OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/win/src/sandbox_policy_base.h" | 5 #include "sandbox/win/src/sandbox_policy_base.h" |
6 | 6 |
7 #include <sddl.h> | 7 #include <sddl.h> |
8 | 8 |
9 #include "base/basictypes.h" | 9 #include "base/basictypes.h" |
10 #include "base/callback.h" | 10 #include "base/callback.h" |
(...skipping 524 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
535 return SBOX_ERROR_GENERIC; | 535 return SBOX_ERROR_GENERIC; |
536 | 536 |
537 *job = job_obj.Take(); | 537 *job = job_obj.Take(); |
538 } else { | 538 } else { |
539 *job = base::win::ScopedHandle(); | 539 *job = base::win::ScopedHandle(); |
540 } | 540 } |
541 return SBOX_ALL_OK; | 541 return SBOX_ALL_OK; |
542 } | 542 } |
543 | 543 |
544 ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial, | 544 ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial, |
545 base::win::ScopedHandle* lockdown) { | 545 base::win::ScopedHandle* lockdown, |
| 546 base::win::ScopedHandle* lowbox) { |
546 if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer() && | 547 if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer() && |
547 lowbox_sid_) { | 548 lowbox_sid_) { |
548 return SBOX_ERROR_BAD_PARAMS; | 549 return SBOX_ERROR_BAD_PARAMS; |
549 } | 550 } |
550 | 551 |
551 // Create the 'naked' token. This will be the permanent token associated | 552 // Create the 'naked' token. This will be the permanent token associated |
552 // with the process and therefore with any thread that is not impersonating. | 553 // with the process and therefore with any thread that is not impersonating. |
553 DWORD result = CreateRestrictedToken(lockdown_level_, integrity_level_, | 554 DWORD result = CreateRestrictedToken(lockdown_level_, integrity_level_, |
554 PRIMARY, lockdown); | 555 PRIMARY, lockdown); |
555 if (ERROR_SUCCESS != result) | 556 if (ERROR_SUCCESS != result) |
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
606 DWORD saved_handles_count = lowbox_directory_.IsValid() ? 1 : 0; | 607 DWORD saved_handles_count = lowbox_directory_.IsValid() ? 1 : 0; |
607 | 608 |
608 NTSTATUS status = CreateLowBoxToken(&token_lowbox, lockdown->Get(), | 609 NTSTATUS status = CreateLowBoxToken(&token_lowbox, lockdown->Get(), |
609 TOKEN_ALL_ACCESS, &obj_attr, | 610 TOKEN_ALL_ACCESS, &obj_attr, |
610 lowbox_sid_, 0, NULL, | 611 lowbox_sid_, 0, NULL, |
611 saved_handles_count, saved_handles); | 612 saved_handles_count, saved_handles); |
612 if (!NT_SUCCESS(status)) | 613 if (!NT_SUCCESS(status)) |
613 return SBOX_ERROR_GENERIC; | 614 return SBOX_ERROR_GENERIC; |
614 | 615 |
615 DCHECK(token_lowbox); | 616 DCHECK(token_lowbox); |
616 lockdown->Set(token_lowbox); | 617 lowbox->Set(token_lowbox); |
617 } | 618 } |
618 | 619 |
619 // Create the 'better' token. We use this token as the one that the main | 620 // Create the 'better' token. We use this token as the one that the main |
620 // thread uses when booting up the process. It should contain most of | 621 // thread uses when booting up the process. It should contain most of |
621 // what we need (before reaching main( )) | 622 // what we need (before reaching main( )) |
622 result = CreateRestrictedToken(initial_level_, integrity_level_, | 623 result = CreateRestrictedToken(initial_level_, integrity_level_, |
623 IMPERSONATION, initial); | 624 IMPERSONATION, initial); |
624 if (ERROR_SUCCESS != result) | 625 if (ERROR_SUCCESS != result) |
625 return SBOX_ERROR_GENERIC; | 626 return SBOX_ERROR_GENERIC; |
626 | 627 |
(...skipping 246 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
873 break; | 874 break; |
874 } | 875 } |
875 | 876 |
876 default: { return SBOX_ERROR_UNSUPPORTED; } | 877 default: { return SBOX_ERROR_UNSUPPORTED; } |
877 } | 878 } |
878 | 879 |
879 return SBOX_ALL_OK; | 880 return SBOX_ALL_OK; |
880 } | 881 } |
881 | 882 |
882 } // namespace sandbox | 883 } // namespace sandbox |
OLD | NEW |