1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_H_ | 5 #ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_H_ |
6 #define SANDBOX_WIN_SRC_SANDBOX_POLICY_H_ | 6 #define SANDBOX_WIN_SRC_SANDBOX_POLICY_H_ |
7 | 7 |
8 #include <string> | 8 #include <string> |
9 | 9 |
10 #include "base/basictypes.h" | 10 #include "base/basictypes.h" |
80 // definition. | 80 // definition. |
81 // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise. | 81 // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise. |
82 // Returns false if the lockdown value is more permissive than the initial | 82 // Returns false if the lockdown value is more permissive than the initial |
83 // value. | 83 // value. |
84 // | 84 // |
85 // Important: most of the sandbox-provided security relies on this single | 85 // Important: most of the sandbox-provided security relies on this single |
86 // setting. The caller should strive to set the lockdown level as restricted | 86 // setting. The caller should strive to set the lockdown level as restricted |
87 // as possible. | 87 // as possible. |
88 virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) = 0; | 88 virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) = 0; |
89 | 89 |
| 90 // Returns the initial token level. |
| 91 virtual TokenLevel GetInitialTokenLevel() const = 0; |
| 92 |
| 93 // Returns the lockdown token level. |
| 94 virtual TokenLevel GetLockdownTokenLevel() const = 0; |
| 95 |
90 // Sets the security level of the Job Object to which the target process will | 96 // Sets the security level of the Job Object to which the target process will |
91 // belong. This setting is permanent and cannot be changed once the target | 97 // belong. This setting is permanent and cannot be changed once the target |
92 // process is spawned. The job controls the global security settings which | 98 // process is spawned. The job controls the global security settings which |
93 // can not be specified in the token security profile. | 99 // can not be specified in the token security profile. |
94 // job_level: the security level for the job. See the explanation of each | 100 // job_level: the security level for the job. See the explanation of each |
95 // level in the JobLevel definition. | 101 // level in the JobLevel definition. |
96 // ui_exceptions: specify what specific rights that are disabled in the | 102 // ui_exceptions: specify what specific rights that are disabled in the |
97 // chosen job_level that need to be granted. Use this parameter to avoid | 103 // chosen job_level that need to be granted. Use this parameter to avoid |
98 // selecting the next permissive job level unless you need all the rights | 104 // selecting the next permissive job level unless you need all the rights |
99 // that are granted in such level. | 105 // that are granted in such level. |
137 | 143 |
138 // Destroys the desktop and windows station. | 144 // Destroys the desktop and windows station. |
139 virtual void DestroyAlternateDesktop() = 0; | 145 virtual void DestroyAlternateDesktop() = 0; |
140 | 146 |
141 // Sets the integrity level of the process in the sandbox. Both the initial | 147 // Sets the integrity level of the process in the sandbox. Both the initial |
142 // token and the main token will be affected by this. If the integrity level | 148 // token and the main token will be affected by this. If the integrity level |
143 // is set to a level higher than the current level, the sandbox will fail | 149 // is set to a level higher than the current level, the sandbox will fail |
144 // to start. | 150 // to start. |
145 virtual ResultCode SetIntegrityLevel(IntegrityLevel level) = 0; | 151 virtual ResultCode SetIntegrityLevel(IntegrityLevel level) = 0; |
146 | 152 |
| 153 // Returns the initial integrity level used. |
| 154 virtual IntegrityLevel GetIntegrityLevel() const = 0; |
| 155 |
147 // Sets the integrity level of the process in the sandbox. The integrity level | 156 // Sets the integrity level of the process in the sandbox. The integrity level |
148 // will not take effect before you call LowerToken. User Interface Privilege | 157 // will not take effect before you call LowerToken. User Interface Privilege |
149 // Isolation is not affected by this setting and will remain off for the | 158 // Isolation is not affected by this setting and will remain off for the |
150 // process in the sandbox. If the integrity level is set to a level higher | 159 // process in the sandbox. If the integrity level is set to a level higher |
151 // than the current level, the sandbox will fail to start. | 160 // than the current level, the sandbox will fail to start. |
152 virtual ResultCode SetDelayedIntegrityLevel(IntegrityLevel level) = 0; | 161 virtual ResultCode SetDelayedIntegrityLevel(IntegrityLevel level) = 0; |
153 | 162 |
154 // Sets the AppContainer to be used for the sandboxed process. Any capability | 163 // Sets the AppContainer to be used for the sandboxed process. Any capability |
155 // to be enabled for the process should be added before this method is invoked | 164 // to be enabled for the process should be added before this method is invoked |
156 // (by calling SetCapability() as many times as needed). | 165 // (by calling SetCapability() as many times as needed). |
172 virtual ResultCode SetProcessMitigations(MitigationFlags flags) = 0; | 181 virtual ResultCode SetProcessMitigations(MitigationFlags flags) = 0; |
173 | 182 |
174 // Returns the currently set mitigation flags. | 183 // Returns the currently set mitigation flags. |
175 virtual MitigationFlags GetProcessMitigations() = 0; | 184 virtual MitigationFlags GetProcessMitigations() = 0; |
176 | 185 |
177 // Sets process mitigation flags that don't take effect before the call to | 186 // Sets process mitigation flags that don't take effect before the call to |
178 // LowerToken(). | 187 // LowerToken(). |
179 virtual ResultCode SetDelayedProcessMitigations(MitigationFlags flags) = 0; | 188 virtual ResultCode SetDelayedProcessMitigations(MitigationFlags flags) = 0; |
180 | 189 |
181 // Returns the currently set delayed mitigation flags. | 190 // Returns the currently set delayed mitigation flags. |
182 virtual MitigationFlags GetDelayedProcessMitigations() = 0; | 191 virtual MitigationFlags GetDelayedProcessMitigations() const = 0; |
183 | 192 |
184 // Sets the interceptions to operate in strict mode. By default, interceptions | 193 // Sets the interceptions to operate in strict mode. By default, interceptions |
185 // are performed in "relaxed" mode, where if something inside NTDLL.DLL is | 194 // are performed in "relaxed" mode, where if something inside NTDLL.DLL is |
186 // already patched we attempt to intercept it anyway. Setting interceptions | 195 // already patched we attempt to intercept it anyway. Setting interceptions |
187 // to strict mode means that when we detect that the function is patched we'll | 196 // to strict mode means that when we detect that the function is patched we'll |
188 // refuse to perform the interception. | 197 // refuse to perform the interception. |
189 virtual void SetStrictInterceptions() = 0; | 198 virtual void SetStrictInterceptions() = 0; |
190 | 199 |
191 // Set the handles the target process should inherit for stdout and | 200 // Set the handles the target process should inherit for stdout and |
192 // stderr. The handles the caller passes must remain valid for the | 201 // stderr. The handles the caller passes must remain valid for the |
219 // A NULL value for handle_name indicates all handles of the specified type. | 228 // A NULL value for handle_name indicates all handles of the specified type. |
220 // An empty string for handle_name indicates the handle is unnamed. | 229 // An empty string for handle_name indicates the handle is unnamed. |
221 virtual ResultCode AddKernelObjectToClose(const wchar_t* handle_type, | 230 virtual ResultCode AddKernelObjectToClose(const wchar_t* handle_type, |
222 const wchar_t* handle_name) = 0; | 231 const wchar_t* handle_name) = 0; |
223 }; | 232 }; |
224 | 233 |
225 } // namespace sandbox | 234 } // namespace sandbox |
226 | 235 |
227 | 236 |
228 #endif // SANDBOX_WIN_SRC_SANDBOX_POLICY_H_ | 237 #endif // SANDBOX_WIN_SRC_SANDBOX_POLICY_H_ |
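Review bot: The comment on the new `GetIntegrityLevel()` accessor, `// Returns the initial integrity level used.`, does not say which setter it mirrors, and this interface has two of them — `SetIntegrityLevel()` directly above it and `SetDelayedIntegrityLevel()` directly below — so a caller reading the header cannot tell whether the delayed level is ever reported through it. Given the name matches `SetIntegrityLevel`, it presumably returns the value passed to that setter rather than the delayed one; if that is the case, the comment should say so, e.g. `// Returns the integrity level set via SetIntegrityLevel(). The level passed to SetDelayedIntegrityLevel() is not reported here.` It would also help to state what the getter returns before `SetIntegrityLevel()` has been called, since that cannot be inferred from this header; the same gap applies to the new `GetInitialTokenLevel()`/`GetLockdownTokenLevel()` pair earlier in the file. The enclosing `TargetPolicy` class begins and ends outside this hunk.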