security/sandbox/win/src/restricted_token.h@6474c204b198 (annotated)
security/sandbox/win/src/restricted_token.h
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
| michael@0 | 1 | // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| michael@0 | 2 | // Use of this source code is governed by a BSD-style license that can be |
| michael@0 | 3 | // found in the LICENSE file. |
| michael@0 | 4 | |
| michael@0 | 5 | #ifndef SANDBOX_SRC_RESTRICTED_TOKEN_H_ |
| michael@0 | 6 | #define SANDBOX_SRC_RESTRICTED_TOKEN_H_ |
| michael@0 | 7 | |
| michael@0 | 8 | #include <windows.h> |
| michael@0 | 9 | #include <vector> |
| michael@0 | 10 | |
| michael@0 | 11 | #include "base/basictypes.h" |
| michael@0 | 12 | #include "sandbox/win/src/restricted_token_utils.h" |
| michael@0 | 13 | #include "sandbox/win/src/security_level.h" |
| michael@0 | 14 | #include "sandbox/win/src/sid.h" |
| michael@0 | 15 | |
| michael@0 | 16 | // Flags present in the Group SID list. These 2 flags are new in Windows Vista |
| michael@0 | 17 | #ifndef SE_GROUP_INTEGRITY |
| michael@0 | 18 | #define SE_GROUP_INTEGRITY (0x00000020L) |
| michael@0 | 19 | #endif |
| michael@0 | 20 | #ifndef SE_GROUP_INTEGRITY_ENABLED |
| michael@0 | 21 | #define SE_GROUP_INTEGRITY_ENABLED (0x00000040L) |
| michael@0 | 22 | #endif |
| michael@0 | 23 | |
| michael@0 | 24 | namespace sandbox { |
| michael@0 | 25 | |
| michael@0 | 26 | // Handles the creation of a restricted token using the effective token or |
| michael@0 | 27 | // any token handle. |
| michael@0 | 28 | // Sample usage: |
| michael@0 | 29 | // RestrictedToken restricted_token; |
| michael@0 | 30 | // unsigned err_code = restricted_token.Init(NULL); // Use the current |
| michael@0 | 31 | // // effective token |
| michael@0 | 32 | // if (ERROR_SUCCESS != err_code) { |
| michael@0 | 33 | // // handle error. |
| michael@0 | 34 | // } |
| michael@0 | 35 | // |
| michael@0 | 36 | // restricted_token.AddRestrictingSid(ATL::Sids::Users().GetPSID()); |
| michael@0 | 37 | // HANDLE token_handle; |
| michael@0 | 38 | // err_code = restricted_token.GetRestrictedTokenHandle(&token_handle); |
| michael@0 | 39 | // if (ERROR_SUCCESS != err_code) { |
| michael@0 | 40 | // // handle error. |
| michael@0 | 41 | // } |
| michael@0 | 42 | // [...] |
| michael@0 | 43 | // CloseHandle(token_handle); |
| michael@0 | 44 | class RestrictedToken { |
| michael@0 | 45 | public: |
| michael@0 | 46 | // Init() has to be called before calling any other method in the class. |
| michael@0 | 47 | RestrictedToken() |
| michael@0 | 48 | : init_(false), effective_token_(NULL), |
| michael@0 | 49 | integrity_level_(INTEGRITY_LEVEL_LAST) { } |
| michael@0 | 50 | |
| michael@0 | 51 | ~RestrictedToken() { |
| michael@0 | 52 | if (effective_token_) |
| michael@0 | 53 | CloseHandle(effective_token_); |
| michael@0 | 54 | } |
| michael@0 | 55 | |
| michael@0 | 56 | // Initializes the RestrictedToken object with effective_token. |
| michael@0 | 57 | // If effective_token is NULL, it initializes the RestrictedToken object with |
| michael@0 | 58 | // the effective token of the current process. |
| michael@0 | 59 | unsigned Init(HANDLE effective_token); |
| michael@0 | 60 | |
| michael@0 | 61 | // Creates a restricted token and returns its handle using the token_handle |
| michael@0 | 62 | // output parameter. This handle has to be closed by the caller. |
| michael@0 | 63 | // If the function succeeds, the return value is ERROR_SUCCESS. If the |
| michael@0 | 64 | // function fails, the return value is the win32 error code corresponding to |
| michael@0 | 65 | // the error. |
| michael@0 | 66 | unsigned GetRestrictedTokenHandle(HANDLE *token_handle) const; |
| michael@0 | 67 | |
| michael@0 | 68 | // Creates a restricted token and uses this new token to create a new token |
| michael@0 | 69 | // for impersonation. Returns the handle of this impersonation token using |
| michael@0 | 70 | // the token_handle output parameter. This handle has to be closed by |
| michael@0 | 71 | // the caller. |
