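// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_SRC_SECURITY_LEVEL_H_
#define SANDBOX_SRC_SECURITY_LEVEL_H_

#include "base/basictypes.h"

namespace sandbox {

// List of all the integrity levels supported in the sandbox. This is used
// only on Windows Vista. The enumerators are ordered from the most privileged
// (SYSTEM) to the least privileged (UNTRUSTED). You can't set the integrity
// level of the process in the sandbox to a level higher than that of the
// calling (broker) process.
enum IntegrityLevel {
  INTEGRITY_LEVEL_SYSTEM,
  INTEGRITY_LEVEL_HIGH,
  INTEGRITY_LEVEL_MEDIUM,
  INTEGRITY_LEVEL_MEDIUM_LOW,
  INTEGRITY_LEVEL_LOW,
  INTEGRITY_LEVEL_BELOW_LOW,
  INTEGRITY_LEVEL_UNTRUSTED,
  INTEGRITY_LEVEL_LAST  // Sentinel; not a valid level to request.
};

// The Token level specifies a set of security profiles designed to
// provide the bulk of the security of the sandbox. The enumerators below are
// ordered from the most restrictive (USER_LOCKDOWN) to the least restrictive
// (USER_UNPROTECTED), matching the rows of this table:
//
// TokenLevel                  |Restricting   |Deny Only       |Privileges|
//                             |Sids          |Sids            |          |
// ----------------------------|--------------|----------------|----------|
// USER_LOCKDOWN               | Null Sid     | All            | None     |
// ----------------------------|--------------|----------------|----------|
// USER_RESTRICTED             | RESTRICTED   | All            | Traverse |
// ----------------------------|--------------|----------------|----------|
// USER_LIMITED                | Users        | All except:    | Traverse |
//                             | Everyone     | Users          |          |
//                             | RESTRICTED   | Everyone       |          |
//                             |              | Interactive    |          |
// ----------------------------|--------------|----------------|----------|
// USER_INTERACTIVE            | Users        | All except:    | Traverse |
//                             | Everyone     | Users          |          |
//                             | RESTRICTED   | Everyone       |          |
//                             | Owner        | Interactive    |          |
//                             |              | Local          |          |
//                             |              | Authent-users  |          |
//                             |              | User           |          |
// ----------------------------|--------------|----------------|----------|
// USER_NON_ADMIN              | None         | All except:    | Traverse |
//                             |              | Users          |          |
//                             |              | Everyone       |          |
//                             |              | Interactive    |          |
//                             |              | Local          |          |
//                             |              | Authent-users  |          |
//                             |              | User           |          |
// ----------------------------|--------------|----------------|----------|
// USER_RESTRICTED_SAME_ACCESS | All          | None           | All      |
// ----------------------------|--------------|----------------|----------|
// USER_UNPROTECTED            | None         | None           | All      |
// ----------------------------|--------------|----------------|----------|
//
// The above restrictions are actually a transformation that is applied to
// the existing broker process token. The resulting token that will be
// applied to the target process depends both on the token level selected
// and on the broker token itself. Note in particular that
// USER_RESTRICTED_SAME_ACCESS and USER_UNPROTECTED add no deny-only SIDs and
// remove no privileges, so with those levels the target keeps whatever
// privileges the broker token had.
//
// USER_LOCKDOWN and USER_RESTRICTED are designed to allow access to almost
// nothing that has security associated with it, and they are the recommended
// levels to run sandboxed code, especially if there is a chance that the
// broker process might be started by a user that belongs to the Administrators
// or Power Users groups.
enum TokenLevel {
  USER_LOCKDOWN = 0,
  USER_RESTRICTED,
  USER_LIMITED,
  USER_INTERACTIVE,
  USER_NON_ADMIN,
  USER_RESTRICTED_SAME_ACCESS,
  USER_UNPROTECTED
};

// The Job level specifies a set of decreasing security profiles for the
// Job object that the target process will be placed into. The enumerators
// below are ordered from the most restrictive (JOB_LOCKDOWN) to the least
// restrictive (JOB_NONE, no job at all).
// This table summarizes the security associated with each level:
//
// JobLevel         |General                            |Quota               |
//                  |restrictions                       |restrictions        |
// -----------------|---------------------------------- |--------------------|
// JOB_NONE         | No job is assigned to the         | None               |
//                  | sandboxed process.                |                    |
// -----------------|---------------------------------- |--------------------|
// JOB_UNPROTECTED  | None                              | *Kill on Job close.|
// -----------------|---------------------------------- |--------------------|
// JOB_INTERACTIVE  | *Forbid system-wide changes using |                    |
//                  |  SystemParametersInfo().          | *Kill on Job close.|
//                  | *Forbid the creation/switch of    |                    |
//                  |  Desktops.                        |                    |
//                  | *Forbids calls to ExitWindows().  |                    |
// -----------------|---------------------------------- |--------------------|
// JOB_LIMITED_USER | Same as JOB_INTERACTIVE plus:     | *One active process|
//                  | *Forbid changes to the display    |  limit.            |
//                  |  settings.                        | *Kill on Job close.|
// -----------------|---------------------------------- |--------------------|
// JOB_RESTRICTED   | Same as JOB_LIMITED_USER plus:    | *One active process|
//                  | * No read/write to the clipboard. |  limit.            |
//                  | * No access to User Handles that  | *Kill on Job close.|
//                  |   belong to other processes.      |                    |
//                  | * Forbid message broadcasts.      |                    |
//                  | * Forbid setting global hooks.    |                    |
//                  | * No access to the global atoms   |                    |
//                  |   table.                          |                    |
// -----------------|-----------------------------------|--------------------|
// JOB_LOCKDOWN     | Same as JOB_RESTRICTED            | *One active process|
//                  |                                   |  limit.            |
//                  |                                   | *Kill on Job close.|
//                  |                                   | *Kill on unhandled |
//                  |                                   |  exception.        |
//                  |                                   |                    |
// In the context of the above table, 'user handles' refers to the handles of
// windows, bitmaps, menus, etc. Files, threads and registry handles are kernel
// handles and are not affected by the job level settings.
enum JobLevel {
  JOB_LOCKDOWN = 0,
  JOB_RESTRICTED,
  JOB_LIMITED_USER,
  JOB_INTERACTIVE,
  JOB_UNPROTECTED,
  JOB_NONE
};

// These flags correspond to various process-level mitigations (e.g. ASLR and
// DEP). Most are implemented via UpdateProcThreadAttribute() plus flags for
// the PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY attribute argument; documented
// here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686880
// Some mitigations are implemented directly by the sandbox or emulated to
// the greatest extent possible when not directly supported by the OS.
//
// Each MITIGATION_* constant below is a single distinct bit, so flags are
// combined with bitwise OR.
//
// Flags that are unsupported for the target OS will be silently ignored.
// Because of that, a successful return does NOT confirm that every requested
// mitigation is in effect; code whose security model depends on a specific
// mitigation must not infer its presence from the absence of an error.
// Flags that are invalid for their application (pre or post startup) will
// return SBOX_ERROR_BAD_PARAMS.
typedef uint64 MitigationFlags;

// Permanently enables DEP for the target process. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE.
const MitigationFlags MITIGATION_DEP = 0x00000001;

// Permanently disables ATL thunk emulation when DEP is enabled. Valid
// only when MITIGATION_DEP is passed as well. Corresponds to not passing
// PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE.
const MitigationFlags MITIGATION_DEP_NO_ATL_THUNK = 0x00000002;

// Enables Structured Exception Handling Overwrite Protection. Must be
// enabled prior to process start. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE.
const MitigationFlags MITIGATION_SEHOP = 0x00000004;

// Forces ASLR on all images in the child process. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON.
const MitigationFlags MITIGATION_RELOCATE_IMAGE = 0x00000008;

// Refuses to load DLLs that cannot support ASLR. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS.
const MitigationFlags MITIGATION_RELOCATE_IMAGE_REQUIRED = 0x00000010;

// Terminates the process on Windows heap corruption. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON.
const MitigationFlags MITIGATION_HEAP_TERMINATE = 0x00000020;

// Sets a random lower bound as the minimum user address. Must be
// enabled prior to process start. On 32-bit processes this is
// emulated to a much smaller degree. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON.
const MitigationFlags MITIGATION_BOTTOM_UP_ASLR = 0x00000040;

// Increases the randomness range of bottom-up ASLR to up to 1TB. Must be
// enabled prior to process start and together with MITIGATION_BOTTOM_UP_ASLR.
// Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON.
const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR = 0x00000080;

// Immediately raises an exception on a bad handle reference. Must be
// enabled after startup. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON.
const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100;

// Prevents the process from making Win32k calls. Must be enabled after
// startup. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON.
const MitigationFlags MITIGATION_WIN32K_DISABLE = 0x00000200;

// Disables common DLL injection methods (e.g. window hooks and
// AppInit_DLLs). Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON.
const MitigationFlags MITIGATION_EXTENSION_DLL_DISABLE = 0x00000400;

// Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional
// directories can be added via the Windows AddDllDirectory() function.
// http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515
// Must be enabled after startup. This flag deliberately lives in the upper
// 32 bits of MitigationFlags so it cannot collide with the
// PROCESS_CREATION_MITIGATION_POLICY_* bits above.
const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000001ULL << 32;

}  // namespace sandbox

#endif  // SANDBOX_SRC_SECURITY_LEVEL_H_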