1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/sandbox/win/src/sandbox_policy.h Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,227 @@
1.4 +// Copyright (c) 2012 The Chromium Authors. All rights reserved.
1.5 +// Use of this source code is governed by a BSD-style license that can be
1.6 +// found in the LICENSE file.
1.7 +
1.8 +#ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
1.9 +#define SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
1.10 +
1.11 +#include <string>
1.12 +
1.13 +#include "base/basictypes.h"
1.14 +#include "sandbox/win/src/sandbox_types.h"
1.15 +#include "sandbox/win/src/security_level.h"
1.16 +
1.17 +namespace sandbox {
1.18 +
1.19 +class TargetPolicy {
1.20 + public:
1.21 + // Windows subsystems that can have specific rules.
1.22 + // Note: The process subsystem(SUBSY_PROCESS) does not evaluate the request
1.23 + // exactly like the CreateProcess API does. See the comment at the top of
1.24 + // process_thread_dispatcher.cc for more details.
1.25 + enum SubSystem {
1.26 + SUBSYS_FILES, // Creation and opening of files and pipes.
1.27 + SUBSYS_NAMED_PIPES, // Creation of named pipes.
1.28 + SUBSYS_PROCESS, // Creation of child processes.
1.29 + SUBSYS_REGISTRY, // Creation and opening of registry keys.
1.30 + SUBSYS_SYNC, // Creation of named sync objects.
1.31 + SUBSYS_HANDLES // Duplication of handles to other processes.
1.32 + };
1.33 +
1.34 + // Allowable semantics when a rule is matched.
1.35 + enum Semantics {
1.36 + FILES_ALLOW_ANY, // Allows open or create for any kind of access that
1.37 + // the file system supports.
1.38 + FILES_ALLOW_READONLY, // Allows open or create with read access only.
1.39 + FILES_ALLOW_QUERY, // Allows access to query the attributes of a file.
1.40 + FILES_ALLOW_DIR_ANY, // Allows open or create with directory semantics
1.41 + // only.
1.42 + HANDLES_DUP_ANY, // Allows duplicating handles opened with any
1.43 + // access permissions.
1.44 + HANDLES_DUP_BROKER, // Allows duplicating handles to the broker process.
1.45 + NAMEDPIPES_ALLOW_ANY, // Allows creation of a named pipe.
1.46 + PROCESS_MIN_EXEC, // Allows to create a process with minimal rights
1.47 + // over the resulting process and thread handles.
1.48 + // No other parameters besides the command line are
1.49 + // passed to the child process.
1.50 + PROCESS_ALL_EXEC, // Allows the creation of a process and return fill
1.51 + // access on the returned handles.
1.52 + // This flag can be used only when the main token of
1.53 + // the sandboxed application is at least INTERACTIVE.
1.54 + EVENTS_ALLOW_ANY, // Allows the creation of an event with full access.
1.55 + EVENTS_ALLOW_READONLY, // Allows opening an even with synchronize access.
1.56 + REG_ALLOW_READONLY, // Allows readonly access to a registry key.
1.57 + REG_ALLOW_ANY // Allows read and write access to a registry key.
1.58 + };
1.59 +
1.60 + // Increments the reference count of this object. The reference count must
1.61 + // be incremented if this interface is given to another component.
1.62 + virtual void AddRef() = 0;
1.63 +
1.64 + // Decrements the reference count of this object. When the reference count
1.65 + // is zero the object is automatically destroyed.
1.66 + // Indicates that the caller is done with this interface. After calling
1.67 + // release no other method should be called.
1.68 + virtual void Release() = 0;
1.69 +
1.70 + // Sets the security level for the target process' two tokens.
1.71 + // This setting is permanent and cannot be changed once the target process is
1.72 + // spawned.
1.73 + // initial: the security level for the initial token. This is the token that
1.74 + // is used by the process from the creation of the process until the moment
1.75 + // the process calls TargetServices::LowerToken() or the process calls
1.76 + // win32's ReverToSelf(). Once this happens the initial token is no longer
1.77 + // available and the lockdown token is in effect. Using an initial token is
1.78 + // not compatible with AppContainer, see SetAppContainer.
1.79 + // lockdown: the security level for the token that comes into force after the
1.80 + // process calls TargetServices::LowerToken() or the process calls
1.81 + // ReverToSelf(). See the explanation of each level in the TokenLevel
1.82 + // definition.
