Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(465)

Unified Diff: sandbox/win/src/sandbox_policy.h

Issue 1851213002: Remove sandbox on Windows. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: fix nacl compile issues Created 4 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « sandbox/win/src/sandbox_nt_util_unittest.cc ('k') | sandbox/win/src/sandbox_policy_base.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: sandbox/win/src/sandbox_policy.h
diff --git a/sandbox/win/src/sandbox_policy.h b/sandbox/win/src/sandbox_policy.h
deleted file mode 100644
index edac55ec91e6e6c8cc1bba7644617cbb10c0e2a9..0000000000000000000000000000000000000000
--- a/sandbox/win/src/sandbox_policy.h
+++ /dev/null
@@ -1,267 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
-#define SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "base/strings/string16.h"
-#include "sandbox/win/src/sandbox_types.h"
-#include "sandbox/win/src/security_level.h"
-
-namespace sandbox {
-
-class TargetPolicy {
- public:
- // Windows subsystems that can have specific rules.
- // Note: The process subsystem(SUBSY_PROCESS) does not evaluate the request
- // exactly like the CreateProcess API does. See the comment at the top of
- // process_thread_dispatcher.cc for more details.
- enum SubSystem {
- SUBSYS_FILES, // Creation and opening of files and pipes.
- SUBSYS_NAMED_PIPES, // Creation of named pipes.
- SUBSYS_PROCESS, // Creation of child processes.
- SUBSYS_REGISTRY, // Creation and opening of registry keys.
- SUBSYS_SYNC, // Creation of named sync objects.
- SUBSYS_HANDLES, // Duplication of handles to other processes.
- SUBSYS_WIN32K_LOCKDOWN // Win32K Lockdown related policy.
- };
-
- // Allowable semantics when a rule is matched.
- enum Semantics {
- FILES_ALLOW_ANY, // Allows open or create for any kind of access that
- // the file system supports.
- FILES_ALLOW_READONLY, // Allows open or create with read access only.
- FILES_ALLOW_QUERY, // Allows access to query the attributes of a file.
- FILES_ALLOW_DIR_ANY, // Allows open or create with directory semantics
- // only.
- HANDLES_DUP_ANY, // Allows duplicating handles opened with any
- // access permissions.
- HANDLES_DUP_BROKER, // Allows duplicating handles to the broker process.
- NAMEDPIPES_ALLOW_ANY, // Allows creation of a named pipe.
- PROCESS_MIN_EXEC, // Allows to create a process with minimal rights
- // over the resulting process and thread handles.
- // No other parameters besides the command line are
- // passed to the child process.
- PROCESS_ALL_EXEC, // Allows the creation of a process and return full
- // access on the returned handles.
- // This flag can be used only when the main token of
- // the sandboxed application is at least INTERACTIVE.
- EVENTS_ALLOW_ANY, // Allows the creation of an event with full access.
- EVENTS_ALLOW_READONLY, // Allows opening an even with synchronize access.
- REG_ALLOW_READONLY, // Allows readonly access to a registry key.
- REG_ALLOW_ANY, // Allows read and write access to a registry key.
- FAKE_USER_GDI_INIT // Fakes user32 and gdi32 initialization. This can
- // be used to allow the DLLs to load and initialize
- // even if the process cannot access that subsystem.
- };
-
- // Increments the reference count of this object. The reference count must
- // be incremented if this interface is given to another component.
- virtual void AddRef() = 0;
-
- // Decrements the reference count of this object. When the reference count
- // is zero the object is automatically destroyed.
- // Indicates that the caller is done with this interface. After calling
- // release no other method should be called.
- virtual void Release() = 0;
-
- // Sets the security level for the target process' two tokens.
- // This setting is permanent and cannot be changed once the target process is
- // spawned.
- // initial: the security level for the initial token. This is the token that
- // is used by the process from the creation of the process until the moment
- // the process calls TargetServices::LowerToken() or the process calls
- // win32's RevertToSelf(). Once this happens the initial token is no longer
- // available and the lockdown token is in effect. Using an initial token is
- // not compatible with AppContainer, see SetAppContainer.
- // lockdown: the security level for the token that comes into force after the
- // process calls TargetServices::LowerToken() or the process calls
- // RevertToSelf(). See the explanation of each level in the TokenLevel
- // definition.
- // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise.
- // Returns false if the lockdown value is more permissive than the initial
- // value.
