// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include <aclapi.h> #include <sddl.h> #include <vector> #include "sandbox/win/src/restricted_token_utils.h" #include "base/logging.h" #include "base/win/scoped_handle.h" #include "base/win/scoped_process_information.h" #include "base/win/windows_version.h" #include "sandbox/win/src/job.h" #include "sandbox/win/src/restricted_token.h" #include "sandbox/win/src/security_level.h" #include "sandbox/win/src/sid.h" namespace sandbox { DWORD CreateRestrictedToken(HANDLE *token_handle, TokenLevel security_level, IntegrityLevel integrity_level, TokenType token_type) { if (!token_handle) return ERROR_BAD_ARGUMENTS; RestrictedToken restricted_token; restricted_token.Init(NULL); // Initialized with the current process token std::vector<std::wstring> privilege_exceptions; std::vector<Sid> sid_exceptions; bool deny_sids = true; bool remove_privileges = true; switch (security_level) { case USER_UNPROTECTED: { deny_sids = false; remove_privileges = false; break; } case USER_RESTRICTED_SAME_ACCESS: { deny_sids = false; remove_privileges = false; unsigned err_code = restricted_token.AddRestrictingSidAllSids(); if (ERROR_SUCCESS != err_code) return err_code; break; } case USER_NON_ADMIN: { sid_exceptions.push_back(WinBuiltinUsersSid); sid_exceptions.push_back(WinWorldSid); sid_exceptions.push_back(WinInteractiveSid); sid_exceptions.push_back(WinAuthenticatedUserSid); privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME); break; } case USER_INTERACTIVE: { sid_exceptions.push_back(WinBuiltinUsersSid); sid_exceptions.push_back(WinWorldSid); sid_exceptions.push_back(WinInteractiveSid); sid_exceptions.push_back(WinAuthenticatedUserSid); privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME); restricted_token.AddRestrictingSid(WinBuiltinUsersSid); restricted_token.AddRestrictingSid(WinWorldSid); restricted_token.AddRestrictingSid(WinRestrictedCodeSid); restricted_token.AddRestrictingSidCurrentUser(); restricted_token.AddRestrictingSidLogonSession(); break; } case USER_LIMITED: { sid_exceptions.push_back(WinBuiltinUsersSid); sid_exceptions.push_back(WinWorldSid); sid_exceptions.push_back(WinInteractiveSid); privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME); restricted_token.AddRestrictingSid(WinBuiltinUsersSid); restricted_token.AddRestrictingSid(WinWorldSid); restricted_token.AddRestrictingSid(WinRestrictedCodeSid); // This token has to be able to create objects in BNO. // Unfortunately, on vista, it needs the current logon sid // in the token to achieve this. You should also set the process to be // low integrity level so it can't access object created by other // processes. if (base::win::GetVersion() >= base::win::VERSION_VISTA) restricted_token.AddRestrictingSidLogonSession(); break; } case USER_RESTRICTED: { privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME); restricted_token.AddUserSidForDenyOnly(); restricted_token.AddRestrictingSid(WinRestrictedCodeSid); break; } case USER_LOCKDOWN: { restricted_token.AddUserSidForDenyOnly(); restricted_token.AddRestrictingSid(WinNullSid); break; } default: { return ERROR_BAD_ARGUMENTS; } } DWORD err_code = ERROR_SUCCESS; if (deny_sids) { err_code = restricted_token.AddAllSidsForDenyOnly(&sid_exceptions); if (ERROR_SUCCESS != err_code) return err_code; } if (remove_privileges) { err_code = restricted_token.DeleteAllPrivileges(&privilege_exceptions); if (ERROR_SUCCESS != err_code) return err_code; } restricted_token.SetIntegrityLevel(integrity_level); switch (token_type) { case PRIMARY: { err_code = restricted_token.GetRestrictedTokenHandle(token_handle); break; } case IMPERSONATION: { err_code = restricted_token.GetRestrictedTokenHandleForImpersonation( token_handle); break; } default: { err_code = ERROR_BAD_ARGUMENTS; break; } } return err_code; } DWORD StartRestrictedProcessInJob(wchar_t *command_line, TokenLevel primary_level, TokenLevel impersonation_level, JobLevel job_level, HANDLE *const job_handle_ret) { Job job; DWORD err_code = job.Init(job_level, NULL, 0); if (ERROR_SUCCESS != err_code) return err_code; if (JOB_UNPROTECTED != job_level) { // Share the Desktop handle to be able to use MessageBox() in the sandboxed // application. err_code = job.UserHandleGrantAccess(GetDesktopWindow()); if (ERROR_SUCCESS != err_code) return err_code; } // Create the primary (restricted) token for the process HANDLE primary_token_handle = NULL; err_code = CreateRestrictedToken(&primary_token_handle, primary_level, INTEGRITY_LEVEL_LAST, PRIMARY); if (ERROR_SUCCESS != err_code) { return err_code; } base::win::ScopedHandle primary_token(primary_token_handle); // Create the impersonation token (restricted) to