OLD | NEW |
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/src/restricted_token.h" | 5 #include "sandbox/src/restricted_token.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/logging.h" | 9 #include "base/logging.h" |
10 #include "sandbox/src/acl.h" | 10 #include "sandbox/src/acl.h" |
(...skipping 69 matching lines...)
80 privileges_to_disable_array = new LUID_AND_ATTRIBUTES[privileges_size]; | 80 privileges_to_disable_array = new LUID_AND_ATTRIBUTES[privileges_size]; |
81 | 81 |
82 for (unsigned int i = 0; i < privileges_size; ++i) { | 82 for (unsigned int i = 0; i < privileges_size; ++i) { |
83 privileges_to_disable_array[i].Attributes = 0; | 83 privileges_to_disable_array[i].Attributes = 0; |
84 privileges_to_disable_array[i].Luid = privileges_to_disable_[i]; | 84 privileges_to_disable_array[i].Luid = privileges_to_disable_[i]; |
85 } | 85 } |
86 } | 86 } |
87 | 87 |
88 BOOL result = TRUE; | 88 BOOL result = TRUE; |
89 HANDLE new_token = NULL; | 89 HANDLE new_token = NULL; |
| 90 // The SANDBOX_INERT flag did nothing in XP and it was just a way to tell |
| 91 // if a token has ben restricted given the limiations of IsTokenRestricted() |
| 92 // but it appears that in Windows 7 it hints the AppLocker subsystem to |
| 93 // leave us alone. |
90 if (deny_size || restrict_size || privileges_size) { | 94 if (deny_size || restrict_size || privileges_size) { |
91 result = ::CreateRestrictedToken(effective_token_, | 95 result = ::CreateRestrictedToken(effective_token_, |
92 0, // No flags. | 96 SANDBOX_INERT, |
93 static_cast<DWORD>(deny_size), | 97 static_cast<DWORD>(deny_size), |
94 deny_only_array, | 98 deny_only_array, |
95 static_cast<DWORD>(privileges_size), | 99 static_cast<DWORD>(privileges_size), |
96 privileges_to_disable_array, | 100 privileges_to_disable_array, |
97 static_cast<DWORD>(restrict_size), | 101 static_cast<DWORD>(restrict_size), |
98 sids_to_restrict_array, | 102 sids_to_restrict_array, |
99 &new_token); | 103 &new_token); |
100 } else { | 104 } else { |
101 // Duplicate the token even if it's not modified at this point | 105 // Duplicate the token even if it's not modified at this point |
102 // because any subsequent changes to this token would also affect the | 106 // because any subsequent changes to this token would also affect the |
(...skipping 350 matching lines...)
453 | 457 |
454 return ERROR_SUCCESS; | 458 return ERROR_SUCCESS; |
455 } | 459 } |
456 | 460 |
457 unsigned RestrictedToken::SetIntegrityLevel(IntegrityLevel integrity_level) { | 461 unsigned RestrictedToken::SetIntegrityLevel(IntegrityLevel integrity_level) { |
458 integrity_level_ = integrity_level; | 462 integrity_level_ = integrity_level; |
459 return ERROR_SUCCESS; | 463 return ERROR_SUCCESS; |
460 } | 464 } |
461 | 465 |
462 } // namespace sandbox | 466 } // namespace sandbox |
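Review bot: The comment added above the `::CreateRestrictedToken` call (new lines 90-93) describes `SANDBOX_INERT` as something that "appears" to hint AppLocker, which understates a security-relevant change. Microsoft's documentation for the flag says the system does not check AppLocker rules or apply Software Restriction Policies for such a token, so this is a policy exemption for every process started with it and should be recorded as a deliberate decision. The comment also has two typos (`ben`, `limiations`). Suggested wording: `// SANDBOX_INERT: the system skips AppLocker/SRP checks for this token. On XP it had no effect and only marked the token as restricted.` Only the restricted branch passes the flag. The `else` branch that duplicates the token and the rest of the enclosing function lie in the skipped regions, so whether unrestricted tokens are meant to stay subject to those policies cannot be judged from the visible lines.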