTest, CustomInit) { // Get the handle to the restricted token. - HANDLE restricted_token_handle = NULL; + base::win::ScopedHandle restricted_token_handle; ASSERT_EQ(ERROR_SUCCESS, - token.GetRestrictedTokenHandle(&restricted_token_handle)); + token.GetRestrictedToken(&restricted_token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(restricted_token_handle); + restricted_token.Attach(restricted_token_handle.Take()); ATL::CSid sid_restricted; ATL::CSid sid_default; @@ -104,14 +106,14 @@ TEST(RestrictedTokenTest, ResultToken) { ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSid(ATL::Sids::World().GetPSID())); - HANDLE restricted_token; - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&restricted_token)); + base::win::ScopedHandle restricted_token; + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&restricted_token)); - ASSERT_TRUE(::IsTokenRestricted(restricted_token)); + ASSERT_TRUE(::IsTokenRestricted(restricted_token.Get())); DWORD length = 0; TOKEN_TYPE type; - ASSERT_TRUE(::GetTokenInformation(restricted_token, + ASSERT_TRUE(::GetTokenInformation(restricted_token.Get(), ::TokenType, &type, sizeof(type), @@ -119,22 +121,19 @@ TEST(RestrictedTokenTest, ResultToken) { ASSERT_EQ(type, TokenPrimary); - HANDLE impersonation_token; + base::win::ScopedHandle impersonation_token; ASSERT_EQ(ERROR_SUCCESS, - token.GetRestrictedTokenHandleForImpersonation(&impersonation_token)); + token.GetRestrictedTokenForImpersonation(&impersonation_token)); - ASSERT_TRUE(::IsTokenRestricted(impersonation_token)); + ASSERT_TRUE(::IsTokenRestricted(impersonation_token.Get())); - ASSERT_TRUE(::GetTokenInformation(impersonation_token, + ASSERT_TRUE(::GetTokenInformation(impersonation_token.Get(), ::TokenType, &type, sizeof(type), &length)); ASSERT_EQ(type, TokenImpersonation); - - ::CloseHandle(impersonation_token); - ::CloseHandle(restricted_token); } // Verifies that the token created has "Restricted" in its default dacl. @@ -145,11 +144,11 @@ TEST(RestrictedTokenTest, DefaultDacl) { ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSid(ATL::Sids::World().GetPSID())); - HANDLE handle; - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&handle)); + base::win::ScopedHandle handle; + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(handle); + restricted_token.Attach(handle.Take()); ATL::CDacl dacl; ASSERT_TRUE(restricted_token.GetDefaultDacl(&dacl)); @@ -173,14 +172,14 @@ TEST(RestrictedTokenTest, DefaultDacl) { // Tests the method "AddSidForDenyOnly". TEST(RestrictedTokenTest, DenySid) { RestrictedToken token; - HANDLE token_handle = NULL; + base::win::ScopedHandle token_handle; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.AddSidForDenyOnly(Sid(WinWorldSid))); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle); + restricted_token.Attach(token_handle.Take()); ATL::CTokenGroups groups; ASSERT_TRUE(restricted_token.GetGroups(&groups)); @@ -200,14 +199,14 @@ TEST(RestrictedTokenTest, DenySid) { // Tests the method "AddAllSidsForDenyOnly". TEST(RestrictedTokenTest, DenySids) { RestrictedToken token; - HANDLE token_handle = NULL; + base::win::ScopedHandle token_handle; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.AddAllSidsForDenyOnly(NULL)); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle); + restricted_token.Attach(token_handle.Take()); ATL::CTokenGroups groups; ASSERT_TRUE(restricted_token.GetGroups(&groups)); @@ -229,17 +228,17 @@ TEST(RestrictedTokenTest, DenySids) { // Tests the method "AddAllSidsForDenyOnly" using an exception list. TEST(RestrictedTokenTest, DenySidsException) { RestrictedToken token; - HANDLE token_handle = NULL; + base::win::ScopedHandle