[Windows] Remove old sandbox Sid class.
This CL removes the old sandbox Sid class and moves all users to the
new class in base.
Bug: 1266853
Change-Id: I572027bd5e846f71e8caa5849401fdef895d56f0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3273701
Commit-Queue: James Forshaw <forshaw@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#941001}
NOKEYCHECK=True
GitOrigin-RevId: 44f1184597a11b68b7658b5c2fb6d783b50b5590
diff --git a/policy/win/sandbox_test_utils.cc b/policy/win/sandbox_test_utils.cc
index 7cb2701..aca774f 100644
--- a/policy/win/sandbox_test_utils.cc
+++ b/policy/win/sandbox_test_utils.cc
@@ -5,6 +5,7 @@
#include "sandbox/policy/win/sandbox_test_utils.h"
#include "base/strings/strcat.h"
+#include "base/win/security_util.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace sandbox {
@@ -14,11 +15,11 @@
constexpr wchar_t kRegistryRead[] = L"registryRead";
constexpr wchar_t klpacPnpNotifications[] = L"lpacPnpNotifications";
-std::vector<Sid> GetCapabilitySids(
+std::vector<base::win::Sid> GetCapabilitySids(
const std::initializer_list<std::wstring>& capabilities) {
- std::vector<Sid> sids;
+ std::vector<base::win::Sid> sids;
for (const auto& capability : capabilities) {
- sids.emplace_back(Sid::FromNamedCapability(capability.c_str()));
+ sids.push_back(*base::win::Sid::FromNamedCapability(capability.c_str()));
}
return sids;
}
@@ -27,19 +28,19 @@
const std::initializer_list<std::wstring>& capabilities) {
std::wstring sddl = kBaseSecurityDescriptor;
for (const auto& capability : GetCapabilitySids(capabilities)) {
- std::wstring sid_string;
- CHECK(capability.ToSddlString(&sid_string));
- base::StrAppend(&sddl, {L"(A;;GRGX;;;", sid_string, L")"});
+ absl::optional<std::wstring> sid_string = capability.ToSddlString();
+ CHECK(sid_string);
+ base::StrAppend(&sddl, {L"(A;;GRGX;;;", *sid_string, L")"});
}
return sddl;
}
-void EqualSidList(const std::vector<Sid>& left, const std::vector<Sid>& right) {
+void EqualSidList(const std::vector<base::win::Sid>& left,
+ const std::vector<base::win::Sid>& right) {
EXPECT_EQ(left.size(), right.size());
auto result = std::mismatch(left.cbegin(), left.cend(), right.cbegin(),
[](const auto& left_sid, const auto& right_sid) {
- return !!::EqualSid(left_sid.GetPSID(),
- right_sid.GetPSID());
+ return left_sid == right_sid;
});
EXPECT_EQ(result.first, left.cend());
}
@@ -54,10 +55,8 @@
auto base_caps = GetCapabilitySids(
{klpacPnpNotifications, kLpacChromeInstallFiles, kRegistryRead});
- impersonation_caps.insert(impersonation_caps.end(), additional_caps.begin(),
- additional_caps.end());
- base_caps.insert(base_caps.end(), additional_caps.begin(),
- additional_caps.end());
+ base::win::AppendSidVector(impersonation_caps, additional_caps);
+ base::win::AppendSidVector(base_caps, additional_caps);
EqualSidList(impersonation_caps, profile->GetImpersonationCapabilities());
EqualSidList(base_caps, profile->GetCapabilities());
diff --git a/policy/win/sandbox_test_utils.h b/policy/win/sandbox_test_utils.h
index dc869c9..734d83b 100644
--- a/policy/win/sandbox_test_utils.h
+++ b/policy/win/sandbox_test_utils.h
@@ -8,8 +8,8 @@
#include <string>
#include <vector>
+#include "base/win/sid.h"
#include "sandbox/win/src/app_container_base.h"
-#include "sandbox/win/src/sid.h"
namespace sandbox {
namespace policy {
@@ -17,13 +17,14 @@
constexpr wchar_t kChromeInstallFiles[] = L"chromeInstallFiles";
constexpr wchar_t kLpacChromeInstallFiles[] = L"lpacChromeInstallFiles";
-std::vector<Sid> GetCapabilitySids(
+std::vector<base::win::Sid> GetCapabilitySids(
const std::initializer_list<std::wstring>& capabilities);
std::wstring GetAccessAllowedForCapabilities(
const std::initializer_list<std::wstring>& capabilities);
-void EqualSidList(const std::vector<Sid>& left, const std::vector<Sid>& right);
+void EqualSidList(const std::vector<base::win::Sid>& left,
+ const std::vector<base::win::Sid>& right);
void CheckCapabilities(
AppContainerBase* profile,
diff --git a/policy/win/sandbox_win.cc b/policy/win/sandbox_win.cc
index 30a2498..6c0285b 100644
--- a/policy/win/sandbox_win.cc
+++ b/policy/win/sandbox_win.cc
@@ -36,6 +36,7 @@
#include "base/trace_event/trace_event.h"
#include "base/win/iat_patch_function.h"
#include "base/win/scoped_handle.h"
+#include "base/win/sid.h"
#include "base/win/win_util.h"
#include "base/win/windows_version.h"
#include "printing/buildflags/buildflags.h"
@@ -688,9 +689,9 @@
// Please refer to the following design doc on why we add the capabilities:
// https://docs.google.com/document/d/19Y4Js5v3BlzA5uSuiVTvcvPNIOwmxcMSFJWtuc1A-w8/edit#heading=h.iqvhsrml3gl9
if (!container->AddCapability(
- sandbox::WellKnownCapabilities::kPrivateNetworkClientServer) ||
+ base::win::WellKnownCapability::kPrivateNetworkClientServer) ||
!container->AddCapability(
- sandbox::WellKnownCapabilities::kInternetClient)) {
+ base::win::WellKnownCapability::kInternetClient)) {
DLOG(ERROR)
<< "AppContainer::AddCapability() - "
<< "Sandbox::kMediaFoundationCdm internet capabilities failed";
@@ -716,7 +717,7 @@
if (sandbox_type == Sandbox::kWindowsSystemProxyResolver) {
if (!container->AddCapability(
- sandbox::WellKnownCapabilities::kInternetClient)) {
+ base::win::WellKnownCapability::kInternetClient)) {
DLOG(ERROR) << "AppContainer::AddCapability() - "
<< "Sandbox::kWindowsSystemProxyResolver internet "
"capabilities failed";
@@ -767,10 +768,10 @@
// Enable LPAC for Network service.
if (sandbox_type == Sandbox::kNetwork) {
container->AddCapability(
- sandbox::WellKnownCapabilities::kPrivateNetworkClientServer);
- container->AddCapability(sandbox::WellKnownCapabilities::kInternetClient);
+ base::win::WellKnownCapability::kPrivateNetworkClientServer);
+ container->AddCapability(base::win::WellKnownCapability::kInternetClient);
container->AddCapability(
- sandbox::WellKnownCapabilities::kEnterpriseAuthentication);
+ base::win::WellKnownCapability::kEnterpriseAuthentication);
container->AddCapability(L"lpacIdentityServices");
container->AddCapability(L"lpacCryptoServices");
container->SetEnableLowPrivilegeAppContainer(true);
diff --git a/policy/win/sandbox_win_unittest.cc b/policy/win/sandbox_win_unittest.cc
index f45d320..8d32db1 100644
--- a/policy/win/sandbox_win_unittest.cc
+++ b/policy/win/sandbox_win_unittest.cc
@@ -21,6 +21,8 @@
#include "base/path_service.h"
#include "base/scoped_native_library.h"
#include "base/test/scoped_feature_list.h"
+#include "base/win/security_util.h"
+#include "base/win/sid.h"
#include "base/win/windows_version.h"
#include "build/build_config.h"
#include "sandbox/policy/features.h"
@@ -244,10 +246,10 @@
command_line, false, sandbox::mojom::Sandbox::kGpu, &profile);
ASSERT_EQ(SBOX_ALL_OK, result);
ASSERT_NE(nullptr, profile);
- auto package_sid = Sid::FromSddlString(kPackageSid);
- ASSERT_TRUE(package_sid.IsValid());
- EXPECT_TRUE(
- ::EqualSid(package_sid.GetPSID(), profile->GetPackageSid().GetPSID()));
+ absl::optional<base::win::Sid> package_sid =
+ base::win::Sid::FromSddlString(kPackageSid);
+ ASSERT_TRUE(package_sid);
+ EXPECT_EQ(package_sid, profile->GetPackageSid());
EXPECT_TRUE(profile->GetEnableLowPrivilegeAppContainer());
CheckCapabilities(profile.get(), {});
}
diff --git a/win/BUILD.gn b/win/BUILD.gn
index 8fb6c13..05d869b 100644
--- a/win/BUILD.gn
+++ b/win/BUILD.gn
@@ -115,8 +115,6 @@
"src/sharedmem_ipc_client.h",
"src/sharedmem_ipc_server.cc",
"src/sharedmem_ipc_server.h",
- "src/sid.cc",
- "src/sid.h",
"src/signed_dispatcher.cc",
"src/signed_dispatcher.h",
"src/signed_interception.cc",
@@ -336,7 +334,6 @@
"src/restricted_token_unittest.cc",
"src/sandbox_nt_util_unittest.cc",
"src/service_resolver_unittest.cc",
- "src/sid_unittest.cc",
"src/threadpool_unittest.cc",
"src/win_utils_unittest.cc",
"tests/common/test_utils.cc",
diff --git a/win/src/acl.cc b/win/src/acl.cc
index d77fe62..243d97c 100644
--- a/win/src/acl.cc
+++ b/win/src/acl.cc
@@ -10,6 +10,7 @@
#include "base/check.h"
#include "base/memory/free_deleter.h"
#include "base/notreached.h"
+#include "base/win/scoped_localalloc.h"
namespace sandbox {
@@ -32,14 +33,11 @@
reinterpret_cast<TOKEN_DEFAULT_DACL*>(malloc(length));
default_dacl->reset(acl);
- if (!::GetTokenInformation(token, TokenDefaultDacl, default_dacl->get(),
- length, &length))
- return false;
-
- return true;
+ return !!::GetTokenInformation(token, TokenDefaultDacl, default_dacl->get(),
+ length, &length);
}
-bool AddSidToDacl(const Sid& sid,
+bool AddSidToDacl(const base::win::Sid& sid,
ACL* old_dacl,
ACCESS_MODE access_mode,
ACCESS_MASK access,
@@ -61,7 +59,7 @@
}
bool AddSidToDefaultDacl(HANDLE token,
- const Sid& sid,
+ const base::win::Sid& sid,
ACCESS_MODE access_mode,
ACCESS_MASK access) {
if (!token)
@@ -71,102 +69,114 @@
if (!GetDefaultDacl(token, &default_dacl))
return false;
- ACL* new_dacl = nullptr;
+ ACL* new_dacl_ptr = nullptr;
if (!AddSidToDacl(sid, default_dacl->DefaultDacl, access_mode, access,
- &new_dacl))
+ &new_dacl_ptr)) {
return false;
+ }
+ auto new_dacl = base::win::TakeLocalAlloc(new_dacl_ptr);
TOKEN_DEFAULT_DACL new_token_dacl = {0};
- new_token_dacl.DefaultDacl = new_dacl;
+ new_token_dacl.DefaultDacl = new_dacl.get();
- bool ret = ::SetTokenInformation(token, TokenDefaultDacl, &new_token_dacl,
- sizeof(new_token_dacl));
- ::LocalFree(new_dacl);
- return ret;
+ return !!::SetTokenInformation(token, TokenDefaultDacl, &new_token_dacl,
+ sizeof(new_token_dacl));
+}
+
+bool AddSidToDefaultDacl(HANDLE token,
+ base::win::WellKnownSid known_sid,
+ ACCESS_MODE access_mode,
+ ACCESS_MASK access) {
+ absl::optional<base::win::Sid> sid = base::win::Sid::FromKnownSid(known_sid);
+ if (!sid)
+ return false;
+ return AddSidToDefaultDacl(token, *sid, access_mode, access);
}
bool RevokeLogonSidFromDefaultDacl(HANDLE token) {
- DWORD size = sizeof(TOKEN_GROUPS) + SECURITY_MAX_SID_SIZE;
- TOKEN_GROUPS* logon_sid = reinterpret_cast<TOKEN_GROUPS*>(malloc(size));
+ char logon_sid_buffer[sizeof(TOKEN_GROUPS) + SECURITY_MAX_SID_SIZE];
+ DWORD size = sizeof(logon_sid_buffer);
- std::unique_ptr<TOKEN_GROUPS, base::FreeDeleter> logon_sid_ptr(logon_sid);
-
- if (!::GetTokenInformation(token, TokenLogonSid, logon_sid, size, &size)) {
+ if (!::GetTokenInformation(token, TokenLogonSid, logon_sid_buffer, size,
+ &size)) {
// If no logon sid, there's nothing to revoke.
