michael@0: // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. michael@0: // Use of this source code is governed by a BSD-style license that can be michael@0: // found in the LICENSE file. michael@0: michael@0: #ifndef SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__ michael@0: #define SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__ michael@0: michael@0: #include michael@0: #include michael@0: michael@0: #include "sandbox/win/src/restricted_token.h" michael@0: #include "sandbox/win/src/security_level.h" michael@0: michael@0: // Contains the utility functions to be able to create restricted tokens based michael@0: // on a security profiles. michael@0: michael@0: namespace sandbox { michael@0: michael@0: // The type of the token returned by the CreateNakedToken. michael@0: enum TokenType { michael@0: IMPERSONATION = 0, michael@0: PRIMARY michael@0: }; michael@0: michael@0: // Creates a restricted token based on the effective token of the current michael@0: // process. The parameter security_level determines how much the token is michael@0: // restricted. The token_type determines if the token will be used as a primary michael@0: // token or impersonation token. The integrity level of the token is set to michael@0: // |integrity level| on Vista only. michael@0: // token_handle is the output value containing the handle of the michael@0: // newly created restricted token. michael@0: // If the function succeeds, the return value is ERROR_SUCCESS. If the michael@0: // function fails, the return value is the win32 error code corresponding to michael@0: // the error. michael@0: DWORD CreateRestrictedToken(HANDLE *token_handle, michael@0: TokenLevel security_level, michael@0: IntegrityLevel integrity_level, michael@0: TokenType token_type); michael@0: michael@0: // Starts the process described by the input parameter command_line in a job michael@0: // with a restricted token. Also set the main thread of this newly created michael@0: // process to impersonate a user with more rights so it can initialize michael@0: // correctly. michael@0: // michael@0: // Parameters: primary_level is the security level of the primary token. michael@0: // impersonation_level is the security level of the impersonation token used michael@0: // to initialize the process. job_level is the security level of the job michael@0: // object used to encapsulate the process. michael@0: // michael@0: // The output parameter job_handle is the handle to the job object. It has michael@0: // to be closed with CloseHandle() when not needed. Closing this handle will michael@0: // kill the process started. michael@0: // michael@0: // Note: The process started with this function has to call RevertToSelf() as michael@0: // soon as possible to stop using the impersonation token and start being michael@0: // secure. michael@0: // michael@0: // Note: The Unicode version of this function will fail if the command_line michael@0: // parameter is a const string. michael@0: DWORD StartRestrictedProcessInJob(wchar_t *command_line, michael@0: TokenLevel primary_level, michael@0: TokenLevel impersonation_level, michael@0: JobLevel job_level, michael@0: HANDLE *job_handle); michael@0: michael@0: // Sets the integrity label on a object handle. michael@0: DWORD SetObjectIntegrityLabel(HANDLE handle, SE_OBJECT_TYPE type, michael@0: const wchar_t* ace_access, michael@0: const wchar_t* integrity_level_sid); michael@0: michael@0: // Sets the integrity level on a token. This is only valid on Vista. It returns michael@0: // without failing on XP. If the integrity level that you specify is greater michael@0: // than the current integrity level, the function will fail. michael@0: DWORD SetTokenIntegrityLevel(HANDLE token, IntegrityLevel integrity_level); michael@0: michael@0: // Sets the integrity level on the current process on Vista. It returns without michael@0: // failing on XP. If the integrity level that you specify is greater than the michael@0: // current integrity level, the function will fail. michael@0: DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level); michael@0: michael@0: } // namespace sandbox michael@0: michael@0: #endif // SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__