token_handle; std::vector<Sid> sids_exception; sids_exception.push_back(Sid(WinWorldSid)); ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.AddAllSidsForDenyOnly(&sids_exception)); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle); + restricted_token.Attach(token_handle.Take()); ATL::CTokenGroups groups; ASSERT_TRUE(restricted_token.GetGroups(&groups)); @@ -265,14 +264,14 @@ TEST(RestrictedTokenTest, DenySidsException) { // Tests test method AddOwnerSidForDenyOnly. TEST(RestrictedTokenTest, DenyOwnerSid) { RestrictedToken token; - HANDLE token_handle = NULL; + base::win::ScopedHandle token_handle; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.AddUserSidForDenyOnly()); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle); + restricted_token.Attach(token_handle.Take()); ATL::CTokenGroups groups; ASSERT_TRUE(restricted_token.GetGroups(&groups)); @@ -295,22 +294,23 @@ TEST(RestrictedTokenTest, DenyOwnerSid) { // Tests test method AddOwnerSidForDenyOnly with a custom effective token. TEST(RestrictedTokenTest, DenyOwnerSidCustom) { // Get the current process token. - HANDLE token_handle = INVALID_HANDLE_VALUE; + HANDLE access_handle = INVALID_HANDLE_VALUE; ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, - &token_handle)); + &access_handle)); - ASSERT_NE(INVALID_HANDLE_VALUE, token_handle); + ASSERT_NE(INVALID_HANDLE_VALUE, access_handle); ATL::CAccessToken access_token; - access_token.Attach(token_handle); + access_token.Attach(access_handle); RestrictedToken token; + base::win::ScopedHandle token_handle; ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle())); ASSERT_EQ(ERROR_SUCCESS, token.AddUserSidForDenyOnly()); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle); + restricted_token.Attach(token_handle.Take()); ATL::CTokenGroups groups; ASSERT_TRUE(restricted_token.GetGroups(&groups)); @@ -333,14 +333,14 @@ TEST(RestrictedTokenTest, DenyOwnerSidCustom) { // Tests the method DeleteAllPrivileges. TEST(RestrictedTokenTest, DeleteAllPrivileges) { RestrictedToken token; - HANDLE token_handle = NULL; + base::win::ScopedHandle token_handle; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.DeleteAllPrivileges(NULL)); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle); + restricted_token.Attach(token_handle.Take()); ATL::CTokenPrivileges privileges; ASSERT_TRUE(restricted_token.GetPrivileges(&privileges)); @@ -351,17 +351,17 @@ TEST(RestrictedTokenTest, DeleteAllPrivileges) { // Tests the method DeleteAllPrivileges with an exception list. TEST(RestrictedTokenTest, DeleteAllPrivilegesException) { RestrictedToken token; - HANDLE token_handle = NULL; + base::win::ScopedHandle token_handle; std::vector<base::string16> exceptions; exceptions.push_back(SE_CHANGE_NOTIFY_NAME); ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.DeleteAllPrivileges(&exceptions)); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle); + restricted_token.Attach(token_handle.Take()); ATL::CTokenPrivileges privileges; ASSERT_TRUE(restricted_token.GetPrivileges(&privileges)); @@ -381,14 +381,14 @@ TEST(RestrictedTokenTest, DeleteAllPrivilegesException) { // Tests the method DeletePrivilege. TEST(RestrictedTokenTest, DeletePrivilege) { RestrictedToken token; - HANDLE token_handle = NULL; + base::win::ScopedHandle token_handle; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.DeletePrivilege(SE_CHANGE_NOTIFY_NAME)); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle); + restricted_token.Attach(token_handle.Take()); ATL::CTokenPrivileges privileges; ASSERT_TRUE(restricted_token.GetPrivileges(&privileges)); @@ -441,15 +441,15 @@ void CheckRestrictingSid(const ATL::CAccessToken &restricted_token, // Tests