erikchen authored
A newly created file mapping has two sets of permissions. It has access control permissions (WRITE_DAC, WRITE_OWNER, READ_CONTROL, and DELETE) and file permissions (FILE_MAP_READ, FILE_MAP_WRITE, etc.). ::DuplicateHandle() with the parameter DUPLICATE_SAME_ACCESS copies both sets of permissions.

The Chrome sandbox prevents HANDLEs with the WRITE_DAC permission from being duplicated into unprivileged processes. But the only way to copy file permissions is with the parameter DUPLICATE_SAME_ACCESS. This means that there is no way for a privileged process to duplicate a file mapping into an unprivileged process while maintaining the previous file permissions.

This CL removes all access control permissions of a file mapping immediately after creation, which effectively means that ::DuplicateHandle() only copies the file permissions. These permissions are only enforced if the file mapping has a name, so this CL also gives all file mappings a name.

BUG=493414

Review URL: https://codereview.chromium.org/1677163003

Cr-Commit-Position: refs/heads/master@{#376358}
4b12c0a1