be able to start the // process. HANDLE impersonation_token_handle; err_code = CreateRestrictedToken(&impersonation_token_handle, impersonation_level, INTEGRITY_LEVEL_LAST, IMPERSONATION); if (ERROR_SUCCESS != err_code) { return err_code; } base::win::ScopedHandle impersonation_token(impersonation_token_handle); // Start the process STARTUPINFO startup_info = {0}; base::win::ScopedProcessInformation process_info; DWORD flags = CREATE_SUSPENDED; if (base::win::GetVersion() < base::win::VERSION_WIN8) { // Windows 8 implements nested jobs, but for older systems we need to // break out of any job we're in to enforce our restrictions. flags |= CREATE_BREAKAWAY_FROM_JOB; } if (!::CreateProcessAsUser(primary_token.Get(), NULL, // No application name. command_line, NULL, // No security attribute. NULL, // No thread attribute. FALSE, // Do not inherit handles. flags, NULL, // Use the environment of the caller. NULL, // Use current directory of the caller. &startup_info, process_info.Receive())) { return ::GetLastError(); } // Change the token of the main thread of the new process for the // impersonation token with more rights. { HANDLE temp_thread = process_info.thread_handle(); if (!::SetThreadToken(&temp_thread, impersonation_token.Get())) { ::TerminateProcess(process_info.process_handle(), 0); // exit code return ::GetLastError(); } } err_code = job.AssignProcessToJob(process_info.process_handle()); if (ERROR_SUCCESS != err_code) { ::TerminateProcess(process_info.process_handle(), 0); // exit code return ::GetLastError(); } // Start the application ::ResumeThread(process_info.thread_handle()); (*job_handle_ret) = job.Detach(); return ERROR_SUCCESS; } DWORD SetObjectIntegrityLabel(HANDLE handle, SE_OBJECT_TYPE type, const wchar_t* ace_access, const wchar_t* integrity_level_sid) { // Build the SDDL string for the label. std::wstring sddl = L"S:("; // SDDL for a SACL. sddl += SDDL_MANDATORY_LABEL; // Ace Type is "Mandatory Label". sddl += L";;"; // No Ace Flags. sddl += ace_access; // Add the ACE access. sddl += L";;;"; // No ObjectType and Inherited Object Type. sddl += integrity_level_sid; // Trustee Sid. sddl += L")"; DWORD error = ERROR_SUCCESS; PSECURITY_DESCRIPTOR sec_desc = NULL; PACL sacl = NULL; BOOL sacl_present = FALSE; BOOL sacl_defaulted = FALSE; if (::ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl.c_str(), SDDL_REVISION, &sec_desc, NULL)) { if (::GetSecurityDescriptorSacl(sec_desc, &sacl_present, &sacl, &sacl_defaulted)) { error = ::SetSecurityInfo(handle, type, LABEL_SECURITY_INFORMATION, NULL, NULL, NULL, sacl); } else { error = ::GetLastError(); } ::LocalFree(sec_desc); } else { return::GetLastError(); } return error; } const wchar_t* GetIntegrityLevelString(IntegrityLevel integrity_level) { switch (integrity_level) { case INTEGRITY_LEVEL_SYSTEM: return L"S-1-16-16384"; case INTEGRITY_LEVEL_HIGH: return L"S-1-16-12288"; case INTEGRITY_LEVEL_MEDIUM: return L"S-1-16-8192"; case INTEGRITY_LEVEL_MEDIUM_LOW: return L"S-1-16-6144"; case INTEGRITY_LEVEL_LOW: return L"S-1-16-4096"; case INTEGRITY_LEVEL_BELOW_LOW: return L"S-1-16-2048"; case INTEGRITY_LEVEL_UNTRUSTED: return L"S-1-16-0"; case INTEGRITY_LEVEL_LAST: return NULL; } NOTREACHED(); return NULL; } DWORD SetTokenIntegrityLevel(HANDLE token, IntegrityLevel integrity_level) { if (base::win::GetVersion() < base::win::VERSION_VISTA) return ERROR_SUCCESS; const wchar_t* integrity_level_str = GetIntegrityLevelString(integrity_level); if (!integrity_level_str) { // No mandatory level specified, we don't change it. return ERROR_SUCCESS; } PSID integrity_sid = NULL; if (!::ConvertStringSidToSid(integrity_level_str, &integrity_sid)) return ::GetLastError(); TOKEN_MANDATORY_LABEL label = {0}; label.Label.Attributes = SE_GROUP_INTEGRITY; label.Label.Sid = integrity_sid; DWORD size = sizeof(TOKEN_MANDATORY_LABEL) + ::GetLengthSid(integrity_sid); BOOL result = ::SetTokenInformation(token, TokenIntegrityLevel, &label, size); ::LocalFree(integrity_sid); return result ? ERROR_SUCCESS : ::GetLastError(); } DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level) { if (base::win::GetVersion() < base::win::VERSION_VISTA) return ERROR_SUCCESS; // We don't check for an invalid level here because we'll just let it // fail on the SetTokenIntegrityLevel call later on. if (integrity_level == INTEGRITY_LEVEL_LAST) { // No mandatory level specified, we don't change it. return ERROR_SUCCESS; } HANDLE token_handle; if (!::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_DEFAULT, &token_handle)) return ::GetLastError(); base::win::ScopedHandle token(token_handle); return SetTokenIntegrityLevel(token.Get(), integrity_level); } } // namespace sandbox