if (::GetLastError() == ERROR_NOT_FOUND)
return true;
return false;
}
- if (logon_sid->GroupCount < 1) {
+ TOKEN_GROUPS* logon_sid_ptr =
+ reinterpret_cast<TOKEN_GROUPS*>(logon_sid_buffer);
+ if (logon_sid_ptr->GroupCount < 1) {
::SetLastError(ERROR_INVALID_TOKEN);
return false;
}
- return AddSidToDefaultDacl(token,
- reinterpret_cast<SID*>(logon_sid->Groups[0].Sid),
- REVOKE_ACCESS, 0);
+ absl::optional<base::win::Sid> logon_sid =
+ base::win::Sid::FromPSID(logon_sid_ptr->Groups[0].Sid);
+ if (!logon_sid) {
+ ::SetLastError(ERROR_INVALID_SID);
+ return false;
+ }
+ return AddSidToDefaultDacl(token, *logon_sid, REVOKE_ACCESS, 0);
}
bool AddUserSidToDefaultDacl(HANDLE token, ACCESS_MASK access) {
- DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE;
- TOKEN_USER* token_user = reinterpret_cast<TOKEN_USER*>(malloc(size));
-
- std::unique_ptr<TOKEN_USER, base::FreeDeleter> token_user_ptr(token_user);
-
- if (!::GetTokenInformation(token, TokenUser, token_user, size, &size))
+ absl::optional<base::win::Sid> user_sid = base::win::Sid::FromToken(token);
+ if (!user_sid)
return false;
- return AddSidToDefaultDacl(token,
- reinterpret_cast<SID*>(token_user->User.Sid),
- GRANT_ACCESS, access);
+ return AddSidToDefaultDacl(token, *user_sid, GRANT_ACCESS, access);
}
bool AddKnownSidToObject(HANDLE object,
SE_OBJECT_TYPE object_type,
- const Sid& sid,
+ const base::win::Sid& sid,
ACCESS_MODE access_mode,
ACCESS_MASK access) {
- PSECURITY_DESCRIPTOR descriptor = nullptr;
+ PSECURITY_DESCRIPTOR descriptor_ptr = nullptr;
PACL old_dacl = nullptr;
- PACL new_dacl = nullptr;
if (ERROR_SUCCESS !=
::GetSecurityInfo(object, object_type, DACL_SECURITY_INFORMATION, nullptr,
- nullptr, &old_dacl, nullptr, &descriptor))
- return false;
-
- if (!AddSidToDacl(sid, old_dacl, access_mode, access, &new_dacl)) {
- ::LocalFree(descriptor);
+ nullptr, &old_dacl, nullptr, &descriptor_ptr)) {
return false;
}
- DWORD result =
- ::SetSecurityInfo(object, object_type, DACL_SECURITY_INFORMATION, nullptr,
- nullptr, new_dacl, nullptr);
-
- ::LocalFree(new_dacl);
- ::LocalFree(descriptor);
-
- if (ERROR_SUCCESS != result)
+ auto descriptor = base::win::TakeLocalAlloc(descriptor_ptr);
+ PACL new_dacl_ptr = nullptr;
+ if (!AddSidToDacl(sid, old_dacl, access_mode, access, &new_dacl_ptr))
return false;
- return true;
+ auto new_dacl = base::win::TakeLocalAlloc(new_dacl_ptr);
+ return ::SetSecurityInfo(object, object_type, DACL_SECURITY_INFORMATION,
+ nullptr, nullptr, new_dacl.get(),
+ nullptr) == ERROR_SUCCESS;
+}
+
+bool AddKnownSidToObject(HANDLE object,
+ SE_OBJECT_TYPE object_type,
+ base::win::WellKnownSid known_sid,
+ ACCESS_MODE access_mode,
+ ACCESS_MASK access) {
+ absl::optional<base::win::Sid> sid = base::win::Sid::FromKnownSid(known_sid);
+ if (!sid)
+ return false;
+ return AddKnownSidToObject(object, object_type, *sid, access_mode, access);
}
bool ReplacePackageSidInDacl(HANDLE object,
SE_OBJECT_TYPE object_type,
- const Sid& package_sid,
+ const base::win::Sid& package_sid,
ACCESS_MASK access) {
if (!AddKnownSidToObject(object, object_type, package_sid, REVOKE_ACCESS,
0)) {
return false;
}
- Sid any_package_sid(::WinBuiltinAnyPackageSid);
- if (!AddKnownSidToObject(object, object_type, any_package_sid, GRANT_ACCESS,
- access)) {
- return false;
- }
- return true;
+ return AddKnownSidToObject(
+ object, object_type,
+ *base::win::Sid::FromKnownSid(
+ base::win::WellKnownSid::kAllApplicationPackages),
+ GRANT_ACCESS, access);
}
} // namespace sandbox
diff --git a/win/src/acl.h b/win/src/acl.h
index e1e97c2..fd07fa0 100644
--- a/win/src/acl.h
+++ b/win/src/acl.h
@@ -11,7 +11,7 @@
#include <memory>
#include "base/memory/free_deleter.h"
-#include "sandbox/win/src/sid.h"
+#include "base/win/sid.h"
namespace sandbox {
@@ -23,7 +23,7 @@
// Appends an ACE represented by |sid|, |access_mode|, and |access| to
// |old_dacl|. If the function succeeds, new_dacl contains the new dacl and
// must be freed using LocalFree.
-bool AddSidToDacl(const Sid& sid,
+bool AddSidToDacl(const base::win::Sid& sid,
ACL* old_dacl,
ACCESS_MODE access_mode,
ACCESS_MASK access,
@@ -32,7 +32,14 @@
// Adds an ACE represented by |sid| and |access| with |access_mode| to the
// default dacl present in the token.
bool AddSidToDefaultDacl(HANDLE token,
- const Sid& sid,
+ const base::win::Sid& sid,
+ ACCESS_MODE access_mode,
+ ACCESS_MASK access);
+
+// Adds an ACE represented by |known_sid| and |access| with |access_mode| to the
+// default dacl present in the token.
+bool AddSidToDefaultDacl(HANDLE token,
+ base::win::WellKnownSid known_sid,
ACCESS_MODE access_mode,
ACCESS_MASK access);
@@ -47,7 +54,15 @@
// the dacl of the kernel object referenced by |object| and of |object_type|.
bool AddKnownSidToObject(HANDLE object,
SE_OBJECT_TYPE object_type,
- const Sid& sid,
+ base::win::WellKnownSid known_sid,
+ ACCESS_MODE access_mode,
+ ACCESS_MASK access);
+
+// Adds an ACE represented by |sid|, |access_mode|, and |access| to
+// the dacl of the kernel object referenced by |object| and of |object_type|.
+bool AddKnownSidToObject(HANDLE object,
+ SE_OBJECT_TYPE object_type,
+ const base::win::Sid& sid,
ACCESS_MODE access_mode,
ACCESS_MASK access);
@@ -56,7 +71,7 @@
// AppContainer.
bool ReplacePackageSidInDacl(HANDLE object,
SE_OBJECT_TYPE object_type,
- const Sid& package_sid,
+ const base::win::Sid& package_sid,
ACCESS_MASK access);
} // namespace sandbox
diff --git a/win/src/app_container.h b/win/src/app_container.h
index 73f71c1..c657b8a 100644
--- a/win/src/app_container.h
+++ b/win/src/app_container.h
@@ -11,7 +11,7 @@
#include "base/files/file_path.h"
#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/sid.h"
+#include "base/win/sid.h"
namespace sandbox {
@@ -55,14 +55,15 @@
// Adds a capability by name to this profile.
virtual bool AddCapability(const wchar_t* capability_name) = 0;
// Adds a capability from a known list.
- virtual bool AddCapability(WellKnownCapabilities capability) = 0;
+ virtual bool AddCapability(base::win::WellKnownCapability capability) = 0;
// Adds a capability from a SID
virtual bool AddCapabilitySddl(const wchar_t* sddl_sid) = 0;
// Adds an impersonation capability by name to this profile.
virtual bool AddImpersonationCapability(const wchar_t* capability_name) = 0;
// Adds an impersonation capability from a known list.
- virtual bool AddImpersonationCapability(WellKnownCapabilities capability) = 0;
+ virtual bool AddImpersonationCapability(
+ base::win::WellKnownCapability capability) = 0;
// Adds an impersonation capability from a SID
virtual bool AddImpersonationCapabilitySddl(const wchar_t* sddl_sid) = 0;
diff --git a/win/src/app_container_base.cc b/win/src/app_container_base.cc
index 9cb27f0..916ab59 100644
--- a/win/src/app_container_base.cc
+++ b/win/src/app_container_base.cc
@@ -90,16 +90,19 @@
if (!create_app_container_profile)
return nullptr;
- PSID package_sid = nullptr;
+ PSID package_sid_ptr = nullptr;
HRESULT hr = create_app_container_profile(
- package_name, display_name, description, nullptr, 0, &package_sid);
+ package_name, display_name, description, nullptr, 0, &package_sid_ptr);
if (hr == HRESULT_FROM_WIN32(ERROR_ALREADY_EXISTS))
return Open(package_name);
if (FAILED(hr))
return nullptr;
- std::unique_ptr<void, FreeSidDeleter> sid_deleter(package_sid);
- return new AppContainerBase(Sid(package_sid), AppContainerType::kProfile);
+ std::unique_ptr<void, FreeSidDeleter> sid_deleter(package_sid_ptr);
+ auto package_sid = base::win::Sid::FromPSID(package_sid_ptr);
+ if (!package_sid)
+ return nullptr;
+ return new AppContainerBase(*package_sid, AppContainerType::kProfile);
}
// static
@@ -111,23 +114,25 @@
if (!derive_app_container_sid)
return nullptr;
- PSID package_sid = nullptr;
- HRESULT hr = derive_app_container_sid(package_name, &package_sid);
+ PSID package_sid_ptr = nullptr;
+ HRESULT hr = derive_app_container_sid(package_name, &package_sid_ptr);
if (FAILED(hr))
return nullptr;
- std::unique_ptr<void, FreeSidDeleter> sid_deleter(package_sid);
- return new AppContainerBase(Sid(package_sid), AppContainerType::kDerived);
+ std::unique_ptr<void, FreeSidDeleter> sid_deleter(package_sid_ptr);
+ auto package_sid = base::win::Sid::FromPSID(package_sid_ptr);
+ if (!package_sid)
+ return nullptr;
+ return new AppContainerBase(*package_sid, AppContainerType::kDerived);
}
// static
AppContainerBase* AppContainerBase::CreateLowbox(const wchar_t* sid) {
- PSID package_sid;
- if (!ConvertStringSidToSid(sid, &package_sid))
+ auto package_sid = base::win::Sid::FromSddlString(sid);
+ if (!package_sid)
return nullptr;
- std::unique_ptr<void, LocalFreeDeleter> sid_deleter(package_sid);
- return new AppContainerBase(Sid(package_sid), AppContainerType::kLowbox);
+ return new AppContainerBase(*package_sid, AppContainerType::kLowbox);
}
// static
@@ -141,10 +146,10 @@
return SUCCEEDED(delete_app_container_profile(package_name));
}
-AppContainerBase::AppContainerBase(const Sid& package_sid,
+AppContainerBase::AppContainerBase(base::win::Sid& package_sid,
AppContainerType type)
: ref_count_(0),
- package_sid_(package_sid),
+ package_sid_(std::move(package_sid)),
enable_low_privilege_app_container_(false),
type_(type) {}
@@ -190,11 +195,11 @@
GetModuleHandle(L"userenv"), "GetAppContainerFolderPath"));
if (!get_app_container_folder_path)
return false;
- std::wstring sddl_str;
- if (!package_sid_.ToSddlString(&sddl_str))
+ auto sddl_str = package_sid_.ToSddlString();
+ if (!sddl_str)
return false;
base::win::ScopedCoMem<wchar_t> path_str;
- if (FAILED(get_app_container_folder_path(sddl_str.c_str(), &path_str)))
+ if (FAILED(get_app_container_folder_path(sddl_str->c_str(), &path_str)))
return false;
*file_path = base::FilePath(path_str.get());
return true;
@@ -202,11 +207,11 @@
bool AppContainerBase::GetPipePath(const wchar_t* pipe_name,
base::FilePath* pipe_path) {
- std::wstring sddl_str;
- if (!package_sid_.ToSddlString(&sddl_str))
+ auto sddl_str = package_sid_.ToSddlString();
+ if (!sddl_str)
return false;
*pipe_path = base::FilePath(base::StringPrintf(L"\\\\.\\pipe\\%ls\\%ls",
- sddl_str.c_str(), pipe_name));
+ sddl_str->c_str(), pipe_name));
return true;
}
@@ -232,7 +237,8 @@
std::unique_ptr<void, LocalFreeDeleter> sd_ptr(sd);
if (enable_low_privilege_app_container_) {
- Sid any_package_sid(::WinBuiltinAnyPackageSid);
+ base::win::Sid any_package_sid = *base::win::Sid::FromKnownSid(
+ base::win::WellKnownSid::kAllApplicationPackages);
// We can't create a LPAC token directly, so modify the DACL to simulate it.
// Set mask for ALL APPLICATION PACKAGE Sid to 0.
for (WORD index = 0; index < dacl->AceCount; ++index) {
@@ -249,7 +255,7 @@
if (!::IsValidSid(&ace->SidStart)) {
continue;
}
- if (::EqualSid(&ace->SidStart, any_package_sid.GetPSID())) {
+ if (any_package_sid.Equal(&ace->SidStart)) {
ace->Mask = 0;
}
}
@@ -268,50 +274,55 @@
}
bool AppContainerBase::AddCapability(const wchar_t* capability_name) {
- return AddCapability(Sid::FromNamedCapability(capability_name), false);
+ return AddCapability(base::win::Sid::FromNamedCapability(capability_name),
+ false);
}
-bool AppContainerBase::AddCapability(WellKnownCapabilities capability) {
- return AddCapability(Sid::FromKnownCapability(capability), false);
+bool AppContainerBase::AddCapability(
+ base::win::WellKnownCapability capability) {
+ return AddCapability(base::win::Sid::FromKnownCapability(capability), false);
}
bool AppContainerBase::AddCapabilitySddl(const wchar_t* sddl_sid) {
- return AddCapability(Sid::FromSddlString(sddl_sid), false);
+ return AddCapability(base::win::Sid::FromSddlString(sddl_sid), false);
}
-bool AppContainerBase::AddCapability(const Sid& capability_sid,
- bool impersonation_only) {
- if (!capability_sid.IsValid())
+bool AppContainerBase::AddCapability(
+ const absl::optional<base::win::Sid>& capability_sid,
+ bool impersonation_only) {
+ if (!capability_sid)
return false;
if (!impersonation_only)
- capabilities_.push_back(capability_sid);
- impersonation_capabilities_.push_back(capability_sid);
+ capabilities_.push_back(capability_sid->Clone());
+ impersonation_capabilities_.push_back(capability_sid->Clone());
return true;
}
bool AppContainerBase::AddImpersonationCapability(
const wchar_t* capability_name) {
- return AddCapability(Sid::FromNamedCapability(capability_name), true);
+ return AddCapability(base::win::Sid::FromNamedCapability(capability_name),
+ true);
}
bool AppContainerBase::AddImpersonationCapability(
- WellKnownCapabilities capability) {
- return AddCapability(Sid::FromKnownCapability(capability), true);
+ base::win::WellKnownCapability capability) {
+ return AddCapability(base::win::Sid::FromKnownCapability(capability), true);
}
bool AppContainerBase::AddImpersonationCapabilitySddl(const wchar_t* sddl_sid) {
- return AddCapability(Sid::FromSddlString(sddl_sid), true);
+ return AddCapability(base::win::Sid::FromSddlString(sddl_sid), true);
}
-const std::vector<Sid>& AppContainerBase::GetCapabilities() {
+const std::vector<base::win::Sid>& AppContainerBase::GetCapabilities() {
return capabilities_;
}
-const std::vector<Sid>& AppContainerBase::GetImpersonationCapabilities() {
+const std::vector<base::win::Sid>&
+AppContainerBase::GetImpersonationCapabilities() {
return impersonation_capabilities_;
}
-Sid AppContainerBase::GetPackageSid() const {
+const base::win::Sid& AppContainerBase::GetPackageSid() const {
return package_sid_;
}
diff --git a/win/src/app_container_base.h b/win/src/app_container_base.h
index 990a510..7ad16d7 100644
--- a/win/src/app_container_base.h
+++ b/win/src/app_container_base.h
@@ -15,10 +15,11 @@
#include "base/files/file_path.h"
#include "base/memory/ref_counted.h"
#include "base/win/scoped_handle.h"
+#include "base/win/sid.h"
#include "sandbox/win/src/app_container.h"
#include "sandbox/win/src/sandbox_types.h"
#include "sandbox/win/src/security_capabilities.h"
-#include "sandbox/win/src/sid.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
namespace sandbox {
@@ -40,27 +41,28 @@
DWORD* granted_access,
BOOL* access_status) override;
bool AddCapability(const wchar_t* capability_name) override;
- bool AddCapability(WellKnownCapabilities capability) override;
+ bool AddCapability(base::win::WellKnownCapability capability) override;
bool AddCapabilitySddl(const wchar_t* sddl_sid) override;
bool AddImpersonationCapability(const wchar_t* capability_name) override;
- bool AddImpersonationCapability(WellKnownCapabilities capability) override;
+ bool AddImpersonationCapability(
+ base::win::WellKnownCapability capability) override;
bool AddImpersonationCapabilitySddl(const wchar_t* sddl_sid) override;
void SetEnableLowPrivilegeAppContainer(bool enable) override;
bool GetEnableLowPrivilegeAppContainer() override;
AppContainerType GetAppContainerType() override;
// Get the package SID for this AC.