- //
- // Important: most of the sandbox-provided security relies on this single
- // setting. The caller should strive to set the lockdown level as restricted
- // as possible.
- virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) = 0;
-
- // Returns the initial token level.
- virtual TokenLevel GetInitialTokenLevel() const = 0;
-
- // Returns the lockdown token level.
- virtual TokenLevel GetLockdownTokenLevel() const = 0;
-
- // Sets the security level of the Job Object to which the target process will
- // belong. This setting is permanent and cannot be changed once the target
- // process is spawned. The job controls the global security settings which
- // can not be specified in the token security profile.
- // job_level: the security level for the job. See the explanation of each
- // level in the JobLevel definition.
- // ui_exceptions: specify what specific rights that are disabled in the
- // chosen job_level that need to be granted. Use this parameter to avoid
- // selecting the next permissive job level unless you need all the rights
- // that are granted in such level.
- // The exceptions can be specified as a combination of the following
- // constants:
- // JOB_OBJECT_UILIMIT_HANDLES : grant access to all user-mode handles. These
- // include windows, icons, menus and various GDI objects. In addition the
- // target process can set hooks, and broadcast messages to other processes
- // that belong to the same desktop.
- // JOB_OBJECT_UILIMIT_READCLIPBOARD : grant read-only access to the clipboard.
- // JOB_OBJECT_UILIMIT_WRITECLIPBOARD : grant write access to the clipboard.
- // JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS : allow changes to the system-wide
- // parameters as defined by the Win32 call SystemParametersInfo().
- // JOB_OBJECT_UILIMIT_DISPLAYSETTINGS : allow programmatic changes to the
- // display settings.
- // JOB_OBJECT_UILIMIT_GLOBALATOMS : allow access to the global atoms table.
- // JOB_OBJECT_UILIMIT_DESKTOP : allow the creation of new desktops.
- // JOB_OBJECT_UILIMIT_EXITWINDOWS : allow the call to ExitWindows().
- //
- // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise.
- //
- // Note: JOB_OBJECT_XXXX constants are defined in winnt.h and documented at
- // length in:
- // http://msdn2.microsoft.com/en-us/library/ms684152.aspx
- //
- // Note: the recommended level is JOB_RESTRICTED or JOB_LOCKDOWN.
- virtual ResultCode SetJobLevel(JobLevel job_level,
- uint32_t ui_exceptions) = 0;
-
- // Returns the job level.
- virtual JobLevel GetJobLevel() const = 0;
-
- // Sets a hard limit on the size of the commit set for the sandboxed process.
- // If the limit is reached, the process will be terminated with
- // SBOX_FATAL_MEMORY_EXCEEDED (7012).
- virtual ResultCode SetJobMemoryLimit(size_t memory_limit) = 0;
-
- // Specifies the desktop on which the application is going to run. If the
- // desktop does not exist, it will be created. If alternate_winstation is
- // set to true, the desktop will be created on an alternate window station.
- virtual ResultCode SetAlternateDesktop(bool alternate_winstation) = 0;
-
- // Returns the name of the alternate desktop used. If an alternate window
- // station is specified, the name is prepended by the window station name,
- // followed by a backslash.
- virtual base::string16 GetAlternateDesktop() const = 0;
-
- // Precreates the desktop and window station, if any.
- virtual ResultCode CreateAlternateDesktop(bool alternate_winstation) = 0;
-
- // Destroys the desktop and windows station.
- virtual void DestroyAlternateDesktop() = 0;
-
- // Sets the integrity level of the process in the sandbox. Both the initial
- // token and the main token will be affected by this. If the integrity level
- // is set to a level higher than the current level, the sandbox will fail
- // to start.
- virtual ResultCode SetIntegrityLevel(IntegrityLevel level) = 0;
-
- // Returns the initial integrity level used.
- virtual IntegrityLevel GetIntegrityLevel() const = 0;
-
- // Sets the integrity level of the process in the sandbox. The integrity level
- // will not take effect before you call LowerToken. User Interface Privilege
- // Isolation is not affected by this setting and will remain off for the
- // process in the sandbox. If the integrity level is set to a level higher
- // than the current level, the sandbox will fail to start.
- virtual ResultCode SetDelayedIntegrityLevel(IntegrityLevel level) = 0;
-
- // Sets the AppContainer to be used for the sandboxed process. Any capability
- // to be enabled for the process should be added before this method is invoked
- // (by calling SetCapability() as many times as needed).
