OLD | NEW |
| (Empty) |
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #ifndef SANDBOX_SRC_FILESYSTEM_POLICY_H__ | |
6 #define SANDBOX_SRC_FILESYSTEM_POLICY_H__ | |
7 | |
8 #include <stdint.h> | |
9 | |
10 #include <string> | |
11 | |
12 #include "base/strings/string16.h" | |
13 #include "sandbox/win/src/crosscall_server.h" | |
14 #include "sandbox/win/src/nt_internals.h" | |
15 #include "sandbox/win/src/policy_low_level.h" | |
16 #include "sandbox/win/src/sandbox_policy.h" | |
17 | |
18 namespace sandbox { | |
19 | |
20 enum EvalResult; | |
21 | |
22 // This class centralizes most of the knowledge related to file system policy | |
23 class FileSystemPolicy { | |
24 public: | |
25 // Creates the required low-level policy rules to evaluate a high-level | |
26 // policy rule for File IO, in particular open or create actions. | |
27 // 'name' is the file or directory name. | |
28 // 'semantics' is the desired semantics for the open or create. | |
29 // 'policy' is the policy generator to which the rules are going to be added. | |
30 static bool GenerateRules(const wchar_t* name, | |
31 TargetPolicy::Semantics semantics, | |
32 LowLevelPolicy* policy); | |
33 | |
34 // Add basic file system rules. | |
35 static bool SetInitialRules(LowLevelPolicy* policy); | |
36 | |
37 // Performs the desired policy action on a create request with an | |
38 // API that is compatible with the IPC-received parameters. | |
39 // 'client_info' : the target process that is making the request. | |
40 // 'eval_result' : The desired policy action to accomplish. | |
41 // 'file' : The target file or directory. | |
42 static bool CreateFileAction(EvalResult eval_result, | |
43 const ClientInfo& client_info, | |
44 const base::string16& file, | |
45 uint32_t attributes, | |
46 uint32_t desired_access, | |
47 uint32_t file_attributes, | |
48 uint32_t share_access, | |
49 uint32_t create_disposition, | |
50 uint32_t create_options, | |
51 HANDLE* handle, | |
52 NTSTATUS* nt_status, | |
53 ULONG_PTR* io_information); | |
54 | |
55 // Performs the desired policy action on an open request with an | |
56 // API that is compatible with the IPC-received parameters. | |
57 // 'client_info' : the target process that is making the request. | |
58 // 'eval_result' : The desired policy action to accomplish. | |
59 // 'file' : The target file or directory. | |
60 static bool OpenFileAction(EvalResult eval_result, | |
61 const ClientInfo& client_info, | |
62 const base::string16& file, | |
63 uint32_t attributes, | |
64 uint32_t desired_access, | |
65 uint32_t share_access, | |
66 uint32_t open_options, | |
67 HANDLE* handle, | |
68 NTSTATUS* nt_status, | |
69 ULONG_PTR* io_information); | |
70 | |
71 // Performs the desired policy action on a query request with an | |
72 // API that is compatible with the IPC-received parameters. | |
73 static bool QueryAttributesFileAction(EvalResult eval_result, | |
74 const ClientInfo& client_info, | |
75 const base::string16& file, | |
76 uint32_t attributes, | |
77 FILE_BASIC_INFORMATION* file_info, | |
78 NTSTATUS* nt_status); | |
79 | |
80 // Performs the desired policy action on a query request with an | |
81 // API that is compatible with the IPC-received parameters. | |
82 static bool QueryFullAttributesFileAction( | |
83 EvalResult eval_result, | |
84 const ClientInfo& client_info, | |
85 const base::string16& file, | |
86 uint32_t attributes, | |
87 FILE_NETWORK_OPEN_INFORMATION* file_info, | |
88 NTSTATUS* nt_status); | |
89 | |
90 // Performs the desired policy action on a set_info request with an | |
91 // API that is compatible with the IPC-received parameters. | |
92 static bool SetInformationFileAction(EvalResult eval_result, | |
93 const ClientInfo& client_info, | |
94 HANDLE target_file_handle, | |
95 void* file_info, | |
96 uint32_t length, | |
97 uint32_t info_class, | |
98 IO_STATUS_BLOCK* io_block, | |
99 NTSTATUS* nt_status); | |
100 }; | |
101 | |
102 // Expands the path and check if it's a reparse point. Returns false if the path | |
103 // cannot be trusted. | |
104 bool PreProcessName(base::string16* path); | |
105 | |
106 // Corrects global paths to have a correctly escaped NT prefix at the | |
107 // beginning. If the name has no NT prefix (either normal or escaped) | |
108 // add the escaped form to the string | |
109 base::string16 FixNTPrefixForMatch(const base::string16& name); | |
110 | |
111 } // namespace sandbox | |
112 | |
113 #endif // SANDBOX_SRC_FILESYSTEM_POLICY_H__ | |
OLD | NEW |