// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__
#define SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__

#include <accctrl.h>
#include <windows.h>

#include "sandbox/win/src/restricted_token.h"
#include "sandbox/win/src/security_level.h"

// Contains the utility functions to be able to create restricted tokens based
// on security profiles (the TokenLevel / IntegrityLevel / JobLevel values
// brought in by the includes above) and to apply integrity levels to tokens,
// processes and object handles.
//
// NOTE(review): only CreateRestrictedToken documents its return contract
// below (ERROR_SUCCESS on success, otherwise a win32 error code). The other
// DWORD-returning functions presumably follow the same convention -- confirm
// against the implementation before relying on it.

namespace sandbox {

// The type of the token returned by CreateRestrictedToken(). A primary token
// is the one a process runs under; an impersonation token is assigned to a
// single thread (see the token_type parameter below).
// NOTE(review): the previous comment named CreateNakedToken, which is not
// declared in this header -- presumably a stale name for CreateRestrictedToken.
enum TokenType {
  IMPERSONATION = 0,  // Token meant to be impersonated by a thread.
  PRIMARY             // Token meant to be assigned to a process.
};

// Creates a restricted token based on the effective token of the current
// process. The parameter security_level determines how much the token is
// restricted. The token_type determines if the token will be used as a primary
// token or impersonation token. The integrity level of the token is set to
// |integrity_level| on Vista only.
// token_handle is the output value containing the handle of the
// newly created restricted token. The caller receives the handle and
// presumably must release it with CloseHandle() when no longer needed; this
// header does not say so explicitly -- confirm against the implementation.
// If the function succeeds, the return value is ERROR_SUCCESS. If the
// function fails, the return value is the win32 error code corresponding to
// the error.
DWORD CreateRestrictedToken(HANDLE *token_handle,
                            TokenLevel security_level,
                            IntegrityLevel integrity_level,
                            TokenType token_type);

// Starts the process described by the input parameter command_line in a job
// with a restricted token. Also set the main thread of this newly created
// process to impersonate a user with more rights so it can initialize
// correctly.
//
// Parameters: primary_level is the security level of the primary token.
// impersonation_level is the security level of the impersonation token used
// to initialize the process. job_level is the security level of the job
// object used to encapsulate the process.
//
// The output parameter job_handle is the handle to the job object. It has
// to be closed with CloseHandle() when not needed. Closing this handle will
// kill the process started.
//
// Note: The process started with this function has to call RevertToSelf() as
// soon as possible to stop using the impersonation token and start being
// secure. Until it does, its main thread runs with the rights of the
// impersonation token rather than the restricted primary token, so that
// start-up window relies on the child's own cooperation rather than on the
// sandbox.
//
// Note: The Unicode version of this function will fail if the command_line
// parameter is a const string. command_line is therefore taken as a writable
// buffer, presumably because CreateProcessW may modify the command-line
// string it is given.
DWORD StartRestrictedProcessInJob(wchar_t *command_line,
                                  TokenLevel primary_level,
                                  TokenLevel impersonation_level,
                                  JobLevel job_level,
                                  HANDLE *job_handle);

// Sets the integrity label on an object handle.
// |type| is the SE_OBJECT_TYPE describing what |handle| refers to.
// |ace_access| and |integrity_level_sid| are wide strings; judging by
// GetIntegrityLevelString() below, |integrity_level_sid| is presumably the
// SDDL form of the target integrity level SID -- confirm the expected format
// of both parameters against the implementation.
DWORD SetObjectIntegrityLabel(HANDLE handle, SE_OBJECT_TYPE type,
                              const wchar_t* ace_access,
                              const wchar_t* integrity_level_sid);

// Sets the integrity level on a token. This is only valid on Vista. It returns
// without failing on XP. If the integrity level that you specify is greater
// than the current integrity level, the function will fail, i.e. the level can
// be lowered or kept but never raised through this call.
DWORD SetTokenIntegrityLevel(HANDLE token, IntegrityLevel integrity_level);

// Returns the integrity level SDDL string associated with a given
// IntegrityLevel value. The returned pointer presumably refers to static
// storage that the caller must not free -- confirm against the implementation.
const wchar_t* GetIntegrityLevelString(IntegrityLevel integrity_level);

// Sets the integrity level on the current process on Vista. It returns without
// failing on XP. If the integrity level that you specify is greater than the
// current integrity level, the function will fail, i.e. the level can be
// lowered or kept but never raised through this call.
DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level);

}  // namespace sandbox

#endif  // SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__