authorjschuh@chromium.org <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-07-21 02:52:13 +0000
committerjschuh@chromium.org <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-07-21 02:52:13 +0000
commit17246ff04de0dd4b9eec8b9f6efdc76bba23bb31 (patch)
tree3d53c6031a7f382434ee49a9161a8e7a28ba9e96 /content
parent3a719b37becda4dd9fe6cfe8215edd7dfbabd39e (diff)
Add a sandbox API to allow closing open handles at lockdown.
BUG=58069 BUG=74242 TEST=sbox_integration_tests --gtest_filter=HandleCloserTests.* Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=93274 Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=93308 Review URL: http://codereview.chromium.org/7253054 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@93321 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content')
-rw-r--r--content/common/sandbox_policy.cc38
1 files changed, 38 insertions, 0 deletions
diff --git a/content/common/sandbox_policy.cc b/content/common/sandbox_policy.cc
index bfa7db1..41995f4 100644
--- a/content/common/sandbox_policy.cc
+++ b/content/common/sandbox_policy.cc
@@ -194,6 +194,41 @@ void AddDllEvictionPolicy(sandbox::TargetPolicy* policy) {
BlacklistAddOneDll(kTroublesomeDlls[ix], policy);
}
+// Returns the object path prepended with the current logon session.
+string16 PrependWindowsSessionPath(const char16* object) {
+ // Cache this because it can't change after process creation.
+ static string16* session_prefix = NULL;
+ if (!session_prefix) {
+ HANDLE token;
+ DWORD session_id;
+ DWORD session_id_length;
+
+ CHECK(::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &token));
+ CHECK(::GetTokenInformation(token, TokenSessionId, &session_id,
+ sizeof(session_id), &session_id_length));
+ CloseHandle(token);
+
+ session_prefix = new string16(base::StringPrintf(L"\\Sessions\\%d",
+ session_id));
+ }
+
+ return *session_prefix + object;
+}
+
+// Closes handles that are opened at process creation and initialization.
+void AddBaseHandleClosePolicy(sandbox::TargetPolicy* policy) {
+ // Being able to manipulate anything BaseNamedObjects is bad.
+ policy->AddKernelObjectToClose(L"Directory", PrependWindowsSessionPath(
+ L"\\BaseNamedObjects").data());
+ policy->AddKernelObjectToClose(L"Section", PrependWindowsSessionPath(
+ L"\\BaseNamedObjects\\windows_shell_global_counters").data());
+}
+
+void AddStrictHandleClosePolicy(sandbox::TargetPolicy* policy) {
+ // This is loaded when rand_s is seeded, but not needed again.
+ policy->AddKernelObjectToClose(L"File", L"\\Device\\KsecDD");
+}
+
// Adds the generic policy rules to a sandbox TargetPolicy.
bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
sandbox::ResultCode result;
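Review bot: In PrependWindowsSessionPath the DWORD session_id is formatted with `%d`, a signed conversion for an unsigned value; `%u` matches the type and avoids a negative session number in the object path if the high bit is ever set. The two `.data()` calls in AddBaseHandleClosePolicy rely on the temporary string16 being NUL-terminated, which C++03 basic_string::data() does not guarantee, so `c_str()` is the safer spelling, e.g. `policy->AddKernelObjectToClose(L"Directory", PrependWindowsSessionPath(L"\\BaseNamedObjects").c_str());` — the temporary itself lives to the end of the full expression, which is fine provided AddKernelObjectToClose copies the string rather than storing the pointer. The lazily initialized `session_prefix` static is an unguarded check-then-set, so two concurrent first calls could each allocate (one string leaks, both hold the same value); harmless if policy setup is single-threaded, but a comment stating that assumption, `// Not thread-safe: policy setup is expected to run on a single thread.`, would keep the cache from being reused elsewhere.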
@@ -279,6 +314,7 @@ void AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
}
AddDllEvictionPolicy(policy);
+ AddBaseHandleClosePolicy(policy);
}
// The Pepper process as locked-down as a renderer execpt that it can
@@ -414,6 +450,8 @@ base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
return 0;
} else {
AddPolicyForRenderer(policy);
+ if (type == ChildProcessInfo::RENDER_PROCESS)
+ AddStrictHandleClosePolicy(policy);
if (type_str != switches::kRendererProcess) {
// Hack for Google Desktop crash. Trick GD into not injecting its DLL into