OLD | NEW |
| (Empty) |
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #ifndef SANDBOX_SRC_SECURITY_LEVEL_H_ | |
6 #define SANDBOX_SRC_SECURITY_LEVEL_H_ | |
7 | |
8 #include <stdint.h> | |
9 | |
10 namespace sandbox { | |
11 | |
12 // List of all the integrity levels supported in the sandbox. This is used | |
13 // only on Windows Vista. You can't set the integrity level of the process | |
14 // in the sandbox to a level higher than yours. | |
15 enum IntegrityLevel { | |
16 INTEGRITY_LEVEL_SYSTEM, | |
17 INTEGRITY_LEVEL_HIGH, | |
18 INTEGRITY_LEVEL_MEDIUM, | |
19 INTEGRITY_LEVEL_MEDIUM_LOW, | |
20 INTEGRITY_LEVEL_LOW, | |
21 INTEGRITY_LEVEL_BELOW_LOW, | |
22 INTEGRITY_LEVEL_UNTRUSTED, | |
23 INTEGRITY_LEVEL_LAST | |
24 }; | |
25 | |
26 // The Token level specifies a set of security profiles designed to | |
27 // provide the bulk of the security of sandbox. | |
28 // | |
29 // TokenLevel |Restricting |Deny Only |Privileges| | |
30 // |Sids |Sids | | | |
31 // ----------------------------|--------------|----------------|----------| | |
32 // USER_LOCKDOWN | Null Sid | All | None | | |
33 // ----------------------------|--------------|----------------|----------| | |
34 // USER_RESTRICTED | RESTRICTED | All | Traverse | | |
35 // ----------------------------|--------------|----------------|----------| | |
36 // USER_LIMITED | Users | All except: | Traverse | | |
37 // | Everyone | Users | | | |
38 // | RESTRICTED | Everyone | | | |
39 // | | Interactive | | | |
40 // ----------------------------|--------------|----------------|----------| | |
41 // USER_INTERACTIVE | Users | All except: | Traverse | | |
42 // | Everyone | Users | | | |
43 // | RESTRICTED | Everyone | | | |
44 // | Owner | Interactive | | | |
45 // | | Local | | | |
46 // | | Authent-users | | | |
47 // | | User | | | |
48 // ----------------------------|--------------|----------------|----------| | |
49 // USER_NON_ADMIN | None | All except: | Traverse | | |
50 // | | Users | | | |
51 // | | Everyone | | | |
52 // | | Interactive | | | |
53 // | | Local | | | |
54 // | | Authent-users | | | |
55 // | | User | | | |
56 // ----------------------------|--------------|----------------|----------| | |
57 // USER_RESTRICTED_SAME_ACCESS | All | None | All | | |
58 // ----------------------------|--------------|----------------|----------| | |
59 // USER_UNPROTECTED | None | None | All | | |
60 // ----------------------------|--------------|----------------|----------| | |
61 // | |
62 // The above restrictions are actually a transformation that is applied to | |
63 // the existing broker process token. The resulting token that will be | |
64 // applied to the target process depends both on the token level selected | |
65 // and on the broker token itself. | |
66 // | |
67 // The LOCKDOWN and RESTRICTED are designed to allow access to almost | |
68 // nothing that has security associated with and they are the recommended | |
69 // levels to run sandboxed code specially if there is a chance that the | |
70 // broker is process might be started by a user that belongs to the Admins | |
71 // or power users groups. | |
72 enum TokenLevel { | |
73 USER_LOCKDOWN = 0, | |
74 USER_RESTRICTED, | |
75 USER_LIMITED, | |
76 USER_INTERACTIVE, | |
77 USER_NON_ADMIN, | |
78 USER_RESTRICTED_SAME_ACCESS, | |
79 USER_UNPROTECTED, | |
80 USER_LAST | |
81 }; | |
82 | |
83 // The Job level specifies a set of decreasing security profiles for the | |
84 // Job object that the target process will be placed into. | |
85 // This table summarizes the security associated with each level: | |
86 // | |
87 // JobLevel |General |Quota | | |
88 // |restrictions |restrictions | | |
89 // -----------------|---------------------------------- |--------------------| | |
90 // JOB_NONE | No job is assigned to the | None | | |
91 // | sandboxed process. | | | |
92 // -----------------|---------------------------------- |--------------------| | |
93 // JOB_UNPROTECTED | None | *Kill on Job close.| | |
94 // -----------------|---------------------------------- |--------------------| | |
95 // JOB_INTERACTIVE | *Forbid system-wide changes using | | | |
96 // | SystemParametersInfo(). | *Kill on Job close.| | |
97 // | *Forbid the creation/switch of | | | |
98 // | Desktops. | | | |
99 // | *Forbids calls to ExitWindows(). | | | |
100 // -----------------|---------------------------------- |--------------------| | |
101 // JOB_LIMITED_USER | Same as INTERACTIVE_USER plus: | *One active process| | |
102 // | *Forbid changes to the display | limit. | | |
103 // | settings. | *Kill on Job close.| | |
104 // -----------------|---------------------------------- |--------------------| | |
105 // JOB_RESTRICTED | Same as LIMITED_USER plus: | *One active process| | |
106 // | * No read/write to the clipboard. | limit. | | |
107 // | * No access to User Handles that | *Kill on Job close.| | |
108 // | belong to other processes. | | | |
109 // | * Forbid message broadcasts. | | | |
110 // | * Forbid setting global hooks. | | | |
111 // | * No access to the global atoms | | | |
112 // | table. | | | |
113 // -----------------|-----------------------------------|--------------------| | |
114 // JOB_LOCKDOWN | Same as RESTRICTED | *One active process| | |
115 // | | limit. | | |
116 // | | *Kill on Job close.| | |
117 // | | *Kill on unhandled | | |
118 // | | exception. | | |
119 // | | | | |
120 // In the context of the above table, 'user handles' refers to the handles of | |
