Move the Windows sandbox to sandbox/win

sandbox/src/acl.cc

-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/src/acl.h"
-
-#include <aclapi.h>
-#include <sddl.h>
-
-#include "base/logging.h"
-
-namespace sandbox {
-
-bool GetDefaultDacl(HANDLE token,
-                    scoped_ptr_malloc<TOKEN_DEFAULT_DACL>* default_dacl) {
-  if (token == NULL)
-    return false;
-
-  DCHECK(default_dacl != NULL);
-
-  unsigned long length = 0;
-  ::GetTokenInformation(token, TokenDefaultDacl, NULL, 0, &length);
-  if (length == 0) {
-    NOTREACHED();
-    return false;
-  }
-
-  TOKEN_DEFAULT_DACL* acl =
-      reinterpret_cast<TOKEN_DEFAULT_DACL*>(malloc(length));
-  default_dacl->reset(acl);
-
-  if (!::GetTokenInformation(token, TokenDefaultDacl, default_dacl->get(),
-                             length, &length))
-      return false;
-
-  return true;
-}
-
-bool AddSidToDacl(const Sid& sid, ACL* old_dacl, ACCESS_MASK access,
-                  ACL** new_dacl) {
-  EXPLICIT_ACCESS new_access = {0};
-  new_access.grfAccessMode = GRANT_ACCESS;
-  new_access.grfAccessPermissions = access;
-  new_access.grfInheritance = NO_INHERITANCE;
-
-  new_access.Trustee.pMultipleTrustee = NULL;
-  new_access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
-  new_access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
-  new_access.Trustee.ptstrName = reinterpret_cast<LPWSTR>(
-                                    const_cast<SID*>(sid.GetPSID()));
-
-  if (ERROR_SUCCESS != ::SetEntriesInAcl(1, &new_access, old_dacl, new_dacl))
-    return false;
-
-  return true;
-}
-
-bool AddSidToDefaultDacl(HANDLE token, const Sid& sid, ACCESS_MASK access) {
-  if (token == NULL)
-    return false;
-
-  scoped_ptr_malloc<TOKEN_DEFAULT_DACL> default_dacl;
-  if (!GetDefaultDacl(token, &default_dacl))
-    return false;
-
-  ACL* new_dacl = NULL;
-  if (!AddSidToDacl(sid, default_dacl->DefaultDacl, access, &new_dacl))
-    return false;
-
-  TOKEN_DEFAULT_DACL new_token_dacl = {0};
-  new_token_dacl.DefaultDacl = new_dacl;
-
-  BOOL ret = ::SetTokenInformation(token, TokenDefaultDacl, &new_token_dacl,
-                                   sizeof(new_token_dacl));
-  ::LocalFree(new_dacl);
-  return (TRUE == ret);
-}
-
-bool AddUserSidToDefaultDacl(HANDLE token, ACCESS_MASK access) {
-  DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE;
-  TOKEN_USER* token_user = reinterpret_cast<TOKEN_USER*>(malloc(size));
-
-  scoped_ptr_malloc<TOKEN_USER> token_user_ptr(token_user);
-
-  if (!::GetTokenInformation(token, TokenUser, token_user, size, &size))
-    return false;
-
-  return AddSidToDefaultDacl(token,
-                             reinterpret_cast<SID*>(token_user->User.Sid),
-                             access);
-}
-
-bool AddKnownSidToKernelObject(HANDLE object, const Sid& sid,
-                               ACCESS_MASK access) {
-  PSECURITY_DESCRIPTOR descriptor = NULL;
-  PACL old_dacl = NULL;
-  PACL new_dacl = NULL;
-
-  if (ERROR_SUCCESS != ::GetSecurityInfo(object, SE_KERNEL_OBJECT,
-                                         DACL_SECURITY_INFORMATION, NULL, NULL,
-                                         &old_dacl, NULL, &descriptor))
-    return false;
-
-  if (!AddSidToDacl(sid.GetPSID(), old_dacl, access, &new_dacl)) {
-    ::LocalFree(descriptor);
-    return false;
-  }
-
-  DWORD result = ::SetSecurityInfo(object, SE_KERNEL_OBJECT,
-                                   DACL_SECURITY_INFORMATION, NULL, NULL,
-                                   new_dacl, NULL);
-
-  ::LocalFree(new_dacl);
-  ::LocalFree(descriptor);
-
-  if (ERROR_SUCCESS != result)
-    return false;
-
-  return true;
-}
-
-}  // namespace sandbox