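--- /dev/null
+++ b/security/sandbox/win/src/restricted_token_utils.h
@@ -0,0 +1,83 @@
+// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__
+#define SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__
+
+#include <accctrl.h>
+#include <windows.h>
+
+#include "sandbox/win/src/restricted_token.h"
+#include "sandbox/win/src/security_level.h"
+
+// Contains the utility functions to be able to create restricted tokens based
+// on a security profiles.
+
+namespace sandbox {
+
+// The type of the token returned by the CreateNakedToken.
+enum TokenType {
+  IMPERSONATION = 0,
+  PRIMARY
+};
+
+// Creates a restricted token based on the effective token of the current
+// process. The parameter security_level determines how much the token is
+// restricted. The token_type determines if the token will be used as a primary
+// token or impersonation token. The integrity level of the token is set to
+// |integrity level| on Vista only.
+// token_handle is the output value containing the handle of the
+// newly created restricted token.
+// If the function succeeds, the return value is ERROR_SUCCESS. If the
+// function fails, the return value is the win32 error code corresponding to
+// the error.
+DWORD CreateRestrictedToken(HANDLE *token_handle,
+                            TokenLevel security_level,
+                            IntegrityLevel integrity_level,
+                            TokenType token_type);
+
+// Starts the process described by the input parameter command_line in a job
+// with a restricted token. Also set the main thread of this newly created
+// process to impersonate a user with more rights so it can initialize
+// correctly.
+//
+// Parameters: primary_level is the security level of the primary token.
+// impersonation_level is the security level of the impersonation token used
+// to initialize the process. job_level is the security level of the job
+// object used to encapsulate the process.
+//
+// The output parameter job_handle is the handle to the job object. It has
+// to be closed with CloseHandle() when not needed. Closing this handle will
+// kill the process started.
+//
+// Note: The process started with this function has to call RevertToSelf() as
+// soon as possible to stop using the impersonation token and start being
+// secure.
+//
+// Note: The Unicode version of this function will fail if the command_line
+// parameter is a const string.
+DWORD StartRestrictedProcessInJob(wchar_t *command_line,
+                                  TokenLevel primary_level,
+                                  TokenLevel impersonation_level,
+                                  JobLevel job_level,
+                                  HANDLE *job_handle);
+
+// Sets the integrity label on a object handle.
+DWORD SetObjectIntegrityLabel(HANDLE handle, SE_OBJECT_TYPE type,
+                              const wchar_t* ace_access,
+                              const wchar_t* integrity_level_sid);
+
+// Sets the integrity level on a token. This is only valid on Vista. It returns
+// without failing on XP. If the integrity level that you specify is greater
+// than the current integrity level, the function will fail.
+DWORD SetTokenIntegrityLevel(HANDLE token, IntegrityLevel integrity_level);
+
+// Sets the integrity level on the current process on Vista. It returns without
+// failing on XP. If the integrity level that you specify is greater than the
+// current integrity level, the function will fail.
+DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level);
+
+} // namespace sandbox
+
+#endif // SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__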
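Review bot: The contract documented for SetTokenIntegrityLevel and SetProcessIntegrityLevel ("returns without failing on XP") means ERROR_SUCCESS does not tell the caller whether an integrity level was actually applied, and the same silent no-op is implied for the integrity_level parameter of CreateRestrictedToken ("on Vista only"); a caller treating the integrity label as part of the sandbox boundary would not notice that it is absent. Spell that out once where callers will read it, e.g. on SetTokenIntegrityLevel: `// Note: ERROR_SUCCESS on a pre-Vista OS means no label was set; callers that depend on the integrity level as a restriction must check OS support separately.`, and reference it from the CreateRestrictedToken comment. Separately, the TokenType comment refers to `CreateNakedToken`, which is not declared in this header; the declared function is CreateRestrictedToken, so the comment should name it, or the referenced function should be noted as living in another file if that is the case. The header guard `SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__` contains a double underscore, which is a reserved identifier in C++; a trailing single underscore form would be conforming.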