Add sandbox support for Windows process mitigations

sandbox/win/src/process_mitigations.cc

Index: sandbox/win/src/process_mitigations.cc
===================================================================
--- sandbox/win/src/process_mitigations.cc	(revision 0)
+++ sandbox/win/src/process_mitigations.cc	(revision 0)
@@ -0,0 +1,295 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/win/src/process_mitigations.h"
+
+#include "base/win/windows_version.h"
+#include "sandbox/win/src/nt_internals.h"
+#include "sandbox/win/src/sandbox_policy.h"
+#include "sandbox/win/src/sandbox_utils.h"
+#include "sandbox/win/src/win_utils.h"
+
+namespace {
+
+// Functions for enabling policies.
+typedef BOOL (WINAPI *SetProcessDEPPolicyFunction)(DWORD dwFlags);
+
+typedef BOOL (WINAPI *SetProcessMitigationPolicyFunction)(
+    PROCESS_MITIGATION_POLICY mitigation_policy,
+    PVOID buffer,
+    SIZE_T length);
+
+typedef BOOL (WINAPI *SetDefaultDllDirectoriesFunction)(
+    DWORD DirectoryFlags);
+
+}  // namespace
+
+namespace sandbox {
+
+bool SetProcessMitigationsForCurrentProcess(uint64 flags) {
+  if (!CanSetProcessMitigationsPostStartup(flags))
+    return false;
+
+  HMODULE module = ::GetModuleHandleW(L"kernel32.dll");

[cpu_(ooo_6.6-7.5), 2012/09/07 19:22:55]

use the Ansi version. This one of the rare cases where the ansi version is the
true one.

[jschuh, 2012/09/07 20:23:14]

Done.

+
+  // We can't apply anything before Win XP, so just return cleanly.
+  if (!IsXPSP2OrLater())
+    return true;
+
+  if (flags & TargetPolicy::MITIGATION_DLL_SEARCH_ORDER) {
+    SetDefaultDllDirectoriesFunction set_default_dll_directories =
+        reinterpret_cast<SetDefaultDllDirectoriesFunction>(
+            ::GetProcAddress(module, "SetDefaultDllDirectories"));
+
+    // Check for SetDefaultDllDirectories since it requires KB2533623.
+    if (set_default_dll_directories) {
+      if (!set_default_dll_directories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS))
+        return false;
+    }
+  }
+
+  base::win::Version version = base::win::GetVersion();
+
+  // Set the heap to terminate on corruption
+  if (flags & TargetPolicy::MITIGATION_HEAP_TERMINATE) {
+    if (!::HeapSetInformation(NULL, HeapEnableTerminationOnCorruption,
+                              NULL, 0))
+      return false;
+  }
+
+#ifndef _WIN64  // DEP is always enabled on 64-bit.
+  if (flags & TargetPolicy::MITIGATION_DEP) {
+    DWORD dep_flags = PROCESS_DEP_ENABLE;
+
+    if (flags & TargetPolicy::MITIGATION_DEP_NO_ATL_THUNK)
+      dep_flags |= PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION;
+
+    SetProcessDEPPolicyFunction set_process_dep_policy =
+        reinterpret_cast<SetProcessDEPPolicyFunction>(
+            ::GetProcAddress(module, "SetProcessDEPPolicy"));
+    if (set_process_dep_policy) {
+      if (!set_process_dep_policy(dep_flags) &&
+          ERROR_ACCESS_DENIED != ::GetLastError()) {
+        return false;
+      }
+    } else {
+      // We're on XP sp2, so use the less standard approach.
+      // For reference: http://www.uninformed.org/?v=2&a=4
+      const int MEM_EXECUTE_OPTION_ENABLE = 1;
+      const int MEM_EXECUTE_OPTION_DISABLE = 2;
+      const int MEM_EXECUTE_OPTION_ATL7_THUNK_EMULATION = 4;
+      const int MEM_EXECUTE_OPTION_PERMANENT = 8;
+
+      NtSetInformationProcessFunction set_information_process = NULL;
+      ResolveNTFunctionPtr("NtSetInformationProcess",
+                           &set_information_process);
+      if (!set_information_process)
+        return false;
+      ULONG dep = MEM_EXECUTE_OPTION_DISABLE | MEM_EXECUTE_OPTION_PERMANENT;
+      if (!(dep_flags & PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION))
+        dep |= MEM_EXECUTE_OPTION_ATL7_THUNK_EMULATION;
+      if (!SUCCEEDED(set_information_process(GetCurrentProcess(),
+                                             ProcessExecuteFlags,
+                                             &dep, sizeof(dep))) &&
+          ERROR_ACCESS_DENIED != ::GetLastError()) {
+        return false;
+      }
+    }
+  }
+#endif
+

[cpu_(ooo_6.6-7.5), 2012/09/07 19:22:55]

line 52 can move down here?

