1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_ 6 #define SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_ 7 8 #include <windows.h> 9 10 #include <stddef.h> 11 #include <stdint.h> 12 13 #include <list> 14 #include <memory> 15 #include <string> 16 #include <vector> 17 18 #include "base/compiler_specific.h" 19 #include "base/macros.h" 20 #include "base/memory/scoped_refptr.h" 21 #include "base/process/launch.h" 22 #include "base/win/scoped_handle.h" 23 #include "sandbox/win/src/app_container_profile_base.h" 24 #include "sandbox/win/src/crosscall_server.h" 25 #include "sandbox/win/src/handle_closer.h" 26 #include "sandbox/win/src/ipc_tags.h" 27 #include "sandbox/win/src/policy_engine_opcodes.h" 28 #include "sandbox/win/src/policy_engine_params.h" 29 #include "sandbox/win/src/sandbox_policy.h" 30 #include "sandbox/win/src/win_utils.h" 31 32 namespace sandbox { 33 34 class LowLevelPolicy; 35 class PolicyDiagnostic; 36 class PolicyInfo; 37 class TargetProcess; 38 struct PolicyGlobal; 39 40 class PolicyBase final : public TargetPolicy { 41 public: 42 PolicyBase(); 43 44 // TargetPolicy: 45 void AddRef() override; 46 void Release() override; 47 ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) override; 48 TokenLevel GetInitialTokenLevel() const override; 49 TokenLevel GetLockdownTokenLevel() const override; 50 ResultCode SetJobLevel(JobLevel job_level, uint32_t ui_exceptions) override; 51 JobLevel GetJobLevel() const override; 52 ResultCode SetJobMemoryLimit(size_t memory_limit) override; 53 ResultCode SetAlternateDesktop(bool alternate_winstation) override; 54 std::wstring GetAlternateDesktop() const override; 55 ResultCode CreateAlternateDesktop(bool alternate_winstation) override; 56 void DestroyAlternateDesktop() override; 57 ResultCode SetIntegrityLevel(IntegrityLevel integrity_level) override; 58 IntegrityLevel GetIntegrityLevel() const override; 59 ResultCode SetDelayedIntegrityLevel(IntegrityLevel integrity_level) override; 60 ResultCode SetLowBox(const wchar_t* sid) override; 61 ResultCode SetProcessMitigations(MitigationFlags flags) override; 62 MitigationFlags GetProcessMitigations() override; 63 ResultCode SetDelayedProcessMitigations(MitigationFlags flags) override; 64 MitigationFlags GetDelayedProcessMitigations() const override; 65 ResultCode SetDisconnectCsrss() override; 66 void SetStrictInterceptions() override; 67 ResultCode SetStdoutHandle(HANDLE handle) override; 68 ResultCode SetStderrHandle(HANDLE handle) override; 69 ResultCode AddRule(SubSystem subsystem, 70 Semantics semantics, 71 const wchar_t* pattern) override; 72 ResultCode AddDllToUnload(const wchar_t* dll_name) override; 73 ResultCode AddKernelObjectToClose(const wchar_t* handle_type, 74 const wchar_t* handle_name) override; 75 void AddHandleToShare(HANDLE handle) override; 76 void SetLockdownDefaultDacl() override; 77 void AddRestrictingRandomSid() override; 78 void SetEnableOPMRedirection() override; 79 bool GetEnableOPMRedirection() override; 80 ResultCode AddAppContainerProfile(const wchar_t* package_name, 81 bool create_profile) override; 82 scoped_refptr<AppContainerProfile> GetAppContainerProfile() override; 83 void SetEffectiveToken(HANDLE token) override; 84 std::unique_ptr<PolicyInfo> GetPolicyInfo() override; 85 86 // Get the AppContainer profile as its internal type. 87 scoped_refptr<AppContainerProfileBase> GetAppContainerProfileBase(); 88 89 // Creates a Job object with the level specified in a previous call to 90 // SetJobLevel(). 91 ResultCode MakeJobObject(base::win::ScopedHandle* job); 92 93 // Updates the active process limit on the job to zero. Has no effect 94 // if the job is allowed to spawn processes. 95 ResultCode DropActiveProcessLimit(base::win::ScopedHandle* job); 96 97 // Creates the two tokens with the levels specified in a previous call to 98 // SetTokenLevel(). Also creates a lowbox token if specified based on the 99 // lowbox SID. 100 ResultCode MakeTokens(base::win::ScopedHandle* initial, 101 base::win::ScopedHandle* lockdown, 102 base::win::ScopedHandle* lowbox); 103 104 PSID GetLowBoxSid() const; 105 106 // Adds a target process to the internal list of targets. Internally a 107 // call to TargetProcess::Init() is issued. 