| Index: sandbox/src/target_process.cc
|
| diff --git a/sandbox/src/target_process.cc b/sandbox/src/target_process.cc
|
| deleted file mode 100644
|
| index 88e2751fe9b8d956627ceacaef63e8df28650563..0000000000000000000000000000000000000000
|
| --- a/sandbox/src/target_process.cc
|
| +++ /dev/null
|
| @@ -1,355 +0,0 @@
|
| -// Copyright (c) 2012 The Chromium Authors. All rights reserved.
|
| -// Use of this source code is governed by a BSD-style license that can be
|
| -// found in the LICENSE file.
|
| -
|
| -#include "sandbox/src/target_process.h"
|
| -
|
| -#include "base/basictypes.h"
|
| -#include "base/memory/scoped_ptr.h"
|
| -#include "base/win/pe_image.h"
|
| -#include "base/win/windows_version.h"
|
| -#include "sandbox/src/crosscall_server.h"
|
| -#include "sandbox/src/crosscall_client.h"
|
| -#include "sandbox/src/policy_low_level.h"
|
| -#include "sandbox/src/sandbox_types.h"
|
| -#include "sandbox/src/sharedmem_ipc_server.h"
|
| -
|
| -namespace {
|
| -
|
| -void CopyPolicyToTarget(const void* source, size_t size, void* dest) {
|
| - if (!source || !size)
|
| - return;
|
| - memcpy(dest, source, size);
|
| - sandbox::PolicyGlobal* policy =
|
| - reinterpret_cast<sandbox::PolicyGlobal*>(dest);
|
| -
|
| - size_t offset = reinterpret_cast<size_t>(source);
|
| -
|
| - for (size_t i = 0; i < sandbox::kMaxServiceCount; i++) {
|
| - size_t buffer = reinterpret_cast<size_t>(policy->entry[i]);
|
| - if (buffer) {
|
| - buffer -= offset;
|
| - policy->entry[i] = reinterpret_cast<sandbox::PolicyBuffer*>(buffer);
|
| - }
|
| - }
|
| -}
|
| -
|
| -// Reserve a random range at the bottom of the address space in the target
|
| -// process to prevent predictable alocations at low addresses.
|
| -void PoisonLowerAddressRange(HANDLE process) {
|
| - unsigned int limit;
|
| - rand_s(&limit);
|
| - char* ptr = 0;
|
| - const size_t kMask64k = 0xFFFF;
|
| - // Random range (512k-16.5mb) in 64k steps.
|
| - const char* end = ptr + ((((limit % 16384) + 512) * 1024) & ~kMask64k);
|
| - while (ptr < end) {
|
| - MEMORY_BASIC_INFORMATION memory_info;
|
| - if (!::VirtualQueryEx(process, ptr, &memory_info, sizeof(memory_info)))
|
| - break;
|
| - size_t size = std::min((memory_info.RegionSize + kMask64k) & ~kMask64k,
|
| - static_cast<SIZE_T>(end - ptr));
|
| - if (ptr && memory_info.State == MEM_FREE)
|
| - ::VirtualAllocEx(process, ptr, size, MEM_RESERVE, PAGE_NOACCESS);
|
| - ptr += size;
|
| - }
|
| -}
|
| -
|
| -}
|
| -
|
| -namespace sandbox {
|
| -
|
| -SANDBOX_INTERCEPT HANDLE g_shared_section;
|
| -SANDBOX_INTERCEPT size_t g_shared_IPC_size;
|
| -SANDBOX_INTERCEPT size_t g_shared_policy_size;
|
| -
|
| -// Returns the address of the main exe module in memory taking in account
|
| -// address space layout randomization.
|
| -void* GetBaseAddress(const wchar_t* exe_name, void* entry_point) {
|
| - HMODULE exe = ::LoadLibrary(exe_name);
|
| - if (NULL == exe)
|
| - return exe;
|
| -
|
| - base::win::PEImage pe(exe);
|
| - if (!pe.VerifyMagic()) {
|
| - ::FreeLibrary(exe);
|
| - return exe;
|
| - }
|
| - PIMAGE_NT_HEADERS nt_header = pe.GetNTHeaders();
|
| - char* base = reinterpret_cast<char*>(entry_point) -
|
| - nt_header->OptionalHeader.AddressOfEntryPoint;
|
| -
|
| - ::FreeLibrary(exe);
|
| - return base;
|
| -}
|
| -
|
| -
|
| -TargetProcess::TargetProcess(HANDLE initial_token, HANDLE lockdown_token,
|
| - HANDLE job, ThreadProvider* thread_pool)
|
| - // This object owns everything initialized here except thread_pool and
|
| - // the job_ handle. The Job handle is closed by BrokerServices and results
|
| - // eventually in a call to our dtor.
