diff options
Diffstat (limited to 'security/sandbox/chromium')
17 files changed, 17 insertions, 592 deletions
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/linux_syscall_ranges.h b/security/sandbox/chromium/sandbox/linux/bpf_dsl/linux_syscall_ranges.h index 313511f22e..c43e73448f 100644 --- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/linux_syscall_ranges.h +++ b/security/sandbox/chromium/sandbox/linux/bpf_dsl/linux_syscall_ranges.h @@ -51,9 +51,9 @@ #elif defined(__aarch64__) -#include <asm-generic/unistd.h> +// The unistd.h included in the sysroot has a very old __NR_syscalls #define MIN_SYSCALL 0u -#define MAX_PUBLIC_SYSCALL __NR_syscalls +#define MAX_PUBLIC_SYSCALL (MIN_SYSCALL + 1024u) #define MAX_SYSCALL MAX_PUBLIC_SYSCALL #else diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.cc b/security/sandbox/chromium/sandbox/win/src/broker_services.cc index 0ba71bbd5d..613becf37b 100644 --- a/security/sandbox/chromium/sandbox/win/src/broker_services.cc +++ b/security/sandbox/chromium/sandbox/win/src/broker_services.cc @@ -159,8 +159,6 @@ ResultCode BrokerServicesBase::Init() { if (job_port_.IsValid() || thread_pool_) return SBOX_ERROR_UNEXPECTED_CALL; - ::InitializeCriticalSection(&lock_); - job_port_.Set(::CreateIoCompletionPort(INVALID_HANDLE_VALUE, nullptr, 0, 0)); if (!job_port_.IsValid()) return SBOX_ERROR_CANNOT_INIT_BROKERSERVICES; @@ -201,7 +199,6 @@ BrokerServicesBase::~BrokerServicesBase() { return; } thread_pool_.reset(); - ::DeleteCriticalSection(&lock_); } scoped_refptr<TargetPolicy> BrokerServicesBase::CreatePolicy() { @@ -294,11 +291,6 @@ DWORD WINAPI BrokerServicesBase::TargetEventsThread(PVOID param) { case JOB_OBJECT_MSG_EXIT_PROCESS: case JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS: { - { - AutoLock lock(&broker->lock_); - broker->active_targets_.erase( - static_cast<DWORD>(reinterpret_cast<uintptr_t>(ovl))); - } size_t erase_result = child_process_ids.erase( static_cast<DWORD>(reinterpret_cast<uintptr_t>(ovl))); if (erase_result != 1U) { @@ -364,11 +356,6 @@ DWORD WINAPI BrokerServicesBase::TargetEventsThread(PVOID param) { ProcessTracker* tracker = static_cast<ProcessTracker*>(reinterpret_cast<void*>(ovl)); - { - AutoLock lock(&broker->lock_); - broker->active_targets_.erase(tracker->process_id); - } - ::UnregisterWait(tracker->wait_handle); tracker->wait_handle = INVALID_HANDLE_VALUE; // Copy process_id so that we can legally reference it even after we have @@ -659,19 +646,26 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path, // SpawnCleanup() caused deletion of TargetProcess twice. crbug.com/480639 CHECK( AssociateCompletionPort(tracker->job.Get(), job_port_.Get(), tracker)); - - AutoLock lock(&lock_); - active_targets_.insert(process_info.process_id()); } else { - result = AddTargetPeerInternal(process_info.process_handle(), - process_info.process_id(), - policy_base, last_error); - if (result != SBOX_ALL_OK) { + // Duplicate the process handle to give the tracking machinery + // something valid to wait on in the tracking thread. + HANDLE tmp_process_handle = INVALID_HANDLE_VALUE; + if (!::DuplicateHandle(::GetCurrentProcess(), process_info.process_handle(), + ::GetCurrentProcess(), &tmp_process_handle, + SYNCHRONIZE, false, 0 /*no options*/)) { + *last_error = ::GetLastError(); // This may fail in the same way as Job associated processes. // crbug.com/480639. target->Terminate(); - return result; + return SBOX_ERROR_CANNOT_DUPLICATE_PROCESS_HANDLE; } + base::win::ScopedHandle dup_process_handle(tmp_process_handle); + ProcessTracker* tracker = new ProcessTracker( + policy_base, process_info.process_id(), std::move(dup_process_handle)); + // The tracker and policy will leak if this call fails. + ::PostQueuedCompletionStatus(job_port_.Get(), 