- Sid GetPackageSid() const;
+ const base::win::Sid& GetPackageSid() const;
// Get an allocated SecurityCapabilities object for this App Container.
std::unique_ptr<SecurityCapabilities> GetSecurityCapabilities();
// Get a vector of capabilities.
- const std::vector<Sid>& GetCapabilities();
+ const std::vector<base::win::Sid>& GetCapabilities();
// Get a vector of impersonation only capabilities. Used if the process needs
// a more privileged token to start.
- const std::vector<Sid>& GetImpersonationCapabilities();
+ const std::vector<base::win::Sid>& GetImpersonationCapabilities();
// Creates a new AppContainer object. This will create a new profile
// if it doesn't already exist. The profile must be deleted manually using
@@ -86,17 +88,18 @@
base::win::ScopedHandle* lockdown = nullptr);
private:
- AppContainerBase(const Sid& package_sid, AppContainerType type);
+ AppContainerBase(base::win::Sid& package_sid, AppContainerType type);
~AppContainerBase();
- bool AddCapability(const Sid& capability_sid, bool impersonation_only);
+ bool AddCapability(const absl::optional<base::win::Sid>& capability_sid,
+ bool impersonation_only);
// Standard object-lifetime reference counter.
volatile LONG ref_count_;
- Sid package_sid_;
+ base::win::Sid package_sid_;
bool enable_low_privilege_app_container_;
- std::vector<Sid> capabilities_;
- std::vector<Sid> impersonation_capabilities_;
+ std::vector<base::win::Sid> capabilities_;
+ std::vector<base::win::Sid> impersonation_capabilities_;
AppContainerType type_;
base::win::ScopedHandle lowbox_directory_;
};
diff --git a/win/src/app_container_test.cc b/win/src/app_container_test.cc
index 555c826..6eef634 100644
--- a/win/src/app_container_test.cc
+++ b/win/src/app_container_test.cc
@@ -99,16 +99,16 @@
<< TokenTypeToName(token_type);
}
- std::unique_ptr<Sid> package_sid;
- ASSERT_TRUE(GetTokenAppContainerSid(token, &package_sid))
- << TokenTypeToName(token_type);
+ absl::optional<base::win::Sid> package_sid = GetTokenAppContainerSid(token);
+ ASSERT_TRUE(package_sid) << TokenTypeToName(token_type);
EXPECT_TRUE(::EqualSid(security_capabilities->AppContainerSid,
package_sid->GetPSID()))
<< TokenTypeToName(token_type);
- std::vector<SidAndAttributes> capabilities;
- ASSERT_TRUE(GetTokenGroups(token, ::TokenCapabilities, &capabilities))
- << TokenTypeToName(token_type);
+ absl::optional<std::vector<SidAndAttributes>> capability_groups =
+ GetTokenGroups(token, ::TokenCapabilities);
+ ASSERT_TRUE(capability_groups) << TokenTypeToName(token_type);
+ const std::vector<SidAndAttributes>& capabilities = *capability_groups;
ASSERT_EQ(capabilities.size(), security_capabilities->CapabilityCount)
<< TokenTypeToName(token_type);
@@ -206,10 +206,10 @@
constexpr const wchar_t* kBaseCapsSt[] = {
L"lpacChromeInstallFiles", L"registryRead", L"lpacIdentityServices",
L"lpacCryptoServices"};
- constexpr const WellKnownCapabilities kBaseCapsWK[] = {
- WellKnownCapabilities::kPrivateNetworkClientServer,
- WellKnownCapabilities::kInternetClient,
- WellKnownCapabilities::kEnterpriseAuthentication};
+ constexpr const base::win::WellKnownCapability kBaseCapsWK[] = {
+ base::win::WellKnownCapability::kPrivateNetworkClientServer,
+ base::win::WellKnownCapability::kInternetClient,
+ base::win::WellKnownCapability::kEnterpriseAuthentication};
for (const auto* cap : kBaseCapsSt) {
if (!app_container->AddCapability(cap)) {
@@ -555,8 +555,9 @@
if (!container_)
return;
- container_->AddCapability(kInternetClient);
- container_->AddCapability(kInternetClientServer);
+ container_->AddCapability(base::win::WellKnownCapability::kInternetClient);
+ container_->AddCapability(
+ base::win::WellKnownCapability::kInternetClientServer);
policy_->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED);
policy_->SetJobLevel(JOB_NONE, 0);
@@ -573,8 +574,9 @@
if (!container_)
return;
- container_->AddCapability(kInternetClient);
- container_->AddCapability(kInternetClientServer);
+ container_->AddCapability(base::win::WellKnownCapability::kInternetClient);
+ container_->AddCapability(
+ base::win::WellKnownCapability::kInternetClientServer);
policy_->SetTokenLevel(USER_LOCKDOWN, USER_RESTRICTED_SAME_ACCESS);
policy_->SetJobLevel(JOB_NONE, 0);
@@ -591,10 +593,13 @@
if (!container_)
return;
- container_->AddCapability(kInternetClient);
- container_->AddCapability(kInternetClientServer);
- container_->AddImpersonationCapability(kPrivateNetworkClientServer);
- container_->AddImpersonationCapability(kPicturesLibrary);
+ container_->AddCapability(base::win::WellKnownCapability::kInternetClient);
+ container_->AddCapability(
+ base::win::WellKnownCapability::kInternetClientServer);
+ container_->AddImpersonationCapability(
+ base::win::WellKnownCapability::kPrivateNetworkClientServer);
+ container_->AddImpersonationCapability(
+ base::win::WellKnownCapability::kPicturesLibrary);
policy_->SetTokenLevel(USER_UNPROTECTED, USER_UNPROTECTED);
policy_->SetJobLevel(JOB_NONE, 0);
diff --git a/win/src/app_container_unittest.cc b/win/src/app_container_unittest.cc
index a57bd44..519650e 100644
--- a/win/src/app_container_unittest.cc
+++ b/win/src/app_container_unittest.cc
@@ -16,10 +16,10 @@
#include "base/path_service.h"
#include "base/rand_util.h"
#include "base/strings/stringprintf.h"
+#include "base/win/sid.h"
#include "base/win/windows_version.h"
#include "sandbox/win/src/app_container_base.h"
#include "sandbox/win/src/security_capabilities.h"
-#include "sandbox/win/src/sid.h"
#include "sandbox/win/src/win_utils.h"
#include "testing/gtest/include/gtest/gtest.h"
@@ -27,14 +27,14 @@
namespace {
-bool ValidSecurityCapabilities(PSECURITY_CAPABILITIES security_capabilities,
- const Sid& package_sid,
- const std::vector<Sid>& capabilities) {
+bool ValidSecurityCapabilities(
+ PSECURITY_CAPABILITIES security_capabilities,
+ const base::win::Sid& package_sid,
+ const std::vector<base::win::Sid>& capabilities) {
if (!security_capabilities)
return false;
- if (!::EqualSid(package_sid.GetPSID(),
- security_capabilities->AppContainerSid)) {
+ if (!package_sid.Equal(security_capabilities->AppContainerSid)) {
return false;
}
@@ -52,8 +52,8 @@
for (DWORD index = 0; index < security_capabilities->CapabilityCount;
++index) {
- if (!::EqualSid(capabilities[index].GetPSID(),
- security_capabilities->Capabilities[index].Sid)) {
+ if (!capabilities[index].Equal(
+ security_capabilities->Capabilities[index].Sid)) {
return false;
}
if (security_capabilities->Capabilities[index].Attributes !=
@@ -65,14 +65,14 @@
return true;
}
-bool CompareSidVectors(const std::vector<Sid>& left,
- const std::vector<Sid>& right) {
+bool CompareSidVectors(const std::vector<base::win::Sid>& left,
+ const std::vector<base::win::Sid>& right) {
if (left.size() != right.size())
return false;
auto left_interator = left.cbegin();
auto right_interator = right.cbegin();
while (left_interator != left.cend()) {
- if (!::EqualSid(left_interator->GetPSID(), right_interator->GetPSID()))
+ if (*left_interator != *right_interator)
return false;
++left_interator;
++right_interator;
@@ -119,17 +119,24 @@
bool IsValid() { return lpSecurityDescriptor != nullptr; }
};
-std::wstring CreateSddlWithSid(const Sid& sid) {
- std::wstring sddl_string;
- if (!sid.ToSddlString(&sddl_string))
+std::wstring CreateSddlWithSid(const base::win::Sid& sid) {
+ auto sddl_string = sid.ToSddlString();
+ if (!sddl_string)
return L"";
std::wstring base_sddl = L"D:(A;;GA;;;WD)(A;;GA;;;";
- return base_sddl + sddl_string + L")";
+ return base_sddl + *sddl_string + L")";
+}
+
+std::wstring CreateSddlWithSid(base::win::WellKnownSid known_sid) {
+ auto sid = base::win::Sid::FromKnownSid(known_sid);
+ if (!sid)
+ return L"";
+ return CreateSddlWithSid(*sid);
}
void AccessCheckFile(AppContainer* container,
const base::FilePath& path,
- const Sid& sid,
+ const base::win::Sid& sid,
DWORD desired_access,
DWORD expected_access,
BOOL expected_status) {
@@ -150,6 +157,30 @@
ASSERT_EQ(expected_access, granted_access);
}
+void AccessCheckFile(AppContainer* container,
+ const base::FilePath& path,
+ base::win::WellKnownSid known_sid,
+ DWORD desired_access,
+ DWORD expected_access,
+ BOOL expected_status) {
+ auto sid = base::win::Sid::FromKnownSid(known_sid);
+ ASSERT_TRUE(sid);
+ AccessCheckFile(container, path, *sid, desired_access, expected_access,
+ expected_status);
+}
+
+void AccessCheckFile(AppContainer* container,
+ const base::FilePath& path,
+ base::win::WellKnownCapability known_cap,
+ DWORD desired_access,
+ DWORD expected_access,
+ BOOL expected_status) {
+ auto sid = base::win::Sid::FromKnownCapability(known_cap);
+ ASSERT_TRUE(sid);
+ AccessCheckFile(container, path, *sid, desired_access, expected_access,
+ expected_status);
+}
+
} // namespace
TEST(AppContainerTest, SecurityCapabilities) {
@@ -157,19 +188,22 @@
return;
// This isn't a valid package SID but it doesn't matter for this test.
- Sid package_sid(::WinNullSid);
+ base::win::Sid package_sid =
+ *base::win::Sid::FromKnownSid(base::win::WellKnownSid::kNull);
- std::vector<Sid> capabilities;
+ std::vector<base::win::Sid> capabilities;
SecurityCapabilities no_capabilities(package_sid);
EXPECT_TRUE(
ValidSecurityCapabilities(&no_capabilities, package_sid, capabilities));
- capabilities.push_back(::WinWorldSid);
+ capabilities.push_back(
+ *base::win::Sid::FromKnownSid(base::win::WellKnownSid::kWorld));
SecurityCapabilities one_capability(package_sid, capabilities);
EXPECT_TRUE(
ValidSecurityCapabilities(&one_capability, package_sid, capabilities));
- capabilities.push_back(::WinLocalSid);
+ capabilities.push_back(
+ *base::win::Sid::FromKnownSid(base::win::WellKnownSid::kNetwork));
SecurityCapabilities two_capabilities(package_sid, capabilities);
EXPECT_TRUE(
ValidSecurityCapabilities(&two_capabilities, package_sid, capabilities));
@@ -234,7 +268,7 @@
AppContainerBase::Open(package_name.c_str());
ASSERT_NE(nullptr, container.get());
- std::vector<Sid> capabilities;
+ std::vector<base::win::Sid> capabilities;
auto no_capabilities = container->GetSecurityCapabilities();
ASSERT_TRUE(ValidSecurityCapabilities(
no_capabilities.get(), container->GetPackageSid(), capabilities));
@@ -242,14 +276,17 @@
// No support for named capabilities prior to Win10.
if (base::win::GetVersion() >= base::win::Version::WIN10) {
ASSERT_TRUE(container->AddCapability(L"FakeCapability"));
- capabilities.push_back(Sid::FromNamedCapability(L"FakeCapability"));
+ capabilities.push_back(
+ *base::win::Sid::FromNamedCapability(L"FakeCapability"));
}
- ASSERT_TRUE(container->AddCapability(kInternetClient));
- capabilities.push_back(Sid::FromKnownCapability(kInternetClient));
+ ASSERT_TRUE(container->AddCapability(
+ base::win::WellKnownCapability::kInternetClient));
+ capabilities.push_back(*base::win::Sid::FromKnownCapability(
+ base::win::WellKnownCapability::kInternetClient));
const wchar_t kSddlSid[] = L"S-1-15-3-1";
ASSERT_TRUE(container->AddCapabilitySddl(kSddlSid));
- capabilities.push_back(Sid::FromSddlString(kSddlSid));
+ capabilities.push_back(*base::win::Sid::FromSddlString(kSddlSid));
auto with_capabilities = container->GetSecurityCapabilities();
ASSERT_TRUE(ValidSecurityCapabilities(
with_capabilities.get(), container->GetPackageSid(), capabilities));
@@ -289,34 +326,37 @@
std::wstring package_name = GenerateRandomPackageName();
scoped_refptr<AppContainerBase> container =
AppContainerBase::Open(package_name.c_str());
- container->AddCapability(kInternetClient);
+ container->AddCapability(base::win::WellKnownCapability::kInternetClient);
base::ScopedTempDir temp_dir;
ASSERT_TRUE(temp_dir.CreateUniqueTempDir());
base::FilePath path = temp_dir.GetPath().Append(package_name);
- AccessCheckFile(container.get(), path, ::WinNullSid, FILE_READ_DATA, 0,
- FALSE);
- AccessCheckFile(container.get(), path, ::WinBuiltinAnyPackageSid,
+ AccessCheckFile(container.get(), path, base::win::WellKnownSid::kNull,
+ FILE_READ_DATA, 0, FALSE);
+ AccessCheckFile(container.get(), path,
+ base::win::WellKnownSid::kAllApplicationPackages,
FILE_READ_DATA, FILE_READ_DATA, TRUE);
AccessCheckFile(container.get(), path, container->GetPackageSid(),
FILE_READ_DATA, FILE_READ_DATA, TRUE);
AccessCheckFile(container.get(), path,
- Sid::FromKnownCapability(kInternetClient), FILE_READ_DATA,
- FILE_READ_DATA, TRUE);
+ base::win::WellKnownCapability::kInternetClient,
+ FILE_READ_DATA, FILE_READ_DATA, TRUE);
// Check mapping generic access rights.
- AccessCheckFile(container.get(), path, ::WinBuiltinAnyPackageSid,
+ AccessCheckFile(container.get(), path,
+ base::win::WellKnownSid::kAllApplicationPackages,
GENERIC_READ | GENERIC_EXECUTE,
FILE_GENERIC_READ | FILE_GENERIC_EXECUTE, TRUE);
// No support for LPAC less than Win10 RS1.
if (base::win::GetVersion() < base::win::Version::WIN10_RS1)
return;
container->SetEnableLowPrivilegeAppContainer(true);
- AccessCheckFile(container.get(), path, ::WinBuiltinAnyPackageSid,
+ AccessCheckFile(container.get(), path,
+ base::win::WellKnownSid::kAllApplicationPackages,
FILE_READ_DATA, 0, FALSE);
AccessCheckFile(container.get(), path,
- Sid::AllRestrictedApplicationPackages(), FILE_READ_DATA,
- FILE_READ_DATA, TRUE);
+ base::win::WellKnownSid::kAllRestrictedApplicationPackages,
+ FILE_READ_DATA, FILE_READ_DATA, TRUE);
}
TEST(AppContainerTest, AccessCheckRegistry) {
@@ -330,7 +370,8 @@
// Ensure the key doesn't exist.
