| OLD | NEW |
|---|
| 1 // Copyright (c) 2006-2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/src/sandbox_policy_base.h" | 5 #include "sandbox/src/sandbox_policy_base.h" |
| 6 | 6 |
| 7 #include "base/basictypes.h" | 7 #include "base/basictypes.h" |
| 8 #include "base/callback.h" | 8 #include "base/callback.h" |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "sandbox/src/filesystem_dispatcher.h" | 10 #include "sandbox/src/filesystem_dispatcher.h" |
| 11 #include "sandbox/src/filesystem_policy.h" | 11 #include "sandbox/src/filesystem_policy.h" |
| 12 #include "sandbox/src/handle_dispatcher.h" |
| 13 #include "sandbox/src/handle_policy.h" |
| 12 #include "sandbox/src/job.h" | 14 #include "sandbox/src/job.h" |
| 13 #include "sandbox/src/interception.h" | 15 #include "sandbox/src/interception.h" |
| 14 #include "sandbox/src/named_pipe_dispatcher.h" | 16 #include "sandbox/src/named_pipe_dispatcher.h" |
| 15 #include "sandbox/src/named_pipe_policy.h" | 17 #include "sandbox/src/named_pipe_policy.h" |
| 16 #include "sandbox/src/policy_broker.h" | 18 #include "sandbox/src/policy_broker.h" |
| 17 #include "sandbox/src/policy_engine_processor.h" | 19 #include "sandbox/src/policy_engine_processor.h" |
| 18 #include "sandbox/src/policy_low_level.h" | 20 #include "sandbox/src/policy_low_level.h" |
| 19 #include "sandbox/src/process_thread_dispatcher.h" | 21 #include "sandbox/src/process_thread_dispatcher.h" |
| 20 #include "sandbox/src/process_thread_policy.h" | 22 #include "sandbox/src/process_thread_policy.h" |
| 21 #include "sandbox/src/registry_dispatcher.h" | 23 #include "sandbox/src/registry_dispatcher.h" |
| (...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 89 ipc_targets_[IPC_NTOPENPROCESSTOKEN_TAG] = dispatcher; | 91 ipc_targets_[IPC_NTOPENPROCESSTOKEN_TAG] = dispatcher; |
| 90 ipc_targets_[IPC_NTOPENPROCESSTOKENEX_TAG] = dispatcher; | 92 ipc_targets_[IPC_NTOPENPROCESSTOKENEX_TAG] = dispatcher; |
| 91 | 93 |
| 92 dispatcher = new SyncDispatcher(this); | 94 dispatcher = new SyncDispatcher(this); |
| 93 ipc_targets_[IPC_CREATEEVENT_TAG] = dispatcher; | 95 ipc_targets_[IPC_CREATEEVENT_TAG] = dispatcher; |
| 94 ipc_targets_[IPC_OPENEVENT_TAG] = dispatcher; | 96 ipc_targets_[IPC_OPENEVENT_TAG] = dispatcher; |
| 95 | 97 |
| 96 dispatcher = new RegistryDispatcher(this); | 98 dispatcher = new RegistryDispatcher(this); |
| 97 ipc_targets_[IPC_NTCREATEKEY_TAG] = dispatcher; | 99 ipc_targets_[IPC_NTCREATEKEY_TAG] = dispatcher; |
| 98 ipc_targets_[IPC_NTOPENKEY_TAG] = dispatcher; | 100 ipc_targets_[IPC_NTOPENKEY_TAG] = dispatcher; |
| 101 |
| 102 dispatcher = new HandleDispatcher(this); |
| 103 ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG] = dispatcher; |
| 99 } | 104 } |
| 100 | 105 |
| 101 PolicyBase::~PolicyBase() { | 106 PolicyBase::~PolicyBase() { |
| 102 TargetSet::iterator it; | 107 TargetSet::iterator it; |
| 103 for (it = targets_.begin(); it != targets_.end(); ++it) { | 108 for (it = targets_.begin(); it != targets_.end(); ++it) { |
| 104 TargetProcess* target = (*it); | 109 TargetProcess* target = (*it); |
| 105 delete target; | 110 delete target; |
| 106 } | 111 } |
| 107 delete ipc_targets_[IPC_NTCREATEFILE_TAG]; | 112 delete ipc_targets_[IPC_NTCREATEFILE_TAG]; |
