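--- /dev/null
+++ b/security/sandbox/win/src/security_level.h
@@ -0,0 +1,203 @@
+// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_SRC_SECURITY_LEVEL_H_
+#define SANDBOX_SRC_SECURITY_LEVEL_H_
+
+#include "base/basictypes.h"
+
+namespace sandbox {
+
+// List of all the integrity levels supported in the sandbox. This is used
+// only on Windows Vista. You can't set the integrity level of the process
+// in the sandbox to a level higher than yours.
+enum IntegrityLevel {
+  INTEGRITY_LEVEL_SYSTEM,
+  INTEGRITY_LEVEL_HIGH,
+  INTEGRITY_LEVEL_MEDIUM,
+  INTEGRITY_LEVEL_MEDIUM_LOW,
+  INTEGRITY_LEVEL_LOW,
+  INTEGRITY_LEVEL_BELOW_LOW,
+  INTEGRITY_LEVEL_UNTRUSTED,
+  INTEGRITY_LEVEL_LAST
+};
+
+// The Token level specifies a set of security profiles designed to
+// provide the bulk of the security of sandbox.
+//
+// TokenLevel |Restricting |Deny Only |Privileges|
+// |Sids |Sids | |
+// ----------------------------|--------------|----------------|----------|
+// USER_LOCKDOWN | Null Sid | All | None |
+// ----------------------------|--------------|----------------|----------|
+// USER_RESTRICTED | RESTRICTED | All | Traverse |
+// ----------------------------|--------------|----------------|----------|
+// USER_LIMITED | Users | All except: | Traverse |
+// | Everyone | Users | |
+// | RESTRICTED | Everyone | |
+// | | Interactive | |
+// ----------------------------|--------------|----------------|----------|
+// USER_INTERACTIVE | Users | All except: | Traverse |
+// | Everyone | Users | |
+// | RESTRICTED | Everyone | |
+// | Owner | Interactive | |
+// | | Local | |
+// | | Authent-users | |
+// | | User | |
+// ----------------------------|--------------|----------------|----------|
+// USER_NON_ADMIN | None | All except: | Traverse |
+// | | Users | |
+// | | Everyone | |
+// | | Interactive | |
+// | | Local | |
+// | | Authent-users | |
+// | | User | |
+// ----------------------------|--------------|----------------|----------|
+// USER_RESTRICTED_SAME_ACCESS | All | None | All |
+// ----------------------------|--------------|----------------|----------|
+// USER_UNPROTECTED | None | None | All |
+// ----------------------------|--------------|----------------|----------|
+//
+// The above restrictions are actually a transformation that is applied to
+// the existing broker process token. The resulting token that will be
+// applied to the target process depends both on the token level selected
+// and on the broker token itself.
+//
+// The LOCKDOWN and RESTRICTED are designed to allow access to almost
+// nothing that has security associated with and they are the recommended
+// levels to run sandboxed code specially if there is a chance that the
+// broker is process might be started by a user that belongs to the Admins
+// or power users groups.
+enum TokenLevel {
+  USER_LOCKDOWN = 0,
+  USER_RESTRICTED,
+  USER_LIMITED,
+  USER_INTERACTIVE,
+  USER_NON_ADMIN,
+  USER_RESTRICTED_SAME_ACCESS,
+  USER_UNPROTECTED
+};
+
+// The Job level specifies a set of decreasing security profiles for the
+// Job object that the target process will be placed into.
+// This table summarizes the security associated with each level:
+//
+// JobLevel |General |Quota |
+// |restrictions |restrictions |
+// -----------------|---------------------------------- |--------------------|
+// JOB_NONE | No job is assigned to the | None |
+// | sandboxed process. | |
+// -----------------|---------------------------------- |--------------------|
+// JOB_UNPROTECTED | None | *Kill on Job close.|
+// -----------------|---------------------------------- |--------------------|
+// JOB_INTERACTIVE | *Forbid system-wide changes using | |
+// | SystemParametersInfo(). | *Kill on Job close.|
+// | *Forbid the creation/switch of | |
+// | Desktops. | |
+// | *Forbids calls to ExitWindows(). | |
+// -----------------|---------------------------------- |--------------------|
+// JOB_LIMITED_USER | Same as INTERACTIVE_USER plus: | *One active process|
+// | *Forbid changes to the display | limit. |
+// | settings. | *Kill on Job close.|
+// -----------------|---------------------------------- |--------------------|
+// JOB_RESTRICTED | Same as LIMITED_USER plus: | *One active process|
+// | * No read/write to the clipboard. | limit. |
+// | * No access to User Handles that | *Kill on Job close.|
+// | belong to other processes. | |
+// | * Forbid message broadcasts. | |
+// | * Forbid setting global hooks. | |
+// | * No access to the global atoms | |
+// | table. | |
+// -----------------|-----------------------------------|--------------------|
+// JOB_LOCKDOWN | Same as RESTRICTED | *One active process|
+// | | limit. |
+// | | *Kill on Job close.|
+// | | *Kill on unhandled |
+// | | exception. |
+// | | |
+// In the context of the above table, 'user handles' refers to the handles of
+// windows, bitmaps, menus, etc. Files, treads and registry handles are kernel
+// handles and are not affected by the job level settings.
+enum JobLevel {
+  JOB_LOCKDOWN = 0,
+  JOB_RESTRICTED,
+  JOB_LIMITED_USER,
+  JOB_INTERACTIVE,
+  JOB_UNPROTECTED,
+  JOB_NONE
+};
+
+// These flags correspond to various process-level mitigations (eg. ASLR and
+// DEP). Most are implemented via UpdateProcThreadAttribute() plus flags for
+// the PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY attribute argument; documented
+// here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686880
+// Some mitigations are implemented directly by the sandbox or emulated to
+// the greatest extent possible when not directly supported by the OS.
+// Flags that are unsupported for the target OS will be silently ignored.
+// Flags that are invalid for their application (pre or post startup) will
+// return SBOX_ERROR_BAD_PARAMS.
+typedef uint64 MitigationFlags;
+
+// Permanently enables DEP for the target process. Corresponds to
+// PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE.
+const MitigationFlags MITIGATION_DEP = 0x00000001;
+
+// Permanently Disables ATL thunk emulation when DEP is enabled. Valid
+// only when MITIGATION_DEP is passed. Corresponds to not passing
+// PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE.
+const MitigationFlags MITIGATION_DEP_NO_ATL_THUNK = 0x00000002;
+
+// Enables Structured exception handling override prevention. Must be
+// enabled prior to process start. Corresponds to
+// PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE.
+const MitigationFlags MITIGATION_SEHOP = 0x00000004;
+
+// Forces ASLR on all images in the child process. Corresponds to
+// PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON .
+const MitigationFlags MITIGATION_RELOCATE_IMAGE = 0x00000008;
+
+// Refuses to load DLLs that cannot support ASLR. Corresponds to
+// PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS.
+const MitigationFlags MITIGATION_RELOCATE_IMAGE_REQUIRED = 0x00000010;
+
+// Terminates the process on Windows heap corruption. Coresponds to
+// PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON.
+const MitigationFlags MITIGATION_HEAP_TERMINATE = 0x00000020;
+
+// Sets a random lower bound as the minimum user address. Must be
+// enabled prior to process start. On 32-bit processes this is
+// emulated to a much smaller degree. Corresponds to
+// PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON.
+const MitigationFlags MITIGATION_BOTTOM_UP_ASLR = 0x00000040;
+
+// Increases the randomness range of bottom-up ASLR to up to 1TB. Must be
+// enabled prior to process start and with MITIGATION_BOTTOM_UP_ASLR.
+// Corresponds to
+// PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON
+const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR = 0x00000080;
+
+// Immediately raises an exception on a bad handle reference. Must be
+// enabled after startup. Corresponds to
+// PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON.
+const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100;
+
+// Prevents the process from making Win32k calls. Must be enabled after
+// startup. Corresponds to
+// PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON.
+const MitigationFlags MITIGATION_WIN32K_DISABLE = 0x00000200;
+
+// Disables common DLL injection methods (e.g. window hooks and
+// App_InitDLLs). Corresponds to
+// PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON.
+const MitigationFlags MITIGATION_EXTENSION_DLL_DISABLE = 0x00000400;
+
+// Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional
+// directories can be added via the Windows AddDllDirectory() function.
+// http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515
+// Must be enabled after startup.
+const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000001ULL << 32;
+
+} // namespace sandbox
+
+#endif // SANDBOX_SRC_SECURITY_LEVEL_H_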
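Review bot: The JobLevel table describes `JOB_LIMITED_USER` as `Same as INTERACTIVE_USER plus:` and `JOB_RESTRICTED` as `Same as LIMITED_USER plus:`, but no enumerator carries either name; the rows should read `Same as JOB_INTERACTIVE plus:` and `Same as JOB_LIMITED_USER plus:` so the prose can be matched to the enum below it, which is ordered from most restrictive (`JOB_LOCKDOWN = 0`) to least (`JOB_NONE`), the reverse of the table. `TokenLevel` and `JobLevel` also lack the terminal sentinel that `IntegrityLevel` gets with `INTEGRITY_LEVEL_LAST`, so code that range-checks a level arriving from policy or a broker/target message has nothing to compare against; adding `USER_LAST` and `JOB_LAST` terminators would make the three enums consistent, unless existing switch statements over these enums rely on exhaustive coverage. Since the header documents that invalid flags return `SBOX_ERROR_BAD_PARAMS`, it would also help to state the same contract for out-of-range token and job levels. Comment typos worth fixing while the file is new: `Coresponds` → `Corresponds` above `MITIGATION_HEAP_TERMINATE`, `treads` → `threads` in the user-handles note, and `broker is process might` → `broker process might` above `TokenLevel`.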