author | shrikant <shrikant@chromium.org> | 2015-03-01 20:23:01 -0800 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-03-02 04:23:28 +0000 |
commit | f7540af7428f4b146136ec19b781886693f8c03f (patch) | |
tree | 182f19c9fe7d507ab98c4e6fe4d313bb6ab3dec3 /sandbox/win/src/sandbox_policy_base.cc | |
parent | 611754aea9d1c0ba5c7980fa267fd005dc249b85 (diff) | |
This CL adds a method to create a process using a LowBox token on Windows. LowBox will help us tackle some of the escapes from the Sandbox.
R=cpu,jschuh,rvargas,wfh,forshaw
BUG=455496
Review URL: https://codereview.chromium.org/937353002
Cr-Commit-Position: refs/heads/master@{#318648}
Diffstat (limited to 'sandbox/win/src/sandbox_policy_base.cc')
-rw-r--r-- | sandbox/win/src/sandbox_policy_base.cc | 57 |
1 files changed, 56 insertions, 1 deletions
diff --git a/sandbox/win/src/sandbox_policy_base.cc b/sandbox/win/src/sandbox_policy_base.cc
index d3c920e..f5ed7e4 100644
--- a/sandbox/win/src/sandbox_policy_base.cc
+++ b/sandbox/win/src/sandbox_policy_base.cc
@@ -98,7 +98,8 @@ PolicyBase::PolicyBase()
       mitigations_(0),
       delayed_mitigations_(0),
       policy_maker_(NULL),
-      policy_(NULL) {
+      policy_(NULL),
+      lowbox_sid_(NULL) {
   ::InitializeCriticalSection(&lock_);
   // Initialize the IPC dispatcher array.
   memset(&ipc_targets_, NULL, sizeof(ipc_targets_));
@@ -152,6 +153,10 @@ PolicyBase::~PolicyBase() {
   delete ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG];
   delete policy_maker_;
   delete policy_;
+
+  if (lowbox_sid_)
+    ::LocalFree(lowbox_sid_);
+
   ::DeleteCriticalSection(&lock_);
 }
 
@@ -310,6 +315,10 @@ ResultCode PolicyBase::SetAppContainer(const wchar_t* sid) {
   if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
     return SBOX_ALL_OK;
 
+  // SetLowBox and SetAppContainer are mutually exclusive.
+  if (lowbox_sid_)
+    return SBOX_ERROR_UNSUPPORTED;
+
   // Windows refuses to work with an impersonation token for a process inside
   // an AppContainer. If the caller wants to use a more privileged initial
   // token, or if the lockdown level will prevent the process from starting,
@@ -331,6 +340,25 @@ ResultCode PolicyBase::SetCapability(const wchar_t* sid) {
   return SBOX_ALL_OK;
 }
 
+ResultCode PolicyBase::SetLowBox(const wchar_t* sid) {
+  if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
+    return SBOX_ERROR_UNSUPPORTED;
+
+  // SetLowBox and SetAppContainer are mutually exclusive.
+  if (appcontainer_list_.get())
+    return SBOX_ERROR_UNSUPPORTED;
+
+  DCHECK(sid);
+
+  if (lowbox_sid_)
+    return SBOX_ERROR_BAD_PARAMS;
+
+  if (!ConvertStringSidToSid(sid, &lowbox_sid_))
+    return SBOX_ERROR_GENERIC;
+
+  return SBOX_ALL_OK;
+}
+
 ResultCode PolicyBase::SetProcessMitigations(
     MitigationFlags flags) {
   if (!CanSetProcessMitigationsPreStartup(flags))
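Review bot: SetLowBox stores whatever `ConvertStringSidToSid` parses, so a well-formed but non-AppContainer SID string is accepted here and is only rejected (if at all) much later when NtCreateLowBoxToken runs in MakeTokens, where the failure surfaces as a bare SBOX_ERROR_GENERIC. A comment on the method would make the contract explicit, e.g. `// |sid| must be an AppContainer package SID string; it is validated only when the LowBox token is created in MakeTokens.` The `ConvertStringSidToSid` failure path also discards `::GetLastError()`, so a malformed SID is hard to diagnose; logging it before returning SBOX_ERROR_GENERIC would help. The `DCHECK(sid)` sits after the OS-version and AppContainer guards, so a null `sid` becomes a silent SBOX_ERROR_UNSUPPORTED on pre-Win8 rather than an assertion; if null is always a caller bug, move the DCHECK to the top.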
@@ -448,6 +476,11 @@ ResultCode PolicyBase::MakeJobObject(HANDLE* job) {
 }
 
 ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) {
+  if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer() &&
+      lowbox_sid_) {
+    return SBOX_ERROR_BAD_PARAMS;
+  }
+
   // Create the 'naked' token. This will be the permanent token associated
   // with the process and therefore with any thread that is not impersonating.
   DWORD result = CreateRestrictedToken(lockdown, lockdown_level_,
@@ -476,6 +509,9 @@ ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) {
     alternate_desktop_integrity_level_label_ = integrity_level_;
   }
 
+  // We are maintaining two mutually exclusive approaches. One is to start an
+  // AppContainer process through StartupInfoEx and other is replacing
+  // existing token with LowBox token after process creation.
   if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) {
     // Windows refuses to work with an impersonation token. See SetAppContainer
     // implementation for more details.
@@ -484,6 +520,21 @@ ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) {
 
     *initial = INVALID_HANDLE_VALUE;
     return SBOX_ALL_OK;
+  } else if (lowbox_sid_) {
+    NtCreateLowBoxToken CreateLowBoxToken = NULL;
+    ResolveNTFunctionPtr("NtCreateLowBoxToken", &CreateLowBoxToken);
+    OBJECT_ATTRIBUTES obj_attr;
+    InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL);
+    HANDLE token_lowbox = NULL;
+    NTSTATUS status = CreateLowBoxToken(&token_lowbox, *lockdown,
+                                        TOKEN_ALL_ACCESS, &obj_attr,
+                                        lowbox_sid_, 0, NULL, 0, NULL);
+    if (!NT_SUCCESS(status))
+      return SBOX_ERROR_GENERIC;
+
+    DCHECK(token_lowbox);
+    ::CloseHandle(*lockdown);
+    *lockdown = token_lowbox;
   }
 
   // Create the 'better' token. We use this token as the one that the main
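Review bot: The new guard at the top of MakeTokens tests `appcontainer_list_->HasAppContainer()` while SetLowBox only rejects on `appcontainer_list_.get()`, so the two mutual-exclusion checks use different criteria and it is not obvious from this hunk whether the guard is reachable at all once SetLowBox and SetAppContainer have each refused the other. A comment such as `// Defense in depth: SetLowBox/SetAppContainer already reject this combination.` would record that intent, or the check could become a DCHECK if it is truly unreachable. MakeTokens continues outside the hunk.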
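Review bot: In the new `else if (lowbox_sid_)` branch the pointer filled in by `ResolveNTFunctionPtr("NtCreateLowBoxToken", ...)` is called without a null check; unless ResolveNTFunctionPtr itself terminates on lookup failure, a missing export becomes a call through NULL, so `if (!CreateLowBoxToken) return SBOX_ERROR_GENERIC;` before the call is cheap insurance. The NT failure is flattened to SBOX_ERROR_GENERIC with the NTSTATUS discarded, which makes a rejected SID indistinguishable from other failures; logging `status` there would help triage. On that failure return `*lockdown` still holds the restricted token created earlier in this function, and whether MakeTokens' callers close it on error is outside the hunk, so if they do not, this path leaks a token handle. MakeTokens continues outside the hunk.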
@@ -505,6 +556,10 @@ const AppContainerAttributes* PolicyBase::GetAppContainer() const {
   return appcontainer_list_.get();
 }
 
+const PSID PolicyBase::GetLowBoxSid() const {
+  return lowbox_sid_;
+}
+
 bool PolicyBase::AddTarget(TargetProcess* target) {
   if (NULL != policy_)
     policy_maker_->Done();
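Review bot: `const PSID` on GetLowBoxSid is a top-level const on a `void*` typedef, so it neither protects the SID bytes nor says anything about ownership; the const is effectively a no-op in the return type. Since `lowbox_sid_` is released with `::LocalFree` in the destructor, the accessor should state that the pointer is borrowed, e.g. `// Returns the LowBox SID set by SetLowBox, or NULL. Owned by PolicyBase; callers must not free or modify it.` Whether any caller outside this file depends on the const form cannot be seen from this diff.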