| // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__ |
| #define SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__ |
| |
| #include <accctrl.h> |
| #include <windows.h> |
| |
| #include "sandbox/src/restricted_token.h" |
| #include "sandbox/src/security_level.h" |
| |
| // Contains the utility functions to be able to create restricted tokens based |
| // on a security profiles. |
| |
| namespace sandbox { |
| |
| // The type of the token returned by the CreateNakedToken. |
| enum TokenType { |
| IMPERSONATION = 0, |
| PRIMARY |
| }; |
| |
| // Creates a restricted token based on the effective token of the current |
| // process. The parameter security_level determines how much the token is |
| // restricted. The token_type determines if the token will be used as a primary |
| // token or impersonation token. The integrity level of the token is set to |
| // |integrity level| on Vista only. |
| // token_handle is the output value containing the handle of the |
| // newly created restricted token. |
| // If the function succeeds, the return value is ERROR_SUCCESS. If the |
| // function fails, the return value is the win32 error code corresponding to |
| // the error. |
| DWORD CreateRestrictedToken(HANDLE *token_handle, |
| TokenLevel security_level, |
| IntegrityLevel integrity_level, |
| TokenType token_type); |
| |
| // Starts the process described by the input parameter command_line in a job |
| // with a restricted token. Also set the main thread of this newly created |
| // process to impersonate a user with more rights so it can initialize |
| // correctly. |
| // |
| // Parameters: primary_level is the security level of the primary token. |
| // impersonation_level is the security level of the impersonation token used |
| // to initialize the process. job_level is the security level of the job |
| // object used to encapsulate the process. |
| // |
| // The output parameter job_handle is the handle to the job object. It has |
| // to be closed with CloseHandle() when not needed. Closing this handle will |
| // kill the process started. |
| // |
| // Note: The process started with this function has to call RevertToSelf() as |
| // soon as possible to stop using the impersonation token and start being |
| // secure. |
| // |
| // Note: The Unicode version of this function will fail if the command_line |
| // parameter is a const string. |
| DWORD StartRestrictedProcessInJob(wchar_t *command_line, |
| TokenLevel primary_level, |
| TokenLevel impersonation_level, |
| JobLevel job_level, |
| HANDLE *job_handle); |
| |
| // Sets the integrity label on a object handle. |
| DWORD SetObjectIntegrityLabel(HANDLE handle, SE_OBJECT_TYPE type, |
| const wchar_t* ace_access, |
| const wchar_t* integrity_level_sid); |
| |
| // Sets the integrity level on a token. This is only valid on Vista. It returns |
| // without failing on XP. If the integrity level that you specify is greater |
| // than the current integrity level, the function will fail. |
| DWORD SetTokenIntegrityLevel(HANDLE token, IntegrityLevel integrity_level); |
| |
| // Sets the integrity level on the current process on Vista. It returns without |
| // failing on XP. If the integrity level that you specify is greater than the |
| // current integrity level, the function will fail. |
| DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level); |
| |
| } // namespace sandbox |
| |
| #endif // SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__ |