diff options
| author | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2016-09-14 16:52:41 +0200 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2016-09-14 14:57:58 +0000 |
| commit | 1ca3e7634f3989aec9631cfbcfd5a46bde4ebf24 (patch) | |
| tree | c9faa91be97094e1451ae126819a3672bd7358de /chromium/sandbox | |
| parent | e20ba3c57b50674f625b5088faa0fe9a076c0617 (diff) | |
| download | qtwebengine-chromium-1ca3e7634f3989aec9631cfbcfd5a46bde4ebf24.tar.gz | |
BASELINE: Update Chromium to 53.0.2785.117
Change-Id: Ie4ea15fc770a1973f58739ce99df06c98d3dda79
Reviewed-by: Michael BrĂ¼ning <michael.bruning@qt.io>
Diffstat (limited to 'chromium/sandbox')
| -rw-r--r-- | chromium/sandbox/win/sandbox_poc/main_ui_window.cc | 8 | ||||
| -rw-r--r-- | chromium/sandbox/win/src/broker_services.cc | 33 | ||||
| -rw-r--r-- | chromium/sandbox/win/src/broker_services.h | 2 | ||||
| -rw-r--r-- | chromium/sandbox/win/src/policy_target_test.cc | 21 | ||||
| -rw-r--r-- | chromium/sandbox/win/src/sandbox.h | 7 | ||||
| -rw-r--r-- | chromium/sandbox/win/src/target_process.cc | 53 | ||||
| -rw-r--r-- | chromium/sandbox/win/src/target_process.h | 9 |
7 files changed, 80 insertions, 53 deletions
diff --git a/chromium/sandbox/win/sandbox_poc/main_ui_window.cc b/chromium/sandbox/win/sandbox_poc/main_ui_window.cc index c000ce13d00..4ca6b07f25a 100644 --- a/chromium/sandbox/win/sandbox_poc/main_ui_window.cc +++ b/chromium/sandbox/win/sandbox_poc/main_ui_window.cc @@ -513,9 +513,11 @@ bool MainUIWindow::SpawnTarget() { policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, sandbox::TargetPolicy::FILES_ALLOW_ANY, dll_path_.c_str()); - sandbox::ResultCode result = broker_->SpawnTarget(spawn_target_.c_str(), - arguments, policy, - &target_); + sandbox::ResultCode warning_result = sandbox::SBOX_ALL_OK; + DWORD last_error = ERROR_SUCCESS; + sandbox::ResultCode result = + broker_->SpawnTarget(spawn_target_.c_str(), arguments, policy, + &warning_result, &last_error, &target_); policy->Release(); policy = NULL; diff --git a/chromium/sandbox/win/src/broker_services.cc b/chromium/sandbox/win/src/broker_services.cc index 1339abffb6e..64a0afeca31 100644 --- a/chromium/sandbox/win/src/broker_services.cc +++ b/chromium/sandbox/win/src/broker_services.cc @@ -37,13 +37,9 @@ bool AssociateCompletionPort(HANDLE job, HANDLE port, void* key) { // Utility function to do the cleanup necessary when something goes wrong // while in SpawnTarget and we must terminate the target process. -sandbox::ResultCode SpawnCleanup(sandbox::TargetProcess* target, DWORD error) { - if (0 == error) - error = ::GetLastError(); - +sandbox::ResultCode SpawnCleanup(sandbox::TargetProcess* target) { target->Terminate(); delete target; - ::SetLastError(error); return sandbox::SBOX_ERROR_GENERIC; } @@ -273,6 +269,8 @@ DWORD WINAPI BrokerServicesBase::TargetEventsThread(PVOID param) { ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path, const wchar_t* command_line, TargetPolicy* policy, + ResultCode* last_warning, + DWORD* last_error, PROCESS_INFORMATION* target_info) { if (!exe_path) return SBOX_ERROR_BAD_PARAMS; @@ -286,6 +284,7 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path, // the child process. static DWORD thread_id = ::GetCurrentThreadId(); DCHECK(thread_id == ::GetCurrentThreadId()); + *last_warning = SBOX_ALL_OK; AutoLock lock(&lock_); @@ -303,6 +302,11 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path, policy_base->MakeTokens(&initial_token, &lockdown_token, &lowbox_token); if (SBOX_ALL_OK != result) return result; + if (lowbox_token.IsValid() && + base::win::GetVersion() < base::win::VERSION_WIN8) { + // We don't allow lowbox_token below Windows 8. + return SBOX_ERROR_BAD_PARAMS; + } base::win::ScopedHandle job; result = policy_base->MakeJobObject(&job); @@ -407,22 +411,31 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path, base::win::ScopedProcessInformation process_info; TargetProcess* target = new TargetProcess(std::move(initial_token), std::move(lockdown_token), - std::move(lowbox_token), job.Get(), thread_pool_); + job.Get(), thread_pool_); - DWORD win_result; result = target->Create(exe_path, command_line, inherit_handles, startup_info, - &process_info, &win_result); + &process_info, last_error); if (result != SBOX_ALL_OK) { - SpawnCleanup(target, win_result); + SpawnCleanup(target); return result; } + if (lowbox_token.IsValid()) { + *last_warning = target->AssignLowBoxToken(lowbox_token); + // If this fails we continue, but report the error as a warning. + // This is due to certain configurations causing the setting of the + // token to fail post creation, and we'd rather continue if possible. + if (*last_warning != SBOX_ALL_OK) + *last_error = ::GetLastError(); + } + // Now the policy is the owner of the target. result = policy_base->AddTarget(target); if (result != SBOX_ALL_OK) { - SpawnCleanup(target, 0); + *last_error = ::GetLastError(); + SpawnCleanup(target); return result; } diff --git a/chromium/sandbox/win/src/broker_services.h b/chromium/sandbox/win/src/broker_services.h index 22e83b116e3..555f52bb47f 100644 --- a/chromium/sandbox/win/src/broker_services.h +++ b/chromium/sandbox/win/src/broker_services.h @@ -49,6 +49,8 @@ class BrokerServicesBase final : public BrokerServices, ResultCode SpawnTarget(const wchar_t* exe_path, const wchar_t* command_line, TargetPolicy* policy, + ResultCode* last_warning, + DWORD* last_error, PROCESS_INFORMATION* target) override; ResultCode WaitForAllTargets() override; diff --git a/chromium/sandbox/win/src/policy_target_test.cc b/chromium/sandbox/win/src/policy_target_test.cc index 71054abd3d5..e6a8ff3ed0e 100644 --- a/chromium/sandbox/win/src/policy_target_test.cc +++ b/chromium/sandbox/win/src/policy_target_test.cc @@ -238,14 +238,17 @@ TEST(PolicyTargetTest, DesktopPolicy) { // Launch the app. ResultCode result = SBOX_ALL_OK; + ResultCode warning_result = SBOX_ALL_OK; + DWORD last_error = ERROR_SUCCESS; base::win::ScopedProcessInformation target; TargetPolicy* policy = broker->CreatePolicy(); policy->SetAlternateDesktop(false); policy->SetTokenLevel(USER_INTERACTIVE, USER_LOCKDOWN); PROCESS_INFORMATION temp_process_info = {}; - result = broker->SpawnTarget(prog_name, arguments.c_str(), policy, - &temp_process_info); + result = + broker->SpawnTarget(prog_name, arguments.c_str(), policy, &warning_result, + &last_error, &temp_process_info); base::string16 desktop_name = policy->GetAlternateDesktop(); policy->Release(); @@ -302,14 +305,17 @@ TEST(PolicyTargetTest, WinstaPolicy) { // Launch the app. ResultCode result = SBOX_ALL_OK; + ResultCode warning_result = SBOX_ALL_OK; base::win::ScopedProcessInformation target; TargetPolicy* policy = broker->CreatePolicy(); policy->SetAlternateDesktop(true); policy->SetTokenLevel(USER_INTERACTIVE, USER_LOCKDOWN); PROCESS_INFORMATION temp_process_info = {}; - result = broker->SpawnTarget(prog_name, arguments.c_str(), policy, - &temp_process_info); + DWORD last_error = ERROR_SUCCESS; + result = + broker->SpawnTarget(prog_name, arguments.c_str(), policy, &warning_result, + &last_error, &temp_process_info); base::string16 desktop_name = policy->GetAlternateDesktop(); policy->Release(); @@ -382,12 +388,15 @@ TEST(PolicyTargetTest, ShareHandleTest) { // Launch the app. ResultCode result = SBOX_ALL_OK; + ResultCode warning_result = SBOX_ALL_OK; base::win::ScopedProcessInformation target; policy->SetTokenLevel(USER_INTERACTIVE, USER_LOCKDOWN); PROCESS_INFORMATION temp_process_info = {}; - result = broker->SpawnTarget(prog_name, arguments.c_str(), policy, - &temp_process_info); + DWORD last_error = ERROR_SUCCESS; + result = + broker->SpawnTarget(prog_name, arguments.c_str(), policy, &warning_result, + &last_error, &temp_process_info); policy->Release(); EXPECT_EQ(SBOX_ALL_OK, result); diff --git a/chromium/sandbox/win/src/sandbox.h b/chromium/sandbox/win/src/sandbox.h index fd9cd66b1a7..029868d4a7f 100644 --- a/chromium/sandbox/win/src/sandbox.h +++ b/chromium/sandbox/win/src/sandbox.h @@ -67,6 +67,11 @@ class BrokerServices { // process. This can be null if the exe_path parameter is not null. // policy: This is the pointer to the policy object for the sandbox to // be created. + // last_warning: The argument will contain an indication on whether + // the process security was initialized completely, Only set if the + // process can be used without a serious compromise in security. + // last_error: If an error or warning is returned from this method this + // parameter will hold the last Win32 error value. // target: returns the resulting target process information such as process // handle and PID just as if CreateProcess() had been called. The caller is // responsible for closing the handles returned in this structure. @@ -75,6 +80,8 @@ class BrokerServices { virtual ResultCode SpawnTarget(const wchar_t* exe_path, const wchar_t* command_line, TargetPolicy* policy, + ResultCode* last_warning, + DWORD* last_error, PROCESS_INFORMATION* target) = 0; // This call blocks (waits) for all the targets to terminate. diff --git a/chromium/sandbox/win/src/target_process.cc b/chromium/sandbox/win/src/target_process.cc index 7e09171e27a..7fddffb4c41 100644 --- a/chromium/sandbox/win/src/target_process.cc +++ b/chromium/sandbox/win/src/target_process.cc @@ -72,7 +72,6 @@ void* GetBaseAddress(const wchar_t* exe_name, void* entry_point) { TargetProcess::TargetProcess(base::win::ScopedHandle initial_token, base::win::ScopedHandle lockdown_token, - base::win::ScopedHandle lowbox_token, HANDLE job, ThreadProvider* thread_pool) // This object owns everything initialized here except thread_pool and @@ -80,7 +79,6 @@ TargetProcess::TargetProcess(base::win::ScopedHandle initial_token, // eventually in a call to our dtor. : lockdown_token_(std::move(lockdown_token)), initial_token_(std::move(initial_token)), - lowbox_token_(std::move(lowbox_token)), job_(job), thread_pool_(thread_pool), base_address_(NULL) {} @@ -126,12 +124,6 @@ ResultCode TargetProcess::Create( const base::win::StartupInformation& startup_info, base::win::ScopedProcessInformation* target_info, DWORD* win_error) { - if (lowbox_token_.IsValid() && - base::win::GetVersion() < base::win::VERSION_WIN8) { - // We don't allow lowbox_token below Windows 8. - return SBOX_ERROR_BAD_PARAMS; - } - exe_name_.reset(_wcsdup(exe_path)); // the command line needs to be writable by CreateProcess(). @@ -212,25 +204,6 @@ ResultCode TargetProcess::Create( return SBOX_ERROR_DUPLICATE_TARGET_INFO; } - if (lowbox_token_.IsValid()) { - PROCESS_ACCESS_TOKEN