RegDeleteKey(HKEY_CURRENT_USER, package_name.c_str());
SECURITY_ATTRIBUTES_SDDL sa(
- CreateSddlWithSid(::WinBuiltinAnyPackageSid).c_str());
+ CreateSddlWithSid(base::win::WellKnownSid::kAllApplicationPackages)
+ .c_str());
HKEY key_handle;
ASSERT_EQ(ERROR_SUCCESS,
RegCreateKeyEx(HKEY_CURRENT_USER, package_name.c_str(), 0, nullptr,
@@ -359,31 +400,34 @@
AppContainerBase::Open(package_name.c_str());
ASSERT_NE(nullptr, container.get());
- std::vector<Sid> capabilities;
- std::vector<Sid> impersonation_capabilities;
+ std::vector<base::win::Sid> capabilities;
+ std::vector<base::win::Sid> impersonation_capabilities;
- ASSERT_TRUE(container->AddCapability(kInternetClient));
- capabilities.push_back(Sid::FromKnownCapability(kInternetClient));
- impersonation_capabilities.push_back(
- Sid::FromKnownCapability(kInternetClient));
+ ASSERT_TRUE(container->AddCapability(
+ base::win::WellKnownCapability::kInternetClient));
+ capabilities.push_back(*base::win::Sid::FromKnownCapability(
+ base::win::WellKnownCapability::kInternetClient));
+ impersonation_capabilities.push_back(*base::win::Sid::FromKnownCapability(
+ base::win::WellKnownCapability::kInternetClient));
ASSERT_TRUE(CompareSidVectors(container->GetCapabilities(), capabilities));
ASSERT_TRUE(CompareSidVectors(container->GetImpersonationCapabilities(),
impersonation_capabilities));
- ASSERT_TRUE(
- container->AddImpersonationCapability(kPrivateNetworkClientServer));
- impersonation_capabilities.push_back(
- Sid::FromKnownCapability(kPrivateNetworkClientServer));
+ ASSERT_TRUE(container->AddImpersonationCapability(
+ base::win::WellKnownCapability::kPrivateNetworkClientServer));
+ impersonation_capabilities.push_back(*base::win::Sid::FromKnownCapability(
+ base::win::WellKnownCapability::kPrivateNetworkClientServer));
// No support for named capabilities prior to Win10.
if (base::win::GetVersion() >= base::win::Version::WIN10) {
ASSERT_TRUE(container->AddImpersonationCapability(L"FakeCapability"));
impersonation_capabilities.push_back(
- Sid::FromNamedCapability(L"FakeCapability"));
+ *base::win::Sid::FromNamedCapability(L"FakeCapability"));
}
const wchar_t kSddlSid[] = L"S-1-15-3-1";
ASSERT_TRUE(container->AddImpersonationCapabilitySddl(kSddlSid));
- impersonation_capabilities.push_back(Sid::FromSddlString(kSddlSid));
+ impersonation_capabilities.push_back(
+ *base::win::Sid::FromSddlString(kSddlSid));
ASSERT_TRUE(CompareSidVectors(container->GetCapabilities(), capabilities));
ASSERT_TRUE(CompareSidVectors(container->GetImpersonationCapabilities(),
impersonation_capabilities));
diff --git a/win/src/broker_services.cc b/win/src/broker_services.cc
index 68b40b5..72d5ee7 100644
--- a/win/src/broker_services.cc
+++ b/win/src/broker_services.cc
@@ -537,11 +537,16 @@
// Create the TargetProcess object and spawn the target suspended. Note that
// Brokerservices does not own the target object. It is owned by the Policy.
base::win::ScopedProcessInformation process_info;
+ std::vector<base::win::Sid> imp_caps;
+ if (container) {
+ for (const base::win::Sid& sid :
+ container->GetImpersonationCapabilities()) {
+ imp_caps.push_back(sid.Clone());
+ }
+ }
std::unique_ptr<TargetProcess> target = std::make_unique<TargetProcess>(
std::move(initial_token), std::move(lockdown_token), job.Get(),
- thread_pool_,
- container ? container->GetImpersonationCapabilities()
- : std::vector<Sid>());
+ thread_pool_, imp_caps);
result = target->Create(exe_path, command_line, std::move(startup_info),
&process_info, last_error);
diff --git a/win/src/restricted_token.cc b/win/src/restricted_token.cc
index 5b20e88..ba3244d 100644
--- a/win/src/restricted_token.cc
+++ b/win/src/restricted_token.cc
@@ -140,8 +140,9 @@
return ::GetLastError();
} else {
// Modify the default dacl on the token to contain Restricted.
- if (!AddSidToDefaultDacl(new_token.Get(), WinRestrictedCodeSid,
- GRANT_ACCESS, GENERIC_ALL)) {
+ if (!AddSidToDefaultDacl(new_token.Get(),
+ base::win::WellKnownSid::kRestricted, GRANT_ACCESS,
+ GENERIC_ALL)) {
return ::GetLastError();
}
}
@@ -204,7 +205,8 @@
return ERROR_SUCCESS;
}
-DWORD RestrictedToken::AddAllSidsForDenyOnly(std::vector<Sid>* exceptions) {
+DWORD RestrictedToken::AddAllSidsForDenyOnly(
+ std::vector<base::win::Sid>* exceptions) {
DCHECK(init_);
if (!init_)
return ERROR_NO_TOKEN;
@@ -225,8 +227,7 @@
bool should_ignore = false;
if (exceptions) {
for (unsigned int j = 0; j < exceptions->size(); ++j) {
- if (::EqualSid((*exceptions)[j].GetPSID(),
- token_groups->Groups[i].Sid)) {
+ if ((*exceptions)[j].Equal(token_groups->Groups[i].Sid)) {
should_ignore = true;
break;
}
@@ -234,7 +235,7 @@
}
if (!should_ignore) {
sids_for_deny_only_.push_back(
- reinterpret_cast<SID*>(token_groups->Groups[i].Sid));
+ *base::win::Sid::FromPSID(token_groups->Groups[i].Sid));
}
}
}
@@ -242,32 +243,32 @@
return ERROR_SUCCESS;
}
-DWORD RestrictedToken::AddSidForDenyOnly(const Sid& sid) {
+DWORD RestrictedToken::AddSidForDenyOnly(const base::win::Sid& sid) {
DCHECK(init_);
if (!init_)
return ERROR_NO_TOKEN;
- sids_for_deny_only_.push_back(sid);
+ sids_for_deny_only_.push_back(sid.Clone());
return ERROR_SUCCESS;
}
+DWORD RestrictedToken::AddSidForDenyOnly(base::win::WellKnownSid known_sid) {
+ absl::optional<base::win::Sid> sid = base::win::Sid::FromKnownSid(known_sid);
+ if (!sid)
+ return ERROR_INVALID_SID;
+ return AddSidForDenyOnly(*sid);
+}
+
DWORD RestrictedToken::AddUserSidForDenyOnly() {
DCHECK(init_);
if (!init_)
return ERROR_NO_TOKEN;
- DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE;
- std::unique_ptr<BYTE[]> buffer(new BYTE[size]);
- TOKEN_USER* token_user = reinterpret_cast<TOKEN_USER*>(buffer.get());
+ absl::optional<base::win::Sid> user = base::win::Sid::CurrentUser();
+ if (!user)
+ return ERROR_INVALID_SID;
- bool result = ::GetTokenInformation(effective_token_.Get(), TokenUser,
- token_user, size, &size);
-
- if (!result)
- return ::GetLastError();
-
- Sid user = reinterpret_cast<SID*>(token_user->User.Sid);
- sids_for_deny_only_.push_back(user);
+ sids_for_deny_only_.push_back(std::move(*user));
return ERROR_SUCCESS;
}
@@ -324,15 +325,22 @@
return ERROR_SUCCESS;
}
-DWORD RestrictedToken::AddRestrictingSid(const Sid& sid) {
+DWORD RestrictedToken::AddRestrictingSid(const base::win::Sid& sid) {
DCHECK(init_);
if (!init_)
return ERROR_NO_TOKEN;
- sids_to_restrict_.push_back(sid); // No attributes
+ sids_to_restrict_.push_back(sid.Clone()); // No attributes
return ERROR_SUCCESS;
}
+DWORD RestrictedToken::AddRestrictingSid(base::win::WellKnownSid known_sid) {
+ absl::optional<base::win::Sid> sid = base::win::Sid::FromKnownSid(known_sid);
+ if (!sid)
+ return ERROR_INVALID_SID;
+ return AddRestrictingSid(*sid);
+}
+
DWORD RestrictedToken::AddRestrictingSidLogonSession() {
DCHECK(init_);
if (!init_)
@@ -347,17 +355,21 @@
TOKEN_GROUPS* token_groups = reinterpret_cast<TOKEN_GROUPS*>(buffer.get());
- SID* logon_sid = nullptr;
+ PSID logon_sid_ptr = nullptr;
for (unsigned int i = 0; i < token_groups->GroupCount; ++i) {
if ((token_groups->Groups[i].Attributes & SE_GROUP_LOGON_ID) != 0) {
- logon_sid = static_cast<SID*>(token_groups->Groups[i].Sid);
+ logon_sid_ptr = token_groups->Groups[i].Sid;
break;
}
}
- if (logon_sid)
- sids_to_restrict_.push_back(logon_sid);
-
+ if (logon_sid_ptr) {
+ absl::optional<base::win::Sid> logon_sid =
+ base::win::Sid::FromPSID(logon_sid_ptr);
+ if (!logon_sid)
+ return ERROR_INVALID_SID;
+ sids_to_restrict_.push_back(std::move(*logon_sid));
+ }
return ERROR_SUCCESS;
}
@@ -366,18 +378,10 @@
if (!init_)
return ERROR_NO_TOKEN;
- DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE;
- std::unique_ptr<BYTE[]> buffer(new BYTE[size]);
- TOKEN_USER* token_user = reinterpret_cast<TOKEN_USER*>(buffer.get());
-
- bool result = ::GetTokenInformation(effective_token_.Get(), TokenUser,
- token_user, size, &size);
-
- if (!result)
- return ::GetLastError();
-
- Sid user = reinterpret_cast<SID*>(token_user->User.Sid);
- sids_to_restrict_.push_back(user);
+ absl::optional<base::win::Sid> user = base::win::Sid::CurrentUser();
+ if (!user)
+ return ERROR_INVALID_SID;
+ sids_to_restrict_.push_back(std::move(*user));
return ERROR_SUCCESS;
}
@@ -402,8 +406,13 @@
// Build the list of restricting sids from all groups.
for (unsigned int i = 0; i < token_groups->GroupCount; ++i) {
- if ((token_groups->Groups[i].Attributes & SE_GROUP_INTEGRITY) == 0)
- AddRestrictingSid(reinterpret_cast<SID*>(token_groups->Groups[i].Sid));
+ if ((token_groups->Groups[i].Attributes & SE_GROUP_INTEGRITY) == 0) {
+ absl::optional<base::win::Sid> sid =
+ base::win::Sid::FromPSID(token_groups->Groups[i].Sid);
+ if (!sid)
+ return ERROR_INVALID_SID;
+ AddRestrictingSid(*sid);
+ }
}
return ERROR_SUCCESS;
@@ -418,15 +427,25 @@
lockdown_default_dacl_ = true;
}
-DWORD RestrictedToken::AddDefaultDaclSid(const Sid& sid,
+DWORD RestrictedToken::AddDefaultDaclSid(const base::win::Sid& sid,
ACCESS_MODE access_mode,
ACCESS_MASK access) {
DCHECK(init_);
if (!init_)
return ERROR_NO_TOKEN;
- sids_for_default_dacl_.push_back(std::make_tuple(sid, access_mode, access));
+ sids_for_default_dacl_.push_back(
+ std::make_tuple(sid.Clone(), access_mode, access));
return ERROR_SUCCESS;
}
+DWORD RestrictedToken::AddDefaultDaclSid(base::win::WellKnownSid known_sid,
+ ACCESS_MODE access_mode,
+ ACCESS_MASK access) {
+ absl::optional<base::win::Sid> sid = base::win::Sid::FromKnownSid(known_sid);
+ if (!sid)
+ return ERROR_INVALID_SID;
+ return AddDefaultDaclSid(*sid, access_mode, access);
+}
+
} // namespace sandbox
diff --git a/win/src/restricted_token.h b/win/src/restricted_token.h
index eff6a10..3856984 100644
--- a/win/src/restricted_token.h
+++ b/win/src/restricted_token.h
@@ -14,9 +14,9 @@
#include "base/macros.h"
#include "base/win/scoped_handle.h"
+#include "base/win/sid.h"
#include "sandbox/win/src/restricted_token_utils.h"
#include "sandbox/win/src/security_level.h"
-#include "sandbox/win/src/sid.h"
// Flags present in the Group SID list. These 2 flags are new in Windows Vista
#ifndef SE_GROUP_INTEGRITY
@@ -87,21 +87,29 @@
// the error.
//
// Sample usage:
- // std::vector<Sid> sid_exceptions;
+ // std::vector<base::win::Sid> sid_exceptions;
// sid_exceptions.push_back(ATL::Sids::Users().GetPSID());
// sid_exceptions.push_back(ATL::Sids::World().GetPSID());
// restricted_token.AddAllSidsForDenyOnly(&sid_exceptions);
// Note: A Sid marked for Deny Only in a token cannot be used to grant
// access to any resource. It can only be used to deny access.
- DWORD AddAllSidsForDenyOnly(std::vector<Sid>* exceptions);
+ DWORD AddAllSidsForDenyOnly(std::vector<base::win::Sid>* exceptions);
// Adds a user or group SID for Deny Only in the restricted token.
// Parameter: sid is the SID to add in the Deny Only list.
// The return value is always ERROR_SUCCESS.
//
// Sample Usage:
- // restricted_token.AddSidForDenyOnly(ATL::Sids::Admins().GetPSID());
- DWORD AddSidForDenyOnly(const Sid& sid);
+ // restricted_token.AddSidForDenyOnly(sid);
+ DWORD AddSidForDenyOnly(const base::win::Sid& sid);
+
+ // Adds a known SID for Deny Only in the restricted token.
+ // Parameter: known_sid is the SID to add in the Deny Only list.
+ // The return value is always ERROR_SUCCESS.
+ //
+ // Sample Usage:
+ // restricted_token.AddSidForDenyOnly(base::win::WellKnownSid::kWorld);
+ DWORD AddSidForDenyOnly(base::win::WellKnownSid known_sid);
// Adds the user sid of the token for Deny Only in the restricted token.
// If the function succeeds, the return value is ERROR_SUCCESS. If the
@@ -146,7 +154,19 @@
// access checks twice. The first time using your user SID and your groups,
// and the second time using your list of restricting sids. The access has
// to be granted in both places to get access to the resource requested.
