The Tor Browser: comparison security/sandbox/win/src/sandbox_policy

--1:000000000000
+:9d48677c2c25
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "sandbox/win/src/sandbox_policy_base.h"
+#include "base/basictypes.h"
+#include "base/callback.h"
+#include "base/logging.h"
+#include "base/win/windows_version.h"
+#include "sandbox/win/src/app_container.h"
+#include "sandbox/win/src/filesystem_dispatcher.h"
+#include "sandbox/win/src/filesystem_policy.h"
+#include "sandbox/win/src/handle_dispatcher.h"
+#include "sandbox/win/src/handle_policy.h"
+#include "sandbox/win/src/job.h"
+#include "sandbox/win/src/interception.h"
+#include "sandbox/win/src/process_mitigations.h"
+#include "sandbox/win/src/named_pipe_dispatcher.h"
+#include "sandbox/win/src/named_pipe_policy.h"
+#include "sandbox/win/src/policy_broker.h"
+#include "sandbox/win/src/policy_engine_processor.h"
+#include "sandbox/win/src/policy_low_level.h"
+#include "sandbox/win/src/process_thread_dispatcher.h"
+#include "sandbox/win/src/process_thread_policy.h"
+#include "sandbox/win/src/registry_dispatcher.h"
+#include "sandbox/win/src/registry_policy.h"
+#include "sandbox/win/src/restricted_token_utils.h"
+#include "sandbox/win/src/sandbox_policy.h"
+#include "sandbox/win/src/sync_dispatcher.h"
+#include "sandbox/win/src/sync_policy.h"
+#include "sandbox/win/src/target_process.h"
+#include "sandbox/win/src/window.h"
+namespace {
+// The standard windows size for one memory page.
+const size_t kOneMemPage = 4096;
+// The IPC and Policy shared memory sizes.
+const size_t kIPCMemSize = kOneMemPage * 2;
+const size_t kPolMemSize = kOneMemPage * 14;
+// Helper function to allocate space (on the heap) for policy.
+sandbox::PolicyGlobal* MakeBrokerPolicyMemory() {
+const size_t kTotalPolicySz = kPolMemSize;
+sandbox::PolicyGlobal* policy = static_cast<sandbox::PolicyGlobal*>
+(::operator new(kTotalPolicySz));
+DCHECK(policy);
+memset(policy, 0, kTotalPolicySz);
+policy->data_size = kTotalPolicySz - sizeof(sandbox::PolicyGlobal);
+return policy;
+}
+bool IsInheritableHandle(HANDLE handle) {
+if (!handle)
+return false;
+if (handle == INVALID_HANDLE_VALUE)
+return false;
+// File handles (FILE_TYPE_DISK) and pipe handles are known to be
+// inheritable.  Console handles (FILE_TYPE_CHAR) are not
+// inheritable via PROC_THREAD_ATTRIBUTE_HANDLE_LIST.
+DWORD handle_type = GetFileType(handle);
+return handle_type == FILE_TYPE_DISK || handle_type == FILE_TYPE_PIPE;
+}
+}
+namespace sandbox {
+SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level;
+SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations;
+// Initializes static members.
+HWINSTA PolicyBase::alternate_winstation_handle_ = NULL;
+HDESK PolicyBase::alternate_desktop_handle_ = NULL;
+PolicyBase::PolicyBase()
+: ref_count(1),
+lockdown_level_(USER_LOCKDOWN),
+initial_level_(USER_LOCKDOWN),
+job_level_(JOB_LOCKDOWN),
+ui_exceptions_(0),
+use_alternate_desktop_(false),
+use_alternate_winstation_(false),
+file_system_init_(false),
+relaxed_interceptions_(true),
+stdout_handle_(INVALID_HANDLE_VALUE),
+stderr_handle_(INVALID_HANDLE_VALUE),
+integrity_level_(INTEGRITY_LEVEL_LAST),
+delayed_integrity_level_(INTEGRITY_LEVEL_LAST),
+mitigations_(0),
+delayed_mitigations_(0),
+policy_maker_(NULL),
+policy_(NULL) {
+::InitializeCriticalSection(&lock_);
+// Initialize the IPC dispatcher array.
