michael@0: // Copyright (c) 2012 The Chromium Authors. All rights reserved. michael@0: // Use of this source code is governed by a BSD-style license that can be michael@0: // found in the LICENSE file. michael@0: michael@0: #ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_H_ michael@0: #define SANDBOX_WIN_SRC_SANDBOX_POLICY_H_ michael@0: michael@0: #include michael@0: michael@0: #include "base/basictypes.h" michael@0: #include "sandbox/win/src/sandbox_types.h" michael@0: #include "sandbox/win/src/security_level.h" michael@0: michael@0: namespace sandbox { michael@0: michael@0: class TargetPolicy { michael@0: public: michael@0: // Windows subsystems that can have specific rules. michael@0: // Note: The process subsystem(SUBSY_PROCESS) does not evaluate the request michael@0: // exactly like the CreateProcess API does. See the comment at the top of michael@0: // process_thread_dispatcher.cc for more details. michael@0: enum SubSystem { michael@0: SUBSYS_FILES, // Creation and opening of files and pipes. michael@0: SUBSYS_NAMED_PIPES, // Creation of named pipes. michael@0: SUBSYS_PROCESS, // Creation of child processes. michael@0: SUBSYS_REGISTRY, // Creation and opening of registry keys. michael@0: SUBSYS_SYNC, // Creation of named sync objects. michael@0: SUBSYS_HANDLES // Duplication of handles to other processes. michael@0: }; michael@0: michael@0: // Allowable semantics when a rule is matched. michael@0: enum Semantics { michael@0: FILES_ALLOW_ANY, // Allows open or create for any kind of access that michael@0: // the file system supports. michael@0: FILES_ALLOW_READONLY, // Allows open or create with read access only. michael@0: FILES_ALLOW_QUERY, // Allows access to query the attributes of a file. michael@0: FILES_ALLOW_DIR_ANY, // Allows open or create with directory semantics michael@0: // only. michael@0: HANDLES_DUP_ANY, // Allows duplicating handles opened with any michael@0: // access permissions. michael@0: HANDLES_DUP_BROKER, // Allows duplicating handles to the broker process. michael@0: NAMEDPIPES_ALLOW_ANY, // Allows creation of a named pipe. michael@0: PROCESS_MIN_EXEC, // Allows to create a process with minimal rights michael@0: // over the resulting process and thread handles. michael@0: // No other parameters besides the command line are michael@0: // passed to the child process. michael@0: PROCESS_ALL_EXEC, // Allows the creation of a process and return fill michael@0: // access on the returned handles. michael@0: // This flag can be used only when the main token of michael@0: // the sandboxed application is at least INTERACTIVE. michael@0: EVENTS_ALLOW_ANY, // Allows the creation of an event with full access. michael@0: EVENTS_ALLOW_READONLY, // Allows opening an even with synchronize access. michael@0: REG_ALLOW_READONLY, // Allows readonly access to a registry key. michael@0: REG_ALLOW_ANY // Allows read and write access to a registry key. michael@0: }; michael@0: michael@0: // Increments the reference count of this object. The reference count must michael@0: // be incremented if this interface is given to another component. michael@0: virtual void AddRef() = 0; michael@0: michael@0: // Decrements the reference count of this object. When the reference count michael@0: // is zero the object is automatically destroyed. michael@0: // Indicates that the caller is done with this interface. After calling michael@0: // release no other method should be called. michael@0: virtual void Release() = 0; michael@0: michael@0: // Sets the security level for the target process' two tokens. michael@0: // This setting is permanent and cannot be changed once the target process is michael@0: // spawned. michael@0: // initial: the security level for the initial token. This is the token that michael@0: // is used by the process from the creation of the process until the moment michael@0: // the process calls TargetServices::LowerToken() or the process calls michael@0: // win32's ReverToSelf(). Once this happens the initial token is no longer michael@0: // available and the lockdown token is in effect. Using an initial token is michael@0: // not compatible with AppContainer, see SetAppContainer. michael@0: // lockdown: the security level for the token that comes into force after the michael@0: // process calls TargetServices::LowerToken() or the process calls michael@0: // ReverToSelf(). See the explanation of each level in the TokenLevel michael@0: // definition. michael@0: // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise. michael@0: // Returns false if the lockdown value is more permissive than the initial michael@0: // value. michael@0: // michael@0: // Important: most of the sandbox-provided security relies on this single michael@0: // setting. The caller should strive to set the lockdown level as restricted michael@0: // as possible. michael@0: virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) = 0; michael@0: michael@0: // Sets the security level of the Job Object to which the target process will michael@0: // belong. This setting is permanent and cannot be changed once the target michael@0: // process is spawned. The job controls the global security settings which michael@0: // can not be specified in the token security profile. michael@0: // job_level: the security level for the job. See the explanation of each michael@0: // level in the JobLevel definition. michael@0: // ui_exceptions: specify what specific rights that are disabled in the michael@0: // chosen job_level that need to be granted. Use this parameter to avoid michael@0: // selecting the next permissive job level unless you need all the rights michael@0: // that are granted in such level. michael@0: // The exceptions can be specified as a combination of the following michael@0: // constants: michael@0: // JOB_OBJECT_UILIMIT_HANDLES : grant access to all user-mode handles. These michael@0: // include windows, icons, menus and various GDI objects. In addition the michael@0: // target process can set hooks, and broadcast messages to other processes michael@0: // that belong to the same desktop. michael@0: // JOB_OBJECT_UILIMIT_READCLIPBOARD : grant read-only access to the clipboard. michael@0: // JOB_OBJECT_UILIMIT_WRITECLIPBOARD : grant write access to the clipboard. michael@0: // JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS : allow changes to the system-wide michael@0: // parameters as defined by the Win32 call SystemParametersInfo(). michael@0: // JOB_OBJECT_UILIMIT_DISPLAYSETTINGS : allow programmatic changes to the michael@0: // display settings. michael@0: // JOB_OBJECT_UILIMIT_GLOBALATOMS : allow access to the global atoms table. michael@0: // JOB_OBJECT_UILIMIT_DESKTOP : allow the creation of new desktops. michael@0: // JOB_OBJECT_UILIMIT_EXITWINDOWS : allow the call to ExitWindows(). michael@0: // michael@0: // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise. michael@0: // michael@0: // Note: JOB_OBJECT_XXXX constants are defined in winnt.h and documented at michael@0: // length in: michael@0: // http://msdn2.microsoft.com/en-us/library/ms684152.aspx michael@0: // michael@0: // Note: the recommended level is JOB_RESTRICTED or JOB_LOCKDOWN. michael@0: virtual ResultCode SetJobLevel(JobLevel job_level, uint32 ui_exceptions) = 0; michael@0: michael@0: // Specifies the desktop on which the application is going to run. If the michael@0: // desktop does not exist, it will be created. If alternate_winstation is michael@0: // set to true, the desktop will be created on an alternate window station. michael@0: virtual ResultCode SetAlternateDesktop(bool alternate_winstation) = 0; michael@0: michael@0: // Returns the name of the alternate desktop used. If an alternate window michael@0: // station is specified, the name is prepended by the window station name, michael@0: // followed by a backslash. michael@0: virtual std::wstring GetAlternateDesktop() const = 0; michael@0: michael@0: // Precreates the desktop and window station, if any. michael@0: virtual ResultCode CreateAlternateDesktop(bool alternate_winstation) = 0; michael@0: michael@0: // Destroys the desktop and windows station. michael@0: virtual void DestroyAlternateDesktop() = 0; michael@0: michael@0: // Sets the integrity level of the process in the sandbox. Both the initial michael@0: // token and the main token will be affected by this. If the integrity level michael@0: // is set to a level higher than the current level, the sandbox will fail michael@0: // to start. michael@0: virtual ResultCode SetIntegrityLevel(IntegrityLevel level) = 0; michael@0: michael@0: // Sets the integrity level of the process in the sandbox. The integrity level michael@0: // will not take effect before you call LowerToken. User Interface Privilege michael@0: // Isolation is not affected by this setting and will remain off for the michael@0: // process in the sandbox. If the integrity level is set to a level higher michael@0: // than the current level, the sandbox will fail to start. michael@0: virtual