diff options
Diffstat (limited to 'sandbox/win/src')
-rw-r--r-- | sandbox/win/src/restricted_token.cc | 72 | ||||
-rw-r--r-- | sandbox/win/src/restricted_token.h | 20 | ||||
-rw-r--r-- | sandbox/win/src/restricted_token_unittest.cc | 137 | ||||
-rw-r--r-- | sandbox/win/src/restricted_token_utils.cc | 39 | ||||
-rw-r--r-- | sandbox/win/src/restricted_token_utils.h | 11 | ||||
-rw-r--r-- | sandbox/win/src/sandbox_policy_base.cc | 12 |
6 files changed, 157 insertions, 134 deletions
diff --git a/sandbox/win/src/restricted_token.cc b/sandbox/win/src/restricted_token.cc index 7fadb2b..d94ca06 100644 --- a/sandbox/win/src/restricted_token.cc +++ b/sandbox/win/src/restricted_token.cc @@ -53,8 +53,7 @@ unsigned RestrictedToken::Init(const HANDLE effective_token) { return ERROR_SUCCESS; } -unsigned RestrictedToken::GetRestrictedToken( - base::win::ScopedHandle* token) const { +unsigned RestrictedToken::GetRestrictedTokenHandle(HANDLE *token_handle) const { DCHECK(init_); if (!init_) return ERROR_NO_TOKEN; @@ -96,7 +95,7 @@ unsigned RestrictedToken::GetRestrictedToken( } BOOL result = TRUE; - HANDLE new_token_handle = NULL; + HANDLE new_token = NULL; // The SANDBOX_INERT flag did nothing in XP and it was just a way to tell // if a token has ben restricted given the limiations of IsTokenRestricted() // but it appears that in Windows 7 it hints the AppLocker subsystem to @@ -110,14 +109,14 @@ unsigned RestrictedToken::GetRestrictedToken( privileges_to_disable_array, static_cast<DWORD>(restrict_size), sids_to_restrict_array, - &new_token_handle); + &new_token); } else { // Duplicate the token even if it's not modified at this point // because any subsequent changes to this token would also affect the // current process. result = ::DuplicateTokenEx(effective_token_, TOKEN_ALL_ACCESS, NULL, SecurityIdentification, TokenPrimary, - &new_token_handle); + &new_token); } if (deny_only_array) @@ -132,59 +131,68 @@ unsigned RestrictedToken::GetRestrictedToken( if (!result) return ::GetLastError(); - base::win::ScopedHandle new_token(new_token_handle); - // Modify the default dacl on the token to contain Restricted and the user. - if (!AddSidToDefaultDacl(new_token.Get(), WinRestrictedCodeSid, GENERIC_ALL)) + if (!AddSidToDefaultDacl(new_token, WinRestrictedCodeSid, GENERIC_ALL)) return ::GetLastError(); - if (!AddUserSidToDefaultDacl(new_token.Get(), GENERIC_ALL)) + if (!AddUserSidToDefaultDacl(new_token, GENERIC_ALL)) return ::GetLastError(); - DWORD error = SetTokenIntegrityLevel(new_token.Get(), integrity_level_); + DWORD error = SetTokenIntegrityLevel(new_token, integrity_level_); if (ERROR_SUCCESS != error) return error; - HANDLE token_handle; - if (!::DuplicateHandle(::GetCurrentProcess(), new_token.Get(), - ::GetCurrentProcess(), &token_handle, - TOKEN_ALL_ACCESS, FALSE, // Don't inherit. - 0)) { + BOOL status = ::DuplicateHandle(::GetCurrentProcess(), + new_token, + ::GetCurrentProcess(), + token_handle, + TOKEN_ALL_ACCESS, + FALSE, // Don't inherit. + 0); + + if (new_token != effective_token_) + ::CloseHandle(new_token); + + if (!status) return ::GetLastError(); - } - token->Set(token_handle); return ERROR_SUCCESS; } -unsigned RestrictedToken::GetRestrictedTokenForImpersonation( - base::win::ScopedHandle* token) const { +unsigned RestrictedToken::GetRestrictedTokenHandleForImpersonation( + HANDLE *token_handle) const { DCHECK(init_); if (!init_) return ERROR_NO_TOKEN; - base::win::ScopedHandle restricted_token; - unsigned err_code = GetRestrictedToken(&restricted_token); + HANDLE restricted_token_handle; + unsigned err_code = GetRestrictedTokenHandle(&restricted_token_handle); if (ERROR_SUCCESS != err_code) return err_code; - HANDLE impersonation_token_handle; - if (!::DuplicateToken(restricted_token.Get(), + HANDLE impersonation_token; + if (!::DuplicateToken(restricted_token_handle, SecurityImpersonation, - &impersonation_token_handle)) { + &impersonation_token)) { + ::CloseHandle(restricted_token_handle); return ::GetLastError(); } - base::win::ScopedHandle impersonation_token(impersonation_token_handle); - HANDLE token_handle; - if (!::DuplicateHandle(::GetCurrentProcess(), impersonation_token.Get(), - ::GetCurrentProcess(), &token_handle, - TOKEN_ALL_ACCESS, FALSE, // Don't inherit. - 0)) { + ::CloseHandle(restricted_token_handle); + + BOOL status = ::DuplicateHandle(::GetCurrentProcess(), + impersonation_token, + ::GetCurrentProcess(), + token_handle, + TOKEN_ALL_ACCESS, + FALSE, // Don't inherit. + 0); + + ::CloseHandle(impersonation_token); + + if (!status) return ::GetLastError(); - } - token->Set(token_handle); return ERROR_SUCCESS; } diff --git a/sandbox/win/src/restricted_token.h b/sandbox/win/src/restricted_token.h index 1bfc364b..565880e 100644 --- a/sandbox/win/src/restricted_token.h +++ b/sandbox/win/src/restricted_token.h @@ -10,7 +10,6 @@ #include "base/basictypes.h" #include "base/strings/string16.h" -#include "base/win/scoped_handle.h" #include "sandbox/win/src/restricted_token_utils.h" #include "sandbox/win/src/security_level.h" #include "sandbox/win/src/sid.h" @@ -36,12 +35,13 @@ namespace sandbox { // } // // restricted_token.AddRestrictingSid(ATL::Sids::Users().GetPSID()); -// base::win::ScopedHandle token_handle; -// err_code = restricted_token.GetRestrictedToken(&token_handle); +// HANDLE token_handle; +// err_code = restricted_token.GetRestrictedTokenHandle(&token_handle); // if (ERROR_SUCCESS != err_code) { // // handle error. // } // [...] +// CloseHandle(token_handle); class RestrictedToken { public: // Init() has to be called before calling any other method in the class. @@ -53,22 +53,24 @@ class RestrictedToken { // the effective token of the current process. unsigned Init(HANDLE effective_token); - // Creates a restricted token. + // Creates a restricted token and returns its handle using the token_handle + // output parameter. This handle has to be closed by the caller. // If the function succeeds, the return value is ERROR_SUCCESS. If the // function fails, the return value is the win32 error code corresponding to // the error. - unsigned GetRestrictedToken(base::win::ScopedHandle* token) const; + unsigned GetRestrictedTokenHandle(HANDLE *token_handle) const; // Creates a restricted token and uses this new token to create a new token - // for impersonation. Returns this impersonation token. + // for impersonation. Returns the handle of this impersonation token using + // the token_handle output parameter. This handle has to be closed by + // the caller. // // If the function succeeds, the return value is ERROR_SUCCESS. If the // function fails, the return value is the win32 error code corresponding to // the error. // - // The sample usage is the same as the GetRestrictedToken function. - unsigned GetRestrictedTokenForImpersonation( - base::win::ScopedHandle* token) const; + // The sample usage is the same as the GetRestrictedTokenHandle function. + unsigned GetRestrictedTokenHandleForImpersonation(HANDLE *token_handle) const; // Lists all sids in the token and mark them as Deny Only except for those // present in the exceptions parameter. If there is no exception needed, diff --git a/sandbox/win/src/restricted_token_unittest.cc b/sandbox/win/src/restricted_token_unittest.cc index fca1a07..8186f9c 100644 --- a/sandbox/win/src/restricted_token_unittest.cc +++ b/sandbox/win/src/restricted_token_unittest.cc @@ -8,8 +8,6 @@ #include <atlbase.h> #include <atlsecurity.h> #include <vector> - -#include "base/win/scoped_handle.h" #include "sandbox/win/src/restricted_token.h" #include "sandbox/win/src/sid.h" #include "testing/gtest/include/gtest/gtest.h" @@ -40,12 +38,12 @@ TEST(RestrictedTokenTest, DefaultInit) { // Get the handle to the restricted token. - base::win::ScopedHandle restricted_token_handle; + HANDLE restricted_token_handle = NULL; ASSERT_EQ(ERROR_SUCCESS, - token_default.GetRestrictedToken(&restricted_token_handle)); + token_default.GetRestrictedTokenHandle(&restricted_token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(restricted_token_handle.Take()); + restricted_token.Attach(restricted_token_handle); ATL::CSid sid_user_restricted; ATL::CSid sid_user_default; @@ -82,12 +80,12 @@ TEST(RestrictedTokenTest, CustomInit) { // Get