author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2022-02-04 17:20:24 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2022-02-12 08:15:25 +0000 |
commit | 8fa0776f1f79e91fc9c0b9c1ba11a0a29c05196b (patch) | |
tree | 788d8d7549712682703a0310ca4a0f0860d4802b /chromium/sandbox/win/src/sandbox_policy_base.cc | |
parent | 606d85f2a5386472314d39923da28c70c60dc8e7 (diff) | |
download | qtwebengine-chromium-8fa0776f1f79e91fc9c0b9c1ba11a0a29c05196b.tar.gz |
BASELINE: Update Chromium to 98.0.4758.90
Change-Id: Ib7c41539bf8a8e0376bd639f27d68294de90f3c8
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/sandbox/win/src/sandbox_policy_base.cc')
-rw-r--r-- | chromium/sandbox/win/src/sandbox_policy_base.cc | 63 |
1 files changed, 16 insertions, 47 deletions
diff --git a/chromium/sandbox/win/src/sandbox_policy_base.cc b/chromium/sandbox/win/src/sandbox_policy_base.cc
index 82950693ddb..580968c1ef1 100644
--- a/chromium/sandbox/win/src/sandbox_policy_base.cc
+++ b/chromium/sandbox/win/src/sandbox_policy_base.cc
@@ -12,10 +12,11 @@
 
 #include "base/callback.h"
 #include "base/logging.h"
-#include "base/macros.h"
+#include "base/win/sid.h"
 #include "base/win/win_util.h"
 #include "base/win/windows_version.h"
 #include "sandbox/win/src/acl.h"
+#include "sandbox/win/src/crosscall_server.h"
 #include "sandbox/win/src/filesystem_policy.h"
 #include "sandbox/win/src/interception.h"
 #include "sandbox/win/src/job.h"
@@ -26,14 +27,12 @@
 #include "sandbox/win/src/process_mitigations.h"
 #include "sandbox/win/src/process_mitigations_win32k_policy.h"
 #include "sandbox/win/src/process_thread_policy.h"
-#include "sandbox/win/src/registry_policy.h"
 #include "sandbox/win/src/restricted_token_utils.h"
 #include "sandbox/win/src/sandbox_policy.h"
 #include "sandbox/win/src/sandbox_policy_diagnostic.h"
 #include "sandbox/win/src/sandbox_utils.h"
 #include "sandbox/win/src/security_capabilities.h"
 #include "sandbox/win/src/signed_policy.h"
-#include "sandbox/win/src/sync_policy.h"
 #include "sandbox/win/src/target_process.h"
 #include "sandbox/win/src/top_level_dispatcher.h"
 #include "sandbox/win/src/window.h"
@@ -112,15 +111,12 @@ PolicyBase::PolicyBase()
       add_restricting_random_sid_(false),
       effective_token_(nullptr),
       allow_no_sandbox_job_(false) {
-  ::InitializeCriticalSection(&lock_);
   dispatcher_ = std::make_unique<TopLevelDispatcher>(this);
 }
 
 PolicyBase::~PolicyBase() {
   delete policy_maker_;
   delete policy_;
-
-  ::DeleteCriticalSection(&lock_);
 }
 
 void PolicyBase::AddRef() {
@@ -424,16 +420,17 @@ ResultCode PolicyBase::DropActiveProcessLimit(base::win::ScopedHandle* job) {
 ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial,
                                   base::win::ScopedHandle* lockdown,
                                   base::win::ScopedHandle* lowbox) {
-  Sid random_sid = Sid::GenerateRandomSid();
-  PSID random_sid_ptr = nullptr;
-  if (add_restricting_random_sid_)
-    random_sid_ptr = random_sid.GetPSID();
+  absl::optional<base::win::Sid> random_sid =
+      add_restricting_random_sid_ ? base::win::Sid::GenerateRandomSid()
+                                  : absl::nullopt;
+  if (add_restricting_random_sid_ && !random_sid)
+    return SBOX_ERROR_CANNOT_CREATE_RESTRICTED_TOKEN;
 
   // Create the 'naked' token. This will be the permanent token associated
   // with the process and therefore with any thread that is not impersonating.
   DWORD result = CreateRestrictedToken(
       effective_token_, lockdown_level_, integrity_level_, PRIMARY,
-      lockdown_default_dacl_, random_sid_ptr, lockdown);
+      lockdown_default_dacl_, random_sid, lockdown);
   if (ERROR_SUCCESS != result)
     return SBOX_ERROR_CANNOT_CREATE_RESTRICTED_TOKEN;
 
@@ -457,9 +454,8 @@ ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial,
   }
   // If the desktop_handle hasn't been created for any reason, skip this.
   if (desktop_handle && desktop_integrity_level_label < integrity_level_) {
-    result =
-        SetObjectIntegrityLabel(desktop_handle, SE_WINDOW_OBJECT, L"",
-                                GetIntegrityLevelString(integrity_level_));
+    result = SetObjectIntegrityLabel(
+        desktop_handle, SecurityObjectType::kWindow, 0, integrity_level_);
     if (ERROR_SUCCESS != result)
       return SBOX_ERROR_CANNOT_SET_DESKTOP_INTEGRITY;
 
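Review bot: The new early return at `if (add_restricting_random_sid_ && !random_sid)` reports a failed random-SID generation with the same code, SBOX_ERROR_CANNOT_CREATE_RESTRICTED_TOKEN, that the CreateRestrictedToken failure a few lines below uses, so a caller or log cannot tell which of the two steps failed, and the fail-closed intent of the check is undocumented. I would add above the check: `// Fail closed: the policy asked for a restricting SID, and proceeding without one would hand the target a less restricted token than requested.` If the sandbox result enum already has a distinct code for SID or ACL construction failures, returning that here instead would keep the diagnostics precise; the enum is not visible from this hunk. MakeTokens continues past the hunk.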
@@ -483,9 +479,9 @@ ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial,
   // Create the 'better' token. We use this token as the one that the main
   // thread uses when booting up the process. It should contain most of
   // what we need (before reaching main( ))
-  result = CreateRestrictedToken(
-      effective_token_, initial_level_, integrity_level_, IMPERSONATION,
-      lockdown_default_dacl_, random_sid_ptr, initial);
+  result = CreateRestrictedToken(effective_token_, initial_level_,
+                                 integrity_level_, IMPERSONATION,
+                                 lockdown_default_dacl_, random_sid, initial);
   if (ERROR_SUCCESS != result)
     return SBOX_ERROR_CANNOT_CREATE_RESTRICTED_IMP_TOKEN;
 
@@ -541,13 +537,13 @@ ResultCode PolicyBase::AddTarget(std::unique_ptr<TargetProcess> target) {
   if (SBOX_ALL_OK != ret)
     return ret;
 
-  AutoLock lock(&lock_);
+  base::AutoLock lock(lock_);
   targets_.push_back(std::move(target));
   return SBOX_ALL_OK;
 }
 
 bool PolicyBase::OnJobEmpty(HANDLE job) {
-  AutoLock lock(&lock_);
+  base::AutoLock lock(lock_);
   targets_.erase(
       std::remove_if(targets_.begin(), targets_.end(),
                      [&](auto&& p) -> bool { return p->Job() == job; }),
@@ -556,7 +552,7 @@ bool PolicyBase::OnJobEmpty(HANDLE job) {
 }
 
 bool PolicyBase::OnProcessFinished(DWORD process_id) {
-  AutoLock lock(&lock_);
+  base::AutoLock lock(lock_);
   targets_.erase(std::remove_if(targets_.begin(), targets_.end(),
                                 [&](auto&& p) -> bool {
                                   return p->ProcessId() == process_id;
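Review bot: The three `base::AutoLock lock(lock_);` lines in AddTarget, OnJobEmpty and OnProcessFinished now guard `targets_` with a base::Lock, but nothing in the diff makes that invariant enforceable; base::Lock supports Clang thread-safety annotations, so the header (not part of this diff) should declare the container as `std::vector<std::unique_ptr<TargetProcess>> targets_ GUARDED_BY(lock_);` (assuming that is its declared type) so any future read or erase of targets_ outside a locked section is a compile error rather than a race. I would also add a one-line comment on the member, `// Protected by lock_: mutated from job/process completion callbacks.` The bodies of OnJobEmpty and OnProcessFinished continue past the hunk, so I cannot confirm no unlocked access follows the erase.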
@@ -715,26 +711,6 @@ ResultCode PolicyBase::AddRuleInternal(SubSystem subsystem,
       }
       break;
     }
-    case SUBSYS_SYNC: {
-      if (!SyncPolicy::GenerateRules(pattern, semantics, policy_maker_)) {
-        NOTREACHED();
-        return SBOX_ERROR_BAD_PARAMS;
-      }
-      break;
-    }
-    case SUBSYS_PROCESS: {
-      if (lockdown_level_ < USER_INTERACTIVE &&
-          TargetPolicy::PROCESS_ALL_EXEC == semantics) {
-        // This is unsupported. This is a huge security risk to give full access
-        // to a process handle.
-        return SBOX_ERROR_UNSUPPORTED;
-      }
-      if (!ProcessPolicy::GenerateRules(pattern, semantics, policy_maker_)) {
-        NOTREACHED();
-        return SBOX_ERROR_BAD_PARAMS;
-      }
-      break;
-    }
     case SUBSYS_NAMED_PIPES: {
       if (!NamedPipePolicy::GenerateRules(pattern, semantics, policy_maker_)) {
         NOTREACHED();
@@ -742,13 +718,6 @@ ResultCode PolicyBase::AddRuleInternal(SubSystem subsystem,
       }
       break;
     }
-    case SUBSYS_REGISTRY: {
-      if (!RegistryPolicy::GenerateRules(pattern, semantics, policy_maker_)) {
-        NOTREACHED();
-        return SBOX_ERROR_BAD_PARAMS;
-      }
-      break;
-    }
     case SUBSYS_WIN32K_LOCKDOWN: {
       // Win32k intercept rules only supported on Windows 8 and above. This must
       // match the version checks in process_mitigations.cc for consistency. |