ResultCode SetDelayedIntegrityLevel(IntegrityLevel level) = 0; michael@0: michael@0: // Sets the AppContainer to be used for the sandboxed process. Any capability michael@0: // to be enabled for the process should be added before this method is invoked michael@0: // (by calling SetCapability() as many times as needed). michael@0: // The desired AppContainer must be already installed on the system, otherwise michael@0: // launching the sandboxed process will fail. See BrokerServices for details michael@0: // about installing an AppContainer. michael@0: // Note that currently Windows restricts the use of impersonation within michael@0: // AppContainers, so this function is incompatible with the use of an initial michael@0: // token. michael@0: virtual ResultCode SetAppContainer(const wchar_t* sid) = 0; michael@0: michael@0: // Sets a capability to be enabled for the sandboxed process' AppContainer. michael@0: virtual ResultCode SetCapability(const wchar_t* sid) = 0; michael@0: michael@0: // Sets the mitigations enabled when the process is created. Most of these michael@0: // are implemented as attributes passed via STARTUPINFOEX. So they take michael@0: // effect before any thread in the target executes. The declaration of michael@0: // MitigationFlags is followed by a detailed description of each flag. michael@0: virtual ResultCode SetProcessMitigations(MitigationFlags flags) = 0; michael@0: michael@0: // Returns the currently set mitigation flags. michael@0: virtual MitigationFlags GetProcessMitigations() = 0; michael@0: michael@0: // Sets process mitigation flags that don't take effect before the call to michael@0: // LowerToken(). michael@0: virtual ResultCode SetDelayedProcessMitigations(MitigationFlags flags) = 0; michael@0: michael@0: // Returns the currently set delayed mitigation flags. michael@0: virtual MitigationFlags GetDelayedProcessMitigations() = 0; michael@0: michael@0: // Sets the interceptions to operate in strict mode. By default, interceptions michael@0: // are performed in "relaxed" mode, where if something inside NTDLL.DLL is michael@0: // already patched we attempt to intercept it anyway. Setting interceptions michael@0: // to strict mode means that when we detect that the function is patched we'll michael@0: // refuse to perform the interception. michael@0: virtual void SetStrictInterceptions() = 0; michael@0: michael@0: // Set the handles the target process should inherit for stdout and michael@0: // stderr. The handles the caller passes must remain valid for the michael@0: // lifetime of the policy object. This only has an effect on michael@0: // Windows Vista and later versions. These methods accept pipe and michael@0: // file handles, but not console handles. michael@0: virtual ResultCode SetStdoutHandle(HANDLE handle) = 0; michael@0: virtual ResultCode SetStderrHandle(HANDLE handle) = 0; michael@0: michael@0: // Adds a policy rule effective for processes spawned using this policy. michael@0: // subsystem: One of the above enumerated windows subsystems. michael@0: // semantics: One of the above enumerated FileSemantics. michael@0: // pattern: A specific full path or a full path with wildcard patterns. michael@0: // The valid wildcards are: michael@0: // '*' : Matches zero or more character. Only one in series allowed. michael@0: // '?' : Matches a single character. One or more in series are allowed. michael@0: // Examples: michael@0: // "c:\\documents and settings\\vince\\*.dmp" michael@0: // "c:\\documents and settings\\*\\crashdumps\\*.dmp" michael@0: // "c:\\temp\\app_log_?????_chrome.txt" michael@0: virtual ResultCode AddRule(SubSystem subsystem, Semantics semantics, michael@0: const wchar_t* pattern) = 0; michael@0: michael@0: // Adds a dll that will be unloaded in the target process before it gets michael@0: // a chance to initialize itself. Typically, dlls that cause the target michael@0: // to crash go here. michael@0: virtual ResultCode AddDllToUnload(const wchar_t* dll_name) = 0; michael@0: michael@0: // Adds a handle that will be closed in the target process after lockdown. michael@0: // A NULL value for handle_name indicates all handles of the specified type. michael@0: // An empty string for handle_name indicates the handle is unnamed. michael@0: virtual ResultCode AddKernelObjectToClose(const wchar_t* handle_type, michael@0: const wchar_t* handle_name) = 0; michael@0: }; michael@0: michael@0: } // namespace sandbox michael@0: michael@0: michael@0: #endif // SANDBOX_WIN_SRC_SANDBOX_POLICY_H_