Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(143)

Side by Side Diff: sandbox/win/src/restricted_token_utils.cc

Issue 1821193002: Added a policy option to restrict the default DACL for tokens. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Added access mask to open process test Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « sandbox/win/src/restricted_token_utils.h ('k') | sandbox/win/src/sandbox_policy.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <aclapi.h> 5 #include <aclapi.h>
6 #include <sddl.h> 6 #include <sddl.h>
7 #include <vector> 7 #include <vector>
8 8
9 #include "sandbox/win/src/restricted_token_utils.h" 9 #include "sandbox/win/src/restricted_token_utils.h"
10 10
11 #include "base/logging.h" 11 #include "base/logging.h"
12 #include "base/win/scoped_handle.h" 12 #include "base/win/scoped_handle.h"
13 #include "base/win/windows_version.h" 13 #include "base/win/windows_version.h"
14 #include "sandbox/win/src/job.h" 14 #include "sandbox/win/src/job.h"
15 #include "sandbox/win/src/restricted_token.h" 15 #include "sandbox/win/src/restricted_token.h"
16 #include "sandbox/win/src/security_level.h" 16 #include "sandbox/win/src/security_level.h"
17 #include "sandbox/win/src/sid.h" 17 #include "sandbox/win/src/sid.h"
18 18
19 namespace sandbox { 19 namespace sandbox {
20 20
21 DWORD CreateRestrictedToken(TokenLevel security_level, 21 DWORD CreateRestrictedToken(TokenLevel security_level,
22 IntegrityLevel integrity_level, 22 IntegrityLevel integrity_level,
23 TokenType token_type, 23 TokenType token_type,
24 bool lockdown_default_dacl,
24 base::win::ScopedHandle* token) { 25 base::win::ScopedHandle* token) {
25 RestrictedToken restricted_token; 26 RestrictedToken restricted_token;
26 restricted_token.Init(NULL); // Initialized with the current process token 27 restricted_token.Init(NULL); // Initialized with the current process token
28 if (lockdown_default_dacl)
29 restricted_token.SetLockdownDefaultDacl();
27 30
28 std::vector<base::string16> privilege_exceptions; 31 std::vector<base::string16> privilege_exceptions;
29 std::vector<Sid> sid_exceptions; 32 std::vector<Sid> sid_exceptions;
30 33
31 bool deny_sids = true; 34 bool deny_sids = true;
32 bool remove_privileges = true; 35 bool remove_privileges = true;
33 36
34 switch (security_level) { 37 switch (security_level) {
35 case USER_UNPROTECTED: { 38 case USER_UNPROTECTED: {
36 deny_sids = false; 39 deny_sids = false;
(...skipping 256 matching lines...) Expand 10 before | Expand all | Expand 10 after
293 if (!::OpenProcessToken(GetCurrentProcess(), READ_CONTROL | WRITE_OWNER, 296 if (!::OpenProcessToken(GetCurrentProcess(), READ_CONTROL | WRITE_OWNER,
294 &token_handle)) 297 &token_handle))
295 return ::GetLastError(); 298 return ::GetLastError();
296 299
297 base::win::ScopedHandle token(token_handle); 300 base::win::ScopedHandle token(token_handle);
298 301
299 return HardenTokenIntegrityLevelPolicy(token.Get()); 302 return HardenTokenIntegrityLevelPolicy(token.Get());
300 } 303 }
301 304
302 } // namespace sandbox 305 } // namespace sandbox
OLDNEW
« no previous file with comments | « sandbox/win/src/restricted_token_utils.h ('k') | sandbox/win/src/sandbox_policy.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698