| 108 delete ipc_targets_[IPC_CREATENAMEDPIPEW_TAG]; | 113 delete ipc_targets_[IPC_CREATENAMEDPIPEW_TAG]; |
| 109 delete ipc_targets_[IPC_NTOPENTHREAD_TAG]; | 114 delete ipc_targets_[IPC_NTOPENTHREAD_TAG]; |
| 110 delete ipc_targets_[IPC_CREATEEVENT_TAG]; | 115 delete ipc_targets_[IPC_CREATEEVENT_TAG]; |
| 111 delete ipc_targets_[IPC_NTCREATEKEY_TAG]; | 116 delete ipc_targets_[IPC_NTCREATEKEY_TAG]; |
| 117 delete ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG]; |
| 112 delete policy_maker_; | 118 delete policy_maker_; |
| 113 delete policy_; | 119 delete policy_; |
| 114 ::DeleteCriticalSection(&lock_); | 120 ::DeleteCriticalSection(&lock_); |
| 115 } | 121 } |
| 116 | 122 |
| 117 DWORD PolicyBase::MakeJobObject(HANDLE* job) { | 123 DWORD PolicyBase::MakeJobObject(HANDLE* job) { |
| 118 // Create the windows job object. | 124 // Create the windows job object. |
| 119 Job job_obj; | 125 Job job_obj; |
| 120 DWORD result = job_obj.Init(job_level_, NULL, ui_exceptions_); | 126 DWORD result = job_obj.Init(job_level_, NULL, ui_exceptions_); |
| 121 if (ERROR_SUCCESS != result) { | 127 if (ERROR_SUCCESS != result) { |
| (...skipping 191 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 313 } | 319 } |
| 314 break; | 320 break; |
| 315 } | 321 } |
| 316 case SUBSYS_REGISTRY: { | 322 case SUBSYS_REGISTRY: { |
| 317 if (!RegistryPolicy::GenerateRules(pattern, semantics, policy_maker_)) { | 323 if (!RegistryPolicy::GenerateRules(pattern, semantics, policy_maker_)) { |
| 318 NOTREACHED(); | 324 NOTREACHED(); |
| 319 return SBOX_ERROR_BAD_PARAMS; | 325 return SBOX_ERROR_BAD_PARAMS; |
| 320 } | 326 } |
| 321 break; | 327 break; |
| 322 } | 328 } |
| 329 case SUBSYS_HANDLES: { |
| 330 if (!HandlePolicy::GenerateRules(pattern, semantics, policy_maker_)) { |
| 331 NOTREACHED(); |
| 332 return SBOX_ERROR_BAD_PARAMS; |
| 333 } |
| 334 break; |
| 335 } |
| 323 default: { | 336 default: { |
| 324 return SBOX_ERROR_UNSUPPORTED; | 337 return SBOX_ERROR_UNSUPPORTED; |
| 325 } | 338 } |
| 326 } | 339 } |
| 327 | 340 |
| 328 return SBOX_ALL_OK; | 341 return SBOX_ALL_OK; |
| 329 } | 342 } |
| 330 | 343 |
| 331 EvalResult PolicyBase::EvalPolicy(int service, | 344 EvalResult PolicyBase::EvalPolicy(int service, |
| 332 CountedParameterSetBase* params) { | 345 CountedParameterSetBase* params) { |
| (...skipping 119 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 452 | 465 |
| 453 // Finally, setup imports on the target so the interceptions can work. | 466 // Finally, setup imports on the target so the interceptions can work. |
| 454 return SetupNtdllImports(target); | 467 return SetupNtdllImports(target); |
| 455 } | 468 } |
| 456 | 469 |
| 457 bool PolicyBase::SetupHandleCloser(TargetProcess* target) { | 470 bool PolicyBase::SetupHandleCloser(TargetProcess* target) { |
| 458 return handle_closer_.InitializeTargetHandles(target); | 471 return handle_closer_.InitializeTargetHandles(target); |
| 459 } | 472 } |
| 460 | 473 |
| 461 } // namespace sandbox | 474 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 9838083:
Add a sandbox API for broker handle duplication (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/