Google Git
Sign in
chromium / chromium / src / b03f16d1deeb064a32044bec7333457b02aee1be / . / sandbox / win / src / target_process.cc
blob: 69dce20a9600ddd1ecfb8bad5964d8e3e555d156 [file] [log] [blame]
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "sandbox/win/src/target_process.h"
#include "base/basictypes.h"
#include "base/macros.h"
#include "base/memory/scoped_ptr.h"
#include "base/win/pe_image.h"
#include "base/win/startup_information.h"
#include "base/win/windows_version.h"
#include "sandbox/win/src/crosscall_server.h"
#include "sandbox/win/src/crosscall_client.h"
#include "sandbox/win/src/policy_low_level.h"
#include "sandbox/win/src/sandbox_types.h"
#include "sandbox/win/src/sharedmem_ipc_server.h"
#include "sandbox/win/src/win_utils.h"
namespace {
void CopyPolicyToTarget(const void* source, size_t size, void* dest) {
if (!source || !size)
return;
memcpy(dest, source, size);
sandbox::PolicyGlobal* policy =
reinterpret_cast<sandbox::PolicyGlobal*>(dest);
size_t offset = reinterpret_cast<size_t>(source);
for (size_t i = 0; i < sandbox::kMaxServiceCount; i++) {
size_t buffer = reinterpret_cast<size_t>(policy->entry[i]);
if (buffer) {
buffer -= offset;
policy->entry[i] = reinterpret_cast<sandbox::PolicyBuffer*>(buffer);
}
}
}
} // namespace
namespace sandbox {
SANDBOX_INTERCEPT HANDLE g_shared_section;
SANDBOX_INTERCEPT size_t g_shared_IPC_size;
SANDBOX_INTERCEPT size_t g_shared_policy_size;
// Returns the address of the main exe module in memory taking in account
// address space layout randomization.
void* GetBaseAddress(const wchar_t* exe_name, void* entry_point) {
HMODULE exe = ::LoadLibrary(exe_name);
if (NULL == exe)
return exe;
base::win::PEImage pe(exe);
if (!pe.VerifyMagic()) {
::FreeLibrary(exe);
return exe;
}
PIMAGE_NT_HEADERS nt_header = pe.GetNTHeaders();
char* base = reinterpret_cast<char*>(entry_point) -
nt_header->OptionalHeader.AddressOfEntryPoint;
::FreeLibrary(exe);
return base;
}
TargetProcess::TargetProcess(base::win::ScopedHandle initial_token,
base::win::ScopedHandle lockdown_token,
base::win::ScopedHandle lowbox_token,
HANDLE job,
ThreadProvider* thread_pool)
// This object owns everything initialized here except thread_pool and
// the job_ handle. The Job handle is closed by BrokerServices and results
// eventually in a call to our dtor.
: lockdown_token_(lockdown_token.Pass()),
initial_token_(initial_token.Pass()),
lowbox_token_(lowbox_token.Pass()),
job_(job),
thread_pool_(thread_pool),
base_address_(NULL) {}
TargetProcess::~TargetProcess() {
DWORD exit_code = 0;
// Give a chance to the process to die. In most cases the JOB_KILL_ON_CLOSE
// will take effect only when the context changes. As far as the testing went,
// this wait was enough to switch context and kill the processes in the job.
// If this process is already dead, the function will return without waiting.
// TODO(nsylvain): If the process is still alive at the end, we should kill
// it. http://b/893891
// For now, this wait is there only to do a best effort to prevent some leaks
// from showing up in purify.
if (sandbox_process_info_.IsValid()) {
::WaitForSingleObject(sandbox_process_info_.process_handle(), 50);
// At this point, the target process should have been killed. Check.
if (!::GetExitCodeProcess(sandbox_process_info_.process_handle(),
&exit_code) || (STILL_ACTIVE == exit_code)) {
// Something went wrong. We don't know if the target is in a state where
// it can manage to do another IPC call. If it can, and we've destroyed
// the |ipc_server_|, it will crash the broker. So we intentionally leak
// that.
if (shared_section_.IsValid())
shared_section_.Take();
ignore_result(ipc_server_.release());
sandbox_process_info_.TakeProcessHandle();
return;
}
}
// ipc_server_ references our process handle, so make sure the former is shut
// down before the latter is closed (by ScopedProcessInformation).
ipc_server_.reset();
}
// Creates the target (child) process suspended and assigns it to the job
// object.