- DWORD AddRestrictingSid(const Sid& sid);
+ DWORD AddRestrictingSid(const base::win::Sid& sid);
+
+ // Adds a known SID to the list of restricting sids in the restricted token.
+ // Parameter: known_sid is the sid to add to the list restricting sids.
+ // The return value is always ERROR_SUCCESS.
+ //
+ // Sample usage:
+ // restricted_token.AddRestrictingSid(base::win::WellKnownSid::kWorld);
+ // Note: The list of restricting is used to force Windows to perform all
+ // access checks twice. The first time using your user SID and your groups,
+ // and the second time using your list of restricting sids. The access has
+ // to be granted in both places to get access to the resource requested.
+ DWORD AddRestrictingSid(base::win::WellKnownSid known_sid);
// Adds the logon sid of the token in the list of restricting sids for the
// restricted token.
@@ -181,19 +201,26 @@
// Add a SID to the default DACL. These SIDs are added regardless of the
// SetLockdownDefaultDacl state.
- DWORD AddDefaultDaclSid(const Sid& sid,
+ DWORD AddDefaultDaclSid(const base::win::Sid& sid,
+ ACCESS_MODE access_mode,
+ ACCESS_MASK access);
+
+ // Add a SID to the default DACL. These SIDs are added regardless of the
+ // SetLockdownDefaultDacl state.
+ DWORD AddDefaultDaclSid(base::win::WellKnownSid known_sid,
ACCESS_MODE access_mode,
ACCESS_MASK access);
private:
// The list of restricting sids in the restricted token.
- std::vector<Sid> sids_to_restrict_;
+ std::vector<base::win::Sid> sids_to_restrict_;
// The list of privileges to remove in the restricted token.
std::vector<LUID> privileges_to_disable_;
// The list of sids to mark as Deny Only in the restricted token.
- std::vector<Sid> sids_for_deny_only_;
+ std::vector<base::win::Sid> sids_for_deny_only_;
// The list of sids to add to the default DACL of the restricted token.
- std::vector<std::tuple<Sid, ACCESS_MODE, ACCESS_MASK>> sids_for_default_dacl_;
+ std::vector<std::tuple<base::win::Sid, ACCESS_MODE, ACCESS_MASK>>
+ sids_for_default_dacl_;
// The token to restrict. Can only be set in a constructor.
base::win::ScopedHandle effective_token_;
// The token integrity level. Only valid on Vista.
diff --git a/win/src/restricted_token_unittest.cc b/win/src/restricted_token_unittest.cc
index f638a2f..fa53b04 100644
--- a/win/src/restricted_token_unittest.cc
+++ b/win/src/restricted_token_unittest.cc
@@ -10,10 +10,10 @@
#include "base/win/atl.h"
#include "base/win/scoped_handle.h"
+#include "base/win/sid.h"
#include "base/win/windows_version.h"
#include "sandbox/win/src/acl.h"
#include "sandbox/win/src/security_capabilities.h"
-#include "sandbox/win/src/sid.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace sandbox {
@@ -28,14 +28,16 @@
ATL::CSid additional_sid = ATL::Sids::Guests();
ATL::CSid additional_sid2 = ATL::Sids::Batch();
if (additional_sid_required) {
- token.AddDefaultDaclSid(Sid(additional_sid.GetPSID()), GRANT_ACCESS,
- READ_CONTROL);
- token.AddDefaultDaclSid(Sid(additional_sid2.GetPSID()), DENY_ACCESS,
- GENERIC_ALL);
+ token.AddDefaultDaclSid(
+ *base::win::Sid::FromPSID(const_cast<SID*>(additional_sid.GetPSID())),
+ GRANT_ACCESS, READ_CONTROL);
+ token.AddDefaultDaclSid(
+ *base::win::Sid::FromPSID(const_cast<SID*>(additional_sid2.GetPSID())),
+ DENY_ACCESS, GENERIC_ALL);
}
ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
+ token.AddRestrictingSid(base::win::WellKnownSid::kWorld));
base::win::ScopedHandle handle;
ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
@@ -124,10 +126,10 @@
ATL::CDacl dacl;
ASSERT_TRUE(token_sd.GetDacl(&dacl));
- ATL::CSid package_sid(
- static_cast<SID*>(security_capabilities->AppContainerSid));
- ATL::CSid all_package_sid(
- static_cast<SID*>(sandbox::Sid(::WinBuiltinAnyPackageSid).GetPSID()));
+ base::win::Sid package_sid =
+ *base::win::Sid::FromPSID(security_capabilities->AppContainerSid);
+ base::win::Sid all_package_sid = *base::win::Sid::FromKnownSid(
+ base::win::WellKnownSid::kAllApplicationPackages);
unsigned int ace_count = dacl.GetAceCount();
for (unsigned int i = 0; i < ace_count; ++i) {
@@ -137,9 +139,10 @@
dacl.GetAclEntry(i, &sid, &mask, &type);
if (mask != TOKEN_ALL_ACCESS || type != ACCESS_ALLOWED_ACE_TYPE)
continue;
- if (sid == package_sid)
+ PSID psid = const_cast<SID*>(sid.GetPSID());
+ if (package_sid.Equal(psid))
EXPECT_TRUE(package_sid_required);
- else if (sid == all_package_sid)
+ else if (all_package_sid.Equal(psid))
EXPECT_FALSE(package_sid_required);
}
}
@@ -315,7 +318,7 @@
ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(nullptr));
ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
+ token.AddRestrictingSid(base::win::WellKnownSid::kWorld));
base::win::ScopedHandle restricted_token;
ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
@@ -371,7 +374,7 @@
ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(nullptr));
ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.AddSidForDenyOnly(Sid(WinWorldSid)));
+ token.AddSidForDenyOnly(base::win::WellKnownSid::kWorld));
ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
token.GetRestrictedToken(&token_handle));
@@ -429,8 +432,9 @@
RestrictedToken token;
base::win::ScopedHandle token_handle;
- std::vector<Sid> sids_exception;
- sids_exception.push_back(Sid(WinWorldSid));
+ std::vector<base::win::Sid> sids_exception;
+ sids_exception.push_back(
+ *base::win::Sid::FromKnownSid(base::win::WellKnownSid::kWorld));
ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(nullptr));
ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
@@ -620,7 +624,7 @@
ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(nullptr));
ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
+ token.AddRestrictingSid(base::win::WellKnownSid::kWorld));
ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
token.GetRestrictedToken(&token_handle));
@@ -708,7 +712,7 @@
ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
token.AddRestrictingSidLogonSession());
ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
+ token.AddRestrictingSid(base::win::WellKnownSid::kWorld));
ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
token.GetRestrictedToken(&token_handle));
@@ -789,8 +793,9 @@
return;
base::win::ScopedHandle token;
- Sid package_sid = Sid::FromSddlString(L"S-1-15-2-1-2-3-4-5-6-7");
- SecurityCapabilities caps_no_capabilities(package_sid);
+ auto package_sid = base::win::Sid::FromSddlString(L"S-1-15-2-1-2-3-4-5-6-7");
+ ASSERT_TRUE(package_sid);
+ SecurityCapabilities caps_no_capabilities(*package_sid);
ASSERT_EQ(DWORD{ERROR_INVALID_PARAMETER},
CreateLowBoxToken(nullptr, PRIMARY, &caps_no_capabilities, nullptr,
@@ -802,8 +807,7 @@
CheckLowBoxToken(token, ::TokenPrimary, &caps_no_capabilities);
ASSERT_TRUE(ReplacePackageSidInDacl(token.Get(), SE_KERNEL_OBJECT,
- Sid(caps_no_capabilities.AppContainerSid),
- TOKEN_ALL_ACCESS));
+ *package_sid, TOKEN_ALL_ACCESS));
CheckDaclForPackageSid(token, &caps_no_capabilities, false);
ASSERT_EQ(DWORD{ERROR_SUCCESS},
@@ -812,10 +816,11 @@
ASSERT_TRUE(token.IsValid());
CheckLowBoxToken(token, ::TokenImpersonation, &caps_no_capabilities);
- std::vector<Sid> capabilities;
- capabilities.push_back(Sid::FromKnownCapability(kInternetClient));
- capabilities.push_back(Sid::FromKnownCapability(kPrivateNetworkClientServer));
- SecurityCapabilities caps_with_capabilities(package_sid, capabilities);
+ auto capabilities = base::win::Sid::FromKnownCapabilityVector(
+ {base::win::WellKnownCapability::kInternetClient,
+ base::win::WellKnownCapability::kPrivateNetworkClientServer});
+ ASSERT_TRUE(capabilities);
+ SecurityCapabilities caps_with_capabilities(*package_sid, *capabilities);
ASSERT_EQ(DWORD{ERROR_SUCCESS},
CreateLowBoxToken(nullptr, PRIMARY, &caps_with_capabilities,
nullptr, 0, &token));
@@ -825,8 +830,8 @@
RestrictedToken restricted_token;
base::win::ScopedHandle token_handle;
ASSERT_EQ(DWORD{ERROR_SUCCESS}, restricted_token.Init(nullptr));
- ASSERT_EQ(DWORD{ERROR_SUCCESS},
- restricted_token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
+ ASSERT_EQ(DWORD{ERROR_SUCCESS}, restricted_token.AddRestrictingSid(
+ base::win::WellKnownSid::kWorld));
ASSERT_EQ(DWORD{ERROR_SUCCESS},
restricted_token.GetRestrictedToken(&token_handle));
@@ -838,7 +843,7 @@
CheckRestrictingSid(token.Get(), ATL::Sids::World(), 1);
SecurityCapabilities caps_for_handles(
- Sid::FromSddlString(L"S-1-15-2-1-2-3-4-5-6-8"));
+ *base::win::Sid::FromSddlString(L"S-1-15-2-1-2-3-4-5-6-8"));
base::win::ScopedHandle object_handle;
ASSERT_EQ(DWORD{ERROR_SUCCESS},
CreateLowBoxObjectDirectory(caps_for_handles.AppContainerSid, true,
diff --git a/win/src/restricted_token_utils.cc b/win/src/restricted_token_utils.cc
index 923cc8a..51bf229 100644
--- a/win/src/restricted_token_utils.cc
+++ b/win/src/restricted_token_utils.cc
@@ -19,7 +19,6 @@
#include "sandbox/win/src/restricted_token.h"
#include "sandbox/win/src/sandbox_utils.h"
#include "sandbox/win/src/security_level.h"
-#include "sandbox/win/src/sid.h"
#include "sandbox/win/src/win_utils.h"
namespace sandbox {
@@ -50,28 +49,37 @@
return ERROR_SUCCESS;
}
+void AddSidException(std::vector<base::win::Sid>& sids,
+ base::win::WellKnownSid known_sid) {
+ absl::optional<base::win::Sid> sid = base::win::Sid::FromKnownSid(known_sid);
+ DCHECK(sid);
+ sids.push_back(std::move(*sid));
+}
+
} // namespace
-DWORD CreateRestrictedToken(HANDLE effective_token,
- TokenLevel security_level,
- IntegrityLevel integrity_level,
- TokenType token_type,
- bool lockdown_default_dacl,
- PSID unique_restricted_sid,
- base::win::ScopedHandle* token) {
+DWORD CreateRestrictedToken(
+ HANDLE effective_token,
+ TokenLevel security_level,
+ IntegrityLevel integrity_level,
+ TokenType token_type,
+ bool lockdown_default_dacl,
+ const absl::optional<base::win::Sid>& unique_restricted_sid,
+ base::win::ScopedHandle* token) {
RestrictedToken restricted_token;
restricted_token.Init(effective_token);
if (lockdown_default_dacl)
restricted_token.SetLockdownDefaultDacl();
if (unique_restricted_sid) {
- restricted_token.AddDefaultDaclSid(Sid(unique_restricted_sid), GRANT_ACCESS,
+ restricted_token.AddDefaultDaclSid(*unique_restricted_sid, GRANT_ACCESS,
GENERIC_ALL);
- restricted_token.AddDefaultDaclSid(Sid(WinCreatorOwnerRightsSid),
- GRANT_ACCESS, READ_CONTROL);
+ restricted_token.AddDefaultDaclSid(
+ base::win::WellKnownSid::kCreatorOwnerRights, GRANT_ACCESS,
+ READ_CONTROL);
}
std::vector<std::wstring> privilege_exceptions;
- std::vector<Sid> sid_exceptions;
+ std::vector<base::win::Sid> sid_exceptions;
bool deny_sids = true;
bool remove_privileges = true;
@@ -93,55 +101,62 @@
break;
}
case USER_NON_ADMIN: {
- sid_exceptions.push_back(WinBuiltinUsersSid);
- sid_exceptions.push_back(WinWorldSid);
- sid_exceptions.push_back(WinInteractiveSid);
- sid_exceptions.push_back(WinAuthenticatedUserSid);
+ AddSidException(sid_exceptions, base::win::WellKnownSid::kBuiltinUsers);
+ AddSidException(sid_exceptions, base::win::WellKnownSid::kWorld);
+ AddSidException(sid_exceptions, base::win::WellKnownSid::kInteractive);
+ AddSidException(sid_exceptions,
+ base::win::WellKnownSid::kAuthenticatedUser);
privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
break;
}
case USER_RESTRICTED_NON_ADMIN: {
- sid_exceptions.push_back(WinBuiltinUsersSid);
- sid_exceptions.push_back(WinWorldSid);
- sid_exceptions.push_back(WinInteractiveSid);
- sid_exceptions.push_back(WinAuthenticatedUserSid);
+ AddSidException(sid_exceptions, base::win::WellKnownSid::kBuiltinUsers);
+ AddSidException(sid_exceptions, base::win::WellKnownSid::kWorld);
+ AddSidException(sid_exceptions, base::win::WellKnownSid::kInteractive);
+ AddSidException(sid_exceptions,
+ base::win::WellKnownSid::kAuthenticatedUser);
privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
- restricted_token.AddRestrictingSid(WinBuiltinUsersSid);
- restricted_token.AddRestrictingSid(WinWorldSid);
- restricted_token.AddRestrictingSid(WinInteractiveSid);
- restricted_token.AddRestrictingSid(WinAuthenticatedUserSid);
- restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
+ restricted_token.AddRestrictingSid(
+ base::win::WellKnownSid::kBuiltinUsers);
+ restricted_token.AddRestrictingSid(base::win::WellKnownSid::kWorld);
+ restricted_token.AddRestrictingSid(base::win::WellKnownSid::kInteractive);
+ restricted_token.AddRestrictingSid(
+ base::win::WellKnownSid::kAuthenticatedUser);
+ restricted_token.AddRestrictingSid(base::win::WellKnownSid::kRestricted);
restricted_token.AddRestrictingSidCurrentUser();
restricted_token.AddRestrictingSidLogonSession();
if (unique_restricted_sid)
- restricted_token.AddRestrictingSid(Sid(unique_restricted_sid));
+ restricted_token.AddRestrictingSid(*unique_restricted_sid);
break;
}
case USER_INTERACTIVE: {
- sid_exceptions.push_back(WinBuiltinUsersSid);
- sid_exceptions.push_back(WinWorldSid);
- sid_exceptions.push_back(WinInteractiveSid);
- sid_exceptions.push_back(WinAuthenticatedUserSid);
+ AddSidException(sid_exceptions, base::win::WellKnownSid::kBuiltinUsers);
+ AddSidException(sid_exceptions, base::win::WellKnownSid::kWorld);
+ AddSidException(sid_exceptions, base::win::WellKnownSid::kInteractive);
+ AddSidException(sid_exceptions,
+ base::win::WellKnownSid::kAuthenticatedUser);
privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
- restricted_token.AddRestrictingSid(WinBuiltinUsersSid);
- restricted_token.AddRestrictingSid(WinWorldSid);
- restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
+ restricted_token.AddRestrictingSid(
+ base::win::WellKnownSid::kBuiltinUsers);
+ restricted_token.AddRestrictingSid(base::win::WellKnownSid::kWorld);
+ restricted_token.AddRestrictingSid(base::win::WellKnownSid::kRestricted);
restricted_token.AddRestrictingSidCurrentUser();
restricted_token.AddRestrictingSidLogonSession();
if (unique_restricted_sid)
- restricted_token.AddRestrictingSid(Sid(unique_restricted_sid));
+ restricted_token.AddRestrictingSid(*unique_restricted_sid);
break;
}
case USER_LIMITED: {
- sid_exceptions.push_back(WinBuiltinUsersSid);
- sid_exceptions.push_back(WinWorldSid);
- sid_exceptions.push_back(WinInteractiveSid);
+ AddSidException(sid_exceptions, base::win::WellKnownSid::kBuiltinUsers);
+ AddSidException(sid_exceptions, base::win::WellKnownSid::kWorld);
+ AddSidException(sid_exceptions, base::win::WellKnownSid::kInteractive);
privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
- restricted_token.AddRestrictingSid(WinBuiltinUsersSid);
- restricted_token.AddRestrictingSid(WinWorldSid);
- restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
+ restricted_token.AddRestrictingSid(
+ base::win::WellKnownSid::kBuiltinUsers);
+ restricted_token.AddRestrictingSid(base::win::WellKnownSid::kWorld);
+ restricted_token.AddRestrictingSid(base::win::WellKnownSid::kRestricted);
if (unique_restricted_sid)
- restricted_token.AddRestrictingSid(Sid(unique_restricted_sid));
+ restricted_token.AddRestrictingSid(*unique_restricted_sid);
// This token has to be able to create objects in BNO.
