michael@0: // Copyright (c) 2012 The Chromium Authors. All rights reserved. michael@0: // Use of this source code is governed by a BSD-style license that can be michael@0: // found in the LICENSE file. michael@0: michael@0: #include "sandbox/win/src/restricted_token.h" michael@0: michael@0: #include michael@0: michael@0: #include "base/logging.h" michael@0: #include "sandbox/win/src/acl.h" michael@0: #include "sandbox/win/src/win_utils.h" michael@0: michael@0: michael@0: namespace sandbox { michael@0: michael@0: unsigned RestrictedToken::Init(const HANDLE effective_token) { michael@0: DCHECK(!init_); michael@0: if (init_) michael@0: return ERROR_ALREADY_INITIALIZED; michael@0: michael@0: if (effective_token) { michael@0: // We duplicate the handle to be able to use it even if the original handle michael@0: // is closed. michael@0: HANDLE effective_token_dup; michael@0: if (::DuplicateHandle(::GetCurrentProcess(), michael@0: effective_token, michael@0: ::GetCurrentProcess(), michael@0: &effective_token_dup, michael@0: 0, michael@0: FALSE, michael@0: DUPLICATE_SAME_ACCESS)) { michael@0: effective_token_ = effective_token_dup; michael@0: } else { michael@0: return ::GetLastError(); michael@0: } michael@0: } else { michael@0: if (!::OpenProcessToken(::GetCurrentProcess(), michael@0: TOKEN_ALL_ACCESS, michael@0: &effective_token_)) michael@0: return ::GetLastError(); michael@0: } michael@0: michael@0: init_ = true; michael@0: return ERROR_SUCCESS; michael@0: } michael@0: michael@0: unsigned RestrictedToken::GetRestrictedTokenHandle(HANDLE *token_handle) const { michael@0: DCHECK(init_); michael@0: if (!init_) michael@0: return ERROR_NO_TOKEN; michael@0: michael@0: size_t deny_size = sids_for_deny_only_.size(); michael@0: size_t restrict_size = sids_to_restrict_.size(); michael@0: size_t privileges_size = privileges_to_disable_.size(); michael@0: michael@0: SID_AND_ATTRIBUTES *deny_only_array = NULL; michael@0: if (deny_size) { michael@0: deny_only_array = new SID_AND_ATTRIBUTES[deny_size]; michael@0: michael@0: for (unsigned int i = 0; i < sids_for_deny_only_.size() ; ++i) { michael@0: deny_only_array[i].Attributes = SE_GROUP_USE_FOR_DENY_ONLY; michael@0: deny_only_array[i].Sid = michael@0: const_cast(sids_for_deny_only_[i].GetPSID()); michael@0: } michael@0: } michael@0: michael@0: SID_AND_ATTRIBUTES *sids_to_restrict_array = NULL; michael@0: if (restrict_size) { michael@0: sids_to_restrict_array = new SID_AND_ATTRIBUTES[restrict_size]; michael@0: michael@0: for (unsigned int i = 0; i < restrict_size; ++i) { michael@0: sids_to_restrict_array[i].Attributes = 0; michael@0: sids_to_restrict_array[i].Sid = michael@0: const_cast(sids_to_restrict_[i].GetPSID()); michael@0: } michael@0: } michael@0: michael@0: LUID_AND_ATTRIBUTES *privileges_to_disable_array = NULL; michael@0: if (privileges_size) { michael@0: privileges_to_disable_array = new LUID_AND_ATTRIBUTES[privileges_size]; michael@0: michael@0: for (unsigned int i = 0; i < privileges_size; ++i) { michael@0: privileges_to_disable_array[i].Attributes = 0; michael@0: privileges_to_disable_array[i].Luid = privileges_to_disable_[i]; michael@0: } michael@0: } michael@0: michael@0: BOOL result = TRUE; michael@0: HANDLE new_token = NULL; michael@0: // The SANDBOX_INERT flag did nothing in XP and it was just a way to tell michael@0: // if a token has ben restricted given the limiations of IsTokenRestricted() michael@0: // but it appears that in Windows 7 it hints the AppLocker subsystem to michael@0: // leave us alone. michael@0: if (deny_size || restrict_size || privileges_size) { michael@0: result = ::CreateRestrictedToken(effective_token_, michael@0: SANDBOX_INERT, michael@0: static_cast(deny_size), michael@0: deny_only_array, michael@0: static_cast(privileges_size), michael@0: privileges_to_disable_array, michael@0: static_cast(restrict_size), michael@0: sids_to_restrict_array, michael@0: &new_token); michael@0: } else { michael@0: // Duplicate the token even if it's not modified at this point michael@0: // because any subsequent changes to this token would also affect the michael@0: // current process. michael@0: result = ::DuplicateTokenEx(effective_token_, TOKEN_ALL_ACCESS, NULL, michael@0: SecurityIdentification, TokenPrimary, michael@0: &new_token); michael@0: } michael@0: michael@0: if (deny_only_array) michael@0: delete[] deny_only_array; michael@0: michael@0: if (sids_to_restrict_array) michael@0: delete[] sids_to_restrict_array; michael@0: michael@0: if (privileges_to_disable_array) michael@0: delete[] privileges_to_disable_array; michael@0: michael@0: if (!result) michael@0: return ::GetLastError(); michael@0: michael@0: // Modify the default dacl on the token to contain Restricted and the user. michael@0: if (!AddSidToDefaultDacl(new_token, WinRestrictedCodeSid, GENERIC_ALL)) michael@0: return ::GetLastError(); michael@0: michael@0: if (!AddUserSidToDefaultDacl(new_token, GENERIC_ALL)) michael@0: return ::GetLastError(); michael@0: michael@0: DWORD error = SetTokenIntegrityLevel(new_token, integrity_level_); michael@0: if (ERROR_SUCCESS != error) michael@0: return error; michael@0: michael@0: BOOL status = ::DuplicateHandle(::GetCurrentProcess(), michael@0: new_token, michael@0: ::GetCurrentProcess(), michael@0: token_handle, michael@0: TOKEN_ALL_ACCESS, michael@0: FALSE, // Don't inherit. michael@0: 0); michael@0: michael@0: if (new_token != effective_token_) michael@0: ::CloseHandle(new_token); michael@0: michael@0: if (!status) michael@0: return ::GetLastError(); michael@0: michael@0: return ERROR_SUCCESS; michael@0: } michael@0: michael@0: unsigned RestrictedToken::GetRestrictedTokenHandleForImpersonation( michael@0: HANDLE *token_handle) const { michael@0: DCHECK(init_); michael@0: if (!init_) michael@0: return ERROR_NO_TOKEN; michael@0: michael@0: HANDLE restricted_token_handle; michael@0: unsigned err_code = GetRestrictedTokenHandle(&restricted_token_handle); michael@0: if (ERROR_SUCCESS != err_code) michael@0: return err_code; michael@0: michael@0: HANDLE impersonation_token; michael@0: if (!::DuplicateToken(restricted_token_handle, michael@0: SecurityImpersonation, michael@0: &impersonation_token)) { michael@0: ::CloseHandle(restricted_token_handle); michael@0: return ::GetLastError(); michael@0: } michael@0: michael@0: ::CloseHandle(restricted_token_handle); michael@0: michael@0: BOOL status = ::DuplicateHandle(::GetCurrentProcess(), michael@0: impersonation_token, michael@0: ::GetCurrentProcess(), michael@0: token_handle, michael@0: TOKEN_ALL_ACCESS, michael@0: FALSE, // Don't inherit. michael@0: 0); michael@0: michael@0: ::CloseHandle(impersonation_token); michael@0: michael@0: if (!status) michael@0: return ::GetLastError(); michael@0: michael@0: return ERROR_SUCCESS; michael@0: } michael@0: michael@0: unsigned RestrictedToken::AddAllSidsForDenyOnly(std::vector *exceptions) { michael@0: DCHECK(init_); michael@0: if (!init_) michael@0: return ERROR_NO_TOKEN; michael@0: michael@0: TOKEN_GROUPS *token_groups = NULL; michael@0: DWORD size = 0; michael@0: michael@0: BOOL result = ::GetTokenInformation(effective_token_, michael@0: TokenGroups, michael@0: NULL, // No buffer. michael@0: 0, // Size is 0. michael@0: &size); michael@0: if (!size) michael@0: return ::GetLastError(); michael@0: michael@0: token_groups = reinterpret_cast(new BYTE[size]); michael@0: result = ::GetTokenInformation(effective_token_, michael@0: TokenGroups, michael@0: token_groups, michael@0: size, michael@0: &size); michael@0: if (!result) { michael@0: delete[] reinterpret_cast(token_groups); michael@0: return ::GetLastError(); michael@0: } michael@0: michael@0: // Build the list of the deny only group SIDs michael@0: for (unsigned int i = 0; i < token_groups->GroupCount ; ++i) { michael@0: if ((token_groups->Groups[i].Attributes & SE_GROUP_INTEGRITY) == 0 && michael@0: (token_groups->Groups[i].Attributes & SE_GROUP_LOGON_ID) == 0) { michael@0: bool should_ignore = false; michael@0: if (exceptions) { michael@0: for (unsigned int j = 0; j < exceptions->size(); ++j) { michael@0: if (::EqualSid(const_cast((*exceptions)[j].GetPSID()), michael@0: token_groups->Groups[i].Sid)) { michael@0: should_ignore = true; michael@0: break; michael@0: } michael@0: } michael@0: } michael@0: if (!should_ignore) { michael@0: sids_for_deny_only_.push_back( michael@0: reinterpret_cast(token_groups->Groups[i].Sid)); michael@0: } michael@0: } michael@0: } michael@0: michael@0: delete[] reinterpret_cast(token_groups); michael@0: michael@0: return ERROR_SUCCESS; michael@0: } michael@0: michael@0: unsigned RestrictedToken::AddSidForDenyOnly(const Sid &sid) { michael@0: DCHECK(init_); michael@0: if (!init_) michael@0: return ERROR_NO_TOKEN; michael@0: michael@0: sids_for_deny_only_.push_back(sid); michael@0: return ERROR_SUCCESS; michael@0: } michael@0: michael@0: unsigned RestrictedToken::AddUserSidForDenyOnly() { michael@0: DCHECK(init_); michael@0: if (!init_) michael@0: return ERROR_NO_TOKEN; michael@0: michael@0: DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE; michael@0: TOKEN_USER* token_user = reinterpret_cast(new BYTE[size]); michael@0: michael@0: BOOL result = ::GetTokenInformation(effective_token_, michael@0: TokenUser, michael@0: token_user, michael@0: size, michael@0: &size); michael@0: michael@0: if (!result) { michael@0: delete[] reinterpret_cast(token_user); michael@0: return ::GetLastError(); michael@0: } michael@0: michael@0: Sid user = reinterpret_cast(token_user->User.Sid); michael@0: sids_for_deny_only_.push_back(user); michael@0: michael@0: delete[] reinterpret_cast(token_user); michael@0: michael@0: return ERROR_SUCCESS; michael@0: } michael@0: michael@0: unsigned RestrictedToken::DeleteAllPrivileges( michael@0: const std::vector *exceptions) { michael@0: DCHECK(init_); michael@0: if (!init_) michael@0: return ERROR_NO_TOKEN; michael@0: michael@0: // Get the list of privileges in the token michael@0: TOKEN_PRIVILEGES *token_privileges = NULL; michael@0: DWORD size = 0; michael@0: michael@0: BOOL result = ::GetTokenInformation(effective_token_, michael@0: TokenPrivileges, michael@0: NULL, // No buffer. michael@0: 0, // Size is 0. michael@0: &size); michael@0: if (!size) michael@0: return ::GetLastError(); michael@0: michael@0: token_privileges = reinterpret_cast(new BYTE[size]); michael@0: result = ::GetTokenInformation(effective_token_, michael@0: TokenPrivileges, michael@0: token_privileges, michael@0: size, michael@0: &size); michael@0: if (!result) { michael@0: delete[] reinterpret_cast(token_privileges); michael@0: return ::GetLastError(); michael@0: } michael@0: michael@0: michael@0: // Build the list of privileges to disable michael@0: for (unsigned int i = 0; i < token_privileges->PrivilegeCount; ++i) { michael@0: bool should_ignore = false; michael@0: if (exceptions) { michael@0: for (unsigned int j = 0; j < exceptions->size(); ++j) { michael@0: LUID luid = {0}; michael@0: ::LookupPrivilegeValue(NULL, (*exceptions)[j].c_str(), &luid); michael@0: if (token_privileges->Privileges[i].Luid.HighPart == luid.HighPart && michael@0: token_privileges->Privileges[i].Luid.LowPart == luid.LowPart) { michael@0: should_ignore = true; michael@0: break; michael@0: } michael@0: } michael@0: } michael@0: if (!should_ignore) { michael@0: privileges_to_disable_.push_back(token_privileges->Privileges[i].Luid); michael@0: } michael@0: } michael@0: michael@0: delete[] reinterpret_cast(token_privileges); michael@0: michael@0: return ERROR_SUCCESS; michael@0: } michael@0: michael@0: unsigned RestrictedToken::DeletePrivilege(const wchar_t *privilege) { michael@0: DCHECK(init_); michael@0: if (!init_) michael@0: return ERROR_NO_TOKEN; michael@0: michael@0: LUID luid = {0}; michael@0: if (LookupPrivilegeValue(NULL, privilege, &luid)) michael@0: privileges_to_disable_.push_back(luid); michael@0: else michael@0: return ::GetLastError(); michael@0: michael@0: return ERROR_SUCCESS; michael@0: } michael@0: michael@0: unsigned RestrictedToken::AddRestrictingSid(const Sid &sid) { michael@0: DCHECK(init_); michael@0: if (!init_) michael@0: return ERROR_NO_TOKEN; michael@0: michael@0: sids_to_restrict_.push_back(sid); // No attributes michael@0: return ERROR_SUCCESS; michael@0: } michael@0: michael@0: unsigned RestrictedToken::AddRestrictingSidLogonSession() { michael@0: DCHECK(init_); michael@0: if (!init_) michael@0: return ERROR_NO_TOKEN; michael@0: michael@0: TOKEN_GROUPS *token_groups = NULL; michael@0: DWORD size = 0; michael@0: michael@0: BOOL result = ::GetTokenInformation(effective_token_, michael@0: TokenGroups, michael@0: NULL, // No buffer. michael@0: 0, // Size is 0. michael@0: &size); michael@0: if (!size) michael@0: return ::GetLastError(); michael@0: michael@0: token_groups = reinterpret_cast(new BYTE[size]); michael@0: result = ::GetTokenInformation(effective_token_, michael@0: TokenGroups, michael@0: token_groups, michael@0: size, michael@0: &size); michael@0: if (!result) { michael@0: delete[] reinterpret_cast(token_groups); michael@0: return ::GetLastError(); michael@0: } michael@0: michael@0: SID *logon_sid = NULL; michael@0: for (unsigned int i = 0; i < token_groups->GroupCount ; ++i) { michael@0: if ((token_groups->Groups[i].Attributes & SE_GROUP_LOGON_ID) != 0) { michael@0: logon_sid = static_cast(token_groups->Groups[i].Sid); michael@0: break; michael@0: } michael@0: } michael@0: michael@0: if (logon_sid) michael@0: sids_to_restrict_.push_back(logon_sid); michael@0: michael@0: delete[] reinterpret_cast(token_groups); michael@0: michael@0: return ERROR_SUCCESS; michael@0: } michael@0: michael@0: unsigned RestrictedToken::AddRestrictingSidCurrentUser() { michael@0: DCHECK(init_); michael@0: if (!init_) michael@0: return ERROR_NO_TOKEN; michael@0: michael@0: DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE; michael@0: TOKEN_USER* token_user = reinterpret_cast(new BYTE[size]); michael@0: michael@0: BOOL result = ::GetTokenInformation(effective_token_, michael@0: TokenUser, michael@0: token_user, michael@0: size, michael@0: &size); michael@0: michael@0: if (!result) { michael@0: delete[] reinterpret_cast(token_user); michael@0: return ::GetLastError(); michael@0: } michael@0: michael@0: Sid user = reinterpret_cast(token_user->User.Sid); michael@0: sids_to_restrict_.push_back(user); michael@0: michael@0: delete[] reinterpret_cast(token_user); michael@0: michael@0: return ERROR_SUCCESS; michael@0: } michael@0: michael@0: unsigned RestrictedToken::AddRestrictingSidAllSids() { michael@0: DCHECK(init_); michael@0: if (!init_) michael@0: return ERROR_NO_TOKEN; michael@0: michael@0: // Add the current user to the list. michael@0: unsigned error = AddRestrictingSidCurrentUser(); michael@0: if (ERROR_SUCCESS != error) michael@0: return error; michael@0: michael@0: TOKEN_GROUPS *token_groups = NULL; michael@0: DWORD size = 0; michael@0: michael@0: // Get the buffer size required. michael@0: BOOL result = ::GetTokenInformation(effective_token_, TokenGroups, NULL, 0, michael@0: &size); michael@0: if (!size) michael@0: return ::GetLastError(); michael@0: michael@0: token_groups = reinterpret_cast(new BYTE[size]); michael@0: result = ::GetTokenInformation(effective_token_, michael@0: TokenGroups, michael@0: token_groups, michael@0: size, michael@0: &size); michael@0: if (!result) { michael@0: delete[] reinterpret_cast(token_groups); michael@0: return ::GetLastError(); michael@0: } michael@0: michael@0: // Build the list of restricting sids from all groups. michael@0: for (unsigned int i = 0; i < token_groups->GroupCount ; ++i) { michael@0: if ((token_groups->Groups[i].Attributes & SE_GROUP_INTEGRITY) == 0) michael@0: AddRestrictingSid(reinterpret_cast(token_groups->Groups[i].Sid)); michael@0: } michael@0: michael@0: delete[] reinterpret_cast(token_groups); michael@0: michael@0: return ERROR_SUCCESS; michael@0: } michael@0: michael@0: unsigned RestrictedToken::SetIntegrityLevel(IntegrityLevel integrity_level) { michael@0: integrity_level_ = integrity_level; michael@0: return ERROR_SUCCESS; michael@0: } michael@0: michael@0: } // namespace sandbox