DWORD TargetProcess::Create(const wchar_t* exe_path,
const wchar_t* command_line,
bool inherit_handles,
const base::win::StartupInformation& startup_info,
base::win::ScopedProcessInformation* target_info) {
if (lowbox_token_.IsValid() &&
base::win::GetVersion() < base::win::VERSION_WIN8) {
// We don't allow lowbox_token below Windows 8.
return ERROR_INVALID_PARAMETER;
}
exe_name_.reset(_wcsdup(exe_path));
// the command line needs to be writable by CreateProcess().
scoped_ptr<wchar_t, base::FreeDeleter> cmd_line(_wcsdup(command_line));
// Start the target process suspended.
DWORD flags =
CREATE_SUSPENDED | CREATE_UNICODE_ENVIRONMENT | DETACHED_PROCESS;
if (startup_info.has_extended_startup_info())
flags |= EXTENDED_STARTUPINFO_PRESENT;
if (job_ && base::win::GetVersion() < base::win::VERSION_WIN8) {
// Windows 8 implements nested jobs, but for older systems we need to
// break out of any job we're in to enforce our restrictions.
flags |= CREATE_BREAKAWAY_FROM_JOB;
}
PROCESS_INFORMATION temp_process_info = {};
if (!::CreateProcessAsUserW(lockdown_token_.Get(), exe_path, cmd_line.get(),
NULL, // No security attribute.
NULL, // No thread attribute.
inherit_handles, flags,
NULL, // Use the environment of the caller.
NULL, // Use current directory of the caller.
startup_info.startup_info(),
&temp_process_info)) {
return ::GetLastError();
}
base::win::ScopedProcessInformation process_info(temp_process_info);
DWORD win_result = ERROR_SUCCESS;
if (job_) {
// Assign the suspended target to the windows job object.
if (!::AssignProcessToJobObject(job_, process_info.process_handle())) {
win_result = ::GetLastError();
::TerminateProcess(process_info.process_handle(), 0);
return win_result;
}
}
if (initial_token_.IsValid()) {
// Change the token of the main thread of the new process for the
// impersonation token with more rights. This allows the target to start;
// otherwise it will crash too early for us to help.
HANDLE temp_thread = process_info.thread_handle();
if (!::SetThreadToken(&temp_thread, initial_token_.Get())) {
win_result = ::GetLastError();
// It might be a security breach if we let the target run outside the job
// so kill it before it causes damage.
::TerminateProcess(process_info.process_handle(), 0);
return win_result;
}
initial_token_.Close();
}
CONTEXT context;
context.ContextFlags = CONTEXT_ALL;
if (!::GetThreadContext(process_info.thread_handle(), &context)) {
win_result = ::GetLastError();
::TerminateProcess(process_info.process_handle(), 0);
return win_result;
}
#if defined(_WIN64)
void* entry_point = reinterpret_cast<void*>(context.Rcx);
#else
#pragma warning(push)
#pragma warning(disable: 4312)
// This cast generates a warning because it is 32 bit specific.
void* entry_point = reinterpret_cast<void*>(context.Eax);
#pragma warning(pop)
#endif // _WIN64
if (!target_info->DuplicateFrom(process_info)) {
win_result = ::GetLastError(); // This may or may not be correct.
::TerminateProcess(process_info.process_handle(), 0);
return win_result;
}
if (lowbox_token_.IsValid()) {
PROCESS_ACCESS_TOKEN process_access_token;
process_access_token.thread = process_info.thread_handle();
process_access_token.token = lowbox_token_.Get();
NtSetInformationProcess SetInformationProcess = NULL;
ResolveNTFunctionPtr("NtSetInformationProcess", &SetInformationProcess);
NTSTATUS status = SetInformationProcess(
process_info.process_handle(),
static_cast<PROCESS_INFORMATION_CLASS>(NtProcessInformationAccessToken),
&process_access_token, sizeof(process_access_token));
if (!NT_SUCCESS(status)) {
win_result = ERROR_INVALID_TOKEN;
::TerminateProcess(process_info.process_handle(), 0); // exit code
return win_result;
}
}
base_address_ = GetBaseAddress(exe_path, entry_point);
sandbox_process_info_.Set(process_info.Take());
return win_result;
}
ResultCode TargetProcess::TransferVariable(const char* name, void* address,
size_t size) {
if (!sandbox_process_info_.IsValid())
return SBOX_ERROR_UNEXPECTED_CALL;
void* child_var = address;
#if SANDBOX_EXPORTS
HMODULE module = ::LoadLibrary(exe_name_.get());
if (NULL == module)
return SBOX_ERROR_GENERIC;
child_var = ::GetProcAddress(module, name);
::FreeLibrary(module);
if (NULL == child_var)
return SBOX_ERROR_GENERIC;
size_t offset = reinterpret_cast<char*>(child_var) -
reinterpret_cast<char*>(module);
child_var = reinterpret_cast<char*>(MainModule()) + offset;
#endif
SIZE_T written;
if (!::WriteProcessMemory(sandbox_process_info_.process_handle(),
child_var, address, size, &written))
return SBOX_ERROR_GENERIC;
if (written != size)
return SBOX_ERROR_GENERIC;
return SBOX_ALL_OK;
}
// Construct the IPC server and the IPC dispatcher. When the target does
// an IPC it will eventually call the dispatcher.
