security/sandbox/win/src/security_level.h


author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
michael@0 2 // Use of this source code is governed by a BSD-style license that can be
michael@0 3 // found in the LICENSE file.
michael@0 4
michael@0 5 #ifndef SANDBOX_SRC_SECURITY_LEVEL_H_
michael@0 6 #define SANDBOX_SRC_SECURITY_LEVEL_H_
michael@0 7
michael@0 8 #include "base/basictypes.h"
michael@0 9
michael@0 10 namespace sandbox {
michael@0 11
// Integrity levels (Windows mandatory integrity control, introduced with
// Windows Vista) that the sandbox can assign to a target process.
//
// Enumerators run from MOST to LEAST privileged, so a lower numeric value
// means more privilege here -- the opposite direction from TokenLevel and
// JobLevel, whose value 0 is the most restrictive. Do not compare levels
// across the three enums as if they shared one ordering.
//
// A sandboxed process cannot be given an integrity level higher than the
// level of the process that creates it.
enum IntegrityLevel {
  INTEGRITY_LEVEL_SYSTEM = 0,       // most privileged
  INTEGRITY_LEVEL_HIGH = 1,
  INTEGRITY_LEVEL_MEDIUM = 2,
  INTEGRITY_LEVEL_MEDIUM_LOW = 3,
  INTEGRITY_LEVEL_LOW = 4,
  INTEGRITY_LEVEL_BELOW_LOW = 5,
  INTEGRITY_LEVEL_UNTRUSTED = 6,    // least privileged
  INTEGRITY_LEVEL_LAST = 7          // presumably a bound/sentinel, not a
                                    // level to assign -- confirm at callers
};
michael@0 25
// A TokenLevel selects one of a fixed set of token transformations that
// provide the bulk of the sandbox's security. Each level is defined by the
// restricting SIDs added to the token, the SIDs converted to deny-only, and
// the privileges that are kept:
//
// TokenLevel                  |Restricting   |Deny Only       |Privileges|
//                             |Sids          |Sids            |          |
// ----------------------------|--------------|----------------|----------|
// USER_LOCKDOWN               | Null Sid     | All            | None     |
// ----------------------------|--------------|----------------|----------|
// USER_RESTRICTED             | RESTRICTED   | All            | Traverse |
// ----------------------------|--------------|----------------|----------|
// USER_LIMITED                | Users        | All except:    | Traverse |
//                             | Everyone     |   Users        |          |
//                             | RESTRICTED   |   Everyone     |          |
//                             |              |   Interactive  |          |
// ----------------------------|--------------|----------------|----------|
// USER_INTERACTIVE            | Users        | All except:    | Traverse |
//                             | Everyone     |   Users        |          |
//                             | RESTRICTED   |   Everyone     |          |
//                             | Owner        |   Interactive  |          |
//                             |              |   Local        |          |
//                             |              |   Authent-users|          |
//                             |              |   User         |          |
// ----------------------------|--------------|----------------|----------|
// USER_NON_ADMIN              | None         | All except:    | Traverse |
//                             |              |   Users        |          |
//                             |              |   Everyone     |          |
//                             |              |   Interactive  |          |
//                             |              |   Local        |          |
//                             |              |   Authent-users|          |
//                             |              |   User         |          |
// ----------------------------|--------------|----------------|----------|
// USER_RESTRICTED_SAME_ACCESS | All          | None           | All      |
// ----------------------------|--------------|----------------|----------|
// USER_UNPROTECTED            | None         | None           | All      |
// ----------------------------|--------------|----------------|----------|
//
// These restrictions are a transformation applied to the broker process's
// own token, so the token the target ends up with depends on both the level
// selected and the broker token itself.
//
// USER_LOCKDOWN and USER_RESTRICTED allow access to almost nothing that has
// a security descriptor; they are the recommended levels for sandboxed code,
// especially when the broker process may be started by a user who belongs
// to the Administrators or Power Users groups.
//
// Enumerators run from most to least restrictive: a lower numeric value is
// a more restricted token.
enum TokenLevel {
  USER_LOCKDOWN = 0,                // most restrictive
  USER_RESTRICTED = 1,
  USER_LIMITED = 2,
  USER_INTERACTIVE = 3,
  USER_NON_ADMIN = 4,
  USER_RESTRICTED_SAME_ACCESS = 5,
  USER_UNPROTECTED = 6              // broker token used unchanged
};
michael@0 81
// A JobLevel selects one of a set of decreasing security profiles for the
// Job object the target process is placed into. The table summarizes the
// restrictions each level applies:
//
// JobLevel         |General                            |Quota               |
//                  |restrictions                       |restrictions        |
// -----------------|-----------------------------------|--------------------|
// JOB_NONE         | No job is assigned to the         | None               |
//                  | sandboxed process.                |                    |
// -----------------|-----------------------------------|--------------------|
// JOB_UNPROTECTED  | None                              | *Kill on Job close.|
// -----------------|-----------------------------------|--------------------|
// JOB_INTERACTIVE  | *Forbid system-wide changes using |                    |
//                  |  SystemParametersInfo().          | *Kill on Job close.|
//                  | *Forbid the creation/switch of    |                    |
//                  |  Desktops.                        |                    |
//                  | *Forbid calls to ExitWindows().   |                    |
// -----------------|-----------------------------------|--------------------|
// JOB_LIMITED_USER | Same as JOB_INTERACTIVE plus:     | *One active process|
//                  | *Forbid changes to the display    |  limit.            |
//                  |  settings.                        | *Kill on Job close.|
// -----------------|-----------------------------------|--------------------|
// JOB_RESTRICTED   | Same as JOB_LIMITED_USER plus:    | *One active process|
//                  | * No read/write to the clipboard. |  limit.            |
//                  | * No access to User Handles that  | *Kill on Job close.|
//                  |   belong to other processes.      |                    |
//                  | * Forbid message broadcasts.      |                    |
//                  | * Forbid setting global hooks.    |                    |
//                  | * No access to the global atoms   |                    |
//                  |   table.                          |                    |
// -----------------|-----------------------------------|--------------------|
// JOB_LOCKDOWN     | Same as JOB_RESTRICTED            | *One active process|
//                  |                                   |  limit.            |
//                  |                                   | *Kill on Job close.|
//                  |                                   | *Kill on unhandled |
//                  |                                   |  exception.        |
//                  |                                   |                    |
// In the table above, 'user handles' means the handles of windows, bitmaps,
// menus, etc. Files, threads and registry handles are kernel handles and
// are not affected by the job level settings.
//
// Enumerators run from most to least restrictive: a lower numeric value is
// a more restricted job; JOB_NONE means the target gets no job at all.
enum JobLevel {
  JOB_LOCKDOWN = 0,                 // most restrictive
  JOB_RESTRICTED = 1,
  JOB_LIMITED_USER = 2,
  JOB_INTERACTIVE = 3,
  JOB_UNPROTECTED = 4,
  JOB_NONE = 5                      // no job object assigned
};
michael@0 130
// Bit flags for process-level mitigations (e.g. ASLR and DEP). Most are
// applied via UpdateProcThreadAttribute() with the
// PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY attribute, documented at
// http://msdn.microsoft.com/en-us/library/windows/desktop/ms686880
// Some mitigations are implemented directly by the sandbox, or emulated as
// far as possible when the OS has no native support.
//
// Two caveats for anyone treating these flags as a security guarantee:
//  * A flag the target OS does not support is silently ignored, so setting
//    it does not by itself prove the mitigation is in effect.
//  * A flag applied at the wrong time (pre- vs post-startup; see each flag)
//    is rejected with SBOX_ERROR_BAD_PARAMS.
typedef uint64 MitigationFlags;

