1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "sandbox/win/src/policy_target.h"
6 
7 #include <stddef.h>
8 
9 #include "sandbox/win/src/crosscall_client.h"
10 #include "sandbox/win/src/ipc_tags.h"
11 #include "sandbox/win/src/policy_engine_processor.h"
12 #include "sandbox/win/src/policy_low_level.h"
13 #include "sandbox/win/src/policy_params.h"
14 #include "sandbox/win/src/sandbox_factory.h"
15 #include "sandbox/win/src/sandbox_nt_util.h"
16 #include "sandbox/win/src/sharedmem_ipc_client.h"
17 #include "sandbox/win/src/target_services.h"
18 
19 namespace sandbox {
20 
21 // Handle for our private heap.
22 extern void* g_heap;
23 
24 // This is the list of all imported symbols from ntdll.dll.
25 SANDBOX_INTERCEPT NtExports g_nt;
26 
27 // Policy data.
28 extern void* volatile g_shared_policy_memory;
29 SANDBOX_INTERCEPT size_t g_shared_policy_size;
30 
QueryBroker(IpcTag ipc_id,CountedParameterSetBase * params)31 bool QueryBroker(IpcTag ipc_id, CountedParameterSetBase* params) {
32   DCHECK_NT(static_cast<size_t>(ipc_id) < kMaxServiceCount);
33   DCHECK_NT(g_shared_policy_memory);
34   DCHECK_NT(g_shared_policy_size > 0);
35 
36   if (static_cast<size_t>(ipc_id) >= kMaxServiceCount)
37     return false;
38 
39   PolicyGlobal* global_policy =
40       reinterpret_cast<PolicyGlobal*>(g_shared_policy_memory);
41 
42   if (!global_policy->entry[static_cast<size_t>(ipc_id)])
43     return false;
44 
45   PolicyBuffer* policy = reinterpret_cast<PolicyBuffer*>(
46       reinterpret_cast<char*>(g_shared_policy_memory) +
47       reinterpret_cast<size_t>(
48           global_policy->entry[static_cast<size_t>(ipc_id)]));
49 
50   if ((reinterpret_cast<size_t>(
51            global_policy->entry[static_cast<size_t>(ipc_id)]) >
52        global_policy->data_size) ||
53       (g_shared_policy_size < global_policy->data_size)) {
54     NOTREACHED_NT();
55     return false;
56   }
57 
58   for (size_t i = 0; i < params->count; i++) {
59     if (!params->parameters[i].IsValid()) {
60       NOTREACHED_NT();
61       return false;
62     }
63   }
64 
65   PolicyProcessor processor(policy);
66   PolicyResult result =
67       processor.Evaluate(kShortEval, params->parameters, params->count);
68   DCHECK_NT(POLICY_ERROR != result);
69 
70   return POLICY_MATCH == result && ASK_BROKER == processor.GetAction();
71 }
72 
73 // -----------------------------------------------------------------------
74 
75 // Hooks NtSetInformationThread to block RevertToSelf from being
76 // called before the actual call to LowerToken.
TargetNtSetInformationThread(NtSetInformationThreadFunction orig_SetInformationThread,HANDLE thread,NT_THREAD_INFORMATION_CLASS thread_info_class,PVOID thread_information,ULONG thread_information_bytes)77 NTSTATUS WINAPI TargetNtSetInformationThread(
78     NtSetInformationThreadFunction orig_SetInformationThread,
79     HANDLE thread,
80     NT_THREAD_INFORMATION_CLASS thread_info_class,
81     PVOID thread_information,
82     ULONG thread_information_bytes) {
83   do {
84     if (SandboxFactory::GetTargetServices()->GetState()->RevertedToSelf())
85       break;
86     if (ThreadImpersonationToken != thread_info_class)
87       break;
88     if (!thread_information)
89       break;
90     HANDLE token;
91     if (sizeof(token) > thread_information_bytes)
92       break;
93 
94     NTSTATUS ret = CopyData(&token, thread_information, sizeof(token));
95     if (!NT_SUCCESS(ret) || NULL != token)
96       break;
97 
98     // This is a revert to self.
99     return STATUS_SUCCESS;
100   } while (false);
101 
102   return orig_SetInformationThread(
103       thread, thread_info_class, thread_information, thread_information_bytes);
104 }
105 
106 // Hooks NtOpenThreadToken to force the open_as_self parameter to be set to
107 // false if we are still running with the impersonation token. open_as_self set
108 // to true means that the token will be open using the process token instead of
109 // the impersonation token. This is bad because the process token does not have
110 // access to open the thread token.
111 NTSTATUS WINAPI
TargetNtOpenThreadToken(NtOpenThreadTokenFunction orig_OpenThreadToken,HANDLE thread,ACCESS_MASK desired_access,BOOLEAN open_as_self,PHANDLE token)112 TargetNtOpenThreadToken(NtOpenThreadTokenFunction orig_OpenThreadToken,
113                         HANDLE thread,
114                         ACCESS_MASK desired_access,
115                         BOOLEAN open_as_self,
116                         PHANDLE token) {
117   if (!SandboxFactory::GetTargetServices()->GetState()->RevertedToSelf())
118     open_as_self = false;
119 
120   return orig_OpenThreadToken(thread, desired_access, open_as_self, token);
121 }
122 
123 // See comment for TargetNtOpenThreadToken
124 NTSTATUS WINAPI
TargetNtOpenThreadTokenEx(NtOpenThreadTokenExFunction orig_OpenThreadTokenEx,HANDLE thread,ACCESS_MASK desired_access,BOOLEAN open_as_self,ULONG handle_attributes,PHANDLE token)125 TargetNtOpenThreadTokenEx(NtOpenThreadTokenExFunction orig_OpenThreadTokenEx,
126                           HANDLE thread,
127                           ACCESS_MASK desired_access,
128                           BOOLEAN open_as_self,
129                           ULONG handle_attributes,
130                           PHANDLE token) {
131   if (!SandboxFactory::GetTargetServices()->GetState()->RevertedToSelf())
132     open_as_self = false;
133 
134   return orig_OpenThreadTokenEx(thread, desired_access, open_as_self,
135                                 handle_attributes, token);
136 }
137 
138 }  // namespace sandbox
139