the method AddRestrictingSid. TEST(RestrictedTokenTest, AddRestrictingSid) { RestrictedToken token; - HANDLE token_handle = NULL; + base::win::ScopedHandle token_handle; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSid(ATL::Sids::World().GetPSID())); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle); + restricted_token.Attach(token_handle.Take()); CheckRestrictingSid(restricted_token, ATL::Sids::World(), 1); } @@ -457,14 +457,14 @@ TEST(RestrictedTokenTest, AddRestrictingSid) { // Tests the method AddRestrictingSidCurrentUser. TEST(RestrictedTokenTest, AddRestrictingSidCurrentUser) { RestrictedToken token; - HANDLE token_handle = NULL; + base::win::ScopedHandle token_handle; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser()); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle); + restricted_token.Attach(token_handle.Take()); ATL::CSid user; restricted_token.GetUser(&user); @@ -474,22 +474,23 @@ TEST(RestrictedTokenTest, AddRestrictingSidCurrentUser) { // Tests the method AddRestrictingSidCurrentUser with a custom effective token. TEST(RestrictedTokenTest, AddRestrictingSidCurrentUserCustom) { // Get the current process token. - HANDLE token_handle = INVALID_HANDLE_VALUE; + HANDLE access_handle = INVALID_HANDLE_VALUE; ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, - &token_handle)); + &access_handle)); - ASSERT_NE(INVALID_HANDLE_VALUE, token_handle); + ASSERT_NE(INVALID_HANDLE_VALUE, access_handle); ATL::CAccessToken access_token; - access_token.Attach(token_handle); + access_token.Attach(access_handle); RestrictedToken token; + base::win::ScopedHandle token_handle; ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle())); ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser()); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle); + restricted_token.Attach(token_handle.Take()); ATL::CSid user; restricted_token.GetUser(&user); @@ -499,14 +500,14 @@ TEST(RestrictedTokenTest, AddRestrictingSidCurrentUserCustom) { // Tests the method AddRestrictingSidLogonSession. TEST(RestrictedTokenTest, AddRestrictingSidLogonSession) { RestrictedToken token; - HANDLE token_handle = NULL; + base::win::ScopedHandle token_handle; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidLogonSession()); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle); + restricted_token.Attach(token_handle.Take()); ATL::CSid session; restricted_token.GetLogonSid(&session); @@ -516,17 +517,17 @@ TEST(RestrictedTokenTest, AddRestrictingSidLogonSession) { // Tests adding a lot of restricting sids. TEST(RestrictedTokenTest, AddMultipleRestrictingSids) { RestrictedToken token; - HANDLE token_handle = NULL; + base::win::ScopedHandle token_handle; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser()); ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidLogonSession()); ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSid(ATL::Sids::World().GetPSID())); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle); + restricted_token.Attach(token_handle.Take()); ATL::CSid session; restricted_token.GetLogonSid(&session); @@ -548,14 +549,14 @@ TEST(RestrictedTokenTest, AddMultipleRestrictingSids) { // Tests the method "AddRestrictingSidAllSids". TEST(RestrictedTokenTest, AddAllSidToRestrictingSids) { RestrictedToken token; - HANDLE token_handle = NULL; + base::win::ScopedHandle token_handle; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidAllSids()); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle); + restricted_token.Attach(token_handle.Take()); ATL::CTokenGroups groups; ASSERT_TRUE(restricted_token.GetGroups(&groups)); diff --git a/sandbox/win/src/restricted_token_utils.cc