security/sandbox/win/src/sandbox_policy.h@6474c204b198 (annotated)
security/sandbox/win/src/sandbox_policy.h
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
| michael@0 | 1 | // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| michael@0 | 2 | // Use of this source code is governed by a BSD-style license that can be |
| michael@0 | 3 | // found in the LICENSE file. |
| michael@0 | 4 | |
| michael@0 | 5 | #ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_H_ |
| michael@0 | 6 | #define SANDBOX_WIN_SRC_SANDBOX_POLICY_H_ |
| michael@0 | 7 | |
| michael@0 | 8 | #include <string> |
| michael@0 | 9 | |
| michael@0 | 10 | #include "base/basictypes.h" |
| michael@0 | 11 | #include "sandbox/win/src/sandbox_types.h" |
| michael@0 | 12 | #include "sandbox/win/src/security_level.h" |
| michael@0 | 13 | |
| michael@0 | 14 | namespace sandbox { |
| michael@0 | 15 | |
| michael@0 | 16 | class TargetPolicy { |
| michael@0 | 17 | public: |
| michael@0 | 18 | // Windows subsystems that can have specific rules. |
| michael@0 | 19 | // Note: The process subsystem(SUBSY_PROCESS) does not evaluate the request |
| michael@0 | 20 | // exactly like the CreateProcess API does. See the comment at the top of |
| michael@0 | 21 | // process_thread_dispatcher.cc for more details. |
| michael@0 | 22 | enum SubSystem { |
| michael@0 | 23 | SUBSYS_FILES, // Creation and opening of files and pipes. |
| michael@0 | 24 | SUBSYS_NAMED_PIPES, // Creation of named pipes. |
| michael@0 | 25 | SUBSYS_PROCESS, // Creation of child processes. |
| michael@0 | 26 | SUBSYS_REGISTRY, // Creation and opening of registry keys. |
| michael@0 | 27 | SUBSYS_SYNC, // Creation of named sync objects. |
| michael@0 | 28 | SUBSYS_HANDLES // Duplication of handles to other processes. |
| michael@0 | 29 | }; |
| michael@0 | 30 | |
| michael@0 | 31 | // Allowable semantics when a rule is matched. |
| michael@0 | 32 | enum Semantics { |
| michael@0 | 33 | FILES_ALLOW_ANY, // Allows open or create for any kind of access that |
| michael@0 | 34 | // the file system supports. |
| michael@0 | 35 | FILES_ALLOW_READONLY, // Allows open or create with read access only. |
| michael@0 | 36 | FILES_ALLOW_QUERY, // Allows access to query the attributes of a file. |
| michael@0 | 37 | FILES_ALLOW_DIR_ANY, // Allows open or create with directory semantics |
| michael@0 | 38 | // only. |
| michael@0 | 39 | HANDLES_DUP_ANY, // Allows duplicating handles opened with any |
| michael@0 | 40 | // access permissions. |
| michael@0 | 41 | HANDLES_DUP_BROKER, // Allows duplicating handles to the broker process. |
| michael@0 | 42 | NAMEDPIPES_ALLOW_ANY, // Allows creation of a named pipe. |
| michael@0 | 43 | PROCESS_MIN_EXEC, // Allows to create a process with minimal rights |
| michael@0 | 44 | // over the resulting process and thread handles. |
| michael@0 | 45 | // No other parameters besides the command line are |
| michael@0 | 46 | // passed to the child process. |
| michael@0 | 47 | PROCESS_ALL_EXEC, // Allows the creation of a process and return fill |
| michael@0 | 48 | // access on the returned handles. |
| michael@0 | 49 | // This flag can be used only when the main token of |
| michael@0 | 50 | // the sandboxed application is at least INTERACTIVE. |
| michael@0 | 51 | EVENTS_ALLOW_ANY, // Allows the creation of an event with full access. |
| michael@0 | 52 | EVENTS_ALLOW_READONLY, // Allows opening an even with synchronize access. |
| michael@0 | 53 | REG_ALLOW_READONLY, // Allows readonly access to a registry key. |
| michael@0 | 54 | REG_ALLOW_ANY // Allows read and write access to a registry key. |
| michael@0 | 55 | }; |
| michael@0 | 56 | |
| michael@0 | 57 | // Increments the reference count of this object. The reference count must |
| michael@0 | 58 | // be incremented if this interface is given to another component. |
| michael@0 | 59 | virtual void AddRef() = 0; |
| michael@0 | 60 | |
| michael@0 | 61 | // Decrements the reference count of this object. When the reference count |
