Add creation of AC object directory to fix issue with VS debugger.

This patch adds creation of an app container specific object directory when creating the lowbox token. Without this object directory the VS debugger will fail to attach to the process. No attempt is made to set the directory's DACL to ensure it can be used by the sandboxed process, it's only to fix the issue with the debugger which will run at normal user privilege. BUG=488318 Review URL: https://codereview.chromium.org/1151513003 Cr-Commit-Position: refs/heads/master@{#330996}
cbchan · May 21, 2015 · c38eaa1 · c38eaa1
1 parent 26e4032
commit c38eaa1
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 1 deletion.
diff --git a/sandbox/win/src/nt_internals.h b/sandbox/win/src/nt_internals.h
@@ -58,6 +58,7 @@ typedef PSTRING POEM_STRING;
 typedef CONST STRING* PCOEM_STRING;
 
 #define OBJ_CASE_INSENSITIVE 0x00000040L
+#define OBJ_OPENIF           0x00000080L
 
 typedef struct _OBJECT_ATTRIBUTES {
   ULONG Length;
@@ -635,6 +636,11 @@ typedef enum _EVENT_TYPE {
   SynchronizationEvent
 } EVENT_TYPE, *PEVENT_TYPE;
 
+typedef NTSTATUS (WINAPI* NtCreateDirectoryObjectFunction) (
+    PHANDLE DirectoryHandle,
+    ACCESS_MASK DesiredAccess,
+    POBJECT_ATTRIBUTES ObjectAttributes);
+
 typedef NTSTATUS (WINAPI* NtOpenDirectoryObjectFunction) (
     PHANDLE DirectoryHandle,
     ACCESS_MASK DesiredAccess,

diff --git a/sandbox/win/src/sandbox_policy_base.cc b/sandbox/win/src/sandbox_policy_base.cc
@@ -9,6 +9,7 @@
 #include "base/basictypes.h"
 #include "base/callback.h"
 #include "base/logging.h"
+#include "base/strings/stringprintf.h"
 #include "base/win/windows_version.h"
 #include "sandbox/win/src/app_container.h"
 #include "sandbox/win/src/filesystem_dispatcher.h"
@@ -31,6 +32,7 @@
 #include "sandbox/win/src/registry_policy.h"
 #include "sandbox/win/src/restricted_token_utils.h"
 #include "sandbox/win/src/sandbox_policy.h"
+#include "sandbox/win/src/sandbox_utils.h"
 #include "sandbox/win/src/sync_dispatcher.h"
 #include "sandbox/win/src/sync_policy.h"
 #include "sandbox/win/src/target_process.h"
@@ -67,6 +69,43 @@ bool IsInheritableHandle(HANDLE handle) {
   return handle_type == FILE_TYPE_DISK || handle_type == FILE_TYPE_PIPE;
 }
 
+HANDLE CreateLowBoxObjectDirectory(PSID lowbox_sid) {
+  DWORD session_id = 0;
+  if (!::ProcessIdToSessionId(::GetCurrentProcessId(), &session_id))
+    return NULL;
+
+  LPWSTR sid_string = NULL;
+  if (!::ConvertSidToStringSid(lowbox_sid, &sid_string))
+    return NULL;
+
+  base::string16 directory_path = base::StringPrintf(
+                   L"\\Sessions\\%d\\AppContainerNamedObjects\\%ls",
+                   session_id, sid_string).c_str();
+  ::LocalFree(sid_string);
+
+  NtCreateDirectoryObjectFunction CreateObjectDirectory = NULL;
+  ResolveNTFunctionPtr("NtCreateDirectoryObject", &CreateObjectDirectory);
+
+  OBJECT_ATTRIBUTES obj_attr;
+  UNICODE_STRING obj_name;
+  sandbox::InitObjectAttribs(directory_path,
+                             OBJ_CASE_INSENSITIVE | OBJ_OPENIF,
+                             NULL,
+                             &obj_attr,
+                             &obj_name,
+                             NULL);
+
+  HANDLE handle = NULL;
+  NTSTATUS status = CreateObjectDirectory(&handle,
+                                          DIRECTORY_ALL_ACCESS,
+                                          &obj_attr);
+
+  if (!NT_SUCCESS(status))
+    return NULL;
+
+  return handle;
+}
+
 }
 
 namespace sandbox {
@@ -559,9 +598,20 @@ ResultCode PolicyBase::MakeTokens(HANDLE* initial, HANDLE* lockdown) {
     OBJECT_ATTRIBUTES obj_attr;
     InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL);
     HANDLE token_lowbox = NULL;
+
+    if (!lowbox_directory_.IsValid())
+      lowbox_directory_.Set(CreateLowBoxObjectDirectory(lowbox_sid_));
+    DCHECK(lowbox_directory_.IsValid());
+
+    // The order of handles isn't important in the CreateLowBoxToken call.
+    // The kernel will maintain a reference to the object directory handle.
+    HANDLE saved_handles[1] = {lowbox_directory_.Get()};
+    DWORD saved_handles_count = lowbox_directory_.IsValid() ? 1 : 0;
+
     NTSTATUS status = CreateLowBoxToken(&token_lowbox, *lockdown,
                                         TOKEN_ALL_ACCESS, &obj_attr,
-                                        lowbox_sid_, 0, NULL, 0, NULL);
+                                        lowbox_sid_, 0, NULL,
+                                        saved_handles_count, saved_handles);
     if (!NT_SUCCESS(status))
       return SBOX_ERROR_GENERIC;
 

diff --git a/sandbox/win/src/sandbox_policy_base.h b/sandbox/win/src/sandbox_policy_base.h
@@ -13,6 +13,7 @@
 #include "base/basictypes.h"
 #include "base/compiler_specific.h"
 #include "base/strings/string16.h"
+#include "base/win/scoped_handle.h"
 #include "sandbox/win/src/crosscall_server.h"
 #include "sandbox/win/src/handle_closer.h"
 #include "sandbox/win/src/ipc_tags.h"
@@ -167,6 +168,7 @@ class PolicyBase : public Dispatcher, public TargetPolicy {
   std::vector<base::string16> capabilities_;
   scoped_ptr<AppContainerAttributes> appcontainer_list_;
   PSID lowbox_sid_;
+  base::win::ScopedHandle lowbox_directory_;
 
   static HDESK alternate_desktop_handle_;
   static HWINSTA alternate_winstation_handle_;