// Unfortunately, on Vista+, it needs the current logon sid
@@ -154,16 +169,16 @@
case USER_RESTRICTED: {
privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
restricted_token.AddUserSidForDenyOnly();
- restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
+ restricted_token.AddRestrictingSid(base::win::WellKnownSid::kRestricted);
if (unique_restricted_sid)
- restricted_token.AddRestrictingSid(Sid(unique_restricted_sid));
+ restricted_token.AddRestrictingSid(*unique_restricted_sid);
break;
}
case USER_LOCKDOWN: {
restricted_token.AddUserSidForDenyOnly();
- restricted_token.AddRestrictingSid(WinNullSid);
+ restricted_token.AddRestrictingSid(base::win::WellKnownSid::kNull);
if (unique_restricted_sid)
- restricted_token.AddRestrictingSid(Sid(unique_restricted_sid));
+ restricted_token.AddRestrictingSid(*unique_restricted_sid);
break;
}
default: { return ERROR_BAD_ARGUMENTS; }
diff --git a/win/src/restricted_token_utils.h b/win/src/restricted_token_utils.h
index cc46f56..655072b 100644
--- a/win/src/restricted_token_utils.h
+++ b/win/src/restricted_token_utils.h
@@ -9,8 +9,10 @@
#include <windows.h>
#include "base/win/scoped_handle.h"
+#include "base/win/sid.h"
#include "sandbox/win/src/restricted_token.h"
#include "sandbox/win/src/security_level.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
// Contains the utility functions to be able to create restricted tokens based
// on a security profiles.
@@ -30,16 +32,21 @@
// |lockdown_default_dacl| indicates the token's default DACL should be locked
// down to restrict what other process can open kernel resources created while
// running under the token.
+// |unique_restricted_sid| indicates an optional restricted SID to add to the
+// token's restricted SID list defined by |security_level|. This allows a
+// sandbox process to be grant access to itself and its resources but not
+// other sandboxed processes at the same security level.
// If the function succeeds, the return value is ERROR_SUCCESS. If the
// function fails, the return value is the win32 error code corresponding to
// the error.
-DWORD CreateRestrictedToken(HANDLE effective_token,
- TokenLevel security_level,
- IntegrityLevel integrity_level,
- TokenType token_type,
- bool lockdown_default_dacl,
- PSID unique_restricted_sid,
- base::win::ScopedHandle* token);
+DWORD CreateRestrictedToken(
+ HANDLE effective_token,
+ TokenLevel security_level,
+ IntegrityLevel integrity_level,
+ TokenType token_type,
+ bool lockdown_default_dacl,
+ const absl::optional<base::win::Sid>& unique_restricted_sid,
+ base::win::ScopedHandle* token);
// Sets the integrity label on a object handle.
DWORD SetObjectIntegrityLabel(HANDLE handle,
diff --git a/win/src/sandbox_policy_base.cc b/win/src/sandbox_policy_base.cc
index 8295069..53a7a8c 100644
--- a/win/src/sandbox_policy_base.cc
+++ b/win/src/sandbox_policy_base.cc
@@ -13,6 +13,7 @@
#include "base/callback.h"
#include "base/logging.h"
#include "base/macros.h"
+#include "base/win/sid.h"
#include "base/win/win_util.h"
#include "base/win/windows_version.h"
#include "sandbox/win/src/acl.h"
@@ -424,16 +425,17 @@
ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial,
base::win::ScopedHandle* lockdown,
base::win::ScopedHandle* lowbox) {
- Sid random_sid = Sid::GenerateRandomSid();
- PSID random_sid_ptr = nullptr;
- if (add_restricting_random_sid_)
- random_sid_ptr = random_sid.GetPSID();
+ absl::optional<base::win::Sid> random_sid =
+ add_restricting_random_sid_ ? base::win::Sid::GenerateRandomSid()
+ : absl::nullopt;
+ if (add_restricting_random_sid_ && !random_sid)
+ return SBOX_ERROR_CANNOT_CREATE_RESTRICTED_TOKEN;
// Create the 'naked' token. This will be the permanent token associated
// with the process and therefore with any thread that is not impersonating.
DWORD result = CreateRestrictedToken(
effective_token_, lockdown_level_, integrity_level_, PRIMARY,
- lockdown_default_dacl_, random_sid_ptr, lockdown);
+ lockdown_default_dacl_, random_sid, lockdown);
if (ERROR_SUCCESS != result)
return SBOX_ERROR_CANNOT_CREATE_RESTRICTED_TOKEN;
@@ -483,9 +485,9 @@
// Create the 'better' token. We use this token as the one that the main
// thread uses when booting up the process. It should contain most of
// what we need (before reaching main( ))
- result = CreateRestrictedToken(
- effective_token_, initial_level_, integrity_level_, IMPERSONATION,
- lockdown_default_dacl_, random_sid_ptr, initial);
+ result = CreateRestrictedToken(effective_token_, initial_level_,
+ integrity_level_, IMPERSONATION,
+ lockdown_default_dacl_, random_sid, initial);
if (ERROR_SUCCESS != result)
return SBOX_ERROR_CANNOT_CREATE_RESTRICTED_IMP_TOKEN;
diff --git a/win/src/sandbox_policy_diagnostic.cc b/win/src/sandbox_policy_diagnostic.cc
index f1f580e..a4bdf8c 100644
--- a/win/src/sandbox_policy_diagnostic.cc
+++ b/win/src/sandbox_policy_diagnostic.cc
@@ -119,11 +119,13 @@
}
}
-std::wstring GetSidAsString(const Sid* sid) {
- std::wstring result;
- if (!sid->ToSddlString(&result))
+std::wstring GetSidAsString(const base::win::Sid& sid) {
+ absl::optional<std::wstring> result = sid.ToSddlString();
+ if (!result) {
DCHECK(false) << "Failed to make sddl string";
- return result;
+ return L"";
+ }
+ return *result;
}
std::string GetMitigationsAsHex(MitigationFlags mitigations) {
@@ -400,14 +402,13 @@
desired_mitigations_ = policy->mitigations_ | policy->delayed_mitigations_;
if (policy->app_container_) {
- app_container_sid_ =
- std::make_unique<Sid>(policy->app_container_->GetPackageSid());
+ app_container_sid_.emplace(policy->app_container_->GetPackageSid().Clone());
for (const auto& sid : policy->app_container_->GetCapabilities()) {
- capabilities_.push_back(sid);
+ capabilities_.push_back(sid.Clone());
}
for (const auto& sid :
policy->app_container_->GetImpersonationCapabilities()) {
- initial_capabilities_.push_back(sid);
+ initial_capabilities_.push_back(sid.Clone());
}
app_container_type_ = policy->app_container_->GetAppContainerType();
@@ -458,18 +459,18 @@
if (app_container_sid_) {
value.SetStringKey(
kAppContainerSid,
- base::AsStringPiece16(GetSidAsString(app_container_sid_.get())));
+ base::AsStringPiece16(GetSidAsString(*app_container_sid_)));
std::vector<base::Value> caps;
- for (auto sid : capabilities_) {
- auto sid_value = base::Value(base::AsStringPiece16(GetSidAsString(&sid)));
+ for (const auto& sid : capabilities_) {
+ auto sid_value = base::Value(base::AsStringPiece16(GetSidAsString(sid)));
caps.push_back(std::move(sid_value));
}
if (!caps.empty()) {
value.SetKey(kAppContainerCapabilities, base::Value(std::move(caps)));
}
std::vector<base::Value> imp_caps;
- for (auto sid : initial_capabilities_) {
- auto sid_value = base::Value(base::AsStringPiece16(GetSidAsString(&sid)));
+ for (const auto& sid : initial_capabilities_) {
+ auto sid_value = base::Value(base::AsStringPiece16(GetSidAsString(sid)));
imp_caps.push_back(std::move(sid_value));
}
if (!imp_caps.empty()) {
@@ -478,9 +479,8 @@
}
if (app_container_type_ == AppContainerType::kLowbox)
- value.SetStringKey(
- kLowboxSid,
- base::AsStringPiece16(GetSidAsString(app_container_sid_.get())));
+ value.SetStringKey(kLowboxSid, base::AsStringPiece16(
+ GetSidAsString(*app_container_sid_)));
}
if (policy_rules_)
diff --git a/win/src/sandbox_policy_diagnostic.h b/win/src/sandbox_policy_diagnostic.h
index c042674..7df7623 100644
--- a/win/src/sandbox_policy_diagnostic.h
+++ b/win/src/sandbox_policy_diagnostic.h
@@ -12,13 +12,14 @@
#include <vector>
#include "base/macros.h"
+#include "base/win/sid.h"
#include "sandbox/win/src/app_container.h"
#include "sandbox/win/src/handle_closer.h"
#include "sandbox/win/src/policy_low_level.h"
#include "sandbox/win/src/process_mitigations.h"
#include "sandbox/win/src/sandbox.h"
#include "sandbox/win/src/security_level.h"
-#include "sandbox/win/src/sid.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
namespace sandbox {
@@ -46,11 +47,11 @@
JobLevel job_level_ = JOB_NONE;
IntegrityLevel desired_integrity_level_ = INTEGRITY_LEVEL_LAST;
MitigationFlags desired_mitigations_ = 0;
- std::unique_ptr<Sid> app_container_sid_;
+ absl::optional<base::win::Sid> app_container_sid_;
// Only populated if |app_container_sid_| is present.
- std::vector<Sid> capabilities_;
+ std::vector<base::win::Sid> capabilities_;
// Only populated if |app_container_sid_| is present.
