| // Copyright 2012 The Chromium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef SANDBOX_WIN_SRC_TARGET_PROCESS_H_ |
| #define SANDBOX_WIN_SRC_TARGET_PROCESS_H_ |
| |
| #include <stddef.h> |
| #include <stdint.h> |
| |
| #include <memory> |
| #include <string_view> |
| |
| #include "base/containers/span.h" |
| #include "base/gtest_prod_util.h" |
| #include "base/memory/free_deleter.h" |
| #include "base/memory/raw_ptr.h" |
| #include "base/strings/string_util.h" |
| #include "base/win/access_token.h" |
| #include "base/win/scoped_handle.h" |
| #include "base/win/scoped_process_information.h" |
| #include "base/win/sid.h" |
| #include "base/win/windows_types.h" |
| #include "sandbox/win/src/sandbox_types.h" |
| |
| namespace sandbox { |
| |
| class Dispatcher; |
| class SharedMemIPCServer; |
| class ThreadPool; |
| class StartupInformationHelper; |
| |
| // TargetProcess models a target instance (child process). Objects of this |
| // class are owned by the Policy used to create them. |
| class TargetProcess { |
| public: |
| TargetProcess() = delete; |
| |
| // The constructor takes ownership of `initial_token` and `lockdown_token`. |
| TargetProcess(base::win::AccessToken initial_token, |
| base::win::AccessToken lockdown_token, |
| ThreadPool* thread_pool); |
| |
| TargetProcess(const TargetProcess&) = delete; |
| TargetProcess& operator=(const TargetProcess&) = delete; |
| |
| ~TargetProcess(); |
| |
| // Creates the new target process. The process is created suspended. |
| ResultCode Create(const wchar_t* exe_path, |
| const wchar_t* command_line, |
| std::unique_ptr<StartupInformationHelper> startup_info, |
| base::win::ScopedProcessInformation* target_info, |
| DWORD* win_error); |
| |
| // Destroys the target process. |
| void Terminate(); |
| |
| // Creates the IPC objects such as the BrokerDispatcher and the |
| // IPC server. The IPC server uses the services of the thread_pool. |
| ResultCode Init(Dispatcher* ipc_dispatcher, |
| std::optional<base::span<const uint8_t>> policy, |
| std::optional<base::span<const uint8_t>> delegate_data, |
| uint32_t shared_IPC_size, |
| DWORD* win_error); |
| |
| // Returns the handle to the target process. |
| HANDLE Process() const { return sandbox_process_info_.process_handle(); } |
| |
| // Returns the address of the target main exe. This is used by the |
| // interceptions framework. |
| HMODULE MainModule() const { |
| return reinterpret_cast<HMODULE>(base_address_); |
| } |
| |
| // Returns the name of the executable. |
| const wchar_t* Name() const { return exe_name_.get(); } |
| |
| // Returns the process id. |
| DWORD ProcessId() const { return sandbox_process_info_.process_id(); } |
| |
| // Returns the handle to the main thread. |
| HANDLE MainThread() const { return sandbox_process_info_.thread_handle(); } |
| |
| // Transfers variable at `local_address` of `size` bytes from broker to |
| // `target_address` of target. |
| ResultCode TransferVariable(const char* name, |
| const void* local_address, |
| void* target_address, |
| size_t size); |
| |
| // Creates a mock TargetProcess used for testing interceptions. |
| static std::unique_ptr<TargetProcess> MakeTargetProcessForTesting( |
| HANDLE process, |
| HMODULE base_address); |
| |
| private: |
| FRIEND_TEST_ALL_PREFIXES(TargetProcessTest, FilterEnvironment); |
| // Verify the target process looks the same as the broker process. |
| ResultCode VerifySentinels(); |
| |
| // Filters an environment to only include those that have an entry in |
| // `to_keep`. |
| static std::wstring FilterEnvironment( |
| const wchar_t* env, |
| const base::span<const std::wstring_view> to_keep); |
| |
| // Details of the target process. |
| base::win::ScopedProcessInformation sandbox_process_info_; |
| // The token associated with the process. It provides the core of the |
| // sbox security. |
| base::win::AccessToken lockdown_token_; |
| // The token given to the initial thread so that the target process can |
| // start. It has more powers than the lockdown_token. |
| base::win::AccessToken initial_token_; |
| // Kernel handle to the shared memory used by the IPC server. |
| base::win::ScopedHandle shared_section_; |
| // Reference to the IPC subsystem. |
| std::unique_ptr<SharedMemIPCServer> ipc_server_; |
| // Provides the threads used by the IPC. This class does not own this pointer. |
| raw_ptr<ThreadPool> thread_pool_; |
| // Base address of the main executable |
| // |
| // `base_address_` is not a raw_ptr<void>, because pointer to address in |
| // another process could be confused as a pointer to PartitionMalloc memory, |
| // causing ref-counting mismatch. See also https://crbug.com/1173374. |
| RAW_PTR_EXCLUSION void* base_address_; |
| // Full name of the target executable. |
| std::unique_ptr<wchar_t, base::FreeDeleter> exe_name_; |
| }; |
| |
| } // namespace sandbox |
| |
| #endif // SANDBOX_WIN_SRC_TARGET_PROCESS_H_ |