security/sandbox/win/src/acl.cc@6474c204b198 (annotated)
security/sandbox/win/src/acl.cc
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
| michael@0 | 1 | // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| michael@0 | 2 | // Use of this source code is governed by a BSD-style license that can be |
| michael@0 | 3 | // found in the LICENSE file. |
| michael@0 | 4 | |
| michael@0 | 5 | #include "sandbox/win/src/acl.h" |
| michael@0 | 6 | |
| michael@0 | 7 | #include <aclapi.h> |
| michael@0 | 8 | #include <sddl.h> |
| michael@0 | 9 | |
| michael@0 | 10 | #include "base/logging.h" |
| michael@0 | 11 | |
| michael@0 | 12 | namespace sandbox { |
| michael@0 | 13 | |
| michael@0 | 14 | bool GetDefaultDacl(HANDLE token, |
| michael@0 | 15 | scoped_ptr_malloc<TOKEN_DEFAULT_DACL>* default_dacl) { |
| michael@0 | 16 | if (token == NULL) |
| michael@0 | 17 | return false; |
| michael@0 | 18 | |
| michael@0 | 19 | DCHECK(default_dacl != NULL); |
| michael@0 | 20 | |
| michael@0 | 21 | unsigned long length = 0; |
| michael@0 | 22 | ::GetTokenInformation(token, TokenDefaultDacl, NULL, 0, &length); |
| michael@0 | 23 | if (length == 0) { |
| michael@0 | 24 | NOTREACHED(); |
| michael@0 | 25 | return false; |
| michael@0 | 26 | } |
| michael@0 | 27 | |
| michael@0 | 28 | TOKEN_DEFAULT_DACL* acl = |
| michael@0 | 29 | reinterpret_cast<TOKEN_DEFAULT_DACL*>(malloc(length)); |
| michael@0 | 30 | default_dacl->reset(acl); |
| michael@0 | 31 | |
| michael@0 | 32 | if (!::GetTokenInformation(token, TokenDefaultDacl, default_dacl->get(), |
| michael@0 | 33 | length, &length)) |
| michael@0 | 34 | return false; |
| michael@0 | 35 | |
| michael@0 | 36 | return true; |
| michael@0 | 37 | } |
| michael@0 | 38 | |
| michael@0 | 39 | bool AddSidToDacl(const Sid& sid, ACL* old_dacl, ACCESS_MASK access, |
| michael@0 | 40 | ACL** new_dacl) { |
| michael@0 | 41 | EXPLICIT_ACCESS new_access = {0}; |
| michael@0 | 42 | new_access.grfAccessMode = GRANT_ACCESS; |
| michael@0 | 43 | new_access.grfAccessPermissions = access; |
| michael@0 | 44 | new_access.grfInheritance = NO_INHERITANCE; |
| michael@0 | 45 | |
| michael@0 | 46 | new_access.Trustee.pMultipleTrustee = NULL; |
| michael@0 | 47 | new_access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; |
| michael@0 | 48 | new_access.Trustee.TrusteeForm = TRUSTEE_IS_SID; |
| michael@0 | 49 | new_access.Trustee.ptstrName = reinterpret_cast<LPWSTR>( |
| michael@0 | 50 | const_cast<SID*>(sid.GetPSID())); |
| michael@0 | 51 | |
| michael@0 | 52 | if (ERROR_SUCCESS != ::SetEntriesInAcl(1, &new_access, old_dacl, new_dacl)) |
| michael@0 | 53 | return false; |
| michael@0 | 54 | |
| michael@0 | 55 | return true; |
| michael@0 | 56 | } |
| michael@0 | 57 | |
| michael@0 | 58 | bool AddSidToDefaultDacl(HANDLE token, const Sid& sid, ACCESS_MASK access) { |
| michael@0 | 59 | if (token == NULL) |
