| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_ | 5 #ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_ |
| 6 #define SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_ | 6 #define SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_ |
| 7 | 7 |
| 8 #include <windows.h> | 8 #include <windows.h> |
| 9 #include <stddef.h> | 9 #include <stddef.h> |
| 10 #include <stdint.h> | 10 #include <stdint.h> |
| (...skipping 10 matching lines...) Expand all Loading... |
| 21 #include "sandbox/win/src/crosscall_server.h" | 21 #include "sandbox/win/src/crosscall_server.h" |
| 22 #include "sandbox/win/src/handle_closer.h" | 22 #include "sandbox/win/src/handle_closer.h" |
| 23 #include "sandbox/win/src/ipc_tags.h" | 23 #include "sandbox/win/src/ipc_tags.h" |
| 24 #include "sandbox/win/src/policy_engine_opcodes.h" | 24 #include "sandbox/win/src/policy_engine_opcodes.h" |
| 25 #include "sandbox/win/src/policy_engine_params.h" | 25 #include "sandbox/win/src/policy_engine_params.h" |
| 26 #include "sandbox/win/src/sandbox_policy.h" | 26 #include "sandbox/win/src/sandbox_policy.h" |
| 27 #include "sandbox/win/src/win_utils.h" | 27 #include "sandbox/win/src/win_utils.h" |
| 28 | 28 |
| 29 namespace sandbox { | 29 namespace sandbox { |
| 30 | 30 |
| 31 class AppContainerAttributes; | |
| 32 class LowLevelPolicy; | 31 class LowLevelPolicy; |
| 33 class TargetProcess; | 32 class TargetProcess; |
| 34 struct PolicyGlobal; | 33 struct PolicyGlobal; |
| 35 | 34 |
| 36 class PolicyBase final : public TargetPolicy { | 35 class PolicyBase final : public TargetPolicy { |
| 37 public: | 36 public: |
| 38 PolicyBase(); | 37 PolicyBase(); |
| 39 | 38 |
| 40 // TargetPolicy: | 39 // TargetPolicy: |
| 41 void AddRef() override; | 40 void AddRef() override; |
| 42 void Release() override; | 41 void Release() override; |
| 43 ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) override; | 42 ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) override; |
| 44 TokenLevel GetInitialTokenLevel() const override; | 43 TokenLevel GetInitialTokenLevel() const override; |
| 45 TokenLevel GetLockdownTokenLevel() const override; | 44 TokenLevel GetLockdownTokenLevel() const override; |
| 46 ResultCode SetJobLevel(JobLevel job_level, uint32_t ui_exceptions) override; | 45 ResultCode SetJobLevel(JobLevel job_level, uint32_t ui_exceptions) override; |
| 47 JobLevel GetJobLevel() const override; | 46 JobLevel GetJobLevel() const override; |
| 48 ResultCode SetJobMemoryLimit(size_t memory_limit) override; | 47 ResultCode SetJobMemoryLimit(size_t memory_limit) override; |
| 49 ResultCode SetAlternateDesktop(bool alternate_winstation) override; | 48 ResultCode SetAlternateDesktop(bool alternate_winstation) override; |
| 50 base::string16 GetAlternateDesktop() const override; | 49 base::string16 GetAlternateDesktop() const override; |
| 51 ResultCode CreateAlternateDesktop(bool alternate_winstation) override; | 50 ResultCode CreateAlternateDesktop(bool alternate_winstation) override; |
| 52 void DestroyAlternateDesktop() override; | 51 void DestroyAlternateDesktop() override; |
| 53 ResultCode SetIntegrityLevel(IntegrityLevel integrity_level) override; | 52 ResultCode SetIntegrityLevel(IntegrityLevel integrity_level) override; |
| 54 IntegrityLevel GetIntegrityLevel() const override; | 53 IntegrityLevel GetIntegrityLevel() const override; |
| 55 ResultCode SetDelayedIntegrityLevel(IntegrityLevel integrity_level) override; | 54 ResultCode SetDelayedIntegrityLevel(IntegrityLevel integrity_level) override; |
| 56 ResultCode SetAppContainer(const wchar_t* sid) override; | |
| 57 ResultCode SetCapability(const wchar_t* sid) override; | 55 ResultCode SetCapability(const wchar_t* sid) override; |
| 58 ResultCode SetLowBox(const wchar_t* sid) override; | 56 ResultCode SetLowBox(const wchar_t* sid) override; |
| 59 ResultCode SetProcessMitigations(MitigationFlags flags) override; | 57 ResultCode SetProcessMitigations(MitigationFlags flags) override; |
| 60 MitigationFlags GetProcessMitigations() override; | 58 MitigationFlags GetProcessMitigations() override; |
| 61 ResultCode SetDelayedProcessMitigations(MitigationFlags flags) override; | 59 ResultCode SetDelayedProcessMitigations(MitigationFlags flags) override; |
| 62 MitigationFlags GetDelayedProcessMitigations() const override; | 60 MitigationFlags GetDelayedProcessMitigations() const override; |
| 63 void SetDisconnectCsrss() override; | 61 void SetDisconnectCsrss() override; |
| 64 void SetStrictInterceptions() override; | 62 void SetStrictInterceptions() override; |
| 65 ResultCode SetStdoutHandle(HANDLE handle) override; | 63 ResultCode SetStdoutHandle(HANDLE handle) override; |