- std::vector<Sid> initial_capabilities_;
+ std::vector<base::win::Sid> initial_capabilities_;
AppContainerType app_container_type_ = AppContainerType::kNone;
std::unique_ptr<PolicyGlobal> policy_rules_;
bool is_csrss_connected_ = false;
diff --git a/win/src/security_capabilities.cc b/win/src/security_capabilities.cc
index 0df446b..eb3b14b 100644
--- a/win/src/security_capabilities.cc
+++ b/win/src/security_capabilities.cc
@@ -4,14 +4,16 @@
#include "sandbox/win/src/security_capabilities.h"
#include "base/numerics/safe_conversions.h"
+#include "base/win/security_util.h"
namespace sandbox {
-SecurityCapabilities::SecurityCapabilities(const Sid& package_sid,
- const std::vector<Sid>& capabilities)
+SecurityCapabilities::SecurityCapabilities(
+ const base::win::Sid& package_sid,
+ const std::vector<base::win::Sid>& capabilities)
: SECURITY_CAPABILITIES(),
- capabilities_(capabilities),
- package_sid_(package_sid) {
+ capabilities_(base::win::CloneSidVector(capabilities)),
+ package_sid_(package_sid.Clone()) {
AppContainerSid = package_sid_.GetPSID();
if (capabilities_.empty())
return;
@@ -25,8 +27,8 @@
Capabilities = capability_sids_.data();
}
-SecurityCapabilities::SecurityCapabilities(const Sid& package_sid)
- : SecurityCapabilities(package_sid, std::vector<Sid>()) {}
+SecurityCapabilities::SecurityCapabilities(const base::win::Sid& package_sid)
+ : SecurityCapabilities(package_sid, std::vector<base::win::Sid>()) {}
SecurityCapabilities::~SecurityCapabilities() {}
diff --git a/win/src/security_capabilities.h b/win/src/security_capabilities.h
index 1e36c2f..257667d 100644
--- a/win/src/security_capabilities.h
+++ b/win/src/security_capabilities.h
@@ -10,15 +10,15 @@
#include <vector>
#include "base/macros.h"
-#include "sandbox/win/src/sid.h"
+#include "base/win/sid.h"
namespace sandbox {
class SecurityCapabilities final : public SECURITY_CAPABILITIES {
public:
- explicit SecurityCapabilities(const Sid& package_sid);
- SecurityCapabilities(const Sid& package_sid,
- const std::vector<Sid>& capabilities);
+ explicit SecurityCapabilities(const base::win::Sid& package_sid);
+ SecurityCapabilities(const base::win::Sid& package_sid,
+ const std::vector<base::win::Sid>& capabilities);
SecurityCapabilities(const SecurityCapabilities&) = delete;
SecurityCapabilities& operator=(const SecurityCapabilities&) = delete;
@@ -26,9 +26,9 @@
~SecurityCapabilities();
private:
- std::vector<Sid> capabilities_;
+ std::vector<base::win::Sid> capabilities_;
std::vector<SID_AND_ATTRIBUTES> capability_sids_;
- Sid package_sid_;
+ base::win::Sid package_sid_;
};
} // namespace sandbox
diff --git a/win/src/sid.cc b/win/src/sid.cc
deleted file mode 100644
index a22e8a4..0000000
--- a/win/src/sid.cc
+++ /dev/null
@@ -1,163 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/sid.h"
-
-#include <memory>
-
-#include <sddl.h>
-#include <stdlib.h>
-
-#include "base/check.h"
-#include "base/rand_util.h"
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/win_utils.h"
-
-namespace sandbox {
-
-namespace {
-
-DWORD WellKnownCapabilityToRid(WellKnownCapabilities capability) {
- switch (capability) {
- case kInternetClient:
- return SECURITY_CAPABILITY_INTERNET_CLIENT;
- case kInternetClientServer:
- return SECURITY_CAPABILITY_INTERNET_CLIENT_SERVER;
- case kPrivateNetworkClientServer:
- return SECURITY_CAPABILITY_PRIVATE_NETWORK_CLIENT_SERVER;
- case kPicturesLibrary:
- return SECURITY_CAPABILITY_PICTURES_LIBRARY;
- case kVideosLibrary:
- return SECURITY_CAPABILITY_VIDEOS_LIBRARY;
- case kMusicLibrary:
- return SECURITY_CAPABILITY_MUSIC_LIBRARY;
- case kDocumentsLibrary:
- return SECURITY_CAPABILITY_DOCUMENTS_LIBRARY;
- case kEnterpriseAuthentication:
- return SECURITY_CAPABILITY_ENTERPRISE_AUTHENTICATION;
- case kSharedUserCertificates:
- return SECURITY_CAPABILITY_SHARED_USER_CERTIFICATES;
- case kRemovableStorage:
- return SECURITY_CAPABILITY_REMOVABLE_STORAGE;
- case kAppointments:
- return SECURITY_CAPABILITY_APPOINTMENTS;
- case kContacts:
- return SECURITY_CAPABILITY_CONTACTS;
- default:
- break;
- }
- return 0;
-}
-
-} // namespace
-
-Sid::Sid() : sid_() {}
-
-Sid::Sid(PSID sid) : sid_() {
- ::CopySid(SECURITY_MAX_SID_SIZE, sid_, sid);
-}
-
-Sid::Sid(const SID* sid) : sid_() {
- ::CopySid(SECURITY_MAX_SID_SIZE, sid_, const_cast<SID*>(sid));
-}
-
-Sid::Sid(WELL_KNOWN_SID_TYPE type) {
- DWORD size_sid = SECURITY_MAX_SID_SIZE;
- bool result = ::CreateWellKnownSid(type, nullptr, sid_, &size_sid);
- DCHECK(result);
- (void)result;
-}
-
-Sid Sid::FromKnownCapability(WellKnownCapabilities capability) {
- DWORD capability_rid = WellKnownCapabilityToRid(capability);
- if (!capability_rid)
- return Sid();
- SID_IDENTIFIER_AUTHORITY capability_authority = {
- SECURITY_APP_PACKAGE_AUTHORITY};
- DWORD sub_authorities[] = {SECURITY_CAPABILITY_BASE_RID, capability_rid};
- return FromSubAuthorities(&capability_authority, 2, sub_authorities);
-}
-
-Sid Sid::FromNamedCapability(const wchar_t* capability_name) {
- RtlDeriveCapabilitySidsFromNameFunction derive_capability_sids = nullptr;
- ResolveNTFunctionPtr("RtlDeriveCapabilitySidsFromName",
- &derive_capability_sids);
- RtlInitUnicodeStringFunction init_unicode_string = nullptr;
- ResolveNTFunctionPtr("RtlInitUnicodeString", &init_unicode_string);
-
- if (!derive_capability_sids || !init_unicode_string)
- return Sid();
-
- if (!capability_name || ::wcslen(capability_name) == 0)
- return Sid();
-
- UNICODE_STRING name = {};
- init_unicode_string(&name, capability_name);
- Sid capability_sid;
- Sid group_sid;
-
- NTSTATUS status =
- derive_capability_sids(&name, group_sid.sid_, capability_sid.sid_);
- if (!NT_SUCCESS(status))
- return Sid();
-
- return capability_sid;
-}
-
-Sid Sid::FromSddlString(const wchar_t* sddl_sid) {
- PSID psid = nullptr;
- if (!::ConvertStringSidToSid(sddl_sid, &psid))
- return Sid();
- std::unique_ptr<void, sandbox::LocalFreeDeleter> converted_sid(psid);
- return Sid(converted_sid.get());
-}
-
-Sid Sid::FromSubAuthorities(PSID_IDENTIFIER_AUTHORITY identifier_authority,
- BYTE sub_authority_count,
- PDWORD sub_authorities) {
- Sid sid;
- if (!::InitializeSid(sid.sid_, identifier_authority, sub_authority_count))
- return Sid();
-
- for (DWORD index = 0; index < sub_authority_count; ++index) {
- PDWORD sub_authority = GetSidSubAuthority(sid.sid_, index);
- *sub_authority = sub_authorities[index];
- }
- return sid;
-}
-
-Sid Sid::AllRestrictedApplicationPackages() {
- SID_IDENTIFIER_AUTHORITY package_authority = {SECURITY_APP_PACKAGE_AUTHORITY};
- DWORD sub_authorities[] = {SECURITY_APP_PACKAGE_BASE_RID,
- SECURITY_BUILTIN_PACKAGE_ANY_RESTRICTED_PACKAGE};
- return FromSubAuthorities(&package_authority, 2, sub_authorities);
-}
-
-Sid Sid::GenerateRandomSid() {
- SID_IDENTIFIER_AUTHORITY package_authority = {SECURITY_NULL_SID_AUTHORITY};
- DWORD sub_authorities[4] = {};
- base::RandBytes(&sub_authorities, sizeof(sub_authorities));
- return FromSubAuthorities(&package_authority, _countof(sub_authorities),
- sub_authorities);
-}
-
-PSID Sid::GetPSID() const {
- return const_cast<BYTE*>(sid_);
-}
-
-bool Sid::IsValid() const {
- return !!::IsValidSid(GetPSID());
-}
-
-// Converts the SID to an SDDL format string.
-bool Sid::ToSddlString(std::wstring* sddl_string) const {
- LPWSTR sid = nullptr;
- if (!::ConvertSidToStringSid(GetPSID(), &sid))
- return false;
- std::unique_ptr<void, LocalFreeDeleter> sid_ptr(sid);
- *sddl_string = sid;
- return true;
-}
-
-} // namespace sandbox
diff --git a/win/src/sid.h b/win/src/sid.h
deleted file mode 100644
index f6f0ff2..0000000
--- a/win/src/sid.h
+++ /dev/null
@@ -1,75 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_WIN_SRC_SID_H_
-#define SANDBOX_WIN_SRC_SID_H_
-
-#include <windows.h>
-
-#include <string>
-
-namespace sandbox {
-
-// Known capabilities defined in Windows 8.
-enum WellKnownCapabilities {
- kInternetClient,
- kInternetClientServer,
- kPrivateNetworkClientServer,
- kPicturesLibrary,
- kVideosLibrary,
- kMusicLibrary,
- kDocumentsLibrary,
- kEnterpriseAuthentication,
- kSharedUserCertificates,
- kRemovableStorage,
- kAppointments,
- kContacts,
- kMaxWellKnownCapability
-};
-
-// This class is used to hold and generate SIDS.
-class Sid {
- public:
- // As PSID is just a void* make it explicit. Copies
- // the memory referenced by |sid|.
- explicit Sid(PSID sid);
- // Constructors initializing the object with the SID passed.
- // This is a converting constructor. It is not explicit.
- Sid(const SID* sid);
- Sid(WELL_KNOWN_SID_TYPE type);
-
- // Create a Sid from an AppContainer capability name. The name can be
- // completely arbitrary.
- static Sid FromNamedCapability(const wchar_t* capability_name);
- // Create a Sid from a known capability enumeration value. The Sids
- // match with the list defined in Windows 8.
- static Sid FromKnownCapability(WellKnownCapabilities capability);
- // Create a Sid from a SDDL format string, such as S-1-1-0.
- static Sid FromSddlString(const wchar_t* sddl_sid);
- // Create a Sid from a set of sub authorities.
- static Sid FromSubAuthorities(PSID_IDENTIFIER_AUTHORITY identifier_authority,
- BYTE sub_authority_count,
- PDWORD sub_authorities);
- // Create the restricted all application packages sid.
- static Sid AllRestrictedApplicationPackages();
- // Generate a random SID value.
- static Sid GenerateRandomSid();
-
- // Returns sid_.
- PSID GetPSID() const;
-
- // Gets whether the sid is valid.
- bool IsValid() const;
-
- // Converts the SID to a SDDL format string.
- bool ToSddlString(std::wstring* sddl_string) const;
-
- private:
- Sid();
- BYTE sid_[SECURITY_MAX_SID_SIZE];
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_WIN_SRC_SID_H_
diff --git a/win/src/sid_unittest.cc b/win/src/sid_unittest.cc
deleted file mode 100644
index e39b47e..0000000
--- a/win/src/sid_unittest.cc
+++ /dev/null
@@ -1,190 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This file contains unit tests for the sid class.
-
-#include "sandbox/win/src/sid.h"
-
-#include <sddl.h>
-
-#include "base/win/atl.h"
-#include "base/win/windows_version.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace sandbox {
-
-namespace {
-
-bool EqualSid(const Sid& sid, const ATL::CSid& compare_sid) {
- if (!sid.IsValid())
- return false;
- return !!::EqualSid(sid.GetPSID(), const_cast<SID*>(compare_sid.GetPSID()));
-}
-
-bool EqualSid(const Sid& sid, const wchar_t* sddl_sid) {
- PSID compare_sid;
- if (!sid.IsValid())
- return false;
- if (!::ConvertStringSidToSid(sddl_sid, &compare_sid))
- return false;
- bool equal = !!::EqualSid(sid.GetPSID(), compare_sid);
- ::LocalFree(compare_sid);
- return equal;
-}
-
-struct KnownCapabilityTestEntry {
- WellKnownCapabilities capability;
- const wchar_t* sddl_sid;
-};
-
-struct NamedCapabilityTestEntry {
- const wchar_t* capability_name;
- const wchar_t* sddl_sid;
-};
-
-} // namespace
-
-// Tests the creation of a Sid.
-TEST(SidTest, Constructors) {
- ATL::CSid sid_world = ATL::Sids::World();
- PSID sid_world_pointer = const_cast<SID*>(sid_world.GetPSID());
-
- // Check the SID* constructor.
- Sid sid_sid_star(sid_world_pointer);
- ASSERT_TRUE(EqualSid(sid_sid_star, sid_world));
-
- // Check the copy constructor.
- Sid sid_copy(sid_sid_star);
- ASSERT_TRUE(EqualSid(sid_copy, sid_world));
-
- Sid sid_sddl = Sid::FromSddlString(L"S-1-1-0");
- ASSERT_TRUE(sid_sddl.IsValid());
- ASSERT_TRUE(EqualSid(sid_sddl, sid_world));
-
- Sid sid_sddl_invalid = Sid::FromSddlString(L"X-1-1-0");
- ASSERT_FALSE(sid_sddl_invalid.IsValid());
-
- Sid sid_sddl_empty = Sid::FromSddlString(L"");
- ASSERT_FALSE(sid_sddl_empty.IsValid());
-
- // Note that the WELL_KNOWN_SID_TYPE constructor is tested in the GetPSID
- // test. AppContainer related constructors are tested in AppContainer.
