close ALPC ports in sbox integrations tests. This is the first step in locking down ALPC ports.

Closing ALPC ports causes the following tests to break, because they call CreateProcess(). The interception of CreateProcess() tries to call CreateProcess natively, which crashes.
ProcessPolicyTest.TestGetProcessTokenMaxAccess
ProcessPolicyTest.TestGetProcessTokenMaxAccessNoJob
PolicyTargetTest.OpenThread

The changes in process_thread_interception.cc check to see if CSRSS is disconnected, and doesn't use the native CreateProcess if CSRSS is disconnected. This connected flag is implicitly set in the HandleCloserAgent when type "ALPC Port" are requested to be closed.

Therefore this still only affects sbox_integration_tests, but adds some of the capability that will be needed to further lock down CSRSS.

BUG=464430

Review URL: https://codereview.chromium.org/1226383005

Cr-Commit-Position: refs/heads/master@{#338963}

1 files changed, 2 insertions, 1 deletions

diff --git a/sandbox/win/src/process_thread_interception.cc b/sandbox/win/src/process_thread_interception.cc
index 45926bc..e6c8c2e 100644
--- a/sandbox/win/src/process_thread_interception.cc
+++ b/sandbox/win/src/process_thread_interception.cc
@@ -267,7 +267,8 @@ BOOL WINAPI TargetCreateProcessW(CreateProcessWFunction orig_CreateProcessW,
                                  LPVOID environment, LPCWSTR current_directory,
                                  LPSTARTUPINFOW startup_info,
                                  LPPROCESS_INFORMATION process_information) {
-  if (orig_CreateProcessW(application_name, command_line, process_attributes,
+  if (SandboxFactory::GetTargetServices()->GetState()->IsCsrssConnected() &&
+      orig_CreateProcessW(application_name, command_line, process_attributes,
                           thread_attributes, inherit_handles, flags,
                           environment, current_directory, startup_info,
                           process_information)) {