security/sandbox/chromium/sandbox/win/src/sync_policy.cc


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243

// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "sandbox/win/src/sync_policy.h"

#include <stdint.h>

#include <string>

#include "base/logging.h"
#include "base/strings/stringprintf.h"
#include "sandbox/win/src/ipc_tags.h"
#include "sandbox/win/src/nt_internals.h"
#include "sandbox/win/src/policy_engine_opcodes.h"
#include "sandbox/win/src/policy_params.h"
#include "sandbox/win/src/sandbox_types.h"
#include "sandbox/win/src/sandbox_utils.h"
#include "sandbox/win/src/sync_interception.h"
#include "sandbox/win/src/win_utils.h"

namespace sandbox {

// Provides functionality to resolve a symbolic link within the object
// directory passed in.
NTSTATUS ResolveSymbolicLink(const std::wstring& directory_name,
                             const std::wstring& name,
                             std::wstring* target) {
  NtOpenDirectoryObjectFunction NtOpenDirectoryObject = nullptr;
  ResolveNTFunctionPtr("NtOpenDirectoryObject", &NtOpenDirectoryObject);

  NtQuerySymbolicLinkObjectFunction NtQuerySymbolicLinkObject = nullptr;
  ResolveNTFunctionPtr("NtQuerySymbolicLinkObject", &NtQuerySymbolicLinkObject);

  NtOpenSymbolicLinkObjectFunction NtOpenSymbolicLinkObject = nullptr;
  ResolveNTFunctionPtr("NtOpenSymbolicLinkObject", &NtOpenSymbolicLinkObject);

  NtCloseFunction NtClose = nullptr;
  ResolveNTFunctionPtr("NtClose", &NtClose);

  OBJECT_ATTRIBUTES symbolic_link_directory_attributes = {};
  UNICODE_STRING symbolic_link_directory_string = {};
  InitObjectAttribs(directory_name, OBJ_CASE_INSENSITIVE, nullptr,
                    &symbolic_link_directory_attributes,
                    &symbolic_link_directory_string, nullptr);

  HANDLE symbolic_link_directory = nullptr;
  NTSTATUS status =
      NtOpenDirectoryObject(&symbolic_link_directory, DIRECTORY_QUERY,
                            &symbolic_link_directory_attributes);
  if (!NT_SUCCESS(status))
    return status;

  OBJECT_ATTRIBUTES symbolic_link_attributes = {};
  UNICODE_STRING name_string = {};
  InitObjectAttribs(name, OBJ_CASE_INSENSITIVE, symbolic_link_directory,
                    &symbolic_link_attributes, &name_string, nullptr);

  HANDLE symbolic_link = nullptr;
  status = NtOpenSymbolicLinkObject(&symbolic_link, GENERIC_READ,
                                    &symbolic_link_attributes);
  CHECK(NT_SUCCESS(NtClose(symbolic_link_directory)));
  if (!NT_SUCCESS(status))
    return status;

  UNICODE_STRING target_path = {};
  unsigned long target_length = 0;
  status =
      NtQuerySymbolicLinkObject(symbolic_link, &target_path, &target_length);
  if (status != STATUS_BUFFER_TOO_SMALL) {
    CHECK(NT_SUCCESS(NtClose(symbolic_link)));
    return status;
  }

  target_path.Length = 0;
  target_path.MaximumLength = static_cast<USHORT>(target_length);
  target_path.Buffer = new wchar_t[target_path.MaximumLength + 1];
  status =
      NtQuerySymbolicLinkObject(symbolic_link, &target_path, &target_length);
  if (NT_SUCCESS(status))
    target->assign(target_path.Buffer, target_length);

  CHECK(NT_SUCCESS(NtClose(symbolic_link)));
  delete[] target_path.Buffer;
  return status;
}

NTSTATUS GetBaseNamedObjectsDirectory(HANDLE* directory) {
  static HANDLE base_named_objects_handle = nullptr;
  if (base_named_objects_handle) {
    *directory = base_named_objects_handle;
    return STATUS_SUCCESS;
  }

  NtOpenDirectoryObjectFunction NtOpenDirectoryObject = nullptr;
  ResolveNTFunctionPtr("NtOpenDirectoryObject", &NtOpenDirectoryObject);

  DWORD session_id = 0;
  ProcessIdToSessionId(::GetCurrentProcessId(), &session_id);

  std::wstring base_named_objects_path;

  NTSTATUS status = ResolveSymbolicLink(L"\\Sessions\\BNOLINKS",
                                        base::StringPrintf(L"%d", session_id),
                                        &base_named_objects_path);
  if (!NT_SUCCESS(status)) {
    DLOG(ERROR) << "Failed to resolve BaseNamedObjects path. Error: " << status;
    return status;
  }

