I couldn't find much information about Untrusted integrity level in Windows, and have some questions about it:

ACE with SYSTEM_MANDATORY_LABEL_NO_WRITE_UP to MandatoryLevelUntrusted? When I try it, it fails with 0xc0000022 (access denied), while with MandatoryLevelLow it works great.

Is there a place where an untrusted integrity level process can create named objects? (mutexes, events, etc.)
By default, no. Code with an untrusted token (thread or process) can create objects only in a directory with Untrusted Mandatory Level, and no standard folder has this kind of label. Some have Low Mandatory Level, but untrusted, no.

But you can easily create this folder yourself. With Untrusted Mandatory Level and a NULL DACL, untrusted code can create objects in this folder:
#include <windows.h>
#include <winternl.h>   // NTSTATUS, UNICODE_STRING, OBJECT_ATTRIBUTES, OBJ_* flags
#include <malloc.h>     // alloca

#ifndef DIRECTORY_ALL_ACCESS
#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)   // value from the DDK headers
#endif
#ifndef STATUS_UNSUCCESSFUL
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#endif
// Exported by ntdll.dll but not declared in the public SDK headers.
EXTERN_C NTSYSAPI NTSTATUS NTAPI ZwCreateDirectoryObject(PHANDLE DirectoryHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);

// Creates (or opens, because of OBJ_OPENIF) an object directory labelled Untrusted
// with a NULL DACL, so untrusted-integrity code can create named objects inside it.
NTSTATUS CreateUntrustedFolder(PHANDLE phObject, PCUNICODE_STRING ObjectName)
{
    ULONG cb = MAX_SID_SIZE;
    PSID UntrustedSid = (PSID)alloca(MAX_SID_SIZE);
    // S-1-16-0: the Untrusted mandatory level label SID
    if (CreateWellKnownSid(WinUntrustedLabelSid, 0, UntrustedSid, &cb))
    {
        // SACL sized for exactly one SYSTEM_MANDATORY_LABEL_ACE (header + mask + SID)
        PACL Sacl = (PACL)alloca(cb += sizeof(ACL) + sizeof(ACE_HEADER) + sizeof(ACCESS_MASK));
        InitializeAcl(Sacl, cb, ACL_REVISION);
        // MandatoryPolicy = 0: no NO_*_UP restriction on this label
        if (AddMandatoryAce(Sacl, ACL_REVISION, 0, 0, UntrustedSid))
        {
            SECURITY_DESCRIPTOR sd;
            InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
            // NULL DACL: no discretionary restriction, everyone gets full access
            SetSecurityDescriptorDacl(&sd, TRUE, NULL, FALSE);
            SetSecurityDescriptorSacl(&sd, TRUE, Sacl, FALSE);
            OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, (PUNICODE_STRING)ObjectName, OBJ_CASE_INSENSITIVE|OBJ_OPENIF, &sd };
            return ZwCreateDirectoryObject(phObject, DIRECTORY_ALL_ACCESS, &oa);
        }
    }
    return STATUS_UNSUCCESSFUL;
}
About untrusted code creation: if you start a process from the beginning with a token marked with the untrusted integrity level, the process fails to start. This happens when ntdll.dll tries to load kernel32.dll: it tries to open the section \KnownDlls\kernel32.dll with SECTION_MAP_WRITE as well, but this object has Low Mandatory Level with SYSTEM_MANDATORY_LABEL_NO_WRITE_UP. As a result, untrusted code fails to open this section with write access.

So you need to initially create the process, say with Low Mandatory Level, and then set the untrusted level:
#include <windows.h>
#include <malloc.h>     // alloca

// Lowers the primary token of hProcess to the Untrusted integrity level.
// Returns a Win32 error code (NOERROR on success).
ULONG SetProcessUntrusted(HANDLE hProcess)
{
    TOKEN_MANDATORY_LABEL tml = { { (PSID)alloca(MAX_SID_SIZE), SE_GROUP_INTEGRITY } };
    ULONG cb = MAX_SID_SIZE;
    HANDLE hToken;
    // S-1-16-0 label SID; TOKEN_ADJUST_DEFAULT is the access TokenIntegrityLevel requires
    if (!CreateWellKnownSid(WinUntrustedLabelSid, 0, tml.Label.Sid, &cb) ||
        !OpenProcessToken(hProcess, TOKEN_ADJUST_DEFAULT, &hToken))
    {
        return GetLastError();
    }
    ULONG dwError = NOERROR;
    // The integrity level of a token can only be lowered this way, never raised.
    if (!SetTokenInformation(hToken, TokenIntegrityLevel, &tml, sizeof(tml)))
    {
        dwError = GetLastError();
    }
    CloseHandle(hToken);
    return dwError;
}
Should an untrusted integrity level process be able to open an existing named object?

This depends on the object label (level and mask), the code integrity level and the required access. If the code integrity level >= the object label level, we can open the object (if the DACL lets us do this). Otherwise we need to look at the object label mask and the required access. For example: the object has Low Mandatory Level with SYSTEM_MANDATORY_LABEL_NO_WRITE_UP and the code has Untrusted Mandatory Level. This code can open the object with read and execute access, but fails to open it for write access.
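The rule in the last paragraph, together with the earlier point that an untrusted token can only create objects in an Untrusted-labelled directory, can be made concrete with a small model of the mandatory integrity check. This is an added example, not code from the question or the answer and not the kernel's implementation: it reproduces only the stated rule (token level >= label level passes; otherwise the label's NO_*_UP policy bits remove the object type's generic read/write/execute rights). The DIRECTORY_* rights and the well-known level RIDs are the real winnt.h/DDK values; the directory generic mapping and the treatment of DELETE, WRITE_DAC and WRITE_OWNER as write rights are this model's assumptions. It runs with any C compiler, no Windows headers needed.

```c
#include <stdint.h>
#include <stdbool.h>

/* Well-known integrity level RIDs (SECURITY_MANDATORY_*_RID in winnt.h). */
#define LEVEL_UNTRUSTED 0x0000u
#define LEVEL_LOW       0x1000u
#define LEVEL_MEDIUM    0x2000u

/* Mandatory label policy bits (SYSTEM_MANDATORY_LABEL_*_UP in winnt.h). */
#define POLICY_NO_WRITE_UP   0x1u
#define POLICY_NO_READ_UP    0x2u
#define POLICY_NO_EXECUTE_UP 0x4u

/* Standard rights from winnt.h. STANDARD_RIGHTS_READ/WRITE/EXECUTE are all READ_CONTROL. */
#define DELETE       0x00010000u
#define READ_CONTROL 0x00020000u
#define WRITE_DAC    0x00040000u
#define WRITE_OWNER  0x00080000u

/* Object-directory specific rights (DIRECTORY_* in the DDK headers). */
#define DIRECTORY_QUERY               0x1u
#define DIRECTORY_TRAVERSE            0x2u
#define DIRECTORY_CREATE_OBJECT       0x4u
#define DIRECTORY_CREATE_SUBDIRECTORY 0x8u

typedef struct {
    uint32_t generic_read, generic_write, generic_execute, generic_all;
} generic_mapping_t;

/* Generic mapping this model assumes for object directories: creating an
 * object or sub-directory is a write right, query/traverse are read/execute. */
static const generic_mapping_t DIRECTORY_MAPPING = {
    READ_CONTROL | DIRECTORY_QUERY | DIRECTORY_TRAVERSE,
    READ_CONTROL | DIRECTORY_CREATE_OBJECT | DIRECTORY_CREATE_SUBDIRECTORY,
    READ_CONTROL | DIRECTORY_QUERY | DIRECTORY_TRAVERSE,
    DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER | 0xFu
};

/* Returns true when the mandatory label does not block desired_access.
 * A true result only means the integrity check passed; the DACL is still
 * evaluated afterwards, as the answer notes. */
bool mic_allows(uint32_t token_level, uint32_t label_level, uint32_t policy,
                uint32_t desired_access, const generic_mapping_t *map)
{
    /* Equal or higher integrity than the label: the label imposes nothing. */
    if (token_level >= label_level)
        return true;

    uint32_t denied = 0;
    if (policy & POLICY_NO_WRITE_UP)
        /* Model assumption: "write" is the generic-write mapping plus the
         * rights that alter the object itself. */
        denied |= map->generic_write | DELETE | WRITE_DAC | WRITE_OWNER;
    if (policy & POLICY_NO_READ_UP)
        denied |= map->generic_read;
    if (policy & POLICY_NO_EXECUTE_UP)
        denied |= map->generic_execute;

    /* READ_CONTROL sits in every STANDARD_RIGHTS_* group, so a write policy
     * must not take it away (model assumption). */
    if (!(policy & POLICY_NO_READ_UP))
        denied &= ~READ_CONTROL;

    return (desired_access & denied) == 0;
}

/* Constructed scenarios matching the answer's explanation. */

/* Untrusted token creating an object in a Low / NO_WRITE_UP directory
 * such as a standard named-object directory: denied (STATUS_ACCESS_DENIED). */
bool untrusted_can_create_in_low_dir(void)
{
    return mic_allows(LEVEL_UNTRUSTED, LEVEL_LOW, POLICY_NO_WRITE_UP,
                      DIRECTORY_CREATE_OBJECT, &DIRECTORY_MAPPING);
}

/* Same directory, but only read/execute style access: allowed. */
bool untrusted_can_query_low_dir(void)
{
    return mic_allows(LEVEL_UNTRUSTED, LEVEL_LOW, POLICY_NO_WRITE_UP,
                      DIRECTORY_QUERY | DIRECTORY_TRAVERSE | READ_CONTROL,
                      &DIRECTORY_MAPPING);
}

/* A directory labelled Untrusted, as CreateUntrustedFolder makes: the token
 * level equals the label level, so even a NO_WRITE_UP policy would not block. */
bool untrusted_can_create_in_untrusted_dir(void)
{
    return mic_allows(LEVEL_UNTRUSTED, LEVEL_UNTRUSTED, POLICY_NO_WRITE_UP,
                      DIRECTORY_CREATE_OBJECT, &DIRECTORY_MAPPING);
}

/* A Medium token against a Low label is never restricted by the label. */
bool medium_can_create_in_low_dir(void)
{
    return mic_allows(LEVEL_MEDIUM, LEVEL_LOW, POLICY_NO_WRITE_UP,
                      DIRECTORY_CREATE_OBJECT, &DIRECTORY_MAPPING);
}
```

The scenarios show why the question's attempt fails and the answer's folder works: a named object is created by asking for DIRECTORY_CREATE_OBJECT on its parent directory, that right is a write right, and the parent's label is what NO_WRITE_UP is compared against. Only a directory whose label level is Untrusted (or one whose policy lacks NO_WRITE_UP) lets an untrusted token through the integrity check, and the NULL DACL in CreateUntrustedFolder then lets it through the discretionary check too.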