0, + THREAD_CTRL_NEW_PROCESS_TRACKER, + reinterpret_cast<LPOVERLAPPED>(tracker)); } *target_info = process_info.Take(); @@ -683,45 +677,6 @@ ResultCode BrokerServicesBase::WaitForAllTargets() { return SBOX_ALL_OK; } -bool BrokerServicesBase::IsSafeDuplicationTarget(DWORD process_id) { - AutoLock lock(&lock_); - return active_targets_.find(process_id) != active_targets_.end(); -} - -ResultCode BrokerServicesBase::AddTargetPeerInternal( - HANDLE peer_process_handle, - DWORD peer_process_id, - scoped_refptr<PolicyBase> policy_base, - DWORD* last_error) { - // Duplicate the process handle to give the tracking machinery - // something valid to wait on in the tracking thread. - HANDLE tmp_process_handle = INVALID_HANDLE_VALUE; - if (!::DuplicateHandle(::GetCurrentProcess(), peer_process_handle, - ::GetCurrentProcess(), &tmp_process_handle, - SYNCHRONIZE, false, 0 /*no options*/)) { - *last_error = ::GetLastError(); - return SBOX_ERROR_CANNOT_DUPLICATE_PROCESS_HANDLE; - } - base::win::ScopedHandle dup_process_handle(tmp_process_handle); - ProcessTracker* tracker = new ProcessTracker( - policy_base, peer_process_id, std::move(dup_process_handle)); - // The tracker and policy will leak if this call fails. - ::PostQueuedCompletionStatus(job_port_.Get(), 0, - THREAD_CTRL_NEW_PROCESS_TRACKER, - reinterpret_cast<LPOVERLAPPED>(tracker)); - - AutoLock lock(&lock_); - active_targets_.insert(peer_process_id); - - return SBOX_ALL_OK; -} - -ResultCode BrokerServicesBase::AddTargetPeer(HANDLE peer_process) { - DWORD last_error; - return AddTargetPeerInternal(peer_process, ::GetProcessId(peer_process), - nullptr, &last_error); -} - ResultCode BrokerServicesBase::GetPolicyDiagnostics( std::unique_ptr<PolicyDiagnosticsReceiver> receiver) { CHECK(job_thread_.IsValid()); diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.h b/security/sandbox/chromium/sandbox/win/src/broker_services.h index 64dc6d66e5..1d7eafdea3 100644 --- a/security/sandbox/chromium/sandbox/win/src/broker_services.h +++ b/security/sandbox/chromium/sandbox/win/src/broker_services.h @@ -19,7 +19,6 @@ #include "sandbox/win/src/crosscall_server.h" #include "sandbox/win/src/job.h" #include "sandbox/win/src/sandbox.h" -#include "sandbox/win/src/sandbox_policy_base.h" #include "sandbox/win/src/sharedmem_ipc_server.h" #include "sandbox/win/src/win2k_threadpool.h" #include "sandbox/win/src/win_utils.h" @@ -51,14 +50,6 @@ class BrokerServicesBase final : public BrokerServices, DWORD* last_error, PROCESS_INFORMATION* target) override; ResultCode WaitForAllTargets() override; - ResultCode AddTargetPeer(HANDLE peer_process) override; - - // Checks if the supplied process ID matches one of the broker's active - // target processes. We use this method for the specific purpose of - // checking if we can safely duplicate a handle to the supplied process - // in DuplicateHandleProxyAction. - bool IsSafeDuplicationTarget(DWORD process_id); - ResultCode GetPolicyDiagnostics( std::unique_ptr<PolicyDiagnosticsReceiver> receiver) override; @@ -84,19 +75,6 @@ class BrokerServicesBase final : public BrokerServices, // Provides a pool of threads that are used to wait on the IPC calls. std::unique_ptr<ThreadProvider> thread_pool_; - // The set representing the broker's active target processes including - // both sandboxed and unsandboxed peer processes. - std::set<DWORD> active_targets_; - - // Lock used to protect active_targets_ from being simultaneously accessed - // by multiple threads. - CRITICAL_SECTION lock_; - - ResultCode AddTargetPeerInternal(HANDLE peer_process_handle, - DWORD peer_process_id, - scoped_refptr<PolicyBase> policy_base, - DWORD* last_error); - DISALLOW_COPY_AND_ASSIGN(BrokerServicesBase); }; diff --git