+memset(&ipc_targets_, NULL, sizeof(ipc_targets_));
+Dispatcher* dispatcher = NULL;
+dispatcher = new FilesystemDispatcher(this);
+ipc_targets_[IPC_NTCREATEFILE_TAG] = dispatcher;
+ipc_targets_[IPC_NTOPENFILE_TAG] = dispatcher;
+ipc_targets_[IPC_NTSETINFO_RENAME_TAG] = dispatcher;
+ipc_targets_[IPC_NTQUERYATTRIBUTESFILE_TAG] = dispatcher;
+ipc_targets_[IPC_NTQUERYFULLATTRIBUTESFILE_TAG] = dispatcher;
+dispatcher = new NamedPipeDispatcher(this);
+ipc_targets_[IPC_CREATENAMEDPIPEW_TAG] = dispatcher;
+dispatcher = new ThreadProcessDispatcher(this);
+ipc_targets_[IPC_NTOPENTHREAD_TAG] = dispatcher;
+ipc_targets_[IPC_NTOPENPROCESS_TAG] = dispatcher;
+ipc_targets_[IPC_CREATEPROCESSW_TAG] = dispatcher;
+ipc_targets_[IPC_NTOPENPROCESSTOKEN_TAG] = dispatcher;
+ipc_targets_[IPC_NTOPENPROCESSTOKENEX_TAG] = dispatcher;
+dispatcher = new SyncDispatcher(this);
+ipc_targets_[IPC_CREATEEVENT_TAG] = dispatcher;
+ipc_targets_[IPC_OPENEVENT_TAG] = dispatcher;
+dispatcher = new RegistryDispatcher(this);
+ipc_targets_[IPC_NTCREATEKEY_TAG] = dispatcher;
+ipc_targets_[IPC_NTOPENKEY_TAG] = dispatcher;
+dispatcher = new HandleDispatcher(this);
+ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG] = dispatcher;
+}
+PolicyBase::~PolicyBase() {
+TargetSet::iterator it;
+for (it = targets_.begin(); it != targets_.end(); ++it) {
+TargetProcess* target = (*it);
+delete target;
+}
+delete ipc_targets_[IPC_NTCREATEFILE_TAG];
+delete ipc_targets_[IPC_CREATENAMEDPIPEW_TAG];
+delete ipc_targets_[IPC_NTOPENTHREAD_TAG];
+delete ipc_targets_[IPC_CREATEEVENT_TAG];
+delete ipc_targets_[IPC_NTCREATEKEY_TAG];
+delete ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG];
+delete policy_maker_;
+delete policy_;
+::DeleteCriticalSection(&lock_);
+}
+void PolicyBase::AddRef() {
+::InterlockedIncrement(&ref_count);
+}
+void PolicyBase::Release() {
+if (0 == ::InterlockedDecrement(&ref_count))
+delete this;
+}
+ResultCode PolicyBase::SetTokenLevel(TokenLevel initial, TokenLevel lockdown) {
+if (initial < lockdown) {
+return SBOX_ERROR_BAD_PARAMS;
+}
+initial_level_ = initial;
+lockdown_level_ = lockdown;
+return SBOX_ALL_OK;
+}
+ResultCode PolicyBase::SetJobLevel(JobLevel job_level, uint32 ui_exceptions) {
+job_level_ = job_level;
+ui_exceptions_ = ui_exceptions;
+return SBOX_ALL_OK;
+}
+ResultCode PolicyBase::SetAlternateDesktop(bool alternate_winstation) {
+use_alternate_desktop_ = true;
+use_alternate_winstation_ = alternate_winstation;
+return CreateAlternateDesktop(alternate_winstation);
+}
+string16 PolicyBase::GetAlternateDesktop() const {
+// No alternate desktop or winstation. Return an empty string.
+if (!use_alternate_desktop_ && !use_alternate_winstation_) {
+return string16();
+}
+// The desktop and winstation should have been created by now.
+// If we hit this scenario, it means that the user ignored the failure
+// during SetAlternateDesktop, so we ignore it here too.
