
Side by Side Diff: sandbox/win/src/restricted_token.cc

Issue 1821193002: Added a policy option to restrict the default DACL for tokens. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Added access mask to open process test Created 4 years, 8 months ago
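--- a/sandbox/win/src/restricted_token.cc
+++ b/sandbox/win/src/restricted_token.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/restricted_token.h"
 
 #include <stddef.h>
 
 #include <vector>
 
@@ -38,22 +38,22 @@
 *error = ERROR_SUCCESS;
 return buffer;
 }
 
 } // namespace
 
 namespace sandbox {
 
 RestrictedToken::RestrictedToken()
 : integrity_level_(INTEGRITY_LEVEL_LAST),
-init_(false) {
-}
+init_(false),
+lockdown_default_dacl_(false) {}
 
 RestrictedToken::~RestrictedToken() {
 }
 
 DWORD RestrictedToken::Init(const HANDLE effective_token) {
 if (init_)
 return ERROR_ALREADY_INITIALIZED;
 
 HANDLE temp_token;
 if (effective_token) {
@@ -151,24 +151,33 @@
 delete[] sids_to_restrict_array;
 
 if (privileges_to_disable_array)
 delete[] privileges_to_disable_array;
 
 if (!result)
 return last_error;
 
 base::win::ScopedHandle new_token(new_token_handle);
 
-// Modify the default dacl on the token to contain Restricted and the user.
-if (!AddSidToDefaultDacl(new_token.Get(), WinRestrictedCodeSid, GENERIC_ALL))
-return ::GetLastError();
+if (lockdown_default_dacl_) {
+// Don't add Restricted sid and also remove logon sid access.
+if (!RevokeLogonSidFromDefaultDacl(new_token.Get()))
+return ::GetLastError();
+} else {
+// Modify the default dacl on the token to contain Restricted.
+if (!AddSidToDefaultDacl(new_token.Get(), WinRestrictedCodeSid,
+GRANT_ACCESS, GENERIC_ALL)) {
+return ::GetLastError();
+}
+}
 
+// Add user to default dacl.
 if (!AddUserSidToDefaultDacl(new_token.Get(), GENERIC_ALL))
 return ::GetLastError();
 
 DWORD error = SetTokenIntegrityLevel(new_token.Get(), integrity_level_);
 if (ERROR_SUCCESS != error)
 return error;
 
 HANDLE token_handle;
 if (!::DuplicateHandle(::GetCurrentProcess(), new_token.Get(),
 ::GetCurrentProcess(), &token_handle,
@@ -415,11 +424,15 @@
 }
 
 return ERROR_SUCCESS;
 }
 
 DWORD RestrictedToken::SetIntegrityLevel(IntegrityLevel integrity_level) {
 integrity_level_ = integrity_level;
 return ERROR_SUCCESS;
 }
 
+void RestrictedToken::SetLockdownDefaultDacl() {
+lockdown_default_dacl_ = true;
+}
+
 } // namespace sandbox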
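Review bot: In the new lockdown branch (new lines 161-164) a false return from `RevokeLogonSidFromDefaultDacl` is reported as `::GetLastError()`, and nothing visible here guarantees that value is non-zero, so a failure inside the helper that leaves the last-error code at 0 would make this function return `ERROR_SUCCESS` on a path that bailed out before the default DACL was locked down. The helper is defined outside this page, so this is inferred rather than shown, and the same pattern applies to the `AddSidToDefaultDacl` and `AddUserSidToDefaultDacl` calls in the same hunk. For a sandbox option the failure path should fail closed, for example `DWORD err = ::GetLastError(); return err != ERROR_SUCCESS ? err : ERROR_GEN_FAILURE;`. A short comment on the retained `AddUserSidToDefaultDacl(new_token.Get(), GENERIC_ALL)` call, stating that the user SID keeps full access even under lockdown, would also help readers judge what the option does and does not restrict. The enclosing function begins and ends in the skipped lines, so its name and its handling of the output token are not visible here.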