| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/src/sandbox_policy_base.h" | 5 #include "sandbox/src/sandbox_policy_base.h" |
| 6 | 6 |
| 7 #include "base/basictypes.h" | 7 #include "base/basictypes.h" |
| 8 #include "base/callback.h" | 8 #include "base/callback.h" |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "sandbox/src/filesystem_dispatcher.h" | 10 #include "sandbox/src/filesystem_dispatcher.h" |
| 11 #include "sandbox/src/filesystem_policy.h" | 11 #include "sandbox/src/filesystem_policy.h" |
| 12 #include "sandbox/src/handle_dispatcher.h" | |
| 13 #include "sandbox/src/handle_policy.h" | |
| 14 #include "sandbox/src/job.h" | 12 #include "sandbox/src/job.h" |
| 15 #include "sandbox/src/interception.h" | 13 #include "sandbox/src/interception.h" |
| 16 #include "sandbox/src/named_pipe_dispatcher.h" | 14 #include "sandbox/src/named_pipe_dispatcher.h" |
| 17 #include "sandbox/src/named_pipe_policy.h" | 15 #include "sandbox/src/named_pipe_policy.h" |
| 18 #include "sandbox/src/policy_broker.h" | 16 #include "sandbox/src/policy_broker.h" |
| 19 #include "sandbox/src/policy_engine_processor.h" | 17 #include "sandbox/src/policy_engine_processor.h" |
| 20 #include "sandbox/src/policy_low_level.h" | 18 #include "sandbox/src/policy_low_level.h" |
| 21 #include "sandbox/src/process_thread_dispatcher.h" | 19 #include "sandbox/src/process_thread_dispatcher.h" |
| 22 #include "sandbox/src/process_thread_policy.h" | 20 #include "sandbox/src/process_thread_policy.h" |
| 23 #include "sandbox/src/registry_dispatcher.h" | 21 #include "sandbox/src/registry_dispatcher.h" |
| (...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 91 ipc_targets_[IPC_NTOPENPROCESSTOKEN_TAG] = dispatcher; | 89 ipc_targets_[IPC_NTOPENPROCESSTOKEN_TAG] = dispatcher; |
| 92 ipc_targets_[IPC_NTOPENPROCESSTOKENEX_TAG] = dispatcher; | 90 ipc_targets_[IPC_NTOPENPROCESSTOKENEX_TAG] = dispatcher; |
| 93 | 91 |
| 94 dispatcher = new SyncDispatcher(this); | 92 dispatcher = new SyncDispatcher(this); |
| 95 ipc_targets_[IPC_CREATEEVENT_TAG] = dispatcher; | 93 ipc_targets_[IPC_CREATEEVENT_TAG] = dispatcher; |
| 96 ipc_targets_[IPC_OPENEVENT_TAG] = dispatcher; | 94 ipc_targets_[IPC_OPENEVENT_TAG] = dispatcher; |
| 97 | 95 |
| 98 dispatcher = new RegistryDispatcher(this); | 96 dispatcher = new RegistryDispatcher(this); |
| 99 ipc_targets_[IPC_NTCREATEKEY_TAG] = dispatcher; | 97 ipc_targets_[IPC_NTCREATEKEY_TAG] = dispatcher; |
| 100 ipc_targets_[IPC_NTOPENKEY_TAG] = dispatcher; | 98 ipc_targets_[IPC_NTOPENKEY_TAG] = dispatcher; |
| 101 | |
| 102 dispatcher = new HandleDispatcher(this); | |
| 103 ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG] = dispatcher; | |
| 104 } | 99 } |
| 105 | 100 |
| 106 PolicyBase::~PolicyBase() { | 101 PolicyBase::~PolicyBase() { |
| 107 TargetSet::iterator it; | 102 TargetSet::iterator it; |
| 108 for (it = targets_.begin(); it != targets_.end(); ++it) { | 103 for (it = targets_.begin(); it != targets_.end(); ++it) { |
| 109 TargetProcess* target = (*it); | 104 TargetProcess* target = (*it); |
| 110 delete target; | 105 delete target; |
| 111 } | 106 } |
| 112 delete ipc_targets_[IPC_NTCREATEFILE_TAG]; | 107 delete ipc_targets_[IPC_NTCREATEFILE_TAG]; |