| michael@0 | 62 | // is zero the object is automatically destroyed. |
| michael@0 | 63 | // Indicates that the caller is done with this interface. After calling |
| michael@0 | 64 | // release no other method should be called. |
| michael@0 | 65 | virtual void Release() = 0; |
| michael@0 | 66 | |
| michael@0 | 67 | // Sets the security level for the target process' two tokens. |
| michael@0 | 68 | // This setting is permanent and cannot be changed once the target process is |
| michael@0 | 69 | // spawned. |
| michael@0 | 70 | // initial: the security level for the initial token. This is the token that |
| michael@0 | 71 | // is used by the process from the creation of the process until the moment |
| michael@0 | 72 | // the process calls TargetServices::LowerToken() or the process calls |
| michael@0 | 73 | // win32's ReverToSelf(). Once this happens the initial token is no longer |
| michael@0 | 74 | // available and the lockdown token is in effect. Using an initial token is |
| michael@0 | 75 | // not compatible with AppContainer, see SetAppContainer. |
| michael@0 | 76 | // lockdown: the security level for the token that comes into force after the |
| michael@0 | 77 | // process calls TargetServices::LowerToken() or the process calls |
| michael@0 | 78 | // ReverToSelf(). See the explanation of each level in the TokenLevel |
| michael@0 | 79 | // definition. |
| michael@0 | 80 | // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise. |
| michael@0 | 81 | // Returns false if the lockdown value is more permissive than the initial |
| michael@0 | 82 | // value. |
| michael@0 | 83 | // |
| michael@0 | 84 | // Important: most of the sandbox-provided security relies on this single |
| michael@0 | 85 | // setting. The caller should strive to set the lockdown level as restricted |
| michael@0 | 86 | // as possible. |
| michael@0 | 87 | virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) = 0; |
| michael@0 | 88 | |
| michael@0 | 89 | // Sets the security level of the Job Object to which the target process will |
| michael@0 | 90 | // belong. This setting is permanent and cannot be changed once the target |
| michael@0 | 91 | // process is spawned. The job controls the global security settings which |
| michael@0 | 92 | // can not be specified in the token security profile. |
| michael@0 | 93 | // job_level: the security level for the job. See the explanation of each |
| michael@0 | 94 | // level in the JobLevel definition. |
| michael@0 | 95 | // ui_exceptions: specify what specific rights that are disabled in the |
| michael@0 | 96 | // chosen job_level that need to be granted. Use this parameter to avoid |
| michael@0 | 97 | // selecting the next permissive job level unless you need all the rights |
| michael@0 | 98 | // that are granted in such level. |
| michael@0 | 99 | // The exceptions can be specified as a combination of the following |
| michael@0 | 100 | // constants: |
| michael@0 | 101 | // JOB_OBJECT_UILIMIT_HANDLES : grant access to all user-mode handles. These |
| michael@0 | 102 | // include windows, icons, menus and various GDI objects. In addition the |
| michael@0 | 103 | // target process can set hooks, and broadcast messages to other processes |
| michael@0 | 104 | // that belong to the same desktop. |
| michael@0 | 105 | // JOB_OBJECT_UILIMIT_READCLIPBOARD : grant read-only access to the clipboard. |
| michael@0 | 106 | // JOB_OBJECT_UILIMIT_WRITECLIPBOARD : grant write access to the clipboard. |
| michael@0 | 107 | // JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS : allow changes to the system-wide |
| michael@0 | 108 | // parameters as defined by the Win32 call SystemParametersInfo(). |
| michael@0 | 109 | // JOB_OBJECT_UILIMIT_DISPLAYSETTINGS : allow programmatic changes to the |
| michael@0 | 110 | // display settings. |
| michael@0 | 111 | // JOB_OBJECT_UILIMIT_GLOBALATOMS : allow access to the global atoms table. |
| michael@0 | 112 | // JOB_OBJECT_UILIMIT_DESKTOP : allow the creation of new desktops. |