+if (use_alternate_desktop_ && !alternate_desktop_handle_) {
+return string16();
+}
+if (use_alternate_winstation_ && (!alternate_desktop_handle_ ||
+!alternate_winstation_handle_)) {
+return string16();
+}
+return GetFullDesktopName(alternate_winstation_handle_,
+alternate_desktop_handle_);
+}
+ResultCode PolicyBase::CreateAlternateDesktop(bool alternate_winstation) {
+if (alternate_winstation) {
+// Previously called with alternate_winstation = false?
+if (!alternate_winstation_handle_ && alternate_desktop_handle_)
+return SBOX_ERROR_UNSUPPORTED;
+// Check if it's already created.
+if (alternate_winstation_handle_ && alternate_desktop_handle_)
+return SBOX_ALL_OK;
+DCHECK(!alternate_winstation_handle_);
+// Create the window station.
+ResultCode result = CreateAltWindowStation(&alternate_winstation_handle_);
+if (SBOX_ALL_OK != result)
+return result;
+// Verify that everything is fine.
+if (!alternate_winstation_handle_ ||
+GetWindowObjectName(alternate_winstation_handle_).empty())
+return SBOX_ERROR_CANNOT_CREATE_DESKTOP;
+// Create the destkop.
+result = CreateAltDesktop(alternate_winstation_handle_,
+&alternate_desktop_handle_);
+if (SBOX_ALL_OK != result)
+return result;
+// Verify that everything is fine.
+if (!alternate_desktop_handle_ ||
+GetWindowObjectName(alternate_desktop_handle_).empty())
+return SBOX_ERROR_CANNOT_CREATE_DESKTOP;
+} else {
+// Previously called with alternate_winstation = true?
+if (alternate_winstation_handle_)
+return SBOX_ERROR_UNSUPPORTED;
+// Check if it already exists.
+if (alternate_desktop_handle_)
+return SBOX_ALL_OK;
+// Create the destkop.
+ResultCode result = CreateAltDesktop(NULL, &alternate_desktop_handle_);
+if (SBOX_ALL_OK != result)
+return result;
+// Verify that everything is fine.
+if (!alternate_desktop_handle_ ||
+GetWindowObjectName(alternate_desktop_handle_).empty())
+return SBOX_ERROR_CANNOT_CREATE_DESKTOP;
+}
+return SBOX_ALL_OK;
+}
+void PolicyBase::DestroyAlternateDesktop() {
+if (alternate_desktop_handle_) {
+::CloseDesktop(alternate_desktop_handle_);
+alternate_desktop_handle_ = NULL;
+}
+if (alternate_winstation_handle_) {
+::CloseWindowStation(alternate_winstation_handle_);
+alternate_winstation_handle_ = NULL;
+}
+}
+ResultCode PolicyBase::SetIntegrityLevel(IntegrityLevel integrity_level) {
+integrity_level_ = integrity_level;
+return SBOX_ALL_OK;
+}
+ResultCode PolicyBase::SetDelayedIntegrityLevel(
+IntegrityLevel integrity_level) {
+delayed_integrity_level_ = integrity_level;
+return SBOX_ALL_OK;
+}
+ResultCode PolicyBase::SetAppContainer(const wchar_t* sid) {
+if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
+return SBOX_ALL_OK;
+// Windows refuses to work with an impersonation token for a process inside
+// an AppContainer. If the caller wants to use a more privileged initial
+// token, or if the lockdown level will prevent the process from starting,
+// we have to fail the operation.
