// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_SRC_SECURITY_LEVEL_H_
#define SANDBOX_SRC_SECURITY_LEVEL_H_

#include "base/basictypes.h"

namespace sandbox {

// List of all the integrity levels supported in the sandbox. This is used
// only on Windows Vista. You can't set the integrity level of the process
// in the sandbox to a level higher than yours.
//
// Enumerators are listed from most privileged (SYSTEM) to least privileged
// (UNTRUSTED). INTEGRITY_LEVEL_LAST appears to be an end-of-range marker
// rather than a level that can be applied; callers should not pass it.
enum IntegrityLevel {
  INTEGRITY_LEVEL_SYSTEM,
  INTEGRITY_LEVEL_HIGH,
  INTEGRITY_LEVEL_MEDIUM,
  INTEGRITY_LEVEL_MEDIUM_LOW,
  INTEGRITY_LEVEL_LOW,
  INTEGRITY_LEVEL_BELOW_LOW,
  INTEGRITY_LEVEL_UNTRUSTED,
  INTEGRITY_LEVEL_LAST
};

// The Token level specifies a set of security profiles designed to
// provide the bulk of the security of the sandbox.
//
//  TokenLevel                 |Restricting   |Deny Only       |Privileges|
//                             |Sids          |Sids            |          |
// ----------------------------|--------------|----------------|----------|
// USER_LOCKDOWN               | Null Sid     | All            | None     |
// ----------------------------|--------------|----------------|----------|
// USER_RESTRICTED             | RESTRICTED   | All            | Traverse |
// ----------------------------|--------------|----------------|----------|
// USER_LIMITED                | Users        | All except:    | Traverse |
//                             | Everyone     |   Users        |          |
//                             | RESTRICTED   |   Everyone     |          |
//                             |              |   Interactive  |          |
// ----------------------------|--------------|----------------|----------|
// USER_INTERACTIVE            | Users        | All except:    | Traverse |
//                             | Everyone     |   Users        |          |
//                             | RESTRICTED   |   Everyone     |          |
//                             | Owner        |   Interactive  |          |
//                             |              |   Local        |          |
//                             |              |   Authent-users|          |
//                             |              |   User         |          |
// ----------------------------|--------------|----------------|----------|
// USER_NON_ADMIN              | None         | All except:    | Traverse |
//                             |              |   Users        |          |
//                             |              |   Everyone     |          |
//                             |              |   Interactive  |          |
//                             |              |   Local        |          |
//                             |              |   Authent-users|          |
//                             |              |   User         |          |
// ----------------------------|--------------|----------------|----------|
// USER_RESTRICTED_SAME_ACCESS | All          | None           | All      |
// ----------------------------|--------------|----------------|----------|
// USER_UNPROTECTED            | None         | None           | All      |
// ----------------------------|--------------|----------------|----------|
//
// The above restrictions are actually a transformation that is applied to
// the existing broker process token. The resulting token that will be
// applied to the target process depends both on the token level selected
// and on the broker token itself.
//
// LOCKDOWN and RESTRICTED are designed to allow access to almost nothing
// that has security associated with it, and they are the recommended
// levels to run sandboxed code, especially if there is a chance that the
// broker process might be started by a user that belongs to the Admins
// or Power Users groups.
//
// Enumerators are numbered from most restrictive (USER_LOCKDOWN = 0) to
// least restrictive (USER_UNPROTECTED), in the same order as the table.
// USER_LAST appears to be an end-of-range marker rather than a usable level.
enum TokenLevel {
  USER_LOCKDOWN = 0,
  USER_RESTRICTED,
  USER_LIMITED,
  USER_INTERACTIVE,
  USER_NON_ADMIN,
  USER_RESTRICTED_SAME_ACCESS,
  USER_UNPROTECTED,
  USER_LAST
};

