authorAllan Sandfeld Jensen <allan.jensen@qt.io>2021-09-03 13:32:17 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2021-10-01 14:31:55 +0200
commit21ba0c5d4bf8fba15dddd97cd693bad2358b77fd (patch)
tree91be119f694044dfc1ff9fdc054459e925de9df0 /chromium/sandbox
parent03c549e0392f92c02536d3f86d5e1d8dfa3435ac (diff)
downloadqtwebengine-chromium-21ba0c5d4bf8fba15dddd97cd693bad2358b77fd.tar.gz
BASELINE: Update Chromium to 92.0.4515.166
Change-Id: I42a050486714e9e54fc271f2a8939223a02ae364
Diffstat (limited to 'chromium/sandbox')
-rw-r--r--chromium/sandbox/DIR_METADATA4
-rw-r--r--chromium/sandbox/linux/bpf_dsl/bpf_dsl_impl.h2
-rw-r--r--chromium/sandbox/linux/integration_tests/bpf_dsl_seccomp_unittest.cc7
-rw-r--r--chromium/sandbox/linux/seccomp-bpf/syscall_unittest.cc2
-rw-r--r--chromium/sandbox/linux/services/credentials_unittest.cc21
-rw-r--r--chromium/sandbox/linux/services/libc_interceptor.cc2
-rw-r--r--chromium/sandbox/linux/services/libc_interceptor.h2
-rw-r--r--chromium/sandbox/linux/suid/client/setuid_sandbox_host.cc2
-rw-r--r--chromium/sandbox/linux/suid/common/sandbox.h6
-rw-r--r--chromium/sandbox/linux/suid/sandbox.c4
-rw-r--r--chromium/sandbox/linux/syscall_broker/broker_simple_message_unittest.cc1
-rw-r--r--chromium/sandbox/linux/syscall_broker/remote_syscall_arg_handler.cc2
-rw-r--r--chromium/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc3
-rw-r--r--chromium/sandbox/linux/system_headers/capability.h6
-rw-r--r--chromium/sandbox/linux/system_headers/i386_linux_ucontext.h6
-rw-r--r--chromium/sandbox/mac/sandbox_logging.h6
-rw-r--r--chromium/sandbox/mac/seatbelt_sandbox_design.md4
-rw-r--r--chromium/sandbox/policy/BUILD.gn12
-rw-r--r--chromium/sandbox/policy/DEPS2
-rw-r--r--chromium/sandbox/policy/fuchsia/sandbox_policy_fuchsia.cc51
-rw-r--r--chromium/sandbox/policy/fuchsia/sandbox_policy_fuchsia.h9
-rw-r--r--chromium/sandbox/policy/linux/bpf_libassistant_policy_linux.cc40
-rw-r--r--chromium/sandbox/policy/linux/bpf_libassistant_policy_linux.h28
-rw-r--r--chromium/sandbox/policy/linux/sandbox_linux.h2
-rw-r--r--chromium/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc17
-rw-r--r--chromium/sandbox/policy/mac/BUILD.gn51
-rwxr-xr-xchromium/sandbox/policy/mac/generate_params.py88
-rw-r--r--chromium/sandbox/policy/mac/mirroring.sb11
-rw-r--r--chromium/sandbox/policy/mac/sandbox_mac.h40
-rw-r--r--chromium/sandbox/policy/mac/sandbox_mac.mm27
-rw-r--r--chromium/sandbox/policy/sandbox_type.cc45
-rw-r--r--chromium/sandbox/policy/sandbox_type.h21
-rw-r--r--chromium/sandbox/policy/sandbox_type_unittest.cc3
-rw-r--r--chromium/sandbox/policy/switches.cc10
-rw-r--r--chromium/sandbox/policy/switches.h14
-rw-r--r--chromium/sandbox/policy/win/sandbox_win.cc94
-rw-r--r--chromium/sandbox/policy/win/sandbox_win_unittest.cc38
-rw-r--r--chromium/sandbox/win/BUILD.gn31
-rw-r--r--chromium/sandbox/win/sandbox_poc/main_ui_window.h6
-rw-r--r--chromium/sandbox/win/sandbox_poc/pocdll/exports.h6
-rw-r--r--chromium/sandbox/win/sandbox_poc/pocdll/ntundoc.h6
-rw-r--r--chromium/sandbox/win/sandbox_poc/pocdll/utils.h6
-rw-r--r--chromium/sandbox/win/sandbox_poc/sandbox.h6
-rw-r--r--chromium/sandbox/win/src/acl.h6
-rw-r--r--chromium/sandbox/win/src/app_container.h (renamed from chromium/sandbox/win/src/app_container_profile.h)12
-rw-r--r--chromium/sandbox/win/src/app_container_base.cc (renamed from chromium/sandbox/win/src/app_container_profile_base.cc)140
-rw-r--r--chromium/sandbox/win/src/app_container_base.h (renamed from chromium/sandbox/win/src/app_container_profile_base.h)37
-rw-r--r--chromium/sandbox/win/src/app_container_test.cc159
-rw-r--r--chromium/sandbox/win/src/app_container_unittest.cc149
-rw-r--r--chromium/sandbox/win/src/broker_services.cc25
-rw-r--r--chromium/sandbox/win/src/crosscall_client.h6
-rw-r--r--chromium/sandbox/win/src/crosscall_params.h8
-rw-r--r--chromium/sandbox/win/src/crosscall_server.h6
-rw-r--r--chromium/sandbox/win/src/eat_resolver.h6
-rw-r--r--chromium/sandbox/win/src/filesystem_dispatcher.h6
-rw-r--r--chromium/sandbox/win/src/filesystem_policy.h6
-rw-r--r--chromium/sandbox/win/src/handle_closer.h6
-rw-r--r--chromium/sandbox/win/src/handle_closer_agent.h6
-rw-r--r--chromium/sandbox/win/src/interception.cc2
-rw-r--r--chromium/sandbox/win/src/interception.h6
-rw-r--r--chromium/sandbox/win/src/interception_agent.h6
-rw-r--r--chromium/sandbox/win/src/interception_internal.h6
-rw-r--r--chromium/sandbox/win/src/interceptors.h6
-rw-r--r--chromium/sandbox/win/src/ipc_leak_test.cc2
-rw-r--r--chromium/sandbox/win/src/ipc_tags.h6
-rw-r--r--chromium/sandbox/win/src/job.h6
-rw-r--r--chromium/sandbox/win/src/named_pipe_dispatcher.h6
-rw-r--r--chromium/sandbox/win/src/named_pipe_policy.h6
-rw-r--r--chromium/sandbox/win/src/policy_broker.h6
-rw-r--r--chromium/sandbox/win/src/policy_engine_params.h6
-rw-r--r--chromium/sandbox/win/src/policy_engine_processor.h6
-rw-r--r--chromium/sandbox/win/src/policy_low_level.h6
-rw-r--r--chromium/sandbox/win/src/policy_params.h6
-rw-r--r--chromium/sandbox/win/src/process_mitigations.h6
-rw-r--r--chromium/sandbox/win/src/process_mitigations_win32k_dispatcher.h9
-rw-r--r--chromium/sandbox/win/src/process_mitigations_win32k_interception.h6
-rw-r--r--chromium/sandbox/win/src/process_mitigations_win32k_policy.h8
-rw-r--r--chromium/sandbox/win/src/process_mitigations_win32k_unittest.cc1
-rw-r--r--chromium/sandbox/win/src/process_thread_dispatcher.h6
-rw-r--r--chromium/sandbox/win/src/process_thread_policy.cc4
-rw-r--r--chromium/sandbox/win/src/process_thread_policy.h6
-rw-r--r--chromium/sandbox/win/src/registry_dispatcher.h6
-rw-r--r--chromium/sandbox/win/src/registry_policy.h6
-rw-r--r--chromium/sandbox/win/src/restricted_token.h6
-rw-r--r--chromium/sandbox/win/src/restricted_token_utils.h6
-rw-r--r--chromium/sandbox/win/src/sandbox.h5
-rw-r--r--chromium/sandbox/win/src/sandbox_constants.cc27
-rw-r--r--chromium/sandbox/win/src/sandbox_constants.h29
-rw-r--r--chromium/sandbox/win/src/sandbox_factory.h6
-rw-r--r--chromium/sandbox/win/src/sandbox_nt_types.h6
-rw-r--r--chromium/sandbox/win/src/sandbox_nt_util.h6
-rw-r--r--chromium/sandbox/win/src/sandbox_policy.h6
-rw-r--r--chromium/sandbox/win/src/sandbox_policy_base.cc69
-rw-r--r--chromium/sandbox/win/src/sandbox_policy_base.h10
-rw-r--r--chromium/sandbox/win/src/sandbox_policy_diagnostic.cc41
-rw-r--r--chromium/sandbox/win/src/sandbox_policy_diagnostic.h10
-rw-r--r--chromium/sandbox/win/src/sandbox_rand.h6
-rw-r--r--chromium/sandbox/win/src/sandbox_types.h8
-rw-r--r--chromium/sandbox/win/src/sandbox_utils.h6
-rw-r--r--chromium/sandbox/win/src/security_capabilities.h6
-rw-r--r--chromium/sandbox/win/src/security_level.h6
-rw-r--r--chromium/sandbox/win/src/service_resolver.h6
-rw-r--r--chromium/sandbox/win/src/sharedmem_ipc_client.h6
-rw-r--r--chromium/sandbox/win/src/sharedmem_ipc_server.h6
-rw-r--r--chromium/sandbox/win/src/sid.h6
-rw-r--r--chromium/sandbox/win/src/sidestep/mini_disassembler.h6
-rw-r--r--chromium/sandbox/win/src/sidestep/mini_disassembler_types.h6
-rw-r--r--chromium/sandbox/win/src/sidestep/preamble_patcher.h6
-rw-r--r--chromium/sandbox/win/src/sidestep_resolver.h6
-rw-r--r--chromium/sandbox/win/src/startup_information_helper.cc22
-rw-r--r--chromium/sandbox/win/src/startup_information_helper.h10
-rw-r--r--chromium/sandbox/win/src/sync_dispatcher.h6
-rw-r--r--chromium/sandbox/win/src/sync_policy.h6
-rw-r--r--chromium/sandbox/win/src/target_process.cc6
-rw-r--r--chromium/sandbox/win/src/target_services.h6
-rw-r--r--chromium/sandbox/win/src/threadpool.h6
-rw-r--r--chromium/sandbox/win/src/top_level_dispatcher.h6
-rw-r--r--chromium/sandbox/win/src/win_utils.h6
-rw-r--r--chromium/sandbox/win/src/window.h6
119 files changed, 1095 insertions, 754 deletions
diff --git a/chromium/sandbox/DIR_METADATA b/chromium/sandbox/DIR_METADATA
index 12ec3393f96..053acd72c78 100644
--- a/chromium/sandbox/DIR_METADATA
+++ b/chromium/sandbox/DIR_METADATA
@@ -1,10 +1,10 @@
# Metadata information for this directory.
#
# For more information on DIR_METADATA files, see:
-# https://source.chromium.org/chromium/infra/infra/+/master:go/src/infra/tools/dirmd/README.md
+# https://source.chromium.org/chromium/infra/infra/+/main:go/src/infra/tools/dirmd/README.md
#
# For the schema of this file, see Metadata message:
-# https://source.chromium.org/chromium/infra/infra/+/master:go/src/infra/tools/dirmd/proto/dir_metadata.proto
+# https://source.chromium.org/chromium/infra/infra/+/main:go/src/infra/tools/dirmd/proto/dir_metadata.proto
monorail {
component: "Internals>Sandbox"
diff --git a/chromium/sandbox/linux/bpf_dsl/bpf_dsl_impl.h b/chromium/sandbox/linux/bpf_dsl/bpf_dsl_impl.h
index f397321eddd..3633eb5e3cf 100644
--- a/chromium/sandbox/linux/bpf_dsl/bpf_dsl_impl.h
+++ b/chromium/sandbox/linux/bpf_dsl/bpf_dsl_impl.h
@@ -5,8 +5,6 @@
#ifndef SANDBOX_LINUX_BPF_DSL_BPF_DSL_IMPL_H_
#define SANDBOX_LINUX_BPF_DSL_BPF_DSL_IMPL_H_
-#include <memory>
-
#include "base/macros.h"
#include "sandbox/linux/bpf_dsl/codegen.h"
#include "sandbox/sandbox_export.h"
diff --git a/chromium/sandbox/linux/integration_tests/bpf_dsl_seccomp_unittest.cc b/chromium/sandbox/linux/integration_tests/bpf_dsl_seccomp_unittest.cc
index bc03be124b7..49937b519aa 100644
--- a/chromium/sandbox/linux/integration_tests/bpf_dsl_seccomp_unittest.cc
+++ b/chromium/sandbox/linux/integration_tests/bpf_dsl_seccomp_unittest.cc
@@ -391,7 +391,12 @@ class StackingPolicyPartTwo : public Policy {
DISALLOW_COPY_AND_ASSIGN(StackingPolicyPartTwo);
};
-BPF_TEST_C(SandboxBPF, StackingPolicy, StackingPolicyPartOne) {
+// Depending on DCHECK being enabled or not the test may create some output.
+// Therefore explicitly specify the death test to allow some noise.
+BPF_DEATH_TEST_C(SandboxBPF,
+ StackingPolicy,
+ DEATH_SUCCESS_ALLOW_NOISE(),
+ StackingPolicyPartOne) {
errno = 0;
BPF_ASSERT(syscall(__NR_getppid, 0) > 0);
BPF_ASSERT(errno == 0);
diff --git a/chromium/sandbox/linux/seccomp-bpf/syscall_unittest.cc b/chromium/sandbox/linux/seccomp-bpf/syscall_unittest.cc
index 40cc9548306..2bc6619a3e9 100644
--- a/chromium/sandbox/linux/seccomp-bpf/syscall_unittest.cc
+++ b/chromium/sandbox/linux/seccomp-bpf/syscall_unittest.cc
@@ -16,8 +16,8 @@
#include <vector>
+#include "base/memory/page_size.h"
#include "base/posix/eintr_wrapper.h"
-#include "base/process/process_metrics.h"
#include "base/stl_util.h"
#include "build/build_config.h"
#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
diff --git a/chromium/sandbox/linux/services/credentials_unittest.cc b/chromium/sandbox/linux/services/credentials_unittest.cc
index 7b47970ec12..745f8ca5f22 100644
--- a/chromium/sandbox/linux/services/credentials_unittest.cc
+++ b/chromium/sandbox/linux/services/credentials_unittest.cc
@@ -47,8 +47,22 @@ typedef std::unique_ptr<std::remove_reference<decltype(*((cap_t)0))>::type,
bool WorkingDirectoryIsRoot() {
char current_dir[PATH_MAX];
char* cwd = getcwd(current_dir, sizeof(current_dir));
- PCHECK(cwd);
- if (strcmp("/", cwd)) return false;
+
+ // Kernel commit 7bc3e6e55acf ("proc: Use a list of inodes to flush from
+ // proc"), present in 5.6 and later, changed how procfs inodes are cleaned up
+ // when a process exits. Credentials::DropFileSystemAccess() relies forking a
+ // child process which shares the same file system information (using
+ // clone(CLONE_FS)), and chroot()'ing to /proc/self/fdinfo/ in that process.
+ // However, when that child process exits, its procfs directories are
+ // unlinked, causing getcwd() to return ENOENT. getcwd() has been documented
+ // as returning ENOENT when the directory has been unlinked since at least
+ // 2004 (man-pages commit fea681daf).
+ if (cwd) {
+ if (strcmp("/", cwd))
+ return false;
+ } else {
+ PCHECK(errno == ENOENT);
+ }
// The current directory is the root. Add a few paranoid checks.
struct stat current;
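Review bot: In the new `else` branch at L216-L218 the function falls through to the "current directory is the root" path after confirming only `errno == ENOENT`, so when getcwd() fails the verdict rests entirely on the stat()-based checks that follow, which lie outside this hunk. That is consistent with the kernel-behaviour comment above it, but it reads as "ENOENT means root" unless the dependency is spelled out; a one-line comment inside the branch would do: `// The cwd was unlinked; rely solely on the stat()-based checks below.` WorkingDirectoryIsRoot() continues past the end of the hunk.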
@@ -147,7 +161,8 @@ SANDBOX_TEST(Credentials, CanDetectRoot) {
// Disabled on ASAN because of crbug.com/451603.
// Disabled on MSAN due to crbug.com/1180105
-SANDBOX_TEST(Credentials, DISABLE_ON_SANITIZERS(DropFileSystemAccessIsSafe)) {
+SANDBOX_TEST_ALLOW_NOISE(Credentials,
+ DISABLE_ON_SANITIZERS(DropFileSystemAccessIsSafe)) {
CHECK(Credentials::HasFileSystemAccess());
CHECK(Credentials::DropAllCapabilities());
// Probably missing kernel support.
diff --git a/chromium/sandbox/linux/services/libc_interceptor.cc b/chromium/sandbox/linux/services/libc_interceptor.cc
index 609605c2bcb..fd4ff9156a5 100644
--- a/chromium/sandbox/linux/services/libc_interceptor.cc
+++ b/chromium/sandbox/linux/services/libc_interceptor.cc
@@ -114,7 +114,7 @@ void WriteTimeStruct(base::Pickle* pickle, const struct tm& time) {
}
// See
-// https://chromium.googlesource.com/chromium/src/+/master/docs/linux/zygote.md
+// https://chromium.googlesource.com/chromium/src/+/main/docs/linux/zygote.md
void ProxyLocaltimeCallToBrowser(time_t input,
struct tm* output,
char* timezone_out,
diff --git a/chromium/sandbox/linux/services/libc_interceptor.h b/chromium/sandbox/linux/services/libc_interceptor.h
index a43460e11ab..8864f8736ef 100644
--- a/chromium/sandbox/linux/services/libc_interceptor.h
+++ b/chromium/sandbox/linux/services/libc_interceptor.h
@@ -32,7 +32,7 @@ namespace sandbox {
//
// Our replacement functions must handle both cases, and either proxy the call
// to the parent over the IPC back-channel (see
-// https://chromium.googlesource.com/chromium/src/+/master/docs/linux/sandbox_ipc.md)
+// https://chromium.googlesource.com/chromium/src/+/main/docs/linux/sandbox_ipc.md)
// or use dlsym with RTLD_NEXT to resolve the symbol, ignoring any symbols in
// the current module. Use SetAmZygoteOrRenderer() below to control the mode of
// operation, which defaults using the dlsym approach.
diff --git a/chromium/sandbox/linux/suid/client/setuid_sandbox_host.cc b/chromium/sandbox/linux/suid/client/setuid_sandbox_host.cc
index 0aaed76c1dd..f88c5077c6d 100644
--- a/chromium/sandbox/linux/suid/client/setuid_sandbox_host.cc
+++ b/chromium/sandbox/linux/suid/client/setuid_sandbox_host.cc
@@ -128,7 +128,7 @@ base::FilePath SetuidSandboxHost::GetSandboxBinaryPath() {
// In user-managed builds, including development builds, an environment
// variable is required to enable the sandbox. See
- // https://chromium.googlesource.com/chromium/src/+/master/docs/linux/suid_sandbox_development.md
+ // https://chromium.googlesource.com/chromium/src/+/main/docs/linux/suid_sandbox_development.md
struct stat st;
if (sandbox_binary.empty() && stat(base::kProcSelfExe, &st) == 0 &&
st.st_uid == getuid()) {
diff --git a/chromium/sandbox/linux/suid/common/sandbox.h b/chromium/sandbox/linux/suid/common/sandbox.h
index 52ef10cdc0f..423f31d75a6 100644
--- a/chromium/sandbox/linux/suid/common/sandbox.h
+++ b/chromium/sandbox/linux/suid/common/sandbox.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_LINUX_SUID_SANDBOX_H_
-#define SANDBOX_LINUX_SUID_SANDBOX_H_
+#ifndef SANDBOX_LINUX_SUID_COMMON_SANDBOX_H_
+#define SANDBOX_LINUX_SUID_COMMON_SANDBOX_H_
#if defined(__cplusplus)
namespace sandbox {
@@ -38,4 +38,4 @@ static const char kSandboxNETNSEnvironmentVarName[] = "SBX_NET_NS";
} // namespace sandbox
#endif
-#endif // SANDBOX_LINUX_SUID_SANDBOX_H_
+#endif // SANDBOX_LINUX_SUID_COMMON_SANDBOX_H_
diff --git a/chromium/sandbox/linux/suid/sandbox.c b/chromium/sandbox/linux/suid/sandbox.c
index 5fdb4817af8..5ee1689e234 100644
--- a/chromium/sandbox/linux/suid/sandbox.c
+++ b/chromium/sandbox/linux/suid/sandbox.c
@@ -2,7 +2,7 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-// https://chromium.googlesource.com/chromium/src/+/master/docs/linux/suid_sandbox.md
+// https://chromium.googlesource.com/chromium/src/+/main/docs/linux/suid_sandbox.md
#include "sandbox/linux/suid/common/sandbox.h"
@@ -403,7 +403,7 @@ bool CheckAndExportApiVersion() {
"The setuid sandbox provides API version %d, "
"but you need %d\n"
"Please read "
- "https://chromium.googlesource.com/chromium/src/+/master/docs/linux/suid_sandbox_development.md."
+ "https://chromium.googlesource.com/chromium/src/+/main/docs/linux/suid_sandbox_development.md."
"\n\n",
kSUIDSandboxApiNumber,
api_number);
diff --git a/chromium/sandbox/linux/syscall_broker/broker_simple_message_unittest.cc b/chromium/sandbox/linux/syscall_broker/broker_simple_message_unittest.cc
index 0d31776b0c8..d64cba22281 100644
--- a/chromium/sandbox/linux/syscall_broker/broker_simple_message_unittest.cc
+++ b/chromium/sandbox/linux/syscall_broker/broker_simple_message_unittest.cc
@@ -8,7 +8,6 @@
#include <unistd.h>
#include "base/bind.h"
-#include "base/callback_forward.h"
#include "base/callback_helpers.h"
#include "base/files/scoped_file.h"
#include "base/logging.h"
diff --git a/chromium/sandbox/linux/syscall_broker/remote_syscall_arg_handler.cc b/chromium/sandbox/linux/syscall_broker/remote_syscall_arg_handler.cc
index f73113c771a..1ba5890daff 100644
--- a/chromium/sandbox/linux/syscall_broker/remote_syscall_arg_handler.cc
+++ b/chromium/sandbox/linux/syscall_broker/remote_syscall_arg_handler.cc
@@ -15,7 +15,7 @@
#include "base/check_op.h"
#include "base/containers/span.h"
#include "base/logging.h"
-#include "base/process/process_metrics.h"
+#include "base/memory/page_size.h"
#include "sandbox/linux/system_headers/linux_seccomp.h"
#include "sandbox/linux/system_headers/linux_syscalls.h"
diff --git a/chromium/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc b/chromium/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc
index 4c22bc44b3c..fffa9bb7082 100644
--- a/chromium/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc
+++ b/chromium/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc
@@ -10,12 +10,11 @@
#include <cstring>
#include "base/bind.h"
-#include "base/callback_forward.h"
#include "base/callback_helpers.h"
#include "base/files/scoped_file.h"
#include "base/macros.h"
+#include "base/memory/page_size.h"
#include "base/posix/unix_domain_socket.h"
-#include "base/process/process_metrics.h"
#include "base/test/bind.h"
#include "sandbox/linux/tests/unit_tests.h"
#include "testing/gtest/include/gtest/gtest.h"
diff --git a/chromium/sandbox/linux/system_headers/capability.h b/chromium/sandbox/linux/system_headers/capability.h
index f91fcf78acf..773b817713c 100644
--- a/chromium/sandbox/linux/system_headers/capability.h
+++ b/chromium/sandbox/linux/system_headers/capability.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_CAPABILITY_H_
-#define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_CAPABILITY_H_
+#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_CAPABILITY_H_
+#define SANDBOX_LINUX_SYSTEM_HEADERS_CAPABILITY_H_
#include <stdint.h>
@@ -39,4 +39,4 @@ struct cap_data {
uint32_t inheritable;
};
-#endif // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_CAPABILITY_H_
+#endif // SANDBOX_LINUX_SYSTEM_HEADERS_CAPABILITY_H_
diff --git a/chromium/sandbox/linux/system_headers/i386_linux_ucontext.h b/chromium/sandbox/linux/system_headers/i386_linux_ucontext.h
index 1a7b975de80..1d3c4a23dc9 100644
--- a/chromium/sandbox/linux/system_headers/i386_linux_ucontext.h
+++ b/chromium/sandbox/linux/system_headers/i386_linux_ucontext.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_ANDROID_I386_UCONTEXT_H_
-#define SANDBOX_LINUX_SYSTEM_HEADERS_ANDROID_I386_UCONTEXT_H_
+#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_I386_LINUX_UCONTEXT_H_
+#define SANDBOX_LINUX_SYSTEM_HEADERS_I386_LINUX_UCONTEXT_H_
#include <stddef.h>
#include <stdint.h>
@@ -82,4 +82,4 @@ typedef struct ucontext {
struct _libc_fpstate __fpregs_mem;
} ucontext_t;
-#endif // SANDBOX_LINUX_SYSTEM_HEADERS_ANDROID_I386_UCONTEXT_H_
+#endif // SANDBOX_LINUX_SYSTEM_HEADERS_I386_LINUX_UCONTEXT_H_
diff --git a/chromium/sandbox/mac/sandbox_logging.h b/chromium/sandbox/mac/sandbox_logging.h
index 3f8191bb0dd..e056b6ecbbc 100644
--- a/chromium/sandbox/mac/sandbox_logging.h
+++ b/chromium/sandbox/mac/sandbox_logging.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SANDBOX_LOGGING_H_
-#define SANDBOX_SANDBOX_LOGGING_H_
+#ifndef SANDBOX_MAC_SANDBOX_LOGGING_H_
+#define SANDBOX_MAC_SANDBOX_LOGGING_H_
namespace sandbox {
@@ -28,4 +28,4 @@ void PFatal(const char* fmt, ...);
} // namespace sandbox
-#endif // SANDBOX_SANDBOX_LOGGING_H_
+#endif // SANDBOX_MAC_SANDBOX_LOGGING_H_
diff --git a/chromium/sandbox/mac/seatbelt_sandbox_design.md b/chromium/sandbox/mac/seatbelt_sandbox_design.md
index 53b6566cba3..2eb6ef47e0a 100644
--- a/chromium/sandbox/mac/seatbelt_sandbox_design.md
+++ b/chromium/sandbox/mac/seatbelt_sandbox_design.md
@@ -80,7 +80,7 @@ continue its execution into the ChromeMain function.
Both the main Chromium executable and all of the bundled Chromium Helper
executables contain [a minimal amount of
-code](https://source.chromium.org/chromium/chromium/src/+/master:chrome/app/chrome_exe_main_mac.cc;drc=05219ddeb8130389da9ad634ba3e021a70bff393).
+code](https://source.chromium.org/chromium/chromium/src/+/main:chrome/app/chrome_exe_main_mac.cc;drc=05219ddeb8130389da9ad634ba3e021a70bff393).
The bulk of the code lives in the Chromium Framework library, which is
`dlopen()`ed at runtime to call `ChromeMain()`, after applying the sandbox.
@@ -109,7 +109,7 @@ implementing the profiles for each process type.
## Sandbox Design
The V1 sandbox code lives in
-[sandbox_mac.mm](https://source.chromium.org/chromium/chromium/src/+/master:services/service_manager/sandbox/mac/sandbox_mac.mm;l=1;drc=efd8e880522dc1df3b8883648513016fab3d3956).
+[sandbox_mac.mm](https://source.chromium.org/chromium/chromium/src/+/main:services/service_manager/sandbox/mac/sandbox_mac.mm;l=1;drc=efd8e880522dc1df3b8883648513016fab3d3956).
This file will continue to exist until the V1 sandbox is removed for all process
types. Chromium now uses the V2 sandbox for all process types except the GPU
process.
diff --git a/chromium/sandbox/policy/BUILD.gn b/chromium/sandbox/policy/BUILD.gn
index c41a82ff483..7dfa7764de3 100644
--- a/chromium/sandbox/policy/BUILD.gn
+++ b/chromium/sandbox/policy/BUILD.gn
@@ -6,6 +6,8 @@ import("//build/buildflag_header.gni")
import("//build/config/chromecast_build.gni")
import("//build/config/chromeos/ui_mode.gni")
import("//build/config/sanitizers/sanitizers.gni")
+import("//chromeos/assistant/assistant.gni")
+import("//printing/buildflags/buildflags.gni")
import("//testing/test.gni")
component("policy") {
@@ -26,6 +28,7 @@ component("policy") {
":sanitizer_buildflags",
"//base",
"//build:chromeos_buildflags",
+ "//printing/buildflags",
"//sandbox:common",
]
public_deps = []
@@ -87,6 +90,14 @@ component("policy") {
"linux/bpf_tts_policy_linux.cc",
"linux/bpf_tts_policy_linux.h",
]
+ deps += [ "//chromeos/assistant:buildflags" ]
+
+ if (enable_libassistant_sandbox) {
+ sources += [
+ "linux/bpf_libassistant_policy_linux.cc",
+ "linux/bpf_libassistant_policy_linux.h",
+ ]
+ }
}
if (is_mac) {
sources += [
@@ -160,6 +171,7 @@ source_set("tests") {
":policy",
"//base",
"//base/test:test_support",
+ "//printing/buildflags",
"//testing/gtest",
]
diff --git a/chromium/sandbox/policy/DEPS b/chromium/sandbox/policy/DEPS
index 804a308655f..7e27dfda765 100644
--- a/chromium/sandbox/policy/DEPS
+++ b/chromium/sandbox/policy/DEPS
@@ -1,4 +1,6 @@
include_rules = [
+ "+chromeos/assistant/buildflags.h",
+ "+printing/buildflags",
"+sandbox/constants.h",
"+sandbox",
]
diff --git a/chromium/sandbox/policy/fuchsia/sandbox_policy_fuchsia.cc b/chromium/sandbox/policy/fuchsia/sandbox_policy_fuchsia.cc
index d0cc6e4a531..e105eee8c06 100644
--- a/chromium/sandbox/policy/fuchsia/sandbox_policy_fuchsia.cc
+++ b/chromium/sandbox/policy/fuchsia/sandbox_policy_fuchsia.cc
@@ -26,6 +26,7 @@
#include <utility>
#include "base/base_paths_fuchsia.h"
+#include "base/clang_profiling_buildflags.h"
#include "base/command_line.h"
#include "base/containers/span.h"
#include "base/files/file_util.h"
@@ -54,13 +55,8 @@ enum SandboxFeature {
// Read only access to /config/ssl, which contains root certs info.
kProvideSslConfig = 1 << 2,
- // Uses a service directory channel that is explicitly passed by the caller
- // instead of automatically connecting to the service directory of the current
- // process' namespace. Intended for use by SandboxType::kWebContext.
- kUseServiceDirectoryOverride = 1 << 3,
-
// Allows the process to use the ambient mark-vmo-as-executable capability.
- kAmbientMarkVmoAsExecutable = 1 << 4,
+ kAmbientMarkVmoAsExecutable = 1 << 3,
};
struct SandboxConfig {
@@ -68,17 +64,6 @@ struct SandboxConfig {
uint32_t features;
};
-constexpr SandboxConfig kWebContextConfig = {
- // Services directory is passed by calling SetServiceDirectory().
- base::span<const char* const>(),
-
- // Context processes only actually use the kUseServiceDirectoryOverride
- // and kCloneJob |features| themselves. However, they must be granted
- // all of the other features to delegate to child processes.
- kCloneJob | kProvideVulkanResources | kProvideSslConfig |
- kUseServiceDirectoryOverride,
-};
-
constexpr SandboxConfig kGpuConfig = {
base::make_span((const char* const[]){
fuchsia::sysmem::Allocator::Name_,
@@ -131,15 +116,12 @@ const SandboxConfig* GetConfigForSandboxType(SandboxType type) {
return &kNetworkConfig;
case SandboxType::kRenderer:
return &kRendererConfig;
- case SandboxType::kWebContext:
- return &kWebContextConfig;
case SandboxType::kVideoCapture:
return &kVideoCaptureConfig;
// Remaining types receive no-access-to-anything.
case SandboxType::kAudio:
case SandboxType::kCdm:
case SandboxType::kPpapi:
- case SandboxType::kPrintBackend:
case SandboxType::kPrintCompositor:
case SandboxType::kService:
case SandboxType::kSpeechRecognition:
@@ -149,9 +131,13 @@ const SandboxConfig* GetConfigForSandboxType(SandboxType type) {
}
// Services that are passed to all processes.
-constexpr base::span<const char* const> kDefaultServices = base::make_span(
- (const char* const[]){fuchsia::intl::PropertyProvider::Name_,
- fuchsia::logger::LogSink::Name_});
+constexpr auto kDefaultServices = base::make_span((const char* const[]) {
+// DebugData service is needed only for profiling.
+#if BUILDFLAG(CLANG_PROFILING)
+ "fuchsia.debugdata.DebugData",
+#endif
+ fuchsia::intl::PropertyProvider::Name_, fuchsia::logger::LogSink::Name_
+});
} // namespace
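Review bot: The profiling-only entry at L533 is a hand-written string literal, whereas the two entries beside it use the FIDL-generated `Name_` constants; a typo in the literal is not caught at compile time and the service would simply not be forwarded. If the generated header for the fuchsia.debugdata library is available to this target, the constant form (by the same pattern, `fuchsia::debugdata::DebugData::Name_`) keeps the list uniform; otherwise a short comment saying why a literal is used would help. Since kDefaultServices is, per L526, passed to every process, the comment at L531 could also state that profiling builds hand DebugData to all sandboxed child types.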
@@ -161,12 +147,13 @@ SandboxPolicyFuchsia::SandboxPolicyFuchsia(SandboxType type) {
} else {
type_ = type;
}
+
// If we need to pass some services for the given sandbox type then create
// |sandbox_directory_| and initialize it with the corresponding list of
// services. FilteredServiceDirectory must be initialized on a thread that has
// async_dispatcher.
const SandboxConfig* config = GetConfigForSandboxType(type_);
- if (config && !(config->features & kUseServiceDirectoryOverride)) {
+ if (config) {
service_directory_task_runner_ = base::ThreadTaskRunnerHandle::Get();
service_directory_ = std::make_unique<base::FilteredServiceDirectory>(
base::ComponentContextForProcess()->svc().get());
@@ -196,14 +183,6 @@ SandboxPolicyFuchsia::~SandboxPolicyFuchsia() {
}
}
-void SandboxPolicyFuchsia::SetServiceDirectory(
- fidl::InterfaceHandle<::fuchsia::io::Directory> service_directory_client) {
- DCHECK(GetConfigForSandboxType(type_)->features &
- kUseServiceDirectoryOverride);
- DCHECK(!service_directory_client_);
-
- service_directory_client_ = std::move(service_directory_client);
-}
void SandboxPolicyFuchsia::UpdateLaunchOptionsForSandbox(
base::LaunchOptions* options) {
@@ -255,13 +234,13 @@ void SandboxPolicyFuchsia::UpdateLaunchOptionsForSandbox(
if (base::PathExists(vulkan_icd_path))
options->paths_to_clone.push_back(vulkan_icd_path);
- // /dev/class/goldfish-pipe, /dev/class/goldfish-address-space and
- // /dev/class/goldfish-control are used for Fuchsia Emulator.
+ // The following devices are used for Fuchsia Emulator.
options->paths_to_clone.insert(
options->paths_to_clone.end(),
- {base::FilePath("/dev/class/goldfish-pipe"),
+ {base::FilePath("/dev/class/goldfish-address-space"),
base::FilePath("/dev/class/goldfish-control"),
- base::FilePath("/dev/class/goldfish-address-space")});
+ base::FilePath("/dev/class/goldfish-pipe"),
+ base::FilePath("/dev/class/goldfish-sync")});
}
// If the process needs access to any services then transfer the
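Review bot: The four goldfish device paths at L575-L579 are appended to `paths_to_clone` without a per-path existence check, while `vulkan_icd_path` a few lines above is guarded by `base::PathExists`; I cannot tell from this hunk how LaunchOptions treats a path that is absent on non-emulator hardware, so either the same guard should be applied per device or the comment at L571 should state that missing emulator devices are tolerated at launch. The enclosing `if` block begins outside the hunk.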
diff --git a/chromium/sandbox/policy/fuchsia/sandbox_policy_fuchsia.h b/chromium/sandbox/policy/fuchsia/sandbox_policy_fuchsia.h
index ba370016300..a41fdddf923 100644
--- a/chromium/sandbox/policy/fuchsia/sandbox_policy_fuchsia.h
+++ b/chromium/sandbox/policy/fuchsia/sandbox_policy_fuchsia.h
@@ -28,11 +28,8 @@ class SANDBOX_POLICY_EXPORT SandboxPolicyFuchsia {
explicit SandboxPolicyFuchsia(SandboxType type);
~SandboxPolicyFuchsia();
- // Sets the service directory to pass to the child process when launching it.
- // This is only supported for SandboxType::kWebContext processes. If this is
- // not called for a WEB_CONTEXT process then it will receive no services.
- void SetServiceDirectory(
- fidl::InterfaceHandle<::fuchsia::io::Directory> service_directory_client);
+ SandboxPolicyFuchsia(const SandboxPolicyFuchsia&) = delete;
+ SandboxPolicyFuchsia& operator=(const SandboxPolicyFuchsia&) = delete;
// Modifies the process launch |options| to achieve the level of
// isolation appropriate for current the sandbox type. The caller may then add
@@ -50,8 +47,6 @@ class SANDBOX_POLICY_EXPORT SandboxPolicyFuchsia {
// Job in which the child process is launched.
zx::job job_;
-
- DISALLOW_COPY_AND_ASSIGN(SandboxPolicyFuchsia);
};
} // namespace policy
diff --git a/chromium/sandbox/policy/linux/bpf_libassistant_policy_linux.cc b/chromium/sandbox/policy/linux/bpf_libassistant_policy_linux.cc
new file mode 100644
index 00000000000..a00dd4fdc04
--- /dev/null
+++ b/chromium/sandbox/policy/linux/bpf_libassistant_policy_linux.cc
@@ -0,0 +1,40 @@
+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/policy/linux/bpf_libassistant_policy_linux.h"
+
+#include <sys/socket.h>
+
+#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
+#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
+#include "sandbox/linux/syscall_broker/broker_process.h"
+#include "sandbox/linux/system_headers/linux_syscalls.h"
+#include "sandbox/policy/linux/sandbox_linux.h"
+
+using sandbox::bpf_dsl::Allow;
+using sandbox::bpf_dsl::ResultExpr;
+using sandbox::bpf_dsl::Trap;
+using sandbox::syscall_broker::BrokerProcess;
+
+namespace sandbox {
+namespace policy {
+
+LibassistantProcessPolicy::LibassistantProcessPolicy() = default;
+LibassistantProcessPolicy::~LibassistantProcessPolicy() = default;
+
+ResultExpr LibassistantProcessPolicy::EvaluateSyscall(int sysno) const {
+#if defined(__NR_sched_setscheduler)
+ if (sysno == __NR_sched_setscheduler)
+ return Allow();
+#endif
+
+ auto* sandbox_linux = SandboxLinux::GetInstance();
+ if (sandbox_linux->ShouldBrokerHandleSyscall(sysno))
+ return sandbox_linux->HandleViaBroker();
+
+ return BPFBasePolicy::EvaluateSyscall(sysno);
+}
+
+} // namespace policy
+} // namespace sandbox
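Review bot: `sched_setscheduler` is returned as a bare `Allow()` at L638-L639 with no argument restriction, so the libassistant process may target any pid the kernel would otherwise accept rather than only its own threads; since syscall_parameters_restrictions.h is already included, `return RestrictSchedTarget(GetPolicyPid(), sysno);` pins the target pid to the policy's own process and is the least-privilege form. The `#include <sys/socket.h>`, `using sandbox::bpf_dsl::Trap;` and `using sandbox::syscall_broker::BrokerProcess;` lines are not used anywhere in this file and look like leftovers; dropping them keeps the policy's real surface visible at a glance. A one-line comment on the early return, e.g. `// Needed by the audio threads; checked before the broker hand-off on purpose.`, would also help the next reader, with the reason adjusted to whatever libassistant actually requires.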
diff --git a/chromium/sandbox/policy/linux/bpf_libassistant_policy_linux.h b/chromium/sandbox/policy/linux/bpf_libassistant_policy_linux.h
new file mode 100644
index 00000000000..9e6b7773fa1
--- /dev/null
+++ b/chromium/sandbox/policy/linux/bpf_libassistant_policy_linux.h
@@ -0,0 +1,28 @@
+// Copyright 2021 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_POLICY_LINUX_BPF_LIBASSISTANT_POLICY_LINUX_H_
+#define SANDBOX_POLICY_LINUX_BPF_LIBASSISTANT_POLICY_LINUX_H_
+
+#include "sandbox/policy/linux/bpf_base_policy_linux.h"
+
+namespace sandbox {
+namespace policy {
+
+// This policy can be used by Libassistant utility processes.
+class LibassistantProcessPolicy : public BPFBasePolicy {
+ public:
+ LibassistantProcessPolicy();
+ LibassistantProcessPolicy(const LibassistantProcessPolicy&) = delete;
+ LibassistantProcessPolicy& operator=(const LibassistantProcessPolicy&) =
+ delete;
+ ~LibassistantProcessPolicy() override;
+
+ bpf_dsl::ResultExpr EvaluateSyscall(int sysno) const override;
+};
+
+} // namespace policy
+} // namespace sandbox
+
+#endif // SANDBOX_POLICY_LINUX_BPF_LIBASSISTANT_POLICY_LINUX_H_
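Review bot: The class comment at L669 says only that the policy "can be used by Libassistant utility processes" and leaves a reader to open the .cc to find out what it grants beyond BPFBasePolicy. I would state the delta in the header, e.g. `// Seccomp-BPF policy for the Libassistant utility process (Chrome OS Ash only). On top of BPFBasePolicy it allows sched_setscheduler and forwards syscalls that SandboxLinux's broker handles to the broker.`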
diff --git a/chromium/sandbox/policy/linux/sandbox_linux.h b/chromium/sandbox/policy/linux/sandbox_linux.h
index 4b32dc48c27..9054eb62d09 100644
--- a/chromium/sandbox/policy/linux/sandbox_linux.h
+++ b/chromium/sandbox/policy/linux/sandbox_linux.h
@@ -53,7 +53,7 @@ class SANDBOX_POLICY_EXPORT SandboxLinux {
public:
// This is a list of sandbox IPC methods which the renderer may send to the
// sandbox host. See
- // https://chromium.googlesource.com/chromium/src/+/master/docs/linux/sandbox_ipc.md
+ // https://chromium.googlesource.com/chromium/src/+/main/docs/linux/sandbox_ipc.md
// This isn't the full list, values < 32 are reserved for methods called from
// Skia, and values < 64 are reserved for libc_interceptor.cc.
enum LinuxSandboxIPCMethods {
diff --git a/chromium/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc b/chromium/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc
index bfa47a118ab..5d572af56b4 100644
--- a/chromium/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc
+++ b/chromium/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc
@@ -19,6 +19,7 @@
#include "base/notreached.h"
#include "build/build_config.h"
#include "build/chromeos_buildflags.h"
+#include "printing/buildflags/buildflags.h"
#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
#include "sandbox/linux/bpf_dsl/trap_registry.h"
#include "sandbox/policy/sandbox_type.h"
@@ -58,6 +59,11 @@
#include "sandbox/policy/features.h"
#include "sandbox/policy/linux/bpf_ime_policy_linux.h"
#include "sandbox/policy/linux/bpf_tts_policy_linux.h"
+
+#include "chromeos/assistant/buildflags.h"
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+#include "sandbox/policy/linux/bpf_libassistant_policy_linux.h"
+#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
using sandbox::bpf_dsl::Allow;
@@ -176,8 +182,10 @@ std::unique_ptr<BPFBasePolicy> SandboxSeccompBPF::PolicyForSandboxType(
return std::make_unique<CdmProcessPolicy>();
case SandboxType::kPrintCompositor:
return std::make_unique<PrintCompositorProcessPolicy>();
+#if BUILDFLAG(ENABLE_PRINTING)
case SandboxType::kPrintBackend:
return std::make_unique<PrintBackendProcessPolicy>();
+#endif
case SandboxType::kNetwork:
return std::make_unique<NetworkProcessPolicy>();
case SandboxType::kAudio:
@@ -191,6 +199,10 @@ std::unique_ptr<BPFBasePolicy> SandboxSeccompBPF::PolicyForSandboxType(
return std::make_unique<ImeProcessPolicy>();
case SandboxType::kTts:
return std::make_unique<TtsProcessPolicy>();
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+ case SandboxType::kLibassistant:
+ return std::make_unique<LibassistantProcessPolicy>();
+#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
case SandboxType::kZygoteIntermediateSandbox:
case SandboxType::kNoSandbox:
@@ -235,12 +247,17 @@ void SandboxSeccompBPF::RunSandboxSanityChecks(
#if BUILDFLAG(IS_CHROMEOS_ASH)
case SandboxType::kIme:
case SandboxType::kTts:
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+ case SandboxType::kLibassistant:
+#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
case SandboxType::kAudio:
case SandboxType::kService:
case SandboxType::kSpeechRecognition:
case SandboxType::kNetwork:
+#if BUILDFLAG(ENABLE_PRINTING)
case SandboxType::kPrintBackend:
+#endif
case SandboxType::kUtility:
case SandboxType::kNoSandbox:
case SandboxType::kVideoCapture:
diff --git a/chromium/sandbox/policy/mac/BUILD.gn b/chromium/sandbox/policy/mac/BUILD.gn
index 1bd2780d9bc..984fca87c36 100644
--- a/chromium/sandbox/policy/mac/BUILD.gn
+++ b/chromium/sandbox/policy/mac/BUILD.gn
@@ -4,22 +4,25 @@
import("//build/config/python.gni")
+sb_files = [
+ "audio.sb",
+ "cdm.sb",
+ "common.sb",
+ "gpu.sb",
+ "mirroring.sb",
+ "nacl_loader.sb",
+ "network.sb",
+ "ppapi.sb",
+ "print_backend.sb",
+ "print_compositor.sb",
+ "renderer.sb",
+ "speech_recognition.sb",
+ "utility.sb",
+]
+
action_foreach("package_sb_files") {
script = "package_sb_file.py"
- sources = [
- "audio.sb",
- "cdm.sb",
- "common.sb",
- "gpu.sb",
- "nacl_loader.sb",
- "network.sb",
- "ppapi.sb",
- "print_backend.sb",
- "print_compositor.sb",
- "renderer.sb",
- "speech_recognition.sb",
- "utility.sb",
- ]
+ sources = sb_files
outputs = [
"$target_gen_dir/{{source_name_part}}.sb.h",
"$target_gen_dir/{{source_name_part}}.sb.cc",
@@ -30,8 +33,24 @@ action_foreach("package_sb_files") {
]
}
+action("generate_params") {
+ script = "generate_params.py"
+ sources = sb_files
+ _filename_prefix = "$target_gen_dir/params"
+ outputs = [
+ "${_filename_prefix}.cc",
+ "${_filename_prefix}.h",
+ ]
+ args = [ rebase_path(_filename_prefix, root_build_dir) ] +
+ rebase_path(sb_files, root_build_dir)
+}
+
source_set("packaged_sb_files") {
- sources = get_target_outputs(":package_sb_files")
+ sources = get_target_outputs(":package_sb_files") +
+ get_target_outputs(":generate_params")
defines = [ "SANDBOX_POLICY_IMPL" ]
- deps = [ ":package_sb_files" ]
+ deps = [
+ ":generate_params",
+ ":package_sb_files",
+ ]
}
diff --git a/chromium/sandbox/policy/mac/generate_params.py b/chromium/sandbox/policy/mac/generate_params.py
new file mode 100755
index 00000000000..685d941d544
--- /dev/null
+++ b/chromium/sandbox/policy/mac/generate_params.py
@@ -0,0 +1,88 @@
+#!/usr/bin/env python
+# Copyright 2021 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+"""generate_params.py processes input .sb seatbelt files and extracts
+parameter definitions of the form
+
+ (define "sandbox-param-name")
+
+And generates C++ constants of the form
+
+ kParamSandboxParamName
+
+Usage:
+
+ generate_sandbox_params.py path/to/params policy1.sb policy2.sb...
+
+Where |path/to/params| specifies the file prefix for the generated .h
+and .cc files.
+"""
+
+from __future__ import print_function
+
+import re
+import sys
+
+
+def generate_sandbox_params(argv):
+ if len(argv) < 3:
+ print('Usage: {} output_file_prefix file1.sb...'.format(argv[0]),
+ file=sys.stderr)
+ return 1
+
+ h_contents = ''
+ cc_contents = ''
+ for (name, value) in _process_policy_files(argv[2:]):
+ variable_name = 'kParam' + name.title().replace('-', '')
+ h_contents += 'SANDBOX_POLICY_EXPORT extern const char {}[];\n'.format(
+ variable_name)
+ cc_contents += 'const char {}[] = "{}";\n'.format(variable_name, value)
+
+ with open(argv[1] + '.h', 'w') as f:
+ f.write(
+ FILE_TEMPLATE.format(includes='#include "sandbox/policy/export.h"',
+ contents=h_contents))
+
+ with open(argv[1] + '.cc', 'w') as f:
+ f.write(
+ FILE_TEMPLATE.format(
+ includes='#include "sandbox/policy/mac/params.h"',
+ contents=cc_contents))
+
+ return 0
+
+
+def _process_policy_files(files):
+ """Iterates the files in |files|, parsing out parameter definitions, and
+ yields the name-value pair.
+ """
+ for sb_file in files:
+ with open(sb_file, 'r') as f:
+ for line in f:
+ comment_start = line.find(';')
+ if comment_start != -1:
+ line = line[:comment_start]
+ match = DEFINE_RE.match(line)
+ if match:
+ groups = match.groups()
+ yield (groups[0], groups[1])
+
+
+DEFINE_RE = re.compile(r'^\(define\s+([a-zA-Z0-9\-]+).*"(\w+)"\)')
+
+FILE_TEMPLATE = """// Generated by generate_params.py. Do not edit!!!
+
+{includes}
+
+namespace sandbox {{
+namespace policy {{
+
+{contents}
+
+}} // namespace policy
+}} // namespace sandbox
+"""
+
+if __name__ == '__main__':
+ sys.exit(generate_sandbox_params(sys.argv))
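Review bot: `generate_sandbox_params` (L870-L874) emits one `const char kParam...[]` definition per match without de-duplicating, so a parameter that is `(define ...)`d in two of the .sb files passed on the command line produces two definitions of the same symbol in params.cc and the build fails with a redefinition error, while two files defining the same name with different values are not detected at all. Because the Seatbelt profiles are concatenated at runtime (common.sb plus one per-type profile, per the `profile +=` pattern in sandbox_mac.mm), a shared parameter name is a realistic outcome as profiles grow. I would track names as they are seen, skip exact repeats, and fail the generator on a conflicting value:
```python
  seen = {}
  h_contents = ''
  cc_contents = ''
  for (name, value) in _process_policy_files(argv[2:]):
    if name in seen:
      if seen[name] != value:
        print('{}: parameter "{}" defined as both "{}" and "{}"'.format(
            argv[0], name, seen[name], value), file=sys.stderr)
        return 1
      continue  # Same definition repeated in another .sb file; emit it once.
    seen[name] = value
    # ... unchanged: variable_name, h_contents, cc_contents ...
```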
diff --git a/chromium/sandbox/policy/mac/mirroring.sb b/chromium/sandbox/policy/mac/mirroring.sb
new file mode 100644
index 00000000000..0b7794be499
--- /dev/null
+++ b/chromium/sandbox/policy/mac/mirroring.sb
@@ -0,0 +1,11 @@
+; Copyright 2021 The Chromium Authors. All rights reserved.
+; Use of this source code is governed by a BSD-style license that can be
+; found in the LICENSE file.
+
+; --- The contents of common.sb implicitly included here. ---
+
+; Needed for IOSurface GpuMemoryBuffer video frame access
+; https://crbug.com/1204603
+(allow iokit-open
+ (iokit-registry-entry-class "IOSurfaceRootUserClient")
+)
diff --git a/chromium/sandbox/policy/mac/sandbox_mac.h b/chromium/sandbox/policy/mac/sandbox_mac.h
index 76bdc209ffb..9e716acb8b9 100644
--- a/chromium/sandbox/policy/mac/sandbox_mac.h
+++ b/chromium/sandbox/policy/mac/sandbox_mac.h
@@ -19,36 +19,16 @@ class FilePath;
namespace sandbox {
namespace policy {
-class SANDBOX_POLICY_EXPORT SandboxMac {
- public:
- // Convert provided path into a "canonical" path matching what the Sandbox
- // expects i.e. one without symlinks.
- // This path is not necessarily unique e.g. in the face of hardlinks.
- static base::FilePath GetCanonicalPath(const base::FilePath& path);
-
- // Returns the sandbox profile string for a given sandbox type.
- // It CHECKs that the sandbox profile is a valid type, so it always returns a
- // valid result, or crashes.
- static std::string GetSandboxProfile(SandboxType sandbox_type);
-
- static const char* kSandboxBrowserPID;
- static const char* kSandboxBundlePath;
- static const char* kSandboxChromeBundleId;
- static const char* kSandboxSodaComponentPath;
- static const char* kSandboxSodaLanguagePackPath;
- static const char* kSandboxComponentPath;
- static const char* kSandboxDisableDenialLogging;
- static const char* kSandboxEnableLogging;
- static const char* kSandboxHomedirAsLiteral;
- static const char* kSandboxLoggingPathAsLiteral;
- static const char* kSandboxOSVersion;
-
- static const char* kSandboxBundleVersionPath;
- static const char* kSandboxDisableMetalShaderCache;
-
- private:
- DISALLOW_IMPLICIT_CONSTRUCTORS(SandboxMac);
-};
+// Convert provided path into a "canonical" path matching what the Sandbox
+// expects i.e. one without symlinks.
+// This path is not necessarily unique e.g. in the face of hardlinks.
+SANDBOX_POLICY_EXPORT base::FilePath GetCanonicalPath(
+ const base::FilePath& path);
+
+// Returns the sandbox profile string for a given sandbox type.
+// It CHECKs that the sandbox profile is a valid type, so it always returns a
+// valid result, or crashes.
+SANDBOX_POLICY_EXPORT std::string GetSandboxProfile(SandboxType sandbox_type);
} // namespace policy
} // namespace sandbox
diff --git a/chromium/sandbox/policy/mac/sandbox_mac.mm b/chromium/sandbox/policy/mac/sandbox_mac.mm
index f63a70a7d65..c6605154cbb 100644
--- a/chromium/sandbox/policy/mac/sandbox_mac.mm
+++ b/chromium/sandbox/policy/mac/sandbox_mac.mm
@@ -16,6 +16,7 @@
#include "sandbox/policy/mac/cdm.sb.h"
#include "sandbox/policy/mac/common.sb.h"
#include "sandbox/policy/mac/gpu.sb.h"
+#include "sandbox/policy/mac/mirroring.sb.h"
#include "sandbox/policy/mac/nacl_loader.sb.h"
#include "sandbox/policy/mac/network.sb.h"
#include "sandbox/policy/mac/ppapi.sb.h"
@@ -28,25 +29,7 @@
namespace sandbox {
namespace policy {
-const char* SandboxMac::kSandboxBrowserPID = "BROWSER_PID";
-const char* SandboxMac::kSandboxBundlePath = "BUNDLE_PATH";
-const char* SandboxMac::kSandboxChromeBundleId = "BUNDLE_ID";
-const char* SandboxMac::kSandboxSodaComponentPath = "SODA_COMPONENT_PATH";
-const char* SandboxMac::kSandboxSodaLanguagePackPath =
- "SODA_LANGUAGE_PACK_PATH";
-const char* SandboxMac::kSandboxComponentPath = "COMPONENT_PATH";
-const char* SandboxMac::kSandboxDisableDenialLogging =
- "DISABLE_SANDBOX_DENIAL_LOGGING";
-const char* SandboxMac::kSandboxEnableLogging = "ENABLE_LOGGING";
-const char* SandboxMac::kSandboxHomedirAsLiteral = "USER_HOMEDIR_AS_LITERAL";
-const char* SandboxMac::kSandboxLoggingPathAsLiteral = "LOG_FILE_PATH";
-const char* SandboxMac::kSandboxOSVersion = "OS_VERSION";
-const char* SandboxMac::kSandboxBundleVersionPath = "BUNDLE_VERSION_PATH";
-const char* SandboxMac::kSandboxDisableMetalShaderCache =
- "DISABLE_METAL_SHADER_CACHE";
-
-// static
-base::FilePath SandboxMac::GetCanonicalPath(const base::FilePath& path) {
+base::FilePath GetCanonicalPath(const base::FilePath& path) {
base::ScopedFD fd(HANDLE_EINTR(open(path.value().c_str(), O_RDONLY)));
if (!fd.is_valid()) {
DPLOG(ERROR) << "GetCanonicalSandboxPath() failed for: " << path.value();
@@ -62,8 +45,7 @@ base::FilePath SandboxMac::GetCanonicalPath(const base::FilePath& path) {
return base::FilePath(canonical_path);
}
-// static
-std::string SandboxMac::GetSandboxProfile(SandboxType sandbox_type) {
+std::string GetSandboxProfile(SandboxType sandbox_type) {
std::string profile = std::string(kSeatbeltPolicyString_common);
switch (sandbox_type) {
@@ -76,6 +58,9 @@ std::string SandboxMac::GetSandboxProfile(SandboxType sandbox_type) {
case SandboxType::kGpu:
profile += kSeatbeltPolicyString_gpu;
break;
+ case SandboxType::kMirroring:
+ profile += kSeatbeltPolicyString_mirroring;
+ break;
case SandboxType::kNaClLoader:
profile += kSeatbeltPolicyString_nacl_loader;
break;
diff --git a/chromium/sandbox/policy/sandbox_type.cc b/chromium/sandbox/policy/sandbox_type.cc
index 071daec2867..21b207ca323 100644
--- a/chromium/sandbox/policy/sandbox_type.cc
+++ b/chromium/sandbox/policy/sandbox_type.cc
@@ -11,6 +11,7 @@
#include "base/logging.h"
#include "base/notreached.h"
#include "build/chromeos_buildflags.h"
+#include "printing/buildflags/buildflags.h"
#include "sandbox/policy/features.h"
#include "sandbox/policy/switches.h"
@@ -47,17 +48,20 @@ bool IsUnsandboxedSandboxType(SandboxType sandbox_type) {
case SandboxType::kGpu:
case SandboxType::kPpapi:
case SandboxType::kCdm:
+#if BUILDFLAG(ENABLE_PRINTING)
case SandboxType::kPrintBackend:
- case SandboxType::kPrintCompositor:
-#if defined(OS_FUCHSIA)
- case SandboxType::kWebContext:
#endif
+ case SandboxType::kPrintCompositor:
#if defined(OS_MAC)
+ case SandboxType::kMirroring:
case SandboxType::kNaClLoader:
#endif
#if BUILDFLAG(IS_CHROMEOS_ASH)
case SandboxType::kIme:
case SandboxType::kTts:
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+ case SandboxType::kLibassistant:
+#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
#endif
#if !defined(OS_MAC)
case SandboxType::kService:
@@ -110,7 +114,9 @@ void SetCommandLineFlagsForSandboxType(base::CommandLine* command_line,
case SandboxType::kUtility:
case SandboxType::kNetwork:
case SandboxType::kCdm:
+#if BUILDFLAG(ENABLE_PRINTING)
case SandboxType::kPrintBackend:
+#endif
case SandboxType::kPrintCompositor:
case SandboxType::kAudio:
case SandboxType::kVideoCapture:
@@ -124,7 +130,13 @@ void SetCommandLineFlagsForSandboxType(base::CommandLine* command_line,
#if BUILDFLAG(IS_CHROMEOS_ASH)
case SandboxType::kIme:
case SandboxType::kTts:
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+ case SandboxType::kLibassistant:
+#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
+#if defined(OS_MAC)
+ case SandboxType::kMirroring:
+#endif // defined(OS_MAC)
#if !defined(OS_MAC)
case SandboxType::kService:
#endif
@@ -136,10 +148,6 @@ void SetCommandLineFlagsForSandboxType(base::CommandLine* command_line,
switches::kServiceSandboxType,
StringFromUtilitySandboxType(sandbox_type));
break;
-#if defined(OS_FUCHSIA)
- case SandboxType::kWebContext:
- break;
-#endif // defined(OS_FUCHSIA)
#if defined(OS_MAC)
case SandboxType::kNaClLoader:
break;
@@ -224,8 +232,10 @@ std::string StringFromUtilitySandboxType(SandboxType sandbox_type) {
return switches::kPpapiSandbox;
case SandboxType::kCdm:
return switches::kCdmSandbox;
+#if BUILDFLAG(ENABLE_PRINTING)
case SandboxType::kPrintBackend:
return switches::kPrintBackendSandbox;
+#endif
case SandboxType::kPrintCompositor:
return switches::kPrintCompositorSandbox;
case SandboxType::kUtility:
@@ -252,11 +262,19 @@ std::string StringFromUtilitySandboxType(SandboxType sandbox_type) {
case SandboxType::kMediaFoundationCdm:
return switches::kMediaFoundationCdmSandbox;
#endif // defined(OS_WIN)
+#if defined(OS_MAC)
+ case SandboxType::kMirroring:
+ return switches::kMirroringSandbox;
+#endif
#if BUILDFLAG(IS_CHROMEOS_ASH)
case SandboxType::kIme:
return switches::kImeSandbox;
case SandboxType::kTts:
return switches::kTtsSandbox;
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+ case SandboxType::kLibassistant:
+ return switches::kLibassistantSandbox;
+#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
// The following are not utility processes so should not occur.
case SandboxType::kRenderer:
@@ -267,9 +285,6 @@ std::string StringFromUtilitySandboxType(SandboxType sandbox_type) {
#if defined(OS_MAC)
case SandboxType::kNaClLoader:
#endif // defined(OS_MAC)
-#if defined(OS_FUCHSIA)
- case SandboxType::kWebContext:
-#endif // defined(OS_FUCHSIA)
#if defined(OS_LINUX) || defined(OS_CHROMEOS)
case SandboxType::kZygoteIntermediateSandbox:
#endif
@@ -294,8 +309,10 @@ SandboxType UtilitySandboxTypeFromString(const std::string& sandbox_string) {
return SandboxType::kPpapi;
if (sandbox_string == switches::kCdmSandbox)
return SandboxType::kCdm;
+#if BUILDFLAG(ENABLE_PRINTING)
if (sandbox_string == switches::kPrintBackendSandbox)
return SandboxType::kPrintBackend;
+#endif
if (sandbox_string == switches::kPrintCompositorSandbox)
return SandboxType::kPrintCompositor;
#if defined(OS_WIN)
@@ -310,6 +327,10 @@ SandboxType UtilitySandboxTypeFromString(const std::string& sandbox_string) {
if (sandbox_string == switches::kMediaFoundationCdmSandbox)
return SandboxType::kMediaFoundationCdm;
#endif
+#if defined(OS_MAC)
+ if (sandbox_string == switches::kMirroringSandbox)
+ return SandboxType::kMirroring;
+#endif
if (sandbox_string == switches::kAudioSandbox)
return SandboxType::kAudio;
if (sandbox_string == switches::kSpeechRecognitionSandbox)
@@ -321,6 +342,10 @@ SandboxType UtilitySandboxTypeFromString(const std::string& sandbox_string) {
return SandboxType::kIme;
if (sandbox_string == switches::kTtsSandbox)
return SandboxType::kTts;
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+ if (sandbox_string == switches::kLibassistantSandbox)
+ return SandboxType::kLibassistant;
+#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
return SandboxType::kUtility;
}
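Review bot: With the new build-flag guards in this function, a `--service-sandbox-type` value the build does not support — `print_backend` without ENABLE_PRINTING (guarded at L1160-L1163) or `libassistant` without ENABLE_LIBASSISTANT_SANDBOX — falls through to `return SandboxType::kUtility;` at L1187, as does any typo, so the child is silently started under the generic utility sandbox rather than the one the launcher asked for. That is not a sandbox escape, but it hides a misconfiguration that would otherwise surface immediately. If the kUtility fallback is meant only for the plain utility string, I would log the unmatched value before returning, `DLOG(ERROR) << "Unknown utility sandbox type: " << sandbox_string;` (base/logging.h is already included). UtilitySandboxTypeFromString begins before this hunk.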
diff --git a/chromium/sandbox/policy/sandbox_type.h b/chromium/sandbox/policy/sandbox_type.h
index 4b97b9cd17e..88903f72a3b 100644
--- a/chromium/sandbox/policy/sandbox_type.h
+++ b/chromium/sandbox/policy/sandbox_type.h
@@ -10,8 +10,13 @@
#include "base/command_line.h"
#include "build/build_config.h"
#include "build/chromeos_buildflags.h"
+#include "printing/buildflags/buildflags.h"
#include "sandbox/policy/export.h"
+#if BUILDFLAG(IS_CHROMEOS_ASH)
+#include "chromeos/assistant/buildflags.h"
+#endif // BUILDFLAG(IS_CHROMEOS_ASH)
+
namespace sandbox {
namespace policy {
@@ -40,12 +45,6 @@ enum class SandboxType {
kMediaFoundationCdm,
#endif
-#if defined(OS_FUCHSIA)
- // Sandbox type for the web::Context process on Fuchsia. Functionally it's an
- // equivalent of the browser process on other platforms.
- kWebContext,
-#endif
-
// Renderer or worker process. Most common case.
kRenderer,
@@ -77,11 +76,16 @@ enum class SandboxType {
#if defined(OS_MAC)
// The NaCl loader process.
kNaClLoader,
+
+ // The mirroring service needs IOSurface access on macOS.
+ kMirroring,
#endif // defined(OS_MAC)
+#if BUILDFLAG(ENABLE_PRINTING)
// The print backend service process which interfaces with operating system
// print drivers.
kPrintBackend,
+#endif
// The print compositor service process.
kPrintCompositor,
@@ -93,6 +97,11 @@ enum class SandboxType {
kIme,
// Text-to-speech.
kTts,
+
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+ kLibassistant,
+#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
#if defined(OS_LINUX) || defined(OS_CHROMEOS)
diff --git a/chromium/sandbox/policy/sandbox_type_unittest.cc b/chromium/sandbox/policy/sandbox_type_unittest.cc
index 2edf01d8001..e909a684c79 100644
--- a/chromium/sandbox/policy/sandbox_type_unittest.cc
+++ b/chromium/sandbox/policy/sandbox_type_unittest.cc
@@ -6,6 +6,7 @@
#include "base/command_line.h"
#include "build/build_config.h"
+#include "printing/buildflags/buildflags.h"
#include "sandbox/policy/switches.h"
#include "testing/gtest/include/gtest/gtest.h"
@@ -111,11 +112,13 @@ TEST(SandboxTypeTest, Utility) {
SandboxTypeFromCommandLine(command_line12));
#endif
+#if BUILDFLAG(ENABLE_PRINTING)
base::CommandLine command_line13(command_line);
SetCommandLineFlagsForSandboxType(&command_line13,
SandboxType::kPrintBackend);
EXPECT_EQ(SandboxType::kPrintBackend,
SandboxTypeFromCommandLine(command_line13));
+#endif
base::CommandLine command_line14(command_line);
command_line14.AppendSwitchASCII(switches::kServiceSandboxType,
diff --git a/chromium/sandbox/policy/switches.cc b/chromium/sandbox/policy/switches.cc
index 58158d96912..c0438f62d61 100644
--- a/chromium/sandbox/policy/switches.cc
+++ b/chromium/sandbox/policy/switches.cc
@@ -6,6 +6,7 @@
#include "build/build_config.h"
#include "build/chromeos_buildflags.h"
+#include "printing/buildflags/buildflags.h"
#if defined(OS_WIN)
#include "base/command_line.h"
@@ -28,7 +29,9 @@ const char kNetworkSandbox[] = "network";
const char kPpapiSandbox[] = "ppapi";
const char kUtilitySandbox[] = "utility";
const char kCdmSandbox[] = "cdm";
+#if BUILDFLAG(ENABLE_PRINTING)
const char kPrintBackendSandbox[] = "print_backend";
+#endif
const char kPrintCompositorSandbox[] = "print_compositor";
const char kAudioSandbox[] = "audio";
const char kServiceSandbox[] = "service";
@@ -43,9 +46,16 @@ const char kIconReaderSandbox[] = "icon_reader";
const char kMediaFoundationCdmSandbox[] = "mf_cdm";
#endif // OS_WIN
+#if defined(OS_MAC)
+const char kMirroringSandbox[] = "mirroring";
+#endif // OS_MAC
+
#if BUILDFLAG(IS_CHROMEOS_ASH)
const char kImeSandbox[] = "ime";
const char kTtsSandbox[] = "tts";
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+const char kLibassistantSandbox[] = "libassistant";
+#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
// Flags owned by the service manager sandbox.
diff --git a/chromium/sandbox/policy/switches.h b/chromium/sandbox/policy/switches.h
index 7dd86989dc6..a0315cd1ace 100644
--- a/chromium/sandbox/policy/switches.h
+++ b/chromium/sandbox/policy/switches.h
@@ -7,8 +7,13 @@
#include "build/build_config.h"
#include "build/chromeos_buildflags.h"
+#include "printing/buildflags/buildflags.h"
#include "sandbox/policy/export.h"
+#if BUILDFLAG(IS_CHROMEOS_ASH)
+#include "chromeos/assistant/buildflags.h"
+#endif // BUILDFLAG(IS_CHROMEOS_ASH)
+
namespace sandbox {
namespace policy {
namespace switches {
@@ -25,7 +30,9 @@ SANDBOX_POLICY_EXPORT extern const char kNetworkSandbox[];
SANDBOX_POLICY_EXPORT extern const char kPpapiSandbox[];
SANDBOX_POLICY_EXPORT extern const char kUtilitySandbox[];
SANDBOX_POLICY_EXPORT extern const char kCdmSandbox[];
+#if BUILDFLAG(ENABLE_PRINTING)
SANDBOX_POLICY_EXPORT extern const char kPrintBackendSandbox[];
+#endif
SANDBOX_POLICY_EXPORT extern const char kPrintCompositorSandbox[];
SANDBOX_POLICY_EXPORT extern const char kAudioSandbox[];
SANDBOX_POLICY_EXPORT extern const char kServiceSandbox[];
@@ -40,9 +47,16 @@ SANDBOX_POLICY_EXPORT extern const char kIconReaderSandbox[];
SANDBOX_POLICY_EXPORT extern const char kMediaFoundationCdmSandbox[];
#endif // OS_WIN
+#if defined(OS_MAC)
+SANDBOX_POLICY_EXPORT extern const char kMirroringSandbox[];
+#endif // OS_MAC
+
#if BUILDFLAG(IS_CHROMEOS_ASH)
SANDBOX_POLICY_EXPORT extern const char kImeSandbox[];
SANDBOX_POLICY_EXPORT extern const char kTtsSandbox[];
+#if BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
+SANDBOX_POLICY_EXPORT extern const char kLibassistantSandbox[];
+#endif // BUILDFLAG(ENABLE_LIBASSISTANT_SANDBOX)
#endif // BUILDFLAG(IS_CHROMEOS_ASH)
// Flags owned by the service manager sandbox.
diff --git a/chromium/sandbox/policy/win/sandbox_win.cc b/chromium/sandbox/policy/win/sandbox_win.cc
index 21f6c792c1a..3b6543c4d49 100644
--- a/chromium/sandbox/policy/win/sandbox_win.cc
+++ b/chromium/sandbox/policy/win/sandbox_win.cc
@@ -38,11 +38,12 @@
#include "base/win/scoped_handle.h"
#include "base/win/win_util.h"
#include "base/win/windows_version.h"
+#include "printing/buildflags/buildflags.h"
#include "sandbox/policy/features.h"
#include "sandbox/policy/sandbox_type.h"
#include "sandbox/policy/switches.h"
#include "sandbox/policy/win/sandbox_diagnostics.h"
-#include "sandbox/win/src/app_container_profile.h"
+#include "sandbox/win/src/app_container.h"
#include "sandbox/win/src/job.h"
#include "sandbox/win/src/process_mitigations.h"
#include "sandbox/win/src/sandbox.h"
@@ -649,7 +650,7 @@ std::wstring GetAppContainerProfileName(const std::string& appcontainer_id,
return base::UTF8ToWide(profile_name);
}
-ResultCode SetupAppContainerProfile(AppContainerProfile* profile,
+ResultCode SetupAppContainerProfile(AppContainer* container,
const base::CommandLine& command_line,
SandboxType sandbox_type) {
if (sandbox_type != SandboxType::kMediaFoundationCdm &&
@@ -662,54 +663,52 @@ ResultCode SetupAppContainerProfile(AppContainerProfile* profile,
base::FeatureList::IsEnabled(features::kNetworkServiceSandboxLPAC));
if (sandbox_type == SandboxType::kGpu &&
- !profile->AddImpersonationCapability(L"chromeInstallFiles")) {
- DLOG(ERROR) << "AppContainerProfile::AddImpersonationCapability("
+ !container->AddImpersonationCapability(L"chromeInstallFiles")) {
+ DLOG(ERROR) << "AppContainer::AddImpersonationCapability("
"chromeInstallFiles) failed";
- return SBOX_ERROR_CREATE_APPCONTAINER_PROFILE_CAPABILITY;
+ return SBOX_ERROR_CREATE_APPCONTAINER_CAPABILITY;
}
if ((sandbox_type == SandboxType::kXrCompositing ||
sandbox_type == SandboxType::kGpu) &&
- !profile->AddCapability(L"lpacPnpNotifications")) {
- DLOG(ERROR)
- << "AppContainerProfile::AddCapability(lpacPnpNotifications) failed";
- return SBOX_ERROR_CREATE_APPCONTAINER_PROFILE_CAPABILITY;
+ !container->AddCapability(L"lpacPnpNotifications")) {
+ DLOG(ERROR) << "AppContainer::AddCapability(lpacPnpNotifications) failed";
+ return SBOX_ERROR_CREATE_APPCONTAINER_CAPABILITY;
}
if (sandbox_type == SandboxType::kXrCompositing &&
- !profile->AddCapability(L"chromeInstallFiles")) {
- DLOG(ERROR)
- << "AppContainerProfile::AddCapability(chromeInstallFiles) failed";
- return SBOX_ERROR_CREATE_APPCONTAINER_PROFILE_CAPABILITY;
+ !container->AddCapability(L"chromeInstallFiles")) {
+ DLOG(ERROR) << "AppContainer::AddCapability(chromeInstallFiles) failed";
+ return SBOX_ERROR_CREATE_APPCONTAINER_CAPABILITY;
}
if (sandbox_type == SandboxType::kMediaFoundationCdm) {
// Please refer to the following design doc on why we add the capabilities:
// https://docs.google.com/document/d/19Y4Js5v3BlzA5uSuiVTvcvPNIOwmxcMSFJWtuc1A-w8/edit#heading=h.iqvhsrml3gl9
- if (!profile->AddCapability(
+ if (!container->AddCapability(
sandbox::WellKnownCapabilities::kPrivateNetworkClientServer) ||
- !profile->AddCapability(
+ !container->AddCapability(
sandbox::WellKnownCapabilities::kInternetClient)) {
DLOG(ERROR)
- << "AppContainerProfile::AddCapability() - "
+ << "AppContainer::AddCapability() - "
<< "SandboxType::kMediaFoundationCdm internet capabilities failed";
- return sandbox::SBOX_ERROR_CREATE_APPCONTAINER_PROFILE_CAPABILITY;
+ return sandbox::SBOX_ERROR_CREATE_APPCONTAINER_CAPABILITY;
}
- if (!profile->AddCapability(L"lpacCom") ||
- !profile->AddCapability(L"lpacIdentityServices") ||
- !profile->AddCapability(L"lpacMedia") ||
- !profile->AddCapability(L"lpacPnPNotifications") ||
- !profile->AddCapability(L"lpacServicesManagement") ||
- !profile->AddCapability(L"lpacSessionManagement") ||
- !profile->AddCapability(L"lpacAppExperience") ||
- !profile->AddCapability(L"lpacInstrumentation") ||
- !profile->AddCapability(L"lpacCryptoServices") ||
- !profile->AddCapability(L"lpacEnterprisePolicyChangeNotifications")) {
+ if (!container->AddCapability(L"lpacCom") ||
+ !container->AddCapability(L"lpacIdentityServices") ||
+ !container->AddCapability(L"lpacMedia") ||
+ !container->AddCapability(L"lpacPnPNotifications") ||
+ !container->AddCapability(L"lpacServicesManagement") ||
+ !container->AddCapability(L"lpacSessionManagement") ||
+ !container->AddCapability(L"lpacAppExperience") ||
+ !container->AddCapability(L"lpacInstrumentation") ||
+ !container->AddCapability(L"lpacCryptoServices") ||
+ !container->AddCapability(L"lpacEnterprisePolicyChangeNotifications")) {
DLOG(ERROR)
- << "AppContainerProfile::AddCapability() - "
+ << "AppContainer::AddCapability() - "
<< "SandboxType::kMediaFoundationCdm lpac capabilities failed";
- return sandbox::SBOX_ERROR_CREATE_APPCONTAINER_PROFILE_CAPABILITY;
+ return sandbox::SBOX_ERROR_CREATE_APPCONTAINER_CAPABILITY;
}
}
@@ -733,32 +732,32 @@ ResultCode SetupAppContainerProfile(AppContainerProfile* profile,
}
for (const auto& cap : base_caps) {
- if (!profile->AddCapability(cap.c_str())) {
- DLOG(ERROR) << "AppContainerProfile::AddCapability() failed";
- return SBOX_ERROR_CREATE_APPCONTAINER_PROFILE_CAPABILITY;
+ if (!container->AddCapability(cap.c_str())) {
+ DLOG(ERROR) << "AppContainer::AddCapability() failed";
+ return SBOX_ERROR_CREATE_APPCONTAINER_CAPABILITY;
}
}
// Enable LPAC for GPU process, but not for XRCompositor service.
if (sandbox_type == SandboxType::kGpu &&
base::FeatureList::IsEnabled(features::kGpuLPAC)) {
- profile->SetEnableLowPrivilegeAppContainer(true);
+ container->SetEnableLowPrivilegeAppContainer(true);
}
// Enable LPAC for Network service.
if (sandbox_type == SandboxType::kNetwork) {
- profile->AddCapability(
+ container->AddCapability(
sandbox::WellKnownCapabilities::kPrivateNetworkClientServer);
- profile->AddCapability(sandbox::WellKnownCapabilities::kInternetClient);
- profile->AddCapability(
+ container->AddCapability(sandbox::WellKnownCapabilities::kInternetClient);
+ container->AddCapability(
sandbox::WellKnownCapabilities::kEnterpriseAuthentication);
- profile->AddCapability(L"lpacIdentityServices");
- profile->AddCapability(L"lpacCryptoServices");
- profile->SetEnableLowPrivilegeAppContainer(true);
+ container->AddCapability(L"lpacIdentityServices");
+ container->AddCapability(L"lpacCryptoServices");
+ container->SetEnableLowPrivilegeAppContainer(true);
}
if (sandbox_type == SandboxType::kMediaFoundationCdm)
- profile->SetEnableLowPrivilegeAppContainer(true);
+ container->SetEnableLowPrivilegeAppContainer(true);
return SBOX_ALL_OK;
}
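Review bot: The five `container->AddCapability(...)` calls in the kNetwork branch (L1460-L1471) still discard their return values, while every other branch of this function treats a failed AddCapability as SBOX_ERROR_CREATE_APPCONTAINER_CAPABILITY. A silent failure here fails closed — the network service would launch in an LPAC missing a capability it needs, which presents as hard-to-diagnose networking breakage rather than a weakened sandbox — but the rename leaves the checked and unchecked styles side by side in one function, and this is the moment to make them consistent. I would make the network branch mirror the kMediaFoundationCdm handling above it:
```cpp
  // Enable LPAC for Network service.
  if (sandbox_type == SandboxType::kNetwork) {
    if (!container->AddCapability(
            sandbox::WellKnownCapabilities::kPrivateNetworkClientServer) ||
        !container->AddCapability(
            sandbox::WellKnownCapabilities::kInternetClient) ||
        !container->AddCapability(
            sandbox::WellKnownCapabilities::kEnterpriseAuthentication) ||
        !container->AddCapability(L"lpacIdentityServices") ||
        !container->AddCapability(L"lpacCryptoServices")) {
      DLOG(ERROR) << "AppContainer::AddCapability() - "
                  << "SandboxType::kNetwork capabilities failed";
      return SBOX_ERROR_CREATE_APPCONTAINER_CAPABILITY;
    }
    container->SetEnableLowPrivilegeAppContainer(true);
  }
  // ... unchanged: kMediaFoundationCdm LPAC enable and return ...
```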
@@ -891,20 +890,21 @@ ResultCode SandboxWin::AddAppContainerProfileToPolicy(
if (result != SBOX_ALL_OK)
return result;
- scoped_refptr<AppContainerProfile> profile = policy->GetAppContainerProfile();
- result = SetupAppContainerProfile(profile.get(), command_line, sandbox_type);
+ scoped_refptr<AppContainer> container = policy->GetAppContainer();
+ result =
+ SetupAppContainerProfile(container.get(), command_line, sandbox_type);
if (result != SBOX_ALL_OK)
return result;
DWORD granted_access;
BOOL granted_access_status;
bool access_check =
- profile->AccessCheck(command_line.GetProgram().value().c_str(),
- SE_FILE_OBJECT, GENERIC_READ | GENERIC_EXECUTE,
- &granted_access, &granted_access_status) &&
+ container->AccessCheck(command_line.GetProgram().value().c_str(),
+ SE_FILE_OBJECT, GENERIC_READ | GENERIC_EXECUTE,
+ &granted_access, &granted_access_status) &&
granted_access_status;
if (!access_check)
- return SBOX_ERROR_CREATE_APPCONTAINER_PROFILE_ACCESS_CHECK;
+ return SBOX_ERROR_CREATE_APPCONTAINER_ACCESS_CHECK;
return SBOX_ALL_OK;
}
@@ -1213,8 +1213,10 @@ std::string SandboxWin::GetSandboxTypeInEnglish(SandboxType sandbox_type) {
return "CDM";
case SandboxType::kPrintCompositor:
return "Print Compositor";
+#if BUILDFLAG(ENABLE_PRINTING)
case SandboxType::kPrintBackend:
return "Print Backend";
+#endif
case SandboxType::kAudio:
return "Audio";
case SandboxType::kSpeechRecognition:
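Review bot: Wrapping only the `kPrintBackend` case in `#if BUILDFLAG(ENABLE_PRINTING)` leaves the switch in `GetSandboxTypeInEnglish` without a case for that enumerator whenever the enumerator is still declared in a non-printing build, which trips the unhandled-enum warning Chromium treats as an error. This is only safe if `SandboxType::kPrintBackend` is declared under the same build flag in sandbox_type.h, which is not visible here; if it is unconditional, the guard should be dropped rather than the case. `GetSandboxTypeInEnglish` begins and ends outside this hunk.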
diff --git a/chromium/sandbox/policy/win/sandbox_win_unittest.cc b/chromium/sandbox/policy/win/sandbox_win_unittest.cc
index 12ee09f3899..44a6ea71829 100644
--- a/chromium/sandbox/policy/win/sandbox_win_unittest.cc
+++ b/chromium/sandbox/policy/win/sandbox_win_unittest.cc
@@ -26,7 +26,7 @@
#include "sandbox/policy/features.h"
#include "sandbox/policy/sandbox_type.h"
#include "sandbox/policy/switches.h"
-#include "sandbox/win/src/app_container_profile_base.h"
+#include "sandbox/win/src/app_container_base.h"
#include "sandbox/win/src/sandbox_policy.h"
#include "sandbox/win/src/sandbox_policy_diagnostic.h"
#include "sandbox/win/src/sid.h"
@@ -115,22 +115,22 @@ class TestTargetPolicy : public TargetPolicy {
ResultCode AddAppContainerProfile(const wchar_t* package_name,
bool create_profile) override {
if (create_profile) {
- app_container_profile_ =
- AppContainerProfileBase::Create(package_name, L"Sandbox", L"Sandbox");
+ app_container_ =
+ AppContainerBase::CreateProfile(package_name, L"Sandbox", L"Sandbox");
} else {
- app_container_profile_ = AppContainerProfileBase::Open(package_name);
+ app_container_ = AppContainerBase::Open(package_name);
}
- if (!app_container_profile_)
- return SBOX_ERROR_CREATE_APPCONTAINER_PROFILE;
+ if (!app_container_)
+ return SBOX_ERROR_CREATE_APPCONTAINER;
return SBOX_ALL_OK;
}
- scoped_refptr<AppContainerProfile> GetAppContainerProfile() override {
- return app_container_profile_;
+ scoped_refptr<AppContainer> GetAppContainer() override {
+ return app_container_;
}
- scoped_refptr<AppContainerProfileBase> GetAppContainerProfileBase() {
- return app_container_profile_;
+ scoped_refptr<AppContainerBase> GetAppContainerBase() {
+ return app_container_;
}
void SetEffectiveToken(HANDLE token) override {}
@@ -143,7 +143,7 @@ class TestTargetPolicy : public TargetPolicy {
private:
std::vector<std::wstring> blocklisted_dlls_;
- scoped_refptr<AppContainerProfileBase> app_container_profile_;
+ scoped_refptr<AppContainerBase> app_container_;
};
std::vector<Sid> GetCapabilitySids(
@@ -196,7 +196,7 @@ void EqualSidList(const std::vector<Sid>& left, const std::vector<Sid>& right) {
}
void CheckCapabilities(
- AppContainerProfileBase* profile,
+ AppContainerBase* profile,
const std::initializer_list<std::wstring>& additional_capabilities) {
auto additional_caps = GetCapabilitySids(additional_capabilities);
auto impersonation_caps =
@@ -234,7 +234,7 @@ class SandboxWinTest : public ::testing::Test {
const base::CommandLine& base_command_line,
bool access_check_fail,
SandboxType sandbox_type,
- scoped_refptr<AppContainerProfileBase>* profile) {
+ scoped_refptr<AppContainerBase>* profile) {
base::FilePath path;
base::CommandLine command_line(base_command_line);
@@ -249,7 +249,7 @@ class SandboxWinTest : public ::testing::Test {
ResultCode result = SandboxWin::AddAppContainerProfileToPolicy(
command_line, sandbox_type, kAppContainerId, &policy);
if (result == SBOX_ALL_OK)
- *profile = policy.GetAppContainerProfileBase();
+ *profile = policy.GetAppContainerBase();
return result;
}
@@ -276,10 +276,10 @@ TEST_F(SandboxWinTest, AppContainerAccessCheckFail) {
if (base::win::GetVersion() < base::win::Version::WIN10_RS1)
return;
base::CommandLine command_line(base::CommandLine::NO_PROGRAM);
- scoped_refptr<AppContainerProfileBase> profile;
+ scoped_refptr<AppContainerBase> profile;
ResultCode result = CreateAppContainerProfile(command_line, true,
SandboxType::kGpu, &profile);
- EXPECT_EQ(SBOX_ERROR_CREATE_APPCONTAINER_PROFILE_ACCESS_CHECK, result);
+ EXPECT_EQ(SBOX_ERROR_CREATE_APPCONTAINER_ACCESS_CHECK, result);
EXPECT_EQ(nullptr, profile);
}
@@ -287,7 +287,7 @@ TEST_F(SandboxWinTest, AppContainerCheckProfile) {
if (base::win::GetVersion() < base::win::Version::WIN10_RS1)
return;
base::CommandLine command_line(base::CommandLine::NO_PROGRAM);
- scoped_refptr<AppContainerProfileBase> profile;
+ scoped_refptr<AppContainerBase> profile;
ResultCode result = CreateAppContainerProfile(command_line, false,
SandboxType::kGpu, &profile);
ASSERT_EQ(SBOX_ALL_OK, result);
@@ -306,7 +306,7 @@ TEST_F(SandboxWinTest, AppContainerCheckProfileDisableLpac) {
base::CommandLine command_line(base::CommandLine::NO_PROGRAM);
base::test::ScopedFeatureList features;
features.InitAndDisableFeature(features::kGpuLPAC);
- scoped_refptr<AppContainerProfileBase> profile;
+ scoped_refptr<AppContainerBase> profile;
ResultCode result = CreateAppContainerProfile(command_line, false,
SandboxType::kGpu, &profile);
ASSERT_EQ(SBOX_ALL_OK, result);
@@ -320,7 +320,7 @@ TEST_F(SandboxWinTest, AppContainerCheckProfileAddCapabilities) {
base::CommandLine command_line(base::CommandLine::NO_PROGRAM);
command_line.AppendSwitchASCII(switches::kAddGpuAppContainerCaps,
" cap1 , cap2 ,");
- scoped_refptr<AppContainerProfileBase> profile;
+ scoped_refptr<AppContainerBase> profile;
ResultCode result = CreateAppContainerProfile(command_line, false,
SandboxType::kGpu, &profile);
ASSERT_EQ(SBOX_ALL_OK, result);
diff --git a/chromium/sandbox/win/BUILD.gn b/chromium/sandbox/win/BUILD.gn
index 56b81d5ce27..2dd5ef90d4b 100644
--- a/chromium/sandbox/win/BUILD.gn
+++ b/chromium/sandbox/win/BUILD.gn
@@ -13,9 +13,9 @@ static_library("sandbox") {
sources = [
"src/acl.cc",
"src/acl.h",
- "src/app_container_profile.h",
- "src/app_container_profile_base.cc",
- "src/app_container_profile_base.h",
+ "src/app_container.h",
+ "src/app_container_base.cc",
+ "src/app_container_base.h",
"src/broker_services.cc",
"src/broker_services.h",
"src/crosscall_client.h",
@@ -95,8 +95,6 @@ static_library("sandbox") {
"src/restricted_token_utils.h",
"src/sandbox.cc",
"src/sandbox.h",
- "src/sandbox_constants.cc",
- "src/sandbox_constants.h",
"src/sandbox_factory.h",
"src/sandbox_globals.cc",
"src/sandbox_nt_types.h",
@@ -184,11 +182,18 @@ static_library("sandbox") {
configs += [ "//build/config:precompiled_headers" ]
+ public_deps = [ "//base" ]
+
deps = [
- "//base",
"//base:base_static",
"//sandbox:common",
]
+
+ # NACL on 32-bit builds this target twice, once for 64-bit and once for 32-bit
+ # so avoid this dep from running twice with the same output in that case.
+ if (current_cpu == target_cpu) {
+ deps += [ ":set_appcontainer_acls" ]
+ }
}
test("sbox_integration_tests") {
@@ -247,6 +252,20 @@ shared_library("sbox_integration_test_hijack_dll") {
"tests/integration_tests/hijack_dll.cc",
"tests/integration_tests/hijack_dll.def",
]
+
+ deps = [ ":set_appcontainer_acls" ]
+}
+
+action("set_appcontainer_acls") {
+ script = "//build/win/set_appcontainer_acls.py"
+ stamp_file = "$target_out_dir/acls.stamp"
+ inputs = [ script ]
+ outputs = [ stamp_file ]
+
+ args = [
+ "--stamp=" + rebase_path(stamp_file, root_out_dir),
+ "--dir=" + rebase_path(root_out_dir, root_out_dir),
+ ]
}
loadable_module("sbox_integration_test_hijack_shim_dll") {
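Review bot: The `set_appcontainer_acls` action lists only the script as an input and writes a stamp, so it runs once and is not re-run when binaries in `root_out_dir` are built or rebuilt later; being a dep of `sandbox` and `sbox_integration_test_hijack_dll`, it runs before those outputs exist. That is only correct if the script puts an inheritable ACE on the directory so later files inherit it, and the script is not visible here, so the assumption deserves a comment on the action, e.g. `# Runs once: the script must set an inheritable ACE on root_out_dir so binaries built afterwards inherit it.` Also `rebase_path(root_out_dir, root_out_dir)` always evaluates to `.`, which works because actions run from root_out_dir but reads as if it were meaningful; `"--dir=."` with a short comment states the intent directly.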
diff --git a/chromium/sandbox/win/sandbox_poc/main_ui_window.h b/chromium/sandbox/win/sandbox_poc/main_ui_window.h
index 29f3b657af1..2287128a728 100644
--- a/chromium/sandbox/win/sandbox_poc/main_ui_window.h
+++ b/chromium/sandbox/win/sandbox_poc/main_ui_window.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SANDBOX_POC_MAIN_UI_WINDOW_H__
-#define SANDBOX_SANDBOX_POC_MAIN_UI_WINDOW_H__
+#ifndef SANDBOX_WIN_SANDBOX_POC_MAIN_UI_WINDOW_H_
+#define SANDBOX_WIN_SANDBOX_POC_MAIN_UI_WINDOW_H_
#include <windows.h>
@@ -191,4 +191,4 @@ class MainUIWindow {
DISALLOW_COPY_AND_ASSIGN(MainUIWindow);
};
-#endif // SANDBOX_SANDBOX_POC_MAIN_UI_WINDOW_H__
+#endif // SANDBOX_WIN_SANDBOX_POC_MAIN_UI_WINDOW_H_
diff --git a/chromium/sandbox/win/sandbox_poc/pocdll/exports.h b/chromium/sandbox/win/sandbox_poc/pocdll/exports.h
index 66a07d6b78b..fb90bcc0a44 100644
--- a/chromium/sandbox/win/sandbox_poc/pocdll/exports.h
+++ b/chromium/sandbox/win/sandbox_poc/pocdll/exports.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SANDBOX_POC_POCDLL_EXPORTS_H__
-#define SANDBOX_SANDBOX_POC_POCDLL_EXPORTS_H__
+#ifndef SANDBOX_WIN_SANDBOX_POC_POCDLL_EXPORTS_H_
+#define SANDBOX_WIN_SANDBOX_POC_POCDLL_EXPORTS_H_
#include <windows.h>
@@ -86,4 +86,4 @@ void POCDLL_API TestSpyScreen(HANDLE log);
void POCDLL_API Run(HANDLE log);
}
-#endif // SANDBOX_SANDBOX_POC_POCDLL_EXPORTS_H__
+#endif // SANDBOX_WIN_SANDBOX_POC_POCDLL_EXPORTS_H_
diff --git a/chromium/sandbox/win/sandbox_poc/pocdll/ntundoc.h b/chromium/sandbox/win/sandbox_poc/pocdll/ntundoc.h
index dc8c3a57cb1..f06b47a4a89 100644
--- a/chromium/sandbox/win/sandbox_poc/pocdll/ntundoc.h
+++ b/chromium/sandbox/win/sandbox_poc/pocdll/ntundoc.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_TOOLS_FINDER_NTUNDOC_H__
-#define SANDBOX_TOOLS_FINDER_NTUNDOC_H__
+#ifndef SANDBOX_WIN_SANDBOX_POC_POCDLL_NTUNDOC_H_
+#define SANDBOX_WIN_SANDBOX_POC_POCDLL_NTUNDOC_H_
#define NTSTATUS ULONG
#define STATUS_SUCCESS 0x00000000
@@ -272,4 +272,4 @@ typedef NTSTATUS (WINAPI* NTCLOSE) (HANDLE);
#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008
#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)
-#endif // SANDBOX_TOOLS_FINDER_NTUNDOC_H__
+#endif // SANDBOX_WIN_SANDBOX_POC_POCDLL_NTUNDOC_H_
diff --git a/chromium/sandbox/win/sandbox_poc/pocdll/utils.h b/chromium/sandbox/win/sandbox_poc/pocdll/utils.h
index d8fd31f7fe0..09c4d2e6670 100644
--- a/chromium/sandbox/win/sandbox_poc/pocdll/utils.h
+++ b/chromium/sandbox/win/sandbox_poc/pocdll/utils.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SANDBOX_POC_POCDLL_UTILS_H__
-#define SANDBOX_SANDBOX_POC_POCDLL_UTILS_H__
+#ifndef SANDBOX_WIN_SANDBOX_POC_POCDLL_UTILS_H_
+#define SANDBOX_WIN_SANDBOX_POC_POCDLL_UTILS_H_
#include <stdio.h>
#include <io.h>
@@ -61,4 +61,4 @@ class HandleToFile {
DISALLOW_COPY_AND_ASSIGN(HandleToFile);
};
-#endif // SANDBOX_SANDBOX_POC_POCDLL_UTILS_H__
+#endif // SANDBOX_WIN_SANDBOX_POC_POCDLL_UTILS_H_
diff --git a/chromium/sandbox/win/sandbox_poc/sandbox.h b/chromium/sandbox/win/sandbox_poc/sandbox.h
index 65c09a119fa..65991a286ac 100644
--- a/chromium/sandbox/win/sandbox_poc/sandbox.h
+++ b/chromium/sandbox/win/sandbox_poc/sandbox.h
@@ -2,9 +2,9 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SANDBOX_POC_SANDBOX_H__
-#define SANDBOX_SANDBOX_POC_SANDBOX_H__
+#ifndef SANDBOX_WIN_SANDBOX_POC_SANDBOX_H_
+#define SANDBOX_WIN_SANDBOX_POC_SANDBOX_H_
#include "sandbox/win/sandbox_poc/resource.h"
-#endif // SANDBOX_SANDBOX_POC_SANDBOX_H__
+#endif // SANDBOX_WIN_SANDBOX_POC_SANDBOX_H_
diff --git a/chromium/sandbox/win/src/acl.h b/chromium/sandbox/win/src/acl.h
index 194edb09881..e1e97c21a18 100644
--- a/chromium/sandbox/win/src/acl.h
+++ b/chromium/sandbox/win/src/acl.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_ACL_H_
-#define SANDBOX_SRC_ACL_H_
+#ifndef SANDBOX_WIN_SRC_ACL_H_
+#define SANDBOX_WIN_SRC_ACL_H_
#include <accctrl.h>
#include <windows.h>
@@ -61,4 +61,4 @@ bool ReplacePackageSidInDacl(HANDLE object,
} // namespace sandbox
-#endif // SANDBOX_SRC_ACL_H_
+#endif // SANDBOX_WIN_SRC_ACL_H_
diff --git a/chromium/sandbox/win/src/app_container_profile.h b/chromium/sandbox/win/src/app_container.h
index c95c68e5526..73f71c17384 100644
--- a/chromium/sandbox/win/src/app_container_profile.h
+++ b/chromium/sandbox/win/src/app_container.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_APP_CONTAINER_PROFILE_H_
-#define SANDBOX_SRC_APP_CONTAINER_PROFILE_H_
+#ifndef SANDBOX_WIN_SRC_APP_CONTAINER_H_
+#define SANDBOX_WIN_SRC_APP_CONTAINER_H_
#include <windows.h>
@@ -15,7 +15,9 @@
namespace sandbox {
-class AppContainerProfile {
+enum AppContainerType { kNone, kDerived, kProfile, kLowbox };
+
+class AppContainer {
public:
// Increments the reference count of this object. The reference count must
// be incremented if this interface is given to another component.
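Review bot: `AppContainerType` is an unscoped enum in `namespace sandbox`, so `kNone`, `kDerived`, `kProfile` and `kLowbox` become namespace-scope names that can collide with other sandbox enumerators (`kNone` in particular is a common name). Every use in this change already qualifies the enumerator (`AppContainerType::kProfile`, `AppContainerType::kLowbox`), so `enum class AppContainerType { kNone, kDerived, kProfile, kLowbox };` is a drop-in change. The enum is also undocumented; a one-line comment per enumerator — profile created through CreateAppContainerProfile, SID derived from a package name without creating a profile, lowbox built from a raw SID string — would help, since in app_container_base.cc the type decides how `BuildLowBoxToken` builds the token.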
@@ -67,8 +69,10 @@ class AppContainerProfile {
// Enable Low Privilege AC.
virtual void SetEnableLowPrivilegeAppContainer(bool enable) = 0;
virtual bool GetEnableLowPrivilegeAppContainer() = 0;
+
+ virtual AppContainerType GetAppContainerType() = 0;
};
} // namespace sandbox
-#endif // SANDBOX_SRC_APP_CONTAINER_PROFILE_H_
+#endif // SANDBOX_WIN_SRC_APP_CONTAINER_H_
diff --git a/chromium/sandbox/win/src/app_container_profile_base.cc b/chromium/sandbox/win/src/app_container_base.cc
index 411ff62db9c..ca99779109b 100644
--- a/chromium/sandbox/win/src/app_container_profile_base.cc
+++ b/chromium/sandbox/win/src/app_container_base.cc
@@ -5,12 +5,14 @@
#include <memory>
#include <aclapi.h>
+#include <sddl.h>
#include <userenv.h>
#include "base/strings/stringprintf.h"
#include "base/win/scoped_co_mem.h"
#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/app_container_profile_base.h"
+#include "sandbox/win/src/acl.h"
+#include "sandbox/win/src/app_container_base.h"
#include "sandbox/win/src/restricted_token_utils.h"
#include "sandbox/win/src/win_utils.h"
@@ -79,10 +81,9 @@ class ScopedImpersonation {
} // namespace
// static
-AppContainerProfileBase* AppContainerProfileBase::Create(
- const wchar_t* package_name,
- const wchar_t* display_name,
- const wchar_t* description) {
+AppContainerBase* AppContainerBase::CreateProfile(const wchar_t* package_name,
+ const wchar_t* display_name,
+ const wchar_t* description) {
static auto create_app_container_profile =
reinterpret_cast<CreateAppContainerProfileFunc*>(GetProcAddress(
GetModuleHandle(L"userenv"), "CreateAppContainerProfile"));
@@ -98,12 +99,11 @@ AppContainerProfileBase* AppContainerProfileBase::Create(
if (FAILED(hr))
return nullptr;
std::unique_ptr<void, FreeSidDeleter> sid_deleter(package_sid);
- return new AppContainerProfileBase(Sid(package_sid));
+ return new AppContainerBase(Sid(package_sid), AppContainerType::kProfile);
}
// static
-AppContainerProfileBase* AppContainerProfileBase::Open(
- const wchar_t* package_name) {
+AppContainerBase* AppContainerBase::Open(const wchar_t* package_name) {
static auto derive_app_container_sid =
reinterpret_cast<DeriveAppContainerSidFromAppContainerNameFunc*>(
GetProcAddress(GetModuleHandle(L"userenv"),
@@ -117,11 +117,21 @@ AppContainerProfileBase* AppContainerProfileBase::Open(
return nullptr;
std::unique_ptr<void, FreeSidDeleter> sid_deleter(package_sid);
- return new AppContainerProfileBase(Sid(package_sid));
+ return new AppContainerBase(Sid(package_sid), AppContainerType::kDerived);
}
// static
-bool AppContainerProfileBase::Delete(const wchar_t* package_name) {
+AppContainerBase* AppContainerBase::CreateLowbox(const wchar_t* sid) {
+ PSID package_sid;
+ if (!ConvertStringSidToSid(sid, &package_sid))
+ return nullptr;
+
+ std::unique_ptr<void, LocalFreeDeleter> sid_deleter(package_sid);
+ return new AppContainerBase(Sid(package_sid), AppContainerType::kLowbox);
+}
+
+// static
+bool AppContainerBase::Delete(const wchar_t* package_name) {
static auto delete_app_container_profile =
reinterpret_cast<DeleteAppContainerProfileFunc*>(GetProcAddress(
GetModuleHandle(L"userenv"), "DeleteAppContainerProfile"));
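Review bot: `CreateLowbox` accepts any SDDL SID string that `ConvertStringSidToSid` will parse, not only an AppContainer package SID, and a null `sid` is passed straight through to the Win32 call. Whether `CreateLowBoxToken` later rejects a non-package SID is not visible here; checking up front that `sid` is non-null and that the parsed SID carries the application-package authority (the `S-1-15-2-…` form) and returning nullptr otherwise keeps the failure local instead of building a "lowbox" around an arbitrary SID. At minimum `if (!sid || !ConvertStringSidToSid(sid, &package_sid)) return nullptr;` plus a comment stating the expected SID form.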
@@ -131,19 +141,21 @@ bool AppContainerProfileBase::Delete(const wchar_t* package_name) {
return SUCCEEDED(delete_app_container_profile(package_name));
}
-AppContainerProfileBase::AppContainerProfileBase(const Sid& package_sid)
+AppContainerBase::AppContainerBase(const Sid& package_sid,
+ AppContainerType type)
: ref_count_(0),
package_sid_(package_sid),
- enable_low_privilege_app_container_(false) {}
+ enable_low_privilege_app_container_(false),
+ type_(type) {}
-AppContainerProfileBase::~AppContainerProfileBase() {}
+AppContainerBase::~AppContainerBase() {}
-void AppContainerProfileBase::AddRef() {
+void AppContainerBase::AddRef() {
// ref_count starts at 0 for this class so can increase from 0 (once).
CHECK(::InterlockedIncrement(&ref_count_) > 0);
}
-void AppContainerProfileBase::Release() {
+void AppContainerBase::Release() {
LONG result = ::InterlockedDecrement(&ref_count_);
CHECK(result >= 0);
if (result == 0) {
@@ -151,9 +163,8 @@ void AppContainerProfileBase::Release() {
}
}
-bool AppContainerProfileBase::GetRegistryLocation(
- REGSAM desired_access,
- base::win::ScopedHandle* key) {
+bool AppContainerBase::GetRegistryLocation(REGSAM desired_access,
+ base::win::ScopedHandle* key) {
static GetAppContainerRegistryLocationFunc*
get_app_container_registry_location =
reinterpret_cast<GetAppContainerRegistryLocationFunc*>(GetProcAddress(
@@ -162,7 +173,7 @@ bool AppContainerProfileBase::GetRegistryLocation(
return false;
base::win::ScopedHandle token;
- if (!BuildLowBoxToken(&token))
+ if (BuildLowBoxToken(&token) != SBOX_ALL_OK)
return false;
ScopedImpersonation impersonation(token);
@@ -173,7 +184,7 @@ bool AppContainerProfileBase::GetRegistryLocation(
return true;
}
-bool AppContainerProfileBase::GetFolderPath(base::FilePath* file_path) {
+bool AppContainerBase::GetFolderPath(base::FilePath* file_path) {
static GetAppContainerFolderPathFunc* get_app_container_folder_path =
reinterpret_cast<GetAppContainerFolderPathFunc*>(GetProcAddress(
GetModuleHandle(L"userenv"), "GetAppContainerFolderPath"));
@@ -189,8 +200,8 @@ bool AppContainerProfileBase::GetFolderPath(base::FilePath* file_path) {
return true;
}
-bool AppContainerProfileBase::GetPipePath(const wchar_t* pipe_name,
- base::FilePath* pipe_path) {
+bool AppContainerBase::GetPipePath(const wchar_t* pipe_name,
+ base::FilePath* pipe_path) {
std::wstring sddl_str;
if (!package_sid_.ToSddlString(&sddl_str))
return false;
@@ -199,11 +210,11 @@ bool AppContainerProfileBase::GetPipePath(const wchar_t* pipe_name,
return true;
}
-bool AppContainerProfileBase::AccessCheck(const wchar_t* object_name,
- SE_OBJECT_TYPE object_type,
- DWORD desired_access,
- DWORD* granted_access,
- BOOL* access_status) {
+bool AppContainerBase::AccessCheck(const wchar_t* object_name,
+ SE_OBJECT_TYPE object_type,
+ DWORD desired_access,
+ DWORD* granted_access,
+ BOOL* access_status) {
GENERIC_MAPPING generic_mapping;
if (!GetGenericMappingForType(object_type, &generic_mapping))
return false;
@@ -248,7 +259,7 @@ bool AppContainerProfileBase::AccessCheck(const wchar_t* object_name,
DWORD priv_set_length = sizeof(PRIVILEGE_SET);
base::win::ScopedHandle token;
- if (!BuildLowBoxToken(&token))
+ if (BuildLowBoxToken(&token) != SBOX_ALL_OK)
return false;
return !!::AccessCheck(sd, token.Get(), desired_access, &generic_mapping,
@@ -256,20 +267,20 @@ bool AppContainerProfileBase::AccessCheck(const wchar_t* object_name,
access_status);
}
-bool AppContainerProfileBase::AddCapability(const wchar_t* capability_name) {
+bool AppContainerBase::AddCapability(const wchar_t* capability_name) {
return AddCapability(Sid::FromNamedCapability(capability_name), false);
}
-bool AppContainerProfileBase::AddCapability(WellKnownCapabilities capability) {
+bool AppContainerBase::AddCapability(WellKnownCapabilities capability) {
return AddCapability(Sid::FromKnownCapability(capability), false);
}
-bool AppContainerProfileBase::AddCapabilitySddl(const wchar_t* sddl_sid) {
+bool AppContainerBase::AddCapabilitySddl(const wchar_t* sddl_sid) {
return AddCapability(Sid::FromSddlString(sddl_sid), false);
}
-bool AppContainerProfileBase::AddCapability(const Sid& capability_sid,
- bool impersonation_only) {
+bool AppContainerBase::AddCapability(const Sid& capability_sid,
+ bool impersonation_only) {
if (!capability_sid.IsValid())
return false;
if (!impersonation_only)
@@ -278,52 +289,81 @@ bool AppContainerProfileBase::AddCapability(const Sid& capability_sid,
return true;
}
-bool AppContainerProfileBase::AddImpersonationCapability(
+bool AppContainerBase::AddImpersonationCapability(
const wchar_t* capability_name) {
return AddCapability(Sid::FromNamedCapability(capability_name), true);
}
-bool AppContainerProfileBase::AddImpersonationCapability(
+bool AppContainerBase::AddImpersonationCapability(
WellKnownCapabilities capability) {
return AddCapability(Sid::FromKnownCapability(capability), true);
}
-bool AppContainerProfileBase::AddImpersonationCapabilitySddl(
- const wchar_t* sddl_sid) {
+bool AppContainerBase::AddImpersonationCapabilitySddl(const wchar_t* sddl_sid) {
return AddCapability(Sid::FromSddlString(sddl_sid), true);
}
-const std::vector<Sid>& AppContainerProfileBase::GetCapabilities() {
+const std::vector<Sid>& AppContainerBase::GetCapabilities() {
return capabilities_;
}
-const std::vector<Sid>&
-AppContainerProfileBase::GetImpersonationCapabilities() {
+const std::vector<Sid>& AppContainerBase::GetImpersonationCapabilities() {
return impersonation_capabilities_;
}
-Sid AppContainerProfileBase::GetPackageSid() const {
+Sid AppContainerBase::GetPackageSid() const {
return package_sid_;
}
-void AppContainerProfileBase::SetEnableLowPrivilegeAppContainer(bool enable) {
+void AppContainerBase::SetEnableLowPrivilegeAppContainer(bool enable) {
enable_low_privilege_app_container_ = enable;
}
-bool AppContainerProfileBase::GetEnableLowPrivilegeAppContainer() {
+bool AppContainerBase::GetEnableLowPrivilegeAppContainer() {
return enable_low_privilege_app_container_;
}
+AppContainerType AppContainerBase::GetAppContainerType() {
+ return type_;
+}
+
std::unique_ptr<SecurityCapabilities>
-AppContainerProfileBase::GetSecurityCapabilities() {
- return std::unique_ptr<SecurityCapabilities>(
- new SecurityCapabilities(package_sid_, capabilities_));
+AppContainerBase::GetSecurityCapabilities() {
+ return std::make_unique<SecurityCapabilities>(package_sid_, capabilities_);
}
-bool AppContainerProfileBase::BuildLowBoxToken(base::win::ScopedHandle* token) {
- return CreateLowBoxToken(nullptr, IMPERSONATION,
- GetSecurityCapabilities().get(), nullptr, 0,
- token) == ERROR_SUCCESS;
+ResultCode AppContainerBase::BuildLowBoxToken(
+ base::win::ScopedHandle* token,
+ base::win::ScopedHandle* lockdown) {
+ if (type_ == AppContainerType::kLowbox) {
+ if (!lowbox_directory_.IsValid()) {
+ DWORD result = CreateLowBoxObjectDirectory(package_sid_.GetPSID(), true,
+ &lowbox_directory_);
+ DCHECK(result == ERROR_SUCCESS);
+ }
+
+ // The order of handles isn't important in the CreateLowBoxToken call.
+ // The kernel will maintain a reference to the object directory handle.
+ HANDLE saved_handles[1] = {lowbox_directory_.Get()};
+ DWORD saved_handles_count = lowbox_directory_.IsValid() ? 1 : 0;
+
+ if (CreateLowBoxToken(lockdown->Get(), PRIMARY,
+ GetSecurityCapabilities().get(), saved_handles,
+ saved_handles_count, token) != ERROR_SUCCESS) {
+ return SBOX_ERROR_CANNOT_CREATE_LOWBOX_TOKEN;
+ }
+
+ if (!ReplacePackageSidInDacl(token->Get(), SE_KERNEL_OBJECT, package_sid_,
+ TOKEN_ALL_ACCESS)) {
+ return SBOX_ERROR_CANNOT_MODIFY_LOWBOX_TOKEN_DACL;
+ }
+ } else if (CreateLowBoxToken(nullptr, IMPERSONATION,
+ GetSecurityCapabilities().get(), nullptr, 0,
+ token) != ERROR_SUCCESS) {
+ return SBOX_ERROR_CANNOT_CREATE_LOWBOX_IMPERSONATION_TOKEN;
+ }
+
+ return SBOX_ALL_OK;
}
} // namespace sandbox
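Review bot: In the `kLowbox` branch of `BuildLowBoxToken` the `lockdown` pointer is dereferenced (`lockdown->Get()`) although the header defaults it to nullptr, and `GetRegistryLocation` and `AccessCheck` in this file call `BuildLowBoxToken(&token)` with that default; for a container made by `CreateLowbox` that is a null dereference, not an error. Whether any caller currently does this is not visible here, but the public signature permits it, so the branch should reject a missing lockdown token (or, if a null base token is intended to be allowed, pass `lockdown ? lockdown->Get() : nullptr`). Separately, a failed `CreateLowBoxObjectDirectory` is only caught by a `DCHECK`; in release builds it falls through, `saved_handles_count` becomes 0, and a token is built without its lowbox object directory, silently yielding a different sandbox than requested — that should be a hard error, reusing `SBOX_ERROR_CANNOT_CREATE_LOWBOX_TOKEN` or a dedicated code if one exists.
```cpp
  if (type_ == AppContainerType::kLowbox) {
    // A lowbox token is derived from the policy's lockdown token; callers that
    // only need an impersonation token must not use a kLowbox container.
    if (!lockdown || !lockdown->IsValid())
      return SBOX_ERROR_BAD_PARAMS;
    if (!lowbox_directory_.IsValid()) {
      DWORD result = CreateLowBoxObjectDirectory(package_sid_.GetPSID(), true,
                                                 &lowbox_directory_);
      if (result != ERROR_SUCCESS)
        return SBOX_ERROR_CANNOT_CREATE_LOWBOX_TOKEN;
    }
    // … unchanged: saved_handles, CreateLowBoxToken, ReplacePackageSidInDacl …
```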
diff --git a/chromium/sandbox/win/src/app_container_profile_base.h b/chromium/sandbox/win/src/app_container_base.h
index 35fb4efdf57..44a87ef101d 100644
--- a/chromium/sandbox/win/src/app_container_profile_base.h
+++ b/chromium/sandbox/win/src/app_container_base.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_APP_CONTAINER_PROFILE_BASE_H_
-#define SANDBOX_SRC_APP_CONTAINER_PROFILE_BASE_H_
+#ifndef SANDBOX_WIN_SRC_APP_CONTAINER_BASE_H_
+#define SANDBOX_WIN_SRC_APP_CONTAINER_BASE_H_
#include <windows.h>
@@ -15,13 +15,14 @@
#include "base/files/file_path.h"
#include "base/memory/ref_counted.h"
#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/app_container_profile.h"
+#include "sandbox/win/src/app_container.h"
+#include "sandbox/win/src/sandbox_types.h"
#include "sandbox/win/src/security_capabilities.h"
#include "sandbox/win/src/sid.h"
namespace sandbox {
-class AppContainerProfileBase final : public AppContainerProfile {
+class AppContainerBase final : public AppContainer {
public:
void AddRef() override;
void Release() override;
@@ -43,6 +44,7 @@ class AppContainerProfileBase final : public AppContainerProfile {
bool AddImpersonationCapabilitySddl(const wchar_t* sddl_sid) override;
void SetEnableLowPrivilegeAppContainer(bool enable) override;
bool GetEnableLowPrivilegeAppContainer() override;
+ AppContainerType GetAppContainerType() override;
// Get the package SID for this AC.
Sid GetPackageSid() const;
@@ -57,26 +59,33 @@ class AppContainerProfileBase final : public AppContainerProfile {
// a more privileged token to start.
const std::vector<Sid>& GetImpersonationCapabilities();
- // Creates a new AppContainerProfile object. This will create a new profile
+ // Creates a new AppContainer object. This will create a new profile
// if it doesn't already exist. The profile must be deleted manually using
// the Delete method if it's no longer required.
- static AppContainerProfileBase* Create(const wchar_t* package_name,
+ static AppContainerBase* CreateProfile(const wchar_t* package_name,
const wchar_t* display_name,
const wchar_t* description);
- // Opens an AppContainerProfile object. No checks will be made on
+ // Opens a derived AppContainer object. No checks will be made on
// whether the package exists or not.
- static AppContainerProfileBase* Open(const wchar_t* package_name);
+ static AppContainerBase* Open(const wchar_t* package_name);
+
+ // Creates a new Lowbox object. Need to followup with a call to build lowbox
+ // token
+ static AppContainerBase* CreateLowbox(const wchar_t* sid);
// Delete a profile based on name. Returns true if successful, or if the
// package doesn't already exist.
static bool Delete(const wchar_t* package_name);
+ // Build the token for the lowbox
+ ResultCode BuildLowBoxToken(base::win::ScopedHandle* token,
+ base::win::ScopedHandle* lockdown = nullptr);
+
private:
- AppContainerProfileBase(const Sid& package_sid);
- ~AppContainerProfileBase();
+ AppContainerBase(const Sid& package_sid, AppContainerType type);
+ ~AppContainerBase();
- bool BuildLowBoxToken(base::win::ScopedHandle* token);
bool AddCapability(const Sid& capability_sid, bool impersonation_only);
// Standard object-lifetime reference counter.
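Review bot: The comment on `CreateLowbox` ("Need to followup with a call to build lowbox token") does not say what `sid` is or what the follow-up requires, and the new `lockdown` parameter of the now-public `BuildLowBoxToken` is undocumented even though the .cc dereferences it for lowbox containers. Suggested wording for `CreateLowbox`: `// Creates a lowbox AppContainer from an SDDL package SID string. Returns nullptr if the string does not parse; the token is built later by BuildLowBoxToken.` For `BuildLowBoxToken`: `// Builds the token for this container. For kLowbox containers |lockdown| is required and is used as the base token for a PRIMARY token; for other types an IMPERSONATION token is built with a null base token and |lockdown| is ignored.` A note on `lowbox_directory_` that it is created lazily on the first BuildLowBoxToken call and cached for the object's lifetime would also help readers.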
@@ -85,10 +94,12 @@ class AppContainerProfileBase final : public AppContainerProfile {
bool enable_low_privilege_app_container_;
std::vector<Sid> capabilities_;
std::vector<Sid> impersonation_capabilities_;
+ AppContainerType type_;
+ base::win::ScopedHandle lowbox_directory_;
- DISALLOW_COPY_AND_ASSIGN(AppContainerProfileBase);
+ DISALLOW_COPY_AND_ASSIGN(AppContainerBase);
};
} // namespace sandbox
-#endif // SANDBOX_SRC_APP_CONTAINER_PROFILE_BASE_H_
+#endif // SANDBOX_WIN_SRC_APP_CONTAINER_BASE_H_
diff --git a/chromium/sandbox/win/src/app_container_test.cc b/chromium/sandbox/win/src/app_container_test.cc
index a6c0948a942..3e231971cd3 100644
--- a/chromium/sandbox/win/src/app_container_test.cc
+++ b/chromium/sandbox/win/src/app_container_test.cc
@@ -10,12 +10,19 @@
#include <string>
#include <vector>
+#include "base/command_line.h"
+#include "base/files/file_path.h"
+#include "base/hash/sha1.h"
+#include "base/logging.h"
#include "base/rand_util.h"
+#include "base/scoped_native_library.h"
+#include "base/strings/strcat.h"
#include "base/strings/stringprintf.h"
+#include "base/strings/utf_string_conversions.h"
#include "base/win/scoped_handle.h"
#include "base/win/scoped_process_information.h"
#include "base/win/windows_version.h"
-#include "sandbox/win/src/app_container_profile_base.h"
+#include "sandbox/win/src/app_container_base.h"
#include "sandbox/win/src/sync_policy_test.h"
#include "sandbox/win/src/win_utils.h"
#include "sandbox/win/tests/common/controller.h"
@@ -137,7 +144,63 @@ void CheckLpacToken(HANDLE process) {
ASSERT_EQ(DWORD{2}, granted_access);
}
-class AppContainerProfileTest : public ::testing::Test {
+// Generate a unique sandbox AC profile for the appcontainer based on the SHA1
+// hash of the appcontainer_id. This does not need to be secure so using SHA1
+// isn't a security concern.
+std::wstring GetAppContainerProfileName() {
+ std::string sandbox_base_name = std::string("cr.sb.net");
+ std::string appcontainer_id = base::WideToUTF8(
+ base::CommandLine::ForCurrentProcess()->GetProgram().value());
+ auto sha1 = base::SHA1HashString(appcontainer_id);
+ std::string profile_name = base::StrCat(
+ {sandbox_base_name, base::HexEncode(sha1.data(), sha1.size())});
+ // CreateAppContainerProfile requires that the profile name is at most 64
+ // characters but 50 on WCOS systems. The size of sha1 is a constant 40, so
+ // validate that the base names are sufficiently short that the total length
+ // is valid on all systems.
+ DCHECK_LE(profile_name.length(), 50U);
+ return base::UTF8ToWide(profile_name);
+}
+
+// Adds an app container policy similar to network service.
+ResultCode AddNetworkAppContainerPolicy(TargetPolicy* policy) {
+ std::wstring profile_name = GetAppContainerProfileName();
+ ResultCode ret = policy->AddAppContainerProfile(profile_name.c_str(), true);
+ if (SBOX_ALL_OK != ret)
+ return ret;
+ ret = policy->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED);
+ if (SBOX_ALL_OK != ret)
+ return ret;
+ scoped_refptr<AppContainer> app_container = policy->GetAppContainer();
+
+ constexpr const wchar_t* kBaseCapsSt[] = {
+ L"lpacChromeInstallFiles", L"registryRead", L"lpacIdentityServices",
+ L"lpacCryptoServices"};
+ constexpr const WellKnownCapabilities kBaseCapsWK[] = {
+ WellKnownCapabilities::kPrivateNetworkClientServer,
+ WellKnownCapabilities::kInternetClient,
+ WellKnownCapabilities::kEnterpriseAuthentication};
+
+ for (const auto* cap : kBaseCapsSt) {
+ if (!app_container->AddCapability(cap)) {
+ DLOG(ERROR) << "AppContainerProfile::AddCapability() failed";
+ return SBOX_ERROR_CREATE_APPCONTAINER_CAPABILITY;
+ }
+ }
+
+ for (const auto cap : kBaseCapsWK) {
+ if (!app_container->AddCapability(cap)) {
+ DLOG(ERROR) << "AppContainerProfile::AddCapability() failed";
+ return SBOX_ERROR_CREATE_APPCONTAINER_CAPABILITY;
+ }
+ }
+
+ app_container->SetEnableLowPrivilegeAppContainer(true);
+
+ return SBOX_ALL_OK;
+}
+
+class AppContainerTest : public ::testing::Test {
public:
void SetUp() override {
if (base::win::GetVersion() < base::win::Version::WIN8)
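Review bot: `AddNetworkAppContainerPolicy` creates a real AppContainer profile named `cr.sb.net<sha1>` via `AddAppContainerProfile(..., true)`, but nothing in this hunk deletes it and the fixture's `TearDown` only deletes `package_name_`; unless the tests that call this helper (outside this hunk) call `AppContainerBase::Delete(GetAppContainerProfileName().c_str())`, each run leaves a profile behind on the machine. The two `DLOG(ERROR)` strings still say `AppContainerProfile::AddCapability()` after the rename; `DLOG(ERROR) << "AppContainer::AddCapability() failed";` would match the new API. The length comment is consistent with the code (9 + 40 = 49 characters), but the `DCHECK_LE` only fires in debug builds, so a `static_assert` on the base name length would pin it for release too.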
@@ -150,15 +213,15 @@ class AppContainerProfileTest : public ::testing::Test {
ASSERT_EQ(SBOX_ALL_OK,
policy_->AddAppContainerProfile(package_name_.c_str(), true));
// For testing purposes we known the base class so cast directly.
- profile_ = static_cast<AppContainerProfileBase*>(
- policy_->GetAppContainerProfile().get());
+ container_ =
+ static_cast<AppContainerBase*>(policy_->GetAppContainer().get());
}
void TearDown() override {
if (scoped_process_info_.IsValid())
::TerminateProcess(scoped_process_info_.process_handle(), 0);
- if (profile_)
- AppContainerProfileBase::Delete(package_name_.c_str());
+ if (container_)
+ AppContainerBase::Delete(package_name_.c_str());
}
protected:
@@ -179,15 +242,14 @@ class AppContainerProfileTest : public ::testing::Test {
std::wstring package_name_;
BrokerServices* broker_services_;
- scoped_refptr<AppContainerProfileBase> profile_;
+ scoped_refptr<AppContainerBase> container_;
scoped_refptr<TargetPolicy> policy_;
base::win::ScopedProcessInformation scoped_process_info_;
};
} // namespace
-
-TEST(AppContainerTest, DenyOpenEventForLowBox) {
+TEST_F(AppContainerTest, DenyOpenEventForLowBox) {
if (base::win::GetVersion() < base::win::Version::WIN8)
return;
@@ -208,8 +270,8 @@ TEST(AppContainerTest, DenyOpenEventForLowBox) {
EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_Open f test"));
}
-TEST_F(AppContainerProfileTest, CheckIncompatibleOptions) {
- if (!profile_)
+TEST_F(AppContainerTest, CheckIncompatibleOptions) {
+ if (!container_)
return;
EXPECT_EQ(SBOX_ERROR_BAD_PARAMS,
policy_->SetIntegrityLevel(INTEGRITY_LEVEL_UNTRUSTED));
@@ -231,15 +293,15 @@ TEST_F(AppContainerProfileTest, CheckIncompatibleOptions) {
policy_->SetProcessMitigations(MITIGATION_HEAP_TERMINATE));
}
-TEST_F(AppContainerProfileTest, NoCapabilities) {
- if (!profile_)
+TEST_F(AppContainerTest, NoCapabilities) {
+ if (!container_)
return;
policy_->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED);
policy_->SetJobLevel(JOB_NONE, 0);
CreateProcess();
- auto security_capabilities = profile_->GetSecurityCapabilities();
+ auto security_capabilities = container_->GetSecurityCapabilities();
CheckProcessToken(scoped_process_info_.process_handle(),
security_capabilities.get(), FALSE);
@@ -247,15 +309,15 @@ TEST_F(AppContainerProfileTest, NoCapabilities) {
security_capabilities.get(), FALSE);
}
-TEST_F(AppContainerProfileTest, NoCapabilitiesRestricted) {
- if (!profile_)
+TEST_F(AppContainerTest, NoCapabilitiesRestricted) {
+ if (!container_)
return;
policy_->SetTokenLevel(USER_LOCKDOWN, USER_RESTRICTED_SAME_ACCESS);
policy_->SetJobLevel(JOB_NONE, 0);
CreateProcess();
- auto security_capabilities = profile_->GetSecurityCapabilities();
+ auto security_capabilities = container_->GetSecurityCapabilities();
CheckProcessToken(scoped_process_info_.process_handle(),
security_capabilities.get(), TRUE);
@@ -263,17 +325,17 @@ TEST_F(AppContainerProfileTest, NoCapabilitiesRestricted) {
security_capabilities.get(), TRUE);
}
-TEST_F(AppContainerProfileTest, WithCapabilities) {
- if (!profile_)
+TEST_F(AppContainerTest, WithCapabilities) {
+ if (!container_)
return;
- profile_->AddCapability(kInternetClient);
- profile_->AddCapability(kInternetClientServer);
+ container_->AddCapability(kInternetClient);
+ container_->AddCapability(kInternetClientServer);
policy_->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED);
policy_->SetJobLevel(JOB_NONE, 0);
CreateProcess();
- auto security_capabilities = profile_->GetSecurityCapabilities();
+ auto security_capabilities = container_->GetSecurityCapabilities();
CheckProcessToken(scoped_process_info_.process_handle(),
security_capabilities.get(), FALSE);
@@ -281,17 +343,17 @@ TEST_F(AppContainerProfileTest, WithCapabilities) {
security_capabilities.get(), FALSE);
}
-TEST_F(AppContainerProfileTest, WithCapabilitiesRestricted) {
- if (!profile_)
+TEST_F(AppContainerTest, WithCapabilitiesRestricted) {
+ if (!container_)
return;
- profile_->AddCapability(kInternetClient);
- profile_->AddCapability(kInternetClientServer);
+ container_->AddCapability(kInternetClient);
+ container_->AddCapability(kInternetClientServer);
policy_->SetTokenLevel(USER_LOCKDOWN, USER_RESTRICTED_SAME_ACCESS);
policy_->SetJobLevel(JOB_NONE, 0);
CreateProcess();
- auto security_capabilities = profile_->GetSecurityCapabilities();
+ auto security_capabilities = container_->GetSecurityCapabilities();
CheckProcessToken(scoped_process_info_.process_handle(),
security_capabilities.get(), TRUE);
@@ -299,38 +361,38 @@ TEST_F(AppContainerProfileTest, WithCapabilitiesRestricted) {
security_capabilities.get(), TRUE);
}
-TEST_F(AppContainerProfileTest, WithImpersonationCapabilities) {
- if (!profile_)
+TEST_F(AppContainerTest, WithImpersonationCapabilities) {
+ if (!container_)
return;
- profile_->AddCapability(kInternetClient);
- profile_->AddCapability(kInternetClientServer);
- profile_->AddImpersonationCapability(kPrivateNetworkClientServer);
- profile_->AddImpersonationCapability(kPicturesLibrary);
+ container_->AddCapability(kInternetClient);
+ container_->AddCapability(kInternetClientServer);
+ container_->AddImpersonationCapability(kPrivateNetworkClientServer);
+ container_->AddImpersonationCapability(kPicturesLibrary);
policy_->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED);
policy_->SetJobLevel(JOB_NONE, 0);
CreateProcess();
- auto security_capabilities = profile_->GetSecurityCapabilities();
+ auto security_capabilities = container_->GetSecurityCapabilities();
CheckProcessToken(scoped_process_info_.process_handle(),
security_capabilities.get(), FALSE);
SecurityCapabilities impersonation_security_capabilities(
- profile_->GetPackageSid(), profile_->GetImpersonationCapabilities());
+ container_->GetPackageSid(), container_->GetImpersonationCapabilities());
CheckThreadToken(scoped_process_info_.thread_handle(),
&impersonation_security_capabilities, FALSE);
}
-TEST_F(AppContainerProfileTest, NoCapabilitiesLPAC) {
+TEST_F(AppContainerTest, NoCapabilitiesLPAC) {
if (base::win::GetVersion() < base::win::Version::WIN10_RS1)
return;
- profile_->SetEnableLowPrivilegeAppContainer(true);
+ container_->SetEnableLowPrivilegeAppContainer(true);
policy_->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED);
policy_->SetJobLevel(JOB_NONE, 0);
CreateProcess();
- auto security_capabilities = profile_->GetSecurityCapabilities();
+ auto security_capabilities = container_->GetSecurityCapabilities();
CheckProcessToken(scoped_process_info_.process_handle(),
security_capabilities.get(), FALSE);
@@ -339,4 +401,25 @@ TEST_F(AppContainerProfileTest, NoCapabilitiesLPAC) {
CheckLpacToken(scoped_process_info_.process_handle());
}
+SBOX_TESTS_COMMAND int LoadDLL(int argc, wchar_t** argv) {
+ // DLL here doesn't matter as long as it's in the output directory: re-use one
+ // from another sbox test.
+ base::ScopedNativeLibrary test_dll(base::FilePath(
+ FILE_PATH_LITERAL("sbox_integration_test_hijack_dll.dll")));
+ if (test_dll.is_valid())
+ return SBOX_TEST_SUCCEEDED;
+ return SBOX_TEST_FAILED;
+}
+
+TEST(AppContainerLaunchTest, CheckLPACACE) {
+ if (base::win::GetVersion() < base::win::Version::WIN10_RS1)
+ return;
+ TestRunner runner;
+ AddNetworkAppContainerPolicy(runner.GetPolicy());
+
+ EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"LoadDLL"));
+
+ AppContainerBase::Delete(GetAppContainerProfileName().c_str());
+}
+
} // namespace sandbox
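Review bot: `AddNetworkAppContainerPolicy` returns a ResultCode (it reports `SBOX_ERROR_CREATE_APPCONTAINER_CAPABILITY` when a capability cannot be added), but `CheckLPACACE` discards that result at the call in this hunk, so if the LPAC profile or its capabilities cannot be set up the child runs without the container and `LoadDLL` passes vacuously. Check the result before spawning the child, e.g. `const ResultCode rc = AddNetworkAppContainerPolicy(runner.GetPolicy());` `EXPECT_EQ(SBOX_ALL_OK, rc);` `if (rc == SBOX_ALL_OK) EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"LoadDLL"));`, keeping the trailing `Delete` unconditional so a partially created profile is still removed. `LoadDLL` also loads the helper DLL by bare file name, so it depends on the loader's search order resolving the output directory; a one-line comment stating that the test relies on the application directory being searched first would make that dependency explicit. `AddNetworkAppContainerPolicy` and `GetAppContainerProfileName` are defined outside this hunk.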
diff --git a/chromium/sandbox/win/src/app_container_unittest.cc b/chromium/sandbox/win/src/app_container_unittest.cc
index d2689e295f2..3f22a49b187 100644
--- a/chromium/sandbox/win/src/app_container_unittest.cc
+++ b/chromium/sandbox/win/src/app_container_unittest.cc
@@ -17,7 +17,7 @@
#include "base/rand_util.h"
#include "base/strings/stringprintf.h"
#include "base/win/windows_version.h"
-#include "sandbox/win/src/app_container_profile_base.h"
+#include "sandbox/win/src/app_container_base.h"
#include "sandbox/win/src/security_capabilities.h"
#include "sandbox/win/src/sid.h"
#include "sandbox/win/src/win_utils.h"
@@ -127,7 +127,7 @@ std::wstring CreateSddlWithSid(const Sid& sid) {
return base_sddl + sddl_string + L")";
}
-void AccessCheckFile(AppContainerProfile* profile,
+void AccessCheckFile(AppContainer* container,
const base::FilePath& path,
const Sid& sid,
DWORD desired_access,
@@ -142,9 +142,9 @@ void AccessCheckFile(AppContainerProfile* profile,
ASSERT_TRUE(file_handle.IsValid());
DWORD granted_access;
BOOL access_status;
- ASSERT_TRUE(profile->AccessCheck(path.value().c_str(), SE_FILE_OBJECT,
- desired_access, &granted_access,
- &access_status));
+ ASSERT_TRUE(container->AccessCheck(path.value().c_str(), SE_FILE_OBJECT,
+ desired_access, &granted_access,
+ &access_status));
ASSERT_EQ(expected_status, access_status);
if (access_status)
ASSERT_EQ(expected_access, granted_access);
@@ -181,35 +181,35 @@ TEST(AppContainerTest, CreateAndDeleteAppContainerProfile) {
std::wstring package_name = GenerateRandomPackageName();
EXPECT_FALSE(ProfileExist(package_name));
- scoped_refptr<AppContainerProfileBase> profile =
- AppContainerProfileBase::Create(package_name.c_str(), L"Name",
+ scoped_refptr<AppContainerBase> profile_container =
+ AppContainerBase::CreateProfile(package_name.c_str(), L"Name",
L"Description");
- ASSERT_NE(nullptr, profile.get());
+ ASSERT_NE(nullptr, profile_container.get());
EXPECT_TRUE(ProfileExist(package_name));
- EXPECT_TRUE(AppContainerProfileBase::Delete(package_name.c_str()));
+ EXPECT_TRUE(AppContainerBase::Delete(package_name.c_str()));
EXPECT_FALSE(ProfileExist(package_name));
}
-TEST(AppContainerTest, CreateAndOpenAppContainerProfile) {
+TEST(AppContainerTest, CreateAndOpenAppContainer) {
if (base::win::GetVersion() < base::win::Version::WIN8)
return;
std::wstring package_name = GenerateRandomPackageName();
EXPECT_FALSE(ProfileExist(package_name));
- scoped_refptr<AppContainerProfileBase> profile =
- AppContainerProfileBase::Create(package_name.c_str(), L"Name",
+ scoped_refptr<AppContainerBase> profile_container =
+ AppContainerBase::CreateProfile(package_name.c_str(), L"Name",
L"Description");
- ASSERT_NE(nullptr, profile.get());
+ ASSERT_NE(nullptr, profile_container.get());
EXPECT_TRUE(ProfileExist(package_name));
- scoped_refptr<AppContainerProfileBase> open_profile =
- AppContainerProfileBase::Open(package_name.c_str());
- ASSERT_NE(nullptr, profile.get());
- EXPECT_TRUE(::EqualSid(profile->GetPackageSid().GetPSID(),
- open_profile->GetPackageSid().GetPSID()));
- EXPECT_TRUE(AppContainerProfileBase::Delete(package_name.c_str()));
+ scoped_refptr<AppContainerBase> open_container =
+ AppContainerBase::Open(package_name.c_str());
+ ASSERT_NE(nullptr, open_container.get());
+ EXPECT_TRUE(::EqualSid(profile_container->GetPackageSid().GetPSID(),
+ open_container->GetPackageSid().GetPSID()));
+ EXPECT_TRUE(AppContainerBase::Delete(package_name.c_str()));
EXPECT_FALSE(ProfileExist(package_name));
- scoped_refptr<AppContainerProfileBase> open_profile2 =
- AppContainerProfileBase::Open(package_name.c_str());
+ scoped_refptr<AppContainerBase> open_container2 =
+ AppContainerBase::Open(package_name.c_str());
EXPECT_FALSE(ProfileExist(package_name));
}
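Review bot: In `CreateAndOpenAppContainer`, `open_container2` is opened after the profile has been deleted but is never inspected, so the closing `EXPECT_FALSE(ProfileExist(package_name))` is the only check on those last three lines and a null result from `Open` would go unnoticed. Add `ASSERT_NE(nullptr, open_container2.get());` before that expectation so the test pins both that opening a deleted profile still yields a container object and that doing so does not recreate the profile; if `Open` is instead expected to fail in this situation, assert that explicitly rather than leaving the value unused. The first test in this hunk, `CreateAndDeleteAppContainerProfile`, starts outside the hunk.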
@@ -218,41 +218,41 @@ TEST(AppContainerTest, SetLowPrivilegeAppContainer) {
if (base::win::GetVersion() < base::win::Version::WIN10_RS1)
return;
std::wstring package_name = GenerateRandomPackageName();
- scoped_refptr<AppContainerProfileBase> profile =
- AppContainerProfileBase::Open(package_name.c_str());
- ASSERT_NE(nullptr, profile.get());
- profile->SetEnableLowPrivilegeAppContainer(true);
- EXPECT_TRUE(profile->GetEnableLowPrivilegeAppContainer());
+ scoped_refptr<AppContainerBase> container =
+ AppContainerBase::Open(package_name.c_str());
+ ASSERT_NE(nullptr, container.get());
+ container->SetEnableLowPrivilegeAppContainer(true);
+ EXPECT_TRUE(container->GetEnableLowPrivilegeAppContainer());
}
-TEST(AppContainerTest, OpenAppContainerProfileAndGetSecurityCapabilities) {
+TEST(AppContainerTest, OpenAppContainerAndGetSecurityCapabilities) {
if (base::win::GetVersion() < base::win::Version::WIN8)
return;
std::wstring package_name = GenerateRandomPackageName();
- scoped_refptr<AppContainerProfileBase> profile =
- AppContainerProfileBase::Open(package_name.c_str());
- ASSERT_NE(nullptr, profile.get());
+ scoped_refptr<AppContainerBase> container =
+ AppContainerBase::Open(package_name.c_str());
+ ASSERT_NE(nullptr, container.get());
std::vector<Sid> capabilities;
- auto no_capabilities = profile->GetSecurityCapabilities();
+ auto no_capabilities = container->GetSecurityCapabilities();
ASSERT_TRUE(ValidSecurityCapabilities(
- no_capabilities.get(), profile->GetPackageSid(), capabilities));
+ no_capabilities.get(), container->GetPackageSid(), capabilities));
// No support for named capabilities prior to Win10.
if (base::win::GetVersion() >= base::win::Version::WIN10) {
- ASSERT_TRUE(profile->AddCapability(L"FakeCapability"));
+ ASSERT_TRUE(container->AddCapability(L"FakeCapability"));
capabilities.push_back(Sid::FromNamedCapability(L"FakeCapability"));
}
- ASSERT_TRUE(profile->AddCapability(kInternetClient));
+ ASSERT_TRUE(container->AddCapability(kInternetClient));
capabilities.push_back(Sid::FromKnownCapability(kInternetClient));
const wchar_t kSddlSid[] = L"S-1-15-3-1";
- ASSERT_TRUE(profile->AddCapabilitySddl(kSddlSid));
+ ASSERT_TRUE(container->AddCapabilitySddl(kSddlSid));
capabilities.push_back(Sid::FromSddlString(kSddlSid));
- auto with_capabilities = profile->GetSecurityCapabilities();
+ auto with_capabilities = container->GetSecurityCapabilities();
ASSERT_TRUE(ValidSecurityCapabilities(
- with_capabilities.get(), profile->GetPackageSid(), capabilities));
+ with_capabilities.get(), container->GetPackageSid(), capabilities));
}
TEST(AppContainerTest, GetResources) {
@@ -260,25 +260,25 @@ TEST(AppContainerTest, GetResources) {
return;
std::wstring package_name = GenerateRandomPackageName();
- scoped_refptr<AppContainerProfileBase> profile =
- AppContainerProfileBase::Create(package_name.c_str(), L"Name",
+ scoped_refptr<AppContainerBase> profile_container =
+ AppContainerBase::CreateProfile(package_name.c_str(), L"Name",
L"Description");
- ASSERT_NE(nullptr, profile.get());
+ ASSERT_NE(nullptr, profile_container.get());
base::win::ScopedHandle key;
- EXPECT_TRUE(profile->GetRegistryLocation(KEY_READ, &key));
+ EXPECT_TRUE(profile_container->GetRegistryLocation(KEY_READ, &key));
EXPECT_TRUE(key.IsValid());
key.Close();
base::FilePath path;
- EXPECT_TRUE(profile->GetFolderPath(&path));
+ EXPECT_TRUE(profile_container->GetFolderPath(&path));
EXPECT_TRUE(base::PathExists(path));
base::FilePath pipe_path;
- EXPECT_TRUE(profile->GetPipePath(package_name.c_str(), &pipe_path));
+ EXPECT_TRUE(profile_container->GetPipePath(package_name.c_str(), &pipe_path));
base::win::ScopedHandle pipe_handle;
pipe_handle.Set(::CreateNamedPipe(
pipe_path.value().c_str(), PIPE_ACCESS_DUPLEX, PIPE_TYPE_BYTE,
PIPE_UNLIMITED_INSTANCES, 0, 0, 0, nullptr));
EXPECT_TRUE(pipe_handle.IsValid());
- EXPECT_TRUE(AppContainerProfileBase::Delete(package_name.c_str()));
+ EXPECT_TRUE(AppContainerBase::Delete(package_name.c_str()));
}
TEST(AppContainerTest, AccessCheckFile) {
@@ -287,34 +287,36 @@ TEST(AppContainerTest, AccessCheckFile) {
// We don't need a valid profile to do the access check tests.
std::wstring package_name = GenerateRandomPackageName();
- scoped_refptr<AppContainerProfileBase> profile =
- AppContainerProfileBase::Open(package_name.c_str());
- profile->AddCapability(kInternetClient);
+ scoped_refptr<AppContainerBase> container =
+ AppContainerBase::Open(package_name.c_str());
+ container->AddCapability(kInternetClient);
base::ScopedTempDir temp_dir;
ASSERT_TRUE(temp_dir.CreateUniqueTempDir());
base::FilePath path = temp_dir.GetPath().Append(package_name);
- AccessCheckFile(profile.get(), path, ::WinNullSid, FILE_READ_DATA, 0, FALSE);
- AccessCheckFile(profile.get(), path, ::WinBuiltinAnyPackageSid,
+ AccessCheckFile(container.get(), path, ::WinNullSid, FILE_READ_DATA, 0,
+ FALSE);
+ AccessCheckFile(container.get(), path, ::WinBuiltinAnyPackageSid,
FILE_READ_DATA, FILE_READ_DATA, TRUE);
- AccessCheckFile(profile.get(), path, profile->GetPackageSid(), FILE_READ_DATA,
- FILE_READ_DATA, TRUE);
- AccessCheckFile(profile.get(), path,
+ AccessCheckFile(container.get(), path, container->GetPackageSid(),
+ FILE_READ_DATA, FILE_READ_DATA, TRUE);
+ AccessCheckFile(container.get(), path,
Sid::FromKnownCapability(kInternetClient), FILE_READ_DATA,
FILE_READ_DATA, TRUE);
// Check mapping generic access rights.
- AccessCheckFile(profile.get(), path, ::WinBuiltinAnyPackageSid,
+ AccessCheckFile(container.get(), path, ::WinBuiltinAnyPackageSid,
GENERIC_READ | GENERIC_EXECUTE,
FILE_GENERIC_READ | FILE_GENERIC_EXECUTE, TRUE);
// No support for LPAC less than Win10 RS1.
if (base::win::GetVersion() < base::win::Version::WIN10_RS1)
return;
- profile->SetEnableLowPrivilegeAppContainer(true);
- AccessCheckFile(profile.get(), path, ::WinBuiltinAnyPackageSid,
+ container->SetEnableLowPrivilegeAppContainer(true);
+ AccessCheckFile(container.get(), path, ::WinBuiltinAnyPackageSid,
FILE_READ_DATA, 0, FALSE);
- AccessCheckFile(profile.get(), path, Sid::AllRestrictedApplicationPackages(),
- FILE_READ_DATA, FILE_READ_DATA, TRUE);
+ AccessCheckFile(container.get(), path,
+ Sid::AllRestrictedApplicationPackages(), FILE_READ_DATA,
+ FILE_READ_DATA, TRUE);
}
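Review bot: `container->AddCapability(kInternetClient)` has its return value dropped near the top of the `AccessCheckFile` test, whereas the sibling tests in this file wrap the same call in `ASSERT_TRUE`; a failed add would only surface later as a confusing mismatch on the `Sid::FromKnownCapability(kInternetClient)` access check. Use `ASSERT_TRUE(container->AddCapability(kInternetClient));` for consistency and a failure message that points at the actual cause. The test's opening lines are outside the hunk.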
TEST(AppContainerTest, AccessCheckRegistry) {
@@ -323,8 +325,8 @@ TEST(AppContainerTest, AccessCheckRegistry) {
// We don't need a valid profile to do the access check tests.
std::wstring package_name = GenerateRandomPackageName();
- scoped_refptr<AppContainerProfileBase> profile =
- AppContainerProfileBase::Open(package_name.c_str());
+ scoped_refptr<AppContainerBase> container =
+ AppContainerBase::Open(package_name.c_str());
// Ensure the key doesn't exist.
RegDeleteKey(HKEY_CURRENT_USER, package_name.c_str());
SECURITY_ATTRIBUTES_SDDL sa(
@@ -340,9 +342,9 @@ TEST(AppContainerTest, AccessCheckRegistry) {
DWORD granted_access;
BOOL access_status;
- ASSERT_TRUE(profile->AccessCheck(key_name.c_str(), SE_REGISTRY_KEY,
- KEY_QUERY_VALUE, &granted_access,
- &access_status));
+ ASSERT_TRUE(container->AccessCheck(key_name.c_str(), SE_REGISTRY_KEY,
+ KEY_QUERY_VALUE, &granted_access,
+ &access_status));
ASSERT_TRUE(access_status);
ASSERT_EQ(DWORD{KEY_QUERY_VALUE}, granted_access);
RegDeleteKey(HKEY_CURRENT_USER, package_name.c_str());
@@ -353,36 +355,37 @@ TEST(AppContainerTest, ImpersonationCapabilities) {
return;
std::wstring package_name = GenerateRandomPackageName();
- scoped_refptr<AppContainerProfileBase> profile =
- AppContainerProfileBase::Open(package_name.c_str());
- ASSERT_NE(nullptr, profile.get());
+ scoped_refptr<AppContainerBase> container =
+ AppContainerBase::Open(package_name.c_str());
+ ASSERT_NE(nullptr, container.get());
std::vector<Sid> capabilities;
std::vector<Sid> impersonation_capabilities;
- ASSERT_TRUE(profile->AddCapability(kInternetClient));
+ ASSERT_TRUE(container->AddCapability(kInternetClient));
capabilities.push_back(Sid::FromKnownCapability(kInternetClient));
impersonation_capabilities.push_back(
Sid::FromKnownCapability(kInternetClient));
- ASSERT_TRUE(CompareSidVectors(profile->GetCapabilities(), capabilities));
- ASSERT_TRUE(CompareSidVectors(profile->GetImpersonationCapabilities(),
+ ASSERT_TRUE(CompareSidVectors(container->GetCapabilities(), capabilities));
+ ASSERT_TRUE(CompareSidVectors(container->GetImpersonationCapabilities(),
impersonation_capabilities));
- ASSERT_TRUE(profile->AddImpersonationCapability(kPrivateNetworkClientServer));
+ ASSERT_TRUE(
+ container->AddImpersonationCapability(kPrivateNetworkClientServer));
impersonation_capabilities.push_back(
Sid::FromKnownCapability(kPrivateNetworkClientServer));
// No support for named capabilities prior to Win10.
if (base::win::GetVersion() >= base::win::Version::WIN10) {
- ASSERT_TRUE(profile->AddImpersonationCapability(L"FakeCapability"));
+ ASSERT_TRUE(container->AddImpersonationCapability(L"FakeCapability"));
impersonation_capabilities.push_back(
Sid::FromNamedCapability(L"FakeCapability"));
}
const wchar_t kSddlSid[] = L"S-1-15-3-1";
- ASSERT_TRUE(profile->AddImpersonationCapabilitySddl(kSddlSid));
+ ASSERT_TRUE(container->AddImpersonationCapabilitySddl(kSddlSid));
impersonation_capabilities.push_back(Sid::FromSddlString(kSddlSid));
- ASSERT_TRUE(CompareSidVectors(profile->GetCapabilities(), capabilities));
- ASSERT_TRUE(CompareSidVectors(profile->GetImpersonationCapabilities(),
+ ASSERT_TRUE(CompareSidVectors(container->GetCapabilities(), capabilities));
+ ASSERT_TRUE(CompareSidVectors(container->GetImpersonationCapabilities(),
impersonation_capabilities));
}
diff --git a/chromium/sandbox/win/src/broker_services.cc b/chromium/sandbox/win/src/broker_services.cc
index 2c36a265ff3..c61ad9410ed 100644
--- a/chromium/sandbox/win/src/broker_services.cc
+++ b/chromium/sandbox/win/src/broker_services.cc
@@ -19,7 +19,7 @@
#include "base/win/scoped_process_information.h"
#include "base/win/windows_version.h"
#include "build/build_config.h"
-#include "sandbox/win/src/app_container_profile.h"
+#include "sandbox/win/src/app_container.h"
#include "sandbox/win/src/process_mitigations.h"
#include "sandbox/win/src/sandbox.h"
#include "sandbox/win/src/sandbox_policy_base.h"
@@ -29,6 +29,10 @@
#include "sandbox/win/src/threadpool.h"
#include "sandbox/win/src/win_utils.h"
+#if DCHECK_IS_ON()
+#include "base/win/current_module.h"
+#endif
+
namespace {
// Utility function to associate a completion port to a job object.
@@ -433,6 +437,14 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
ResultCode* last_warning,
DWORD* last_error,
PROCESS_INFORMATION* target_info) {
+#if DCHECK_IS_ON()
+ // This code should only be called from the exe, ensure that this is always
+ // the case.
+ HMODULE exe_module = nullptr;
+ CHECK(::GetModuleHandleEx(NULL, exe_path, &exe_module));
+ DCHECK_EQ(CURRENT_MODULE(), exe_module);
+#endif
+
if (!exe_path)
return SBOX_ERROR_BAD_PARAMS;
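Review bot: The new debug check at the top of `SpawnTarget` calls `::GetModuleHandleEx(NULL, exe_path, &exe_module)` with no flags, which increments the module's reference count, and `exe_module` is never released; pass the unchanged-refcount flag so the diagnostic has no side effect: `CHECK(::GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, exe_path, &exe_module));`. The block also runs before the `if (!exe_path)` guard that immediately follows it; with a null module name `GetModuleHandleEx` returns the calling process's executable, so the bad-params case passes the check silently, and moving the block below the guard keeps it meaningful. Note as well that `CHECK` is fatal in every build that defines DCHECK_IS_ON, and it will fire for any embedder whose broker is not itself the executable being spawned, because a path that is not loaded in the current process cannot be resolved to a module; if such configurations are meant to be supported, this should be a `DCHECK` or the invariant should be documented as Chromium-specific. `SpawnTarget`'s body continues beyond the hunk.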
@@ -505,10 +517,10 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
for (HANDLE handle : policy_handle_list)
startup_info->AddInheritedHandle(handle);
- scoped_refptr<AppContainerProfileBase> profile =
- policy_base->GetAppContainerProfileBase();
- if (profile)
- startup_info->SetAppContainerProfile(profile);
+ scoped_refptr<AppContainerBase> container =
+ policy_base->GetAppContainerBase();
+ if (container)
+ startup_info->SetAppContainer(container);
// On Win10, jobs are associated via startup_info.
if (base::win::GetVersion() >= base::win::Version::WIN10 && job.IsValid()) {
@@ -524,7 +536,8 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
std::unique_ptr<TargetProcess> target = std::make_unique<TargetProcess>(
std::move(initial_token), std::move(lockdown_token), job.Get(),
thread_pool_,
- profile ? profile->GetImpersonationCapabilities() : std::vector<Sid>());
+ container ? container->GetImpersonationCapabilities()
+ : std::vector<Sid>());
result = target->Create(exe_path, command_line, std::move(startup_info),
&process_info, last_error);
diff --git a/chromium/sandbox/win/src/crosscall_client.h b/chromium/sandbox/win/src/crosscall_client.h
index 84fd090a72a..af13651ddce 100644
--- a/chromium/sandbox/win/src/crosscall_client.h
+++ b/chromium/sandbox/win/src/crosscall_client.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_CROSSCALL_CLIENT_H_
-#define SANDBOX_SRC_CROSSCALL_CLIENT_H_
+#ifndef SANDBOX_WIN_SRC_CROSSCALL_CLIENT_H_
+#define SANDBOX_WIN_SRC_CROSSCALL_CLIENT_H_
#include <stddef.h>
#include <stdint.h>
@@ -484,4 +484,4 @@ ResultCode CrossCall(IPCProvider& ipc_provider,
}
} // namespace sandbox
-#endif // SANDBOX_SRC_CROSSCALL_CLIENT_H__
+#endif // SANDBOX_WIN_SRC_CROSSCALL_CLIENT_H_
diff --git a/chromium/sandbox/win/src/crosscall_params.h b/chromium/sandbox/win/src/crosscall_params.h
index 3c97f3faa5a..b507fc4b3ee 100644
--- a/chromium/sandbox/win/src/crosscall_params.h
+++ b/chromium/sandbox/win/src/crosscall_params.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_CROSSCALL_PARAMS_H__
-#define SANDBOX_SRC_CROSSCALL_PARAMS_H__
+#ifndef SANDBOX_WIN_SRC_CROSSCALL_PARAMS_H_
+#define SANDBOX_WIN_SRC_CROSSCALL_PARAMS_H_
#if !defined(SANDBOX_FUZZ_TARGET)
#include <windows.h>
@@ -16,8 +16,6 @@
#include <stddef.h>
#include <stdint.h>
-#include <memory>
-
#include "base/macros.h"
#include "sandbox/win/src/internal_types.h"
#if !defined(SANDBOX_FUZZ_TARGET)
@@ -300,4 +298,4 @@ static_assert(sizeof(ActualCallParams<3, 1024>) == 1024, "bad size buffer");
} // namespace sandbox
-#endif // SANDBOX_SRC_CROSSCALL_PARAMS_H__
+#endif // SANDBOX_WIN_SRC_CROSSCALL_PARAMS_H_
diff --git a/chromium/sandbox/win/src/crosscall_server.h b/chromium/sandbox/win/src/crosscall_server.h
index d5291887840..9773f245561 100644
--- a/chromium/sandbox/win/src/crosscall_server.h
+++ b/chromium/sandbox/win/src/crosscall_server.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_CROSSCALL_SERVER_H_
-#define SANDBOX_SRC_CROSSCALL_SERVER_H_
+#ifndef SANDBOX_WIN_SRC_CROSSCALL_SERVER_H_
+#define SANDBOX_WIN_SRC_CROSSCALL_SERVER_H_
#include <stdint.h>
@@ -218,4 +218,4 @@ class Dispatcher {
} // namespace sandbox
-#endif // SANDBOX_SRC_CROSSCALL_SERVER_H_
+#endif // SANDBOX_WIN_SRC_CROSSCALL_SERVER_H_
diff --git a/chromium/sandbox/win/src/eat_resolver.h b/chromium/sandbox/win/src/eat_resolver.h
index cbc5516f8cd..a8df0b443cf 100644
--- a/chromium/sandbox/win/src/eat_resolver.h
+++ b/chromium/sandbox/win/src/eat_resolver.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_EAT_RESOLVER_H__
-#define SANDBOX_SRC_EAT_RESOLVER_H__
+#ifndef SANDBOX_WIN_SRC_EAT_RESOLVER_H_
+#define SANDBOX_WIN_SRC_EAT_RESOLVER_H_
#include <stddef.h>
@@ -46,4 +46,4 @@ class EatResolverThunk : public ResolverThunk {
} // namespace sandbox
-#endif // SANDBOX_SRC_EAT_RESOLVER_H__
+#endif // SANDBOX_WIN_SRC_EAT_RESOLVER_H_
diff --git a/chromium/sandbox/win/src/filesystem_dispatcher.h b/chromium/sandbox/win/src/filesystem_dispatcher.h
index 5551656e62d..5ebe0fb0b3a 100644
--- a/chromium/sandbox/win/src/filesystem_dispatcher.h
+++ b/chromium/sandbox/win/src/filesystem_dispatcher.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_FILESYSTEM_DISPATCHER_H__
-#define SANDBOX_SRC_FILESYSTEM_DISPATCHER_H__
+#ifndef SANDBOX_WIN_SRC_FILESYSTEM_DISPATCHER_H_
+#define SANDBOX_WIN_SRC_FILESYSTEM_DISPATCHER_H_
#include <stdint.h>
@@ -73,4 +73,4 @@ class FilesystemDispatcher : public Dispatcher {
} // namespace sandbox
-#endif // SANDBOX_SRC_FILESYSTEM_DISPATCHER_H__
+#endif // SANDBOX_WIN_SRC_FILESYSTEM_DISPATCHER_H_
diff --git a/chromium/sandbox/win/src/filesystem_policy.h b/chromium/sandbox/win/src/filesystem_policy.h
index 81dd1d0d1d0..38d7484e269 100644
--- a/chromium/sandbox/win/src/filesystem_policy.h
+++ b/chromium/sandbox/win/src/filesystem_policy.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_FILESYSTEM_POLICY_H__
-#define SANDBOX_SRC_FILESYSTEM_POLICY_H__
+#ifndef SANDBOX_WIN_SRC_FILESYSTEM_POLICY_H_
+#define SANDBOX_WIN_SRC_FILESYSTEM_POLICY_H_
#include <stdint.h>
@@ -109,4 +109,4 @@ std::wstring FixNTPrefixForMatch(const std::wstring& name);
} // namespace sandbox
-#endif // SANDBOX_SRC_FILESYSTEM_POLICY_H__
+#endif // SANDBOX_WIN_SRC_FILESYSTEM_POLICY_H_
diff --git a/chromium/sandbox/win/src/handle_closer.h b/chromium/sandbox/win/src/handle_closer.h
index 948eddca538..d00a13f5ac3 100644
--- a/chromium/sandbox/win/src/handle_closer.h
+++ b/chromium/sandbox/win/src/handle_closer.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_HANDLE_CLOSER_H_
-#define SANDBOX_SRC_HANDLE_CLOSER_H_
+#ifndef SANDBOX_WIN_SRC_HANDLE_CLOSER_H_
+#define SANDBOX_WIN_SRC_HANDLE_CLOSER_H_
#include <stddef.h>
@@ -76,4 +76,4 @@ bool GetHandleName(HANDLE handle, std::wstring* handle_name);
} // namespace sandbox
-#endif // SANDBOX_SRC_HANDLE_CLOSER_H_
+#endif // SANDBOX_WIN_SRC_HANDLE_CLOSER_H_
diff --git a/chromium/sandbox/win/src/handle_closer_agent.h b/chromium/sandbox/win/src/handle_closer_agent.h
index 91f8e74c7ea..fc7a83584eb 100644
--- a/chromium/sandbox/win/src/handle_closer_agent.h
+++ b/chromium/sandbox/win/src/handle_closer_agent.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_HANDLE_CLOSER_AGENT_H_
-#define SANDBOX_SRC_HANDLE_CLOSER_AGENT_H_
+#ifndef SANDBOX_WIN_SRC_HANDLE_CLOSER_AGENT_H_
+#define SANDBOX_WIN_SRC_HANDLE_CLOSER_AGENT_H_
#include <string>
@@ -43,4 +43,4 @@ class HandleCloserAgent {
} // namespace sandbox
-#endif // SANDBOX_SRC_HANDLE_CLOSER_AGENT_H_
+#endif // SANDBOX_WIN_SRC_HANDLE_CLOSER_AGENT_H_
diff --git a/chromium/sandbox/win/src/interception.cc b/chromium/sandbox/win/src/interception.cc
index 97c4e969f74..369beebac9f 100644
--- a/chromium/sandbox/win/src/interception.cc
+++ b/chromium/sandbox/win/src/interception.cc
@@ -432,7 +432,7 @@ ResultCode InterceptionManager::PatchClientFunctions(
std::unique_ptr<ServiceResolverThunk> thunk;
#if defined(_WIN64)
- thunk.reset(new ServiceResolverThunk(child_.Process(), relaxed_));
+ thunk = std::make_unique<ServiceResolverThunk>(child_.Process(), relaxed_);
#else
base::win::OSInfo* os_info = base::win::OSInfo::GetInstance();
base::win::Version real_os_version = os_info->Kernel32Version();
diff --git a/chromium/sandbox/win/src/interception.h b/chromium/sandbox/win/src/interception.h
index 35c37e700f7..0f1b3416080 100644
--- a/chromium/sandbox/win/src/interception.h
+++ b/chromium/sandbox/win/src/interception.h
@@ -6,8 +6,8 @@
// for the sandboxed process. For more details see
// http://dev.chromium.org/developers/design-documents/sandbox .
-#ifndef SANDBOX_SRC_INTERCEPTION_H_
-#define SANDBOX_SRC_INTERCEPTION_H_
+#ifndef SANDBOX_WIN_SRC_INTERCEPTION_H_
+#define SANDBOX_WIN_SRC_INTERCEPTION_H_
#include <stddef.h>
@@ -253,4 +253,4 @@ class InterceptionManager {
} // namespace sandbox
-#endif // SANDBOX_SRC_INTERCEPTION_H_
+#endif // SANDBOX_WIN_SRC_INTERCEPTION_H_
diff --git a/chromium/sandbox/win/src/interception_agent.h b/chromium/sandbox/win/src/interception_agent.h
index b2bce08b09a..7a96e44218f 100644
--- a/chromium/sandbox/win/src/interception_agent.h
+++ b/chromium/sandbox/win/src/interception_agent.h
@@ -6,8 +6,8 @@
// from the inside of the sandboxed process. For more details see
// http://dev.chromium.org/developers/design-documents/sandbox .
-#ifndef SANDBOX_SRC_INTERCEPTION_AGENT_H__
-#define SANDBOX_SRC_INTERCEPTION_AGENT_H__
+#ifndef SANDBOX_WIN_SRC_INTERCEPTION_AGENT_H_
+#define SANDBOX_WIN_SRC_INTERCEPTION_AGENT_H_
#include "base/macros.h"
#include "sandbox/win/src/nt_internals.h"
@@ -84,4 +84,4 @@ class InterceptionAgent {
} // namespace sandbox
-#endif // SANDBOX_SRC_INTERCEPTION_AGENT_H__
+#endif // SANDBOX_WIN_SRC_INTERCEPTION_AGENT_H_
diff --git a/chromium/sandbox/win/src/interception_internal.h b/chromium/sandbox/win/src/interception_internal.h
index bf452e049ed..67d860b5dcc 100644
--- a/chromium/sandbox/win/src/interception_internal.h
+++ b/chromium/sandbox/win/src/interception_internal.h
@@ -6,8 +6,8 @@
// for the sandboxed process. For more details see:
// http://dev.chromium.org/developers/design-documents/sandbox .
-#ifndef SANDBOX_SRC_INTERCEPTION_INTERNAL_H_
-#define SANDBOX_SRC_INTERCEPTION_INTERNAL_H_
+#ifndef SANDBOX_WIN_SRC_INTERCEPTION_INTERNAL_H_
+#define SANDBOX_WIN_SRC_INTERCEPTION_INTERNAL_H_
#include <stddef.h>
@@ -74,4 +74,4 @@ struct DllInterceptionData {
} // namespace sandbox
-#endif // SANDBOX_SRC_INTERCEPTION_INTERNAL_H_
+#endif // SANDBOX_WIN_SRC_INTERCEPTION_INTERNAL_H_
diff --git a/chromium/sandbox/win/src/interceptors.h b/chromium/sandbox/win/src/interceptors.h
index eac14de9f51..1035b7e4b34 100644
--- a/chromium/sandbox/win/src/interceptors.h
+++ b/chromium/sandbox/win/src/interceptors.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_INTERCEPTORS_H_
-#define SANDBOX_SRC_INTERCEPTORS_H_
+#ifndef SANDBOX_WIN_SRC_INTERCEPTORS_H_
+#define SANDBOX_WIN_SRC_INTERCEPTORS_H_
#if defined(_WIN64)
#include "sandbox/win/src/interceptors_64.h"
@@ -55,4 +55,4 @@ typedef void* OriginalFunctions[INTERCEPTOR_MAX_ID];
} // namespace sandbox
-#endif // SANDBOX_SRC_INTERCEPTORS_H_
+#endif // SANDBOX_WIN_SRC_INTERCEPTORS_H_
diff --git a/chromium/sandbox/win/src/ipc_leak_test.cc b/chromium/sandbox/win/src/ipc_leak_test.cc
index 3dd1c1d67e7..7abcc4cd3c4 100644
--- a/chromium/sandbox/win/src/ipc_leak_test.cc
+++ b/chromium/sandbox/win/src/ipc_leak_test.cc
@@ -8,7 +8,7 @@
#include <stdlib.h>
-#include "base/process/process_metrics.h"
+#include "base/memory/page_size.h"
#include "base/stl_util.h"
#include "base/win/win_util.h"
#include "sandbox/win/src/crosscall_client.h"
diff --git a/chromium/sandbox/win/src/ipc_tags.h b/chromium/sandbox/win/src/ipc_tags.h
index 1d6b1cb00a5..91e06dbc36e 100644
--- a/chromium/sandbox/win/src/ipc_tags.h
+++ b/chromium/sandbox/win/src/ipc_tags.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_IPC_TAGS_H__
-#define SANDBOX_SRC_IPC_TAGS_H__
+#ifndef SANDBOX_WIN_SRC_IPC_TAGS_H_
+#define SANDBOX_WIN_SRC_IPC_TAGS_H_
namespace sandbox {
@@ -42,4 +42,4 @@ static_assert(kMaxIpcTag <= kMaxServiceCount, "kMaxServiceCount is too low");
} // namespace sandbox
-#endif // SANDBOX_SRC_IPC_TAGS_H__
+#endif // SANDBOX_WIN_SRC_IPC_TAGS_H_
diff --git a/chromium/sandbox/win/src/job.h b/chromium/sandbox/win/src/job.h
index 4a4778016a1..3f57426611b 100644
--- a/chromium/sandbox/win/src/job.h
+++ b/chromium/sandbox/win/src/job.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_JOB_H_
-#define SANDBOX_SRC_JOB_H_
+#ifndef SANDBOX_WIN_SRC_JOB_H_
+#define SANDBOX_WIN_SRC_JOB_H_
#include <stddef.h>
@@ -67,4 +67,4 @@ class Job {
} // namespace sandbox
-#endif // SANDBOX_SRC_JOB_H_
+#endif // SANDBOX_WIN_SRC_JOB_H_
diff --git a/chromium/sandbox/win/src/named_pipe_dispatcher.h b/chromium/sandbox/win/src/named_pipe_dispatcher.h
index a14f658506a..14d15bade6f 100644
--- a/chromium/sandbox/win/src/named_pipe_dispatcher.h
+++ b/chromium/sandbox/win/src/named_pipe_dispatcher.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_NAMED_PIPE_DISPATCHER_H__
-#define SANDBOX_SRC_NAMED_PIPE_DISPATCHER_H__
+#ifndef SANDBOX_WIN_SRC_NAMED_PIPE_DISPATCHER_H_
+#define SANDBOX_WIN_SRC_NAMED_PIPE_DISPATCHER_H_
#include <stdint.h>
@@ -43,4 +43,4 @@ class NamedPipeDispatcher : public Dispatcher {
} // namespace sandbox
-#endif // SANDBOX_SRC_NAMED_PIPE_DISPATCHER_H__
+#endif // SANDBOX_WIN_SRC_NAMED_PIPE_DISPATCHER_H_
diff --git a/chromium/sandbox/win/src/named_pipe_policy.h b/chromium/sandbox/win/src/named_pipe_policy.h
index 4ad272f16ff..3f303a56b0c 100644
--- a/chromium/sandbox/win/src/named_pipe_policy.h
+++ b/chromium/sandbox/win/src/named_pipe_policy.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_NAMED_PIPE_POLICY_H__
-#define SANDBOX_SRC_NAMED_PIPE_POLICY_H__
+#ifndef SANDBOX_WIN_SRC_NAMED_PIPE_POLICY_H_
+#define SANDBOX_WIN_SRC_NAMED_PIPE_POLICY_H_
#include <string>
@@ -40,4 +40,4 @@ class NamedPipePolicy {
} // namespace sandbox
-#endif // SANDBOX_SRC_NAMED_PIPE_POLICY_H__
+#endif // SANDBOX_WIN_SRC_NAMED_PIPE_POLICY_H_
diff --git a/chromium/sandbox/win/src/policy_broker.h b/chromium/sandbox/win/src/policy_broker.h
index d146cfd1e20..913a57a2c76 100644
--- a/chromium/sandbox/win/src/policy_broker.h
+++ b/chromium/sandbox/win/src/policy_broker.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_POLICY_BROKER_H_
-#define SANDBOX_SRC_POLICY_BROKER_H_
+#ifndef SANDBOX_WIN_SRC_POLICY_BROKER_H_
+#define SANDBOX_WIN_SRC_POLICY_BROKER_H_
#include "sandbox/win/src/interception.h"
@@ -24,4 +24,4 @@ bool SetupNtdllImports(TargetProcess& child);
} // namespace sandbox
-#endif // SANDBOX_SRC_POLICY_BROKER_H_
+#endif // SANDBOX_WIN_SRC_POLICY_BROKER_H_
diff --git a/chromium/sandbox/win/src/policy_engine_params.h b/chromium/sandbox/win/src/policy_engine_params.h
index 07fd7eac82d..d7ffdc47df6 100644
--- a/chromium/sandbox/win/src/policy_engine_params.h
+++ b/chromium/sandbox/win/src/policy_engine_params.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_POLICY_ENGINE_PARAMS_H__
-#define SANDBOX_SRC_POLICY_ENGINE_PARAMS_H__
+#ifndef SANDBOX_WIN_SRC_POLICY_ENGINE_PARAMS_H_
+#define SANDBOX_WIN_SRC_POLICY_ENGINE_PARAMS_H_
#include <stdint.h>
@@ -187,4 +187,4 @@ struct CountedParameterSet {
} // namespace sandbox
-#endif // SANDBOX_SRC_POLICY_ENGINE_PARAMS_H__
+#endif // SANDBOX_WIN_SRC_POLICY_ENGINE_PARAMS_H_
diff --git a/chromium/sandbox/win/src/policy_engine_processor.h b/chromium/sandbox/win/src/policy_engine_processor.h
index b62973b14a4..102b6a74676 100644
--- a/chromium/sandbox/win/src/policy_engine_processor.h
+++ b/chromium/sandbox/win/src/policy_engine_processor.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__
-#define SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__
+#ifndef SANDBOX_WIN_SRC_POLICY_ENGINE_PROCESSOR_H_
+#define SANDBOX_WIN_SRC_POLICY_ENGINE_PROCESSOR_H_
#include <stddef.h>
#include <stdint.h>
@@ -140,4 +140,4 @@ class PolicyProcessor {
} // namespace sandbox
-#endif // SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__
+#endif // SANDBOX_WIN_SRC_POLICY_ENGINE_PROCESSOR_H_
diff --git a/chromium/sandbox/win/src/policy_low_level.h b/chromium/sandbox/win/src/policy_low_level.h
index 1586f96af90..f0726e81081 100644
--- a/chromium/sandbox/win/src/policy_low_level.h
+++ b/chromium/sandbox/win/src/policy_low_level.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_POLICY_LOW_LEVEL_H__
-#define SANDBOX_SRC_POLICY_LOW_LEVEL_H__
+#ifndef SANDBOX_WIN_SRC_POLICY_LOW_LEVEL_H_
+#define SANDBOX_WIN_SRC_POLICY_LOW_LEVEL_H_
#include <stddef.h>
#include <stdint.h>
@@ -186,4 +186,4 @@ class PolicyRule {
} // namespace sandbox
-#endif // SANDBOX_SRC_POLICY_LOW_LEVEL_H__
+#endif // SANDBOX_WIN_SRC_POLICY_LOW_LEVEL_H_
diff --git a/chromium/sandbox/win/src/policy_params.h b/chromium/sandbox/win/src/policy_params.h
index dbab8307d42..485ecb14c80 100644
--- a/chromium/sandbox/win/src/policy_params.h
+++ b/chromium/sandbox/win/src/policy_params.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_POLICY_PARAMS_H__
-#define SANDBOX_SRC_POLICY_PARAMS_H__
+#ifndef SANDBOX_WIN_SRC_POLICY_PARAMS_H_
+#define SANDBOX_WIN_SRC_POLICY_PARAMS_H_
#include "sandbox/win/src/policy_engine_params.h"
@@ -63,4 +63,4 @@ POLPARAMS_END(HandleTarget)
} // namespace sandbox
-#endif // SANDBOX_SRC_POLICY_PARAMS_H__
+#endif // SANDBOX_WIN_SRC_POLICY_PARAMS_H_
diff --git a/chromium/sandbox/win/src/process_mitigations.h b/chromium/sandbox/win/src/process_mitigations.h
index 3b511fe2bd9..c9a0ee0b161 100644
--- a/chromium/sandbox/win/src/process_mitigations.h
+++ b/chromium/sandbox/win/src/process_mitigations.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_WIN_PROCESS_MITIGATIONS_H_
-#define SANDBOX_SRC_WIN_PROCESS_MITIGATIONS_H_
+#ifndef SANDBOX_WIN_SRC_PROCESS_MITIGATIONS_H_
+#define SANDBOX_WIN_SRC_PROCESS_MITIGATIONS_H_
#include <windows.h>
@@ -75,4 +75,4 @@ bool CanSetMitigationsPerThread(MitigationFlags flags);
} // namespace sandbox
-#endif // SANDBOX_SRC_WIN_PROCESS_MITIGATIONS_H_
+#endif // SANDBOX_WIN_SRC_PROCESS_MITIGATIONS_H_
diff --git a/chromium/sandbox/win/src/process_mitigations_win32k_dispatcher.h b/chromium/sandbox/win/src/process_mitigations_win32k_dispatcher.h
index 6eb49ccc7ed..0892b845ff4 100644
--- a/chromium/sandbox/win/src/process_mitigations_win32k_dispatcher.h
+++ b/chromium/sandbox/win/src/process_mitigations_win32k_dispatcher.h
@@ -2,11 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_PROCESS_MITIGATIONS_WIN32K_DISPATCHER_H_
-#define SANDBOX_SRC_PROCESS_MITIGATIONS_WIN32K_DISPATCHER_H_
-
-#include <map>
-#include <string>
+#ifndef SANDBOX_WIN_SRC_PROCESS_MITIGATIONS_WIN32K_DISPATCHER_H_
+#define SANDBOX_WIN_SRC_PROCESS_MITIGATIONS_WIN32K_DISPATCHER_H_
#include "base/macros.h"
#include "base/memory/ref_counted.h"
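Review bot: Dropping `<map>` and `<string>` here is only safe if the class body below (outside this hunk) no longer names `std::map` or `std::string`, or still reaches them transitively through the includes that remain; the same check applies to the `<string>` removal in process_mitigations_win32k_policy.h. Relying on transitive includes is fragile under include-what-you-use, so if either type is still used it would be better to keep the direct include.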
@@ -35,4 +32,4 @@ class ProcessMitigationsWin32KDispatcher : public Dispatcher {
} // namespace sandbox
-#endif // SANDBOX_SRC_PROCESS_MITIGATIONS_WIN32K_DISPATCHER_H_
+#endif // SANDBOX_WIN_SRC_PROCESS_MITIGATIONS_WIN32K_DISPATCHER_H_
diff --git a/chromium/sandbox/win/src/process_mitigations_win32k_interception.h b/chromium/sandbox/win/src/process_mitigations_win32k_interception.h
index f81b1f08ca3..19274f76a0d 100644
--- a/chromium/sandbox/win/src/process_mitigations_win32k_interception.h
+++ b/chromium/sandbox/win/src/process_mitigations_win32k_interception.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_PROCESS_MITIGATIONS_WIN32K_INTERCEPTION_H_
-#define SANDBOX_SRC_PROCESS_MITIGATIONS_WIN32K_INTERCEPTION_H_
+#ifndef SANDBOX_WIN_SRC_PROCESS_MITIGATIONS_WIN32K_INTERCEPTION_H_
+#define SANDBOX_WIN_SRC_PROCESS_MITIGATIONS_WIN32K_INTERCEPTION_H_
#include <windows.h>
@@ -41,4 +41,4 @@ TargetRegisterClassW(RegisterClassWFunction orig_register_class_function,
} // namespace sandbox
-#endif // SANDBOX_SRC_PROCESS_MITIGATIONS_WIN32K_INTERCEPTION_H_
+#endif // SANDBOX_WIN_SRC_PROCESS_MITIGATIONS_WIN32K_INTERCEPTION_H_
diff --git a/chromium/sandbox/win/src/process_mitigations_win32k_policy.h b/chromium/sandbox/win/src/process_mitigations_win32k_policy.h
index dbaede5e9a8..d2b8be6cedf 100644
--- a/chromium/sandbox/win/src/process_mitigations_win32k_policy.h
+++ b/chromium/sandbox/win/src/process_mitigations_win32k_policy.h
@@ -2,10 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_PROCESS_MITIGATIONS_WIN32K_POLICY_H_
-#define SANDBOX_SRC_PROCESS_MITIGATIONS_WIN32K_POLICY_H_
-
-#include <string>
+#ifndef SANDBOX_WIN_SRC_PROCESS_MITIGATIONS_WIN32K_POLICY_H_
+#define SANDBOX_WIN_SRC_PROCESS_MITIGATIONS_WIN32K_POLICY_H_
#include "sandbox/win/src/crosscall_server.h"
#include "sandbox/win/src/policy_low_level.h"
@@ -29,4 +27,4 @@ class ProcessMitigationsWin32KLockdownPolicy {
} // namespace sandbox
-#endif // SANDBOX_SRC_PROCESS_MITIGATIONS_WIN32K_POLICY_H_
+#endif // SANDBOX_WIN_SRC_PROCESS_MITIGATIONS_WIN32K_POLICY_H_
diff --git a/chromium/sandbox/win/src/process_mitigations_win32k_unittest.cc b/chromium/sandbox/win/src/process_mitigations_win32k_unittest.cc
index af4b2071ff0..b1494fbc134 100644
--- a/chromium/sandbox/win/src/process_mitigations_win32k_unittest.cc
+++ b/chromium/sandbox/win/src/process_mitigations_win32k_unittest.cc
@@ -6,7 +6,6 @@
#include <windows.h>
-#include "base/strings/stringprintf.h"
#include "base/strings/utf_string_conversions.h"
#include "base/win/windows_version.h"
#include "sandbox/win/src/nt_internals.h"
diff --git a/chromium/sandbox/win/src/process_thread_dispatcher.h b/chromium/sandbox/win/src/process_thread_dispatcher.h
index 07466c46e2f..7d193ea29c2 100644
--- a/chromium/sandbox/win/src/process_thread_dispatcher.h
+++ b/chromium/sandbox/win/src/process_thread_dispatcher.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_PROCESS_THREAD_DISPATCHER_H_
-#define SANDBOX_SRC_PROCESS_THREAD_DISPATCHER_H_
+#ifndef SANDBOX_WIN_SRC_PROCESS_THREAD_DISPATCHER_H_
+#define SANDBOX_WIN_SRC_PROCESS_THREAD_DISPATCHER_H_
#include <stdint.h>
@@ -66,4 +66,4 @@ class ThreadProcessDispatcher : public Dispatcher {
} // namespace sandbox
-#endif // SANDBOX_SRC_PROCESS_THREAD_DISPATCHER_H_
+#endif // SANDBOX_WIN_SRC_PROCESS_THREAD_DISPATCHER_H_
diff --git a/chromium/sandbox/win/src/process_thread_policy.cc b/chromium/sandbox/win/src/process_thread_policy.cc
index 20146a83dfc..b851c5ba852 100644
--- a/chromium/sandbox/win/src/process_thread_policy.cc
+++ b/chromium/sandbox/win/src/process_thread_policy.cc
@@ -82,11 +82,11 @@ bool ProcessPolicy::GenerateRules(const wchar_t* name,
std::unique_ptr<PolicyRule> process;
switch (semantics) {
case TargetPolicy::PROCESS_MIN_EXEC: {
- process.reset(new PolicyRule(GIVE_READONLY));
+ process = std::make_unique<PolicyRule>(GIVE_READONLY);
break;
};
case TargetPolicy::PROCESS_ALL_EXEC: {
- process.reset(new PolicyRule(GIVE_ALLACCESS));
+ process = std::make_unique<PolicyRule>(GIVE_ALLACCESS);
break;
};
default: { return false; };
diff --git a/chromium/sandbox/win/src/process_thread_policy.h b/chromium/sandbox/win/src/process_thread_policy.h
index f6f96dd0ff9..407e08e6244 100644
--- a/chromium/sandbox/win/src/process_thread_policy.h
+++ b/chromium/sandbox/win/src/process_thread_policy.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_PROCESS_THREAD_POLICY_H_
-#define SANDBOX_SRC_PROCESS_THREAD_POLICY_H_
+#ifndef SANDBOX_WIN_SRC_PROCESS_THREAD_POLICY_H_
+#define SANDBOX_WIN_SRC_PROCESS_THREAD_POLICY_H_
#include <stdint.h>
@@ -88,4 +88,4 @@ class ProcessPolicy {
} // namespace sandbox
-#endif // SANDBOX_SRC_PROCESS_THREAD_POLICY_H_
+#endif // SANDBOX_WIN_SRC_PROCESS_THREAD_POLICY_H_
diff --git a/chromium/sandbox/win/src/registry_dispatcher.h b/chromium/sandbox/win/src/registry_dispatcher.h
index c23b95098b8..520837ab12c 100644
--- a/chromium/sandbox/win/src/registry_dispatcher.h
+++ b/chromium/sandbox/win/src/registry_dispatcher.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_REGISTRY_DISPATCHER_H_
-#define SANDBOX_SRC_REGISTRY_DISPATCHER_H_
+#ifndef SANDBOX_WIN_SRC_REGISTRY_DISPATCHER_H_
+#define SANDBOX_WIN_SRC_REGISTRY_DISPATCHER_H_
#include <stdint.h>
@@ -48,4 +48,4 @@ class RegistryDispatcher : public Dispatcher {
} // namespace sandbox
-#endif // SANDBOX_SRC_REGISTRY_DISPATCHER_H_
+#endif // SANDBOX_WIN_SRC_REGISTRY_DISPATCHER_H_
diff --git a/chromium/sandbox/win/src/registry_policy.h b/chromium/sandbox/win/src/registry_policy.h
index 9a36932869b..9d629f19530 100644
--- a/chromium/sandbox/win/src/registry_policy.h
+++ b/chromium/sandbox/win/src/registry_policy.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_REGISTRY_POLICY_H__
-#define SANDBOX_SRC_REGISTRY_POLICY_H__
+#ifndef SANDBOX_WIN_SRC_REGISTRY_POLICY_H_
+#define SANDBOX_WIN_SRC_REGISTRY_POLICY_H_
#include <stdint.h>
@@ -53,4 +53,4 @@ class RegistryPolicy {
} // namespace sandbox
-#endif // SANDBOX_SRC_REGISTRY_POLICY_H__
+#endif // SANDBOX_WIN_SRC_REGISTRY_POLICY_H_
diff --git a/chromium/sandbox/win/src/restricted_token.h b/chromium/sandbox/win/src/restricted_token.h
index 4ee90bdb93d..49b4b488968 100644
--- a/chromium/sandbox/win/src/restricted_token.h
+++ b/chromium/sandbox/win/src/restricted_token.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_RESTRICTED_TOKEN_H_
-#define SANDBOX_SRC_RESTRICTED_TOKEN_H_
+#ifndef SANDBOX_WIN_SRC_RESTRICTED_TOKEN_H_
+#define SANDBOX_WIN_SRC_RESTRICTED_TOKEN_H_
#include <windows.h>
@@ -204,4 +204,4 @@ class RestrictedToken {
} // namespace sandbox
-#endif // SANDBOX_SRC_RESTRICTED_TOKEN_H_
+#endif // SANDBOX_WIN_SRC_RESTRICTED_TOKEN_H_
diff --git a/chromium/sandbox/win/src/restricted_token_utils.h b/chromium/sandbox/win/src/restricted_token_utils.h
index 0e41e01acdd..415776f6f4f 100644
--- a/chromium/sandbox/win/src/restricted_token_utils.h
+++ b/chromium/sandbox/win/src/restricted_token_utils.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__
-#define SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__
+#ifndef SANDBOX_WIN_SRC_RESTRICTED_TOKEN_UTILS_H_
+#define SANDBOX_WIN_SRC_RESTRICTED_TOKEN_UTILS_H_
#include <accctrl.h>
#include <windows.h>
@@ -101,4 +101,4 @@ DWORD CreateLowBoxObjectDirectory(PSID lowbox_sid,
} // namespace sandbox
-#endif // SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__
+#endif // SANDBOX_WIN_SRC_RESTRICTED_TOKEN_UTILS_H_
diff --git a/chromium/sandbox/win/src/sandbox.h b/chromium/sandbox/win/src/sandbox.h
index 9dfebfcc172..35996c1726e 100644
--- a/chromium/sandbox/win/src/sandbox.h
+++ b/chromium/sandbox/win/src/sandbox.h
@@ -55,7 +55,10 @@ class TargetServices;
// // -- later you can call:
// broker->WaitForAllTargets(option);
//
-class BrokerServices {
+// We need [[clang::lto_visibility_public]] because instances of this class are
+// passed across module boundaries. This means different modules must have
+// compatible definitions of the class even when LTO is enabled.
+class [[clang::lto_visibility_public]] BrokerServices {
public:
// Initializes the broker. Must be called before any other on this class.
// returns ALL_OK if successful. All other return values imply failure.
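Review bot: `[[clang::lto_visibility_public]]` is a clang-only attribute, and this tree is also built with other toolchains in the Qt mirror, where an unknown vendor attribute is at best ignored with a warning; a small compiler-conditional macro that expands to the attribute under `__clang__` and to nothing elsewhere would keep the build warning-clean. The rationale in the new comment (instances crossing a module boundary under LTO) presumably applies to the other classes handed across that boundary — `TargetServices`, forward-declared at the top of this hunk, looks like a candidate — so it is worth confirming they receive the same treatment elsewhere in the commit.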
diff --git a/chromium/sandbox/win/src/sandbox_constants.cc b/chromium/sandbox/win/src/sandbox_constants.cc
deleted file mode 100644
index 81723f9271e..00000000000
--- a/chromium/sandbox/win/src/sandbox_constants.cc
+++ /dev/null
@@ -1,27 +0,0 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/sandbox_constants.h"
-
-namespace sandbox {
-// Strings used as keys in base::Value snapshots of Policies for WebUI.
-extern const char kAppContainerCapabilities[] = "appContainerCapabilities";
-extern const char kAppContainerInitialCapabilities[] =
- "appContainerInitialCapabilities";
-extern const char kAppContainerSid[] = "appContainerSid";
-extern const char kDesiredIntegrityLevel[] = "desiredIntegrityLevel";
-extern const char kDesiredMitigations[] = "desiredMitigations";
-extern const char kDisconnectCsrss[] = "disconnectCsrss";
-extern const char kHandlesToClose[] = "handlesToClose";
-extern const char kJobLevel[] = "jobLevel";
-extern const char kLockdownLevel[] = "lockdownLevel";
-extern const char kLowboxSid[] = "lowboxSid";
-extern const char kPlatformMitigations[] = "platformMitigations";
-extern const char kPolicyRules[] = "policyRules";
-extern const char kProcessIds[] = "processIds";
-
-// Strings used as values in snapshots of Policies.
-extern const char kDisabled[] = "disabled";
-extern const char kEnabled[] = "enabled";
-} // namespace sandbox
diff --git a/chromium/sandbox/win/src/sandbox_constants.h b/chromium/sandbox/win/src/sandbox_constants.h
deleted file mode 100644
index 65718ef12cd..00000000000
--- a/chromium/sandbox/win/src/sandbox_constants.h
+++ /dev/null
@@ -1,29 +0,0 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_WIN_SRC_SANDBOX_CONSTANTS_H_
-#define SANDBOX_WIN_SRC_SANDBOX_CONSTANTS_H_
-
-namespace sandbox {
-// Strings used as keys in base::Value snapshots of Policies.
-extern const char kAppContainerCapabilities[];
-extern const char kAppContainerInitialCapabilities[];
-extern const char kAppContainerSid[];
-extern const char kDesiredIntegrityLevel[];
-extern const char kDesiredMitigations[];
-extern const char kDisconnectCsrss[];
-extern const char kHandlesToClose[];
-extern const char kJobLevel[];
-extern const char kLockdownLevel[];
-extern const char kLowboxSid[];
-extern const char kPlatformMitigations[];
-extern const char kPolicyRules[];
-extern const char kProcessIds[];
-
-// Strings used as values in snapshots of Policies.
-extern const char kDisabled[];
-extern const char kEnabled[];
-} // namespace sandbox
-
-#endif // SANDBOX_WIN_SRC_SANDBOX_CONSTANTS_H_
diff --git a/chromium/sandbox/win/src/sandbox_factory.h b/chromium/sandbox/win/src/sandbox_factory.h
index 07402521dc5..ecb18eb98de 100644
--- a/chromium/sandbox/win/src/sandbox_factory.h
+++ b/chromium/sandbox/win/src/sandbox_factory.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_SANDBOX_FACTORY_H__
-#define SANDBOX_SRC_SANDBOX_FACTORY_H__
+#ifndef SANDBOX_WIN_SRC_SANDBOX_FACTORY_H_
+#define SANDBOX_WIN_SRC_SANDBOX_FACTORY_H_
#include "base/macros.h"
#include "sandbox/win/src/sandbox.h"
@@ -49,4 +49,4 @@ class SandboxFactory {
} // namespace sandbox
-#endif // SANDBOX_SRC_SANDBOX_FACTORY_H__
+#endif // SANDBOX_WIN_SRC_SANDBOX_FACTORY_H_
diff --git a/chromium/sandbox/win/src/sandbox_nt_types.h b/chromium/sandbox/win/src/sandbox_nt_types.h
index eff0f019d3d..6700e5c51ac 100644
--- a/chromium/sandbox/win/src/sandbox_nt_types.h
+++ b/chromium/sandbox/win/src/sandbox_nt_types.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_SANDBOX_NT_TYPES_H__
-#define SANDBOX_SRC_SANDBOX_NT_TYPES_H__
+#ifndef SANDBOX_WIN_SRC_SANDBOX_NT_TYPES_H_
+#define SANDBOX_WIN_SRC_SANDBOX_NT_TYPES_H_
#include "sandbox/win/src/nt_internals.h"
@@ -44,4 +44,4 @@ enum AllocationType {
} // namespace sandbox
-#endif // SANDBOX_SRC_SANDBOX_NT_TYPES_H__
+#endif // SANDBOX_WIN_SRC_SANDBOX_NT_TYPES_H_
diff --git a/chromium/sandbox/win/src/sandbox_nt_util.h b/chromium/sandbox/win/src/sandbox_nt_util.h
index e32e4ccb569..89766f7b762 100644
--- a/chromium/sandbox/win/src/sandbox_nt_util.h
+++ b/chromium/sandbox/win/src/sandbox_nt_util.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_SANDBOX_NT_UTIL_H_
-#define SANDBOX_SRC_SANDBOX_NT_UTIL_H_
+#ifndef SANDBOX_WIN_SRC_SANDBOX_NT_UTIL_H_
+#define SANDBOX_WIN_SRC_SANDBOX_NT_UTIL_H_
#include <intrin.h>
#include <stddef.h>
@@ -214,4 +214,4 @@ bool IsSupportedRenameCall(FILE_RENAME_INFORMATION* file_info,
} // namespace sandbox
-#endif // SANDBOX_SRC_SANDBOX_NT_UTIL_H__
+#endif // SANDBOX_WIN_SRC_SANDBOX_NT_UTIL_H_
diff --git a/chromium/sandbox/win/src/sandbox_policy.h b/chromium/sandbox/win/src/sandbox_policy.h
index a6af72d5aac..89713514f28 100644
--- a/chromium/sandbox/win/src/sandbox_policy.h
+++ b/chromium/sandbox/win/src/sandbox_policy.h
@@ -16,7 +16,7 @@
namespace sandbox {
-class AppContainerProfile;
+class AppContainer;
class PolicyInfo;
class TargetPolicy {
@@ -261,8 +261,8 @@ class TargetPolicy {
virtual ResultCode AddAppContainerProfile(const wchar_t* package_name,
bool create_profile) = 0;
- // Get the configured AppContainerProfile.
- virtual scoped_refptr<AppContainerProfile> GetAppContainerProfile() = 0;
+ // Get the configured AppContainer.
+ virtual scoped_refptr<AppContainer> GetAppContainer() = 0;
// Set effective token that will be used for creating the initial and
// lockdown tokens. The token the caller passes must remain valid for the
diff --git a/chromium/sandbox/win/src/sandbox_policy_base.cc b/chromium/sandbox/win/src/sandbox_policy_base.cc
index 39383ef957d..0c8896a78a8 100644
--- a/chromium/sandbox/win/src/sandbox_policy_base.cc
+++ b/chromium/sandbox/win/src/sandbox_policy_base.cc
@@ -8,11 +8,12 @@
#include <stddef.h>
#include <stdint.h>
+#include <memory>
+
#include "base/callback.h"
#include "base/logging.h"
#include "base/macros.h"
#include "base/stl_util.h"
-#include "base/strings/stringprintf.h"
#include "base/win/win_util.h"
#include "base/win/windows_version.h"
#include "sandbox/win/src/acl.h"
@@ -108,21 +109,17 @@ PolicyBase::PolicyBase()
is_csrss_connected_(true),
policy_maker_(nullptr),
policy_(nullptr),
- lowbox_sid_(nullptr),
lockdown_default_dacl_(false),
add_restricting_random_sid_(false),
effective_token_(nullptr) {
::InitializeCriticalSection(&lock_);
- dispatcher_.reset(new TopLevelDispatcher(this));
+ dispatcher_ = std::make_unique<TopLevelDispatcher>(this);
}
PolicyBase::~PolicyBase() {
delete policy_maker_;
delete policy_;
- if (lowbox_sid_)
- ::LocalFree(lowbox_sid_);
-
::DeleteCriticalSection(&lock_);
}
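Review bot: `dispatcher_` is moved to `std::make_unique`, but the destructor a few lines below still hand-deletes `policy_maker_` and `policy_`, which the constructor initializes as raw `nullptr` owners; for consistency these could become `std::unique_ptr` members too (provided their allocation form matches), which would also drop the `delete` lines. Removing `::LocalFree(lowbox_sid_)` is leak-free only if the lowbox SID's lifetime now belongs to the `AppContainerBase` produced by `CreateLowbox` later in this file; that class is not in this hunk, so worth confirming it releases the SID it was built from.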
@@ -274,7 +271,7 @@ void PolicyBase::DestroyAlternateDesktop() {
}
ResultCode PolicyBase::SetIntegrityLevel(IntegrityLevel integrity_level) {
- if (app_container_profile_)
+ if (app_container_)
return SBOX_ERROR_BAD_PARAMS;
integrity_level_ = integrity_level;
return SBOX_ALL_OK;
@@ -295,10 +292,11 @@ ResultCode PolicyBase::SetLowBox(const wchar_t* sid) {
return SBOX_ERROR_UNSUPPORTED;
DCHECK(sid);
- if (lowbox_sid_ || app_container_profile_)
+ if (app_container_)
return SBOX_ERROR_BAD_PARAMS;
- if (!ConvertStringSidToSid(sid, &lowbox_sid_))
+ app_container_ = AppContainerBase::CreateLowbox(sid);
+ if (!app_container_)
return SBOX_ERROR_INVALID_LOWBOX_SID;
return SBOX_ALL_OK;
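Review bot: Every null return from `AppContainerBase::CreateLowbox(sid)` is now reported as `SBOX_ERROR_INVALID_LOWBOX_SID`, whereas before that code meant precisely that `ConvertStringSidToSid` rejected the string. If `CreateLowbox` can also fail for reasons other than an unparsable SID (its body is not in this diff), callers that treat this code as a configuration error will misdiagnose a runtime failure; either keep the error specific or document the broader meaning with a comment such as `// CreateLowbox returns null for an unparsable SID or any other lowbox setup failure.` The body of SetLowBox starts before this hunk.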
@@ -308,7 +306,7 @@ ResultCode PolicyBase::SetProcessMitigations(MitigationFlags flags) {
// Prior to Win10 RS5 CreateProcess fails when AppContainer and mitigation
// flags are enabled. Return an error on downlevel platforms if trying to
// set new mitigations.
- if (app_container_profile_ &&
+ if (app_container_ &&
base::win::GetVersion() < base::win::Version::WIN10_RS5) {
return SBOX_ERROR_BAD_PARAMS;
}
@@ -474,29 +472,12 @@ ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial,
}
}
- if (lowbox_sid_) {
- if (!lowbox_directory_.IsValid()) {
- result =
- CreateLowBoxObjectDirectory(lowbox_sid_, true, &lowbox_directory_);
- DCHECK(result == ERROR_SUCCESS);
- }
-
- // The order of handles isn't important in the CreateLowBoxToken call.
- // The kernel will maintain a reference to the object directory handle.
- HANDLE saved_handles[1] = {lowbox_directory_.Get()};
- DWORD saved_handles_count = lowbox_directory_.IsValid() ? 1 : 0;
+ if (app_container_ &&
+ app_container_->GetAppContainerType() == AppContainerType::kLowbox) {
+ ResultCode result_code = app_container_->BuildLowBoxToken(lowbox, lockdown);
- Sid package_sid(lowbox_sid_);
- SecurityCapabilities caps(package_sid);
- if (CreateLowBoxToken(lockdown->Get(), PRIMARY, &caps, saved_handles,
- saved_handles_count, lowbox) != ERROR_SUCCESS) {
- return SBOX_ERROR_CANNOT_CREATE_LOWBOX_TOKEN;
- }
-
- if (!ReplacePackageSidInDacl(lowbox->Get(), SE_KERNEL_OBJECT, package_sid,
- TOKEN_ALL_ACCESS)) {
- return SBOX_ERROR_CANNOT_MODIFY_LOWBOX_TOKEN_DACL;
- }
+ if (result_code != SBOX_ALL_OK)
+ return result_code;
}
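Review bot: The explanatory comments of the old lowbox path (the object directory kept alive for the kernel, and the package-SID DACL fix-up on the new token) disappear with the code, and the replacement three-line call gives a reader no hint that `BuildLowBoxToken` performs security-sensitive token work; a one-line comment above the `if`, e.g. `// Lowbox tokens are derived from the lockdown token; BuildLowBoxToken is expected to own the object-directory and DACL handling that used to live here.`, would preserve that context. Also, the local `result` declared earlier in MakeTokens (outside the hunk) loses one of its assignments here; check it is still used so the function stays warning-free. MakeTokens starts and ends outside this hunk.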
// Create the 'better' token. We use this token as the one that the main
@@ -511,10 +492,6 @@ ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial,
return SBOX_ALL_OK;
}
-PSID PolicyBase::GetLowBoxSid() const {
- return lowbox_sid_;
-}
-
ResultCode PolicyBase::AddTarget(std::unique_ptr<TargetProcess> target) {
if (policy_) {
if (!policy_maker_->Done())
@@ -641,19 +618,18 @@ ResultCode PolicyBase::AddAppContainerProfile(const wchar_t* package_name,
return SBOX_ERROR_UNSUPPORTED;
DCHECK(package_name);
- if (lowbox_sid_ || app_container_profile_ ||
- integrity_level_ != INTEGRITY_LEVEL_LAST) {
+ if (app_container_ || integrity_level_ != INTEGRITY_LEVEL_LAST) {
return SBOX_ERROR_BAD_PARAMS;
}
if (create_profile) {
- app_container_profile_ = AppContainerProfileBase::Create(
+ app_container_ = AppContainerBase::CreateProfile(
package_name, L"Chrome Sandbox", L"Profile for Chrome Sandbox");
} else {
- app_container_profile_ = AppContainerProfileBase::Open(package_name);
+ app_container_ = AppContainerBase::Open(package_name);
}
- if (!app_container_profile_)
- return SBOX_ERROR_CREATE_APPCONTAINER_PROFILE;
+ if (!app_container_)
+ return SBOX_ERROR_CREATE_APPCONTAINER;
// A bug exists in CreateProcess where enabling an AppContainer profile and
// passing a set of mitigation flags will generate ERROR_INVALID_PARAMETER.
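Review bot: The renamed `SBOX_ERROR_CREATE_APPCONTAINER` is returned on both branches, including the `AppContainerBase::Open(package_name)` path where nothing is created, so a caller passing `create_profile == false` gets a "create" error for a missing profile. If a distinct code is not wanted, a short comment on the check, e.g. `// Covers both creation and open failures of the AppContainer.`, would make the shared meaning explicit. AddAppContainerProfile starts and ends outside this hunk.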
@@ -671,8 +647,8 @@ ResultCode PolicyBase::AddAppContainerProfile(const wchar_t* package_name,
return SBOX_ALL_OK;
}
-scoped_refptr<AppContainerProfile> PolicyBase::GetAppContainerProfile() {
- return GetAppContainerProfileBase();
+scoped_refptr<AppContainer> PolicyBase::GetAppContainer() {
+ return GetAppContainerBase();
}
void PolicyBase::SetEffectiveToken(HANDLE token) {
@@ -680,9 +656,8 @@ void PolicyBase::SetEffectiveToken(HANDLE token) {
effective_token_ = token;
}
-scoped_refptr<AppContainerProfileBase>
-PolicyBase::GetAppContainerProfileBase() {
- return app_container_profile_;
+scoped_refptr<AppContainerBase> PolicyBase::GetAppContainerBase() {
+ return app_container_;
}
ResultCode PolicyBase::SetupAllInterceptions(TargetProcess& target) {
diff --git a/chromium/sandbox/win/src/sandbox_policy_base.h b/chromium/sandbox/win/src/sandbox_policy_base.h
index c878c8163c8..60041948297 100644
--- a/chromium/sandbox/win/src/sandbox_policy_base.h
+++ b/chromium/sandbox/win/src/sandbox_policy_base.h
@@ -20,7 +20,7 @@
#include "base/memory/scoped_refptr.h"
#include "base/process/launch.h"
#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/app_container_profile_base.h"
+#include "sandbox/win/src/app_container_base.h"
#include "sandbox/win/src/crosscall_server.h"
#include "sandbox/win/src/handle_closer.h"
#include "sandbox/win/src/ipc_tags.h"
@@ -77,12 +77,12 @@ class PolicyBase final : public TargetPolicy {
void AddRestrictingRandomSid() override;
ResultCode AddAppContainerProfile(const wchar_t* package_name,
bool create_profile) override;
- scoped_refptr<AppContainerProfile> GetAppContainerProfile() override;
+ scoped_refptr<AppContainer> GetAppContainer() override;
void SetEffectiveToken(HANDLE token) override;
std::unique_ptr<PolicyInfo> GetPolicyInfo() override;
// Get the AppContainer profile as its internal type.
- scoped_refptr<AppContainerProfileBase> GetAppContainerProfileBase();
+ scoped_refptr<AppContainerBase> GetAppContainerBase();
// Creates a Job object with the level specified in a previous call to
// SetJobLevel().
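Review bot: The comment above the renamed accessor still says "Get the AppContainer profile as its internal type", but `GetAppContainerBase()` now also returns the lowbox variant created by `SetLowBox` in sandbox_policy_base.cc, so "profile" undersells it; suggest `// Get the AppContainer (profile or lowbox) as its internal type.` The class body continues outside this hunk.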
@@ -173,8 +173,6 @@ class PolicyBase final : public TargetPolicy {
// target process. A null set means we need to close all handles of the
// given type.
HandleCloser handle_closer_;
- PSID lowbox_sid_;
- base::win::ScopedHandle lowbox_directory_;
std::unique_ptr<Dispatcher> dispatcher_;
bool lockdown_default_dacl_;
bool add_restricting_random_sid_;
@@ -191,7 +189,7 @@ class PolicyBase final : public TargetPolicy {
// shared with the target at times.
base::HandlesToInheritVector handles_to_share_;
- scoped_refptr<AppContainerProfileBase> app_container_profile_;
+ scoped_refptr<AppContainerBase> app_container_;
HANDLE effective_token_;
diff --git a/chromium/sandbox/win/src/sandbox_policy_diagnostic.cc b/chromium/sandbox/win/src/sandbox_policy_diagnostic.cc
index a5fb6ba2a01..bc1da58d028 100644
--- a/chromium/sandbox/win/src/sandbox_policy_diagnostic.cc
+++ b/chromium/sandbox/win/src/sandbox_policy_diagnostic.cc
@@ -21,7 +21,6 @@
#include "base/values.h"
#include "sandbox/win/src/ipc_tags.h"
#include "sandbox/win/src/policy_engine_opcodes.h"
-#include "sandbox/win/src/sandbox_constants.h"
#include "sandbox/win/src/sandbox_policy_base.h"
#include "sandbox/win/src/target_process.h"
#include "sandbox/win/src/win_utils.h"
@@ -30,6 +29,26 @@ namespace sandbox {
namespace {
+// Keys in base::Value snapshots of Policies for chrome://sandbox.
+const char kAppContainerCapabilities[] = "appContainerCapabilities";
+const char kAppContainerInitialCapabilities[] =
+ "appContainerInitialCapabilities";
+const char kAppContainerSid[] = "appContainerSid";
+const char kDesiredIntegrityLevel[] = "desiredIntegrityLevel";
+const char kDesiredMitigations[] = "desiredMitigations";
+const char kDisconnectCsrss[] = "disconnectCsrss";
+const char kHandlesToClose[] = "handlesToClose";
+const char kJobLevel[] = "jobLevel";
+const char kLockdownLevel[] = "lockdownLevel";
+const char kLowboxSid[] = "lowboxSid";
+const char kPlatformMitigations[] = "platformMitigations";
+const char kPolicyRules[] = "policyRules";
+const char kProcessIds[] = "processIds";
+
+// Values in snapshots of Policies.
+const char kDisabled[] = "disabled";
+const char kEnabled[] = "enabled";
+
base::Value ProcessIdList(std::vector<uint32_t> process_ids) {
base::Value results(base::Value::Type::LIST);
for (const auto pid : process_ids) {
@@ -378,19 +397,19 @@ PolicyDiagnostic::PolicyDiagnostic(PolicyBase* policy) {
desired_mitigations_ = policy->mitigations_ | policy->delayed_mitigations_;
- if (policy->app_container_profile_) {
+ if (policy->app_container_) {
app_container_sid_ =
- std::make_unique<Sid>(policy->app_container_profile_->GetPackageSid());
- for (const auto& sid : policy->app_container_profile_->GetCapabilities()) {
+ std::make_unique<Sid>(policy->app_container_->GetPackageSid());
+ for (const auto& sid : policy->app_container_->GetCapabilities()) {
capabilities_.push_back(sid);
}
for (const auto& sid :
- policy->app_container_profile_->GetImpersonationCapabilities()) {
+ policy->app_container_->GetImpersonationCapabilities()) {
initial_capabilities_.push_back(sid);
}
+
+ app_container_type_ = policy->app_container_->GetAppContainerType();
}
- if (policy->lowbox_sid_)
- lowbox_sid_ = std::make_unique<Sid>(policy->lowbox_sid_);
if (policy->policy_) {
size_t policy_mem_size = policy->policy_->data_size + sizeof(PolicyGlobal);
@@ -455,11 +474,11 @@ const char* PolicyDiagnostic::JsonString() {
value.SetKey(kAppContainerInitialCapabilities,
base::Value(std::move(imp_caps)));
}
- }
- if (lowbox_sid_) {
- value.SetStringKey(
- kLowboxSid, base::AsStringPiece16(GetSidAsString(lowbox_sid_.get())));
+ if (app_container_type_ == AppContainerType::kLowbox)
+ value.SetStringKey(
+ kLowboxSid,
+ base::AsStringPiece16(GetSidAsString(app_container_sid_.get())));
}
if (policy_rules_)
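Review bot: The lowbox branch added at the `if (app_container_type_ == AppContainerType::kLowbox)` line writes `app_container_sid_` under `kLowboxSid`, and since it now sits inside the `app_container_sid_` block the same SID is presumably also emitted under `kAppContainerSid` by the code above this hunk, so a lowbox policy would show up in the chrome://sandbox snapshot with two keys carrying one value. If both keys are intended, a comment such as `// A lowbox SID is reported under both keys so existing consumers of kLowboxSid keep working.` would make that explicit; otherwise emit only one of them. As a point of style, the three-line body of that `if` would be safer wrapped in braces, matching the blocks around it. JsonString() starts outside the hunk.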
diff --git a/chromium/sandbox/win/src/sandbox_policy_diagnostic.h b/chromium/sandbox/win/src/sandbox_policy_diagnostic.h
index 4b6dc4d7239..89982a3f115 100644
--- a/chromium/sandbox/win/src/sandbox_policy_diagnostic.h
+++ b/chromium/sandbox/win/src/sandbox_policy_diagnostic.h
@@ -12,7 +12,7 @@
#include <vector>
#include "base/macros.h"
-#include "base/values.h"
+#include "sandbox/win/src/app_container.h"
#include "sandbox/win/src/handle_closer.h"
#include "sandbox/win/src/policy_low_level.h"
#include "sandbox/win/src/process_mitigations.h"
@@ -42,15 +42,13 @@ class PolicyDiagnostic final : public PolicyInfo {
JobLevel job_level_ = JOB_NONE;
IntegrityLevel desired_integrity_level_ = INTEGRITY_LEVEL_LAST;
MitigationFlags desired_mitigations_ = 0;
- // Cannot have both |lowbox_sid_| and |app_container_sid_|. May have neither.
- std::unique_ptr<Sid> app_container_sid_ = nullptr;
+ std::unique_ptr<Sid> app_container_sid_;
// Only populated if |app_container_sid_| is present.
std::vector<Sid> capabilities_;
// Only populated if |app_container_sid_| is present.
std::vector<Sid> initial_capabilities_;
- // Cannot have both |lowbox_sid_| and |app_container_sid_|. May have neither.
- std::unique_ptr<Sid> lowbox_sid_ = nullptr;
- std::unique_ptr<PolicyGlobal> policy_rules_ = nullptr;
+ AppContainerType app_container_type_ = AppContainerType::kNone;
+ std::unique_ptr<PolicyGlobal> policy_rules_;
bool is_csrss_connected_ = false;
HandleMap handles_to_close_;
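Review bot: The new `app_container_type_` member at the `AppContainerType app_container_type_ = AppContainerType::kNone;` line has no comment, while the invariant it replaces ("Cannot have both |lowbox_sid_| and |app_container_sid_|") was documented and is now only implicit. Suggest `// kNone iff |app_container_sid_| is null; kLowbox means |app_container_sid_| is also reported as the lowbox SID.`, which matches how the constructor in sandbox_policy_diagnostic.cc populates it in this commit. The class body continues outside the hunk.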
diff --git a/chromium/sandbox/win/src/sandbox_rand.h b/chromium/sandbox/win/src/sandbox_rand.h
index f4662f9a848..ce8fae42a5c 100644
--- a/chromium/sandbox/win/src/sandbox_rand.h
+++ b/chromium/sandbox/win/src/sandbox_rand.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_SANDBOX_RAND_H_
-#define SANDBOX_SRC_SANDBOX_RAND_H_
+#ifndef SANDBOX_WIN_SRC_SANDBOX_RAND_H_
+#define SANDBOX_WIN_SRC_SANDBOX_RAND_H_
namespace sandbox {
@@ -12,4 +12,4 @@ bool GetRandom(unsigned int* random_value);
} // namespace sandbox
-#endif // SANDBOX_SRC_SANDBOX_RAND_H_
+#endif // SANDBOX_WIN_SRC_SANDBOX_RAND_H_
diff --git a/chromium/sandbox/win/src/sandbox_types.h b/chromium/sandbox/win/src/sandbox_types.h
index dda31bdaec9..5b6ab9fa7ca 100644
--- a/chromium/sandbox/win/src/sandbox_types.h
+++ b/chromium/sandbox/win/src/sandbox_types.h
@@ -108,11 +108,11 @@ enum ResultCode : int {
// Cannot find the base address of the new process.
SBOX_ERROR_CANNOT_FIND_BASE_ADDRESS = 43,
// Cannot create the AppContainer profile.
- SBOX_ERROR_CREATE_APPCONTAINER_PROFILE = 44,
+ SBOX_ERROR_CREATE_APPCONTAINER = 44,
// Cannot create the AppContainer as the main executable can't be accessed.
- SBOX_ERROR_CREATE_APPCONTAINER_PROFILE_ACCESS_CHECK = 45,
+ SBOX_ERROR_CREATE_APPCONTAINER_ACCESS_CHECK = 45,
// Cannot create the AppContainer as adding a capability failed.
- SBOX_ERROR_CREATE_APPCONTAINER_PROFILE_CAPABILITY = 46,
+ SBOX_ERROR_CREATE_APPCONTAINER_CAPABILITY = 46,
// Cannot initialize a job object.
SBOX_ERROR_CANNOT_INIT_JOB = 47,
// Invalid LowBox SID string.
@@ -141,6 +141,8 @@ enum ResultCode : int {
SBOX_ERROR_CANNOT_INIT_BROKERSERVICES = 59,
// Cannot update job active process limit.
SBOX_ERROR_CANNOT_UPDATE_JOB_PROCESS_LIMIT = 60,
+ // Cannot create an impersonation lowbox token
+ SBOX_ERROR_CANNOT_CREATE_LOWBOX_IMPERSONATION_TOKEN = 61,
// Placeholder for last item of the enum.
SBOX_ERROR_LAST
};
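Review bot: The comment on the new `SBOX_ERROR_CANNOT_CREATE_LOWBOX_IMPERSONATION_TOKEN = 61` entry lacks the terminating period every neighbouring entry uses; `// Cannot create an impersonation lowbox token.` keeps the list consistent. Appending after 60 rather than reusing a renamed slot keeps the existing numeric values stable, which matters if these codes are recorded numerically anywhere.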
diff --git a/chromium/sandbox/win/src/sandbox_utils.h b/chromium/sandbox/win/src/sandbox_utils.h
index 580d1298f6e..9a0e04cb635 100644
--- a/chromium/sandbox/win/src/sandbox_utils.h
+++ b/chromium/sandbox/win/src/sandbox_utils.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_SANDBOX_UTILS_H_
-#define SANDBOX_SRC_SANDBOX_UTILS_H_
+#ifndef SANDBOX_WIN_SRC_SANDBOX_UTILS_H_
+#define SANDBOX_WIN_SRC_SANDBOX_UTILS_H_
#include <windows.h>
#include <string>
@@ -21,4 +21,4 @@ void InitObjectAttribs(const std::wstring& name,
} // namespace sandbox
-#endif // SANDBOX_SRC_SANDBOX_UTILS_H_
+#endif // SANDBOX_WIN_SRC_SANDBOX_UTILS_H_
diff --git a/chromium/sandbox/win/src/security_capabilities.h b/chromium/sandbox/win/src/security_capabilities.h
index 7a66e59743a..c125b7e4afb 100644
--- a/chromium/sandbox/win/src/security_capabilities.h
+++ b/chromium/sandbox/win/src/security_capabilities.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_SECURITY_CAPABILITIES_H_
-#define SANDBOX_SRC_SECURITY_CAPABILITIES_H_
+#ifndef SANDBOX_WIN_SRC_SECURITY_CAPABILITIES_H_
+#define SANDBOX_WIN_SRC_SECURITY_CAPABILITIES_H_
#include <windows.h>
@@ -31,4 +31,4 @@ class SecurityCapabilities final : public SECURITY_CAPABILITIES {
} // namespace sandbox
-#endif // SANDBOX_SRC_SECURITY_CAPABILITIES_H_ \ No newline at end of file
+#endif // SANDBOX_WIN_SRC_SECURITY_CAPABILITIES_H_
diff --git a/chromium/sandbox/win/src/security_level.h b/chromium/sandbox/win/src/security_level.h
index bdeac002826..f15cf04985d 100644
--- a/chromium/sandbox/win/src/security_level.h
+++ b/chromium/sandbox/win/src/security_level.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_SECURITY_LEVEL_H_
-#define SANDBOX_SRC_SECURITY_LEVEL_H_
+#ifndef SANDBOX_WIN_SRC_SECURITY_LEVEL_H_
+#define SANDBOX_WIN_SRC_SECURITY_LEVEL_H_
#include <stdint.h>
@@ -299,4 +299,4 @@ const MitigationFlags MITIGATION_KTM_COMPONENT = 0x00800000;
} // namespace sandbox
-#endif // SANDBOX_SRC_SECURITY_LEVEL_H_
+#endif // SANDBOX_WIN_SRC_SECURITY_LEVEL_H_
diff --git a/chromium/sandbox/win/src/service_resolver.h b/chromium/sandbox/win/src/service_resolver.h
index ee292f6a371..31cedbeb59b 100644
--- a/chromium/sandbox/win/src/service_resolver.h
+++ b/chromium/sandbox/win/src/service_resolver.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_SERVICE_RESOLVER_H__
-#define SANDBOX_SRC_SERVICE_RESOLVER_H__
+#ifndef SANDBOX_WIN_SRC_SERVICE_RESOLVER_H_
+#define SANDBOX_WIN_SRC_SERVICE_RESOLVER_H_
#include <stddef.h>
@@ -155,4 +155,4 @@ class Wow64W10ResolverThunk : public ServiceResolverThunk {
} // namespace sandbox
-#endif // SANDBOX_SRC_SERVICE_RESOLVER_H__
+#endif // SANDBOX_WIN_SRC_SERVICE_RESOLVER_H_
diff --git a/chromium/sandbox/win/src/sharedmem_ipc_client.h b/chromium/sandbox/win/src/sharedmem_ipc_client.h
index 73f739dece2..2c4b917703a 100644
--- a/chromium/sandbox/win/src/sharedmem_ipc_client.h
+++ b/chromium/sandbox/win/src/sharedmem_ipc_client.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_SHAREDMEM_IPC_CLIENT_H__
-#define SANDBOX_SRC_SHAREDMEM_IPC_CLIENT_H__
+#ifndef SANDBOX_WIN_SRC_SHAREDMEM_IPC_CLIENT_H_
+#define SANDBOX_WIN_SRC_SHAREDMEM_IPC_CLIENT_H_
#include <stddef.h>
#include <stdint.h>
@@ -137,4 +137,4 @@ class SharedMemIPCClient {
} // namespace sandbox
-#endif // SANDBOX_SRC_SHAREDMEM_IPC_CLIENT_H__
+#endif // SANDBOX_WIN_SRC_SHAREDMEM_IPC_CLIENT_H_
diff --git a/chromium/sandbox/win/src/sharedmem_ipc_server.h b/chromium/sandbox/win/src/sharedmem_ipc_server.h
index 8530985a3e9..03e87f8b1af 100644
--- a/chromium/sandbox/win/src/sharedmem_ipc_server.h
+++ b/chromium/sandbox/win/src/sharedmem_ipc_server.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_SHAREDMEM_IPC_SERVER_H_
-#define SANDBOX_SRC_SHAREDMEM_IPC_SERVER_H_
+#ifndef SANDBOX_WIN_SRC_SHAREDMEM_IPC_SERVER_H_
+#define SANDBOX_WIN_SRC_SHAREDMEM_IPC_SERVER_H_
#include <stdint.h>
@@ -135,4 +135,4 @@ class SharedMemIPCServer {
} // namespace sandbox
-#endif // SANDBOX_SRC_SHAREDMEM_IPC_SERVER_H_
+#endif // SANDBOX_WIN_SRC_SHAREDMEM_IPC_SERVER_H_
diff --git a/chromium/sandbox/win/src/sid.h b/chromium/sandbox/win/src/sid.h
index 7436442229c..f6f0ff27723 100644
--- a/chromium/sandbox/win/src/sid.h
+++ b/chromium/sandbox/win/src/sid.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_SID_H_
-#define SANDBOX_SRC_SID_H_
+#ifndef SANDBOX_WIN_SRC_SID_H_
+#define SANDBOX_WIN_SRC_SID_H_
#include <windows.h>
@@ -72,4 +72,4 @@ class Sid {
} // namespace sandbox
-#endif // SANDBOX_SRC_SID_H_
+#endif // SANDBOX_WIN_SRC_SID_H_
diff --git a/chromium/sandbox/win/src/sidestep/mini_disassembler.h b/chromium/sandbox/win/src/sidestep/mini_disassembler.h
index eae6538f074..501ab638296 100644
--- a/chromium/sandbox/win/src/sidestep/mini_disassembler.h
+++ b/chromium/sandbox/win/src/sidestep/mini_disassembler.h
@@ -4,8 +4,8 @@
// Definition of MiniDisassembler.
-#ifndef SANDBOX_SRC_SIDESTEP_MINI_DISASSEMBLER_H__
-#define SANDBOX_SRC_SIDESTEP_MINI_DISASSEMBLER_H__
+#ifndef SANDBOX_WIN_SRC_SIDESTEP_MINI_DISASSEMBLER_H_
+#define SANDBOX_WIN_SRC_SIDESTEP_MINI_DISASSEMBLER_H_
#include "sandbox/win/src/sidestep/mini_disassembler_types.h"
@@ -150,4 +150,4 @@ class MiniDisassembler {
} // namespace sidestep
-#endif // SANDBOX_SRC_SIDESTEP_MINI_DISASSEMBLER_H__
+#endif // SANDBOX_WIN_SRC_SIDESTEP_MINI_DISASSEMBLER_H_
diff --git a/chromium/sandbox/win/src/sidestep/mini_disassembler_types.h b/chromium/sandbox/win/src/sidestep/mini_disassembler_types.h
index a9e7c98a0fe..394d8d8d61b 100644
--- a/chromium/sandbox/win/src/sidestep/mini_disassembler_types.h
+++ b/chromium/sandbox/win/src/sidestep/mini_disassembler_types.h
@@ -5,8 +5,8 @@
// Several simple types used by the disassembler and some of the patching
// mechanisms.
-#ifndef SANDBOX_SRC_SIDESTEP_MINI_DISASSEMBLER_TYPES_H__
-#define SANDBOX_SRC_SIDESTEP_MINI_DISASSEMBLER_TYPES_H__
+#ifndef SANDBOX_WIN_SRC_SIDESTEP_MINI_DISASSEMBLER_TYPES_H_
+#define SANDBOX_WIN_SRC_SIDESTEP_MINI_DISASSEMBLER_TYPES_H_
namespace sidestep {
@@ -194,4 +194,4 @@ struct ModrmEntry {
} // namespace sidestep
-#endif // SANDBOX_SRC_SIDESTEP_MINI_DISASSEMBLER_TYPES_H__
+#endif // SANDBOX_WIN_SRC_SIDESTEP_MINI_DISASSEMBLER_TYPES_H_
diff --git a/chromium/sandbox/win/src/sidestep/preamble_patcher.h b/chromium/sandbox/win/src/sidestep/preamble_patcher.h
index 3d7afbc1ef3..1083e89f44e 100644
--- a/chromium/sandbox/win/src/sidestep/preamble_patcher.h
+++ b/chromium/sandbox/win/src/sidestep/preamble_patcher.h
@@ -4,8 +4,8 @@
// Definition of PreamblePatcher
-#ifndef SANDBOX_SRC_SIDESTEP_PREAMBLE_PATCHER_H__
-#define SANDBOX_SRC_SIDESTEP_PREAMBLE_PATCHER_H__
+#ifndef SANDBOX_WIN_SRC_SIDESTEP_PREAMBLE_PATCHER_H_
+#define SANDBOX_WIN_SRC_SIDESTEP_PREAMBLE_PATCHER_H_
#include <stddef.h>
@@ -109,4 +109,4 @@ class PreamblePatcher {
} // namespace sidestep
-#endif // SANDBOX_SRC_SIDESTEP_PREAMBLE_PATCHER_H__
+#endif // SANDBOX_WIN_SRC_SIDESTEP_PREAMBLE_PATCHER_H_
diff --git a/chromium/sandbox/win/src/sidestep_resolver.h b/chromium/sandbox/win/src/sidestep_resolver.h
index 1e2d1f76646..3ac5bf962b3 100644
--- a/chromium/sandbox/win/src/sidestep_resolver.h
+++ b/chromium/sandbox/win/src/sidestep_resolver.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_SIDESTEP_RESOLVER_H__
-#define SANDBOX_SRC_SIDESTEP_RESOLVER_H__
+#ifndef SANDBOX_WIN_SRC_SIDESTEP_RESOLVER_H_
+#define SANDBOX_WIN_SRC_SIDESTEP_RESOLVER_H_
#include <stddef.h>
@@ -71,4 +71,4 @@ class SmartSidestepResolverThunk : public SidestepResolverThunk {
} // namespace sandbox
-#endif // SANDBOX_SRC_SIDESTEP_RESOLVER_H__
+#endif // SANDBOX_WIN_SRC_SIDESTEP_RESOLVER_H_
diff --git a/chromium/sandbox/win/src/startup_information_helper.cc b/chromium/sandbox/win/src/startup_information_helper.cc
index d25d46d3eee..7251205d8b3 100644
--- a/chromium/sandbox/win/src/startup_information_helper.cc
+++ b/chromium/sandbox/win/src/startup_information_helper.cc
@@ -13,7 +13,7 @@
#include "base/memory/scoped_refptr.h"
#include "base/win/startup_information.h"
#include "base/win/windows_version.h"
-#include "sandbox/win/src/app_container_profile.h"
+#include "sandbox/win/src/app_container.h"
#include "sandbox/win/src/nt_internals.h"
#include "sandbox/win/src/security_capabilities.h"
#include "sandbox/win/src/win_utils.h"
@@ -67,16 +67,16 @@ void StartupInformationHelper::AddInheritedHandle(HANDLE handle) {
}
}
-void StartupInformationHelper::SetAppContainerProfile(
- scoped_refptr<AppContainerProfileBase> profile) {
+void StartupInformationHelper::SetAppContainer(
+ scoped_refptr<AppContainerBase> container) {
// Only supported for Windows 8+.
DCHECK(base::win::GetVersion() >= base::win::Version::WIN8);
// LowPrivilegeAppContainer only supported for Windows 10+
- DCHECK(!profile->GetEnableLowPrivilegeAppContainer() ||
+ DCHECK(!container->GetEnableLowPrivilegeAppContainer() ||
base::win::GetVersion() >= base::win::Version::WIN10_RS1);
- app_container_profile_ = profile;
- security_capabilities_ = app_container_profile_->GetSecurityCapabilities();
+ app_container_ = container;
+ security_capabilities_ = app_container_->GetSecurityCapabilities();
}
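Review bot: `SetAppContainer()` unconditionally calls `GetSecurityCapabilities()` and stores the result in `security_capabilities_`, yet the other hunks of this file skip the SECURITY_CAPABILITIES attribute entirely when `GetAppContainerType() == AppContainerType::kLowbox`, so for a lowbox container that member appears to go unused unless something outside this diff reads it. Either guard the assignment with the same type check or add `// Not consumed for kLowbox: BuildStartupInformation() adds no security-capabilities attribute for lowbox containers.` so the next reader does not expect it to be applied. The two version checks remain DCHECK-only, so a release build proceeds on an unsupported OS rather than failing; that is acceptable only if callers guarantee the versions, which the header comment should say.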
void StartupInformationHelper::AddJobToAssociate(HANDLE job_handle) {
@@ -97,9 +97,10 @@ int StartupInformationHelper::CountAttributes() {
if (!inherited_handle_list_.empty())
++attribute_count;
- if (app_container_profile_) {
+ if (app_container_ &&
+ app_container_->GetAppContainerType() != AppContainerType::kLowbox) {
++attribute_count;
- if (app_container_profile_->GetEnableLowPrivilegeAppContainer())
+ if (app_container_->GetEnableLowPrivilegeAppContainer())
++attribute_count;
}
@@ -171,14 +172,15 @@ bool StartupInformationHelper::BuildStartupInformation() {
expected_attributes--;
}
- if (app_container_profile_) {
+ if (app_container_ &&
+ app_container_->GetAppContainerType() != AppContainerType::kLowbox) {
if (!startup_info_.UpdateProcThreadAttribute(
PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES,
security_capabilities_.get(), sizeof(SECURITY_CAPABILITIES))) {
return false;
}
expected_attributes--;
- if (app_container_profile_->GetEnableLowPrivilegeAppContainer()) {
+ if (app_container_->GetEnableLowPrivilegeAppContainer()) {
all_applications_package_policy_ =
PROCESS_CREATION_ALL_APPLICATION_PACKAGES_OPT_OUT;
if (!startup_info_.UpdateProcThreadAttribute(
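Review bot: The compound condition `app_container_ && app_container_->GetAppContainerType() != AppContainerType::kLowbox` is now duplicated here and in CountAttributes(), and the `expected_attributes` bookkeeping relies on the two staying identical. Factor it into a private helper declared in the header, `bool NeedsAppContainerAttributes() const { return app_container_ && app_container_->GetAppContainerType() != AppContainerType::kLowbox; }`, and call it from both places so a future AppContainerType cannot be handled in one and not the other. BuildStartupInformation() starts and ends outside the hunk.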
diff --git a/chromium/sandbox/win/src/startup_information_helper.h b/chromium/sandbox/win/src/startup_information_helper.h
index 532719530da..87034d2ec0d 100644
--- a/chromium/sandbox/win/src/startup_information_helper.h
+++ b/chromium/sandbox/win/src/startup_information_helper.h
@@ -12,7 +12,7 @@
#include "base/memory/scoped_refptr.h"
#include "base/win/startup_information.h"
#include "base/win/windows_version.h"
-#include "sandbox/win/src/app_container_profile_base.h"
+#include "sandbox/win/src/app_container_base.h"
#include "sandbox/win/src/process_mitigations.h"
#include "sandbox/win/src/security_capabilities.h"
@@ -42,8 +42,8 @@ class StartupInformationHelper {
void AddInheritedHandle(HANDLE handle);
// Create PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES and
// PROC_THREAD_ATTRIBUTE_ALL_APPLICATION_PACKAGES_POLICY
- // based on |profile|. |profile| should be valid.
- void SetAppContainerProfile(scoped_refptr<AppContainerProfileBase> profile);
+ // based on |container|. |container| should be valid.
+ void SetAppContainer(scoped_refptr<AppContainerBase> container);
// Creates PROC_THREAD_ATTRIBUTE_JOB_LIST with |job_handle|. Not valid before
// Windows 10.
void AddJobToAssociate(HANDLE job_handle);
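Review bot: The comment on `SetAppContainer()` still says it creates the SECURITY_CAPABILITIES and ALL_APPLICATION_PACKAGES_POLICY attributes "based on |container|", but the .cc changes in this commit add neither attribute when the container's type is AppContainerType::kLowbox, so the contract as written is now wrong for lowbox. Suggest extending it with `// For an AppContainerType::kLowbox container no attributes are added; only the security capabilities are recorded.`, assuming nothing else consumes them, which should be confirmed. The class continues outside the hunk.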
@@ -69,7 +69,7 @@ class StartupInformationHelper {
int CountAttributes();
// Fields that are not passed into CreateProcessAsUserW().
- scoped_refptr<AppContainerProfileBase> app_container_profile_ = nullptr;
+ scoped_refptr<AppContainerBase> app_container_;
bool restrict_child_process_creation_ = false;
HANDLE stdout_handle_ = INVALID_HANDLE_VALUE;
HANDLE stderr_handle_ = INVALID_HANDLE_VALUE;
@@ -87,7 +87,7 @@ class StartupInformationHelper {
DWORD all_applications_package_policy_ = 0;
std::vector<HANDLE> inherited_handle_list_;
std::vector<HANDLE> job_handle_list_;
- std::unique_ptr<SecurityCapabilities> security_capabilities_ = nullptr;
+ std::unique_ptr<SecurityCapabilities> security_capabilities_;
};
} // namespace sandbox
diff --git a/chromium/sandbox/win/src/sync_dispatcher.h b/chromium/sandbox/win/src/sync_dispatcher.h
index d4bc025a0b6..3f3082aac56 100644
--- a/chromium/sandbox/win/src/sync_dispatcher.h
+++ b/chromium/sandbox/win/src/sync_dispatcher.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_SYNC_DISPATCHER_H_
-#define SANDBOX_SRC_SYNC_DISPATCHER_H_
+#ifndef SANDBOX_WIN_SRC_SYNC_DISPATCHER_H_
+#define SANDBOX_WIN_SRC_SYNC_DISPATCHER_H_
#include <stdint.h>
@@ -41,4 +41,4 @@ class SyncDispatcher : public Dispatcher {
} // namespace sandbox
-#endif // SANDBOX_SRC_SYNC_DISPATCHER_H_
+#endif // SANDBOX_WIN_SRC_SYNC_DISPATCHER_H_
diff --git a/chromium/sandbox/win/src/sync_policy.h b/chromium/sandbox/win/src/sync_policy.h
index 2eb4124a823..375b462c56b 100644
--- a/chromium/sandbox/win/src/sync_policy.h
+++ b/chromium/sandbox/win/src/sync_policy.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_SYNC_POLICY_H__
-#define SANDBOX_SRC_SYNC_POLICY_H__
+#ifndef SANDBOX_WIN_SRC_SYNC_POLICY_H_
+#define SANDBOX_WIN_SRC_SYNC_POLICY_H_
#include <stdint.h>
@@ -46,4 +46,4 @@ class SyncPolicy {
} // namespace sandbox
-#endif // SANDBOX_SRC_SYNC_POLICY_H__
+#endif // SANDBOX_WIN_SRC_SYNC_POLICY_H_
diff --git a/chromium/sandbox/win/src/target_process.cc b/chromium/sandbox/win/src/target_process.cc
index 70e700112b6..e93cf37923c 100644
--- a/chromium/sandbox/win/src/target_process.cc
+++ b/chromium/sandbox/win/src/target_process.cc
@@ -67,7 +67,7 @@ bool GetTokenAppContainerSid(HANDLE token_handle,
app_container_info.data());
if (!info->TokenAppContainer)
return false;
- *app_container_sid = std::unique_ptr<Sid>(new Sid(info->TokenAppContainer));
+ *app_container_sid = std::make_unique<Sid>(info->TokenAppContainer);
return true;
}
@@ -299,9 +299,9 @@ ResultCode TargetProcess::Init(Dispatcher* ipc_dispatcher,
return ret;
}
- ipc_server_.reset(new SharedMemIPCServer(
+ ipc_server_ = std::make_unique<SharedMemIPCServer>(
sandbox_process_info_.process_handle(),
- sandbox_process_info_.process_id(), thread_pool_, ipc_dispatcher));
+ sandbox_process_info_.process_id(), thread_pool_, ipc_dispatcher);
if (!ipc_server_->Init(shared_memory, shared_IPC_size, kIPCChannelSize))
return SBOX_ERROR_NO_SPACE;
diff --git a/chromium/sandbox/win/src/target_services.h b/chromium/sandbox/win/src/target_services.h
index e50b7fb97c4..359ead4c41f 100644
--- a/chromium/sandbox/win/src/target_services.h
+++ b/chromium/sandbox/win/src/target_services.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_TARGET_SERVICES_H__
-#define SANDBOX_SRC_TARGET_SERVICES_H__
+#ifndef SANDBOX_WIN_SRC_TARGET_SERVICES_H_
+#define SANDBOX_WIN_SRC_TARGET_SERVICES_H_
#include "base/macros.h"
#include "sandbox/win/src/sandbox.h"
@@ -63,4 +63,4 @@ class TargetServicesBase : public TargetServices {
} // namespace sandbox
-#endif // SANDBOX_SRC_TARGET_SERVICES_H__
+#endif // SANDBOX_WIN_SRC_TARGET_SERVICES_H_
diff --git a/chromium/sandbox/win/src/threadpool.h b/chromium/sandbox/win/src/threadpool.h
index 045a9d2b7d2..9264abe720d 100644
--- a/chromium/sandbox/win/src/threadpool.h
+++ b/chromium/sandbox/win/src/threadpool.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_THREADPOOL_H_
-#define SANDBOX_SRC_THREADPOOL_H_
+#ifndef SANDBOX_WIN_SRC_THREADPOOL_H_
+#define SANDBOX_WIN_SRC_THREADPOOL_H_
#include <stddef.h>
@@ -84,4 +84,4 @@ class ThreadPool {
} // namespace sandbox
-#endif // SANDBOX_SRC_THREADPOOL_H_
+#endif // SANDBOX_WIN_SRC_THREADPOOL_H_
diff --git a/chromium/sandbox/win/src/top_level_dispatcher.h b/chromium/sandbox/win/src/top_level_dispatcher.h
index b440d86f1df..94a923cee4c 100644
--- a/chromium/sandbox/win/src/top_level_dispatcher.h
+++ b/chromium/sandbox/win/src/top_level_dispatcher.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_TOP_LEVEL_DISPATCHER_H__
-#define SANDBOX_SRC_TOP_LEVEL_DISPATCHER_H__
+#ifndef SANDBOX_WIN_SRC_TOP_LEVEL_DISPATCHER_H_
+#define SANDBOX_WIN_SRC_TOP_LEVEL_DISPATCHER_H_
#include <memory>
@@ -50,4 +50,4 @@ class TopLevelDispatcher : public Dispatcher {
} // namespace sandbox
-#endif // SANDBOX_SRC_TOP_LEVEL_DISPATCHER_H__
+#endif // SANDBOX_WIN_SRC_TOP_LEVEL_DISPATCHER_H_
diff --git a/chromium/sandbox/win/src/win_utils.h b/chromium/sandbox/win/src/win_utils.h
index 2e79eeb78bb..5945cd60965 100644
--- a/chromium/sandbox/win/src/win_utils.h
+++ b/chromium/sandbox/win/src/win_utils.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_WIN_UTILS_H_
-#define SANDBOX_SRC_WIN_UTILS_H_
+#ifndef SANDBOX_WIN_SRC_WIN_UTILS_H_
+#define SANDBOX_WIN_SRC_WIN_UTILS_H_
#include <stddef.h>
#include <windows.h>
@@ -152,4 +152,4 @@ DWORD GetTokenInformation(HANDLE token,
// is a pointer to the function pointer.
void ResolveNTFunctionPtr(const char* name, void* ptr);
-#endif // SANDBOX_SRC_WIN_UTILS_H_
+#endif // SANDBOX_WIN_SRC_WIN_UTILS_H_
diff --git a/chromium/sandbox/win/src/window.h b/chromium/sandbox/win/src/window.h
index 1fe5b6cc72c..ddc17e52df4 100644
--- a/chromium/sandbox/win/src/window.h
+++ b/chromium/sandbox/win/src/window.h
@@ -2,8 +2,8 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-#ifndef SANDBOX_SRC_WINDOW_H_
-#define SANDBOX_SRC_WINDOW_H_
+#ifndef SANDBOX_WIN_SRC_WINDOW_H_
+#define SANDBOX_WIN_SRC_WINDOW_H_
#include <windows.h>
@@ -34,4 +34,4 @@ std::wstring GetFullDesktopName(HWINSTA winsta, HDESK desktop);
} // namespace sandbox
-#endif // SANDBOX_SRC_WINDOW_H_
+#endif // SANDBOX_WIN_SRC_WINDOW_H_