| michael@0 | 113 | // JOB_OBJECT_UILIMIT_EXITWINDOWS : allow the call to ExitWindows(). |
| michael@0 | 114 | // |
| michael@0 | 115 | // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise. |
| michael@0 | 116 | // |
| michael@0 | 117 | // Note: JOB_OBJECT_XXXX constants are defined in winnt.h and documented at |
| michael@0 | 118 | // length in: |
| michael@0 | 119 | // http://msdn2.microsoft.com/en-us/library/ms684152.aspx |
| michael@0 | 120 | // |
| michael@0 | 121 | // Note: the recommended level is JOB_RESTRICTED or JOB_LOCKDOWN. |
| michael@0 | 122 | virtual ResultCode SetJobLevel(JobLevel job_level, uint32 ui_exceptions) = 0; |
| michael@0 | 123 | |
| michael@0 | 124 | // Specifies the desktop on which the application is going to run. If the |
| michael@0 | 125 | // desktop does not exist, it will be created. If alternate_winstation is |
| michael@0 | 126 | // set to true, the desktop will be created on an alternate window station. |
| michael@0 | 127 | virtual ResultCode SetAlternateDesktop(bool alternate_winstation) = 0; |
| michael@0 | 128 | |
| michael@0 | 129 | // Returns the name of the alternate desktop used. If an alternate window |
| michael@0 | 130 | // station is specified, the name is prepended by the window station name, |
| michael@0 | 131 | // followed by a backslash. |
| michael@0 | 132 | virtual std::wstring GetAlternateDesktop() const = 0; |
| michael@0 | 133 | |
| michael@0 | 134 | // Precreates the desktop and window station, if any. |
| michael@0 | 135 | virtual ResultCode CreateAlternateDesktop(bool alternate_winstation) = 0; |
| michael@0 | 136 | |
| michael@0 | 137 | // Destroys the desktop and windows station. |
| michael@0 | 138 | virtual void DestroyAlternateDesktop() = 0; |
| michael@0 | 139 | |
| michael@0 | 140 | // Sets the integrity level of the process in the sandbox. Both the initial |
| michael@0 | 141 | // token and the main token will be affected by this. If the integrity level |
| michael@0 | 142 | // is set to a level higher than the current level, the sandbox will fail |
| michael@0 | 143 | // to start. |
| michael@0 | 144 | virtual ResultCode SetIntegrityLevel(IntegrityLevel level) = 0; |
| michael@0 | 145 | |
| michael@0 | 146 | // Sets the integrity level of the process in the sandbox. The integrity level |
| michael@0 | 147 | // will not take effect before you call LowerToken. User Interface Privilege |
| michael@0 | 148 | // Isolation is not affected by this setting and will remain off for the |
| michael@0 | 149 | // process in the sandbox. If the integrity level is set to a level higher |
| michael@0 | 150 | // than the current level, the sandbox will fail to start. |
| michael@0 | 151 | virtual ResultCode SetDelayedIntegrityLevel(IntegrityLevel level) = 0; |
| michael@0 | 152 | |
| michael@0 | 153 | // Sets the AppContainer to be used for the sandboxed process. Any capability |
| michael@0 | 154 | // to be enabled for the process should be added before this method is invoked |
| michael@0 | 155 | // (by calling SetCapability() as many times as needed). |
| michael@0 | 156 | // The desired AppContainer must be already installed on the system, otherwise |
| michael@0 | 157 | // launching the sandboxed process will fail. See BrokerServices for details |
| michael@0 | 158 | // about installing an AppContainer. |
| michael@0 | 159 | // Note that currently Windows restricts the use of impersonation within |
| michael@0 | 160 | // AppContainers, so this function is incompatible with the use of an initial |
| michael@0 | 161 | // token. |
| michael@0 | 162 | virtual ResultCode SetAppContainer(const wchar_t* sid) = 0; |
| michael@0 | 163 | |
| michael@0 | 164 | // Sets a capability to be enabled for the sandboxed process' AppContainer. |
| michael@0 | 165 | virtual ResultCode SetCapability(const wchar_t* sid) = 0; |
| michael@0 | 166 | |
| michael@0 | 167 | // Sets the mitigations enabled when the process is created. Most of these |
| michael@0 | 168 | // are implemented as attributes passed via STARTUPINFOEX. So they take |
