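/// <summary>
/// Builds the process/thread attribute list that carries the AppContainer
/// <c>SECURITY_CAPABILITIES</c> for a sandboxed child process.
/// </summary>
/// <remarks>
/// <para>
/// The capability set is hard-coded to <c>WinCapabilityInternetClientSid</c>, the well-known SID
/// of the <c>internetClient</c> capability (outbound internet access). Every attribute list
/// produced here therefore grants that capability; drop or parameterize it if a sandbox is
/// meant to run without network access.
/// </para>
/// <para>
/// Lifetime: <c>UpdateProcThreadAttribute</c> records the pointer to the attribute value rather
/// than copying it, so the marshalled <c>SECURITY_CAPABILITIES</c> buffer has to stay allocated
/// for as long as the attribute list is in use. Both are handed to
/// <c>this.disposalEscrow</c> on success. NOTE(review): this assumes <c>Subsume</c> transfers
/// ownership so that disposing the local escrow no longer releases them - confirm against
/// <c>DisposalEscrow</c>.
/// </para>
/// </remarks>
/// <returns>The populated attribute list handle.</returns>
/// <exception cref="SandboxException">
/// <c>UpdateProcThreadAttribute</c> failed; the inner <see cref="Win32Exception"/> carries the
/// Win32 error code. Exceptions from <c>SetSecurityCapabilities</c> propagate unchanged.
/// </exception>
private SafeProcThreadAttributeList AllocateAttributeList()
{
    using (var localDisposalEscrow = new DisposalEscrow())
    {
        // The struct ends up holding raw pointers (AppContainer SID, capability table), not
        // owning handles; see the lifetime remark above.
        SECURITY_CAPABILITIES securityCapabilities = new SECURITY_CAPABILITIES();
        this.SetSecurityCapabilities(
            ref securityCapabilities,
            this.securityIdentifierHandle,
            new WELL_KNOWN_SID_TYPE[] { WELL_KNOWN_SID_TYPE.WinCapabilityInternetClientSid });

        // Constructor argument 1: presumably the number of attributes the list can hold
        // (only the security-capabilities attribute is set below) - confirm.
        var attributeListHandle = localDisposalEscrow.Add(new SafeProcThreadAttributeList(1));
        var securityCapabilitiesMemory = localDisposalEscrow.Add(new SafeHGlobalBuffer(Marshal.SizeOf(securityCapabilities)));

        // Fresh allocation, so there is no previous structure content to release.
        Marshal.StructureToPtr(securityCapabilities, securityCapabilitiesMemory.DangerousGetHandle(), fDeleteOld: false);

        if (!Methods.UpdateProcThreadAttribute(
            attributeListHandle.DangerousGetHandle(),
            dwFlags: 0,
            attribute: PROC_THREAD_ATTRIBUTES.PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES,
            securityCapabilitiesMemory.DangerousGetHandle(),
            securityCapabilitiesMemory.Size,
            lpPreviousValue: IntPtr.Zero,
            lpReturnSize: IntPtr.Zero))
        {
            // Read the error code once so the message and the inner exception always agree.
            int errorCode = Marshal.GetLastWin32Error();
            throw new SandboxException(
                $"Failed to update proc thread attribute list (0x{errorCode:X08})",
                new Win32Exception(errorCode));
        }

        // Success: hand the list and its backing buffer over to the instance-level escrow.
        this.disposalEscrow.Subsume(localDisposalEscrow);
        return attributeListHandle;
    }
}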
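/// <summary>
/// Fills a <c>SECURITY_CAPABILITIES</c> structure with the AppContainer SID and, when any are
/// requested, an unmanaged table of <c>SID_AND_ATTRIBUTES</c> entries, one per capability.
/// </summary>
/// <param name="securityCapabilities">
/// Structure to populate. <c>Capabilities</c> and <c>CapabilityCount</c> are assigned only
/// after every capability SID has been created, so a failure leaves them at zero.
/// </param>
/// <param name="appContainerSid">
/// AppContainer SID. Only its raw pointer is stored (no reference is added to the safe handle),
/// so the caller must keep this handle alive for as long as the structure is used.
/// </param>
/// <param name="appCapabilities">
/// Well-known capability SID types to grant; <c>null</c> or empty yields no capabilities.
/// </param>
/// <exception cref="SandboxException">A capability SID could not be created.</exception>
/// <exception cref="OverflowException">
/// The capability table size does not fit in an <see cref="int"/>.
/// </exception>
private void SetSecurityCapabilities(
    ref SECURITY_CAPABILITIES securityCapabilities,
    SafeSecurityIdentifier appContainerSid,
    WELL_KNOWN_SID_TYPE[] appCapabilities)
{
    using (var localDisposalEscrow = new DisposalEscrow())
    {
        securityCapabilities.AppContainerSid = appContainerSid.DangerousGetHandle();
        securityCapabilities.Capabilities = IntPtr.Zero;
        securityCapabilities.CapabilityCount = 0;
        securityCapabilities.Reserved = 0;

        if (appCapabilities != null && appCapabilities.Length > 0)
        {
            int entrySize = Marshal.SizeOf(typeof(SID_AND_ATTRIBUTES));

            // checked: a wrapped product would under-allocate the table and the
            // StructureToPtr writes below would land outside the buffer.
            int tableSize = checked(entrySize * appCapabilities.Length);
            var attributesMemory = localDisposalEscrow.Add(new SafeHGlobalBuffer(tableSize));

            for (int i = 0; i < appCapabilities.Length; i++)
            {
                // Each SID gets its own maximum-size buffer; the table entry points into it.
                int sidSize = Constants.SECURITY_MAX_SID_SIZE;
                var safeMemory = localDisposalEscrow.Add(new SafeHGlobalBuffer(sidSize));

                // Second argument is IntPtr.Zero: no domain SID is supplied.
                if (!Methods.CreateWellKnownSid(appCapabilities[i], IntPtr.Zero, safeMemory, ref sidSize))
                {
                    throw new SandboxException(
                        "Unable to create well known sid.",
                        new Win32Exception());
                }

                var attribute = new SID_AND_ATTRIBUTES
                {
                    Attributes = SID_ATTRIBUTES.SE_GROUP_ENABLED,
                    Sid = safeMemory.DangerousGetHandle(),
                };

                // i * entrySize is bounded by tableSize, which was overflow-checked above.
                Marshal.StructureToPtr(
                    attribute,
                    IntPtr.Add(attributesMemory.DangerousGetHandle(), i * entrySize),
                    fDeleteOld: false);
            }

            securityCapabilities.Capabilities = attributesMemory.DangerousGetHandle();
            securityCapabilities.CapabilityCount = appCapabilities.Length;
        }

        // The structure now points into the buffers allocated above, so they are handed to
        // the instance-level escrow. NOTE(review): assumes Subsume transfers ownership so the
        // local escrow's disposal no longer frees them - confirm against DisposalEscrow.
        this.disposalEscrow.Subsume(localDisposalEscrow);
    }
}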