[jschuh, 2012/09/07 20:23:14]

Done.

+  // This is all we can do in Win7 and below

[cpu_(ooo_6.6-7.5), 2012/09/07 19:22:55]

period

[jschuh, 2012/09/07 20:23:14]

Done.

+  if (version < base::win::VERSION_WIN8)
+    return true;
+
+  // Load the Win8 API on demand.

[cpu_(ooo_6.6-7.5), 2012/09/07 19:22:55]

remove comment line 106

[jschuh, 2012/09/07 20:23:14]

Done.

+  SetProcessMitigationPolicyFunction set_process_mitigation_policy =
+      reinterpret_cast<SetProcessMitigationPolicyFunction>(
+          ::GetProcAddress(module, "SetProcessMitigationPolicy"));
+  if (!set_process_mitigation_policy)
+    return false;
+
+  // Enable ASLR policies.
+  if (flags & TargetPolicy::MITIGATION_RELOCATE_IMAGE) {
+    PROCESS_MITIGATION_ASLR_POLICY policy = { 0 };
+    policy.EnableForceRelocateImages = true;
+    policy.DisallowStrippedImages = (flags &
+        TargetPolicy::MITIGATION_RELOCATE_IMAGE_REQUIRED) ==
+        TargetPolicy::MITIGATION_RELOCATE_IMAGE_REQUIRED;
+
+    if (!set_process_mitigation_policy(ProcessASLRPolicy, &policy,
+                                       sizeof(policy)) &&
+        ERROR_ACCESS_DENIED != ::GetLastError()) {
+      return false;
+    }
+  }
+
+  // Enable strict handle policies.
+  if (flags & TargetPolicy::MITIGATION_STRICT_HANDLE_CHECKS) {
+    PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy = { 0 };
+    policy.HandleExceptionsPermanentlyEnabled =
+        policy.RaiseExceptionOnInvalidHandleReference = true;
+
+    if (!set_process_mitigation_policy(ProcessStrictHandleCheckPolicy, &policy,
+                                       sizeof(policy)) &&
+        ERROR_ACCESS_DENIED != ::GetLastError()) {
+      return false;
+    }
+  }
+
+  // Enable system call policies.
+  if (flags & TargetPolicy::MITIGATION_WIN32K_DISABLE) {
+    PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY policy = { 0 };
+    policy.DisallowWin32kSystemCalls = true;
+
+    if (!set_process_mitigation_policy(ProcessSystemCallDisablePolicy, &policy,
+                                       sizeof(policy)) &&
+        ERROR_ACCESS_DENIED != ::GetLastError()) {
+      return false;
+    }
+  }
+
+  // Enable system call policies.
+  if (flags & TargetPolicy::MITIGATION_EXTENSION_DLL_DISABLE) {
+    PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = { 0 };
+    policy.DisableExtensionPoints = true;
+
+    if (!set_process_mitigation_policy(ProcessExtensionPointDisablePolicy,
+                                       &policy, sizeof(policy)) &&
+        ERROR_ACCESS_DENIED != ::GetLastError()) {
+      return false;
+    }
+  }
+
+  return true;
+}
+
+DWORD64 GetProcessMitigationPolicyFlags(uint64 flags) {
+  base::win::Version version = base::win::GetVersion();
+
+  // Nothing for Win XP
+  if (version < base::win::VERSION_VISTA)
+    return 0;
+
+  DWORD64 real_flags = 0;
+  if (flags & TargetPolicy::MITIGATION_DEP) {
+    real_flags |= PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE;
+    if (!(flags & TargetPolicy::MITIGATION_DEP_NO_ATL_THUNK))
+      real_flags |= PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE;
+  }
+
+  if (flags & TargetPolicy::MITIGATION_SEHOP)
+    real_flags |= PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE;
+
+  // Win 7 and Vista
+  if (version < base::win::VERSION_WIN8)
+    return real_flags;
+
+  if (flags & TargetPolicy::MITIGATION_RELOCATE_IMAGE) {
+    real_flags |=
+        PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON;
+    if (flags & TargetPolicy::MITIGATION_RELOCATE_IMAGE_REQUIRED) {
+      real_flags |=
+          PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS;
+    }
+  }
+
+  if (flags & TargetPolicy::MITIGATION_HEAP_TERMINATE)
+    real_flags |= PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON;
+
+  if (flags & TargetPolicy::MITIGATION_BOTTOM_UP_ASLR)
+    real_flags |= PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON;
+
+  if (flags & TargetPolicy::MITIGATION_HIGH_ENTROPY_ASLR) {
+    real_flags |=
+        PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON;
+  }
+
+  if (flags & TargetPolicy::MITIGATION_STRICT_HANDLE_CHECKS) {
+    real_flags |=
+        PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON;
+  }
+
+  if (flags & TargetPolicy::MITIGATION_WIN32K_DISABLE) {
+    real_flags |=
+        PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON;
+  }
+
+  if (flags & TargetPolicy::MITIGATION_EXTENSION_DLL_DISABLE) {
+    real_flags |=
+        PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON;
+  }
+
+  // Windows 8
+  return real_flags;
+}
+
+uint64 GetPostStartupProcessMitigations(uint64 flags) {
+  base::win::Version version = base::win::GetVersion();
+
+  // Windows XP SP2

