security/sandbox/win/src/security_level.h

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
     2 // Use of this source code is governed by a BSD-style license that can be
     3 // found in the LICENSE file.
     5 #ifndef SANDBOX_SRC_SECURITY_LEVEL_H_
     6 #define SANDBOX_SRC_SECURITY_LEVEL_H_
     8 #include "base/basictypes.h"
    10 namespace sandbox {
// Integrity levels that the sandbox can assign to a target process (Windows
// Vista and later). Enumerators are listed from most privileged to least
// privileged. A process can only lower integrity: asking the sandbox for a
// level higher than the caller's own cannot be honored.
enum IntegrityLevel {
  INTEGRITY_LEVEL_SYSTEM = 0,
  INTEGRITY_LEVEL_HIGH = 1,
  INTEGRITY_LEVEL_MEDIUM = 2,
  INTEGRITY_LEVEL_MEDIUM_LOW = 3,
  INTEGRITY_LEVEL_LOW = 4,
  INTEGRITY_LEVEL_BELOW_LOW = 5,
  INTEGRITY_LEVEL_UNTRUSTED = 6,
  // End-of-list sentinel; not a real integrity level.
  INTEGRITY_LEVEL_LAST = 7
};
// A TokenLevel picks one of a fixed set of token transformations. These
// transformations provide the bulk of the sandbox's security. Enumerators are
// ordered from most restrictive (USER_LOCKDOWN) to least restrictive
// (USER_UNPROTECTED).
//
//  TokenLevel                 |Restricting   |Deny Only       |Privileges|
//                             |Sids          |Sids            |          |
// ----------------------------|--------------|----------------|----------|
// USER_LOCKDOWN               | Null Sid     | All            | None     |
// ----------------------------|--------------|----------------|----------|
// USER_RESTRICTED             | RESTRICTED   | All            | Traverse |
// ----------------------------|--------------|----------------|----------|
// USER_LIMITED                | Users        | All except:    | Traverse |
//                             | Everyone     | Users          |          |
//                             | RESTRICTED   | Everyone       |          |
//                             |              | Interactive    |          |
// ----------------------------|--------------|----------------|----------|
// USER_INTERACTIVE            | Users        | All except:    | Traverse |
//                             | Everyone     | Users          |          |
//                             | RESTRICTED   | Everyone       |          |
//                             | Owner        | Interactive    |          |
//                             |              | Local          |          |
//                             |              | Authent-users  |          |
//                             |              | User           |          |
// ----------------------------|--------------|----------------|----------|
// USER_NON_ADMIN              | None         | All except:    | Traverse |
//                             |              | Users          |          |
//                             |              | Everyone       |          |
//                             |              | Interactive    |          |
//                             |              | Local          |          |
//                             |              | Authent-users  |          |
//                             |              | User           |          |
// ----------------------------|--------------|----------------|----------|
// USER_RESTRICTED_SAME_ACCESS | All          | None           | All      |
// ----------------------------|--------------|----------------|----------|
// USER_UNPROTECTED            | None         | None           | All      |
// ----------------------------|--------------|----------------|----------|
//
// Each level is a transformation applied to the broker process's existing
// token, so the token the target process ends up with depends both on the
// level chosen and on what the broker's own token contained to begin with.
//
// USER_LOCKDOWN and USER_RESTRICTED allow access to almost nothing that has
// security associated with it. They are the recommended levels for running
// sandboxed code, especially when the broker process might be started by a
// user who belongs to the Administrators or Power Users groups.
enum TokenLevel {
  USER_LOCKDOWN = 0,
  USER_RESTRICTED = 1,
  USER_LIMITED = 2,
  USER_INTERACTIVE = 3,
  USER_NON_ADMIN = 4,
  USER_RESTRICTED_SAME_ACCESS = 5,
  USER_UNPROTECTED = 6
};
// A JobLevel selects the restrictions placed on the Job object that the target
// process is assigned to. Enumerators are ordered from most restrictive
// (JOB_LOCKDOWN) to least restrictive (JOB_NONE, no job at all). The security
// associated with each level:
//
//  JobLevel        |General                            |Quota               |
//                  |restrictions                       |restrictions        |
// -----------------|-----------------------------------|--------------------|
// JOB_NONE         | No job is assigned to the         | None               |
//                  | sandboxed process.                |                    |
// -----------------|-----------------------------------|--------------------|
// JOB_UNPROTECTED  | None                              | *Kill on Job close.|
// -----------------|-----------------------------------|--------------------|
// JOB_INTERACTIVE  | *Forbid system-wide changes using |                    |
//                  |  SystemParametersInfo().          | *Kill on Job close.|
//                  | *Forbid the creation/switch of    |                    |
//                  |  Desktops.                        |                    |
//                  | *Forbid calls to ExitWindows().   |                    |
// -----------------|-----------------------------------|--------------------|
// JOB_LIMITED_USER | Same as JOB_INTERACTIVE plus:     | *One active process|
//                  | *Forbid changes to the display    |  limit.            |
//                  |  settings.                        | *Kill on Job close.|
// -----------------|-----------------------------------|--------------------|
// JOB_RESTRICTED   | Same as JOB_LIMITED_USER plus:    | *One active process|
//                  | * No read/write to the clipboard. |  limit.            |
//                  | * No access to User Handles that  | *Kill on Job close.|
//                  |   belong to other processes.      |                    |
//                  | * Forbid message broadcasts.      |                    |
//                  | * Forbid setting global hooks.    |                    |
//                  | * No access to the global atoms   |                    |
//                  |   table.                          |                    |
// -----------------|-----------------------------------|--------------------|
// JOB_LOCKDOWN     | Same as JOB_RESTRICTED            | *One active process|
//                  |                                   |  limit.            |
//                  |                                   | *Kill on Job close.|
//                  |                                   | *Kill on unhandled |
//                  |                                   |  exception.        |
// -----------------|-----------------------------------|--------------------|
//
// In the table above, 'User Handles' means handles to USER objects such as
// windows, bitmaps and menus. File, thread and registry handles are kernel
// handles and are not affected by the job level.
enum JobLevel {
  JOB_LOCKDOWN = 0,
  JOB_RESTRICTED = 1,
  JOB_LIMITED_USER = 2,
  JOB_INTERACTIVE = 3,
  JOB_UNPROTECTED = 4,
  JOB_NONE = 5
};
// Process-level mitigation flags (e.g. ASLR and DEP). Most map onto the
// PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY attribute set through
// UpdateProcThreadAttribute(), documented at
// http://msdn.microsoft.com/en-us/library/windows/desktop/ms686880
// Some are implemented by the sandbox itself, or emulated as far as possible
// when the OS has no direct support for them.
//
// A flag the target OS does not support is silently ignored, so a caller
// should not assume a requested mitigation is actually in effect on an older
// OS. A flag applied at the wrong time (before vs. after process startup)
// makes the call fail with SBOX_ERROR_BAD_PARAMS.
//
// Every flag is a single bit, so flags are combined with bitwise OR.
typedef uint64 MitigationFlags;