| 66 ResultCode SetStderrHandle(HANDLE handle) override; | 64 ResultCode SetStderrHandle(HANDLE handle) override; |
| (...skipping 10 matching lines...) Expand all Loading... |
| 77 // SetJobLevel(). | 75 // SetJobLevel(). |
| 78 ResultCode MakeJobObject(base::win::ScopedHandle* job); | 76 ResultCode MakeJobObject(base::win::ScopedHandle* job); |
| 79 | 77 |
| 80 // Creates the two tokens with the levels specified in a previous call to | 78 // Creates the two tokens with the levels specified in a previous call to |
| 81 // SetTokenLevel(). Also creates a lowbox token if specified based on the | 79 // SetTokenLevel(). Also creates a lowbox token if specified based on the |
| 82 // lowbox SID. | 80 // lowbox SID. |
| 83 ResultCode MakeTokens(base::win::ScopedHandle* initial, | 81 ResultCode MakeTokens(base::win::ScopedHandle* initial, |
| 84 base::win::ScopedHandle* lockdown, | 82 base::win::ScopedHandle* lockdown, |
| 85 base::win::ScopedHandle* lowbox); | 83 base::win::ScopedHandle* lowbox); |
| 86 | 84 |
| 87 const AppContainerAttributes* GetAppContainer() const; | |
| 88 | |
| 89 PSID GetLowBoxSid() const; | 85 PSID GetLowBoxSid() const; |
| 90 | 86 |
| 91 // Adds a target process to the internal list of targets. Internally a | 87 // Adds a target process to the internal list of targets. Internally a |
| 92 // call to TargetProcess::Init() is issued. | 88 // call to TargetProcess::Init() is issued. |
| 93 bool AddTarget(TargetProcess* target); | 89 bool AddTarget(TargetProcess* target); |
| 94 | 90 |
| 95 // Called when there are no more active processes in a Job. | 91 // Called when there are no more active processes in a Job. |
| 96 // Removes a Job object associated with this policy and the target associated | 92 // Removes a Job object associated with this policy and the target associated |
| 97 // with the job. | 93 // with the job. |
| 98 bool OnJobEmpty(HANDLE job); | 94 bool OnJobEmpty(HANDLE job); |
| (...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 148 LowLevelPolicy* policy_maker_; | 144 LowLevelPolicy* policy_maker_; |
| 149 // Memory structure that stores the low level policy. | 145 // Memory structure that stores the low level policy. |
| 150 PolicyGlobal* policy_; | 146 PolicyGlobal* policy_; |
| 151 // The list of dlls to unload in the target process. | 147 // The list of dlls to unload in the target process. |
| 152 std::vector<base::string16> blacklisted_dlls_; | 148 std::vector<base::string16> blacklisted_dlls_; |
| 153 // This is a map of handle-types to names that we need to close in the | 149 // This is a map of handle-types to names that we need to close in the |
| 154 // target process. A null set means we need to close all handles of the | 150 // target process. A null set means we need to close all handles of the |
| 155 // given type. | 151 // given type. |
| 156 HandleCloser handle_closer_; | 152 HandleCloser handle_closer_; |
| 157 std::vector<base::string16> capabilities_; | 153 std::vector<base::string16> capabilities_; |
| 158 std::unique_ptr<AppContainerAttributes> appcontainer_list_; | |
| 159 PSID lowbox_sid_; | 154 PSID lowbox_sid_; |
| 160 base::win::ScopedHandle lowbox_directory_; | 155 base::win::ScopedHandle lowbox_directory_; |
| 161 std::unique_ptr<Dispatcher> dispatcher_; | 156 std::unique_ptr<Dispatcher> dispatcher_; |
| 162 bool lockdown_default_dacl_; | 157 bool lockdown_default_dacl_; |
| 163 | 158 |
| 164 static HDESK alternate_desktop_handle_; | 159 static HDESK alternate_desktop_handle_; |
| 165 static HWINSTA alternate_winstation_handle_; | 160 static HWINSTA alternate_winstation_handle_; |
| 166 static IntegrityLevel alternate_desktop_integrity_level_label_; | 161 static IntegrityLevel alternate_desktop_integrity_level_label_; |
| 167 | 162 |
| 168 // Contains the list of handles being shared with the target process. | 163 // Contains the list of handles being shared with the target process. |
| 169 // This list contains handles other than the stderr/stdout handles which are | 164 // This list contains handles other than the stderr/stdout handles which are |
| 170 // shared with the target at times. | 165 // shared with the target at times. |
| 171 base::HandlesToInheritVector handles_to_share_; | 166 base::HandlesToInheritVector handles_to_share_; |
| 172 | 167 |
| 173 DISALLOW_COPY_AND_ASSIGN(PolicyBase); | 168 DISALLOW_COPY_AND_ASSIGN(PolicyBase); |
| 174 }; | 169 }; |
| 175 | 170 |
| 176 } // namespace sandbox | 171 } // namespace sandbox |
| 177 | 172 |
| 178 #endif // SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_ | 173 #endif // SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1867223005:
Removed old AppContainer support. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master