Move the Windows sandbox to sandbox/win

This is a rather large refactor to move the Windows sandbox to the right place. BUG= TEST= NOTRY=true TBR=sky@chromium.org Review URL: https://chromiumcodereview.appspot.com/10689170 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@147151 0039d316-1c4b-4281-b951-d872f2087c98
author: jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2012-07-18 00:59:15 +0000
committer: jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2012-07-18 00:59:15 +0000
commit: 18149178646e45f3d7dde865efbeabbab431799a (patch)
tree: cc19ce0fc5cc1927695c789212fab93a195b9d9f /sandbox/win/src/target_services.cc
parent: 4633cdb53427b31197d3c6f991f07bee2a04e0df (diff)
download: chromium_src-18149178646e45f3d7dde865efbeabbab431799a.zip
chromium_src-18149178646e45f3d7dde865efbeabbab431799a.tar.gz
chromium_src-18149178646e45f3d7dde865efbeabbab431799a.tar.bz2
1 files changed, 188 insertions, 0 deletions
diff --git a/sandbox/win/src/target_services.cc b/sandbox/win/src/target_services.cc
new file mode 100644
index 0000000..495f108
--- /dev/null
+++ b/sandbox/win/src/target_services.cc
@@ -0,0 +1,188 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/win/src/target_services.h"
+
+#include <process.h>
+
+#include "base/basictypes.h"
+#include "sandbox/win/src/crosscall_client.h"
+#include "sandbox/win/src/handle_closer_agent.h"
+#include "sandbox/win/src/handle_interception.h"
+#include "sandbox/win/src/ipc_tags.h"
+#include "sandbox/win/src/restricted_token_utils.h"
+#include "sandbox/win/src/sandbox.h"
+#include "sandbox/win/src/sandbox_types.h"
+#include "sandbox/win/src/sharedmem_ipc_client.h"
+#include "sandbox/win/src/sandbox_nt_util.h"
+
+namespace {
+
+// Flushing a cached key is triggered by just opening the key and closing the
+// resulting handle. RegDisablePredefinedCache() is the documented way to flush
+// HKCU so do not use it with this function.
+bool FlushRegKey(HKEY root) {
+  HKEY key;
+  if (ERROR_SUCCESS == ::RegOpenKeyExW(root, NULL, 0, MAXIMUM_ALLOWED, &key)) {
+    if (ERROR_SUCCESS != ::RegCloseKey(key))
+      return false;
+  }
+  return true;
+}
+
+// This function forces advapi32.dll to release some internally cached handles
+// that were made during calls to RegOpenkey and RegOpenKeyEx if it is called
+// with a more restrictive token. Returns true if the flushing is succesful
+// although this behavior is undocumented and there is no guarantee that in
+// fact this will happen in future versions of windows.
+bool FlushCachedRegHandles() {
+  return (FlushRegKey(HKEY_LOCAL_MACHINE) &&
+          FlushRegKey(HKEY_CLASSES_ROOT) &&
+          FlushRegKey(HKEY_USERS));
+}
+
+// Checks if we have handle entries pending and runs the closer.
+bool CloseOpenHandles() {
+  if (sandbox::HandleCloserAgent::NeedsHandlesClosed()) {
+    sandbox::HandleCloserAgent handle_closer;
+
+    handle_closer.InitializeHandlesToClose();
+    if (!handle_closer.CloseHandles())
+      return false;
+  }
+
+  return true;
+}
+
+}  // namespace
+
+namespace sandbox {
+
+SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level =
+    INTEGRITY_LEVEL_LAST;
+
+TargetServicesBase::TargetServicesBase() {
+}
+
+ResultCode TargetServicesBase::Init() {
+  process_state_.SetInitCalled();
+  return SBOX_ALL_OK;
+}
+
+// Failure here is a breach of security so the process is terminated.
+void TargetServicesBase::LowerToken() {
+  if (ERROR_SUCCESS !=
+      SetProcessIntegrityLevel(g_shared_delayed_integrity_level))
+    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_INTEGRITY);
+  process_state_.SetRevertedToSelf();
+  // If the client code as called RegOpenKey, advapi32.dll has cached some
+  // handles. The following code gets rid of them.
