| OLD | NEW |
| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/src/restricted_token.h" | 5 #include "sandbox/src/restricted_token.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "sandbox/src/acl.h" | 10 #include "sandbox/src/acl.h" |
| (...skipping 69 matching lines...) |
| 80 privileges_to_disable_array = new LUID_AND_ATTRIBUTES[privileges_size]; | 80 privileges_to_disable_array = new LUID_AND_ATTRIBUTES[privileges_size]; |
| 81 | 81 |
| 82 for (unsigned int i = 0; i < privileges_size; ++i) { | 82 for (unsigned int i = 0; i < privileges_size; ++i) { |
| 83 privileges_to_disable_array[i].Attributes = 0; | 83 privileges_to_disable_array[i].Attributes = 0; |
| 84 privileges_to_disable_array[i].Luid = privileges_to_disable_[i]; | 84 privileges_to_disable_array[i].Luid = privileges_to_disable_[i]; |
| 85 } | 85 } |
| 86 } | 86 } |
| 87 | 87 |
| 88 BOOL result = TRUE; | 88 BOOL result = TRUE; |
| 89 HANDLE new_token = NULL; | 89 HANDLE new_token = NULL; |
| 90 // The SANDBOX_INERT flag did nothing in XP and it was just a way to tell |
| 91 // if a token has ben restricted given the limiations of IsTokenRestricted() |
| 92 // but it appears that in Windows 7 it hints the AppLocker subsystem to |
| 93 // leave us alone. |
| 90 if (deny_size || restrict_size || privileges_size) { | 94 if (deny_size || restrict_size || privileges_size) { |
| 91 result = ::CreateRestrictedToken(effective_token_, | 95 result = ::CreateRestrictedToken(effective_token_, |
| 92 0, // No flags. | 96 SANDBOX_INERT, |
| 93 static_cast<DWORD>(deny_size), | 97 static_cast<DWORD>(deny_size), |
| 94 deny_only_array, | 98 deny_only_array, |
| 95 static_cast<DWORD>(privileges_size), | 99 static_cast<DWORD>(privileges_size), |
| 96 privileges_to_disable_array, | 100 privileges_to_disable_array, |
| 97 static_cast<DWORD>(restrict_size), | 101 static_cast<DWORD>(restrict_size), |
| 98 sids_to_restrict_array, | 102 sids_to_restrict_array, |
| 99 &new_token); | 103 &new_token); |
| 100 } else { | 104 } else { |
| 101 // Duplicate the token even if it's not modified at this point | 105 // Duplicate the token even if it's not modified at this point |
| 102 // because any subsequent changes to this token would also affect the | 106 // because any subsequent changes to this token would also affect the |
| (...skipping 350 matching lines...) |
| 453 | 457 |
| 454 return ERROR_SUCCESS; | 458 return ERROR_SUCCESS; |
| 455 } | 459 } |
| 456 | 460 |
| 457 unsigned RestrictedToken::SetIntegrityLevel(IntegrityLevel integrity_level) { | 461 unsigned RestrictedToken::SetIntegrityLevel(IntegrityLevel integrity_level) { |
| 458 integrity_level_ = integrity_level; | 462 integrity_level_ = integrity_level; |
| 459 return ERROR_SUCCESS; | 463 return ERROR_SUCCESS; |
| 460 } | 464 } |
| 461 | 465 |
| 462 } // namespace sandbox | 466 } // namespace sandbox |
| OLD | NEW |
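Review bot: The comment added at new lines 90-93 understates a security-relevant effect of `SANDBOX_INERT` and has two typos ("ben", "limiations"). Microsoft's documentation for CreateRestrictedToken describes the flag as making the system skip AppLocker and Software Restriction Policy checks for the token, so it is a policy exemption rather than a hint. I would say so directly, e.g. `// SANDBOX_INERT: the system skips AppLocker/SRP rule checks for this token; on XP it only served to mark the token as restricted.` The flag is passed only in the `CreateRestrictedToken` branch, and the `else` branch that duplicates the token runs past the visible lines, so it is worth confirming that nothing relies on the flag being present on tokens from that path. The enclosing function also starts outside the visible lines, so callers that hand these tokens to child processes could not be checked here.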