|
| - : lockdown_token_(lockdown_token),
|
| - initial_token_(initial_token),
|
| - job_(job),
|
| - thread_pool_(thread_pool),
|
| - base_address_(NULL) {
|
| -}
|
| -
|
| -TargetProcess::~TargetProcess() {
|
| - DWORD exit_code = 0;
|
| - // Give a chance to the process to die. In most cases the JOB_KILL_ON_CLOSE
|
| - // will take effect only when the context changes. As far as the testing went,
|
| - // this wait was enough to switch context and kill the processes in the job.
|
| - // If this process is already dead, the function will return without waiting.
|
| - // TODO(nsylvain): If the process is still alive at the end, we should kill
|
| - // it. http://b/893891
|
| - // For now, this wait is there only to do a best effort to prevent some leaks
|
| - // from showing up in purify.
|
| - ::WaitForSingleObject(sandbox_process_info_.process_handle(), 50);
|
| - if (!::GetExitCodeProcess(sandbox_process_info_.process_handle(),
|
| - &exit_code) || (STILL_ACTIVE == exit_code)) {
|
| - // It is an error to destroy this object while the target process is still
|
| - // alive because we need to destroy the IPC subsystem and cannot risk to
|
| - // have an IPC reach us after this point.
|
| - shared_section_.Take();
|
| - SharedMemIPCServer* server = ipc_server_.release();
|
| - sandbox_process_info_.TakeProcessHandle();
|
| - return;
|
| - }
|
| -
|
| - // ipc_server_ references our process handle, so make sure the former is shut
|
| - // down before the latter is closed (by ScopedProcessInformation).
|
| - ipc_server_.reset();
|
| -}
|
| -
|
| -// Creates the target (child) process suspended and assigns it to the job
|
| -// object.
|
| -DWORD TargetProcess::Create(const wchar_t* exe_path,
|
| - const wchar_t* command_line,
|
| - const wchar_t* desktop,
|
| - base::win::ScopedProcessInformation* target_info) {
|
| - exe_name_.reset(_wcsdup(exe_path));
|
| -
|
| - // the command line needs to be writable by CreateProcess().
|
| - scoped_ptr_malloc<wchar_t> cmd_line(_wcsdup(command_line));
|
| - scoped_ptr_malloc<wchar_t> desktop_name(desktop ? _wcsdup(desktop) : NULL);
|
| -
|
| - // Start the target process suspended.
|
| - DWORD flags =
|
| - CREATE_SUSPENDED | CREATE_UNICODE_ENVIRONMENT | DETACHED_PROCESS;
|
| -
|
| - if (base::win::GetVersion() < base::win::VERSION_WIN8) {
|
| - // Windows 8 implements nested jobs, but for older systems we need to
|
| - // break out of any job we're in to enforce our restrictions.
|
| - flags |= CREATE_BREAKAWAY_FROM_JOB;
|
| - }
|
| -
|
| - STARTUPINFO startup_info = {sizeof(STARTUPINFO)};
|
| - if (desktop) {
|
| - startup_info.lpDesktop = desktop_name.get();
|
| - }
|
| -
|
| - base::win::ScopedProcessInformation process_info;
|
| -
|
| - if (!::CreateProcessAsUserW(lockdown_token_,
|
| - exe_path,
|
| - cmd_line.get(),
|
| - NULL, // No security attribute.
|
| - NULL, // No thread attribute.
|
| - FALSE, // Do not inherit handles.
|
| - flags,
|
| - NULL, // Use the environment of the caller.
|
| - NULL, // Use current directory of the caller.