// Permanently enables DEP for the target process.
// PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE.
const MitigationFlags MITIGATION_DEP                     = 1ULL << 0;

// Permanently disables ATL thunk emulation when DEP is enabled. Only valid
// together with MITIGATION_DEP. Corresponds to *not* passing
// PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE.
const MitigationFlags MITIGATION_DEP_NO_ATL_THUNK        = 1ULL << 1;

// Structured exception handling overwrite protection. Must be enabled before
// process start. PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE.
const MitigationFlags MITIGATION_SEHOP                   = 1ULL << 2;

// Forces ASLR on every image in the child process.
// PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON.
const MitigationFlags MITIGATION_RELOCATE_IMAGE          = 1ULL << 3;

// Refuses to load DLLs that cannot be relocated (no ASLR support).
// PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS.
const MitigationFlags MITIGATION_RELOCATE_IMAGE_REQUIRED = 1ULL << 4;

// Terminates the process on Windows heap corruption.
// PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON.
const MitigationFlags MITIGATION_HEAP_TERMINATE          = 1ULL << 5;

// Randomizes the lower bound of the user address space. Must be enabled before
// process start; on 32-bit processes the effect is emulated to a much smaller
// degree. PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON.
const MitigationFlags MITIGATION_BOTTOM_UP_ASLR          = 1ULL << 6;

// Widens the bottom-up ASLR randomization range to up to 1TB. Must be enabled
// before process start and together with MITIGATION_BOTTOM_UP_ASLR.
// PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON.
const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR       = 1ULL << 7;

// Raises an exception immediately on a bad handle reference. Must be enabled
// after startup. PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON.
const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS    = 1ULL << 8;

// Blocks Win32k system calls from the process. Must be enabled after startup.
// PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON.
const MitigationFlags MITIGATION_WIN32K_DISABLE          = 1ULL << 9;

// Disables common DLL injection vectors (e.g. window hooks and AppInit_DLLs).
// PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON.
const MitigationFlags MITIGATION_EXTENSION_DLL_DISABLE   = 1ULL << 10;

// Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS; additional
// directories can be added with the Windows AddDllDirectory() function
// (http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515).
// Must be enabled after startup.
const MitigationFlags MITIGATION_DLL_SEARCH_ORDER        = 1ULL << 32;
   201 }  // namespace sandbox
   203 #endif  // SANDBOX_SRC_SECURITY_LEVEL_H_
