| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/win/src/acl.h" | 5 #include "sandbox/win/src/acl.h" |
| 6 | 6 |
| 7 #include <aclapi.h> | 7 #include <aclapi.h> |
| 8 #include <sddl.h> | 8 #include <sddl.h> |
| 9 | 9 |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| (...skipping 38 matching lines...) |
| 49 new_access.Trustee.TrusteeForm = TRUSTEE_IS_SID; | 49 new_access.Trustee.TrusteeForm = TRUSTEE_IS_SID; |
| 50 new_access.Trustee.ptstrName = reinterpret_cast<LPWSTR>( | 50 new_access.Trustee.ptstrName = reinterpret_cast<LPWSTR>( |
| 51 const_cast<SID*>(sid.GetPSID())); | 51 const_cast<SID*>(sid.GetPSID())); |
| 52 | 52 |
| 53 if (ERROR_SUCCESS != ::SetEntriesInAcl(1, &new_access, old_dacl, new_dacl)) | 53 if (ERROR_SUCCESS != ::SetEntriesInAcl(1, &new_access, old_dacl, new_dacl)) |
| 54 return false; | 54 return false; |
| 55 | 55 |
| 56 return true; | 56 return true; |
| 57 } | 57 } |
| 58 | 58 |
| 59 bool AddSidToDefaultDacl(HANDLE token, const Sid& sid, ACCESS_MASK access) { | 59 bool AddSidToDefaultDacl(HANDLE token, |
| 60 const Sid& sid, |
| 61 ACCESS_MODE access_mode, |
| 62 ACCESS_MASK access) { |
| 60 if (token == NULL) | 63 if (token == NULL) |
| 61 return false; | 64 return false; |
| 62 | 65 |
| 63 scoped_ptr<TOKEN_DEFAULT_DACL, base::FreeDeleter> default_dacl; | 66 scoped_ptr<TOKEN_DEFAULT_DACL, base::FreeDeleter> default_dacl; |
| 64 if (!GetDefaultDacl(token, &default_dacl)) | 67 if (!GetDefaultDacl(token, &default_dacl)) |
| 65 return false; | 68 return false; |
| 66 | 69 |
| 67 ACL* new_dacl = NULL; | 70 ACL* new_dacl = NULL; |
| 68 if (!AddSidToDacl(sid, default_dacl->DefaultDacl, GRANT_ACCESS, access, | 71 if (!AddSidToDacl(sid, default_dacl->DefaultDacl, access_mode, access, |
| 69 &new_dacl)) | 72 &new_dacl)) |
| 70 return false; | 73 return false; |
| 71 | 74 |
| 72 TOKEN_DEFAULT_DACL new_token_dacl = {0}; | 75 TOKEN_DEFAULT_DACL new_token_dacl = {0}; |
| 73 new_token_dacl.DefaultDacl = new_dacl; | 76 new_token_dacl.DefaultDacl = new_dacl; |
| 74 | 77 |
| 75 BOOL ret = ::SetTokenInformation(token, TokenDefaultDacl, &new_token_dacl, | 78 BOOL ret = ::SetTokenInformation(token, TokenDefaultDacl, &new_token_dacl, |
| 76 sizeof(new_token_dacl)); | 79 sizeof(new_token_dacl)); |
| 77 ::LocalFree(new_dacl); | 80 ::LocalFree(new_dacl); |
| 78 return (TRUE == ret); | 81 return (TRUE == ret); |
| 79 } | 82 } |
| 80 | 83 |
| 84 bool RevokeLogonSidFromDefaultDacl(HANDLE token) { |
| 85 DWORD size = sizeof(TOKEN_GROUPS) + SECURITY_MAX_SID_SIZE; |
| 86 TOKEN_GROUPS* logon_sid = reinterpret_cast<TOKEN_GROUPS*>(malloc(size)); |
| 87 |
| 88 scoped_ptr<TOKEN_GROUPS, base::FreeDeleter> logon_sid_ptr(logon_sid); |
| 89 |
| 90 if (!::GetTokenInformation(token, TokenLogonSid, logon_sid, size, &size)) |
| 91 return false; |
| 92 if (logon_sid->GroupCount < 1) { |
| 93 ::SetLastError(ERROR_INVALID_TOKEN); |
| 94 return false; |
| 95 } |
| 96 return AddSidToDefaultDacl(token, |
| 97 reinterpret_cast<SID*>(logon_sid->Groups[0].Sid), |
| 98 REVOKE_ACCESS, 0); |
| 99 } |
| 100 |
| 81 bool AddUserSidToDefaultDacl(HANDLE token, ACCESS_MASK access) { | 101 bool AddUserSidToDefaultDacl(HANDLE token, ACCESS_MASK access) { |
| 82 DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE; | 102 DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE; |
| 83 TOKEN_USER* token_user = reinterpret_cast<TOKEN_USER*>(malloc(size)); | 103 TOKEN_USER* token_user = reinterpret_cast<TOKEN_USER*>(malloc(size)); |
| 84 | 104 |
| 85 scoped_ptr<TOKEN_USER, base::FreeDeleter> token_user_ptr(token_user); | 105 scoped_ptr<TOKEN_USER, base::FreeDeleter> token_user_ptr(token_user); |
| 86 | 106 |
| 87 if (!::GetTokenInformation(token, TokenUser, token_user, size, &size)) | 107 if (!::GetTokenInformation(token, TokenUser, token_user, size, &size)) |
| 88 return false; | 108 return false; |
| 89 | 109 |
| 90 return AddSidToDefaultDacl(token, | 110 return AddSidToDefaultDacl(token, |
| 91 reinterpret_cast<SID*>(token_user->User.Sid), | 111 reinterpret_cast<SID*>(token_user->User.Sid), |
| 92 access); | 112 GRANT_ACCESS, access); |
| 93 } | 113 } |
| 94 | 114 |
| 95 bool AddKnownSidToObject(HANDLE object, SE_OBJECT_TYPE object_type, | 115 bool AddKnownSidToObject(HANDLE object, SE_OBJECT_TYPE object_type, |
| 96 const Sid& sid, ACCESS_MODE access_mode, | 116 const Sid& sid, ACCESS_MODE access_mode, |
| 97 ACCESS_MASK access) { | 117 ACCESS_MASK access) { |
| 98 PSECURITY_DESCRIPTOR descriptor = NULL; | 118 PSECURITY_DESCRIPTOR descriptor = NULL; |
| 99 PACL old_dacl = NULL; | 119 PACL old_dacl = NULL; |
| 100 PACL new_dacl = NULL; | 120 PACL new_dacl = NULL; |
| 101 | 121 |
| 102 if (ERROR_SUCCESS != ::GetSecurityInfo(object, object_type, | 122 if (ERROR_SUCCESS != ::GetSecurityInfo(object, object_type, |
| (...skipping 13 matching lines...) |
| 116 ::LocalFree(new_dacl); | 136 ::LocalFree(new_dacl); |
| 117 ::LocalFree(descriptor); | 137 ::LocalFree(descriptor); |
| 118 | 138 |
| 119 if (ERROR_SUCCESS != result) | 139 if (ERROR_SUCCESS != result) |
| 120 return false; | 140 return false; |
| 121 | 141 |
| 122 return true; | 142 return true; |
| 123 } | 143 } |
| 124 | 144 |
| 125 } // namespace sandbox | 145 } // namespace sandbox |
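Review bot: In RevokeLogonSidFromDefaultDacl (new lines 84-99), every failure of `::GetTokenInformation(token, TokenLogonSid, ...)` returns false, so a token that simply has no logon SID looks the same as a real error (I believe that case reports ERROR_NOT_FOUND, which is worth confirming). The callers are not visible on this page: one that treats false as fatal would refuse to sandbox such a token, and one that ignores the result would miss a genuine failure that leaves the logon SID's ACE in the default DACL. Consider handling the empty case explicitly before the `return false;`, e.g. `if (::GetLastError() == ERROR_NOT_FOUND) return true;  // no logon SID, nothing to revoke`, and checking the `malloc` result before the call. The function also deserves a short comment explaining why the mask passed with `REVOKE_ACCESS` is 0, and noting that a changed default DACL only applies to objects created afterwards without an explicit security descriptor, so objects created earlier keep their ACLs.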