# HG changeset patch
# User Bob Owen <bobowencode@gmail.com>
# Date 1677499923 0
#      Mon Feb 27 12:12:03 2023 +0000
Expose Sid::FromNamedCapability through broker services.

diff --git a/base/win/sid.cc b/base/win/sid.cc
--- a/base/win/sid.cc
+++ b/base/win/sid.cc
@@ -17,18 +17,22 @@
 #include "base/check.h"
 #include "base/no_destructor.h"
 #include "base/rand_util.h"
 #include "base/ranges/algorithm.h"
 #include "base/strings/string_util_win.h"
 #include "base/win/scoped_handle.h"
 #include "base/win/scoped_localalloc.h"
 #include "base/win/windows_version.h"
-#include "third_party/boringssl/src/include/openssl/crypto.h"
-#include "third_party/boringssl/src/include/openssl/sha.h"
+#if defined(MOZ_SANDBOX)
+#include <winternl.h>
+#else
+#include "third_party/boringssl/src/include/openssl/crypto.h"
+#include "third_party/boringssl/src/include/openssl/sha.h"
+#endif
 
 namespace base::win {
 
 namespace {
 
 template <typename Iterator>
 Sid FromSubAuthorities(const SID_IDENTIFIER_AUTHORITY& identifier_authority,
                        size_t sub_authority_count,
@@ -94,16 +98,19 @@
 }
 
 Sid Sid::FromKnownCapability(WellKnownCapability capability) {
   int32_t capability_rid = WellKnownCapabilityToRid(capability);
   return FromSubAuthorities(SECURITY_APP_PACKAGE_AUTHORITY,
                             {SECURITY_CAPABILITY_BASE_RID, capability_rid});
 }
 
+typedef NTSTATUS(WINAPI* RtlDeriveCapabilitySidsFromNameFunction)(
+    PCUNICODE_STRING SourceString, PSID CapabilityGroupSid, PSID CapabilitySid);
+
 Sid Sid::FromNamedCapability(const std::wstring& capability_name) {
   static const base::NoDestructor<std::map<std::wstring, WellKnownCapability>>
       known_capabilities(
           {{L"INTERNETCLIENT", WellKnownCapability::kInternetClient},
            {L"INTERNETCLIENTSERVER",
             WellKnownCapability::kInternetClientServer},
            {L"PRIVATENETWORKCLIENTSERVER",
             WellKnownCapability::kPrivateNetworkClientServer},
@@ -119,28 +126,37 @@
            {L"APPOINTMENTS", WellKnownCapability::kAppointments},
            {L"CONTACTS", WellKnownCapability::kContacts}});
 
   std::wstring cap_upper = base::ToUpperASCII(capability_name);
   auto known_cap = known_capabilities->find(cap_upper);
   if (known_cap != known_capabilities->end()) {
     return FromKnownCapability(known_cap->second);
   }
-  CRYPTO_library_init();
-  static_assert((SHA256_DIGEST_LENGTH / sizeof(DWORD)) ==
-                SECURITY_APP_PACKAGE_RID_COUNT);
-  DWORD rids[(SHA256_DIGEST_LENGTH / sizeof(DWORD)) + 2];
-  rids[0] = SECURITY_CAPABILITY_BASE_RID;
-  rids[1] = SECURITY_CAPABILITY_APP_RID;
-
-  SHA256(reinterpret_cast<const uint8_t*>(cap_upper.c_str()),
-         cap_upper.size() * sizeof(wchar_t),
-         reinterpret_cast<uint8_t*>(&rids[2]));
-  return FromSubAuthorities(SECURITY_APP_PACKAGE_AUTHORITY, std::size(rids),
-                            rids);
+
+  HMODULE ntdll_handle = ::GetModuleHandleW(L"ntdll.dll");
+  CHECK(ntdll_handle);
+  auto derive_capability_sids =
+      reinterpret_cast<RtlDeriveCapabilitySidsFromNameFunction>(
+          ::GetProcAddress(ntdll_handle, "RtlDeriveCapabilitySidsFromName"));
+  if (!derive_capability_sids) {
+    return Sid();
+  }
+
+  UNICODE_STRING name = {};
+  ::RtlInitUnicodeString(&name, capability_name.c_str());
+  BYTE capability_sid[SECURITY_MAX_SID_SIZE];
+  BYTE group_sid[SECURITY_MAX_SID_SIZE];
+
+  NTSTATUS status = derive_capability_sids(&name, group_sid, capability_sid);
+  if (!NT_SUCCESS(status)) {
+    return Sid();
+  }
+
+  return Sid(capability_sid, ::GetLengthSid(capability_sid));
 }
 