| michael@0 | 72 | // |
| michael@0 | 73 | // If the function succeeds, the return value is ERROR_SUCCESS. If the |
| michael@0 | 74 | // function fails, the return value is the win32 error code corresponding to |
| michael@0 | 75 | // the error. |
| michael@0 | 76 | // |
| michael@0 | 77 | // The sample usage is the same as the GetRestrictedTokenHandle function. |
| michael@0 | 78 | unsigned GetRestrictedTokenHandleForImpersonation(HANDLE *token_handle) const; |
| michael@0 | 79 | |
| michael@0 | 80 | // Lists all sids in the token and mark them as Deny Only except for those |
| michael@0 | 81 | // present in the exceptions parameter. If there is no exception needed, |
| michael@0 | 82 | // the caller can pass an empty list or NULL for the exceptions |
| michael@0 | 83 | // parameter. |
| michael@0 | 84 | // |
| michael@0 | 85 | // If the function succeeds, the return value is ERROR_SUCCESS. If the |
| michael@0 | 86 | // function fails, the return value is the win32 error code corresponding to |
| michael@0 | 87 | // the error. |
| michael@0 | 88 | // |
| michael@0 | 89 | // Sample usage: |
| michael@0 | 90 | // std::vector<Sid> sid_exceptions; |
| michael@0 | 91 | // sid_exceptions.push_back(ATL::Sids::Users().GetPSID()); |
| michael@0 | 92 | // sid_exceptions.push_back(ATL::Sids::World().GetPSID()); |
| michael@0 | 93 | // restricted_token.AddAllSidsForDenyOnly(&sid_exceptions); |
| michael@0 | 94 | // Note: A Sid marked for Deny Only in a token cannot be used to grant |
| michael@0 | 95 | // access to any resource. It can only be used to deny access. |
| michael@0 | 96 | unsigned AddAllSidsForDenyOnly(std::vector<Sid> *exceptions); |
| michael@0 | 97 | |
| michael@0 | 98 | // Adds a user or group SID for Deny Only in the restricted token. |
| michael@0 | 99 | // Parameter: sid is the SID to add in the Deny Only list. |
| michael@0 | 100 | // The return value is always ERROR_SUCCESS. |
| michael@0 | 101 | // |
| michael@0 | 102 | // Sample Usage: |
| michael@0 | 103 | // restricted_token.AddSidForDenyOnly(ATL::Sids::Admins().GetPSID()); |
| michael@0 | 104 | unsigned AddSidForDenyOnly(const Sid &sid); |
| michael@0 | 105 | |
| michael@0 | 106 | // Adds the user sid of the token for Deny Only in the restricted token. |
| michael@0 | 107 | // If the function succeeds, the return value is ERROR_SUCCESS. If the |
| michael@0 | 108 | // function fails, the return value is the win32 error code corresponding to |
| michael@0 | 109 | // the error. |
| michael@0 | 110 | unsigned AddUserSidForDenyOnly(); |
| michael@0 | 111 | |
| michael@0 | 112 | // Lists all privileges in the token and add them to the list of privileges |
| michael@0 | 113 | // to remove except for those present in the exceptions parameter. If |
| michael@0 | 114 | // there is no exception needed, the caller can pass an empty list or NULL |
| michael@0 | 115 | // for the exceptions parameter. |
| michael@0 | 116 | // |
| michael@0 | 117 | // If the function succeeds, the return value is ERROR_SUCCESS. If the |
| michael@0 | 118 | // function fails, the return value is the win32 error code corresponding to |
| michael@0 | 119 | // the error. |
| michael@0 | 120 | // |
| michael@0 | 121 | // Sample usage: |
| michael@0 | 122 | // std::vector<std::wstring> privilege_exceptions; |
| michael@0 | 123 | // privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME); |
| michael@0 | 124 | // restricted_token.DeleteAllPrivileges(&privilege_exceptions); |
| michael@0 | 125 | unsigned DeleteAllPrivileges( |
| michael@0 | 126 | const std::vector<std::wstring> *exceptions); |
| michael@0 | 127 | |
| michael@0 | 128 | // Adds a privilege to the list of privileges to remove in the restricted |
| michael@0 | 129 | // token. |
| michael@0 | 130 | // Parameter: privilege is the privilege name to remove. This is the string |
| michael@0 | 131 | // representing the privilege. (e.g. "SeChangeNotifyPrivilege"). |
| michael@0 | 132 | // If the function succeeds, the return value is ERROR_SUCCESS. If the |