|
| - &startup_info,
|
| - process_info.Receive())) {
|
| - return ::GetLastError();
|
| - }
|
| - lockdown_token_.Close();
|
| -
|
| - PoisonLowerAddressRange(process_info.process_handle());
|
| -
|
| - DWORD win_result = ERROR_SUCCESS;
|
| -
|
| - // Assign the suspended target to the windows job object
|
| - if (!::AssignProcessToJobObject(job_, process_info.process_handle())) {
|
| - win_result = ::GetLastError();
|
| - // It might be a security breach if we let the target run outside the job
|
| - // so kill it before it causes damage
|
| - ::TerminateProcess(process_info.process_handle(), 0);
|
| - return win_result;
|
| - }
|
| -
|
| - // Change the token of the main thread of the new process for the
|
| - // impersonation token with more rights. This allows the target to start;
|
| - // otherwise it will crash too early for us to help.
|
| - {
|
| - HANDLE temp_thread = process_info.thread_handle();
|
| - if (!::SetThreadToken(&temp_thread, initial_token_)) {
|
| - win_result = ::GetLastError();
|
| - ::TerminateProcess(process_info.process_handle(), 0);
|
| - return win_result;
|
| - }
|
| - initial_token_.Close();
|
| - }
|
| -
|
| - CONTEXT context;
|
| - context.ContextFlags = CONTEXT_ALL;
|
| - if (!::GetThreadContext(process_info.thread_handle(), &context)) {
|
| - win_result = ::GetLastError();
|
| - ::TerminateProcess(process_info.process_handle(), 0);
|
| - return win_result;
|
| - }
|
| -
|
| -#if defined(_WIN64)
|
| - void* entry_point = reinterpret_cast<void*>(context.Rcx);
|
| -#else
|
| -#pragma warning(push)
|
| -#pragma warning(disable: 4312)
|
| - // This cast generates a warning because it is 32 bit specific.
|
| - void* entry_point = reinterpret_cast<void*>(context.Eax);
|
| -#pragma warning(pop)
|
| -#endif // _WIN64
|
| -
|
| - if (!target_info->DuplicateFrom(process_info)) {
|
| - win_result = ::GetLastError(); // This may or may not be correct.
|
| - ::TerminateProcess(process_info.process_handle(), 0);
|
| - return win_result;
|
| - }
|
| -
|
| - base_address_ = GetBaseAddress(exe_path, entry_point);
|
| - sandbox_process_info_.Swap(&process_info);
|
| - return win_result;
|
| -}
|
| -
|
| -ResultCode TargetProcess::TransferVariable(const char* name, void* address,
|
| - size_t size) {
|
| - if (!sandbox_process_info_.IsValid())
|
| - return SBOX_ERROR_UNEXPECTED_CALL;
|
| -
|
| - void* child_var = address;
|
| -
|
| -#if SANDBOX_EXPORTS
|
| - HMODULE module = ::LoadLibrary(exe_name_.get());
|
| - if (NULL == module)
|
| - return SBOX_ERROR_GENERIC;
|
| -
|
| - child_var = ::GetProcAddress(module, name);
|
| - ::FreeLibrary(module);
|
| -
|
| - if (NULL == child_var)
|
| - return SBOX_ERROR_GENERIC;
|
| -
|
| - size_t offset = reinterpret_cast<char*>(child_var) -
|
| - reinterpret_cast<char*>(module);
|
| - child_var = reinterpret_cast<char*>(MainModule()) + offset;
|
| -#else
|
| - UNREFERENCED_PARAMETER(name);
|
| -#endif
|
| -
|
| - SIZE_T written;
|
| - if (!::WriteProcessMemory(sandbox_process_info_.process_handle(),
|
| - child_var, address, size, &written))
|
| - return SBOX_ERROR_GENERIC;
|
| -
|
| - if (written != size)
|
| - return SBOX_ERROR_GENERIC;
|
| -
|
| - return SBOX_ALL_OK;
|
| -}
|
| -
|
| -// Construct the IPC server and the IPC dispatcher. When the target does
|
| -// an IPC it will eventually call the dispatcher.
|
| -DWORD TargetProcess::Init(Dispatcher* ipc_dispatcher, void* policy,
|
| - uint32 shared_IPC_size, uint32 shared_policy_size) {
|
| - // We need to map the shared memory on the target. This is necessary for
|
| - // any IPC that needs to take place, even if the target has not yet hit
|
| - // the main( ) function or even has initialized the CRT. So here we set
|
| - // the handle to the shared section. The target on the first IPC must do
|
| - // the rest, which boils down to calling MapViewofFile()
|
| -
|
| - // We use this single memory pool for IPC and for policy.