 Sid Sid::FromKnownSid(WellKnownSid type) {
   switch (type) {
     case WellKnownSid::kNull:
       return FromSubAuthorities(SECURITY_NULL_SID_AUTHORITY,
                                 {SECURITY_NULL_RID});
     case WellKnownSid::kWorld:
diff --git a/security/sandbox/chromium/base/win/sid.h b/security/sandbox/chromium/base/win/sid.h
--- a/base/win/sid.h
+++ b/base/win/sid.h
@@ -127,15 +127,16 @@ class BASE_EXPORT Sid {

   // Is this Sid equal to another Sid?
   bool operator==(const Sid& sid) const;

   // Is this Sid not equal to another Sid?
   bool operator!=(const Sid& sid) const;

  private:
+  Sid() {}
   Sid(const void* sid, size_t length);
   std::vector<char> sid_;
 };

 }  // namespace base::win

 #endif  // BASE_WIN_SID_H_
diff --git a/sandbox/win/src/broker_services.cc b/sandbox/win/src/broker_services.cc
--- a/sandbox/win/src/broker_services.cc
+++ b/sandbox/win/src/broker_services.cc
@@ -11,16 +11,17 @@
 #include "base/containers/contains.h"
 #include "base/memory/ptr_util.h"
 #include "base/notreached.h"
 #include "base/threading/platform_thread.h"
 #include "base/win/access_token.h"
 #include "base/win/current_module.h"
 #include "base/win/scoped_handle.h"
 #include "base/win/scoped_process_information.h"
+#include "base/win/sid.h"
 #include "base/win/windows_version.h"
 #include "build/build_config.h"
 #include "sandbox/win/src/app_container.h"
 #include "sandbox/win/src/process_mitigations.h"
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/sandbox_policy_base.h"
 #include "sandbox/win/src/sandbox_policy_diagnostic.h"
 #include "sandbox/win/src/startup_information_helper.h"
@@ -604,9 +604,16 @@ ResultCode BrokerServicesBase::GetPolicy
 }
 
 // static
 void BrokerServicesBase::FreezeTargetConfigForTesting(TargetConfig* config) {
   CHECK(!config->IsConfigured());
   static_cast<ConfigBase*>(config)->Freeze();
 }
 
+bool BrokerServicesBase::DeriveCapabilitySidFromName(const wchar_t* name,
+                                                     PSID derived_sid,
+                                                     DWORD sid_buffer_length) {
+  return ::CopySid(sid_buffer_length, derived_sid,
+                   base::win::Sid::FromNamedCapability(name).GetPSID());
+}
+
 }  // namespace sandbox
diff --git a/sandbox/win/src/broker_services.h b/sandbox/win/src/broker_services.h
--- a/sandbox/win/src/broker_services.h
+++ b/sandbox/win/src/broker_services.h
@@ -64,16 +64,19 @@ class BrokerServicesBase final : public 
       std::unique_ptr<PolicyDiagnosticsReceiver> receiver) override;
   void SetStartingMitigations(MitigationFlags starting_mitigations) override;
   bool RatchetDownSecurityMitigations(
       MitigationFlags additional_flags) override;
   std::wstring GetDesktopName(Desktop desktop) override;
 
   static void FreezeTargetConfigForTesting(TargetConfig* config);
 
+  bool DeriveCapabilitySidFromName(const wchar_t* name, PSID derived_sid,
+                                   DWORD sid_buffer_length) override;
+
  private:
   // Implements Init and InitForTesting.
   ResultCode Init(std::unique_ptr<BrokerServicesTargetTracker> target_tracker);
 
   // Ensures the desktop integrity suits any process we are launching.
   ResultCode UpdateDesktopIntegrity(Desktop desktop, IntegrityLevel integrity);
 
   // The completion port used by the job objects to communicate events to
diff --git a/sandbox/win/src/sandbox.h b/sandbox/win/src/sandbox.h
--- a/sandbox/win/src/sandbox.h
+++ b/sandbox/win/src/sandbox.h
@@ -149,16 +149,21 @@ class BrokerServices {
   // RatchetDownSecurityMitigations is then called by the broker process to
   // gradually increase our security as startup continues. It's designed to
   // be called multiple times. If you don't call SetStartingMitigations first
   // and there were mitigations applied early in startup, the new mitigations
   // may not be applied.
   virtual bool RatchetDownSecurityMitigations(
       MitigationFlags additional_flags) = 0;
 
+  // Derive a capability PSID from the given string.
+  virtual bool DeriveCapabilitySidFromName(const wchar_t* name,
+                                           PSID derived_sid,
+                                           DWORD sid_buffer_length) = 0;
+
  protected:
   ~BrokerServices() {}
 };
 
 // TargetServices models the current process from the perspective
 // of a target process. To obtain a pointer to it use
 // Sandbox::GetTargetServices(). Note that this call returns a non-null
 // pointer only if this process is in fact a target. A process is a target