Revert 128016 - Make sandbox explicitly block opening broker and sandboxed processes

sandbox/src/broker_services.cc

-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/src/broker_services.h"
 
-#include <AclAPI.h>
-
 #include "base/logging.h"
 #include "base/threading/platform_thread.h"
 #include "sandbox/src/sandbox_policy_base.h"
 #include "sandbox/src/sandbox.h"
 #include "sandbox/src/target_process.h"
 #include "sandbox/src/win2k_threadpool.h"
 #include "sandbox/src/win_utils.h"
 
 namespace {
 
@@ skipping 18 matching lines @@
 }
 
 // the different commands that you can send to the worker thread that
 // executes TargetEventsThread().
 enum {
   THREAD_CTRL_NONE,
   THREAD_CTRL_QUIT,
   THREAD_CTRL_LAST
 };
 
-// Adds deny ACEs to broker and returns the security descriptor so it can
-// be applied to target processes. The returned descriptor must be freed by
-// calling LocalFree.
-PSECURITY_DESCRIPTOR SetSecurityDescriptorForBroker() {
-  static bool is_initialized = false;
-  DWORD error = ERROR_SUCCESS;
-  PSECURITY_DESCRIPTOR security_descriptor = NULL;
-
-  if (!is_initialized) {
-    error = sandbox::SetObjectDenyRestrictedAndNull(GetCurrentProcess(),
-                                                    SE_KERNEL_OBJECT);
-    if (error) {
-      ::SetLastError(error);
-      return NULL;
-    }
-
-    is_initialized = true;
-  }
-
-  // Save off resulting security descriptor for spawning the targets.
-  error = ::GetSecurityInfo(GetCurrentProcess(), SE_KERNEL_OBJECT,
-                            DACL_SECURITY_INFORMATION, NULL, NULL,
-                            NULL, NULL, &security_descriptor);
-  if (error) {
-    ::SetLastError(error);
-    return NULL;
-  }
-
-  return security_descriptor;
-}
-
 }
 
 namespace sandbox {
 
 BrokerServicesBase::BrokerServicesBase()
     : thread_pool_(NULL), job_port_(NULL), no_targets_(NULL),
-      security_descriptor_(NULL), job_thread_(NULL) {
+      job_thread_(NULL) {
 }
 
 // The broker uses a dedicated worker thread that services the job completion
 // port to perform policy notifications and associated cleanup tasks.
 ResultCode BrokerServicesBase::Init() {
-  if ((NULL != job_port_) || (NULL != thread_pool_) ||
-      (NULL != security_descriptor_)) {
+  if ((NULL != job_port_) || (NULL != thread_pool_))
     return SBOX_ERROR_UNEXPECTED_CALL;
-  }
 
   ::InitializeCriticalSection(&lock_);
 
   job_port_ = ::CreateIoCompletionPort(INVALID_HANDLE_VALUE, NULL, 0, 0);
   if (NULL == job_port_)
     return SBOX_ERROR_GENERIC;
 
-  security_descriptor_ = SetSecurityDescriptorForBroker();
-  if (NULL == security_descriptor_)
-    return SBOX_ERROR_GENERIC;
-
   no_targets_ = ::CreateEventW(NULL, TRUE, FALSE, NULL);
 
   job_thread_ = ::CreateThread(NULL, 0,  // Default security and stack.
                                TargetEventsThread, this, NULL, NULL);
   if (NULL == job_thread_)
     return SBOX_ERROR_GENERIC;
 
   return SBOX_ALL_OK;
 }
 
@@ skipping 21 matching lines @@
 
   JobTrackerList::iterator it;
   for (it = tracker_list_.begin(); it != tracker_list_.end(); ++it) {
     JobTracker* tracker = (*it);
     FreeResources(tracker);
     delete tracker;
   }
   ::CloseHandle(job_thread_);
   delete thread_pool_;
   ::CloseHandle(no_targets_);
-
-  if (security_descriptor_)
-    ::LocalFree(security_descriptor_);
-
   // If job_port_ isn't NULL, assumes that the lock has been initialized.
   if (job_port_)
     ::DeleteCriticalSection(&lock_);
 }
 
 TargetPolicy* BrokerServicesBase::CreatePolicy() {
   // If you change the type of the object being created here you must also
   // change the downcast to it in SpawnTarget().
   return new PolicyBase;
 }
@@ skipping 139 matching lines @@
     return SBOX_ERROR_GENERIC;
 
   // Construct the thread pool here in case it is expensive.
   // The thread pool is shared by all the targets
   if (NULL == thread_pool_)
     thread_pool_ = new Win2kThreadPool();
 
   // Create the TargetProces object and spawn the target suspended. Note that
   // Brokerservices does not own the target object. It is owned by the Policy.
   PROCESS_INFORMATION process_info = {0};
-
   TargetProcess* target = new TargetProcess(initial_token, lockdown_token,
                                             job, thread_pool_);
 
   std::wstring desktop = policy_base->GetAlternateDesktop();
 
-  // Set the security descriptor so the target picks up deny ACEs.
-  SECURITY_ATTRIBUTES security_attributes = {sizeof(security_attributes),
-                                             security_descriptor_,
-                                             FALSE};
-
   win_result = target->Create(exe_path, command_line,
                               desktop.empty() ? NULL : desktop.c_str(),
-                              &security_attributes,
                               &process_info);
   if (ERROR_SUCCESS != win_result)
     return SpawnCleanup(target, win_result);
 
   if ((INVALID_HANDLE_VALUE == process_info.hProcess) ||
       (INVALID_HANDLE_VALUE == process_info.hThread))
     return SpawnCleanup(target, win_result);
 
   // Now the policy is the owner of the target.
   if (!policy_base->AddTarget(target)) {
@@ skipping 23 matching lines @@
   return SBOX_ALL_OK;
 }
 
 
 ResultCode BrokerServicesBase::WaitForAllTargets() {
   ::WaitForSingleObject(no_targets_, INFINITE);
   return SBOX_ALL_OK;
 }
 
 }  // namespace sandbox