| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <aclapi.h> | 5 #include <aclapi.h> |
| 6 #include <sddl.h> | 6 #include <sddl.h> |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "sandbox/win/src/restricted_token_utils.h" | 9 #include "sandbox/win/src/restricted_token_utils.h" |
| 10 | 10 |
| 11 #include "base/logging.h" | 11 #include "base/logging.h" |
| 12 #include "base/win/scoped_handle.h" | 12 #include "base/win/scoped_handle.h" |
| 13 #include "base/win/windows_version.h" | 13 #include "base/win/windows_version.h" |
| 14 #include "sandbox/win/src/job.h" | 14 #include "sandbox/win/src/job.h" |
| 15 #include "sandbox/win/src/restricted_token.h" | 15 #include "sandbox/win/src/restricted_token.h" |
| 16 #include "sandbox/win/src/security_level.h" | 16 #include "sandbox/win/src/security_level.h" |
| 17 #include "sandbox/win/src/sid.h" | 17 #include "sandbox/win/src/sid.h" |
| 18 | 18 |
| 19 namespace sandbox { | 19 namespace sandbox { |
| 20 | 20 |
| 21 DWORD CreateRestrictedToken(TokenLevel security_level, | 21 DWORD CreateRestrictedToken(TokenLevel security_level, |
| 22 IntegrityLevel integrity_level, | 22 IntegrityLevel integrity_level, |
| 23 TokenType token_type, | 23 TokenType token_type, |
| 24 bool lockdown_default_dacl, |
| 24 base::win::ScopedHandle* token) { | 25 base::win::ScopedHandle* token) { |
| 25 RestrictedToken restricted_token; | 26 RestrictedToken restricted_token; |
| 26 restricted_token.Init(NULL); // Initialized with the current process token | 27 restricted_token.Init(NULL); // Initialized with the current process token |
| 28 if (lockdown_default_dacl) |
| 29 restricted_token.SetLockdownDefaultDacl(); |
| 27 | 30 |
| 28 std::vector<base::string16> privilege_exceptions; | 31 std::vector<base::string16> privilege_exceptions; |
| 29 std::vector<Sid> sid_exceptions; | 32 std::vector<Sid> sid_exceptions; |
| 30 | 33 |
| 31 bool deny_sids = true; | 34 bool deny_sids = true; |
| 32 bool remove_privileges = true; | 35 bool remove_privileges = true; |
| 33 | 36 |
| 34 switch (security_level) { | 37 switch (security_level) { |
| 35 case USER_UNPROTECTED: { | 38 case USER_UNPROTECTED: { |
| 36 deny_sids = false; | 39 deny_sids = false; |
| 293 if (!::OpenProcessToken(GetCurrentProcess(), READ_CONTROL | WRITE_OWNER, | 296 if (!::OpenProcessToken(GetCurrentProcess(), READ_CONTROL | WRITE_OWNER, |
| 294 &token_handle)) | 297 &token_handle)) |
| 295 return ::GetLastError(); | 298 return ::GetLastError(); |
| 296 | 299 |
| 297 base::win::ScopedHandle token(token_handle); | 300 base::win::ScopedHandle token(token_handle); |
| 298 | 301 |
| 299 return HardenTokenIntegrityLevelPolicy(token.Get()); | 302 return HardenTokenIntegrityLevelPolicy(token.Get()); |
| 300 } | 303 } |
| 301 | 304 |
| 302 } // namespace sandbox | 305 } // namespace sandbox |
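Review bot: The new `lockdown_default_dacl` argument is a bare `bool` placed between `token_type` and the `token` out-parameter, so a call site reads as an unexplained `true`/`false`, and nothing at new lines 28-29 says which value is the hardened one. A one-line comment above the `if` would record the contract, for example `// Opt-in: only callers that pass true get the locked-down default DACL.`, and the declaration in the header (not shown on this page) should carry the same wording. Separately, `restricted_token.Init(NULL)` on new line 27 is still called as a bare statement; if Init reports failure through its return value, which this page does not show, the lockdown request is recorded on a token object that was never initialised and the function carries on. The rest of CreateRestrictedToken sits in the 256 skipped lines, so whether a later step catches that case cannot be confirmed from here.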