  UNICODE_STRING directory_name = {};
  OBJECT_ATTRIBUTES object_attributes = {};
  InitObjectAttribs(base_named_objects_path, OBJ_CASE_INSENSITIVE, nullptr,
                    &object_attributes, &directory_name, nullptr);
  status = NtOpenDirectoryObject(&base_named_objects_handle,
                                 DIRECTORY_ALL_ACCESS, &object_attributes);
  if (NT_SUCCESS(status))
    *directory = base_named_objects_handle;
  return status;
}

bool SyncPolicy::GenerateRules(const wchar_t* name,
                               TargetPolicy::Semantics semantics,
                               LowLevelPolicy* policy) {
  std::wstring mod_name(name);
  if (mod_name.empty()) {
    return false;
  }

  if (TargetPolicy::EVENTS_ALLOW_ANY != semantics &&
      TargetPolicy::EVENTS_ALLOW_READONLY != semantics) {
    // Other flags are not valid for sync policy yet.
    NOTREACHED();
    return false;
  }

  // Add the open rule.
  EvalResult result = ASK_BROKER;
  PolicyRule open(result);

  if (!open.AddStringMatch(IF, OpenEventParams::NAME, name, CASE_INSENSITIVE))
    return false;

  if (TargetPolicy::EVENTS_ALLOW_READONLY == semantics) {
    // We consider all flags that are not known to be readonly as potentially
    // used for write.
    uint32_t allowed_flags = SYNCHRONIZE | GENERIC_READ | READ_CONTROL;
    uint32_t restricted_flags = ~allowed_flags;
    open.AddNumberMatch(IF_NOT, OpenEventParams::ACCESS, restricted_flags, AND);
  }

  if (!policy->AddRule(IpcTag::OPENEVENT, &open))
    return false;

  // If it's not a read only, add the create rule.
  if (TargetPolicy::EVENTS_ALLOW_READONLY != semantics) {
    PolicyRule create(result);
    if (!create.AddStringMatch(IF, NameBased::NAME, name, CASE_INSENSITIVE))
      return false;

    if (!policy->AddRule(IpcTag::CREATEEVENT, &create))
      return false;
  }

  return true;
}

NTSTATUS SyncPolicy::CreateEventAction(EvalResult eval_result,
                                       const ClientInfo& client_info,
                                       const std::wstring& event_name,
                                       uint32_t event_type,
                                       uint32_t initial_state,
                                       HANDLE* handle) {
  NtCreateEventFunction NtCreateEvent = nullptr;
  ResolveNTFunctionPtr("NtCreateEvent", &NtCreateEvent);

  // The only action supported is ASK_BROKER which means create the requested
  // file as specified.
  if (ASK_BROKER != eval_result)
    return false;

  HANDLE object_directory = nullptr;
  NTSTATUS status = GetBaseNamedObjectsDirectory(&object_directory);
  if (status != STATUS_SUCCESS)
    return status;

  UNICODE_STRING unicode_event_name = {};
  OBJECT_ATTRIBUTES object_attributes = {};
  InitObjectAttribs(event_name, OBJ_CASE_INSENSITIVE, object_directory,
                    &object_attributes, &unicode_event_name, nullptr);

  HANDLE local_handle = nullptr;
  status = NtCreateEvent(&local_handle, EVENT_ALL_ACCESS, &object_attributes,
                         static_cast<EVENT_TYPE>(event_type),
                         static_cast<BOOLEAN>(initial_state != 0));
  if (!local_handle)
    return status;

  if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
                         client_info.process, handle, 0, false,
                         DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
    return STATUS_ACCESS_DENIED;
  }
  return status;
}

NTSTATUS SyncPolicy::OpenEventAction(EvalResult eval_result,
                                     const ClientInfo& client_info,
                                     const std::wstring& event_name,
                                     uint32_t desired_access,
                                     HANDLE* handle) {
  NtOpenEventFunction NtOpenEvent = nullptr;
  ResolveNTFunctionPtr("NtOpenEvent", &NtOpenEvent);

  // The only action supported is ASK_BROKER which means create the requested
  // event as specified.
  if (ASK_BROKER != eval_result)
    return false;

  HANDLE object_directory = nullptr;
  NTSTATUS status = GetBaseNamedObjectsDirectory(&object_directory);
  if (status != STATUS_SUCCESS)
    return status;

  UNICODE_STRING unicode_event_name = {};
  OBJECT_ATTRIBUTES object_attributes = {};
  InitObjectAttribs(event_name, OBJ_CASE_INSENSITIVE, object_directory,
                    &object_attributes, &unicode_event_name, nullptr);

  HANDLE local_handle = nullptr;
  status = NtOpenEvent(&local_handle, desired_access, &object_attributes);
  if (!local_handle)
    return status;

  if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
                         client_info.process, handle, 0, false,
                         DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
    return STATUS_ACCESS_DENIED;
  }
  return status;
}

}  // namespace sandbox