+  if (!::RevertToSelf())
+    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_DROPTOKEN);
+  if (!FlushCachedRegHandles())
+    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_FLUSHANDLES);
+  if (ERROR_SUCCESS != ::RegDisablePredefinedCache())
+    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CACHEDISABLE);
+  if (!CloseOpenHandles())
+    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CLOSEHANDLES);
+}
+
+ProcessState* TargetServicesBase::GetState() {
+  return &process_state_;
+}
+
+TargetServicesBase* TargetServicesBase::GetInstance() {
+  static TargetServicesBase instance;
+  return &instance;
+}
+
+// The broker services a 'test' IPC service with the IPC_PING_TAG tag.
+bool TargetServicesBase::TestIPCPing(int version) {
+  void* memory = GetGlobalIPCMemory();
+  if (NULL == memory) {
+    return false;
+  }
+  SharedMemIPCClient ipc(memory);
+  CrossCallReturn answer = {0};
+
+  if (1 == version) {
+    uint32 tick1 = ::GetTickCount();
+    uint32 cookie = 717115;
+    ResultCode code = CrossCall(ipc, IPC_PING1_TAG, cookie, &answer);
+
+    if (SBOX_ALL_OK != code) {
+      return false;
+    }
+    // We should get two extended returns values from the IPC, one is the
+    // tick count on the broker and the other is the cookie times two.
+    if ((answer.extended_count != 2)) {
+      return false;
+    }
+    // We test the first extended answer to be within the bounds of the tick
+    // count only if there was no tick count wraparound.
+    uint32 tick2 = ::GetTickCount();
+    if (tick2 >= tick1) {
+      if ((answer.extended[0].unsigned_int < tick1) ||
+          (answer.extended[0].unsigned_int > tick2)) {
+        return false;
+      }
+    }
+
+    if (answer.extended[1].unsigned_int != cookie * 2) {
+      return false;
+    }
+  } else if (2 == version) {
+    uint32 cookie = 717111;
+    InOutCountedBuffer counted_buffer(&cookie, sizeof(cookie));
+    ResultCode code = CrossCall(ipc, IPC_PING2_TAG, counted_buffer, &answer);
+
+    if (SBOX_ALL_OK != code) {
+      return false;
+    }
+    if (cookie != 717111 * 3) {
+      return false;
+    }
+  } else {
+    return false;
+  }
+  return true;
+}
+
+bool ProcessState::IsKernel32Loaded() {
+  return process_state_ != 0;
+}
+
+bool ProcessState::InitCalled() {
+  return process_state_ > 1;
+}
+
+bool ProcessState::RevertedToSelf() {
+  return process_state_ > 2;
+}
+
+void ProcessState::SetKernel32Loaded() {
+  if (!process_state_)
+    process_state_ = 1;
+}
+
+void ProcessState::SetInitCalled() {
+  if (process_state_ < 2)
+    process_state_ = 2;
+}
+
+void ProcessState::SetRevertedToSelf() {
+  if (process_state_ < 3)
+    process_state_ = 3;
+}
+
+ResultCode TargetServicesBase::DuplicateHandle(HANDLE source_handle,
+                                               DWORD target_process_id,
+                                               HANDLE* target_handle,
+                                               DWORD desired_access,
+                                               DWORD options) {
+  return sandbox::DuplicateHandleProxy(source_handle, target_process_id,
+                                       target_handle, desired_access, options);
+}
+
+}  // namespace sandbox
author	jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2012-07-18 00:59:15 +0000
committer	jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2012-07-18 00:59:15 +0000
commit	18149178646e45f3d7dde865efbeabbab431799a (patch)
tree	cc19ce0fc5cc1927695c789212fab93a195b9d9f /sandbox/win/src/target_services.cc
parent	4633cdb53427b31197d3c6f991f07bee2a04e0df (diff)
download	chromium_src-18149178646e45f3d7dde865efbeabbab431799a.zip chromium_src-18149178646e45f3d7dde865efbeabbab431799a.tar.gz chromium_src-18149178646e45f3d7dde865efbeabbab431799a.tar.bz2