Index: sandbox/win/src/restricted_token_utils.cc |
diff --git a/sandbox/win/src/restricted_token_utils.cc b/sandbox/win/src/restricted_token_utils.cc |
index 93b212efaf3cd1597261874614368137f12d480c..5bd27f85962626863c9cd73e54295d53ee207f9a 100644 |
--- a/sandbox/win/src/restricted_token_utils.cc |
+++ b/sandbox/win/src/restricted_token_utils.cc |
@@ -342,4 +342,68 @@ DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level) { |
return SetTokenIntegrityLevel(token.Get(), integrity_level); |
} |
+DWORD HardenTokenIntegrityLevelPolicy(HANDLE token) { |
+ if (base::win::GetVersion() < base::win::VERSION_VISTA) |
cpu_(ooo_6.6-7.5)
2014/12/18 21:05:36
seven
forshaw
2014/12/19 08:30:00
Done.
|
+ return ERROR_SUCCESS; |
+ |
+ DWORD last_error = 0; |
+ DWORD length_needed = 0; |
+ |
+ GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, |
+ NULL, 0, &length_needed); |
+ |
+ last_error = ::GetLastError(); |
cpu_(ooo_6.6-7.5)
2014/12/18 21:05:36
Mixing :: style for calling windows apis. Looks at
forshaw
2014/12/19 08:30:00
Done.
|
+ if (last_error != ERROR_INSUFFICIENT_BUFFER) |
+ return last_error; |
+ |
+ std::vector<char> security_desc_buffer(length_needed); |
+ PSECURITY_DESCRIPTOR security_desc = |
+ reinterpret_cast<PSECURITY_DESCRIPTOR>(&security_desc_buffer[0]); |
+ |
+ if (!GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, |
+ security_desc, length_needed, |
+ &length_needed)) |
+ return ::GetLastError(); |
+ |
+ PACL sacl = NULL; |
+ BOOL sacl_present = FALSE; |
+ BOOL sacl_defaulted = FALSE; |
+ |
+ if (!GetSecurityDescriptorSacl(security_desc, &sacl_present, |
+ &sacl, &sacl_defaulted)) |
+ return ::GetLastError(); |
+ |
+ for (DWORD ace_index = 0; ace_index < sacl->AceCount; ++ace_index) { |
+ PSYSTEM_MANDATORY_LABEL_ACE ace; |
+ |
+ if (GetAce(sacl, ace_index, reinterpret_cast<LPVOID*>(&ace)) |
+ && ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE) |
+ { |
cpu_(ooo_6.6-7.5)
2014/12/18 21:05:36
381 bracket in the previous line?
forshaw
2014/12/19 08:30:00
Done.
|
+ ace->Mask |= SYSTEM_MANDATORY_LABEL_NO_READ_UP |
+ | SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP; |
+ break; |
+ } |
+ } |
+ |
+ if (!SetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION, |
+ security_desc)) |
+ return ::GetLastError(); |
+ |
+ return ERROR_SUCCESS; |
+} |
+ |
+DWORD HardenProcessIntegrityLevelPolicy() { |
+ if (base::win::GetVersion() < base::win::VERSION_VISTA) |
+ return ERROR_SUCCESS; |
+ |
+ HANDLE token_handle; |
+ if (!::OpenProcessToken(GetCurrentProcess(), READ_CONTROL | WRITE_OWNER, |
+ &token_handle)) |
+ return ::GetLastError(); |
+ |
+ base::win::ScopedHandle token(token_handle); |
cpu_(ooo_6.6-7.5)
2014/12/18 21:05:36
isn't there a base/ helper for doing 399 to 404 ?
forshaw
2014/12/19 08:30:00
Not that I could see in code search. The only user
|
+ |
+ return HardenTokenIntegrityLevelPolicy(token.Get()); |
+} |
+ |
} // namespace sandbox |
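Review bot: The loop in HardenTokenIntegrityLevelPolicy reads `sacl->AceCount` without checking `sacl_present` or `sacl`. GetSecurityDescriptorSacl can succeed while reporting that no SACL is present, which leaves `sacl` NULL, so a token without a mandatory label would crash here rather than return an error. A guard before the loop closes that, for example `if (!sacl_present || !sacl) return ERROR_INVALID_SECURITY_DESCR;` (or whichever error code the callers prefer). Separately, when no ACE of type SYSTEM_MANDATORY_LABEL_ACE_TYPE is matched, the function still calls SetKernelObjectSecurity and returns ERROR_SUCCESS, so the caller cannot tell that NO_READ_UP and NO_EXECUTE_UP were never applied. Setting a `bool hardened = true;` next to the `break` and returning an error when it stays false would make the hardening fail closed.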