feat: add creationTime / sandboxed / integrityLevel to app.getAppMetrics() (#18718)
This is useful for checking which processes are sandboxed at the OS level. Regarding creationTime, since the pid can be reused after a process dies, it is useful to use both the pid and the creationTime to uniquely identify a process.
1 parent
0bdc05b
commit d9215dd
Showing
7 changed files
with
222 additions
and
49 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,109 @@ | ||
// Copyright (c) 2019 GitHub, Inc. | ||
// Use of this source code is governed by the MIT license that can be | ||
// found in the LICENSE file. | ||
|
||
#include "atom/browser/api/process_metric.h" | ||
|
||
#include <memory> | ||
#include <utility> | ||
|
||
#if defined(OS_WIN) | ||
#include <windows.h> | ||
#endif | ||
|
||
#if defined(OS_MACOSX) | ||
extern "C" int sandbox_check(pid_t pid, const char* operation, int type, ...); | ||
#endif | ||
|
||
namespace atom { | ||
|
||
ProcessMetric::ProcessMetric(int type, | ||
base::ProcessHandle handle, | ||
std::unique_ptr<base::ProcessMetrics> metrics) { | ||
this->type = type; | ||
this->metrics = std::move(metrics); | ||
|
||
#if defined(OS_WIN) | ||
HANDLE duplicate_handle = INVALID_HANDLE_VALUE; | ||
::DuplicateHandle(::GetCurrentProcess(), handle, ::GetCurrentProcess(), | ||
&duplicate_handle, 0, false, DUPLICATE_SAME_ACCESS); | ||
this->process = base::Process(duplicate_handle); | ||
#else | ||
this->process = base::Process(handle); | ||
#endif | ||
} | ||
|
||
ProcessMetric::~ProcessMetric() = default; | ||
|
||
#if defined(OS_WIN) | ||
|
||
ProcessIntegrityLevel ProcessMetric::GetIntegrityLevel() const { | ||
HANDLE token = nullptr; | ||
if (!::OpenProcessToken(process.Handle(), TOKEN_QUERY, &token)) { | ||
return ProcessIntegrityLevel::Unknown; | ||
} | ||
|
||
base::win::ScopedHandle token_scoped(token); | ||
|
||
DWORD token_info_length = 0; | ||
if (::GetTokenInformation(token, TokenIntegrityLevel, nullptr, 0, | ||
&token_info_length) || | ||
::GetLastError() != ERROR_INSUFFICIENT_BUFFER) { | ||
return ProcessIntegrityLevel::Unknown; | ||
} | ||
|
||
auto token_label_bytes = std::make_unique<char[]>(token_info_length); | ||
TOKEN_MANDATORY_LABEL* token_label = | ||
reinterpret_cast<TOKEN_MANDATORY_LABEL*>(token_label_bytes.get()); | ||
if (!::GetTokenInformation(token, TokenIntegrityLevel, token_label, | ||
token_info_length, &token_info_length)) { | ||
return ProcessIntegrityLevel::Unknown; | ||
} | ||
|
||
DWORD integrity_level = *::GetSidSubAuthority( | ||
token_label->Label.Sid, | ||
static_cast<DWORD>(*::GetSidSubAuthorityCount(token_label->Label.Sid) - | ||
1)); | ||
|
||
if (integrity_level >= SECURITY_MANDATORY_UNTRUSTED_RID && | ||
integrity_level < SECURITY_MANDATORY_LOW_RID) { | ||
return ProcessIntegrityLevel::Untrusted; | ||
} | ||
|
||
if (integrity_level >= SECURITY_MANDATORY_LOW_RID && | ||
integrity_level < SECURITY_MANDATORY_MEDIUM_RID) { | ||
return ProcessIntegrityLevel::Low; | ||
} | ||
|
||
if (integrity_level >= SECURITY_MANDATORY_MEDIUM_RID && | ||
integrity_level < SECURITY_MANDATORY_HIGH_RID) { | ||
return ProcessIntegrityLevel::Medium; | ||
} | ||
|
||
if (integrity_level >= SECURITY_MANDATORY_HIGH_RID && | ||
integrity_level < SECURITY_MANDATORY_SYSTEM_RID) { | ||
return ProcessIntegrityLevel::High; | ||
} | ||
|
||
return ProcessIntegrityLevel::Unknown; | ||
} | ||
|
||
// static | ||
bool ProcessMetric::IsSandboxed(ProcessIntegrityLevel integrity_level) { | ||
return integrity_level > ProcessIntegrityLevel::Unknown && | ||
integrity_level < ProcessIntegrityLevel::Medium; | ||
} | ||
|
||
#elif defined(OS_MACOSX) | ||
|
||
bool ProcessMetric::IsSandboxed() const { | ||
#if defined(MAS_BUILD) | ||
return true; | ||
#else | ||
return sandbox_check(process.Pid(), nullptr, 0) != 0; | ||
#endif | ||
} | ||
|
||
#endif // defined(OS_MACOSX) | ||
|
||
} // namespace atom |
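Review bot: The return value of `::DuplicateHandle` in the `OS_WIN` branch of the constructor is ignored, so on failure `duplicate_handle` keeps its initial `INVALID_HANDLE_VALUE` and is wrapped in `base::Process` anyway. That value is numerically the same as the pseudo-handle returned by `::GetCurrentProcess()`, so a later `::OpenProcessToken(process.Handle(), ...)` in `GetIntegrityLevel()` could end up reading the browser process's own token and report its integrity level for the child; how `base::Process` treats this value is not visible here, so that part is worth confirming. I would initialise with `HANDLE duplicate_handle = nullptr;` and guard the call, `if (!::DuplicateHandle(...)) duplicate_handle = nullptr;`, so a failed duplication ends in `ProcessIntegrityLevel::Unknown` rather than a misattributed result.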
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
// Copyright (c) 2019 GitHub, Inc. | ||
// Use of this source code is governed by the MIT license that can be | ||
// found in the LICENSE file. | ||
|
||
#ifndef ATOM_BROWSER_API_PROCESS_METRIC_H_ | ||
#define ATOM_BROWSER_API_PROCESS_METRIC_H_ | ||
|
||
#include <memory> | ||
|
||
#include "base/process/process.h" | ||
#include "base/process/process_handle.h" | ||
#include "base/process/process_metrics.h" | ||
|
||
namespace atom { | ||
|
||
#if defined(OS_WIN) | ||
enum class ProcessIntegrityLevel { | ||
Unknown, | ||
Untrusted, | ||
Low, | ||
Medium, | ||
High, | ||
}; | ||
#endif | ||
|
||
struct ProcessMetric { | ||
int type; | ||
base::Process process; | ||
std::unique_ptr<base::ProcessMetrics> metrics; | ||
|
||
ProcessMetric(int type, | ||
base::ProcessHandle handle, | ||
std::unique_ptr<base::ProcessMetrics> metrics); | ||
~ProcessMetric(); | ||
|
||
#if defined(OS_WIN) | ||
ProcessIntegrityLevel GetIntegrityLevel() const; | ||
static bool IsSandboxed(ProcessIntegrityLevel integrity_level); | ||
#elif defined(OS_MACOSX) | ||
bool IsSandboxed() const; | ||
#endif | ||
}; | ||
|
||
} // namespace atom | ||
|
||
#endif // ATOM_BROWSER_API_PROCESS_METRIC_H_ |
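Review bot: `ProcessIntegrityLevel` has no comment saying that its enumerator order is load-bearing, yet `ProcessMetric::IsSandboxed` in the .cc section of this commit decides with `integrity_level > ProcessIntegrityLevel::Unknown && integrity_level < ProcessIntegrityLevel::Medium`. An enumerator inserted or reordered later would silently change which processes are reported as sandboxed. I would add above the enum `// Ordered from least to most privileged; IsSandboxed() compares enumerators, keep the order.` and a line on the two `IsSandboxed` declarations noting that the Windows one is a static predicate over an integrity level while the macOS one queries the process itself.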