the handle to the restricted token. - base::win::ScopedHandle restricted_token_handle; + HANDLE restricted_token_handle = NULL; ASSERT_EQ(ERROR_SUCCESS, - token.GetRestrictedToken(&restricted_token_handle)); + token.GetRestrictedTokenHandle(&restricted_token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(restricted_token_handle.Take()); + restricted_token.Attach(restricted_token_handle); ATL::CSid sid_restricted; ATL::CSid sid_default; @@ -106,14 +104,14 @@ TEST(RestrictedTokenTest, ResultToken) { ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSid(ATL::Sids::World().GetPSID())); - base::win::ScopedHandle restricted_token; - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&restricted_token)); + HANDLE restricted_token; + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&restricted_token)); - ASSERT_TRUE(::IsTokenRestricted(restricted_token.Get())); + ASSERT_TRUE(::IsTokenRestricted(restricted_token)); DWORD length = 0; TOKEN_TYPE type; - ASSERT_TRUE(::GetTokenInformation(restricted_token.Get(), + ASSERT_TRUE(::GetTokenInformation(restricted_token, ::TokenType, &type, sizeof(type), @@ -121,19 +119,22 @@ TEST(RestrictedTokenTest, ResultToken) { ASSERT_EQ(type, TokenPrimary); - base::win::ScopedHandle impersonation_token; + HANDLE impersonation_token; ASSERT_EQ(ERROR_SUCCESS, - token.GetRestrictedTokenForImpersonation(&impersonation_token)); + token.GetRestrictedTokenHandleForImpersonation(&impersonation_token)); - ASSERT_TRUE(::IsTokenRestricted(impersonation_token.Get())); + ASSERT_TRUE(::IsTokenRestricted(impersonation_token)); - ASSERT_TRUE(::GetTokenInformation(impersonation_token.Get(), + ASSERT_TRUE(::GetTokenInformation(impersonation_token, ::TokenType, &type, sizeof(type), &length)); ASSERT_EQ(type, TokenImpersonation); + + ::CloseHandle(impersonation_token); + ::CloseHandle(restricted_token); } // Verifies that the token created has "Restricted" in its default dacl. @@ -144,11 +145,11 @@ TEST(RestrictedTokenTest, DefaultDacl) { ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSid(ATL::Sids::World().GetPSID())); - base::win::ScopedHandle handle; - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&handle)); + HANDLE handle; + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(handle.Take()); + restricted_token.Attach(handle); ATL::CDacl dacl; ASSERT_TRUE(restricted_token.GetDefaultDacl(&dacl)); @@ -172,14 +173,14 @@ TEST(RestrictedTokenTest, DefaultDacl) { // Tests the method "AddSidForDenyOnly". TEST(RestrictedTokenTest, DenySid) { RestrictedToken token; - base::win::ScopedHandle token_handle; + HANDLE token_handle = NULL; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.AddSidForDenyOnly(Sid(WinWorldSid))); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle.Take()); + restricted_token.Attach(token_handle); ATL::CTokenGroups groups; ASSERT_TRUE(restricted_token.GetGroups(&groups)); @@ -199,14 +200,14 @@ TEST(RestrictedTokenTest, DenySid) { // Tests the method "AddAllSidsForDenyOnly". TEST(RestrictedTokenTest, DenySids) { RestrictedToken token; - base::win::ScopedHandle token_handle; + HANDLE token_handle = NULL; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.AddAllSidsForDenyOnly(NULL)); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle.Take()); + restricted_token.Attach(token_handle); ATL::CTokenGroups groups; ASSERT_TRUE(restricted_token.GetGroups(&groups)); @@ -228,17 +229,17 @@ TEST(RestrictedTokenTest, DenySids) { // Tests the method "AddAllSidsForDenyOnly" using an exception list. TEST(RestrictedTokenTest, DenySidsException) { RestrictedToken token; - base::win::ScopedHandle token_handle; + HANDLE token_handle = NULL; std::vector<Sid> sids_exception; sids_exception.push_back(Sid(WinWorldSid)); ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.AddAllSidsForDenyOnly(&sids_exception)); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle.Take()); + restricted_token.Attach(token_handle); ATL::CTokenGroups groups; ASSERT_TRUE(restricted_token.GetGroups(&groups)); @@ -264,14 +265,14 @@ TEST(RestrictedTokenTest, DenySidsException) { // Tests test method