+if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_)
+return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
+DCHECK(!appcontainer_list_.get());
+appcontainer_list_.reset(new AppContainerAttributes);
+ResultCode rv = appcontainer_list_->SetAppContainer(sid, capabilities_);
+if (rv != SBOX_ALL_OK)
+return rv;
+return SBOX_ALL_OK;
+}
+ResultCode PolicyBase::SetCapability(const wchar_t* sid) {
+capabilities_.push_back(sid);
+return SBOX_ALL_OK;
+}
+ResultCode PolicyBase::SetProcessMitigations(
+MitigationFlags flags) {
+if (!CanSetProcessMitigationsPreStartup(flags))
+return SBOX_ERROR_BAD_PARAMS;
+mitigations_ = flags;
+return SBOX_ALL_OK;
+}
+MitigationFlags PolicyBase::GetProcessMitigations() {
+return mitigations_;
+}
+ResultCode PolicyBase::SetDelayedProcessMitigations(
+MitigationFlags flags) {
+if (!CanSetProcessMitigationsPostStartup(flags))
+return SBOX_ERROR_BAD_PARAMS;
+delayed_mitigations_ = flags;
+return SBOX_ALL_OK;
+}
+MitigationFlags PolicyBase::GetDelayedProcessMitigations() {
+return delayed_mitigations_;
+}
+void PolicyBase::SetStrictInterceptions() {
+relaxed_interceptions_ = false;
+}
+ResultCode PolicyBase::SetStdoutHandle(HANDLE handle) {
+if (!IsInheritableHandle(handle))
+return SBOX_ERROR_BAD_PARAMS;
+stdout_handle_ = handle;
+return SBOX_ALL_OK;
+}
+ResultCode PolicyBase::SetStderrHandle(HANDLE handle) {
+if (!IsInheritableHandle(handle))
+return SBOX_ERROR_BAD_PARAMS;
+stderr_handle_ = handle;
+return SBOX_ALL_OK;
+}
+ResultCode PolicyBase::AddRule(SubSystem subsystem, Semantics semantics,
+const wchar_t* pattern) {
+if (NULL == policy_) {
+policy_ = MakeBrokerPolicyMemory();
+DCHECK(policy_);
+policy_maker_ = new LowLevelPolicy(policy_);
+DCHECK(policy_maker_);
+}
+switch (subsystem) {
+case SUBSYS_FILES: {
+if (!file_system_init_) {
+if (!FileSystemPolicy::SetInitialRules(policy_maker_))
+return SBOX_ERROR_BAD_PARAMS;
+file_system_init_ = true;
+}
+if (!FileSystemPolicy::GenerateRules(pattern, semantics, policy_maker_)) {
+NOTREACHED();
+return SBOX_ERROR_BAD_PARAMS;
+}
+break;
+}
+case SUBSYS_SYNC: {
+if (!SyncPolicy::GenerateRules(pattern, semantics, policy_maker_)) {
+NOTREACHED();
+return SBOX_ERROR_BAD_PARAMS;
+}
+break;
+}
+case SUBSYS_PROCESS: {
+if (lockdown_level_  < USER_INTERACTIVE &&
+TargetPolicy::PROCESS_ALL_EXEC == semantics) {
+// This is unsupported. This is a huge security risk to give full access
+// to a process handle.
+return SBOX_ERROR_UNSUPPORTED;
+}
+if (!ProcessPolicy::GenerateRules(pattern, semantics, policy_maker_)) {
+NOTREACHED();
+return SBOX_ERROR_BAD_PARAMS;
+}
+break;
+}
+case SUBSYS_NAMED_PIPES: {
+if (!NamedPipePolicy::GenerateRules(pattern, semantics, policy_maker_)) {
+NOTREACHED();
+return SBOX_ERROR_BAD_PARAMS;
+}
+break;
+}
+case SUBSYS_REGISTRY: {
+if (!RegistryPolicy::GenerateRules(pattern, semantics, policy_maker_)) {
+NOTREACHED();
+return SBOX_ERROR_BAD_PARAMS;
+}
+break;
+}
+case SUBSYS_HANDLES: {
+if (!HandlePolicy::GenerateRules(pattern, semantics, policy_maker_)) {
+NOTREACHED();
+return SBOX_ERROR_BAD_PARAMS;
+}
+break;
+}
+default: {
+return SBOX_ERROR_UNSUPPORTED;
+}
+}
+return SBOX_ALL_OK;
+}
+ResultCode PolicyBase::AddDllToUnload(const wchar_t* dll_name) {
+blacklisted_dlls_.push_back(dll_name);
+return SBOX_ALL_OK;
+}
+ResultCode PolicyBase::AddKernelObjectToClose(const char16* handle_type,
+const char16* handle_name) {
+return handle_closer_.AddHandle(handle_type, handle_name);
+}
+// When an IPC is ready in any of the targets we get called. We manage an array
+// of IPC dispatchers which are keyed on the IPC tag so we normally delegate
+// to the appropriate dispatcher unless we can handle the IPC call ourselves.