1.83 + // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise.
1.84 + // Returns false if the lockdown value is more permissive than the initial
1.85 + // value.
1.86 + //
1.87 + // Important: most of the sandbox-provided security relies on this single
1.88 + // setting. The caller should strive to set the lockdown level as restricted
1.89 + // as possible.
1.90 + virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) = 0;
1.91 +
1.92 + // Sets the security level of the Job Object to which the target process will
1.93 + // belong. This setting is permanent and cannot be changed once the target
1.94 + // process is spawned. The job controls the global security settings which
1.95 + // can not be specified in the token security profile.
1.96 + // job_level: the security level for the job. See the explanation of each
1.97 + // level in the JobLevel definition.
1.98 + // ui_exceptions: specify what specific rights that are disabled in the
1.99 + // chosen job_level that need to be granted. Use this parameter to avoid
1.100 + // selecting the next permissive job level unless you need all the rights
1.101 + // that are granted in such level.
1.102 + // The exceptions can be specified as a combination of the following
1.103 + // constants:
1.104 + // JOB_OBJECT_UILIMIT_HANDLES : grant access to all user-mode handles. These
1.105 + // include windows, icons, menus and various GDI objects. In addition the
1.106 + // target process can set hooks, and broadcast messages to other processes
1.107 + // that belong to the same desktop.
1.108 + // JOB_OBJECT_UILIMIT_READCLIPBOARD : grant read-only access to the clipboard.
1.109 + // JOB_OBJECT_UILIMIT_WRITECLIPBOARD : grant write access to the clipboard.
1.110 + // JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS : allow changes to the system-wide
1.111 + // parameters as defined by the Win32 call SystemParametersInfo().
1.112 + // JOB_OBJECT_UILIMIT_DISPLAYSETTINGS : allow programmatic changes to the
1.113 + // display settings.
1.114 + // JOB_OBJECT_UILIMIT_GLOBALATOMS : allow access to the global atoms table.
1.115 + // JOB_OBJECT_UILIMIT_DESKTOP : allow the creation of new desktops.
1.116 + // JOB_OBJECT_UILIMIT_EXITWINDOWS : allow the call to ExitWindows().
1.117 + //
1.118 + // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise.
1.119 + //
1.120 + // Note: JOB_OBJECT_XXXX constants are defined in winnt.h and documented at
1.121 + // length in:
1.122 + // http://msdn2.microsoft.com/en-us/library/ms684152.aspx
1.123 + //
1.124 + // Note: the recommended level is JOB_RESTRICTED or JOB_LOCKDOWN.
1.125 + virtual ResultCode SetJobLevel(JobLevel job_level, uint32 ui_exceptions) = 0;
1.126 +
1.127 + // Specifies the desktop on which the application is going to run. If the
1.128 + // desktop does not exist, it will be created. If alternate_winstation is
1.129 + // set to true, the desktop will be created on an alternate window station.
1.130 + virtual ResultCode SetAlternateDesktop(bool alternate_winstation) = 0;
1.131 +
1.132 + // Returns the name of the alternate desktop used. If an alternate window
1.133 + // station is specified, the name is prepended by the window station name,
1.134 + // followed by a backslash.
1.135 + virtual std::wstring GetAlternateDesktop() const = 0;
1.136 +
1.137 + // Precreates the desktop and window station, if any.
1.138 + virtual ResultCode CreateAlternateDesktop(bool alternate_winstation) = 0;
1.139 +
1.140 + // Destroys the desktop and windows station.
1.141 + virtual void DestroyAlternateDesktop() = 0;
1.142 +
1.143 + // Sets the integrity level of the process in the sandbox. Both the initial
1.144 + // token and the main token will be affected by this. If the integrity level
1.145 + // is set to a level higher than the current level, the sandbox will fail
1.146 + // to start.
1.147 + virtual ResultCode SetIntegrityLevel(IntegrityLevel level) = 0;
1.148 +
1.149 + // Sets the integrity level of the process in the sandbox. The integrity level
1.150 + // will not take effect before you call LowerToken. User Interface Privilege
1.151 + // Isolation is not affected by this setting and will remain off for the
1.152 + // process in the sandbox. If the integrity level is set to a level higher
1.153 + // than the current level, the sandbox will fail to start.
