| OLD | NEW |
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef SANDBOX_SRC_RESTRICTED_TOKEN_H_ | 5 #ifndef SANDBOX_SRC_RESTRICTED_TOKEN_H_ |
| 6 #define SANDBOX_SRC_RESTRICTED_TOKEN_H_ | 6 #define SANDBOX_SRC_RESTRICTED_TOKEN_H_ |
| 7 | 7 |
| 8 #include <windows.h> | 8 #include <windows.h> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| 161 // | 161 // |
| 162 // If the function succeeds, the return value is ERROR_SUCCESS. If the | 162 // If the function succeeds, the return value is ERROR_SUCCESS. If the |
| 163 // function fails, the return value is the win32 error code corresponding to | 163 // function fails, the return value is the win32 error code corresponding to |
| 164 // the error. | 164 // the error. |
| 165 DWORD AddRestrictingSidAllSids(); | 165 DWORD AddRestrictingSidAllSids(); |
| 166 | 166 |
| 167 // Sets the token integrity level. This is only valid on Vista. The integrity | 167 // Sets the token integrity level. This is only valid on Vista. The integrity |
| 168 // level cannot be higher than your current integrity level. | 168 // level cannot be higher than your current integrity level. |
| 169 DWORD SetIntegrityLevel(IntegrityLevel integrity_level); | 169 DWORD SetIntegrityLevel(IntegrityLevel integrity_level); |
| 170 | 170 |
| 171 // Set a flag which indicates the created token should have a locked down |
| 172 // default DACL when created. |
| 173 void SetLockdownDefaultDacl(); |
| 174 |
| 171 private: | 175 private: |
| 172 // The list of restricting sids in the restricted token. | 176 // The list of restricting sids in the restricted token. |
| 173 std::vector<Sid> sids_to_restrict_; | 177 std::vector<Sid> sids_to_restrict_; |
| 174 // The list of privileges to remove in the restricted token. | 178 // The list of privileges to remove in the restricted token. |
| 175 std::vector<LUID> privileges_to_disable_; | 179 std::vector<LUID> privileges_to_disable_; |
| 176 // The list of sids to mark as Deny Only in the restricted token. | 180 // The list of sids to mark as Deny Only in the restricted token. |
| 177 std::vector<Sid> sids_for_deny_only_; | 181 std::vector<Sid> sids_for_deny_only_; |
| 178 // The token to restrict. Can only be set in a constructor. | 182 // The token to restrict. Can only be set in a constructor. |
| 179 base::win::ScopedHandle effective_token_; | 183 base::win::ScopedHandle effective_token_; |
| 180 // The token integrity level. Only valid on Vista. | 184 // The token integrity level. Only valid on Vista. |
| 181 IntegrityLevel integrity_level_; | 185 IntegrityLevel integrity_level_; |
| 182 // Tells if the object is initialized or not (if Init() has been called) | 186 // Tells if the object is initialized or not (if Init() has been called) |
| 183 bool init_; | 187 bool init_; |
| 188 // Lockdown the default DACL when creating new tokens. |
| 189 bool lockdown_default_dacl_; |
| 184 | 190 |
| 185 DISALLOW_COPY_AND_ASSIGN(RestrictedToken); | 191 DISALLOW_COPY_AND_ASSIGN(RestrictedToken); |
| 186 }; | 192 }; |
| 187 | 193 |
| 188 } // namespace sandbox | 194 } // namespace sandbox |
| 189 | 195 |
| 190 #endif // SANDBOX_SRC_RESTRICTED_TOKEN_H_ | 196 #endif // SANDBOX_SRC_RESTRICTED_TOKEN_H_ |
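Review bot: The comment on `SetLockdownDefaultDacl()` (new lines 171-173) does not say what "locked down" means or when the call has to happen, and that matters because the default DACL decides who may open objects created under this token. The method only records a flag and returns `void`, and no clearing counterpart is visible in the lines shown, so the header should spell out the contract, e.g. `// Must be called before the restricted token is created; cannot be undone. The default DACL then grants access only to <principals, taken from the .cc>.` The new member `lockdown_default_dacl_` (new line 189) also needs an explicit `false` initializer in the constructor, which sits outside the lines shown here. If it is left uninitialized, the lockdown would be applied or skipped unpredictably.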