// Bit 0: permanently enables DEP for the target process. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE.
const MitigationFlags MITIGATION_DEP = 1ULL << 0;

// Bit 1: permanently disables ATL thunk emulation when DEP is enabled. Only
// meaningful together with MITIGATION_DEP. Corresponds to NOT passing
// PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE.
const MitigationFlags MITIGATION_DEP_NO_ATL_THUNK = 1ULL << 1;

// Bit 2: enables Structured Exception Handling Overwrite Protection (SEHOP).
// Must be enabled prior to process start. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE.
const MitigationFlags MITIGATION_SEHOP = 1ULL << 2;

// Bit 3: forces ASLR on all images in the child process. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON.
const MitigationFlags MITIGATION_RELOCATE_IMAGE = 1ULL << 3;

// Bit 4: refuses to load DLLs that cannot support ASLR. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS.
const MitigationFlags MITIGATION_RELOCATE_IMAGE_REQUIRED = 1ULL << 4;

// Bit 5: terminates the process on Windows heap corruption. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON.
const MitigationFlags MITIGATION_HEAP_TERMINATE = 1ULL << 5;

// Bit 6: sets a random lower bound as the minimum user address. Must be
// enabled prior to process start. On 32-bit processes this is emulated to
// a much smaller degree. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON.
const MitigationFlags MITIGATION_BOTTOM_UP_ASLR = 1ULL << 6;

// Bit 7: increases the randomness range of bottom-up ASLR to up to 1TB.
// Must be enabled prior to process start and together with
// MITIGATION_BOTTOM_UP_ASLR. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON.
const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR = 1ULL << 7;

// Bit 8: immediately raises an exception on a bad handle reference. Must be
// enabled after startup. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON.
const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 1ULL << 8;

// Bit 9: prevents the process from making Win32k calls. Must be enabled
// after startup. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON.
const MitigationFlags MITIGATION_WIN32K_DISABLE = 1ULL << 9;

// Bit 10: disables common DLL injection methods (e.g. window hooks and
// AppInit_DLLs). Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON.
const MitigationFlags MITIGATION_EXTENSION_DLL_DISABLE = 1ULL << 10;

// Bit 32: sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS.
// Additional directories can be added via the Windows AddDllDirectory()
// function, see http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515
// Must be enabled after startup.
// NOTE(review): this is the only flag placed above bit 31; the reason for
// keeping it apart from the low bits is not stated here -- confirm before
// adding new flags to either range.
const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 1ULL << 32;
michael@0 200
michael@0 201 } // namespace sandbox
michael@0 202
michael@0 203 #endif // SANDBOX_SRC_SECURITY_LEVEL_H_