1.154 + virtual ResultCode SetDelayedIntegrityLevel(IntegrityLevel level) = 0;
1.155 +
1.156 + // Sets the AppContainer to be used for the sandboxed process. Any capability
1.157 + // to be enabled for the process should be added before this method is invoked
1.158 + // (by calling SetCapability() as many times as needed).
1.159 + // The desired AppContainer must be already installed on the system, otherwise
1.160 + // launching the sandboxed process will fail. See BrokerServices for details
1.161 + // about installing an AppContainer.
1.162 + // Note that currently Windows restricts the use of impersonation within
1.163 + // AppContainers, so this function is incompatible with the use of an initial
1.164 + // token.
1.165 + virtual ResultCode SetAppContainer(const wchar_t* sid) = 0;
1.166 +
1.167 + // Sets a capability to be enabled for the sandboxed process' AppContainer.
1.168 + virtual ResultCode SetCapability(const wchar_t* sid) = 0;
1.169 +
1.170 + // Sets the mitigations enabled when the process is created. Most of these
1.171 + // are implemented as attributes passed via STARTUPINFOEX. So they take
1.172 + // effect before any thread in the target executes. The declaration of
1.173 + // MitigationFlags is followed by a detailed description of each flag.
1.174 + virtual ResultCode SetProcessMitigations(MitigationFlags flags) = 0;
1.175 +
1.176 + // Returns the currently set mitigation flags.
1.177 + virtual MitigationFlags GetProcessMitigations() = 0;
1.178 +
1.179 + // Sets process mitigation flags that don't take effect before the call to
1.180 + // LowerToken().
1.181 + virtual ResultCode SetDelayedProcessMitigations(MitigationFlags flags) = 0;
1.182 +
1.183 + // Returns the currently set delayed mitigation flags.
1.184 + virtual MitigationFlags GetDelayedProcessMitigations() = 0;
1.185 +
1.186 + // Sets the interceptions to operate in strict mode. By default, interceptions
1.187 + // are performed in "relaxed" mode, where if something inside NTDLL.DLL is
1.188 + // already patched we attempt to intercept it anyway. Setting interceptions
1.189 + // to strict mode means that when we detect that the function is patched we'll
1.190 + // refuse to perform the interception.
1.191 + virtual void SetStrictInterceptions() = 0;
1.192 +
1.193 + // Set the handles the target process should inherit for stdout and
1.194 + // stderr. The handles the caller passes must remain valid for the
1.195 + // lifetime of the policy object. This only has an effect on
1.196 + // Windows Vista and later versions. These methods accept pipe and
1.197 + // file handles, but not console handles.
1.198 + virtual ResultCode SetStdoutHandle(HANDLE handle) = 0;
1.199 + virtual ResultCode SetStderrHandle(HANDLE handle) = 0;
1.200 +
1.201 + // Adds a policy rule effective for processes spawned using this policy.
1.202 + // subsystem: One of the above enumerated windows subsystems.
1.203 + // semantics: One of the above enumerated FileSemantics.
1.204 + // pattern: A specific full path or a full path with wildcard patterns.
1.205 + // The valid wildcards are:
1.206 + // '*' : Matches zero or more character. Only one in series allowed.
1.207 + // '?' : Matches a single character. One or more in series are allowed.
1.208 + // Examples:
1.209 + // "c:\\documents and settings\\vince\\*.dmp"
1.210 + // "c:\\documents and settings\\*\\crashdumps\\*.dmp"
1.211 + // "c:\\temp\\app_log_?????_chrome.txt"
1.212 + virtual ResultCode AddRule(SubSystem subsystem, Semantics semantics,
1.213 + const wchar_t* pattern) = 0;
1.214 +
1.215 + // Adds a dll that will be unloaded in the target process before it gets
1.216 + // a chance to initialize itself. Typically, dlls that cause the target
1.217 + // to crash go here.
1.218 + virtual ResultCode AddDllToUnload(const wchar_t* dll_name) = 0;
1.219 +
1.220 + // Adds a handle that will be closed in the target process after lockdown.
1.221 + // A NULL value for handle_name indicates all handles of the specified type.
1.222 + // An empty string for handle_name indicates the handle is unnamed.
1.223 + virtual ResultCode AddKernelObjectToClose(const wchar_t* handle_type,
1.224 + const wchar_t* handle_name) = 0;
1.225 +};
1.226 +
1.227 +} // namespace sandbox
1.228 +
1.229 +
1.230 +#endif // SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