|
| - DWORD shared_mem_size = static_cast<DWORD>(shared_IPC_size +
|
| - shared_policy_size);
|
| - shared_section_.Set(::CreateFileMappingW(INVALID_HANDLE_VALUE, NULL,
|
| - PAGE_READWRITE | SEC_COMMIT,
|
| - 0, shared_mem_size, NULL));
|
| - if (!shared_section_.IsValid()) {
|
| - return ::GetLastError();
|
| - }
|
| -
|
| - DWORD access = FILE_MAP_READ | FILE_MAP_WRITE;
|
| - HANDLE target_shared_section;
|
| - if (!::DuplicateHandle(::GetCurrentProcess(), shared_section_,
|
| - sandbox_process_info_.process_handle(),
|
| - &target_shared_section, access, FALSE, 0)) {
|
| - return ::GetLastError();
|
| - }
|
| -
|
| - void* shared_memory = ::MapViewOfFile(shared_section_,
|
| - FILE_MAP_WRITE|FILE_MAP_READ,
|
| - 0, 0, 0);
|
| - if (NULL == shared_memory) {
|
| - return ::GetLastError();
|
| - }
|
| -
|
| - CopyPolicyToTarget(policy, shared_policy_size,
|
| - reinterpret_cast<char*>(shared_memory) + shared_IPC_size);
|
| -
|
| - ResultCode ret;
|
| - // Set the global variables in the target. These are not used on the broker.
|
| - g_shared_section = target_shared_section;
|
| - ret = TransferVariable("g_shared_section", &g_shared_section,
|
| - sizeof(g_shared_section));
|
| - g_shared_section = NULL;
|
| - if (SBOX_ALL_OK != ret) {
|
| - return (SBOX_ERROR_GENERIC == ret)?
|
| - ::GetLastError() : ERROR_INVALID_FUNCTION;
|
| - }
|
| - g_shared_IPC_size = shared_IPC_size;
|
| - ret = TransferVariable("g_shared_IPC_size", &g_shared_IPC_size,
|
| - sizeof(g_shared_IPC_size));
|
| - g_shared_IPC_size = 0;
|
| - if (SBOX_ALL_OK != ret) {
|
| - return (SBOX_ERROR_GENERIC == ret) ?
|
| - ::GetLastError() : ERROR_INVALID_FUNCTION;
|
| - }
|
| - g_shared_policy_size = shared_policy_size;
|
| - ret = TransferVariable("g_shared_policy_size", &g_shared_policy_size,
|
| - sizeof(g_shared_policy_size));
|
| - g_shared_policy_size = 0;
|
| - if (SBOX_ALL_OK != ret) {
|
| - return (SBOX_ERROR_GENERIC == ret) ?
|
| - ::GetLastError() : ERROR_INVALID_FUNCTION;
|
| - }
|
| -
|
| - ipc_server_.reset(
|
| - new SharedMemIPCServer(sandbox_process_info_.process_handle(),
|
| - sandbox_process_info_.process_id(),
|
| - job_, thread_pool_, ipc_dispatcher));
|
| -
|
| - if (!ipc_server_->Init(shared_memory, shared_IPC_size, kIPCChannelSize))
|
| - return ERROR_NOT_ENOUGH_MEMORY;
|
| -
|
| - // After this point we cannot use this handle anymore.
|
| - ::CloseHandle(sandbox_process_info_.TakeThreadHandle());
|
| -
|
| - return ERROR_SUCCESS;
|
| -}
|
| -
|
| -void TargetProcess::Terminate() {
|
| - if (!sandbox_process_info_.IsValid())
|
| - return;
|
| -
|
| - ::TerminateProcess(sandbox_process_info_.process_handle(), 0);
|
| -}
|
| -
|
| -
|
| -TargetProcess* MakeTestTargetProcess(HANDLE process, HMODULE base_address) {
|
| - TargetProcess* target = new TargetProcess(NULL, NULL, NULL, NULL);
|
| - target->sandbox_process_info_.Receive()->hProcess = process;
|
| - target->base_address_ = base_address;
|
| - return target;
|
| -}
|
| -
|
| -} // namespace sandbox
|
|
|
Chromium Code Reviews
Issue 10689170:
Move the Windows sandbox to sandbox/win (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src