[cpu_(ooo_6.6-7.5), 2012/09/07 19:22:55]

use IsXPSP2OrLater()? or maybe the comment is wrong.

[jschuh, 2012/09/07 20:23:14]

Done.

+  if (version < base::win::VERSION_VISTA) {
+    return flags & (TargetPolicy::MITIGATION_DEP |
+                    TargetPolicy::MITIGATION_DEP_NO_ATL_THUNK);
+
+  // Windows 7 and Vista
+  } else if (version < base::win::VERSION_WIN8) {
+    return flags & (TargetPolicy::MITIGATION_BOTTOM_UP_ASLR |
+                    TargetPolicy::MITIGATION_DLL_SEARCH_ORDER |
+                    TargetPolicy::MITIGATION_HEAP_TERMINATE);
+  }
+
+  // Windows 8 and above.
+  return flags & (TargetPolicy::MITIGATION_BOTTOM_UP_ASLR |
+                  TargetPolicy::MITIGATION_DLL_SEARCH_ORDER);
+}
+
+bool SetProcessMitigationsForSuspendedProcess(HANDLE process, uint64 flags) {
+// This is a hack to fake a weak bottom-up ASLR on 32-bit Windows.
+#ifndef _WIN64
+  if (flags & TargetPolicy::MITIGATION_BOTTOM_UP_ASLR) {
+    unsigned int limit;
+    rand_s(&limit);
+    char* ptr = 0;
+    const size_t kMask64k = 0xFFFF;
+    // Random range (512k-16.5mb) in 64k steps.
+    const char* end = ptr + ((((limit % 16384) + 512) * 1024) & ~kMask64k);
+    while (ptr < end) {
+      MEMORY_BASIC_INFORMATION memory_info;
+      if (!::VirtualQueryEx(process, ptr, &memory_info, sizeof(memory_info)))
+        break;
+      size_t size = std::min((memory_info.RegionSize + kMask64k) & ~kMask64k,
+                             static_cast<SIZE_T>(end - ptr));
+      if (ptr && memory_info.State == MEM_FREE)
+        ::VirtualAllocEx(process, ptr, size, MEM_RESERVE, PAGE_NOACCESS);
+      ptr += size;
+    }
+  }
+#endif
+
+  return true;
+}
+
+bool CanSetProcessMitigationsPostStartup(uint64 flags) {
+  // All of these can be set after startup.
+  return !(flags & ~(TargetPolicy::MITIGATION_HEAP_TERMINATE |
+                     TargetPolicy::MITIGATION_DEP |
+                     TargetPolicy::MITIGATION_DEP_NO_ATL_THUNK |
+                     TargetPolicy::MITIGATION_RELOCATE_IMAGE |
+                     TargetPolicy::MITIGATION_RELOCATE_IMAGE_REQUIRED |
+                     TargetPolicy::MITIGATION_BOTTOM_UP_ASLR |
+                     TargetPolicy::MITIGATION_STRICT_HANDLE_CHECKS |
+                     TargetPolicy::MITIGATION_WIN32K_DISABLE |
+                     TargetPolicy::MITIGATION_EXTENSION_DLL_DISABLE));
+}
+
+bool CanSetProcessMitigationsPreStartup(uint64 flags) {
+  // These flags must be set after startup.

[cpu_(ooo_6.6-7.5), 2012/09/07 19:22:55]

comment seems wrong, also the function instead of 'Can' would rather be 'Should'
or 'Must' ?

+  return !(flags & (TargetPolicy::MITIGATION_STRICT_HANDLE_CHECKS |
+                    TargetPolicy::MITIGATION_WIN32K_DISABLE |
+                    TargetPolicy::MITIGATION_DLL_SEARCH_ORDER));
+}
+
+}  // namespace sandbox
+