108 ResultCode AddTarget(std::unique_ptr<TargetProcess> target); 109 110 // Called when there are no more active processes in a Job. 111 // Removes a Job object associated with this policy and the target associated 112 // with the job. If a process is not in a job, call OnProcessFinished(). 113 bool OnJobEmpty(HANDLE job); 114 115 // Called when a process no longer needs to be tracked. Processes in jobs 116 // should be notified via OnJobEmpty instead. 117 bool OnProcessFinished(DWORD process_id); 118 119 EvalResult EvalPolicy(IpcTag service, CountedParameterSetBase* params); 120 121 HANDLE GetStdoutHandle(); 122 HANDLE GetStderrHandle(); 123 124 // Returns the list of handles being shared with the target process. 125 const base::HandlesToInheritVector& GetHandlesBeingShared(); 126 127 private: 128 // Allow PolicyInfo to snapshot PolicyBase for diagnostics. 129 friend class PolicyDiagnostic; 130 ~PolicyBase(); 131 132 // Sets up interceptions for a new target. This policy must own |target|. 133 ResultCode SetupAllInterceptions(TargetProcess& target); 134 135 // Sets up the handle closer for a new target. This policy must own |target|. 136 bool SetupHandleCloser(TargetProcess& target); 137 138 ResultCode AddRuleInternal(SubSystem subsystem, 139 Semantics semantics, 140 const wchar_t* pattern); 141 142 // This lock synchronizes operations on the targets_ collection. 143 CRITICAL_SECTION lock_; 144 // Maintains the list of target process associated with this policy. 145 // The policy takes ownership of them. 146 typedef std::list<std::unique_ptr<TargetProcess>> TargetSet; 147 TargetSet targets_; 148 // Standard object-lifetime reference counter. 149 volatile LONG ref_count; 150 // The user-defined global policy settings. 151 TokenLevel lockdown_level_; 152 TokenLevel initial_level_; 153 JobLevel job_level_; 154 uint32_t ui_exceptions_; 155 size_t memory_limit_; 156 bool use_alternate_desktop_; 157 bool use_alternate_winstation_; 158 // Helps the file system policy initialization. 159 bool file_system_init_; 160 bool relaxed_interceptions_; 161 HANDLE stdout_handle_; 162 HANDLE stderr_handle_; 163 IntegrityLevel integrity_level_; 164 IntegrityLevel delayed_integrity_level_; 165 MitigationFlags mitigations_; 166 MitigationFlags delayed_mitigations_; 167 bool is_csrss_connected_; 168 // Object in charge of generating the low level policy. 169 LowLevelPolicy* policy_maker_; 170 // Memory structure that stores the low level policy. 171 PolicyGlobal* policy_; 172 // The list of dlls to unload in the target process. 173 std::vector<std::wstring> blocklisted_dlls_; 174 // This is a map of handle-types to names that we need to close in the 175 // target process. A null set means we need to close all handles of the 176 // given type. 177 HandleCloser handle_closer_; 178 PSID lowbox_sid_; 179 base::win::ScopedHandle lowbox_directory_; 180 std::unique_ptr<Dispatcher> dispatcher_; 181 bool lockdown_default_dacl_; 182 bool add_restricting_random_sid_; 183 184 static HDESK alternate_desktop_handle_; 185 static HWINSTA alternate_winstation_handle_; 186 static HDESK alternate_desktop_local_winstation_handle_; 187 static IntegrityLevel alternate_desktop_integrity_level_label_; 188 static IntegrityLevel 189 alternate_desktop_local_winstation_integrity_level_label_; 190 191 // Contains the list of handles being shared with the target process. 192 // This list contains handles other than the stderr/stdout handles which are 193 // shared with the target at times. 194 base::HandlesToInheritVector handles_to_share_; 195 bool enable_opm_redirection_; 196 197 scoped_refptr<AppContainerProfileBase> app_container_profile_; 198 199 HANDLE effective_token_; 200 201 DISALLOW_COPY_AND_ASSIGN(PolicyBase); 202 }; 203 204 } // namespace sandbox 205 206 #endif // SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_ 207