Chromium Code Reviews Chromium Code Reviews
Issue 937353002:
Adding method to create process using LowBox token in sandbox code. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_ | 5 #ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_ |
| 6 #define SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_ | 6 #define SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_ |
| 7 | 7 |
| 8 #include <windows.h> | 8 #include <windows.h> |
| 9 | 9 |
| 10 #include <list> | 10 #include <list> |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 49 virtual ResultCode SetAlternateDesktop(bool alternate_winstation) override; | 49 virtual ResultCode SetAlternateDesktop(bool alternate_winstation) override; |
| 50 virtual base::string16 GetAlternateDesktop() const override; | 50 virtual base::string16 GetAlternateDesktop() const override; |
| 51 virtual ResultCode CreateAlternateDesktop(bool alternate_winstation) override; | 51 virtual ResultCode CreateAlternateDesktop(bool alternate_winstation) override; |
| 52 virtual void DestroyAlternateDesktop() override; | 52 virtual void DestroyAlternateDesktop() override; |
| 53 virtual ResultCode SetIntegrityLevel(IntegrityLevel integrity_level) override; | 53 virtual ResultCode SetIntegrityLevel(IntegrityLevel integrity_level) override; |
| 54 virtual IntegrityLevel GetIntegrityLevel() const override; | 54 virtual IntegrityLevel GetIntegrityLevel() const override; |
| 55 virtual ResultCode SetDelayedIntegrityLevel( | 55 virtual ResultCode SetDelayedIntegrityLevel( |
| 56 IntegrityLevel integrity_level) override; | 56 IntegrityLevel integrity_level) override; |
| 57 virtual ResultCode SetAppContainer(const wchar_t* sid) override; | 57 virtual ResultCode SetAppContainer(const wchar_t* sid) override; |
| 58 virtual ResultCode SetCapability(const wchar_t* sid) override; | 58 virtual ResultCode SetCapability(const wchar_t* sid) override; |
| 59 virtual ResultCode SetLowBox(const wchar_t* sid) override; | |
| 59 virtual ResultCode SetProcessMitigations(MitigationFlags flags) override; | 60 virtual ResultCode SetProcessMitigations(MitigationFlags flags) override; |
| 60 virtual MitigationFlags GetProcessMitigations() override; | 61 virtual MitigationFlags GetProcessMitigations() override; |
| 61 virtual ResultCode SetDelayedProcessMitigations( | 62 virtual ResultCode SetDelayedProcessMitigations( |
| 62 MitigationFlags flags) override; | 63 MitigationFlags flags) override; |
| 63 virtual MitigationFlags GetDelayedProcessMitigations() const override; | 64 virtual MitigationFlags GetDelayedProcessMitigations() const override; |
| 64 virtual void SetStrictInterceptions() override; | 65 virtual void SetStrictInterceptions() override; |
| 65 virtual ResultCode SetStdoutHandle(HANDLE handle) override; | 66 virtual ResultCode SetStdoutHandle(HANDLE handle) override; |
| 66 virtual ResultCode SetStderrHandle(HANDLE handle) override; | 67 virtual ResultCode SetStderrHandle(HANDLE handle) override; |
| 67 virtual ResultCode AddRule(SubSystem subsystem, Semantics semantics, | 68 virtual ResultCode AddRule(SubSystem subsystem, Semantics semantics, |
| 68 const wchar_t* pattern) override; | 69 const wchar_t* pattern) override; |
| (...skipping 10 matching lines...) Expand all Loading... | |
| 79 // Creates a Job object with the level specified in a previous call to | 80 // Creates a Job object with the level specified in a previous call to |
| 80 // SetJobLevel(). | 81 // SetJobLevel(). |
| 81 ResultCode MakeJobObject(HANDLE* job); | 82 ResultCode MakeJobObject(HANDLE* job); |
| 82 | 83 |
| 83 // Creates the two tokens with the levels specified in a previous call to | 84 // Creates the two tokens with the levels specified in a previous call to |
| 84 // SetTokenLevel(). | 85 // SetTokenLevel(). |
| 85 ResultCode MakeTokens(HANDLE* initial, HANDLE* lockdown); | 86 ResultCode MakeTokens(HANDLE* initial, HANDLE* lockdown); |
| 86 | 87 |
| 87 const AppContainerAttributes* GetAppContainer() const; | 88 const AppContainerAttributes* GetAppContainer() const; |
| 88 | 89 |
| 90 const PSID GetLowBoxSid() const; | |
| 91 | |
| 89 // Adds a target process to the internal list of targets. Internally a | 92 // Adds a target process to the internal list of targets. Internally a |
| 90 // call to TargetProcess::Init() is issued. | 93 // call to TargetProcess::Init() is issued. |
| 91 bool AddTarget(TargetProcess* target); | 94 bool AddTarget(TargetProcess* target); |
| 92 | 95 |
| 93 // Called when there are no more active processes in a Job. | 96 // Called when there are no more active processes in a Job. |
| 94 // Removes a Job object associated with this policy and the target associated | 97 // Removes a Job object associated with this policy and the target associated |
| 95 // with the job. | 98 // with the job. |
| 96 bool OnJobEmpty(HANDLE job); | 99 bool OnJobEmpty(HANDLE job); |
| 97 | 100 |
| 98 EvalResult EvalPolicy(int service, CountedParameterSetBase* params); | 101 EvalResult EvalPolicy(int service, CountedParameterSetBase* params); |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 151 // Memory structure that stores the low level policy. | 154 // Memory structure that stores the low level policy. |
| 152 PolicyGlobal* policy_; | 155 PolicyGlobal* policy_; |
| 153 // The list of dlls to unload in the target process. | 156 // The list of dlls to unload in the target process. |
| 154 std::vector<base::string16> blacklisted_dlls_; | 157 std::vector<base::string16> blacklisted_dlls_; |
| 155 // This is a map of handle-types to names that we need to close in the | 158 // This is a map of handle-types to names that we need to close in the |
| 156 // target process. A null set means we need to close all handles of the | 159 // target process. A null set means we need to close all handles of the |
| 157 // given type. | 160 // given type. |
| 158 HandleCloser handle_closer_; | 161 HandleCloser handle_closer_; |
| 159 std::vector<base::string16> capabilities_; | 162 std::vector<base::string16> capabilities_; |
| 160 scoped_ptr<AppContainerAttributes> appcontainer_list_; | 163 scoped_ptr<AppContainerAttributes> appcontainer_list_; |
| 164 PSID lowbox_sid_; | |
|
cpu_(ooo_6.6-7.5)
2015/02/28 02:13:53
instead pointer to sid? we don't use PHANDLE for
Shrikant Kelkar
2015/02/28 02:33:47
Sorry, didn't understand. We need PSID for CreateL
| |
| 161 | 165 |
| 162 static HDESK alternate_desktop_handle_; | 166 static HDESK alternate_desktop_handle_; |
| 163 static HWINSTA alternate_winstation_handle_; | 167 static HWINSTA alternate_winstation_handle_; |
| 164 static IntegrityLevel alternate_desktop_integrity_level_label_; | 168 static IntegrityLevel alternate_desktop_integrity_level_label_; |
| 165 | 169 |
| 166 DISALLOW_COPY_AND_ASSIGN(PolicyBase); | 170 DISALLOW_COPY_AND_ASSIGN(PolicyBase); |
| 167 }; | 171 }; |
| 168 | 172 |
| 169 } // namespace sandbox | 173 } // namespace sandbox |
| 170 | 174 |
| 171 #endif // SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_ | 175 #endif // SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_ |
| OLD | NEW |
