From e4876b29d769e62971fc67fe0ab0efab7512e3d1 Mon Sep 17 00:00:00 2001
From: "jschuh@chromium.org"
 <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Wed, 20 Jul 2011 23:03:41 +0000
Subject: Add a sandbox API to allow closing open handles at lockdown.

BUG=58069
BUG=74242
TEST=sbox_integration_tests --gtest_filter=HandleCloserTests.*
Review URL: http://codereview.chromium.org/7253054

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@93274 0039d316-1c4b-4281-b951-d872f2087c98
---
 content/common/sandbox_policy.cc | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)


diff --git a/content/common/sandbox_policy.cc b/content/common/sandbox_policy.cc
index bfa7db1..41995f4 100644
--- a/content/common/sandbox_policy.cc
+++ b/content/common/sandbox_policy.cc
@@ -194,6 +194,41 @@ void AddDllEvictionPolicy(sandbox::TargetPolicy* policy) {
     BlacklistAddOneDll(kTroublesomeDlls[ix], policy);
 }
 
+// Returns the object path prepended with the current logon session.
+string16 PrependWindowsSessionPath(const char16* object) {
+  // Cache this because it can't change after process creation.
+  static string16* session_prefix = NULL;
+  if (!session_prefix) {
+    HANDLE token;
+    DWORD session_id;
+    DWORD session_id_length;
+
+    CHECK(::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &token));
+    CHECK(::GetTokenInformation(token, TokenSessionId, &session_id,
+        sizeof(session_id), &session_id_length));
+    CloseHandle(token);
+
+    session_prefix = new string16(base::StringPrintf(L"\\Sessions\\%d",
+        session_id));
+  }
+
+  return *session_prefix + object;
+}
+
+// Closes handles that are opened at process creation and initialization.
+void AddBaseHandleClosePolicy(sandbox::TargetPolicy* policy) {
+  // Being able to manipulate anything BaseNamedObjects is bad.
+  policy->AddKernelObjectToClose(L"Directory", PrependWindowsSessionPath(
+      L"\\BaseNamedObjects").data());
+  policy->AddKernelObjectToClose(L"Section", PrependWindowsSessionPath(
+      L"\\BaseNamedObjects\\windows_shell_global_counters").data());
+}
+
+void AddStrictHandleClosePolicy(sandbox::TargetPolicy* policy) {
+  // This is loaded when rand_s is seeded, but not needed again.
+  policy->AddKernelObjectToClose(L"File", L"\\Device\\KsecDD");
+}
+
 // Adds the generic policy rules to a sandbox TargetPolicy.
 bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
   sandbox::ResultCode result;
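Review bot: The two `.data()` calls in AddBaseHandleClosePolicy hand over a pointer that pre-C++11 std::basic_string does not guarantee to be NUL-terminated, and the pointee is a temporary that dies at the end of the full expression; `.c_str()` is the guaranteed form, and the call is only safe if AddKernelObjectToClose copies the string rather than retaining the pointer, which is worth confirming. In PrependWindowsSessionPath `session_id` is a DWORD, so the format should read `L"\\Sessions\\%u"` rather than `%d`. The lazily initialised `session_prefix` is a plain static pointer with no synchronisation, which is only correct if this function is reached from a single thread (presumably the process launcher); otherwise two callers can race and one string leaks. The raw `token` HANDLE could also be a base::win::ScopedHandle so it is released on every path, although with CHECK aborting on failure this is mostly a style point.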
@@ -279,6 +314,7 @@ void AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
   }
 
   AddDllEvictionPolicy(policy);
+  AddBaseHandleClosePolicy(policy);
 }
 
 // The Pepper process as locked-down as a renderer execpt that it can
@@ -414,6 +450,8 @@ base::ProcessHandle StartProcessWithAccess(CommandLine* cmd_line,
       return 0;
   } else {
     AddPolicyForRenderer(policy);
+    if (type == ChildProcessInfo::RENDER_PROCESS)
+      AddStrictHandleClosePolicy(policy);
 
     if (type_str != switches::kRendererProcess) {
       // Hack for Google Desktop crash. Trick GD into not injecting its DLL into
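Review bot: The added `if (type == ChildProcessInfo::RENDER_PROCESS)` guard is unexplained: AddPolicyForRenderer runs for every type that reaches this branch, but the strict KsecDD close is limited to true renderers, and nothing records why the other types are excluded. A one-line comment above the guard would help, e.g. `// Only renderers get the strict handle-close policy; other types on this path may still need these handles after startup.`, adjusted to the actual reason. StartProcessWithAccess starts and ends outside this hunk.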
-- 