OLD | NEW |
1 // Copyright (c) 2006-2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef SANDBOX_SRC_PROCESS_THREAD_POLICY_H_ | 5 #ifndef SANDBOX_SRC_PROCESS_THREAD_POLICY_H_ |
6 #define SANDBOX_SRC_PROCESS_THREAD_POLICY_H_ | 6 #define SANDBOX_SRC_PROCESS_THREAD_POLICY_H_ |
7 | 7 |
| 8 #include <stdint.h> |
| 9 |
8 #include <string> | 10 #include <string> |
9 | 11 |
10 #include "sandbox/win/src/policy_low_level.h" | 12 #include "sandbox/win/src/policy_low_level.h" |
11 | 13 |
12 #include "base/basictypes.h" | |
13 #include "base/strings/string16.h" | 14 #include "base/strings/string16.h" |
14 #include "sandbox/win/src/crosscall_server.h" | 15 #include "sandbox/win/src/crosscall_server.h" |
15 #include "sandbox/win/src/sandbox_policy.h" | 16 #include "sandbox/win/src/sandbox_policy.h" |
16 | 17 |
17 namespace sandbox { | 18 namespace sandbox { |
18 | 19 |
19 enum EvalResult; | 20 enum EvalResult; |
20 | 21 |
21 // This class centralizes most of the knowledge related to process execution. | 22 // This class centralizes most of the knowledge related to process execution. |
22 class ProcessPolicy { | 23 class ProcessPolicy { |
23 public: | 24 public: |
24 // Creates the required low-level policy rules to evaluate a high-level. | 25 // Creates the required low-level policy rules to evaluate a high-level. |
25 // policy rule for process creation | 26 // policy rule for process creation |
26 // 'name' is the executable to be spawn. | 27 // 'name' is the executable to be spawn. |
27 // 'semantics' is the desired semantics. | 28 // 'semantics' is the desired semantics. |
28 // 'policy' is the policy generator to which the rules are going to be added. | 29 // 'policy' is the policy generator to which the rules are going to be added. |
29 static bool GenerateRules(const wchar_t* name, | 30 static bool GenerateRules(const wchar_t* name, |
30 TargetPolicy::Semantics semantics, | 31 TargetPolicy::Semantics semantics, |
31 LowLevelPolicy* policy); | 32 LowLevelPolicy* policy); |
32 | 33 |
33 // Opens a thread from the child process and returns the handle. | 34 // Opens a thread from the child process and returns the handle. |
34 // client_info contains the information about the child process, | 35 // client_info contains the information about the child process, |
35 // desired_access is the access requested by the child and thread_id | 36 // desired_access is the access requested by the child and thread_id |
36 // is the thread_id to be opened. | 37 // is the thread_id to be opened. |
37 // The function returns the return value of NtOpenThread. | 38 // The function returns the return value of NtOpenThread. |
38 static NTSTATUS OpenThreadAction(const ClientInfo& client_info, | 39 static NTSTATUS OpenThreadAction(const ClientInfo& client_info, |
39 uint32 desired_access, | 40 uint32_t desired_access, |
40 uint32 thread_id, | 41 uint32_t thread_id, |
41 HANDLE* handle); | 42 HANDLE* handle); |
42 | 43 |
43 // Opens the process id passed in and returns the duplicated handle to | 44 // Opens the process id passed in and returns the duplicated handle to |
44 // the child. We only allow the child processes to open themselves. Any other | 45 // the child. We only allow the child processes to open themselves. Any other |
45 // pid open is denied. | 46 // pid open is denied. |
46 static NTSTATUS OpenProcessAction(const ClientInfo& client_info, | 47 static NTSTATUS OpenProcessAction(const ClientInfo& client_info, |
47 uint32 desired_access, | 48 uint32_t desired_access, |
48 uint32 process_id, | 49 uint32_t process_id, |
49 HANDLE* handle); | 50 HANDLE* handle); |
50 | 51 |
51 // Opens the token associated with the process and returns the duplicated | 52 // Opens the token associated with the process and returns the duplicated |
52 // handle to the child. We only allow the child processes to open his own | 53 // handle to the child. We only allow the child processes to open his own |
53 // token (using ::GetCurrentProcess()). | 54 // token (using ::GetCurrentProcess()). |
54 static NTSTATUS OpenProcessTokenAction(const ClientInfo& client_info, | 55 static NTSTATUS OpenProcessTokenAction(const ClientInfo& client_info, |
55 HANDLE process, | 56 HANDLE process, |
56 uint32 desired_access, | 57 uint32_t desired_access, |
57 HANDLE* handle); | 58 HANDLE* handle); |
58 | 59 |
59 // Opens the token associated with the process and returns the duplicated | 60 // Opens the token associated with the process and returns the duplicated |
60 // handle to the child. We only allow the child processes to open his own | 61 // handle to the child. We only allow the child processes to open his own |
61 // token (using ::GetCurrentProcess()). | 62 // token (using ::GetCurrentProcess()). |
62 static NTSTATUS OpenProcessTokenExAction(const ClientInfo& client_info, | 63 static NTSTATUS OpenProcessTokenExAction(const ClientInfo& client_info, |
63 HANDLE process, | 64 HANDLE process, |
64 uint32 desired_access, | 65 uint32_t desired_access, |
65 uint32 attributes, | 66 uint32_t attributes, |
66 HANDLE* handle); | 67 HANDLE* handle); |
67 | 68 |
68 // Processes a 'CreateProcessW()' request from the target. | 69 // Processes a 'CreateProcessW()' request from the target. |
69 // 'client_info' : the target process that is making the request. | 70 // 'client_info' : the target process that is making the request. |
70 // 'eval_result' : The desired policy action to accomplish. | 71 // 'eval_result' : The desired policy action to accomplish. |
71 // 'app_name' : The full path of the process to be created. | 72 // 'app_name' : The full path of the process to be created. |
72 // 'command_line' : The command line passed to the created process. | 73 // 'command_line' : The command line passed to the created process. |
73 static DWORD CreateProcessWAction(EvalResult eval_result, | 74 static DWORD CreateProcessWAction(EvalResult eval_result, |
74 const ClientInfo& client_info, | 75 const ClientInfo& client_info, |
75 const base::string16 &app_name, | 76 const base::string16 &app_name, |
76 const base::string16 &command_line, | 77 const base::string16 &command_line, |
77 PROCESS_INFORMATION* process_info); | 78 PROCESS_INFORMATION* process_info); |
78 }; | 79 }; |
79 | 80 |
80 } // namespace sandbox | 81 } // namespace sandbox |
81 | 82 |
82 | 83 |
83 #endif // SANDBOX_SRC_PROCESS_THREAD_POLICY_H_ | 84 #endif // SANDBOX_SRC_PROCESS_THREAD_POLICY_H_ |
OLD | NEW |