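--- /dev/null
+++ b/security/sandbox/win/src/target_services.cc
@@ -0,0 +1,194 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/win/src/target_services.h"
+
+#include <process.h>
+
+#include "base/basictypes.h"
+#include "sandbox/win/src/crosscall_client.h"
+#include "sandbox/win/src/handle_closer_agent.h"
+#include "sandbox/win/src/handle_interception.h"
+#include "sandbox/win/src/ipc_tags.h"
+#include "sandbox/win/src/process_mitigations.h"
+#include "sandbox/win/src/restricted_token_utils.h"
+#include "sandbox/win/src/sandbox.h"
+#include "sandbox/win/src/sandbox_types.h"
+#include "sandbox/win/src/sharedmem_ipc_client.h"
+#include "sandbox/win/src/sandbox_nt_util.h"
+
+namespace {
+
+// Flushing a cached key is triggered by just opening the key and closing the
+// resulting handle. RegDisablePredefinedCache() is the documented way to flush
+// HKCU so do not use it with this function.
+bool FlushRegKey(HKEY root) {
+  HKEY key;
+  if (ERROR_SUCCESS == ::RegOpenKeyExW(root, NULL, 0, MAXIMUM_ALLOWED, &key)) {
+    if (ERROR_SUCCESS != ::RegCloseKey(key))
+      return false;
+  }
+  return true;
+}
+
+// This function forces advapi32.dll to release some internally cached handles
+// that were made during calls to RegOpenkey and RegOpenKeyEx if it is called
+// with a more restrictive token. Returns true if the flushing is succesful
+// although this behavior is undocumented and there is no guarantee that in
+// fact this will happen in future versions of windows.
+bool FlushCachedRegHandles() {
+  return (FlushRegKey(HKEY_LOCAL_MACHINE) &&
+          FlushRegKey(HKEY_CLASSES_ROOT) &&
+          FlushRegKey(HKEY_USERS));
+}
+
+// Checks if we have handle entries pending and runs the closer.
+bool CloseOpenHandles() {
+  if (sandbox::HandleCloserAgent::NeedsHandlesClosed()) {
+    sandbox::HandleCloserAgent handle_closer;
+
+    handle_closer.InitializeHandlesToClose();
+    if (!handle_closer.CloseHandles())
+      return false;
+  }
+
+  return true;
+}
+
+}  // namespace
+
+namespace sandbox {
+
+SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level =
+    INTEGRITY_LEVEL_LAST;
+SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations = 0;
+
+TargetServicesBase::TargetServicesBase() {
+}
+
+ResultCode TargetServicesBase::Init() {
+  process_state_.SetInitCalled();
+  return SBOX_ALL_OK;
+}
+
+// Failure here is a breach of security so the process is terminated.
+void TargetServicesBase::LowerToken() {
+  if (ERROR_SUCCESS !=
+      SetProcessIntegrityLevel(g_shared_delayed_integrity_level))
+    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_INTEGRITY);
+  process_state_.SetRevertedToSelf();
+  // If the client code as called RegOpenKey, advapi32.dll has cached some
+  // handles. The following code gets rid of them.
+  if (!::RevertToSelf())
+    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_DROPTOKEN);
+  if (!FlushCachedRegHandles())
+    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_FLUSHANDLES);
+  if (ERROR_SUCCESS != ::RegDisablePredefinedCache())
+    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CACHEDISABLE);
+  if (!CloseOpenHandles())
+    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CLOSEHANDLES);
+  // Enabling mitigations must happen last otherwise handle closing breaks
+  if (g_shared_delayed_mitigations &&
+      !ApplyProcessMitigationsToCurrentProcess(g_shared_delayed_mitigations))
+    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_MITIGATION);
+}
+
+ProcessState* TargetServicesBase::GetState() {
+  return &process_state_;
+}
+
+TargetServicesBase* TargetServicesBase::GetInstance() {
+  static TargetServicesBase instance;
+  return &instance;
+}
+
+// The broker services a 'test' IPC service with the IPC_PING_TAG tag.
+bool TargetServicesBase::TestIPCPing(int version) {
+  void* memory = GetGlobalIPCMemory();
+  if (NULL == memory) {
+    return false;
+  }
+  SharedMemIPCClient ipc(memory);
+  CrossCallReturn answer = {0};
+
+  if (1 == version) {
+    uint32 tick1 = ::GetTickCount();
+    uint32 cookie = 717115;
+    ResultCode code = CrossCall(ipc, IPC_PING1_TAG, cookie, &answer);
+
+    if (SBOX_ALL_OK != code) {
+      return false;
+    }
+    // We should get two extended returns values from the IPC, one is the
+    // tick count on the broker and the other is the cookie times two.
+    if ((answer.extended_count != 2)) {
+      return false;
+    }
+    // We test the first extended answer to be within the bounds of the tick
+    // count only if there was no tick count wraparound.
+    uint32 tick2 = ::GetTickCount();
+    if (tick2 >= tick1) {
+      if ((answer.extended[0].unsigned_int < tick1) ||
+          (answer.extended[0].unsigned_int > tick2)) {
+        return false;
+      }
+    }
+
+    if (answer.extended[1].unsigned_int != cookie * 2) {
+      return false;
+    }
+  } else if (2 == version) {
+    uint32 cookie = 717111;
+    InOutCountedBuffer counted_buffer(&cookie, sizeof(cookie));
+    ResultCode code = CrossCall(ipc, IPC_PING2_TAG, counted_buffer, &answer);
+
+    if (SBOX_ALL_OK != code) {
+      return false;
+    }
+    if (cookie != 717111 * 3) {
+      return false;
+    }
+  } else {
+    return false;
+  }
+  return true;
+}
+
+bool ProcessState::IsKernel32Loaded() {
+  return process_state_ != 0;
+}
+
+bool ProcessState::InitCalled() {
+  return process_state_ > 1;
+}
+
+bool ProcessState::RevertedToSelf() {
+  return process_state_ > 2;
+}
+
+void ProcessState::SetKernel32Loaded() {
+  if (!process_state_)
+    process_state_ = 1;
+}
+
+void ProcessState::SetInitCalled() {
+  if (process_state_ < 2)
+    process_state_ = 2;
+}
+
+void ProcessState::SetRevertedToSelf() {
+  if (process_state_ < 3)
+    process_state_ = 3;
+}
+
+ResultCode TargetServicesBase::DuplicateHandle(HANDLE source_handle,
+                                               DWORD target_process_id,
+                                               HANDLE* target_handle,
+                                               DWORD desired_access,
+                                               DWORD options) {
+  return sandbox::DuplicateHandleProxy(source_handle, target_process_id,
+                                       target_handle, desired_access, options);
+}
+
+}  // namespace sandbox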
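Review bot: In TargetServicesBase::LowerToken the state flag is set by `process_state_.SetRevertedToSelf();` before `::RevertToSelf()` is actually called, so the process records itself as having dropped the impersonation token while that step has not yet run; moving that line to directly after the `if (!::RevertToSelf()) ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_DROPTOKEN);` check keeps the flag truthful. Every failure branch in this function relies on ::TerminateProcess not returning; should that call ever fail, execution falls through into the next lowering step on a process that is only partially restricted, so an explicit `return;` (or an unconditional abort) after each ::TerminateProcess would make the fail-closed intent visible in the code rather than implied by the API. The FlushCachedRegHandles comment above it also misspells "succesful", and the LowerToken comment reads "as called" where "has called" is meant.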