a/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc deleted file mode 100644 index 611e33d2a6..0000000000 --- a/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc +++ /dev/null @@ -1,93 +0,0 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "sandbox/win/src/handle_dispatcher.h" - -#include <stdint.h> - -#include "base/win/scoped_handle.h" -#include "sandbox/win/src/handle_interception.h" -#include "sandbox/win/src/handle_policy.h" -#include "sandbox/win/src/ipc_tags.h" -#include "sandbox/win/src/policy_broker.h" -#include "sandbox/win/src/policy_params.h" -#include "sandbox/win/src/sandbox.h" -#include "sandbox/win/src/sandbox_nt_util.h" -#include "sandbox/win/src/sandbox_types.h" -#include "sandbox/win/src/sandbox_utils.h" - -namespace sandbox { - -HandleDispatcher::HandleDispatcher(PolicyBase* policy_base) - : policy_base_(policy_base) { - static const IPCCall duplicate_handle_proxy = { - {IpcTag::DUPLICATEHANDLEPROXY, - {VOIDPTR_TYPE, UINT32_TYPE, UINT32_TYPE, UINT32_TYPE}}, - reinterpret_cast<CallbackGeneric>( - &HandleDispatcher::DuplicateHandleProxy)}; - - ipc_calls_.push_back(duplicate_handle_proxy); -} - -bool HandleDispatcher::SetupService(InterceptionManager* manager, - IpcTag service) { - // We perform no interceptions for handles right now. - switch (service) { - case IpcTag::DUPLICATEHANDLEPROXY: - return true; - - default: - return false; - } -} - -bool HandleDispatcher::DuplicateHandleProxy(IPCInfo* ipc, - HANDLE source_handle, - uint32_t target_process_id, - uint32_t desired_access, - uint32_t options) { - static NtQueryObject QueryObject = NULL; - if (!QueryObject) - ResolveNTFunctionPtr("NtQueryObject", &QueryObject); - - // Get a copy of the handle for use in the broker process. - HANDLE handle_temp; - if (!::DuplicateHandle(ipc->client_info->process, source_handle, - ::GetCurrentProcess(), &handle_temp, - 0, FALSE, DUPLICATE_SAME_ACCESS | options)) { - ipc->return_info.win32_result = ::GetLastError(); - return false; - } - options &= ~DUPLICATE_CLOSE_SOURCE; - base::win::ScopedHandle handle(handle_temp); - - // Get the object type (32 characters is safe; current max is 14). - BYTE buffer[sizeof(OBJECT_TYPE_INFORMATION) + 32 * sizeof(wchar_t)]; - OBJECT_TYPE_INFORMATION* type_info = - reinterpret_cast<OBJECT_TYPE_INFORMATION*>(buffer); - ULONG size = sizeof(buffer) - sizeof(wchar_t); - NTSTATUS error = - QueryObject(handle.Get(), ObjectTypeInformation, type_info, size, &size); - if (!NT_SUCCESS(error)) { - ipc->return_info.nt_status = error; - return false; - } - type_info->Name.Buffer[type_info->Name.Length / sizeof(wchar_t)] = L'\0'; - - CountedParameterSet<HandleTarget> params; - params[HandleTarget::NAME] = ParamPickerMake(type_info->Name.Buffer); - params[HandleTarget::TARGET] = ParamPickerMake(target_process_id); - - EvalResult eval = policy_base_->EvalPolicy(IpcTag::DUPLICATEHANDLEPROXY, - params.GetBase()); - ipc->return_info.win32_result = - HandlePolicy::DuplicateHandleProxyAction(eval, handle.Get(), - target_process_id, - &ipc->return_info.handle, - desired_access, options); - return true; -} - -} // namespace sandbox - diff --git a/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.h b/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.h deleted file mode 100644 index 6f9adbc10b..0000000000 --- a/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.h +++ /dev/null @@ -1,41 +0,0 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef SANDBOX_SRC_HANDLE_DISPATCHER_H_ -#define SANDBOX_SRC_HANDLE_DISPATCHER_H_ - -#include <stdint.h> - -#include "base/macros.h" -#include "sandbox/win/src/crosscall_server.h" -#include "sandbox/win/src/sandbox_policy_base.h" - -namespace sandbox { - -// This class handles handle-related IPC calls. -class HandleDispatcher : public Dispatcher { - public: - explicit HandleDispatcher(PolicyBase* policy_base); - ~HandleDispatcher() override {} - - // Dispatcher interface. - bool SetupService(InterceptionManager* manager, IpcTag service) override; - - private: - // Processes IPC requests coming from calls to - // TargetServices::DuplicateHandle() in the target. - bool DuplicateHandleProxy(IPCInfo* ipc, - HANDLE source_handle, - uint32_t target_process_id, - uint32_t desired_access, - uint32_t options); - - PolicyBase* policy_base_; - DISALLOW_COPY_AND_ASSIGN(HandleDispatcher); -}; - -} // namespace sandbox - -#endif // SANDBOX_SRC_HANDLE_DISPATCHER_H_ - diff --git a/security/sandbox/chromium/sandbox/win/src/handle_interception.cc b/security/sandbox/chromium/sandbox/win/src/handle_interception.cc deleted file mode 100644 index 53db4a8b27..0000000000 --- a/security/sandbox/chromium/sandbox/win/src/handle_interception.cc +++ /dev/null @@ -1,48 +0,0 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "sandbox/win/src/handle_interception.h" - -#include "sandbox/win/src/crosscall_client.h" -#include "sandbox/win/src/ipc_tags.h" -#include "sandbox/win/src/sandbox_factory.h" -#include "sandbox/win/src/sandbox_nt_util.h" -#include "sandbox/win/src/sharedmem_ipc_client.h" -#include "sandbox/win/src/target_services.h" -#include "mozilla/sandboxing/sandboxLogging.h" - -namespace sandbox { - -ResultCode DuplicateHandleProxy(HANDLE source_handle, - DWORD target_process_id, - HANDLE* target_handle, - DWORD desired_access, - DWORD options) { - *target_handle = NULL; - - void* memory = GetGlobalIPCMemory(); - if (NULL == memory) - return SBOX_ERROR_NO_SPACE; - - SharedMemIPCClient ipc(memory); - CrossCallReturn answer = {0}; - ResultCode code = CrossCall(ipc, IpcTag::DUPLICATEHANDLEPROXY, - source_handle, target_process_id, - desired_access, options, &answer); - if (SBOX_ALL_OK != code) - return code; - - if (answer.win32_result) { - ::SetLastError(answer.win32_result); - mozilla::sandboxing::LogBlocked("DuplicateHandle"); - return SBOX_ERROR_GENERIC; - } - - *target_handle = answer.handle; - mozilla::sandboxing::LogAllowed("DuplicateHandle"); - return SBOX_ALL_OK; -} - -} // namespace sandbox - diff --git a/security/sandbox/chromium/sandbox/win/src/handle_interception.h b/security/sandbox/chromium/sandbox/win/src/handle_interception.h deleted file mode 100644 index 6f60811f17..0000000000 --- a/security/sandbox/chromium/sandbox/win/src/handle_interception.h +++ /dev/null @@ -1,24 +0,0 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "sandbox/win/src/nt_internals.h" -#include "sandbox/win/src/sandbox_types.h" - -#ifndef SANDBOX_SRC_HANDLE_INTERCEPTION_H_ -#define SANDBOX_SRC_HANDLE_INTERCEPTION_H_ - -namespace sandbox { - -// TODO(jschuh) Add an interception to catch dangerous DuplicateHandle calls. - -ResultCode DuplicateHandleProxy(HANDLE source_handle, - DWORD target_process_id, - HANDLE* target_handle, - DWORD desired_access, - DWORD options); - -} // namespace sandbox - -#endif // SANDBOX_SRC_HANDLE_INTERCEPTION_H_ - diff --git a/security/sandbox/chromium/sandbox/win/src/handle_policy.cc b/security/sandbox/chromium/sandbox/win/src/handle_policy.cc deleted file mode 100644 index fa3295ae3f..0000000000 --- a/security/sandbox/chromium/sandbox/win/src/handle_policy.cc +++ /dev/null @@ -1,93 +0,0 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "sandbox/win/src/handle_policy.h" - -#include <string> - -#include "base/win/scoped_handle.h" -#include "sandbox/win/src/broker_services.h" -#include "sandbox/win/src/ipc_tags.h" -#include "sandbox/win/src/policy_engine_opcodes.h" -#include "sandbox/win/src/policy_params.h" -#include "sandbox/win/src/sandbox_types.h" -#include "sandbox/win/src/sandbox_utils.h" - -namespace