+Dispatcher* PolicyBase::OnMessageReady(IPCParams* ipc,
+CallbackGeneric* callback) {
+DCHECK(callback);
+static const IPCParams ping1 = {IPC_PING1_TAG, ULONG_TYPE};
+static const IPCParams ping2 = {IPC_PING2_TAG, INOUTPTR_TYPE};
+if (ping1.Matches(ipc) || ping2.Matches(ipc)) {
+*callback = reinterpret_cast<CallbackGeneric>(
+static_cast<Callback1>(&PolicyBase::Ping));
+return this;
+}
+Dispatcher* dispatch = GetDispatcher(ipc->ipc_tag);
+if (!dispatch) {
+NOTREACHED();
+return NULL;
+}
+return dispatch->OnMessageReady(ipc, callback);
+}
+// Delegate to the appropriate dispatcher.
+bool PolicyBase::SetupService(InterceptionManager* manager, int service) {
+if (IPC_PING1_TAG == service || IPC_PING2_TAG == service)
+return true;
+Dispatcher* dispatch = GetDispatcher(service);
+if (!dispatch) {
+NOTREACHED();
+return false;
+}
+return dispatch->SetupService(manager, service);
+}
+ResultCode PolicyBase::MakeJobObject(HANDLE* job) {
+if (job_level_ != JOB_NONE) {
+// Create the windows job object.
+Job job_obj;
+DWORD result = job_obj.Init(job_level_, NULL, ui_exceptions_);
+if (ERROR_SUCCESS != result) {
+return SBOX_ERROR_GENERIC;
+}
+*job = job_obj.Detach();
+} else {
+*job = NULL;
+}
+return SBOX_ALL_OK;
+}
+ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) {
+// Create the 'naked' token. This will be the permanent token associated
+// with the process and therefore with any thread that is not impersonating.
+DWORD result = CreateRestrictedToken(lockdown, lockdown_level_,
+integrity_level_, PRIMARY);
+if (ERROR_SUCCESS != result) {
+return SBOX_ERROR_GENERIC;
+}
+if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) {
+// Windows refuses to work with an impersonation token. See SetAppContainer
+// implementation for more details.
+if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_)
+return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
+*initial = INVALID_HANDLE_VALUE;
+return SBOX_ALL_OK;
+}
+// Create the 'better' token. We use this token as the one that the main
+// thread uses when booting up the process. It should contain most of
+// what we need (before reaching main( ))
+result = CreateRestrictedToken(initial, initial_level_,
+integrity_level_, IMPERSONATION);
+if (ERROR_SUCCESS != result) {
+::CloseHandle(*lockdown);
+return SBOX_ERROR_GENERIC;
+}
+return SBOX_ALL_OK;
+}
+const AppContainerAttributes* PolicyBase::GetAppContainer() {
+if (!appcontainer_list_.get() || !appcontainer_list_->HasAppContainer())
+return NULL;
+return appcontainer_list_.get();
+}
+bool PolicyBase::AddTarget(TargetProcess* target) {
+if (NULL != policy_)
+policy_maker_->Done();
+if (!ApplyProcessMitigationsToSuspendedProcess(target->Process(),
+mitigations_)) {
+return false;
+}
+if (!SetupAllInterceptions(target))
+return false;
+if (!SetupHandleCloser(target))
+return false;
+// Initialize the sandbox infrastructure for the target.
+if (ERROR_SUCCESS != target->Init(this, policy_, kIPCMemSize, kPolMemSize))
+return false;
+g_shared_delayed_integrity_level = delayed_integrity_level_;
+ResultCode ret = target->TransferVariable(
+"g_shared_delayed_integrity_level",
+&g_shared_delayed_integrity_level,
+sizeof(g_shared_delayed_integrity_level));
+g_shared_delayed_integrity_level = INTEGRITY_LEVEL_LAST;
+if (SBOX_ALL_OK != ret)
+return false;
+// Add in delayed mitigations and pseudo-mitigations enforced at startup.