AddOwnerSidForDenyOnly. TEST(RestrictedTokenTest, DenyOwnerSid) { RestrictedToken token; - base::win::ScopedHandle token_handle; + HANDLE token_handle = NULL; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.AddUserSidForDenyOnly()); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle.Take()); + restricted_token.Attach(token_handle); ATL::CTokenGroups groups; ASSERT_TRUE(restricted_token.GetGroups(&groups)); @@ -294,23 +295,22 @@ TEST(RestrictedTokenTest, DenyOwnerSid) { // Tests test method AddOwnerSidForDenyOnly with a custom effective token. TEST(RestrictedTokenTest, DenyOwnerSidCustom) { // Get the current process token. - HANDLE access_handle = INVALID_HANDLE_VALUE; + HANDLE token_handle = INVALID_HANDLE_VALUE; ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, - &access_handle)); + &token_handle)); - ASSERT_NE(INVALID_HANDLE_VALUE, access_handle); + ASSERT_NE(INVALID_HANDLE_VALUE, token_handle); ATL::CAccessToken access_token; - access_token.Attach(access_handle); + access_token.Attach(token_handle); RestrictedToken token; - base::win::ScopedHandle token_handle; ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle())); ASSERT_EQ(ERROR_SUCCESS, token.AddUserSidForDenyOnly()); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle.Take()); + restricted_token.Attach(token_handle); ATL::CTokenGroups groups; ASSERT_TRUE(restricted_token.GetGroups(&groups)); @@ -333,14 +333,14 @@ TEST(RestrictedTokenTest, DenyOwnerSidCustom) { // Tests the method DeleteAllPrivileges. TEST(RestrictedTokenTest, DeleteAllPrivileges) { RestrictedToken token; - base::win::ScopedHandle token_handle; + HANDLE token_handle = NULL; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.DeleteAllPrivileges(NULL)); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle.Take()); + restricted_token.Attach(token_handle); ATL::CTokenPrivileges privileges; ASSERT_TRUE(restricted_token.GetPrivileges(&privileges)); @@ -351,17 +351,17 @@ TEST(RestrictedTokenTest, DeleteAllPrivileges) { // Tests the method DeleteAllPrivileges with an exception list. TEST(RestrictedTokenTest, DeleteAllPrivilegesException) { RestrictedToken token; - base::win::ScopedHandle token_handle; + HANDLE token_handle = NULL; std::vector<base::string16> exceptions; exceptions.push_back(SE_CHANGE_NOTIFY_NAME); ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.DeleteAllPrivileges(&exceptions)); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle.Take()); + restricted_token.Attach(token_handle); ATL::CTokenPrivileges privileges; ASSERT_TRUE(restricted_token.GetPrivileges(&privileges)); @@ -381,14 +381,14 @@ TEST(RestrictedTokenTest, DeleteAllPrivilegesException) { // Tests the method DeletePrivilege. TEST(RestrictedTokenTest, DeletePrivilege) { RestrictedToken token; - base::win::ScopedHandle token_handle; + HANDLE token_handle = NULL; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.DeletePrivilege(SE_CHANGE_NOTIFY_NAME)); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle.Take()); + restricted_token.Attach(token_handle); ATL::CTokenPrivileges privileges; ASSERT_TRUE(restricted_token.GetPrivileges(&privileges)); @@ -441,15 +441,15 @@ void CheckRestrictingSid(const ATL::CAccessToken &restricted_token, // Tests the method AddRestrictingSid. TEST(RestrictedTokenTest, AddRestrictingSid) { RestrictedToken token; - base::win::ScopedHandle token_handle; + HANDLE token_handle = NULL; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSid(ATL::Sids::World().GetPSID())); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle.Take()); + restricted_token.Attach(token_handle); CheckRestrictingSid(restricted_token, ATL::Sids::World(), 1); } @@ -457,14 +457,14 @@ TEST(RestrictedTokenTest, AddRestrictingSid) { // Tests the method AddRestrictingSidCurrentUser. TEST(RestrictedTokenTest, AddRestrictingSidCurrentUser) { RestrictedToken token; - base::win::ScopedHandle token_handle; + HANDLE token_handle = NULL; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser()); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle.Take()); + restricted_token.Attach(token_handle); ATL::CSid user; restricted_token.GetUser(&user); @@ -474,23 +474,22 @@ TEST(RestrictedTokenTest, AddRestrictingSidCurrentUser) { // Tests the method AddRestrictingSidCurrentUser with a custom effective token. TEST(RestrictedTokenTest, AddRestrictingSidCurrentUserCustom) { // Get the current process token. - HANDLE access_handle = INVALID_HANDLE_VALUE; + HANDLE token_handle = INVALID_HANDLE_VALUE; ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, - &access_handle)); + &token_handle)); - ASSERT_NE(INVALID_HANDLE_VALUE, access_handle); + ASSERT_NE(INVALID_HANDLE_VALUE, token_handle); ATL::CAccessToken access_token; - access_token.Attach(access_handle); + access_token.Attach(token_handle); RestrictedToken token; - base::win::ScopedHandle token_handle; ASSERT_EQ(ERROR_SUCCESS, token.Init(access_token.GetHandle())); ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser()); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle.Take()); + restricted_token.Attach(token_handle); ATL::CSid user; restricted_token.GetUser(&user); @@ -500,14 +499,14 @@ TEST(RestrictedTokenTest, AddRestrictingSidCurrentUserCustom) { // Tests the method AddRestrictingSidLogonSession. TEST(RestrictedTokenTest, AddRestrictingSidLogonSession) { RestrictedToken token; - base::win::ScopedHandle token_handle; + HANDLE token_handle = NULL; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidLogonSession()); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle.Take()); + restricted_token.Attach(token_handle); ATL::CSid session; restricted_token.GetLogonSid(&session); @@ -517,17 +516,17 @@ TEST(RestrictedTokenTest, AddRestrictingSidLogonSession) { // Tests adding a lot of restricting sids. TEST(RestrictedTokenTest, AddMultipleRestrictingSids) { RestrictedToken token; - base::win::ScopedHandle token_handle; + HANDLE token_handle = NULL; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidCurrentUser()); ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidLogonSession()); ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSid(ATL::Sids::World().GetPSID())); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle.Take()); + restricted_token.Attach(token_handle); ATL::CSid session; restricted_token.GetLogonSid(&session); @@ -549,14 +548,14 @@ TEST(RestrictedTokenTest, AddMultipleRestrictingSids) { // Tests the method "AddRestrictingSidAllSids". TEST(RestrictedTokenTest, AddAllSidToRestrictingSids) { RestrictedToken token; - base::win::ScopedHandle token_handle; + HANDLE token_handle = NULL; ASSERT_EQ(ERROR_SUCCESS, token.Init(NULL)); ASSERT_EQ(ERROR_SUCCESS, token.AddRestrictingSidAllSids()); - ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedToken(&token_handle)); + ASSERT_EQ(ERROR_SUCCESS, token.GetRestrictedTokenHandle(&token_handle)); ATL::CAccessToken restricted_token; - restricted_token.Attach(token_handle.Take()); + restricted_token.Attach(token_handle); ATL::CTokenGroups groups; ASSERT_TRUE(restricted_token.GetGroups(&groups)); diff --git a/sandbox/win/src/restricted_token_utils.cc b/sandbox/win/src/restricted_token_utils.cc index 5f97192..1745236 100644 --- a/sandbox/win/src/restricted_token_utils.cc +++ b/sandbox/win/src/restricted_token_utils.cc @@ -19,10 +19,13 @@ namespace sandbox { -DWORD CreateRestrictedToken(TokenLevel security_level, +DWORD CreateRestrictedToken(HANDLE *token_handle, + TokenLevel security_level, IntegrityLevel integrity_level, - TokenType token_type, - base::win::ScopedHandle* token) { + TokenType token_type) { + if (!token_handle) + return ERROR_BAD_ARGUMENTS; + RestrictedToken restricted_token; restricted_token.Init(NULL); // Initialized with the current process token @@ -120,11 +123,12 @@ DWORD CreateRestrictedToken(TokenLevel security_level, switch (token_type) { case PRIMARY: { - err_code = restricted_token.GetRestrictedToken(token); + err_code = restricted_token.GetRestrictedTokenHandle(token_handle); break; } case IMPERSONATION: { - err_code = restricted_token.GetRestrictedTokenForImpersonation(token); + err_code = restricted_token.GetRestrictedTokenHandleForImpersonation( + token_handle); break; } default: { @@ -155,20 +159,27 @@ DWORD