| michael@0 | 169 | // effect before any thread in the target executes. The declaration of |
| michael@0 | 170 | // MitigationFlags is followed by a detailed description of each flag. |
| michael@0 | 171 | virtual ResultCode SetProcessMitigations(MitigationFlags flags) = 0; |
| michael@0 | 172 | |
| michael@0 | 173 | // Returns the currently set mitigation flags. |
| michael@0 | 174 | virtual MitigationFlags GetProcessMitigations() = 0; |
| michael@0 | 175 | |
| michael@0 | 176 | // Sets process mitigation flags that don't take effect before the call to |
| michael@0 | 177 | // LowerToken(). |
| michael@0 | 178 | virtual ResultCode SetDelayedProcessMitigations(MitigationFlags flags) = 0; |
| michael@0 | 179 | |
| michael@0 | 180 | // Returns the currently set delayed mitigation flags. |
| michael@0 | 181 | virtual MitigationFlags GetDelayedProcessMitigations() = 0; |
| michael@0 | 182 | |
| michael@0 | 183 | // Sets the interceptions to operate in strict mode. By default, interceptions |
| michael@0 | 184 | // are performed in "relaxed" mode, where if something inside NTDLL.DLL is |
| michael@0 | 185 | // already patched we attempt to intercept it anyway. Setting interceptions |
| michael@0 | 186 | // to strict mode means that when we detect that the function is patched we'll |
| michael@0 | 187 | // refuse to perform the interception. |
| michael@0 | 188 | virtual void SetStrictInterceptions() = 0; |
| michael@0 | 189 | |
| michael@0 | 190 | // Set the handles the target process should inherit for stdout and |
| michael@0 | 191 | // stderr. The handles the caller passes must remain valid for the |
| michael@0 | 192 | // lifetime of the policy object. This only has an effect on |
| michael@0 | 193 | // Windows Vista and later versions. These methods accept pipe and |
| michael@0 | 194 | // file handles, but not console handles. |
| michael@0 | 195 | virtual ResultCode SetStdoutHandle(HANDLE handle) = 0; |
| michael@0 | 196 | virtual ResultCode SetStderrHandle(HANDLE handle) = 0; |
| michael@0 | 197 | |
| michael@0 | 198 | // Adds a policy rule effective for processes spawned using this policy. |
| michael@0 | 199 | // subsystem: One of the above enumerated windows subsystems. |
| michael@0 | 200 | // semantics: One of the above enumerated FileSemantics. |
| michael@0 | 201 | // pattern: A specific full path or a full path with wildcard patterns. |
| michael@0 | 202 | // The valid wildcards are: |
| michael@0 | 203 | // '*' : Matches zero or more character. Only one in series allowed. |
| michael@0 | 204 | // '?' : Matches a single character. One or more in series are allowed. |
| michael@0 | 205 | // Examples: |
| michael@0 | 206 | // "c:\\documents and settings\\vince\\*.dmp" |
| michael@0 | 207 | // "c:\\documents and settings\\*\\crashdumps\\*.dmp" |
| michael@0 | 208 | // "c:\\temp\\app_log_?????_chrome.txt" |
| michael@0 | 209 | virtual ResultCode AddRule(SubSystem subsystem, Semantics semantics, |
| michael@0 | 210 | const wchar_t* pattern) = 0; |
| michael@0 | 211 | |
| michael@0 | 212 | // Adds a dll that will be unloaded in the target process before it gets |
| michael@0 | 213 | // a chance to initialize itself. Typically, dlls that cause the target |
| michael@0 | 214 | // to crash go here. |
| michael@0 | 215 | virtual ResultCode AddDllToUnload(const wchar_t* dll_name) = 0; |
| michael@0 | 216 | |
| michael@0 | 217 | // Adds a handle that will be closed in the target process after lockdown. |
| michael@0 | 218 | // A NULL value for handle_name indicates all handles of the specified type. |
| michael@0 | 219 | // An empty string for handle_name indicates the handle is unnamed. |
| michael@0 | 220 | virtual ResultCode AddKernelObjectToClose(const wchar_t* handle_type, |
| michael@0 | 221 | const wchar_t* handle_name) = 0; |
| michael@0 | 222 | }; |
| michael@0 | 223 | |
| michael@0 | 224 | } // namespace sandbox |
| michael@0 | 225 | |
| michael@0 | 226 | |
| michael@0 | 227 | #endif // SANDBOX_WIN_SRC_SANDBOX_POLICY_H_ |