| michael@0 | 133 | // function fails, the return value is the win32 error code corresponding to |
| michael@0 | 134 | // the error. |
| michael@0 | 135 | // |
| michael@0 | 136 | // Sample usage: |
| michael@0 | 137 | // restricted_token.DeletePrivilege(SE_LOAD_DRIVER_NAME); |
| michael@0 | 138 | unsigned DeletePrivilege(const wchar_t *privilege); |
| michael@0 | 139 | |
| michael@0 | 140 | // Adds a SID to the list of restricting sids in the restricted token. |
| michael@0 | 141 | // Parameter: sid is the sid to add to the list restricting sids. |
| michael@0 | 142 | // The return value is always ERROR_SUCCESS. |
| michael@0 | 143 | // |
| michael@0 | 144 | // Sample usage: |
| michael@0 | 145 | // restricted_token.AddRestrictingSid(ATL::Sids::Users().GetPSID()); |
| michael@0 | 146 | // Note: The list of restricting is used to force Windows to perform all |
| michael@0 | 147 | // access checks twice. The first time using your user SID and your groups, |
| michael@0 | 148 | // and the second time using your list of restricting sids. The access has |
| michael@0 | 149 | // to be granted in both places to get access to the resource requested. |
| michael@0 | 150 | unsigned AddRestrictingSid(const Sid &sid); |
| michael@0 | 151 | |
| michael@0 | 152 | // Adds the logon sid of the token in the list of restricting sids for the |
| michael@0 | 153 | // restricted token. |
| michael@0 | 154 | // |
| michael@0 | 155 | // If the function succeeds, the return value is ERROR_SUCCESS. If the |
| michael@0 | 156 | // function fails, the return value is the win32 error code corresponding to |
| michael@0 | 157 | // the error. |
| michael@0 | 158 | unsigned AddRestrictingSidLogonSession(); |
| michael@0 | 159 | |
| michael@0 | 160 | // Adds the owner sid of the token in the list of restricting sids for the |
| michael@0 | 161 | // restricted token. |
| michael@0 | 162 | // |
| michael@0 | 163 | // If the function succeeds, the return value is ERROR_SUCCESS. If the |
| michael@0 | 164 | // function fails, the return value is the win32 error code corresponding to |
| michael@0 | 165 | // the error. |
| michael@0 | 166 | unsigned AddRestrictingSidCurrentUser(); |
| michael@0 | 167 | |
| michael@0 | 168 | // Adds all group sids and the user sid to the restricting sids list. |
| michael@0 | 169 | // |
| michael@0 | 170 | // If the function succeeds, the return value is ERROR_SUCCESS. If the |
| michael@0 | 171 | // function fails, the return value is the win32 error code corresponding to |
| michael@0 | 172 | // the error. |
| michael@0 | 173 | unsigned AddRestrictingSidAllSids(); |
| michael@0 | 174 | |
| michael@0 | 175 | // Sets the token integrity level. This is only valid on Vista. The integrity |
| michael@0 | 176 | // level cannot be higher than your current integrity level. |
| michael@0 | 177 | unsigned SetIntegrityLevel(IntegrityLevel integrity_level); |
| michael@0 | 178 | |
| michael@0 | 179 | private: |
| michael@0 | 180 | // The list of restricting sids in the restricted token. |
| michael@0 | 181 | std::vector<Sid> sids_to_restrict_; |
| michael@0 | 182 | // The list of privileges to remove in the restricted token. |
| michael@0 | 183 | std::vector<LUID> privileges_to_disable_; |
| michael@0 | 184 | // The list of sids to mark as Deny Only in the restricted token. |
| michael@0 | 185 | std::vector<Sid> sids_for_deny_only_; |
| michael@0 | 186 | // The token to restrict. Can only be set in a constructor. |
| michael@0 | 187 | HANDLE effective_token_; |
| michael@0 | 188 | // The token integrity level. Only valid on Vista. |
| michael@0 | 189 | IntegrityLevel integrity_level_; |
| michael@0 | 190 | // Tells if the object is initialized or not (if Init() has been called) |
| michael@0 | 191 | bool init_; |
| michael@0 | 192 | |
| michael@0 | 193 | DISALLOW_COPY_AND_ASSIGN(RestrictedToken); |
| michael@0 | 194 | }; |
| michael@0 | 195 | |
| michael@0 | 196 | } // namespace sandbox |
| michael@0 | 197 | |
| michael@0 | 198 | #endif // SANDBOX_SRC_RESTRICTED_TOKEN_H_ |