+g_shared_delayed_mitigations = delayed_mitigations_ |
+FilterPostStartupProcessMitigations(mitigations_);
+if (!CanSetProcessMitigationsPostStartup(g_shared_delayed_mitigations))
+return false;
+ret = target->TransferVariable("g_shared_delayed_mitigations",
+&g_shared_delayed_mitigations,
+sizeof(g_shared_delayed_mitigations));
+g_shared_delayed_mitigations = 0;
+if (SBOX_ALL_OK != ret)
+return false;
+AutoLock lock(&lock_);
+targets_.push_back(target);
+return true;
+}
+bool PolicyBase::OnJobEmpty(HANDLE job) {
+AutoLock lock(&lock_);
+TargetSet::iterator it;
+for (it = targets_.begin(); it != targets_.end(); ++it) {
+if ((*it)->Job() == job)
+break;
+}
+if (it == targets_.end()) {
+return false;
+}
+TargetProcess* target = *it;
+targets_.erase(it);
+delete target;
+return true;
+}
+EvalResult PolicyBase::EvalPolicy(int service,
+CountedParameterSetBase* params) {
+if (NULL != policy_) {
+if (NULL == policy_->entry[service]) {
+// There is no policy for this particular service. This is not a big
+// deal.
+return DENY_ACCESS;
+}
+for (int i = 0; i < params->count; i++) {
+if (!params->parameters[i].IsValid()) {
+NOTREACHED();
+return SIGNAL_ALARM;
+}
+}
+PolicyProcessor pol_evaluator(policy_->entry[service]);
+PolicyResult result =  pol_evaluator.Evaluate(kShortEval,
+params->parameters,
+params->count);
+if (POLICY_MATCH == result) {
+return pol_evaluator.GetAction();
+}
+DCHECK(POLICY_ERROR != result);
+}
+return DENY_ACCESS;
+}
+HANDLE PolicyBase::GetStdoutHandle() {
+return stdout_handle_;
+}
+HANDLE PolicyBase::GetStderrHandle() {
+return stderr_handle_;
+}
+// We service IPC_PING_TAG message which is a way to test a round trip of the
+// IPC subsystem. We receive a integer cookie and we are expected to return the
+// cookie times two (or three) and the current tick count.
+bool PolicyBase::Ping(IPCInfo* ipc, void* arg1) {
+switch (ipc->ipc_tag) {
+case IPC_PING1_TAG: {
+IPCInt ipc_int(arg1);
+uint32 cookie = ipc_int.As32Bit();
+ipc->return_info.extended_count = 2;
+ipc->return_info.extended[0].unsigned_int = ::GetTickCount();
+ipc->return_info.extended[1].unsigned_int = 2 * cookie;
+return true;
+}
+case IPC_PING2_TAG: {
+CountedBuffer* io_buffer = reinterpret_cast<CountedBuffer*>(arg1);
+if (sizeof(uint32) != io_buffer->Size())
+return false;
+uint32* cookie = reinterpret_cast<uint32*>(io_buffer->Buffer());
+*cookie = (*cookie) * 3;
+return true;
+}
+default: return false;
+}
+}
+Dispatcher* PolicyBase::GetDispatcher(int ipc_tag) {
+if (ipc_tag >= IPC_LAST_TAG || ipc_tag <= IPC_UNUSED_TAG)
+return NULL;
+return ipc_targets_[ipc_tag];
+}
+bool PolicyBase::SetupAllInterceptions(TargetProcess* target) {
+InterceptionManager manager(target, relaxed_interceptions_);
+if (policy_) {
+for (int i = 0; i < IPC_LAST_TAG; i++) {
+if (policy_->entry[i] && !ipc_targets_[i]->SetupService(&manager, i))
+return false;
+}
+}
+if (!blacklisted_dlls_.empty()) {
+std::vector<string16>::iterator it = blacklisted_dlls_.begin();
+for (; it != blacklisted_dlls_.end(); ++it) {
+manager.AddToUnloadModules(it->c_str());
+}
+}
+if (!handle_closer_.SetupHandleInterceptions(&manager))
+return false;
+if (!SetupBasicInterceptions(&manager))
+return false;
+if (!manager.InitializeInterceptions())
+return false;
+// Finally, setup imports on the target so the interceptions can work.
+return SetupNtdllImports(target);
+}
+bool PolicyBase::SetupHandleCloser(TargetProcess* target) {
+return handle_closer_.InitializeTargetHandles(target);
+}
+}  // namespace sandbox

The Tor Browser / file comparison

comparison: security/sandbox/win/src/sandbox_policy_base.cc

security/sandbox/win/src/sandbox_policy_base.cc