Merged in ghostpdl-10.02.1 (pull request #2)

Ghostpdl 10.02.1

Approved-by: Nimesh Silva
Kelby Murie 2023-11-14 03:34:42 +00:00
commit 512db2b699
5 changed files with 49 additions and 33 deletions


@ -16,7 +16,7 @@ securely holds Ghostscripts in a laser containment field :-)
## Download
*Windows:* [ghost-trap-installer.exe](https://cdn1.papercut.com/files/open-source/ghost-trap/ghost-trap-installer-1.4.10.00.exe) (version 1.4)
*Windows:* [ghost-trap-installer.exe](https://cdn1.papercut.com/files/open-source/ghost-trap/ghost-trap-installer-1.4.10.02.1.exe) (version 1.4)
## Motivation
@ -65,7 +65,7 @@ To convert a multi-page PDF file into a JPEG images *WITH* sandboxing:
"C:\Program Files (x86)\GhostTrap\examples\annots.pdf"
`gsc-trapped.exe` is the sandboxed version of `gsc.exe`. It should behave the same
as the standard Ghostscript console command as [documented](https://ghostscript.readthedocs.io/en/gs10.0.0/Use.html),
as the standard Ghostscript console command as [documented](https://ghostscript.readthedocs.io/en/gs10.02.1/Use.html),
with the following known exceptions:
* The input and output files must be on a local disk (no network shares).
@ -94,7 +94,11 @@ escape vectors.
## Release History
### [1.4.10.00] - 2023-01-06
### [1.4.10.02.1] - 2023-11-10
* Updated to Ghostscript 10.02.1.20231101.
* Updated to the latest Chromium Sandbox [as of 2023-11-03](https://chromium.googlesource.com/chromium/src/+/b2d264b1585bd0d583a49dd91866e7d0ea02d387)).
### [1.4.10.00] - 2023-01-06 (internal)
* Updated to Ghostscript 10.00.0.20220921.
* Updated to the latest Chromium Sandbox [as of 2022-12-15](https://chromium.googlesource.com/chromium/src/+/1a554a4863f66c922398e91691212a54a8f11ea0)).
* Fixed the sandbox tests to no longer report a missing output file.
@ -194,6 +198,7 @@ The following future refinements are planned:
along with this program. If not, see <http://www.gnu.org/licenses/>.
[1.4.10.02.1]: https://github.com/PaperCutSoftware/GhostTrap/compare/v1.4.10.00...v1.4.10.02.1
[1.4.10.00]: https://github.com/PaperCutSoftware/GhostTrap/compare/v1.3.9.27...v1.4.10.00
[1.3.9.27]: https://github.com/PaperCutSoftware/GhostTrap/compare/v1.2.9.10...v1.3.9.27
[1.2.9.10]: https://github.com/PaperCutSoftware/GhostTrap/compare/v1.2.9.07...v1.2.9.10


@ -4,7 +4,7 @@ set INNO_COMPILER=%programfiles(x86)%\Inno Setup 6\ISCC.exe
SETLOCAL ENABLEDELAYEDEXPANSION
set starttime=%time%
set startdir=%cd%
set gsversion=10.00
set gsversion=10.02.1
echo .-. ___ _ _ _____
echo (o o) / _ \ ^|__ ___ ___^| ^|/__ \_ __ __ _ _ __


@ -17,7 +17,7 @@
#define gs_name "GPL Ghostscript"
#ifndef gs_version
#define gs_version "10.00.0"
#define gs_version "10.02.1"
#endif
#define gs_c_exe "gsc.exe"


@ -43,7 +43,7 @@
* Ghost Trap version number starts at 1 and suffixes the Ghostscript version we've
* tested/written against.
*/
#define GHOST_TRAP_VERSION "1.4.10.00"
#define GHOST_TRAP_VERSION "1.4.10.02.1"
#define GHOST_TRAP_COPYRIGHT "Copyright (c) 2012-2023 PaperCut Software Pty Ltd"
const wchar_t* PARAM_OUTPUT_FILE = L"OutputFile=";
@ -236,9 +236,8 @@ static void AllowAccessToFile(sandbox::TargetPolicy &policy, wchar_t *file, BOOL
ext);
}
(void) policy.GetConfig()->AddRule(
sandbox::SubSystem::kFiles,
sandbox::Semantics::kFilesAllowAny,
(void) policy.GetConfig()->AllowFileAccess(
sandbox::FileSemantics::kAllowAny,
path_rule
);
}
@ -388,9 +387,8 @@ static void ApplyPolicy(sandbox::TargetPolicy &policy, int argc, wchar_t* argv[]
_snwprintf(lib_path, MAX_PATH, L"%s\\*", part);
// Whitelist the LIB dir.
(void) policy.GetConfig()->AddRule(
sandbox::SubSystem::kFiles,
sandbox::Semantics::kFilesAllowReadonly,
(void) policy.GetConfig()->AllowFileAccess(
sandbox::FileSemantics::kAllowReadonly,
lib_path
);
@ -406,9 +404,8 @@ static void ApplyPolicy(sandbox::TargetPolicy &policy, int argc, wchar_t* argv[]
GetTempPath(MAX_PATH - 1, temp_dir);
wchar_t dir_rule[MAX_PATH];
_snwprintf(dir_rule, MAX_PATH - 1, L"%s*", temp_dir);
(void) policy.GetConfig()->AddRule(
sandbox::SubSystem::kFiles,
sandbox::Semantics::kFilesAllowAny,
(void) policy.GetConfig()->AllowFileAccess(
sandbox::FileSemantics::kAllowAny,
dir_rule
);
}
@ -420,9 +417,8 @@ static void ApplyPolicy(sandbox::TargetPolicy &policy, int argc, wchar_t* argv[]
GetWindowsDirectory(win_dir, MAX_PATH - 1);
wchar_t dir_rule[MAX_PATH];
_snwprintf(dir_rule, MAX_PATH - 1, L"%s\\Fonts\\*", win_dir);
(void) policy.GetConfig()->AddRule(
sandbox::SubSystem::kFiles,
sandbox::Semantics::kFilesAllowReadonly,
(void) policy.GetConfig()->AllowFileAccess(
sandbox::FileSemantics::kAllowReadonly,
dir_rule
);
}
@ -466,9 +462,8 @@ static void ApplyPolicy(sandbox::TargetPolicy &policy, int argc, wchar_t* argv[]
GetWindowsDirectory(win_dir, MAX_PATH - 1);
wchar_t dir_rule[MAX_PATH];
_snwprintf(dir_rule, MAX_PATH - 1, L"%s\\Temp\\*", win_dir);
(void) policy.GetConfig()->AddRule(
sandbox::SubSystem::kFiles,
sandbox::Semantics::kFilesAllowAny,
(void) policy.GetConfig()->AllowFileAccess(
sandbox::FileSemantics::kAllowAny,
dir_rule
);
}
@ -481,9 +476,8 @@ static void ApplyPolicy(sandbox::TargetPolicy &policy, int argc, wchar_t* argv[]
GetWindowsDirectory(win_dir, MAX_PATH - 1);
wchar_t dir_rule[MAX_PATH];
_snwprintf(dir_rule, MAX_PATH - 1, L"%s\\notepad.exe", win_dir);
(void) policy.GetConfig()->AddRule(
sandbox::SubSystem::kFiles,
sandbox::Semantics::kFilesAllowReadonly,
(void) policy.GetConfig()->AllowFileAccess(
sandbox::FileSemantics::kAllowReadonly,
dir_rule
);
}
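Review bot: Every migrated call still discards the result with `(void)` (the `AllowFileAccess` calls for the LIB dir, the temp dir, `Fonts`, `Windows\Temp` and `notepad.exe`), so a rule the config rejects — for instance because the `_snwprintf`-built pattern came out malformed or truncated — is dropped with no diagnostic. Since these are allow-rules a dropped rule fails closed for the sandbox, but the target then loses access it needs (e.g. its LIB directory) and the failure surfaces later as an opaque Ghostscript error rather than as a policy problem. If `AllowFileAccess` returns a `sandbox::ResultCode` as the old `AddRule` did, capture it, e.g. `if (policy.GetConfig()->AllowFileAccess(sandbox::FileSemantics::kAllowReadonly, lib_path) != sandbox::SBOX_ALL_OK) fprintf(stderr, "Sandbox: failed to add file rule for %ls\n", lib_path);` and do the same for the other four sites. Both `AllowAccessToFile` and `ApplyPolicy` extend outside these hunks.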


@ -159,6 +159,25 @@ static DWORD WINAPI ProvideStdIn(void *param) {
return 0;
}
/*
* The functionality to add a known SID to an object in the Chromium sandbox was removed in the following commit:
* https://chromium.googlesource.com/chromium/src/+/9ad0f7e70e53156c6331d3a7819343b5b7e1e487
* Fortunately, the underlying wrapper code to perform all the necessary operations was included in the removal.
* This method copies the original wrappers' behaviour with optimization for common parameters.
*/
bool GrantAccessToObject(HANDLE object, base::win::WellKnownSid known_sid) {
absl::optional<base::win::SecurityDescriptor> sd = base::win::SecurityDescriptor::FromHandle(
object, base::win::SecurityObjectType::kKernel, DACL_SECURITY_INFORMATION);
if (!sd) {
return false;
}
if (!sd->SetDaclEntry(base::win::Sid(known_sid), base::win::SecurityAccessMode::kGrant, FILE_ALL_ACCESS, 0)) {
return false;
}
return sd->WriteToHandle(object, base::win::SecurityObjectType::kKernel, DACL_SECURITY_INFORMATION);
}
/*
* The parent (unsandboxed process). This function intializes the sandbox service broker,
@ -199,7 +218,6 @@ static int RunParent(int argc, wchar_t* argv[],
}
PROCESS_INFORMATION pi;
sandbox::ResultCode warning_result = sandbox::SBOX_ALL_OK;
DWORD last_error = ERROR_SUCCESS;
{
@ -209,7 +227,7 @@ static int RunParent(int argc, wchar_t* argv[],
swprintf(args_plus_id, arg_max_len, L"%s %d", orig_args, process_id);
args_plus_id[arg_max_len - 1] = L'\0';
result = broker_service->SpawnTarget(argv[0], args_plus_id, std::move(targetPolicy), &warning_result, &last_error, &pi);
result = broker_service->SpawnTarget(argv[0], args_plus_id, std::move(targetPolicy), &last_error, &pi);
delete[] args_plus_id;
}
@ -233,8 +251,7 @@ static int RunParent(int argc, wchar_t* argv[],
NMPWAIT_USE_DEFAULT_WAIT,
NULL);
// Set the security on
if (!sandbox::AddKnownSidToObject(stdout_pipe, sandbox::SecurityObjectType::kKernel,
base::win::WellKnownSid::kWorld, sandbox::SecurityAccessMode::kGrant, FILE_ALL_ACCESS)) {
if (!GrantAccessToObject(stdout_pipe, base::win::WellKnownSid::kWorld)) {
fprintf(stderr, "Sandbox: Failed to set security on stdout pipe.\n");
return 52;
}
@ -263,8 +280,7 @@ static int RunParent(int argc, wchar_t* argv[],
NMPWAIT_USE_DEFAULT_WAIT,
NULL);
if (!sandbox::AddKnownSidToObject(stderr_pipe, sandbox::SecurityObjectType::kKernel,
base::win::WellKnownSid::kCreatorOwner, sandbox::SecurityAccessMode::kGrant, FILE_ALL_ACCESS)) {
if (!GrantAccessToObject(stderr_pipe, base::win::WellKnownSid::kCreatorOwner)) {
fprintf(stderr, "Sandbox: Failed to set security on stderr pipe.\n");
return 52;
}
@ -290,8 +306,7 @@ static int RunParent(int argc, wchar_t* argv[],
NMPWAIT_USE_DEFAULT_WAIT,
NULL);
if (!sandbox::AddKnownSidToObject(stdin_pipe, sandbox::SecurityObjectType::kKernel,
base::win::WellKnownSid::kCreatorOwner, sandbox::SecurityAccessMode::kGrant, FILE_ALL_ACCESS)) {
if (!GrantAccessToObject(stdin_pipe, base::win::WellKnownSid::kCreatorOwner)) {
fprintf(stderr, "Sandbox: Failed to set security on stdin pipe.\n");
return 52;
}
@ -317,7 +332,9 @@ static int RunParent(int argc, wchar_t* argv[],
::CloseHandle(pi.hThread);
::CloseHandle(pi.hProcess);
broker_service->WaitForAllTargets();
// According to the following commit where WaitForAllTargets was removed, it appears it was only leveraged in tests.
// https://chromium.googlesource.com/chromium/src/+/0287f0eef35bef9e62917ec94640e9a5f01ce920%5E%21/#F2
// broker_service->WaitForAllTargets();
// Wait for BOTH our consuming std(out|err) threads to finish.
WaitForSingleObject(stdout_thread, 1000);
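Review bot: The new `GrantAccessToObject` helper hard-codes `FILE_ALL_ACCESS`, and the stdout pipe call passes `base::win::WellKnownSid::kWorld`, so every local account is granted full rights on that named pipe — `FILE_ALL_ACCESS` includes `WRITE_DAC` and `WRITE_OWNER`, not just read and write. The grant itself is carried over from the removed `AddKnownSidToObject` call, but since the helper is new it would be cheap to take the access mask as a parameter and grant Everyone only `FILE_GENERIC_READ | FILE_GENERIC_WRITE | SYNCHRONIZE` (or narrower, if the target only writes to it), keeping the broad mask for the CreatorOwner pipes only if it is really needed. A one-line comment on the stdout call saying why Everyone rather than the target's own or logon SID is required would also help the next reader. Separately, with `broker_service->WaitForAllTargets()` now commented out after `::CloseHandle(pi.hProcess)`, the parent no longer blocks until the target exits and only waits on the reader threads with 1000 ms timeouts, so output may be cut short; consider `WaitForSingleObject(pi.hProcess, INFINITE);` before the `::CloseHandle(pi.hProcess);` line. `RunParent` continues outside these hunks.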