process_access_token; - process_access_token.thread = process_info.thread_handle(); - process_access_token.token = lowbox_token_.Get(); - - NtSetInformationProcess SetInformationProcess = NULL; - ResolveNTFunctionPtr("NtSetInformationProcess", &SetInformationProcess); - - NTSTATUS status = SetInformationProcess( - process_info.process_handle(), - static_cast<PROCESS_INFORMATION_CLASS>(NtProcessInformationAccessToken), - &process_access_token, sizeof(process_access_token)); - if (!NT_SUCCESS(status)) { - *win_error = GetLastErrorFromNtStatus(status); - ::TerminateProcess(process_info.process_handle(), 0); // exit code - return SBOX_ERROR_SET_LOW_BOX_TOKEN; - } - } - base_address_ = GetBaseAddress(exe_path, entry_point); sandbox_process_info_.Set(process_info.Take()); return SBOX_ALL_OK; @@ -362,10 +335,30 @@ void TargetProcess::Terminate() { ::TerminateProcess(sandbox_process_info_.process_handle(), 0); } +ResultCode TargetProcess::AssignLowBoxToken( + const base::win::ScopedHandle& token) { + if (!token.IsValid()) + return SBOX_ALL_OK; + PROCESS_ACCESS_TOKEN process_access_token = {}; + process_access_token.token = token.Get(); + + NtSetInformationProcess SetInformationProcess = NULL; + ResolveNTFunctionPtr("NtSetInformationProcess", &SetInformationProcess); + + NTSTATUS status = SetInformationProcess( + sandbox_process_info_.process_handle(), + static_cast<PROCESS_INFORMATION_CLASS>(NtProcessInformationAccessToken), + &process_access_token, sizeof(process_access_token)); + if (!NT_SUCCESS(status)) { + ::SetLastError(GetLastErrorFromNtStatus(status)); + return SBOX_ERROR_SET_LOW_BOX_TOKEN; + } + return SBOX_ALL_OK; +} + TargetProcess* MakeTestTargetProcess(HANDLE process, HMODULE base_address) { - TargetProcess* target = - new TargetProcess(base::win::ScopedHandle(), base::win::ScopedHandle(), - base::win::ScopedHandle(), NULL, NULL); + TargetProcess* target = new TargetProcess( + base::win::ScopedHandle(), base::win::ScopedHandle(), NULL, NULL); PROCESS_INFORMATION process_info = {}; process_info.hProcess = process; target->sandbox_process_info_.Set(process_info); diff --git a/chromium/sandbox/win/src/target_process.h b/chromium/sandbox/win/src/target_process.h index 384f2c18bc1..70b7b32c30e 100644 --- a/chromium/sandbox/win/src/target_process.h +++ b/chromium/sandbox/win/src/target_process.h @@ -40,7 +40,6 @@ class TargetProcess { // and |lowbox_token|. TargetProcess(base::win::ScopedHandle initial_token, base::win::ScopedHandle lockdown_token, - base::win::ScopedHandle lowbox_token, HANDLE job, ThreadProvider* thread_pool); ~TargetProcess(); @@ -60,6 +59,11 @@ class TargetProcess { base::win::ScopedProcessInformation* target_info, DWORD* win_error); + // Assign a new lowbox token to the process post creation. The process + // must still be in its initial suspended state, however this still + // might fail in the presence of third-party software. + ResultCode AssignLowBoxToken(const base::win::ScopedHandle& token); + // Destroys the target process. void Terminate(); @@ -114,9 +118,6 @@ class TargetProcess { // The token given to the initial thread so that the target process can // start. It has more powers than the lockdown_token. base::win::ScopedHandle initial_token_; - // The lowbox token associated with the process. This token is set after the - // process creation. - base::win::ScopedHandle lowbox_token_; // Kernel handle to the shared memory used by the IPC server. base::win::ScopedHandle shared_section_; // Job object containing the target process. |