121 // windows, bitmaps, menus, etc. Files, treads and registry handles are kernel | |
122 // handles and are not affected by the job level settings. | |
123 enum JobLevel { | |
124 JOB_LOCKDOWN = 0, | |
125 JOB_RESTRICTED, | |
126 JOB_LIMITED_USER, | |
127 JOB_INTERACTIVE, | |
128 JOB_UNPROTECTED, | |
129 JOB_NONE | |
130 }; | |
131 | |
132 // These flags correspond to various process-level mitigations (eg. ASLR and | |
133 // DEP). Most are implemented via UpdateProcThreadAttribute() plus flags for | |
134 // the PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY attribute argument; documented | |
135 // here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686880 | |
136 // Some mitigations are implemented directly by the sandbox or emulated to | |
137 // the greatest extent possible when not directly supported by the OS. | |
138 // Flags that are unsupported for the target OS will be silently ignored. | |
139 // Flags that are invalid for their application (pre or post startup) will | |
140 // return SBOX_ERROR_BAD_PARAMS. | |
141 typedef uint64_t MitigationFlags; | |
142 | |
143 // Permanently enables DEP for the target process. Corresponds to | |
144 // PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE. | |
145 const MitigationFlags MITIGATION_DEP = 0x00000001; | |
146 | |
147 // Permanently Disables ATL thunk emulation when DEP is enabled. Valid | |
148 // only when MITIGATION_DEP is passed. Corresponds to not passing | |
149 // PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE. | |
150 const MitigationFlags MITIGATION_DEP_NO_ATL_THUNK = 0x00000002; | |
151 | |
152 // Enables Structured exception handling override prevention. Must be | |
153 // enabled prior to process start. Corresponds to | |
154 // PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE. | |
155 const MitigationFlags MITIGATION_SEHOP = 0x00000004; | |
156 | |
157 // Forces ASLR on all images in the child process. Corresponds to | |
158 // PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON . | |
159 const MitigationFlags MITIGATION_RELOCATE_IMAGE = 0x00000008; | |
160 | |
161 // Refuses to load DLLs that cannot support ASLR. Corresponds to | |
162 // PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS
. | |
163 const MitigationFlags MITIGATION_RELOCATE_IMAGE_REQUIRED = 0x00000010; | |
164 | |
165 // Terminates the process on Windows heap corruption. Coresponds to | |
166 // PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON. | |
167 const MitigationFlags MITIGATION_HEAP_TERMINATE = 0x00000020; | |
168 | |
169 // Sets a random lower bound as the minimum user address. Must be | |
170 // enabled prior to process start. On 32-bit processes this is | |
171 // emulated to a much smaller degree. Corresponds to | |
172 // PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON. | |
173 const MitigationFlags MITIGATION_BOTTOM_UP_ASLR = 0x00000040; | |
174 | |
175 // Increases the randomness range of bottom-up ASLR to up to 1TB. Must be | |
176 // enabled prior to process start and with MITIGATION_BOTTOM_UP_ASLR. | |
177 // Corresponds to | |
178 // PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON | |
179 const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR = 0x00000080; | |
180 | |
181 // Immediately raises an exception on a bad handle reference. Must be | |
182 // enabled after startup. Corresponds to | |
183 // PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON. | |
184 const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100; | |
185 | |
186 // Prevents the process from making Win32k calls. Corresponds to | |
187 // PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON. | |
188 const MitigationFlags MITIGATION_WIN32K_DISABLE = 0x00000200; | |
189 | |
190 // Disables common DLL injection methods (e.g. window hooks and | |
191 // App_InitDLLs). Corresponds to | |
192 // PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON. | |
193 const MitigationFlags MITIGATION_EXTENSION_DLL_DISABLE = 0x00000400; | |
194 | |
195 // Prevents the process from loading non-system fonts into GDI. | |
196 // Corresponds to | |
197 // PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON | |
198 const MitigationFlags MITIGATION_NONSYSTEM_FONT_DISABLE = 0x00000800; | |
199 | |
200 // Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional | |
201 // directories can be added via the Windows AddDllDirectory() function. | |
202 // http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515 | |
203 // Must be enabled after startup. | |
204 const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000001ULL << 32; | |
205 | |
206 // Changes the mandatory integrity level policy on the current process' token | |
207 // to enable no-read and no-execute up. This prevents a lower IL process from | |
208 // opening the process token for impersonate/duplicate/assignment. | |
209 const MitigationFlags MITIGATION_HARDEN_TOKEN_IL_POLICY = 0x00000001ULL << 33; | |
210 | |
211 // Blocks mapping of images from remote devices. Corresponds to | |
212 // PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON. | |
213 const MitigationFlags MITIGATION_IMAGE_LOAD_NO_REMOTE = 0x00000001ULL << 52; | |
214 | |
215 // Blocks mapping of images that have the low manditory label. Corresponds to | |
216 // PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_ON. | |
217 const MitigationFlags MITIGATION_IMAGE_LOAD_NO_LOW_LABEL = 0x00000001ULL << 56; | |
218 | |
219 } // namespace sandbox | |
220 | |
221 #endif // SANDBOX_SRC_SECURITY_LEVEL_H_ | |
OLD | NEW |