tor-browser

28_derive_sid_from_name.patch (8181B)

---

# HG changeset patch
# User Bob Owen <bobowencode@gmail.com>
# Date 1677499923 0
#      Mon Feb 27 12:12:03 2023 +0000
Expose Sid::FromNamedCapability through broker services.

diff --git a/base/win/sid.cc b/base/win/sid.cc
--- a/base/win/sid.cc
+++ b/base/win/sid.cc
@@ -17,18 +17,22 @@
#include "base/check.h"
#include "base/no_destructor.h"
#include "base/rand_util.h"
#include "base/ranges/algorithm.h"
#include "base/strings/string_util_win.h"
#include "base/win/scoped_handle.h"
#include "base/win/scoped_localalloc.h"
#include "base/win/windows_version.h"
-#include "third_party/boringssl/src/include/openssl/crypto.h"
-#include "third_party/boringssl/src/include/openssl/sha.h"
+#if defined(MOZ_SANDBOX)
+#include <winternl.h>
+#else
+#include "third_party/boringssl/src/include/openssl/crypto.h"
+#include "third_party/boringssl/src/include/openssl/sha.h"
+#endif

namespace base::win {

namespace {

template <typename Iterator>
Sid FromSubAuthorities(const SID_IDENTIFIER_AUTHORITY& identifier_authority,
                       size_t sub_authority_count,
@@ -94,16 +98,19 @@
}

Sid Sid::FromKnownCapability(WellKnownCapability capability) {
  int32_t capability_rid = WellKnownCapabilityToRid(capability);
  return FromSubAuthorities(SECURITY_APP_PACKAGE_AUTHORITY,
                            {SECURITY_CAPABILITY_BASE_RID, capability_rid});
}

+typedef NTSTATUS(WINAPI* RtlDeriveCapabilitySidsFromNameFunction)(
+    PCUNICODE_STRING SourceString, PSID CapabilityGroupSid, PSID CapabilitySid);
+
Sid Sid::FromNamedCapability(const std::wstring& capability_name) {
  static const base::NoDestructor<std::map<std::wstring, WellKnownCapability>>
      known_capabilities(
          {{L"INTERNETCLIENT", WellKnownCapability::kInternetClient},
           {L"INTERNETCLIENTSERVER",
            WellKnownCapability::kInternetClientServer},
           {L"PRIVATENETWORKCLIENTSERVER",
            WellKnownCapability::kPrivateNetworkClientServer},
@@ -119,28 +126,37 @@
           {L"APPOINTMENTS", WellKnownCapability::kAppointments},
           {L"CONTACTS", WellKnownCapability::kContacts}});

  std::wstring cap_upper = base::ToUpperASCII(capability_name);
  auto known_cap = known_capabilities->find(cap_upper);
  if (known_cap != known_capabilities->end()) {
    return FromKnownCapability(known_cap->second);
  }
-  CRYPTO_library_init();
-  static_assert((SHA256_DIGEST_LENGTH / sizeof(DWORD)) ==
-                SECURITY_APP_PACKAGE_RID_COUNT);
-  DWORD rids[(SHA256_DIGEST_LENGTH / sizeof(DWORD)) + 2];
-  rids[0] = SECURITY_CAPABILITY_BASE_RID;
-  rids[1] = SECURITY_CAPABILITY_APP_RID;
-
-  SHA256(reinterpret_cast<const uint8_t*>(cap_upper.c_str()),
-         cap_upper.size() * sizeof(wchar_t),
-         reinterpret_cast<uint8_t*>(&rids[2]));
-  return FromSubAuthorities(SECURITY_APP_PACKAGE_AUTHORITY, std::size(rids),
-                            rids);
+
+  HMODULE ntdll_handle = ::GetModuleHandleW(L"ntdll.dll");
+  CHECK(ntdll_handle);
+  auto derive_capability_sids =
+      reinterpret_cast<RtlDeriveCapabilitySidsFromNameFunction>(
+          ::GetProcAddress(ntdll_handle, "RtlDeriveCapabilitySidsFromName"));
+  if (!derive_capability_sids) {
+    return Sid();
+  }
+
+  UNICODE_STRING name = {};
+  ::RtlInitUnicodeString(&name, capability_name.c_str());
+  BYTE capability_sid[SECURITY_MAX_SID_SIZE];
+  BYTE group_sid[SECURITY_MAX_SID_SIZE];
+
+  NTSTATUS status = derive_capability_sids(&name, group_sid, capability_sid);
+  if (!NT_SUCCESS(status)) {
+    return Sid();
+  }
+
+  return Sid(capability_sid, ::GetLengthSid(capability_sid));
}