| michael@0 | 60 | return false; |
| michael@0 | 61 | |
| michael@0 | 62 | scoped_ptr_malloc<TOKEN_DEFAULT_DACL> default_dacl; |
| michael@0 | 63 | if (!GetDefaultDacl(token, &default_dacl)) |
| michael@0 | 64 | return false; |
| michael@0 | 65 | |
| michael@0 | 66 | ACL* new_dacl = NULL; |
| michael@0 | 67 | if (!AddSidToDacl(sid, default_dacl->DefaultDacl, access, &new_dacl)) |
| michael@0 | 68 | return false; |
| michael@0 | 69 | |
| michael@0 | 70 | TOKEN_DEFAULT_DACL new_token_dacl = {0}; |
| michael@0 | 71 | new_token_dacl.DefaultDacl = new_dacl; |
| michael@0 | 72 | |
| michael@0 | 73 | BOOL ret = ::SetTokenInformation(token, TokenDefaultDacl, &new_token_dacl, |
| michael@0 | 74 | sizeof(new_token_dacl)); |
| michael@0 | 75 | ::LocalFree(new_dacl); |
| michael@0 | 76 | return (TRUE == ret); |
| michael@0 | 77 | } |
| michael@0 | 78 | |
| michael@0 | 79 | bool AddUserSidToDefaultDacl(HANDLE token, ACCESS_MASK access) { |
| michael@0 | 80 | DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE; |
| michael@0 | 81 | TOKEN_USER* token_user = reinterpret_cast<TOKEN_USER*>(malloc(size)); |
| michael@0 | 82 | |
| michael@0 | 83 | scoped_ptr_malloc<TOKEN_USER> token_user_ptr(token_user); |
| michael@0 | 84 | |
| michael@0 | 85 | if (!::GetTokenInformation(token, TokenUser, token_user, size, &size)) |
| michael@0 | 86 | return false; |
| michael@0 | 87 | |
| michael@0 | 88 | return AddSidToDefaultDacl(token, |
| michael@0 | 89 | reinterpret_cast<SID*>(token_user->User.Sid), |
| michael@0 | 90 | access); |
| michael@0 | 91 | } |
| michael@0 | 92 | |
| michael@0 | 93 | bool AddKnownSidToKernelObject(HANDLE object, const Sid& sid, |
| michael@0 | 94 | ACCESS_MASK access) { |
| michael@0 | 95 | PSECURITY_DESCRIPTOR descriptor = NULL; |
| michael@0 | 96 | PACL old_dacl = NULL; |
| michael@0 | 97 | PACL new_dacl = NULL; |
| michael@0 | 98 | |
| michael@0 | 99 | if (ERROR_SUCCESS != ::GetSecurityInfo(object, SE_KERNEL_OBJECT, |
| michael@0 | 100 | DACL_SECURITY_INFORMATION, NULL, NULL, |
| michael@0 | 101 | &old_dacl, NULL, &descriptor)) |
| michael@0 | 102 | return false; |
| michael@0 | 103 | |
| michael@0 | 104 | if (!AddSidToDacl(sid.GetPSID(), old_dacl, access, &new_dacl)) { |
| michael@0 | 105 | ::LocalFree(descriptor); |
| michael@0 | 106 | return false; |
| michael@0 | 107 | } |
| michael@0 | 108 | |
| michael@0 | 109 | DWORD result = ::SetSecurityInfo(object, SE_KERNEL_OBJECT, |
| michael@0 | 110 | DACL_SECURITY_INFORMATION, NULL, NULL, |
| michael@0 | 111 | new_dacl, NULL); |
| michael@0 | 112 | |
| michael@0 | 113 | ::LocalFree(new_dacl); |
| michael@0 | 114 | ::LocalFree(descriptor); |
| michael@0 | 115 | |
| michael@0 | 116 | if (ERROR_SUCCESS != result) |
| michael@0 | 117 | return false; |
| michael@0 | 118 | |
| michael@0 | 119 | return true; |
| michael@0 | 120 | } |
| michael@0 | 121 | |
| michael@0 | 122 | } // namespace sandbox |