| 113 delete ipc_targets_[IPC_CREATENAMEDPIPEW_TAG]; | 108 delete ipc_targets_[IPC_CREATENAMEDPIPEW_TAG]; |
| 114 delete ipc_targets_[IPC_NTOPENTHREAD_TAG]; | 109 delete ipc_targets_[IPC_NTOPENTHREAD_TAG]; |
| 115 delete ipc_targets_[IPC_CREATEEVENT_TAG]; | 110 delete ipc_targets_[IPC_CREATEEVENT_TAG]; |
| 116 delete ipc_targets_[IPC_NTCREATEKEY_TAG]; | 111 delete ipc_targets_[IPC_NTCREATEKEY_TAG]; |
| 117 delete ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG]; | |
| 118 delete policy_maker_; | 112 delete policy_maker_; |
| 119 delete policy_; | 113 delete policy_; |
| 120 ::DeleteCriticalSection(&lock_); | 114 ::DeleteCriticalSection(&lock_); |
| 121 } | 115 } |
| 122 | 116 |
| 123 DWORD PolicyBase::MakeJobObject(HANDLE* job) { | 117 DWORD PolicyBase::MakeJobObject(HANDLE* job) { |
| 124 // Create the windows job object. | 118 // Create the windows job object. |
| 125 Job job_obj; | 119 Job job_obj; |
| 126 DWORD result = job_obj.Init(job_level_, NULL, ui_exceptions_); | 120 DWORD result = job_obj.Init(job_level_, NULL, ui_exceptions_); |
| 127 if (ERROR_SUCCESS != result) { | 121 if (ERROR_SUCCESS != result) { |
| (...skipping 191 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 319 } | 313 } |
| 320 break; | 314 break; |
| 321 } | 315 } |
| 322 case SUBSYS_REGISTRY: { | 316 case SUBSYS_REGISTRY: { |
| 323 if (!RegistryPolicy::GenerateRules(pattern, semantics, policy_maker_)) { | 317 if (!RegistryPolicy::GenerateRules(pattern, semantics, policy_maker_)) { |
| 324 NOTREACHED(); | 318 NOTREACHED(); |
| 325 return SBOX_ERROR_BAD_PARAMS; | 319 return SBOX_ERROR_BAD_PARAMS; |
| 326 } | 320 } |
| 327 break; | 321 break; |
| 328 } | 322 } |
| 329 case SUBSYS_HANDLES: { | |
| 330 if (!HandlePolicy::GenerateRules(pattern, semantics, policy_maker_)) { | |
| 331 NOTREACHED(); | |
| 332 return SBOX_ERROR_BAD_PARAMS; | |
| 333 } | |
| 334 break; | |
| 335 } | |
| 336 default: { | 323 default: { |
| 337 return SBOX_ERROR_UNSUPPORTED; | 324 return SBOX_ERROR_UNSUPPORTED; |
| 338 } | 325 } |
| 339 } | 326 } |
| 340 | 327 |
| 341 return SBOX_ALL_OK; | 328 return SBOX_ALL_OK; |
| 342 } | 329 } |
| 343 | 330 |
| 344 EvalResult PolicyBase::EvalPolicy(int service, | 331 EvalResult PolicyBase::EvalPolicy(int service, |
| 345 CountedParameterSetBase* params) { | 332 CountedParameterSetBase* params) { |
| (...skipping 119 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 465 | 452 |
| 466 // Finally, setup imports on the target so the interceptions can work. | 453 // Finally, setup imports on the target so the interceptions can work. |
| 467 return SetupNtdllImports(target); | 454 return SetupNtdllImports(target); |
| 468 } | 455 } |
| 469 | 456 |
| 470 bool PolicyBase::SetupHandleCloser(TargetProcess* target) { | 457 bool PolicyBase::SetupHandleCloser(TargetProcess* target) { |
| 471 return handle_closer_.InitializeTargetHandles(target); | 458 return handle_closer_.InitializeTargetHandles(target); |
| 472 } | 459 } |
| 473 | 460 |
| 474 } // namespace sandbox | 461 } // namespace sandbox |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 9924010:
Revert 129627 - Add a sandbox API for broker handle duplication (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/