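--- /dev/null
+++ b/security/sandbox/win/src/restricted_token.h
@@ -0,0 +1,198 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_SRC_RESTRICTED_TOKEN_H_
+#define SANDBOX_SRC_RESTRICTED_TOKEN_H_
+
+#include <windows.h>
+#include <vector>
+
+#include "base/basictypes.h"
+#include "sandbox/win/src/restricted_token_utils.h"
+#include "sandbox/win/src/security_level.h"
+#include "sandbox/win/src/sid.h"
+
+// Flags present in the Group SID list. These 2 flags are new in Windows Vista
+#ifndef SE_GROUP_INTEGRITY
+#define SE_GROUP_INTEGRITY (0x00000020L)
+#endif
+#ifndef SE_GROUP_INTEGRITY_ENABLED
+#define SE_GROUP_INTEGRITY_ENABLED (0x00000040L)
+#endif
+
+namespace sandbox {
+
+// Handles the creation of a restricted token using the effective token or
+// any token handle.
+// Sample usage:
+//    RestrictedToken restricted_token;
+//    unsigned err_code = restricted_token.Init(NULL);  // Use the current
+//                                                      // effective token
+//    if (ERROR_SUCCESS != err_code) {
+//      // handle error.
+//    }
+//
+//    restricted_token.AddRestrictingSid(ATL::Sids::Users().GetPSID());
+//    HANDLE token_handle;
+//    err_code = restricted_token.GetRestrictedTokenHandle(&token_handle);
+//    if (ERROR_SUCCESS != err_code) {
+//      // handle error.
+//    }
+//    [...]
+//    CloseHandle(token_handle);
+class RestrictedToken {
+ public:
+  // Init() has to be called before calling any other method in the class.
+  RestrictedToken()
+      : init_(false), effective_token_(NULL),
+        integrity_level_(INTEGRITY_LEVEL_LAST) { }
+
+  ~RestrictedToken() {
+    if (effective_token_)
+      CloseHandle(effective_token_);
+  }
+
+  // Initializes the RestrictedToken object with effective_token.
+  // If effective_token is NULL, it initializes the RestrictedToken object with
+  // the effective token of the current process.
+  unsigned Init(HANDLE effective_token);
+
+  // Creates a restricted token and returns its handle using the token_handle
+  // output parameter. This handle has to be closed by the caller.
+  // If the function succeeds, the return value is ERROR_SUCCESS. If the
+  // function fails, the return value is the win32 error code corresponding to
+  // the error.
+  unsigned GetRestrictedTokenHandle(HANDLE *token_handle) const;
+
+  // Creates a restricted token and uses this new token to create a new token
+  // for impersonation. Returns the handle of this impersonation token using
+  // the token_handle output parameter. This handle has to be closed by
+  // the caller.
+  //
+  // If the function succeeds, the return value is ERROR_SUCCESS. If the
+  // function fails, the return value is the win32 error code corresponding to
+  // the error.
+  //
+  // The sample usage is the same as the GetRestrictedTokenHandle function.
+  unsigned GetRestrictedTokenHandleForImpersonation(HANDLE *token_handle) const;
+
+  // Lists all sids in the token and mark them as Deny Only except for those
+  // present in the exceptions parameter. If there is no exception needed,
+  // the caller can pass an empty list or NULL for the exceptions
+  // parameter.
+  //
+  // If the function succeeds, the return value is ERROR_SUCCESS. If the
+  // function fails, the return value is the win32 error code corresponding to
+  // the error.
+  //
+  // Sample usage:
+  //    std::vector<Sid> sid_exceptions;
+  //    sid_exceptions.push_back(ATL::Sids::Users().GetPSID());
+  //    sid_exceptions.push_back(ATL::Sids::World().GetPSID());
+  //    restricted_token.AddAllSidsForDenyOnly(&sid_exceptions);
+  // Note: A Sid marked for Deny Only in a token cannot be used to grant
+  // access to any resource. It can only be used to deny access.
+  unsigned AddAllSidsForDenyOnly(std::vector<Sid> *exceptions);
+
+  // Adds a user or group SID for Deny Only in the restricted token.
+  // Parameter: sid is the SID to add in the Deny Only list.
+  // The return value is always ERROR_SUCCESS.
+  //
+  // Sample Usage:
+  //    restricted_token.AddSidForDenyOnly(ATL::Sids::Admins().GetPSID());
+  unsigned AddSidForDenyOnly(const Sid &sid);
+
+  // Adds the user sid of the token for Deny Only in the restricted token.
+  // If the function succeeds, the return value is ERROR_SUCCESS. If the
+  // function fails, the return value is the win32 error code corresponding to
+  // the error.
+  unsigned AddUserSidForDenyOnly();
+
+  // Lists all privileges in the token and add them to the list of privileges
+  // to remove except for those present in the exceptions parameter. If
+  // there is no exception needed, the caller can pass an empty list or NULL
+  // for the exceptions parameter.
+  //
+  // If the function succeeds, the return value is ERROR_SUCCESS. If the
+  // function fails, the return value is the win32 error code corresponding to
+  // the error.
+  //
+  // Sample usage:
+  //    std::vector<std::wstring> privilege_exceptions;
+  //    privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
+  //    restricted_token.DeleteAllPrivileges(&privilege_exceptions);
+  unsigned DeleteAllPrivileges(
+      const std::vector<std::wstring> *exceptions);
+
+  // Adds a privilege to the list of privileges to remove in the restricted
+  // token.
+  // Parameter: privilege is the privilege name to remove. This is the string
+  // representing the privilege. (e.g. "SeChangeNotifyPrivilege").
+  // If the function succeeds, the return value is ERROR_SUCCESS. If the
+  // function fails, the return value is the win32 error code corresponding to
+  // the error.
+  //
+  // Sample usage:
+  //    restricted_token.DeletePrivilege(SE_LOAD_DRIVER_NAME);
+  unsigned DeletePrivilege(const wchar_t *privilege);
+
+  // Adds a SID to the list of restricting sids in the restricted token.
+  // Parameter: sid is the sid to add to the list restricting sids.
+  // The return value is always ERROR_SUCCESS.
+  //
+  // Sample usage:
+  //    restricted_token.AddRestrictingSid(ATL::Sids::Users().GetPSID());
+  // Note: The list of restricting is used to force Windows to perform all
+  // access checks twice. The first time using your user SID and your groups,
+  // and the second time using your list of restricting sids. The access has
+  // to be granted in both places to get access to the resource requested.
+  unsigned AddRestrictingSid(const Sid &sid);
+
+  // Adds the logon sid of the token in the list of restricting sids for the
+  // restricted token.
+  //
+  // If the function succeeds, the return value is ERROR_SUCCESS. If the
+  // function fails, the return value is the win32 error code corresponding to
+  // the error.
+  unsigned AddRestrictingSidLogonSession();
+
+  // Adds the owner sid of the token in the list of restricting sids for the
+  // restricted token.
+  //
+  // If the function succeeds, the return value is ERROR_SUCCESS. If the
+  // function fails, the return value is the win32 error code corresponding to
+  // the error.
+  unsigned AddRestrictingSidCurrentUser();
+
+  // Adds all group sids and the user sid to the restricting sids list.
+  //
+  // If the function succeeds, the return value is ERROR_SUCCESS. If the
+  // function fails, the return value is the win32 error code corresponding to
+  // the error.
+  unsigned AddRestrictingSidAllSids();
+
+  // Sets the token integrity level. This is only valid on Vista. The integrity
+  // level cannot be higher than your current integrity level.
+  unsigned SetIntegrityLevel(IntegrityLevel integrity_level);
+
+ private:
+  // The list of restricting sids in the restricted token.
+  std::vector<Sid> sids_to_restrict_;
+  // The list of privileges to remove in the restricted token.
+  std::vector<LUID> privileges_to_disable_;
+  // The list of sids to mark as Deny Only in the restricted token.
+  std::vector<Sid> sids_for_deny_only_;
+  // The token to restrict. Can only be set in a constructor.
+  HANDLE effective_token_;
+  // The token integrity level. Only valid on Vista.
+  IntegrityLevel integrity_level_;
+  // Tells if the object is initialized or not (if Init() has been called)
+  bool init_;
+
+  DISALLOW_COPY_AND_ASSIGN(RestrictedToken);
+};
+
+}  // namespace sandbox
+
+#endif  // SANDBOX_SRC_RESTRICTED_TOKEN_H_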
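Review bot: The comment on Init() does not say who owns the handle the caller passes in, while ~RestrictedToken() calls CloseHandle(effective_token_) whenever it is non-null; if Init() stores the caller's handle rather than duplicating it, a caller that also closes its own handle double-closes it, and the implementation that decides this lives in the .cc, not in this header. The member comment `// The token to restrict. Can only be set in a constructor.` is also inconsistent with the constructor initializing it to NULL and Init() being the documented setter. I would add to the Init() comment `// The object closes the token it holds in its destructor; the caller keeps ownership of (and must close) the handle it passed in.`, adjusted to whatever restricted_token.cc actually does, and change the member comment to `// The token to restrict. Set by Init().`. Init() and SetIntegrityLevel() are also the only methods whose return value is not described; the wording used by their siblings (ERROR_SUCCESS on success, the win32 error code on failure) should be added to both.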