StartRestrictedProcessInJob(wchar_t *command_line, } // Create the primary (restricted) token for the process - base::win::ScopedHandle primary_token; - err_code = CreateRestrictedToken(primary_level, INTEGRITY_LEVEL_LAST, - PRIMARY, &primary_token); - if (ERROR_SUCCESS != err_code) + HANDLE primary_token_handle = NULL; + err_code = CreateRestrictedToken(&primary_token_handle, + primary_level, + INTEGRITY_LEVEL_LAST, + PRIMARY); + if (ERROR_SUCCESS != err_code) { return err_code; - + } + base::win::ScopedHandle primary_token(primary_token_handle); // Create the impersonation token (restricted) to be able to start the // process. - base::win::ScopedHandle impersonation_token; - err_code = CreateRestrictedToken(impersonation_level, INTEGRITY_LEVEL_LAST, - IMPERSONATION, &impersonation_token); - if (ERROR_SUCCESS != err_code) + HANDLE impersonation_token_handle; + err_code = CreateRestrictedToken(&impersonation_token_handle, + impersonation_level, + INTEGRITY_LEVEL_LAST, + IMPERSONATION); + if (ERROR_SUCCESS != err_code) { return err_code; + } + base::win::ScopedHandle impersonation_token(impersonation_token_handle); // Start the process STARTUPINFO startup_info = {0}; diff --git a/sandbox/win/src/restricted_token_utils.h b/sandbox/win/src/restricted_token_utils.h index 40d2286..509feaf 100644 --- a/sandbox/win/src/restricted_token_utils.h +++ b/sandbox/win/src/restricted_token_utils.h @@ -8,7 +8,6 @@ #include <accctrl.h> #include <windows.h> -#include "base/win/scoped_handle.h" #include "sandbox/win/src/restricted_token.h" #include "sandbox/win/src/security_level.h" @@ -28,15 +27,15 @@ enum TokenType { // restricted. The token_type determines if the token will be used as a primary // token or impersonation token. The integrity level of the token is set to // |integrity level| on Vista only. -// |token| is the output value containing the handle of the newly created -// restricted token. +// token_handle is the output value containing the handle of the +// newly created restricted token. // If the function succeeds, the return value is ERROR_SUCCESS. If the // function fails, the return value is the win32 error code corresponding to // the error. -DWORD CreateRestrictedToken(TokenLevel security_level, +DWORD CreateRestrictedToken(HANDLE *token_handle, + TokenLevel security_level, IntegrityLevel integrity_level, - TokenType token_type, - base::win::ScopedHandle* token); + TokenType token_type); // Starts the process described by the input parameter command_line in a job // with a restricted token. Also set the main thread of this newly created diff --git a/sandbox/win/src/sandbox_policy_base.cc b/sandbox/win/src/sandbox_policy_base.cc index 12f72d5..fcc4a7c 100644 --- a/sandbox/win/src/sandbox_policy_base.cc +++ b/sandbox/win/src/sandbox_policy_base.cc @@ -550,11 +550,14 @@ ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial, // Create the 'naked' token. This will be the permanent token associated // with the process and therefore with any thread that is not impersonating. - DWORD result = CreateRestrictedToken(lockdown_level_, integrity_level_, - PRIMARY, lockdown); + HANDLE temp_handle; + DWORD result = CreateRestrictedToken(&temp_handle, lockdown_level_, + integrity_level_, PRIMARY); if (ERROR_SUCCESS != result) return SBOX_ERROR_GENERIC; + lockdown->Set(temp_handle); + // If we're launching on the alternate desktop we need to make sure the // integrity label on the object is no higher than the sandboxed process's // integrity level. So, we lower the label on the desktop process if it's @@ -619,11 +622,12 @@ ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial, // Create the 'better' token. We use this token as the one that the main // thread uses when booting up the process. It should contain most of // what we need (before reaching main( )) - result = CreateRestrictedToken(initial_level_, integrity_level_, - IMPERSONATION, initial); + result = CreateRestrictedToken(&temp_handle, initial_level_, + integrity_level_, IMPERSONATION); if (ERROR_SUCCESS != result) return SBOX_ERROR_GENERIC; + initial->Set(temp_handle); return SBOX_ALL_OK; } |