| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/win/src/restricted_token.h" | 5 #include "sandbox/win/src/restricted_token.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 | 8 |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| (...skipping 140 matching lines...) | |
| 151 delete[] sids_to_restrict_array; | 151 delete[] sids_to_restrict_array; |
| 152 | 152 |
| 153 if (privileges_to_disable_array) | 153 if (privileges_to_disable_array) |
| 154 delete[] privileges_to_disable_array; | 154 delete[] privileges_to_disable_array; |
| 155 | 155 |
| 156 if (!result) | 156 if (!result) |
| 157 return last_error; | 157 return last_error; |
| 158 | 158 |
| 159 base::win::ScopedHandle new_token(new_token_handle); | 159 base::win::ScopedHandle new_token(new_token_handle); |
| 160 | 160 |
| 161 // Modify the default dacl on the token to contain Restricted and the user. | 161 if (lockdown_default_dacl_) { |
| 162 if (!AddSidToDefaultDacl(new_token.Get(), WinRestrictedCodeSid, GENERIC_ALL)) | 162 // Don't add Restricted sid and also remove logon sid access. |
| 163 return ::GetLastError(); | 163 if (!RevokeLogonSidFromDefaultDacl(new_token.Get())) |
| 164 return ::GetLastError(); | |
| 165 } else { | |
| 166 // Modify the default dacl on the token to contain Restricted. | |
| 167 if (!AddSidToDefaultDacl(new_token.Get(), WinRestrictedCodeSid, | |
| 168 GENERIC_ALL)) | |
| 169 return ::GetLastError(); | |
|
Will Harris
2016/03/27 01:20:05
nit brackets for multiline if statement
forshaw
2016/03/28 16:40:31
Done.
| |
| 170 } | |
| 164 | 171 |
| 172 // Add user to default dacl. | |
| 165 if (!AddUserSidToDefaultDacl(new_token.Get(), GENERIC_ALL)) | 173 if (!AddUserSidToDefaultDacl(new_token.Get(), GENERIC_ALL)) |
| 166 return ::GetLastError(); | 174 return ::GetLastError(); |
| 167 | 175 |
| 168 DWORD error = SetTokenIntegrityLevel(new_token.Get(), integrity_level_); | 176 DWORD error = SetTokenIntegrityLevel(new_token.Get(), integrity_level_); |
| 169 if (ERROR_SUCCESS != error) | 177 if (ERROR_SUCCESS != error) |
| 170 return error; | 178 return error; |
| 171 | 179 |
| 172 HANDLE token_handle; | 180 HANDLE token_handle; |
| 173 if (!::DuplicateHandle(::GetCurrentProcess(), new_token.Get(), | 181 if (!::DuplicateHandle(::GetCurrentProcess(), new_token.Get(), |
| 174 ::GetCurrentProcess(), &token_handle, | 182 ::GetCurrentProcess(), &token_handle, |
| (...skipping 240 matching lines...) | |
| 415 } | 423 } |
| 416 | 424 |
| 417 return ERROR_SUCCESS; | 425 return ERROR_SUCCESS; |
| 418 } | 426 } |
| 419 | 427 |
| 420 DWORD RestrictedToken::SetIntegrityLevel(IntegrityLevel integrity_level) { | 428 DWORD RestrictedToken::SetIntegrityLevel(IntegrityLevel integrity_level) { |
| 421 integrity_level_ = integrity_level; | 429 integrity_level_ = integrity_level; |
| 422 return ERROR_SUCCESS; | 430 return ERROR_SUCCESS; |
| 423 } | 431 } |
| 424 | 432 |
| 433 void RestrictedToken::SetLockdownDefaultDacl() { | |
| 434 lockdown_default_dacl_ = true; | |
| 435 } | |
| 436 | |
| 425 } // namespace sandbox | 437 } // namespace sandbox |
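Review bot: `lockdown_default_dacl_` is read at new line 161 but the only assignment visible in this file is `lockdown_default_dacl_ = true;` in `SetLockdownDefaultDacl()` (new lines 433-435). The collapsed regions are marked as matching between OLD and NEW, so if the constructor lives in them it has not gained an initialiser for the new member. Unless the header gives it a default (not visible here), the branch reads an indeterminate bool, and that value decides whether the Restricted SID is granted `GENERIC_ALL` in the default DACL or the logon SID is revoked. I would add `lockdown_default_dacl_(false)` to the constructor's initialiser list, or declare it as `bool lockdown_default_dacl_ = false;`, so the non-lockdown path stays the explicit default. The function containing the new branch starts and ends in the collapsed regions, so this is based only on the lines shown.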
| OLD | NEW |