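// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__
#define SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__

#include <accctrl.h>
#include <windows.h>

#include "sandbox/win/src/restricted_token.h"
#include "sandbox/win/src/security_level.h"

// Utility functions for creating restricted tokens from a security profile
// and for applying integrity levels to tokens, processes and objects.
//
// All functions that return a DWORD follow the win32 convention: ERROR_SUCCESS
// on success, otherwise the win32 error code describing the failure.

namespace sandbox {

// The kind of token produced by CreateRestrictedToken().
enum TokenType {
  IMPERSONATION = 0,
  PRIMARY
};

// Creates a restricted token derived from the effective token of the current
// process.
//
// Parameters:
//   token_handle: output; receives the handle of the newly created restricted
//     token. The caller owns this handle and is expected to release it with
//     CloseHandle() when it is no longer needed.
//   security_level: how much the new token is restricted relative to the
//     source token.
//   integrity_level: the integrity level assigned to the new token. This only
//     takes effect on Windows Vista and later; earlier versions have no
//     integrity levels.
//   token_type: whether the token is created as a primary token (usable to
//     start a process) or an impersonation token (usable on a thread).
//
// Returns ERROR_SUCCESS on success, otherwise a win32 error code.
DWORD CreateRestrictedToken(HANDLE *token_handle,
                            TokenLevel security_level,
                            IntegrityLevel integrity_level,
                            TokenType token_type);

// Starts the process described by command_line inside a job object, running
// under a restricted primary token. The main thread of the new process is
// additionally set to impersonate a token with more rights so that the process
// can initialize correctly.
//
// Parameters:
//   command_line: the command line to launch. It must point to a writable
//     buffer: the Unicode version of this function fails if command_line is a
//     const string (presumably because the underlying CreateProcessW API may
//     modify the buffer in place).
//   primary_level: the security level of the primary token of the new process.
//   impersonation_level: the security level of the impersonation token used
//     to initialize the process. Choose the least privileged level that still
//     allows initialization; this token is what the process runs with until it
//     reverts.
//   job_level: the security level of the job object the process is placed in.
//   job_handle: output; the handle to the job object. It has to be closed with
//     CloseHandle() when no longer needed. Closing this handle kills the
//     process that was started.
//
// Security note: until the new process calls RevertToSelf(), its main thread
// executes with the more privileged impersonation token rather than the
// restricted primary token. The process must therefore call RevertToSelf() as
// early as possible, before touching any untrusted input, to actually become
// sandboxed.
//
// Returns ERROR_SUCCESS on success, otherwise a win32 error code.
DWORD StartRestrictedProcessInJob(wchar_t *command_line,
                                  TokenLevel primary_level,
                                  TokenLevel impersonation_level,
                                  JobLevel job_level,
                                  HANDLE *job_handle);

// Sets the integrity label on an object handle.
//
// Parameters:
//   handle: handle to the object to label.
//   type: the kind of object |handle| refers to (SE_OBJECT_TYPE from accctrl.h).
//   ace_access: the access mask of the mandatory label ACE, as a string.
//   integrity_level_sid: the integrity level SID, as a string. NOTE(review):
//     this presumably expects the SDDL form such as the one returned by
//     GetIntegrityLevelString(); confirm against the implementation.
//
// Returns ERROR_SUCCESS on success, otherwise a win32 error code.
DWORD SetObjectIntegrityLabel(HANDLE handle, SE_OBJECT_TYPE type,
                              const wchar_t* ace_access,
                              const wchar_t* integrity_level_sid);

// Sets the integrity level on a token. Integrity levels exist only on Windows
// Vista and later; on XP the function returns without failing.
//
// An integrity level can only be lowered: if the requested level is greater
// than the token's current integrity level, the function fails. This is what
// prevents a sandboxed process from using this helper to escalate.
//
// Returns ERROR_SUCCESS on success, otherwise a win32 error code.
DWORD SetTokenIntegrityLevel(HANDLE token, IntegrityLevel integrity_level);

// Returns the integrity level SDDL string associated with a given
// IntegrityLevel value.
const wchar_t* GetIntegrityLevelString(IntegrityLevel integrity_level);

// Sets the integrity level of the current process. Integrity levels exist only
// on Windows Vista and later; on XP the function returns without failing.
//
// As with SetTokenIntegrityLevel(), the level can only be lowered: if the
// requested level is greater than the current integrity level, the function
// fails.
//
// Returns ERROR_SUCCESS on success, otherwise a win32 error code.
DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level);

}  // namespace sandbox

#endif  // SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__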