Diffstat (limited to 'security/sandbox/chromium')
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/linux_syscall_ranges.h4
-rw-r--r--security/sandbox/chromium/sandbox/win/src/broker_services.cc75
-rw-r--r--security/sandbox/chromium/sandbox/win/src/broker_services.h22
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc93
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_dispatcher.h41
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_interception.cc48
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_interception.h24
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_policy.cc93
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_policy.h39
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_policy_test.cc114
-rw-r--r--security/sandbox/chromium/sandbox/win/src/ipc_tags.h1
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox.h22
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox_policy.h4
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc9
-rw-r--r--security/sandbox/chromium/sandbox/win/src/target_services.cc10
-rw-r--r--security/sandbox/chromium/sandbox/win/src/target_services.h5
-rw-r--r--security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc5
17 files changed, 17 insertions, 592 deletions
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/linux_syscall_ranges.h b/security/sandbox/chromium/sandbox/linux/bpf_dsl/linux_syscall_ranges.h
index 313511f22e..c43e73448f 100644
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/linux_syscall_ranges.h
+++ b/security/sandbox/chromium/sandbox/linux/bpf_dsl/linux_syscall_ranges.h
@@ -51,9 +51,9 @@
#elif defined(__aarch64__)
-#include <asm-generic/unistd.h>
+// The unistd.h included in the sysroot has a very old __NR_syscalls
#define MIN_SYSCALL 0u
-#define MAX_PUBLIC_SYSCALL __NR_syscalls
+#define MAX_PUBLIC_SYSCALL (MIN_SYSCALL + 1024u)
#define MAX_SYSCALL MAX_PUBLIC_SYSCALL
#else
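Review bot: The new bound `#define MAX_PUBLIC_SYSCALL (MIN_SYSCALL + 1024u)` is a bare constant whose choice is not explained; the added comment above it only says why `__NR_syscalls` was dropped. Presumably syscall numbers between the kernel's actual maximum and 1024 now go through the policy's ordinary per-syscall evaluation instead of whatever bpf_dsl does for numbers above MAX_SYSCALL, so the policy's default case must handle them, and the bound silently becomes wrong once aarch64 grows past 1024 syscalls — both worth confirming and recording next to the value. Suggest extending the comment to something like `// Fixed upper bound in place of __NR_syscalls: must stay above the newest aarch64 syscall number; numbers between the real maximum and this bound are evaluated by the policy's default case rather than as out-of-range.` The enclosing #if/#elif chain starts and ends outside the hunk.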
diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.cc b/security/sandbox/chromium/sandbox/win/src/broker_services.cc
index 0ba71bbd5d..613becf37b 100644
--- a/security/sandbox/chromium/sandbox/win/src/broker_services.cc
+++ b/security/sandbox/chromium/sandbox/win/src/broker_services.cc
@@ -159,8 +159,6 @@ ResultCode BrokerServicesBase::Init() {
if (job_port_.IsValid() || thread_pool_)
return SBOX_ERROR_UNEXPECTED_CALL;
- ::InitializeCriticalSection(&lock_);
-
job_port_.Set(::CreateIoCompletionPort(INVALID_HANDLE_VALUE, nullptr, 0, 0));
if (!job_port_.IsValid())
return SBOX_ERROR_CANNOT_INIT_BROKERSERVICES;
@@ -201,7 +199,6 @@ BrokerServicesBase::~BrokerServicesBase() {
return;
}
thread_pool_.reset();
- ::DeleteCriticalSection(&lock_);
}
scoped_refptr<TargetPolicy> BrokerServicesBase::CreatePolicy() {
@@ -294,11 +291,6 @@ DWORD WINAPI BrokerServicesBase::TargetEventsThread(PVOID param) {
case JOB_OBJECT_MSG_EXIT_PROCESS:
case JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS: {
- {
- AutoLock lock(&broker->lock_);
- broker->active_targets_.erase(
- static_cast<DWORD>(reinterpret_cast<uintptr_t>(ovl)));
- }
size_t erase_result = child_process_ids.erase(
static_cast<DWORD>(reinterpret_cast<uintptr_t>(ovl)));
if (erase_result != 1U) {
@@ -364,11 +356,6 @@ DWORD WINAPI BrokerServicesBase::TargetEventsThread(PVOID param) {
ProcessTracker* tracker =
static_cast<ProcessTracker*>(reinterpret_cast<void*>(ovl));
- {
- AutoLock lock(&broker->lock_);
- broker->active_targets_.erase(tracker->process_id);
- }
-
::UnregisterWait(tracker->wait_handle);
tracker->wait_handle = INVALID_HANDLE_VALUE;
// Copy process_id so that we can legally reference it even after we have
@@ -659,19 +646,26 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
// SpawnCleanup() caused deletion of TargetProcess twice. crbug.com/480639
CHECK(
AssociateCompletionPort(tracker->job.Get(), job_port_.Get(), tracker));
-
- AutoLock lock(&lock_);
- active_targets_.insert(process_info.process_id());
} else {
- result = AddTargetPeerInternal(process_info.process_handle(),
- process_info.process_id(),
- policy_base, last_error);
- if (result != SBOX_ALL_OK) {
+ // Duplicate the process handle to give the tracking machinery
+ // something valid to wait on in the tracking thread.
+ HANDLE tmp_process_handle = INVALID_HANDLE_VALUE;
+ if (!::DuplicateHandle(::GetCurrentProcess(), process_info.process_handle(),
+ ::GetCurrentProcess(), &tmp_process_handle,
+ SYNCHRONIZE, false, 0 /*no options*/)) {
+ *last_error = ::GetLastError();
// This may fail in the same way as Job associated processes.
// crbug.com/480639.
target->Terminate();
- return result;
+ return SBOX_ERROR_CANNOT_DUPLICATE_PROCESS_HANDLE;
}
+ base::win::ScopedHandle dup_process_handle(tmp_process_handle);
+ ProcessTracker* tracker = new ProcessTracker(
+ policy_base, process_info.process_id(), std::move(dup_process_handle));
+ // The tracker and policy will leak if this call fails.
+ ::PostQueuedCompletionStatus(job_port_.Get(), 0,
+ THREAD_CTRL_NEW_PROCESS_TRACKER,
+ reinterpret_cast<LPOVERLAPPED>(tracker));
}
*target_info = process_info.Take();
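Review bot: In the new non-job branch the return value of `::PostQueuedCompletionStatus` is ignored and the comment above it acknowledges that the tracker and policy leak on failure; inside SpawnTarget that failure also means the tracking thread never learns about the process, yet the function continues to `*target_info = process_info.Take();` and hands the caller a live target. Since `tracker` is still a raw owning pointer at this point and the branch already terminates the target when `::DuplicateHandle` fails, the post failure can be handled the same way locally. SBOX_ERROR_GENERIC below is used only as a placeholder for whichever ResultCode the project prefers for this case. SpawnTarget starts and ends outside the hunk.
```cpp
      base::win::ScopedHandle dup_process_handle(tmp_process_handle);
      ProcessTracker* tracker = new ProcessTracker(
          policy_base, process_info.process_id(), std::move(dup_process_handle));
      // Without a tracker the exit of this process is never observed, so a
      // failed post is treated as a spawn failure instead of a silent leak.
      if (!::PostQueuedCompletionStatus(job_port_.Get(), 0,
                                        THREAD_CTRL_NEW_PROCESS_TRACKER,
                                        reinterpret_cast<LPOVERLAPPED>(tracker))) {
        *last_error = ::GetLastError();
        delete tracker;
        target->Terminate();
        return SBOX_ERROR_GENERIC;  // placeholder: substitute the intended ResultCode
      }
      // … unchanged: end of else branch, *target_info = process_info.Take(); …
```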
@@ -683,45 +677,6 @@ ResultCode BrokerServicesBase::WaitForAllTargets() {
return SBOX_ALL_OK;
}
-bool BrokerServicesBase::IsSafeDuplicationTarget(DWORD process_id) {
- AutoLock lock(&lock_);
- return active_targets_.find(process_id) != active_targets_.end();
-}
-
-ResultCode BrokerServicesBase::AddTargetPeerInternal(
- HANDLE peer_process_handle,
- DWORD peer_process_id,
- scoped_refptr<PolicyBase> policy_base,
- DWORD* last_error) {
- // Duplicate the process handle to give the tracking machinery
- // something valid to wait on in the tracking thread.
- HANDLE tmp_process_handle = INVALID_HANDLE_VALUE;
- if (!::DuplicateHandle(::GetCurrentProcess(), peer_process_handle,
- ::GetCurrentProcess(), &tmp_process_handle,
- SYNCHRONIZE, false, 0 /*no options*/)) {
- *last_error = ::GetLastError();
- return SBOX_ERROR_CANNOT_DUPLICATE_PROCESS_HANDLE;
- }
- base::win::ScopedHandle dup_process_handle(tmp_process_handle);
- ProcessTracker* tracker = new ProcessTracker(
- policy_base, peer_process_id, std::move(dup_process_handle));
- // The tracker and policy will leak if this call fails.
- ::PostQueuedCompletionStatus(job_port_.Get(), 0,
- THREAD_CTRL_NEW_PROCESS_TRACKER,
- reinterpret_cast<LPOVERLAPPED>(tracker));
-
- AutoLock lock(&lock_);
- active_targets_.insert(peer_process_id);
-
- return SBOX_ALL_OK;
-}
-
-ResultCode BrokerServicesBase::AddTargetPeer(HANDLE peer_process) {
- DWORD last_error;
- return AddTargetPeerInternal(peer_process, ::GetProcessId(peer_process),
- nullptr, &last_error);
-}
-
ResultCode BrokerServicesBase::GetPolicyDiagnostics(
std::unique_ptr<PolicyDiagnosticsReceiver> receiver) {
CHECK(job_thread_.IsValid());
diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.h b/security/sandbox/chromium/sandbox/win/src/broker_services.h
index 64dc6d66e5..1d7eafdea3 100644
--- a/security/sandbox/chromium/sandbox/win/src/broker_services.h
+++ b/security/sandbox/chromium/sandbox/win/src/broker_services.h
@@ -19,7 +19,6 @@
#include "sandbox/win/src/crosscall_server.h"
#include "sandbox/win/src/job.h"
#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_policy_base.h"
#include "sandbox/win/src/sharedmem_ipc_server.h"
#include "sandbox/win/src/win2k_threadpool.h"
#include "sandbox/win/src/win_utils.h"
@@ -51,14 +50,6 @@ class BrokerServicesBase final : public BrokerServices,
DWORD* last_error,
PROCESS_INFORMATION* target) override;
ResultCode WaitForAllTargets() override;
- ResultCode AddTargetPeer(HANDLE peer_process) override;
-
- // Checks if the supplied process ID matches one of the broker's active
- // target processes. We use this method for the specific purpose of
- // checking if we can safely duplicate a handle to the supplied process
- // in DuplicateHandleProxyAction.
- bool IsSafeDuplicationTarget(DWORD process_id);
-
ResultCode GetPolicyDiagnostics(
std::unique_ptr<PolicyDiagnosticsReceiver> receiver) override;
@@ -84,19 +75,6 @@ class BrokerServicesBase final : public BrokerServices,
// Provides a pool of threads that are used to wait on the IPC calls.
std::unique_ptr<ThreadProvider> thread_pool_;
- // The set representing the broker's active target processes including
- // both sandboxed and unsandboxed peer processes.
- std::set<DWORD> active_targets_;
-
- // Lock used to protect active_targets_ from being simultaneously accessed
- // by multiple threads.
- CRITICAL_SECTION lock_;
-
- ResultCode AddTargetPeerInternal(HANDLE peer_process_handle,
- DWORD peer_process_id,
- scoped_refptr<PolicyBase> policy_base,
- DWORD* last_error);
-
DISALLOW_COPY_AND_ASSIGN(BrokerServicesBase);
};
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc
deleted file mode 100644
index 611e33d2a6..0000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc
+++ /dev/null
@@ -1,93 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/handle_dispatcher.h"
-
-#include <stdint.h>
-
-#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/handle_interception.h"
-#include "sandbox/win/src/handle_policy.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_broker.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-#include "sandbox/win/src/sandbox_types.h"
-#include "sandbox/win/src/sandbox_utils.h"
-
-namespace sandbox {
-
-HandleDispatcher::HandleDispatcher(PolicyBase* policy_base)
- : policy_base_(policy_base) {
- static const IPCCall duplicate_handle_proxy = {
- {IpcTag::DUPLICATEHANDLEPROXY,
- {VOIDPTR_TYPE, UINT32_TYPE, UINT32_TYPE, UINT32_TYPE}},
- reinterpret_cast<CallbackGeneric>(
- &HandleDispatcher::DuplicateHandleProxy)};
-
- ipc_calls_.push_back(duplicate_handle_proxy);
-}
-
-bool HandleDispatcher::SetupService(InterceptionManager* manager,
- IpcTag service) {
- // We perform no interceptions for handles right now.
- switch (service) {
- case IpcTag::DUPLICATEHANDLEPROXY:
- return true;
-
- default:
- return false;
- }
-}
-
-bool HandleDispatcher::DuplicateHandleProxy(IPCInfo* ipc,
- HANDLE source_handle,
- uint32_t target_process_id,
- uint32_t desired_access,
- uint32_t options) {
- static NtQueryObject QueryObject = NULL;
- if (!QueryObject)
- ResolveNTFunctionPtr("NtQueryObject", &QueryObject);
-
- // Get a copy of the handle for use in the broker process.
- HANDLE handle_temp;
- if (!::DuplicateHandle(ipc->client_info->process, source_handle,
- ::GetCurrentProcess(), &handle_temp,
- 0, FALSE, DUPLICATE_SAME_ACCESS | options)) {
- ipc->return_info.win32_result = ::GetLastError();
- return false;
- }
- options &= ~DUPLICATE_CLOSE_SOURCE;
- base::win::ScopedHandle handle(handle_temp);
-
- // Get the object type (32 characters is safe; current max is 14).
- BYTE buffer[sizeof(OBJECT_TYPE_INFORMATION) + 32 * sizeof(wchar_t)];
- OBJECT_TYPE_INFORMATION* type_info =
- reinterpret_cast<OBJECT_TYPE_INFORMATION*>(buffer);
- ULONG size = sizeof(buffer) - sizeof(wchar_t);
- NTSTATUS error =
- QueryObject(handle.Get(), ObjectTypeInformation, type_info, size, &size);
- if (!NT_SUCCESS(error)) {
- ipc->return_info.nt_status = error;
- return false;
- }
- type_info->Name.Buffer[type_info->Name.Length / sizeof(wchar_t)] = L'\0';
-
- CountedParameterSet<HandleTarget> params;
- params[HandleTarget::NAME] = ParamPickerMake(type_info->Name.Buffer);
- params[HandleTarget::TARGET] = ParamPickerMake(target_process_id);
-
- EvalResult eval = policy_base_->EvalPolicy(IpcTag::DUPLICATEHANDLEPROXY,
- params.GetBase());
- ipc->return_info.win32_result =
- HandlePolicy::DuplicateHandleProxyAction(eval, handle.Get(),
- target_process_id,
- &ipc->return_info.handle,
- desired_access, options);
- return true;
-}
-
-} // namespace sandbox
-
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.h b/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.h
deleted file mode 100644
index 6f9adbc10b..0000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.h
+++ /dev/null
@@ -1,41 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_HANDLE_DISPATCHER_H_
-#define SANDBOX_SRC_HANDLE_DISPATCHER_H_
-
-#include <stdint.h>
-
-#include "base/macros.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/sandbox_policy_base.h"
-
-namespace sandbox {
-
-// This class handles handle-related IPC calls.
-class HandleDispatcher : public Dispatcher {
- public:
- explicit HandleDispatcher(PolicyBase* policy_base);
- ~HandleDispatcher() override {}
-
- // Dispatcher interface.
- bool SetupService(InterceptionManager* manager, IpcTag service) override;
-
- private:
- // Processes IPC requests coming from calls to
- // TargetServices::DuplicateHandle() in the target.
- bool DuplicateHandleProxy(IPCInfo* ipc,
- HANDLE source_handle,
- uint32_t target_process_id,
- uint32_t desired_access,
- uint32_t options);
-
- PolicyBase* policy_base_;
- DISALLOW_COPY_AND_ASSIGN(HandleDispatcher);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_HANDLE_DISPATCHER_H_
-
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_interception.cc b/security/sandbox/chromium/sandbox/win/src/handle_interception.cc
deleted file mode 100644
index 53db4a8b27..0000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_interception.cc
+++ /dev/null
@@ -1,48 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/handle_interception.h"
-
-#include "sandbox/win/src/crosscall_client.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-#include "sandbox/win/src/sharedmem_ipc_client.h"
-#include "sandbox/win/src/target_services.h"
-#include "mozilla/sandboxing/sandboxLogging.h"
-
-namespace sandbox {
-
-ResultCode DuplicateHandleProxy(HANDLE source_handle,
- DWORD target_process_id,
- HANDLE* target_handle,
- DWORD desired_access,
- DWORD options) {
- *target_handle = NULL;
-
- void* memory = GetGlobalIPCMemory();
- if (NULL == memory)
- return SBOX_ERROR_NO_SPACE;
-
- SharedMemIPCClient ipc(memory);
- CrossCallReturn answer = {0};
- ResultCode code = CrossCall(ipc, IpcTag::DUPLICATEHANDLEPROXY,
- source_handle, target_process_id,
- desired_access, options, &answer);
- if (SBOX_ALL_OK != code)
- return code;
-
- if (answer.win32_result) {
- ::SetLastError(answer.win32_result);
- mozilla::sandboxing::LogBlocked("DuplicateHandle");
- return SBOX_ERROR_GENERIC;
- }
-
- *target_handle = answer.handle;
- mozilla::sandboxing::LogAllowed("DuplicateHandle");
- return SBOX_ALL_OK;
-}
-
-} // namespace sandbox
-
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_interception.h b/security/sandbox/chromium/sandbox/win/src/handle_interception.h
deleted file mode 100644
index 6f60811f17..0000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_interception.h
+++ /dev/null
@@ -1,24 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-#ifndef SANDBOX_SRC_HANDLE_INTERCEPTION_H_
-#define SANDBOX_SRC_HANDLE_INTERCEPTION_H_
-
-namespace sandbox {
-
-// TODO(jschuh) Add an interception to catch dangerous DuplicateHandle calls.
-
-ResultCode DuplicateHandleProxy(HANDLE source_handle,
- DWORD target_process_id,
- HANDLE* target_handle,
- DWORD desired_access,
- DWORD options);
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_HANDLE_INTERCEPTION_H_
-
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_policy.cc b/security/sandbox/chromium/sandbox/win/src/handle_policy.cc
deleted file mode 100644
index fa3295ae3f..0000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_policy.cc
+++ /dev/null
@@ -1,93 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/handle_policy.h"
-
-#include <string>
-
-#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/broker_services.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_engine_opcodes.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/sandbox_types.h"
-#include "sandbox/win/src/sandbox_utils.h"
-
-namespace sandbox {
-
-bool HandlePolicy::GenerateRules(const wchar_t* type_name,
- TargetPolicy::Semantics semantics,
- LowLevelPolicy* policy) {
- PolicyRule duplicate_rule(ASK_BROKER);
-
- switch (semantics) {
- case TargetPolicy::HANDLES_DUP_ANY: {
- if (!duplicate_rule.AddNumberMatch(IF_NOT, HandleTarget::TARGET,
- ::GetCurrentProcessId(), EQUAL)) {
- return false;
- }
- break;
- }
-
- case TargetPolicy::HANDLES_DUP_BROKER: {
- if (!duplicate_rule.AddNumberMatch(IF, HandleTarget::TARGET,
- ::GetCurrentProcessId(), EQUAL)) {
- return false;
- }
- break;
- }
-
- default:
- return false;
- }
- if (!duplicate_rule.AddStringMatch(IF, HandleTarget::NAME, type_name,
- CASE_INSENSITIVE)) {
- return false;
- }
- if (!policy->AddRule(IpcTag::DUPLICATEHANDLEPROXY, &duplicate_rule)) {
- return false;
- }
- return true;
-}
-
-DWORD HandlePolicy::DuplicateHandleProxyAction(EvalResult eval_result,
- HANDLE source_handle,
- DWORD target_process_id,
- HANDLE* target_handle,
- DWORD desired_access,
- DWORD options) {
- // The only action supported is ASK_BROKER which means duplicate the handle.
- if (ASK_BROKER != eval_result) {
- return ERROR_ACCESS_DENIED;
- }
-
- base::win::ScopedHandle remote_target_process;
- if (target_process_id != ::GetCurrentProcessId()) {
- // Sandboxed children are dynamic, so we check that manually.
- if (!BrokerServicesBase::GetInstance()->IsSafeDuplicationTarget(
- target_process_id)) {
- return ERROR_ACCESS_DENIED;
- }
-
- remote_target_process.Set(::OpenProcess(PROCESS_DUP_HANDLE, FALSE,
- target_process_id));
- if (!remote_target_process.IsValid())
- return ::GetLastError();
- }
-
- // If the policy didn't block us and we have no valid target, then the broker
- // (this process) is the valid target.
- HANDLE target_process = remote_target_process.IsValid() ?
- remote_target_process.Get() : ::GetCurrentProcess();
- if (!::DuplicateHandle(::GetCurrentProcess(), source_handle, target_process,
- target_handle, desired_access, FALSE,
- options)) {
- return ::GetLastError();
- }
-
- return ERROR_SUCCESS;
-}
-
-} // namespace sandbox
-
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_policy.h b/security/sandbox/chromium/sandbox/win/src/handle_policy.h
deleted file mode 100644
index 29ce5ab666..0000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_policy.h
+++ /dev/null
@@ -1,39 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_HANDLE_POLICY_H_
-#define SANDBOX_SRC_HANDLE_POLICY_H_
-
-#include <string>
-
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/policy_low_level.h"
-#include "sandbox/win/src/sandbox_policy.h"
-
-namespace sandbox {
-
-enum EvalResult;
-
-// This class centralizes most of the knowledge related to handle policy.
-class HandlePolicy {
- public:
- // Creates the required low-level policy rules to evaluate a high-level
- // policy rule for handles, in particular duplicate action.
- static bool GenerateRules(const wchar_t* type_name,
- TargetPolicy::Semantics semantics,
- LowLevelPolicy* policy);
-
- // Processes a 'TargetPolicy::DuplicateHandle()' request from the target.
- static DWORD DuplicateHandleProxyAction(EvalResult eval_result,
- HANDLE source_handle,
- DWORD target_process_id,
- HANDLE* target_handle,
- DWORD desired_access,
- DWORD options);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_HANDLE_POLICY_H_
-
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_policy_test.cc b/security/sandbox/chromium/sandbox/win/src/handle_policy_test.cc
deleted file mode 100644
index 11382da811..0000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_policy_test.cc
+++ /dev/null
@@ -1,114 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/strings/stringprintf.h"
-#include "sandbox/win/src/handle_policy.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/sandbox_policy.h"
-#include "sandbox/win/src/win_utils.h"
-#include "sandbox/win/tests/common/controller.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace sandbox {
-
-// Just waits for the supplied number of milliseconds.
-SBOX_TESTS_COMMAND int Handle_WaitProcess(int argc, wchar_t **argv) {
- if (argc != 1)
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- ::Sleep(::wcstoul(argv[0], NULL, 10));
- return SBOX_TEST_TIMED_OUT;
-}
-
-// Attempts to duplicate an event handle into the target process.
-SBOX_TESTS_COMMAND int Handle_DuplicateEvent(int argc, wchar_t **argv) {
- if (argc != 1)
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- // Create a test event to use as a handle.
- base::win::ScopedHandle test_event;
- test_event.Set(::CreateEvent(NULL, TRUE, TRUE, NULL));
- if (!test_event.IsValid())
- return SBOX_TEST_FIRST_ERROR;
-
- // Get the target process ID.
- DWORD target_process_id = ::wcstoul(argv[0], NULL, 10);
-
- HANDLE handle = NULL;
- ResultCode result = SandboxFactory::GetTargetServices()->DuplicateHandle(
- test_event.Get(), target_process_id, &handle, 0, DUPLICATE_SAME_ACCESS);
-
- return (result == SBOX_ALL_OK) ? SBOX_TEST_SUCCEEDED : SBOX_TEST_DENIED;
-}
-
-// Tests that duplicating an object works only when the policy allows it.
-TEST(HandlePolicyTest, DuplicateHandle) {
- TestRunner target;
- TestRunner runner;
-
- // Kick off an asynchronous target process for testing.
- target.SetAsynchronous(true);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, target.RunTest(L"Handle_WaitProcess 30000"));
-
- // First test that we fail to open the event.
- base::string16 cmd_line = base::StringPrintf(L"Handle_DuplicateEvent %d",
- target.process_id());
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(cmd_line.c_str()));
-
- // Now successfully open the event after adding a duplicate handle rule.
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_HANDLES,
- TargetPolicy::HANDLES_DUP_ANY,
- L"Event"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(cmd_line.c_str()));
-}
-
-// Tests that duplicating an object works only when the policy allows it.
-TEST(HandlePolicyTest, DuplicatePeerHandle) {
- TestRunner target;
- TestRunner runner;
-
- // Kick off an asynchronous target process for testing.
- target.SetAsynchronous(true);
- target.SetUnsandboxed(true);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, target.RunTest(L"Handle_WaitProcess 30000"));
-
- // First test that we fail to open the event.
- base::string16 cmd_line = base::StringPrintf(L"Handle_DuplicateEvent %d",
- target.process_id());
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(cmd_line.c_str()));
-
- // Now successfully open the event after adding a duplicate handle rule.
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_HANDLES,
- TargetPolicy::HANDLES_DUP_ANY,
- L"Event"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(cmd_line.c_str()));
-}
-
-// Tests that duplicating an object works only when the policy allows it.
-TEST(HandlePolicyTest, DuplicateBrokerHandle) {
- TestRunner runner;
-
- // First test that we fail to open the event.
- base::string16 cmd_line = base::StringPrintf(L"Handle_DuplicateEvent %d",
- ::GetCurrentProcessId());
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(cmd_line.c_str()));
-
- // Add the peer rule and make sure we fail again.
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_HANDLES,
- TargetPolicy::HANDLES_DUP_ANY,
- L"Event"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(cmd_line.c_str()));
-
-
- // Now successfully open the event after adding a broker handle rule.
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_HANDLES,
- TargetPolicy::HANDLES_DUP_BROKER,
- L"Event"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(cmd_line.c_str()));
-}
-
-} // namespace sandbox
-
diff --git a/security/sandbox/chromium/sandbox/win/src/ipc_tags.h b/security/sandbox/chromium/sandbox/win/src/ipc_tags.h
index ec6de4a66a..e655fc4b9a 100644
--- a/security/sandbox/chromium/sandbox/win/src/ipc_tags.h
+++ b/security/sandbox/chromium/sandbox/win/src/ipc_tags.h
@@ -28,7 +28,6 @@ enum class IpcTag {
OPENEVENT,
NTCREATEKEY,
NTOPENKEY,
- DUPLICATEHANDLEPROXY,
GDI_GDIDLLINITIALIZE,
GDI_GETSTOCKOBJECT,
USER_REGISTERCLASSW,
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sandbox/chromium/sandbox/win/src/sandbox.h
index 858c350558..6133687f48 100644
--- a/security/sandbox/chromium/sandbox/win/src/sandbox.h
+++ b/security/sandbox/chromium/sandbox/win/src/sandbox.h
@@ -102,14 +102,6 @@ class BrokerServices {
// more information.
virtual ResultCode WaitForAllTargets() = 0;
- // Adds an unsandboxed process as a peer for policy decisions (e.g.
- // HANDLES_DUP_ANY policy).
- // Returns:
- // ALL_OK if successful. All other return values imply failure.
- // If the return is ERROR_GENERIC, you can call ::GetLastError() to get
- // more information.
- virtual ResultCode AddTargetPeer(HANDLE peer_process) = 0;
-
// This call creates a snapshot of policies managed by the sandbox and
// returns them via a helper class.
// Parameters:
@@ -172,20 +164,6 @@ class TargetServices {
// LowerToken has been called or not.
virtual ProcessState* GetState() = 0;
- // Requests the broker to duplicate the supplied handle into the target
- // process. The target process must be an active sandbox child process
- // and the source process must have a corresponding policy allowing
- // handle duplication for this object type.
- // Returns:
- // ALL_OK if successful. All other return values imply failure.
- // If the return is ERROR_GENERIC, you can call ::GetLastError() to get
- // more information.
- virtual ResultCode DuplicateHandle(HANDLE source_handle,
- DWORD target_process_id,
- HANDLE* target_handle,
- DWORD desired_access,
- DWORD options) = 0;
-
virtual ResultCode GetComplexLineBreaks(const WCHAR* text, uint32_t length,
uint8_t* break_before) = 0;
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h
index 75514ef595..10a29d6f3b 100644
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h
+++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h
@@ -30,7 +30,6 @@ class TargetPolicy {
SUBSYS_PROCESS, // Creation of child processes.
SUBSYS_REGISTRY, // Creation and opening of registry keys.
SUBSYS_SYNC, // Creation of named sync objects.
- SUBSYS_HANDLES, // Duplication of handles to other processes.
SUBSYS_WIN32K_LOCKDOWN, // Win32K Lockdown related policy.
SUBSYS_SIGNED_BINARY, // Signed binary policy.
SUBSYS_LINE_BREAK // Complex line break policy.
@@ -44,9 +43,6 @@ class TargetPolicy {
FILES_ALLOW_QUERY, // Allows access to query the attributes of a file.
FILES_ALLOW_DIR_ANY, // Allows open or create with directory semantics
// only.
- HANDLES_DUP_ANY, // Allows duplicating handles opened with any
- // access permissions.
- HANDLES_DUP_BROKER, // Allows duplicating handles to the broker process.
NAMEDPIPES_ALLOW_ANY, // Allows creation of a named pipe.
PROCESS_MIN_EXEC, // Allows to create a process with minimal rights
// over the resulting process and thread handles.
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc
index f228dbbc31..0a23cb4470 100644
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc
+++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc
@@ -17,7 +17,6 @@
#include "base/win/windows_version.h"
#include "sandbox/win/src/acl.h"
#include "sandbox/win/src/filesystem_policy.h"
-#include "sandbox/win/src/handle_policy.h"
#include "sandbox/win/src/interception.h"
#include "sandbox/win/src/job.h"
#include "sandbox/win/src/line_break_policy.h"
@@ -775,14 +774,6 @@ ResultCode PolicyBase::AddRuleInternal(SubSystem subsystem,
}
break;
}
- case SUBSYS_HANDLES: {
- if (!HandlePolicy::GenerateRules(pattern, semantics, policy_maker_)) {
- NOTREACHED();
- return SBOX_ERROR_BAD_PARAMS;
- }
- break;
- }
-
case SUBSYS_WIN32K_LOCKDOWN: {
// Win32k intercept rules only supported on Windows 8 and above. This must
// match the version checks in process_mitigations.cc for consistency.
diff --git a/security/sandbox/chromium/sandbox/win/src/target_services.cc b/security/sandbox/chromium/sandbox/win/src/target_services.cc
index a80e0106ef..7bd0e87aab 100644
--- a/security/sandbox/chromium/sandbox/win/src/target_services.cc
+++ b/security/sandbox/chromium/sandbox/win/src/target_services.cc
@@ -12,7 +12,6 @@
#include "base/win/windows_version.h"
#include "sandbox/win/src/crosscall_client.h"
#include "sandbox/win/src/handle_closer_agent.h"
-#include "sandbox/win/src/handle_interception.h"
#include "sandbox/win/src/heap_helper.h"
#include "sandbox/win/src/line_break_interception.h"
#include "sandbox/win/src/ipc_tags.h"
@@ -246,15 +245,6 @@ void ProcessState::SetCsrssConnected(bool csrss_connected) {
csrss_connected_ = csrss_connected;
}
-ResultCode TargetServicesBase::DuplicateHandle(HANDLE source_handle,
- DWORD target_process_id,
- HANDLE* target_handle,
- DWORD desired_access,
- DWORD options) {
- return sandbox::DuplicateHandleProxy(source_handle, target_process_id,
- target_handle, desired_access, options);
-}
-
ResultCode TargetServicesBase::GetComplexLineBreaks(const WCHAR* text,
uint32_t length,
uint8_t* break_before) {
diff --git a/security/sandbox/chromium/sandbox/win/src/target_services.h b/security/sandbox/chromium/sandbox/win/src/target_services.h
index 1d70d4cd34..0231a250f3 100644
--- a/security/sandbox/chromium/sandbox/win/src/target_services.h
+++ b/security/sandbox/chromium/sandbox/win/src/target_services.h
@@ -45,11 +45,6 @@ class TargetServicesBase : public TargetServices {
ResultCode Init() override;
void LowerToken() override;
ProcessState* GetState() override;
- ResultCode DuplicateHandle(HANDLE source_handle,
- DWORD target_process_id,
- HANDLE* target_handle,
- DWORD desired_access,
- DWORD options) override;
ResultCode GetComplexLineBreaks(const WCHAR* text, uint32_t length,
uint8_t* break_before) final;
diff --git a/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc
index 3c8f8e25e5..7c072d5279 100644
--- a/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc
+++ b/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc
@@ -10,7 +10,6 @@
#include "base/logging.h"
#include "sandbox/win/src/crosscall_server.h"
#include "sandbox/win/src/filesystem_dispatcher.h"
-#include "sandbox/win/src/handle_dispatcher.h"
#include "sandbox/win/src/interception.h"
#include "sandbox/win/src/internal_types.h"
#include "sandbox/win/src/ipc_tags.h"
@@ -62,10 +61,6 @@ TopLevelDispatcher::TopLevelDispatcher(PolicyBase* policy) : policy_(policy) {
ipc_targets_[static_cast<size_t>(IpcTag::NTOPENKEY)] = dispatcher;
registry_dispatcher_.reset(dispatcher);
- dispatcher = new HandleDispatcher(policy_);
- ipc_targets_[static_cast<size_t>(IpcTag::DUPLICATEHANDLEPROXY)] = dispatcher;
- handle_dispatcher_.reset(dispatcher);
-
dispatcher = new ProcessMitigationsWin32KDispatcher(policy_);
ipc_targets_[static_cast<size_t>(IpcTag::GDI_GDIDLLINITIALIZE)] = dispatcher;
ipc_targets_[static_cast<size_t>(IpcTag::GDI_GETSTOCKOBJECT)] = dispatcher;