- // The desired AppContainer must be already installed on the system, otherwise
- // launching the sandboxed process will fail. See BrokerServices for details
- // about installing an AppContainer.
- // Note that currently Windows restricts the use of impersonation within
- // AppContainers, so this function is incompatible with the use of an initial
- // token.
- virtual ResultCode SetAppContainer(const wchar_t* sid) = 0;
-
- // Sets a capability to be enabled for the sandboxed process' AppContainer.
- virtual ResultCode SetCapability(const wchar_t* sid) = 0;
-
- // Sets the LowBox token for sandboxed process. This is mutually exclusive
- // with SetAppContainer method.
- virtual ResultCode SetLowBox(const wchar_t* sid) = 0;
-
- // Sets the mitigations enabled when the process is created. Most of these
- // are implemented as attributes passed via STARTUPINFOEX. So they take
- // effect before any thread in the target executes. The declaration of
- // MitigationFlags is followed by a detailed description of each flag.
- virtual ResultCode SetProcessMitigations(MitigationFlags flags) = 0;
-
- // Returns the currently set mitigation flags.
- virtual MitigationFlags GetProcessMitigations() = 0;
-
- // Sets process mitigation flags that don't take effect before the call to
- // LowerToken().
- virtual ResultCode SetDelayedProcessMitigations(MitigationFlags flags) = 0;
-
- // Returns the currently set delayed mitigation flags.
- virtual MitigationFlags GetDelayedProcessMitigations() const = 0;
-
- // Disconnect the target from CSRSS when TargetServices::LowerToken() is
- // called inside the target.
- virtual void SetDisconnectCsrss() = 0;
-
- // Sets the interceptions to operate in strict mode. By default, interceptions
- // are performed in "relaxed" mode, where if something inside NTDLL.DLL is
- // already patched we attempt to intercept it anyway. Setting interceptions
- // to strict mode means that when we detect that the function is patched we'll
- // refuse to perform the interception.
- virtual void SetStrictInterceptions() = 0;
-
- // Set the handles the target process should inherit for stdout and
- // stderr. The handles the caller passes must remain valid for the
- // lifetime of the policy object. This only has an effect on
- // Windows Vista and later versions. These methods accept pipe and
- // file handles, but not console handles.
- virtual ResultCode SetStdoutHandle(HANDLE handle) = 0;
- virtual ResultCode SetStderrHandle(HANDLE handle) = 0;
-
- // Adds a policy rule effective for processes spawned using this policy.
- // subsystem: One of the above enumerated windows subsystems.
- // semantics: One of the above enumerated FileSemantics.
- // pattern: A specific full path or a full path with wildcard patterns.
- // The valid wildcards are:
- // '*' : Matches zero or more character. Only one in series allowed.
- // '?' : Matches a single character. One or more in series are allowed.
- // Examples:
- // "c:\\documents and settings\\vince\\*.dmp"
- // "c:\\documents and settings\\*\\crashdumps\\*.dmp"
- // "c:\\temp\\app_log_?????_chrome.txt"
- virtual ResultCode AddRule(SubSystem subsystem, Semantics semantics,
- const wchar_t* pattern) = 0;
-
- // Adds a dll that will be unloaded in the target process before it gets
- // a chance to initialize itself. Typically, dlls that cause the target
- // to crash go here.
- virtual ResultCode AddDllToUnload(const wchar_t* dll_name) = 0;
-
- // Adds a handle that will be closed in the target process after lockdown.
- // A NULL value for handle_name indicates all handles of the specified type.
- // An empty string for handle_name indicates the handle is unnamed.
- virtual ResultCode AddKernelObjectToClose(const wchar_t* handle_type,
- const wchar_t* handle_name) = 0;
-
- // Adds a handle that will be shared with the target process. Does not take
- // ownership of the handle.
- virtual void AddHandleToShare(HANDLE handle) = 0;
-
- // Locks down the default DACL of the created lockdown and initial tokens
- // to restrict what other processes are allowed to access a process' kernel
- // resources.
- virtual void SetLockdownDefaultDacl() = 0;
-};
-
-} // namespace sandbox
-
-
-#endif // SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
« no previous file with comments | « sandbox/win/src/sandbox_nt_util_unittest.cc ('k') | sandbox/win/src/sandbox_policy_base.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698