Move Windows Sandbox, trybots version (don't commit me!)

sandbox/src/target_services.cc

-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/src/target_services.h"
-
-#include <process.h>
-
-#include "base/basictypes.h"
-#include "sandbox/src/crosscall_client.h"
-#include "sandbox/src/handle_closer_agent.h"
-#include "sandbox/src/handle_interception.h"
-#include "sandbox/src/ipc_tags.h"
-#include "sandbox/src/restricted_token_utils.h"
-#include "sandbox/src/sandbox.h"
-#include "sandbox/src/sandbox_types.h"
-#include "sandbox/src/sharedmem_ipc_client.h"
-#include "sandbox/src/sandbox_nt_util.h"
-
-namespace {
-
-// Flushing a cached key is triggered by just opening the key and closing the
-// resulting handle. RegDisablePredefinedCache() is the documented way to flush
-// HKCU so do not use it with this function.
-bool FlushRegKey(HKEY root) {
-  HKEY key;
-  if (ERROR_SUCCESS == ::RegOpenKeyExW(root, NULL, 0, MAXIMUM_ALLOWED, &key)) {
-    if (ERROR_SUCCESS != ::RegCloseKey(key))
-      return false;
-  }
-  return true;
-}
-
-// This function forces advapi32.dll to release some internally cached handles
-// that were made during calls to RegOpenkey and RegOpenKeyEx if it is called
-// with a more restrictive token. Returns true if the flushing is succesful
-// although this behavior is undocumented and there is no guarantee that in
-// fact this will happen in future versions of windows.
-bool FlushCachedRegHandles() {
-  return (FlushRegKey(HKEY_LOCAL_MACHINE) &&
-          FlushRegKey(HKEY_CLASSES_ROOT) &&
-          FlushRegKey(HKEY_USERS));
-}
-
-// Checks if we have handle entries pending and runs the closer.
-bool CloseOpenHandles() {
-  if (sandbox::HandleCloserAgent::NeedsHandlesClosed()) {
-    sandbox::HandleCloserAgent handle_closer;
-
-    handle_closer.InitializeHandlesToClose();
-    if (!handle_closer.CloseHandles())
-      return false;
-  }
-
-  return true;
-}
-
-}  // namespace
-
-namespace sandbox {
-
-SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level =
-    INTEGRITY_LEVEL_LAST;
-
-TargetServicesBase::TargetServicesBase() {
-}
-
-ResultCode TargetServicesBase::Init() {
-  process_state_.SetInitCalled();
-  return SBOX_ALL_OK;
-}
-
-// Failure here is a breach of security so the process is terminated.
-void TargetServicesBase::LowerToken() {
-  if (ERROR_SUCCESS !=
-      SetProcessIntegrityLevel(g_shared_delayed_integrity_level))
-    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_INTEGRITY);
-  process_state_.SetRevertedToSelf();
-  // If the client code as called RegOpenKey, advapi32.dll has cached some
-  // handles. The following code gets rid of them.
-  if (!::RevertToSelf())
-    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_DROPTOKEN);
-  if (!FlushCachedRegHandles())
-    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_FLUSHANDLES);
-  if (ERROR_SUCCESS != ::RegDisablePredefinedCache())
-    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CACHEDISABLE);
-  if (!CloseOpenHandles())
-    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CLOSEHANDLES);
-}
-
-ProcessState* TargetServicesBase::GetState() {
-  return &process_state_;
-}
-
-TargetServicesBase* TargetServicesBase::GetInstance() {
-  static TargetServicesBase instance;
-  return &instance;
-}
-
-// The broker services a 'test' IPC service with the IPC_PING_TAG tag.
-bool TargetServicesBase::TestIPCPing(int version) {
-  void* memory = GetGlobalIPCMemory();
-  if (NULL == memory) {
-    return false;
-  }
-  SharedMemIPCClient ipc(memory);
-  CrossCallReturn answer = {0};
-
-  if (1 == version) {
-    uint32 tick1 = ::GetTickCount();
-    uint32 cookie = 717115;
-    ResultCode code = CrossCall(ipc, IPC_PING1_TAG, cookie, &answer);
-
-    if (SBOX_ALL_OK != code) {
-      return false;
-    }
-    // We should get two extended returns values from the IPC, one is the
-    // tick count on the broker and the other is the cookie times two.
-    if ((answer.extended_count != 2)) {
-      return false;
-    }
-    // We test the first extended answer to be within the bounds of the tick
-    // count only if there was no tick count wraparound.
-    uint32 tick2 = ::GetTickCount();
-    if (tick2 >= tick1) {
-      if ((answer.extended[0].unsigned_int < tick1) ||
-          (answer.extended[0].unsigned_int > tick2)) {
-        return false;
-      }
-    }
-
-    if (answer.extended[1].unsigned_int != cookie * 2) {
-      return false;
-    }
-  } else if (2 == version) {
-    uint32 cookie = 717111;
-    InOutCountedBuffer counted_buffer(&cookie, sizeof(cookie));
-    ResultCode code = CrossCall(ipc, IPC_PING2_TAG, counted_buffer, &answer);
-
-    if (SBOX_ALL_OK != code) {
-      return false;
-    }
-    if (cookie != 717111 * 3) {
-      return false;
-    }
-  } else {
-    return false;
-  }
-  return true;
-}
-
-bool ProcessState::IsKernel32Loaded() {
-  return process_state_ != 0;
-}
-
-bool ProcessState::InitCalled() {
-  return process_state_ > 1;
-}
-
-bool ProcessState::RevertedToSelf() {
-  return process_state_ > 2;
-}
-
-void ProcessState::SetKernel32Loaded() {
-  if (!process_state_)
-    process_state_ = 1;
-}
-
-void ProcessState::SetInitCalled() {
-  if (process_state_ < 2)
-    process_state_ = 2;
-}
-
-void ProcessState::SetRevertedToSelf() {
-  if (process_state_ < 3)
-    process_state_ = 3;
-}
-
-ResultCode TargetServicesBase::DuplicateHandle(HANDLE source_handle,
-                                               DWORD target_process_id,
-                                               HANDLE* target_handle,
-                                               DWORD desired_access,
-                                               DWORD options) {
-  return sandbox::DuplicateHandleProxy(source_handle, target_process_id,
-                                       target_handle, desired_access, options);
-}
-
-}  // namespace sandbox