b/sandbox/win/src/restricted_token_utils.cc index 1745236..5f97192 100644 --- a/sandbox/win/src/restricted_token_utils.cc +++ b/sandbox/win/src/restricted_token_utils.cc @@ -19,13 +19,10 @@ namespace sandbox { -DWORD CreateRestrictedToken(HANDLE *token_handle, - TokenLevel security_level, +DWORD CreateRestrictedToken(TokenLevel security_level, IntegrityLevel integrity_level, - TokenType token_type) { - if (!token_handle) - return ERROR_BAD_ARGUMENTS; - + TokenType token_type, + base::win::ScopedHandle* token) { RestrictedToken restricted_token; restricted_token.Init(NULL); // Initialized with the current process token @@ -123,12 +120,11 @@ DWORD CreateRestrictedToken(HANDLE *token_handle, switch (token_type) { case PRIMARY: { - err_code = restricted_token.GetRestrictedTokenHandle(token_handle); + err_code = restricted_token.GetRestrictedToken(token); break; } case IMPERSONATION: { - err_code = restricted_token.GetRestrictedTokenHandleForImpersonation( - token_handle); + err_code = restricted_token.GetRestrictedTokenForImpersonation(token); break; } default: { @@ -159,27 +155,20 @@ DWORD StartRestrictedProcessInJob(wchar_t *command_line, } // Create the primary (restricted) token for the process - HANDLE primary_token_handle = NULL; - err_code = CreateRestrictedToken(&primary_token_handle, - primary_level, - INTEGRITY_LEVEL_LAST, - PRIMARY); - if (ERROR_SUCCESS != err_code) { + base::win::ScopedHandle primary_token; + err_code = CreateRestrictedToken(primary_level, INTEGRITY_LEVEL_LAST, + PRIMARY, &primary_token); + if (ERROR_SUCCESS != err_code) return err_code; - } - base::win::ScopedHandle primary_token(primary_token_handle); + // Create the impersonation token (restricted) to be able to start the // process. - HANDLE impersonation_token_handle; - err_code = CreateRestrictedToken(&impersonation_token_handle, - impersonation_level, - INTEGRITY_LEVEL_LAST, - IMPERSONATION); - if (ERROR_SUCCESS != err_code) { + base::win::ScopedHandle impersonation_token; + err_code = CreateRestrictedToken(impersonation_level, INTEGRITY_LEVEL_LAST, + IMPERSONATION, &impersonation_token); + if (ERROR_SUCCESS != err_code) return err_code; - } - base::win::ScopedHandle impersonation_token(impersonation_token_handle); // Start the process STARTUPINFO startup_info = {0}; diff --git a/sandbox/win/src/restricted_token_utils.h b/sandbox/win/src/restricted_token_utils.h index 509feaf..40d2286 100644 --- a/sandbox/win/src/restricted_token_utils.h +++ b/sandbox/win/src/restricted_token_utils.h @@ -8,6 +8,7 @@ #include <accctrl.h> #include <windows.h> +#include "base/win/scoped_handle.h" #include "sandbox/win/src/restricted_token.h" #include "sandbox/win/src/security_level.h" @@ -27,15 +28,15 @@ enum TokenType { // restricted. The token_type determines if the token will be used as a primary // token or impersonation token. The integrity level of the token is set to // |integrity level| on Vista only. -// token_handle is the output value containing the handle of the -// newly created restricted token. +// |token| is the output value containing the handle of the newly created +// restricted token. // If the function succeeds, the return value is ERROR_SUCCESS. If the // function fails, the return value is the win32 error code corresponding to // the error. -DWORD CreateRestrictedToken(HANDLE *token_handle, - TokenLevel security_level, +DWORD CreateRestrictedToken(TokenLevel security_level, IntegrityLevel integrity_level, - TokenType token_type); + TokenType token_type, + base::win::ScopedHandle* token); // Starts the process described by the input parameter command_line in a job // with a restricted token. Also set the main thread of