// The Job level specifies a set of decreasing security profiles for the
// Job object that the target process will be placed into.
// This table summarizes the security associated with each level:
//
//  JobLevel         |General                            |Quota               |
//                   |restrictions                       |restrictions        |
// ------------------|-----------------------------------|--------------------|
// JOB_NONE          | No job is assigned to the         | None               |
//                   | sandboxed process.                |                    |
// ------------------|-----------------------------------|--------------------|
// JOB_UNPROTECTED   | None                              | *Kill on Job close.|
// ------------------|-----------------------------------|--------------------|
// JOB_INTERACTIVE   | *Forbid system-wide changes using |                    |
//                   |  SystemParametersInfo().          | *Kill on Job close.|
//                   | *Forbid the creation/switch of    |                    |
//                   |  Desktops.                        |                    |
//                   | *Forbids calls to ExitWindows().  |                    |
// ------------------|-----------------------------------|--------------------|
// JOB_LIMITED_USER  | Same as JOB_INTERACTIVE plus:     | *One active process|
//                   | *Forbid changes to the display    |  limit.            |
//                   |  settings.                        | *Kill on Job close.|
// ------------------|-----------------------------------|--------------------|
// JOB_RESTRICTED    | Same as JOB_LIMITED_USER plus:    | *One active process|
//                   | * No read/write to the clipboard. |  limit.            |
//                   | * No access to User Handles that  | *Kill on Job close.|
//                   |   belong to other processes.      |                    |
//                   | * Forbid message broadcasts.      |                    |
//                   | * Forbid setting global hooks.    |                    |
//                   | * No access to the global atoms   |                    |
//                   |   table.                          |                    |
// ------------------|-----------------------------------|--------------------|
// JOB_LOCKDOWN      | Same as JOB_RESTRICTED            | *One active process|
//                   |                                   |  limit.            |
//                   |                                   | *Kill on Job close.|
//                   |                                   | *Kill on unhandled |
//                   |                                   |  exception.        |
//                   |                                   |                    |
// In the context of the above table, 'user handles' refers to the handles of
// windows, bitmaps, menus, etc. Files, threads and registry handles are kernel
// handles and are not affected by the job level settings.
//
// Note that the enumerators below are numbered in the opposite order from
// the table: JOB_LOCKDOWN = 0 is the most restrictive level and JOB_NONE,
// the largest value, means no job object is applied at all.
enum JobLevel {
  JOB_LOCKDOWN = 0,
  JOB_RESTRICTED,
  JOB_LIMITED_USER,
  JOB_INTERACTIVE,
  JOB_UNPROTECTED,
  JOB_NONE
};

// These flags correspond to various process-level mitigations (eg. ASLR and
// DEP). Most are implemented via UpdateProcThreadAttribute() plus flags for
// the PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY attribute argument; documented
// here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686880
// Some mitigations are implemented directly by the sandbox or emulated to
// the greatest extent possible when not directly supported by the OS.
// Flags that are unsupported for the target OS will be silently ignored, so
// a requested mitigation is not guaranteed to be in effect on every OS
// version. Flags that are invalid for their application (pre or post
// startup) will return SBOX_ERROR_BAD_PARAMS.
//
// Each MITIGATION_* constant below occupies a distinct bit of this 64-bit
// value, so several mitigations can be combined in one MitigationFlags.
typedef uint64 MitigationFlags;

// Permanently enables DEP for the target process. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE.
const MitigationFlags MITIGATION_DEP = 0x00000001;

// Permanently disables ATL thunk emulation when DEP is enabled. Valid
// only when MITIGATION_DEP is passed. Corresponds to not passing
// PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE.
const MitigationFlags MITIGATION_DEP_NO_ATL_THUNK = 0x00000002;

// Enables Structured Exception Handler Overwrite Protection (SEHOP). Must be
// enabled prior to process start. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE.
const MitigationFlags MITIGATION_SEHOP = 0x00000004;

// Forces ASLR on all images in the child process. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON.
const MitigationFlags MITIGATION_RELOCATE_IMAGE = 0x00000008;

// Refuses to load DLLs that cannot support ASLR. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS.
const MitigationFlags MITIGATION_RELOCATE_IMAGE_REQUIRED = 0x00000010;

// Terminates the process on Windows heap corruption. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON.
const MitigationFlags MITIGATION_HEAP_TERMINATE = 0x00000020;

// Sets a random lower bound as the minimum user address. Must be
// enabled prior to process start. On 32-bit processes this is
// emulated to a much smaller degree. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON.
const MitigationFlags MITIGATION_BOTTOM_UP_ASLR = 0x00000040;

// Increases the randomness range of bottom-up ASLR to up to 1TB. Must be
// enabled prior to process start and together with MITIGATION_BOTTOM_UP_ASLR.
// Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON.
const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR = 0x00000080;

// Immediately raises an exception on a bad handle reference. Must be
// enabled after startup. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON.
const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100;

// Prevents the process from making Win32k calls. Must be enabled after
// startup. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON.
const MitigationFlags MITIGATION_WIN32K_DISABLE = 0x00000200;

// Disables common DLL injection methods (e.g. window hooks and
// AppInit_DLLs). Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON.
const MitigationFlags MITIGATION_EXTENSION_DLL_DISABLE = 0x00000400;

// Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional
// directories can be added via the Windows AddDllDirectory() function.
// http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515
// Must be enabled after startup.
//
// This flag deliberately uses bit 32 rather than the next free low bit, so it
// relies on MitigationFlags being 64 bits wide (hence the ULL suffix).
const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000001ULL << 32;

}  // namespace sandbox

#endif  // SANDBOX_SRC_SECURITY_LEVEL_H_