sandbox { - -bool HandlePolicy::GenerateRules(const wchar_t* type_name, - TargetPolicy::Semantics semantics, - LowLevelPolicy* policy) { - PolicyRule duplicate_rule(ASK_BROKER); - - switch (semantics) { - case TargetPolicy::HANDLES_DUP_ANY: { - if (!duplicate_rule.AddNumberMatch(IF_NOT, HandleTarget::TARGET, - ::GetCurrentProcessId(), EQUAL)) { - return false; - } - break; - } - - case TargetPolicy::HANDLES_DUP_BROKER: { - if (!duplicate_rule.AddNumberMatch(IF, HandleTarget::TARGET, - ::GetCurrentProcessId(), EQUAL)) { - return false; - } - break; - } - - default: - return false; - } - if (!duplicate_rule.AddStringMatch(IF, HandleTarget::NAME, type_name, - CASE_INSENSITIVE)) { - return false; - } - if (!policy->AddRule(IpcTag::DUPLICATEHANDLEPROXY, &duplicate_rule)) { - return false; - } - return true; -} - -DWORD HandlePolicy::DuplicateHandleProxyAction(EvalResult eval_result, - HANDLE source_handle, - DWORD target_process_id, - HANDLE* target_handle, - DWORD desired_access, - DWORD options) { - // The only action supported is ASK_BROKER which means duplicate the handle. - if (ASK_BROKER != eval_result) { - return ERROR_ACCESS_DENIED; - } - - base::win::ScopedHandle remote_target_process; - if (target_process_id != ::GetCurrentProcessId()) { - // Sandboxed children are dynamic, so we check that manually. - if (!BrokerServicesBase::GetInstance()->IsSafeDuplicationTarget( - target_process_id)) { - return ERROR_ACCESS_DENIED; - } - - remote_target_process.Set(::OpenProcess(PROCESS_DUP_HANDLE, FALSE, - target_process_id)); - if (!remote_target_process.IsValid()) - return ::GetLastError(); - } - - // If the policy didn't block us and we have no valid target, then the broker - // (this process) is the valid target. - HANDLE target_process = remote_target_process.IsValid() ? - remote_target_process.Get() : ::GetCurrentProcess(); - if (!::DuplicateHandle(::GetCurrentProcess(), source_handle, target_process, - target_handle, desired_access, FALSE, - options)) { - return ::GetLastError(); - } - - return ERROR_SUCCESS; -} - -} // namespace sandbox - diff --git a/security/sandbox/chromium/sandbox/win/src/handle_policy.h b/security/sandbox/chromium/sandbox/win/src/handle_policy.h deleted file mode 100644 index 29ce5ab666..0000000000 --- a/security/sandbox/chromium/sandbox/win/src/handle_policy.h +++ /dev/null @@ -1,39 +0,0 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef SANDBOX_SRC_HANDLE_POLICY_H_ -#define SANDBOX_SRC_HANDLE_POLICY_H_ - -#include <string> - -#include "sandbox/win/src/crosscall_server.h" -#include "sandbox/win/src/policy_low_level.h" -#include "sandbox/win/src/sandbox_policy.h" - -namespace sandbox { - -enum EvalResult; - -// This class centralizes most of the knowledge related to handle policy. -class HandlePolicy { - public: - // Creates the required low-level policy rules to evaluate a high-level - // policy rule for handles, in particular duplicate action. - static bool GenerateRules(const wchar_t* type_name, - TargetPolicy::Semantics semantics, - LowLevelPolicy* policy); - - // Processes a 'TargetPolicy::DuplicateHandle()' request from the target. - static DWORD DuplicateHandleProxyAction(EvalResult eval_result, - HANDLE source_handle, - DWORD target_process_id, - HANDLE* target_handle, - DWORD desired_access, - DWORD options); -}; - -} // namespace sandbox - -#endif // SANDBOX_SRC_HANDLE_POLICY_H_ - diff --git a/security/sandbox/chromium/sandbox/win/src/handle_policy_test.cc b/security/sandbox/chromium/sandbox/win/src/handle_policy_test.cc deleted file mode 100644 index 11382da811..0000000000 --- a/security/sandbox/chromium/sandbox/win/src/handle_policy_test.cc +++ /dev/null @@ -1,114 +0,0 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "base/strings/stringprintf.h" -#include "sandbox/win/src/handle_policy.h" -#include "sandbox/win/src/nt_internals.h" -#include "sandbox/win/src/sandbox.h" -#include "sandbox/win/src/sandbox_factory.h" -#include "sandbox/win/src/sandbox_policy.h" -#include "sandbox/win/src/win_utils.h" -#include "sandbox/win/tests/common/controller.h" -#include "testing/gtest/include/gtest/gtest.h" - -namespace sandbox { - -// Just waits for the supplied number of milliseconds. -SBOX_TESTS_COMMAND int Handle_WaitProcess(int argc, wchar_t **argv) { - if (argc != 1) - return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; - - ::Sleep(::wcstoul(argv[0], NULL, 10)); - return SBOX_TEST_TIMED_OUT; -} - -// Attempts to duplicate an event handle into the target process. -SBOX_TESTS_COMMAND int Handle_DuplicateEvent(int argc, wchar_t **argv) { - if (argc != 1) - return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; - - // Create a test event to use as a handle. - base::win::ScopedHandle test_event; - test_event.Set(::CreateEvent(NULL, TRUE, TRUE, NULL)); - if (!test_event.IsValid()) - return SBOX_TEST_FIRST_ERROR; - - // Get the target process ID. - DWORD target_process_id = ::wcstoul(argv[0], NULL, 10); - - HANDLE handle = NULL; - ResultCode result = SandboxFactory::GetTargetServices()->DuplicateHandle( - test_event.Get(), target_process_id, &handle, 0, DUPLICATE_SAME_ACCESS); - - return (result == SBOX_ALL_OK) ? SBOX_TEST_SUCCEEDED : SBOX_TEST_DENIED; -} - -// Tests that duplicating an object works only when the policy allows it. -TEST(HandlePolicyTest, DuplicateHandle) { - TestRunner target; - TestRunner runner; - - // Kick off an asynchronous target process for testing. - target.SetAsynchronous(true); - EXPECT_EQ(SBOX_TEST_SUCCEEDED, target.RunTest(L"Handle_WaitProcess 30000")); - - // First test that we fail to open the event. - base::string16 cmd_line = base::StringPrintf(L"Handle_DuplicateEvent %d", - target.process_id()); - EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(cmd_line.c_str())); - - // Now successfully open the event after adding a duplicate handle rule. - EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_HANDLES, - TargetPolicy::HANDLES_DUP_ANY, - L"Event")); - EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(cmd_line.c_str())); -} - -// Tests that duplicating an object works only when the policy allows it. -TEST(HandlePolicyTest, DuplicatePeerHandle) { - TestRunner target; - TestRunner runner; - - // Kick off an asynchronous target process for testing. - target.SetAsynchronous(true); - target.SetUnsandboxed(true); - EXPECT_EQ(SBOX_TEST_SUCCEEDED, target.RunTest(L"Handle_WaitProcess 30000")); - - // First test that we fail to open the event. - base::string16 cmd_line = base::StringPrintf(L"Handle_DuplicateEvent %d", - target.process_id()); - EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(cmd_line.c_str())); - - // Now successfully open the event after adding a duplicate handle rule. - EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_HANDLES, - TargetPolicy::HANDLES_DUP_ANY, - L"Event")); - EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(cmd_line.c_str())); -} - -// Tests that duplicating an object works only when the policy allows it. -TEST(HandlePolicyTest, DuplicateBrokerHandle) { - TestRunner runner; - - // First test that we fail to open the event. - base::string16 cmd_line = base::StringPrintf(L"Handle_DuplicateEvent %d", - ::GetCurrentProcessId()); - EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(cmd_line.c_str())); - - // Add the peer rule and make sure we fail again. - EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_HANDLES, - TargetPolicy::HANDLES_DUP_ANY, - L"Event")); - EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(cmd_line.c_str())); - - - // Now