Sid Sid::FromKnownSid(WellKnownSid type) {
  switch (type) {
    case WellKnownSid::kNull:
      return FromSubAuthorities(SECURITY_NULL_SID_AUTHORITY,
                                {SECURITY_NULL_RID});
    case WellKnownSid::kWorld:
diff --git a/security/sandbox/chromium/base/win/sid.h b/security/sandbox/chromium/base/win/sid.h
--- a/base/win/sid.h
+++ b/base/win/sid.h
@@ -127,15 +127,16 @@ class BASE_EXPORT Sid {

  // Is this Sid equal to another Sid?
  bool operator==(const Sid& sid) const;

  // Is this Sid not equal to another Sid?
  bool operator!=(const Sid& sid) const;

 private:
+  Sid() {}
  Sid(const void* sid, size_t length);
  std::vector<char> sid_;
};

}  // namespace base::win

#endif  // BASE_WIN_SID_H_
diff --git a/sandbox/win/src/broker_services.cc b/sandbox/win/src/broker_services.cc
--- a/sandbox/win/src/broker_services.cc
+++ b/sandbox/win/src/broker_services.cc
@@ -11,16 +11,17 @@
#include "base/containers/contains.h"
#include "base/memory/ptr_util.h"
#include "base/notreached.h"
#include "base/threading/platform_thread.h"
#include "base/win/access_token.h"
#include "base/win/current_module.h"
#include "base/win/scoped_handle.h"
#include "base/win/scoped_process_information.h"
+#include "base/win/sid.h"
#include "base/win/windows_version.h"
#include "build/build_config.h"
#include "sandbox/win/src/app_container.h"
#include "sandbox/win/src/process_mitigations.h"
#include "sandbox/win/src/sandbox.h"
#include "sandbox/win/src/sandbox_policy_base.h"
#include "sandbox/win/src/sandbox_policy_diagnostic.h"
#include "sandbox/win/src/startup_information_helper.h"
@@ -604,9 +604,16 @@ ResultCode BrokerServicesBase::GetPolicy
}

// static
void BrokerServicesBase::FreezeTargetConfigForTesting(TargetConfig* config) {
  CHECK(!config->IsConfigured());
  static_cast<ConfigBase*>(config)->Freeze();
}

+bool BrokerServicesBase::DeriveCapabilitySidFromName(const wchar_t* name,
+                                                     PSID derived_sid,
+                                                     DWORD sid_buffer_length) {
+  return ::CopySid(sid_buffer_length, derived_sid,
+                   base::win::Sid::FromNamedCapability(name).GetPSID());
+}
+
}  // namespace sandbox
diff --git a/sandbox/win/src/broker_services.h b/sandbox/win/src/broker_services.h
--- a/sandbox/win/src/broker_services.h
+++ b/sandbox/win/src/broker_services.h
@@ -64,16 +64,19 @@ class BrokerServicesBase final : public 
      std::unique_ptr<PolicyDiagnosticsReceiver> receiver) override;
  void SetStartingMitigations(MitigationFlags starting_mitigations) override;
  bool RatchetDownSecurityMitigations(
      MitigationFlags additional_flags) override;
  std::wstring GetDesktopName(Desktop desktop) override;

  static void FreezeTargetConfigForTesting(TargetConfig* config);

+  bool DeriveCapabilitySidFromName(const wchar_t* name, PSID derived_sid,
+                                   DWORD sid_buffer_length) override;
+
 private:
  // Implements Init and InitForTesting.
  ResultCode Init(std::unique_ptr<BrokerServicesTargetTracker> target_tracker);

  // Ensures the desktop integrity suits any process we are launching.
  ResultCode UpdateDesktopIntegrity(Desktop desktop, IntegrityLevel integrity);

  // The completion port used by the job objects to communicate events to
diff --git a/sandbox/win/src/sandbox.h b/sandbox/win/src/sandbox.h
--- a/sandbox/win/src/sandbox.h
+++ b/sandbox/win/src/sandbox.h
@@ -149,16 +149,21 @@ class BrokerServices {
  // RatchetDownSecurityMitigations is then called by the broker process to
  // gradually increase our security as startup continues. It's designed to
  // be called multiple times. If you don't call SetStartingMitigations first
  // and there were mitigations applied early in startup, the new mitigations
  // may not be applied.
  virtual bool RatchetDownSecurityMitigations(
      MitigationFlags additional_flags) = 0;

+  // Derive a capability PSID from the given string.
+  virtual bool DeriveCapabilitySidFromName(const wchar_t* name,
+                                           PSID derived_sid,
+                                           DWORD sid_buffer_length) = 0;
+
 protected:
  ~BrokerServices() {}
};

// TargetServices models the current process from the perspective
// of a target process. To obtain a pointer to it use
// Sandbox::GetTargetServices(). Note that this call returns a non-null
// pointer only if this process is in fact a target. A process is a target