this newly created diff --git a/sandbox/win/src/sandbox_policy_base.cc b/sandbox/win/src/sandbox_policy_base.cc index fcc4a7c..12f72d5 100644 --- a/sandbox/win/src/sandbox_policy_base.cc +++ b/sandbox/win/src/sandbox_policy_base.cc @@ -550,14 +550,11 @@ ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial, // Create the 'naked' token. This will be the permanent token associated // with the process and therefore with any thread that is not impersonating. - HANDLE temp_handle; - DWORD result = CreateRestrictedToken(&temp_handle, lockdown_level_, - integrity_level_, PRIMARY); + DWORD result = CreateRestrictedToken(lockdown_level_, integrity_level_, + PRIMARY, lockdown); if (ERROR_SUCCESS != result) return SBOX_ERROR_GENERIC; - lockdown->Set(temp_handle); - // If we're launching on the alternate desktop we need to make sure the // integrity label on the object is no higher than the sandboxed process's // integrity level. So, we lower the label on the desktop process if it's @@ -622,12 +619,11 @@ ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial, // Create the 'better' token. We use this token as the one that the main // thread uses when booting up the process. It should contain most of // what we need (before reaching main( )) - result = CreateRestrictedToken(&temp_handle, initial_level_, - integrity_level_, IMPERSONATION); + result = CreateRestrictedToken(initial_level_, integrity_level_, + IMPERSONATION, initial); if (ERROR_SUCCESS != result) return SBOX_ERROR_GENERIC; - initial->Set(temp_handle); return SBOX_ALL_OK; } diff --git a/sandbox/win/tools/finder/finder.cc b/sandbox/win/tools/finder/finder.cc index 9b82962..7753dd0 100644 --- a/sandbox/win/tools/finder/finder.cc +++ b/sandbox/win/tools/finder/finder.cc @@ -10,15 +10,12 @@ Finder::Finder() { file_output_ = NULL; object_type_ = 0; access_type_ = 0; - token_handle_ = NULL; memset(filesystem_stats_, 0, sizeof(filesystem_stats_)); memset(registry_stats_, 0, sizeof(registry_stats_)); memset(kernel_object_stats_, 0, sizeof(kernel_object_stats_)); } Finder::~Finder() { - if (token_handle_) - ::CloseHandle(token_handle_); } DWORD Finder::Init(sandbox::TokenLevel token_type, @@ -35,14 +32,14 @@ DWORD Finder::Init(sandbox::TokenLevel token_type, access_type_ = access_type; file_output_ = file_output; - err_code = sandbox::CreateRestrictedToken(&token_handle_, token_type, + err_code = sandbox::CreateRestrictedToken(token_type, sandbox::INTEGRITY_LEVEL_LAST, - sandbox::PRIMARY); + sandbox::PRIMARY, &token_handle_); return err_code; } DWORD Finder::Scan() { - if (!token_handle_) { + if (!token_handle_.IsValid()) { return ERROR_NO_TOKEN; } diff --git a/sandbox/win/tools/finder/finder.h b/sandbox/win/tools/finder/finder.h index 23255ce..503447d 100644 --- a/sandbox/win/tools/finder/finder.h +++ b/sandbox/win/tools/finder/finder.h @@ -2,9 +2,10 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. -#ifndef SANDBOX_TOOLS_FINDER_FINDER_H__ -#define SANDBOX_TOOLS_FINDER_FINDER_H__ +#ifndef SANDBOX_TOOLS_FINDER_FINDER_H_ +#define SANDBOX_TOOLS_FINDER_FINDER_H_ +#include "base/win/scoped_handle.h" #include "sandbox/win/src/restricted_token_utils.h" #include "sandbox/win/tools/finder/ntundoc.h" @@ -132,7 +133,7 @@ class Finder { // Output file for the results. FILE * file_output_; // Handle to the restricted token. - HANDLE token_handle_; + base::win::ScopedHandle token_handle_; // Stats containing the number of operations performed on the different // objects. int filesystem_stats_[SIZE_STATS]; @@ -140,4 +141,4 @@ class Finder { int kernel_object_stats_[SIZE_STATS]; }; -#endif // SANDBOX_TOOLS_FINDER_FINDER_H__ +#endif // SANDBOX_TOOLS_FINDER_FINDER_H_ |