-}
-
-// Tests the method GetPSID
-TEST(SidTest, GetPSID) {
- // Check for non-null result;
- ASSERT_NE(nullptr, Sid(::WinLocalSid).GetPSID());
- ASSERT_NE(nullptr, Sid(::WinCreatorOwnerSid).GetPSID());
- ASSERT_NE(nullptr, Sid(::WinBatchSid).GetPSID());
-
- ASSERT_TRUE(EqualSid(Sid(::WinNullSid), ATL::Sids::Null()));
-
- ASSERT_TRUE(EqualSid(Sid(::WinWorldSid), ATL::Sids::World()));
-
- ASSERT_TRUE(EqualSid(Sid(::WinDialupSid), ATL::Sids::Dialup()));
-
- ASSERT_TRUE(EqualSid(Sid(::WinNetworkSid), ATL::Sids::Network()));
-
- ASSERT_TRUE(
- EqualSid(Sid(::WinBuiltinAdministratorsSid), ATL::Sids::Admins()));
-
- ASSERT_TRUE(EqualSid(Sid(::WinBuiltinUsersSid), ATL::Sids::Users()));
-
- ASSERT_TRUE(EqualSid(Sid(::WinBuiltinGuestsSid), ATL::Sids::Guests()));
-
- ASSERT_TRUE(EqualSid(Sid(::WinProxySid), ATL::Sids::Proxy()));
-}
-
-TEST(SidTest, KnownCapability) {
- if (base::win::GetVersion() < base::win::Version::WIN8)
- return;
-
- Sid sid_invalid_well_known =
- Sid::FromKnownCapability(kMaxWellKnownCapability);
- EXPECT_FALSE(sid_invalid_well_known.IsValid());
-
- const KnownCapabilityTestEntry capabilities[] = {
- {kInternetClient, L"S-1-15-3-1"},
- {kInternetClientServer, L"S-1-15-3-2"},
- {kPrivateNetworkClientServer, L"S-1-15-3-3"},
- {kPicturesLibrary, L"S-1-15-3-4"},
- {kVideosLibrary, L"S-1-15-3-5"},
- {kMusicLibrary, L"S-1-15-3-6"},
- {kDocumentsLibrary, L"S-1-15-3-7"},
- {kEnterpriseAuthentication, L"S-1-15-3-8"},
- {kSharedUserCertificates, L"S-1-15-3-9"},
- {kRemovableStorage, L"S-1-15-3-10"},
- {kAppointments, L"S-1-15-3-11"},
- {kContacts, L"S-1-15-3-12"},
- };
-
- for (auto capability : capabilities) {
- EXPECT_TRUE(EqualSid(Sid::FromKnownCapability(capability.capability),
- capability.sddl_sid))
- << "Known Capability: " << capability.sddl_sid;
- }
-}
-
-TEST(SidTest, NamedCapability) {
- if (base::win::GetVersion() < base::win::Version::WIN10)
- return;
-
- Sid sid_nullptr = Sid::FromNamedCapability(nullptr);
- EXPECT_FALSE(sid_nullptr.IsValid());
-
- Sid sid_empty = Sid::FromNamedCapability(L"");
- EXPECT_FALSE(sid_empty.IsValid());
-
- const NamedCapabilityTestEntry capabilities[] = {
- {L"internetClient", L"S-1-15-3-1"},
- {L"internetClientServer", L"S-1-15-3-2"},
- {L"registryRead",
- L"S-1-15-3-1024-1065365936-1281604716-3511738428-"
- "1654721687-432734479-3232135806-4053264122-3456934681"},
- {L"lpacCryptoServices",
- L"S-1-15-3-1024-3203351429-2120443784-2872670797-"
- "1918958302-2829055647-4275794519-765664414-2751773334"},
- {L"enterpriseAuthentication", L"S-1-15-3-8"},
- {L"privateNetworkClientServer", L"S-1-15-3-3"}};
-
- for (auto capability : capabilities) {
- EXPECT_TRUE(EqualSid(Sid::FromNamedCapability(capability.capability_name),
- capability.sddl_sid))
- << "Named Capability: " << capability.sddl_sid;
- }
-}
-
-TEST(SidTest, Sddl) {
- Sid sid_sddl = Sid::FromSddlString(L"S-1-1-0");
- ASSERT_TRUE(sid_sddl.IsValid());
- std::wstring sddl_str;
- ASSERT_TRUE(sid_sddl.ToSddlString(&sddl_str));
- ASSERT_EQ(L"S-1-1-0", sddl_str);
-}
-
-TEST(SidTest, SubAuthorities) {
- DWORD world_subauthorities[] = {0};
- SID_IDENTIFIER_AUTHORITY world_authority = {SECURITY_WORLD_SID_AUTHORITY};
- Sid sid_world =
- Sid::FromSubAuthorities(&world_authority, 1, world_subauthorities);
- ASSERT_TRUE(EqualSid(sid_world, ATL::Sids::World()));
- ASSERT_TRUE(Sid::FromSubAuthorities(&world_authority, 0, nullptr).IsValid());
-
- DWORD admin_subauthorities[] = {32, 544};
- SID_IDENTIFIER_AUTHORITY nt_authority = {SECURITY_NT_AUTHORITY};
- Sid sid_admin =
- Sid::FromSubAuthorities(&nt_authority, 2, admin_subauthorities);
- ASSERT_TRUE(EqualSid(sid_admin, ATL::Sids::Admins()));
-}
-
-TEST(SidTest, RandomSid) {
- Sid sid1 = Sid::GenerateRandomSid();
- ASSERT_TRUE(sid1.IsValid());
- Sid sid2 = Sid::GenerateRandomSid();
- ASSERT_TRUE(sid2.IsValid());
- ASSERT_FALSE(::EqualSid(sid1.GetPSID(), sid2.GetPSID()));
-}
-
-} // namespace sandbox
diff --git a/win/src/target_process.cc b/win/src/target_process.cc
index e93cf37..927a2a8 100644
--- a/win/src/target_process.cc
+++ b/win/src/target_process.cc
@@ -14,6 +14,7 @@
#include "base/macros.h"
#include "base/memory/free_deleter.h"
#include "base/numerics/safe_conversions.h"
+#include "base/win/security_util.h"
#include "base/win/startup_information.h"
#include "base/win/windows_version.h"
#include "sandbox/win/src/crosscall_client.h"
@@ -23,7 +24,6 @@
#include "sandbox/win/src/sandbox_types.h"
#include "sandbox/win/src/security_capabilities.h"
#include "sandbox/win/src/sharedmem_ipc_server.h"
-#include "sandbox/win/src/sid.h"
#include "sandbox/win/src/startup_information_helper.h"
#include "sandbox/win/src/win_utils.h"
@@ -49,8 +49,7 @@
}
}
-bool GetTokenAppContainerSid(HANDLE token_handle,
- std::unique_ptr<Sid>* app_container_sid) {
+absl::optional<base::win::Sid> GetTokenAppContainerSid(HANDLE token_handle) {
std::vector<char> app_container_info(sizeof(TOKEN_APPCONTAINER_INFORMATION) +
SECURITY_MAX_SID_SIZE);
DWORD return_length;
@@ -59,37 +58,34 @@
token_handle, TokenAppContainerSid, app_container_info.data(),
base::checked_cast<DWORD>(app_container_info.size()),
&return_length)) {
- return false;
+ return absl::nullopt;
}
PTOKEN_APPCONTAINER_INFORMATION info =
reinterpret_cast<PTOKEN_APPCONTAINER_INFORMATION>(
app_container_info.data());
if (!info->TokenAppContainer)
- return false;
- *app_container_sid = std::make_unique<Sid>(info->TokenAppContainer);
- return true;
+ return absl::nullopt;
+ return base::win::Sid::FromPSID(info->TokenAppContainer);
}
-bool GetProcessAppContainerSid(HANDLE process,
- std::unique_ptr<Sid>* app_container_sid) {
+absl::optional<base::win::Sid> GetProcessAppContainerSid(HANDLE process) {
HANDLE token_handle;
if (!::OpenProcessToken(process, TOKEN_QUERY, &token_handle))
- return false;
+ return absl::nullopt;
base::win::ScopedHandle process_token(token_handle);
- return GetTokenAppContainerSid(process_token.Get(), app_container_sid);
+ return GetTokenAppContainerSid(process_token.Get());
}
bool GetAppContainerImpersonationToken(
HANDLE process,
HANDLE initial_token,
- const std::vector<Sid>& capabilities,
+ const std::vector<base::win::Sid>& capabilities,
base::win::ScopedHandle* impersonation_token) {
- std::unique_ptr<Sid> app_container_sid;
- if (!GetProcessAppContainerSid(process, &app_container_sid)) {
+ auto app_container_sid = GetProcessAppContainerSid(process);
+ if (!app_container_sid)
return false;
- }
SecurityCapabilities security_caps(*app_container_sid, capabilities);
return CreateLowBoxToken(initial_token, IMPERSONATION, &security_caps,
nullptr, 0, impersonation_token) == ERROR_SUCCESS;
@@ -101,11 +97,12 @@
SANDBOX_INTERCEPT size_t g_shared_IPC_size;
SANDBOX_INTERCEPT size_t g_shared_policy_size;
-TargetProcess::TargetProcess(base::win::ScopedHandle initial_token,
- base::win::ScopedHandle lockdown_token,
- HANDLE job,
- ThreadPool* thread_pool,
- const std::vector<Sid>& impersonation_capabilities)
+TargetProcess::TargetProcess(
+ base::win::ScopedHandle initial_token,
+ base::win::ScopedHandle lockdown_token,
+ HANDLE job,
+ ThreadPool* thread_pool,
+ const std::vector<base::win::Sid>& impersonation_capabilities)
// This object owns everything initialized here except thread_pool and
// the job_ handle. The Job handle is closed by BrokerServices and results
// eventually in a call to our dtor.
@@ -114,7 +111,8 @@
job_(job),
thread_pool_(thread_pool),
base_address_(nullptr),
- impersonation_capabilities_(impersonation_capabilities) {}
+ impersonation_capabilities_(
+ base::win::CloneSidVector(impersonation_capabilities)) {}
TargetProcess::~TargetProcess() {
// Give a chance to the process to die. In most cases the JOB_KILL_ON_CLOSE
@@ -362,7 +360,7 @@
HMODULE base_address) {
auto target = std::make_unique<TargetProcess>(
base::win::ScopedHandle(), base::win::ScopedHandle(), nullptr, nullptr,
- std::vector<Sid>());
+ std::vector<base::win::Sid>());
PROCESS_INFORMATION process_info = {};
process_info.hProcess = process;
target->sandbox_process_info_.Set(process_info);
diff --git a/win/src/target_process.h b/win/src/target_process.h
index 7432291..7fa60d2 100644
--- a/win/src/target_process.h
+++ b/win/src/target_process.h
@@ -17,6 +17,7 @@
#include "base/memory/free_deleter.h"
#include "base/win/scoped_handle.h"
#include "base/win/scoped_process_information.h"
+#include "base/win/sid.h"
#include "sandbox/win/src/crosscall_server.h"
#include "sandbox/win/src/sandbox_types.h"
@@ -38,7 +39,7 @@
base::win::ScopedHandle lockdown_token,
HANDLE job,
ThreadPool* thread_pool,
- const std::vector<Sid>& impersonation_capabilities);
+ const std::vector<base::win::Sid>& impersonation_capabilities);
TargetProcess(const TargetProcess&) = delete;
TargetProcess& operator=(const TargetProcess&) = delete;
@@ -116,7 +117,7 @@
// Full name of the target executable.
std::unique_ptr<wchar_t, base::FreeDeleter> exe_name_;
/// List of capability sids for use when impersonating in an AC process.
- std::vector<Sid> impersonation_capabilities_;
+ std::vector<base::win::Sid> impersonation_capabilities_;
// Function used for testing.
friend std::unique_ptr<TargetProcess> MakeTestTargetProcess(
diff --git a/win/src/window.cc b/win/src/window.cc
index 66e76af..22960bf 100644
--- a/win/src/window.cc
+++ b/win/src/window.cc
@@ -9,10 +9,10 @@
#include <memory>
#include "base/notreached.h"
+#include "base/win/sid.h"
#include "base/win/win_util.h"
#include "base/win/windows_version.h"
#include "sandbox/win/src/acl.h"
-#include "sandbox/win/src/sid.h"
namespace {
@@ -136,11 +136,12 @@
// the DACL. Also need WinBuiltinAnyPackageSid for AppContainer processes.
if (base::win::GetVersion() >= base::win::Version::WIN8) {
AddKnownSidToObject(*desktop, SE_WINDOW_OBJECT,
- Sid(WinBuiltinAnyPackageSid), GRANT_ACCESS,
- GENERIC_ALL);
+ base::win::WellKnownSid::kAllApplicationPackages,
+ GRANT_ACCESS, GENERIC_ALL);
}
- AddKnownSidToObject(*desktop, SE_WINDOW_OBJECT, Sid(WinWorldSid),
- GRANT_ACCESS, GENERIC_ALL);
+ AddKnownSidToObject(*desktop, SE_WINDOW_OBJECT,
+ base::win::WellKnownSid::kWorld, GRANT_ACCESS,
+ GENERIC_ALL);
}
// Replace the DACL on the new Desktop with a reduced privilege version.
@@ -149,8 +150,9 @@
WRITE_DAC | WRITE_OWNER | DELETE | DESKTOP_CREATEMENU |
DESKTOP_CREATEWINDOW | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALPLAYBACK |
DESKTOP_JOURNALRECORD | DESKTOP_SWITCHDESKTOP;
- AddKnownSidToObject(*desktop, SE_WINDOW_OBJECT, Sid(WinRestrictedCodeSid),
- DENY_ACCESS, kDesktopDenyMask);
+ AddKnownSidToObject(*desktop, SE_WINDOW_OBJECT,
+ base::win::WellKnownSid::kRestricted, DENY_ACCESS,
+ kDesktopDenyMask);
return SBOX_ALL_OK;
}
diff --git a/win/tests/common/test_utils.cc b/win/tests/common/test_utils.cc
index 53fcc10..5aeffd7 100644
--- a/win/tests/common/test_utils.cc
+++ b/win/tests/common/test_utils.cc
@@ -78,7 +78,7 @@
SidAndAttributes::SidAndAttributes(const SID_AND_ATTRIBUTES& sid_and_attributes)
: attributes_(sid_and_attributes.Attributes),
- sid_(sid_and_attributes.Sid) {}
+ sid_(*base::win::Sid::FromPSID(sid_and_attributes.Sid)) {}
PSID SidAndAttributes::GetPSID() const {
return sid_.GetPSID();
@@ -88,8 +88,7 @@
return attributes_;
}
-bool GetTokenAppContainerSid(HANDLE token,
- std::unique_ptr<sandbox::Sid>* app_container_sid) {
+absl::optional<base::win::Sid> GetTokenAppContainerSid(HANDLE token) {
std::vector<char> app_container_info(sizeof(TOKEN_APPCONTAINER_INFORMATION) +
SECURITY_MAX_SID_SIZE);
DWORD return_length;
@@ -98,54 +97,57 @@
token, TokenAppContainerSid, app_container_info.data(),
base::checked_cast<DWORD>(app_container_info.size()),
&return_length)) {
- return false;
+ return absl::nullopt;
}
PTOKEN_APPCONTAINER_INFORMATION info =
reinterpret_cast<PTOKEN_APPCONTAINER_INFORMATION>(
app_container_info.data());
if (!info->TokenAppContainer)
- return false;
- *app_container_sid = std::make_unique<sandbox::Sid>(info->TokenAppContainer);
- return true;
+ return absl::nullopt;
+ return base::win::Sid::FromPSID(info->TokenAppContainer);
}
-bool GetTokenGroups(HANDLE token,
- TOKEN_INFORMATION_CLASS information_class,
- std::vector<SidAndAttributes>* token_groups) {
+absl::optional<std::vector<SidAndAttributes>> GetTokenGroups(
+ HANDLE token,
+ TOKEN_INFORMATION_CLASS information_class) {
if (information_class != ::TokenCapabilities &&
information_class != ::TokenGroups &&
information_class != ::TokenRestrictedSids) {
- return false;
+ return absl::nullopt;
}
- std::vector<char> groups_buf;
- if (!GetVariableTokenInformation(token, information_class, &groups_buf))
- return false;
+ absl::optional<std::vector<char>> groups_buf =
+ GetVariableTokenInformation(token, information_class);
+ if (!groups_buf)
+ return absl::nullopt;
- PTOKEN_GROUPS groups = reinterpret_cast<PTOKEN_GROUPS>(groups_buf.data());
-
- if (groups->GroupCount > 0) {
- token_groups->insert(token_groups->begin(), groups->Groups,
- groups->Groups + groups->GroupCount);
+ PTOKEN_GROUPS groups = reinterpret_cast<PTOKEN_GROUPS>(groups_buf->data());
+ std::vector<SidAndAttributes> token_groups;
+ token_groups.reserve(groups->GroupCount);
+ for (DWORD index = 0; index < groups->GroupCount; ++index) {
+ token_groups.push_back(groups->Groups[index]);
}
- return true;
+ return token_groups;
}
-bool GetVariableTokenInformation(HANDLE token,
- TOKEN_INFORMATION_CLASS information_class,
- std::vector<char>* information) {
+absl::optional<std::vector<char>> GetVariableTokenInformation(
+ HANDLE token,
+ TOKEN_INFORMATION_CLASS information_class) {
DWORD return_length;
if (!::GetTokenInformation(token, information_class, nullptr, 0,
&return_length)) {
if (::GetLastError() != ERROR_INSUFFICIENT_BUFFER)
- return false;
+ return absl::nullopt;
}
- information->resize(return_length);
- return !!::GetTokenInformation(token, information_class, information->data(),
- return_length, &return_length);
+ std::vector<char> information(return_length);
+ if (!::GetTokenInformation(token, information_class, information.data(),
+ return_length, &return_length)) {
+ return absl::nullopt;
+ }
+ return information;
}
} // namespace sandbox
diff --git a/win/tests/common/test_utils.h b/win/tests/common/test_utils.h
index 2d63047..a9e62ac 100644
--- a/win/tests/common/test_utils.h
+++ b/win/tests/common/test_utils.h
@@ -10,7 +10,8 @@
#include <memory>
#include <vector>
-#include "sandbox/win/src/sid.h"
+#include "base/win/sid.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
namespace sandbox {
@@ -32,23 +33,22 @@
private:
DWORD attributes_;
- sandbox::Sid sid_;
+ base::win::Sid sid_;
};
// Get the App Container sid for a token.
-bool GetTokenAppContainerSid(HANDLE token,
- std::unique_ptr<sandbox::Sid>* app_container_sid);
+absl::optional<base::win::Sid> GetTokenAppContainerSid(HANDLE token);
// Get the a list of groups from a token. |information_class| can be one of
-// TokenGroups, TokenRestrictedSids or TokenCapabilites.
-bool GetTokenGroups(HANDLE token,
- TOKEN_INFORMATION_CLASS information_class,
- std::vector<SidAndAttributes>* groups);
+// TokenGroups, TokenRestrictedSids or TokenCapabilities.
+absl::optional<std::vector<SidAndAttributes>> GetTokenGroups(
+ HANDLE token,
+ TOKEN_INFORMATION_CLASS information_class);
// Get a variable length property from a token.
-bool GetVariableTokenInformation(HANDLE token,
- TOKEN_INFORMATION_CLASS information_class,
- std::vector<char>* information);
+absl::optional<std::vector<char>> GetVariableTokenInformation(
+ HANDLE token,
+ TOKEN_INFORMATION_CLASS information_class);
} // namespace sandbox