DWORD TargetProcess::Init(Dispatcher* ipc_dispatcher, void* policy,
uint32 shared_IPC_size, uint32 shared_policy_size) {
// We need to map the shared memory on the target. This is necessary for
// any IPC that needs to take place, even if the target has not yet hit
// the main( ) function or even has initialized the CRT. So here we set
// the handle to the shared section. The target on the first IPC must do
// the rest, which boils down to calling MapViewofFile()
// We use this single memory pool for IPC and for policy.
DWORD shared_mem_size = static_cast<DWORD>(shared_IPC_size +
shared_policy_size);
shared_section_.Set(::CreateFileMappingW(INVALID_HANDLE_VALUE, NULL,
PAGE_READWRITE | SEC_COMMIT,
0, shared_mem_size, NULL));
if (!shared_section_.IsValid()) {
return ::GetLastError();
}
DWORD access = FILE_MAP_READ | FILE_MAP_WRITE;
HANDLE target_shared_section;
if (!::DuplicateHandle(::GetCurrentProcess(), shared_section_.Get(),
sandbox_process_info_.process_handle(),
&target_shared_section, access, FALSE, 0)) {
return ::GetLastError();
}
void* shared_memory = ::MapViewOfFile(shared_section_.Get(),
FILE_MAP_WRITE|FILE_MAP_READ,
0, 0, 0);
if (NULL == shared_memory) {
return ::GetLastError();
}
CopyPolicyToTarget(policy, shared_policy_size,
reinterpret_cast<char*>(shared_memory) + shared_IPC_size);
ResultCode ret;
// Set the global variables in the target. These are not used on the broker.
g_shared_section = target_shared_section;
ret = TransferVariable("g_shared_section", &g_shared_section,
sizeof(g_shared_section));
g_shared_section = NULL;
if (SBOX_ALL_OK != ret) {
return (SBOX_ERROR_GENERIC == ret)?
::GetLastError() : ERROR_INVALID_FUNCTION;
}
g_shared_IPC_size = shared_IPC_size;
ret = TransferVariable("g_shared_IPC_size", &g_shared_IPC_size,
sizeof(g_shared_IPC_size));
g_shared_IPC_size = 0;
if (SBOX_ALL_OK != ret) {
return (SBOX_ERROR_GENERIC == ret) ?
::GetLastError() : ERROR_INVALID_FUNCTION;
}
g_shared_policy_size = shared_policy_size;
ret = TransferVariable("g_shared_policy_size", &g_shared_policy_size,
sizeof(g_shared_policy_size));
g_shared_policy_size = 0;
if (SBOX_ALL_OK != ret) {
return (SBOX_ERROR_GENERIC == ret) ?
::GetLastError() : ERROR_INVALID_FUNCTION;
}
ipc_server_.reset(
new SharedMemIPCServer(sandbox_process_info_.process_handle(),
sandbox_process_info_.process_id(),
thread_pool_, ipc_dispatcher));
if (!ipc_server_->Init(shared_memory, shared_IPC_size, kIPCChannelSize))
return ERROR_NOT_ENOUGH_MEMORY;
// After this point we cannot use this handle anymore.
::CloseHandle(sandbox_process_info_.TakeThreadHandle());
return ERROR_SUCCESS;
}
void TargetProcess::Terminate() {
if (!sandbox_process_info_.IsValid())
return;
::TerminateProcess(sandbox_process_info_.process_handle(), 0);
}
TargetProcess* MakeTestTargetProcess(HANDLE process, HMODULE base_address) {
TargetProcess* target =
new TargetProcess(base::win::ScopedHandle(), base::win::ScopedHandle(),
base::win::ScopedHandle(), NULL, NULL);
PROCESS_INFORMATION process_info = {};
process_info.hProcess = process;
target->sandbox_process_info_.Set(process_info);
target->base_address_ = base_address;
return target;
}
} // namespace sandbox