OLD | NEW |
| (Empty) |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "sandbox/src/handle_policy.h" | |
6 | |
7 #include <string> | |
8 | |
9 #include "base/win/scoped_handle.h" | |
10 #include "sandbox/src/broker_services.h" | |
11 #include "sandbox/src/ipc_tags.h" | |
12 #include "sandbox/src/policy_engine_opcodes.h" | |
13 #include "sandbox/src/policy_params.h" | |
14 #include "sandbox/src/sandbox_types.h" | |
15 #include "sandbox/src/sandbox_utils.h" | |
16 | |
17 namespace sandbox { | |
18 | |
19 bool HandlePolicy::GenerateRules(const wchar_t* type_name, | |
20 TargetPolicy::Semantics semantics, | |
21 LowLevelPolicy* policy) { | |
22 // We don't support any other semantics for handles yet. | |
23 if (TargetPolicy::HANDLES_DUP_ANY != semantics) { | |
24 return false; | |
25 } | |
26 PolicyRule duplicate_rule(ASK_BROKER); | |
27 if (!duplicate_rule.AddStringMatch(IF, NameBased::NAME, type_name, | |
28 CASE_INSENSITIVE)) { | |
29 return false; | |
30 } | |
31 if (!policy->AddRule(IPC_DUPLICATEHANDLEPROXY_TAG, &duplicate_rule)) { | |
32 return false; | |
33 } | |
34 return true; | |
35 } | |
36 | |
37 DWORD HandlePolicy::DuplicateHandleProxyAction(EvalResult eval_result, | |
38 const ClientInfo& client_info, | |
39 HANDLE source_handle, | |
40 DWORD target_process_id, | |
41 HANDLE* target_handle, | |
42 DWORD desired_access, | |
43 DWORD options) { | |
44 // The only action supported is ASK_BROKER which means duplicate the handle. | |
45 if (ASK_BROKER != eval_result) { | |
46 return ERROR_ACCESS_DENIED; | |
47 } | |
48 | |
49 // Make sure the target is one of our sandboxed children. | |
50 if (!BrokerServicesBase::GetInstance()->IsActiveTarget(target_process_id)) { | |
51 return ERROR_ACCESS_DENIED; | |
52 } | |
53 | |
54 base::win::ScopedHandle target_process(::OpenProcess(PROCESS_DUP_HANDLE, | |
55 FALSE, | |
56 target_process_id)); | |
57 if (NULL == target_process) | |
58 return ::GetLastError(); | |
59 | |
60 DWORD result = ERROR_SUCCESS; | |
61 if (!::DuplicateHandle(client_info.process, source_handle, target_process, | |
62 target_handle, desired_access, FALSE, | |
63 options)) { | |
64 return ::GetLastError(); | |
65 } | |
66 | |
67 return ERROR_SUCCESS; | |
68 } | |
69 | |
70 } // namespace sandbox | |
71 | |
OLD | NEW |