successfully open the event after adding a broker handle rule. - EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_HANDLES, - TargetPolicy::HANDLES_DUP_BROKER, - L"Event")); - EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(cmd_line.c_str())); -} - -} // namespace sandbox - diff --git a/security/sandbox/chromium/sandbox/win/src/ipc_tags.h b/security/sandbox/chromium/sandbox/win/src/ipc_tags.h index ec6de4a66a..e655fc4b9a 100644 --- a/security/sandbox/chromium/sandbox/win/src/ipc_tags.h +++ b/security/sandbox/chromium/sandbox/win/src/ipc_tags.h @@ -28,7 +28,6 @@ enum class IpcTag { OPENEVENT, NTCREATEKEY, NTOPENKEY, - DUPLICATEHANDLEPROXY, GDI_GDIDLLINITIALIZE, GDI_GETSTOCKOBJECT, USER_REGISTERCLASSW, diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sandbox/chromium/sandbox/win/src/sandbox.h index 858c350558..6133687f48 100644 --- a/security/sandbox/chromium/sandbox/win/src/sandbox.h +++ b/security/sandbox/chromium/sandbox/win/src/sandbox.h @@ -102,14 +102,6 @@ class BrokerServices { // more information. virtual ResultCode WaitForAllTargets() = 0; - // Adds an unsandboxed process as a peer for policy decisions (e.g. - // HANDLES_DUP_ANY policy). - // Returns: - // ALL_OK if successful. All other return values imply failure. - // If the return is ERROR_GENERIC, you can call ::GetLastError() to get - // more information. - virtual ResultCode AddTargetPeer(HANDLE peer_process) = 0; - // This call creates a snapshot of policies managed by the sandbox and // returns them via a helper class. // Parameters: @@ -172,20 +164,6 @@ class TargetServices { // LowerToken has been called or not. virtual ProcessState* GetState() = 0; - // Requests the broker to duplicate the supplied handle into the target - // process. The target process must be an active sandbox child process - // and the source process must have a corresponding policy allowing - // handle duplication for this object type. - // Returns: - // ALL_OK if successful. All other return values imply failure. - // If the return is ERROR_GENERIC, you can call ::GetLastError() to get - // more information. - virtual ResultCode DuplicateHandle(HANDLE source_handle, - DWORD target_process_id, - HANDLE* target_handle, - DWORD desired_access, - DWORD options) = 0; - virtual ResultCode GetComplexLineBreaks(const WCHAR* text, uint32_t length, uint8_t* break_before) = 0; diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h index 75514ef595..10a29d6f3b 100644 --- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h +++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h @@ -30,7 +30,6 @@ class TargetPolicy { SUBSYS_PROCESS, // Creation of child processes. SUBSYS_REGISTRY, // Creation and opening of registry keys. SUBSYS_SYNC, // Creation of named sync objects. - SUBSYS_HANDLES, // Duplication of handles to other processes. SUBSYS_WIN32K_LOCKDOWN, // Win32K Lockdown related policy. SUBSYS_SIGNED_BINARY, // Signed binary policy. SUBSYS_LINE_BREAK // Complex line break policy. @@ -44,9 +43,6 @@ class TargetPolicy { FILES_ALLOW_QUERY, // Allows access to query the attributes of a file. FILES_ALLOW_DIR_ANY, // Allows open or create with directory semantics // only. - HANDLES_DUP_ANY, // Allows duplicating handles opened with any - // access permissions. - HANDLES_DUP_BROKER, // Allows duplicating handles to the broker process. NAMEDPIPES_ALLOW_ANY, // Allows creation of a named pipe. PROCESS_MIN_EXEC, // Allows to create a process with minimal rights // over the resulting process and thread handles. diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc index f228dbbc31..0a23cb4470 100644 --- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc +++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc @@ -17,7 +17,6 @@ #include "base/win/windows_version.h" #include "sandbox/win/src/acl.h" #include "sandbox/win/src/filesystem_policy.h" -#include "sandbox/win/src/handle_policy.h" #include "sandbox/win/src/interception.h" #include "sandbox/win/src/job.h" #include "sandbox/win/src/line_break_policy.h" @@ -775,14 +774,6 @@ ResultCode PolicyBase::AddRuleInternal(SubSystem subsystem, } break; } - case SUBSYS_HANDLES: { - if (!HandlePolicy::GenerateRules(pattern, semantics, policy_maker_)) { - NOTREACHED(); - return SBOX_ERROR_BAD_PARAMS; - } - break; - } - case SUBSYS_WIN32K_LOCKDOWN: { // Win32k intercept rules only supported on Windows 8 and above. This must // match the version checks in process_mitigations.cc for consistency. diff --git a/security/sandbox/chromium/sandbox/win/src/target_services.cc b/security/sandbox/chromium/sandbox/win/src/target_services.cc index a80e0106ef..7bd0e87aab 100644 --- a/security/sandbox/chromium/sandbox/win/src/target_services.cc +++ b/security/sandbox/chromium/sandbox/win/src/target_services.cc @@ -12,7 +12,6 @@ #include "base/win/windows_version.h" #include "sandbox/win/src/crosscall_client.h" #include "sandbox/win/src/handle_closer_agent.h" -#include "sandbox/win/src/handle_interception.h" #include "sandbox/win/src/heap_helper.h" #include "sandbox/win/src/line_break_interception.h" #include "sandbox/win/src/ipc_tags.h" @@ -246,15 +245,6 @@ void ProcessState::SetCsrssConnected(bool csrss_connected) { csrss_connected_ = csrss_connected; } -ResultCode TargetServicesBase::DuplicateHandle(HANDLE source_handle, - DWORD target_process_id, - HANDLE* target_handle, - DWORD desired_access, - DWORD options) { - return sandbox::DuplicateHandleProxy(source_handle, target_process_id, - target_handle, desired_access, options); -} - ResultCode TargetServicesBase::GetComplexLineBreaks(const WCHAR* text, uint32_t length, uint8_t* break_before) { diff --git a/security/sandbox/chromium/sandbox/win/src/target_services.h b/security/sandbox/chromium/sandbox/win/src/target_services.h index 1d70d4cd34..0231a250f3 100644 --- a/security/sandbox/chromium/sandbox/win/src/target_services.h +++ b/security/sandbox/chromium/sandbox/win/src/target_services.h @@ -45,11 +45,6 @@ class TargetServicesBase : public TargetServices { ResultCode Init() override; void LowerToken() override; ProcessState* GetState() override; - ResultCode DuplicateHandle(HANDLE source_handle, - DWORD target_process_id, - HANDLE* target_handle, - DWORD desired_access, - DWORD options) override; ResultCode GetComplexLineBreaks(const WCHAR* text, uint32_t length, uint8_t* break_before) final; diff --git a/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc index 3c8f8e25e5..7c072d5279 100644 --- a/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc +++ b/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc @@ -10,7 +10,6 @@ #include "base/logging.h" #include "sandbox/win/src/crosscall_server.h" #include "sandbox/win/src/filesystem_dispatcher.h" -#include "sandbox/win/src/handle_dispatcher.h" #include "sandbox/win/src/interception.h" #include "sandbox/win/src/internal_types.h" #include "sandbox/win/src/ipc_tags.h" @@ -62,10 +61,6 @@ TopLevelDispatcher::TopLevelDispatcher(PolicyBase* policy) : policy_(policy) { ipc_targets_[static_cast<size_t>(IpcTag::NTOPENKEY)] = dispatcher; registry_dispatcher_.reset(dispatcher); - dispatcher = new HandleDispatcher(policy_); - ipc_targets_[static_cast<size_t>(IpcTag::DUPLICATEHANDLEPROXY)] = dispatcher; - handle_dispatcher_.reset(dispatcher); - dispatcher = new ProcessMitigationsWin32KDispatcher(policy_); ipc_targets_[static_cast<size_t>(IpcTag::GDI_GDIDLLINITIALIZE)] = dispatcher; ipc_targets_[static_cast<size_t>(IpcTag::GDI_GETSTOCKOBJECT)] = dispatcher; |