// Copyright 2022 The ChromiumOS Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

//! Per-process sandbox policies.
//!
//! One [`Policy`] constant is defined per process type. Each records the
//! token, integrity, job and desktop settings the process is launched with;
//! wherever a setting is looser than the strictest available option, the
//! comment next to it names the API that needs the extra access, so that a
//! later tightening can be checked against that need.

use crate::IntegrityLevel;
use crate::JobLevel;
use crate::Semantics;
use crate::SubSystem;
use crate::TokenLevel;
use crate::JOB_OBJECT_UILIMIT_READCLIPBOARD;
use crate::JOB_OBJECT_UILIMIT_WRITECLIPBOARD;

/// Describes how a sandbox `TargetPolicy` should be built for one process.
///
/// The constants in this module fill in every field for a given process
/// type; nothing here is applied by itself, the values are consumed when the
/// `TargetPolicy` is constructed.
pub struct Policy {
    /// Token level assigned at process creation.
    pub initial_token_level: TokenLevel,
    /// Token level assigned once the sandbox locks the process down.
    pub lockdown_token_level: TokenLevel,
    /// Integrity level at launch.
    pub integrity_level: IntegrityLevel,
    /// Integrity level to drop to later (presumably once the target has
    /// finished initializing — confirm against the sandbox's `TargetPolicy`).
    pub delayed_integrity_level: IntegrityLevel,
    /// Job object restrictions applied to the process.
    pub job_level: JobLevel,
    /// `JOB_OBJECT_UILIMIT_*` bits exempted from the job's UI restrictions;
    /// `0` exempts nothing.
    pub ui_exceptions: u32,
    /// Confine the process to an alternate desktop instead of the
    /// interactive one.
    pub alternate_desktop: bool,
    /// Confine the process to an alternate window station.
    pub alternate_winstation: bool,
    /// Additional rules added to the `TargetPolicy` on top of the levels
    /// above.
    pub exceptions: Vec<Rule>,
    /// DLL names the sandbox should keep out of the process.
    pub dll_blocklist: Vec<String>,
}

/// One sandbox rule to add to the `TargetPolicy`.
pub struct Rule {
    /// Subsystem the rule applies to.
    pub subsystem: SubSystem,
    /// How a request matching `pattern` is treated.
    pub semantics: Semantics,
    /// Pattern the rule matches requests against.
    pub pattern: String,
}

/// UI limits lifted for the processes that need clipboard access.
const CLIPBOARD_UI_EXCEPTIONS: u32 =
    JOB_OBJECT_UILIMIT_READCLIPBOARD | JOB_OBJECT_UILIMIT_WRITECLIPBOARD;

/// Policy for the main emulator process.
///
/// Together with [`GPU`] this is the least isolated policy in the module: it
/// stays on the interactive desktop and window station and keeps clipboard
/// access, because it owns the window shown to the user.
pub const MAIN: Policy = Policy {
    // Both token levels and the launch integrity level are required for
    // access to the hypervisor APIs.
    initial_token_level: TokenLevel::USER_RESTRICTED_SAME_ACCESS,
    lockdown_token_level: TokenLevel::USER_RESTRICTED_NON_ADMIN,
    integrity_level: IntegrityLevel::INTEGRITY_LEVEL_MEDIUM,
    // Audio APIs stop working below LOW.
    delayed_integrity_level: IntegrityLevel::INTEGRITY_LEVEL_LOW,
    // UI APIs need the less restrictive job level.
    job_level: JobLevel::JOB_LIMITED_USER,
    ui_exceptions: CLIPBOARD_UI_EXCEPTIONS,
    // The window is displayed on the main desktop, so no alternate
    // desktop or window station.
    alternate_desktop: false,
    alternate_winstation: false,
    exceptions: Vec::new(),
    dll_blocklist: Vec::new(),
};

/// Policy for the metrics process.
pub const METRICS: Policy = Policy {
    // WinINet requires a non-admin (rather than restricted) token.
    initial_token_level: TokenLevel::USER_NON_ADMIN,
    lockdown_token_level: TokenLevel::USER_NON_ADMIN,
    integrity_level: IntegrityLevel::INTEGRITY_LEVEL_LOW,
    delayed_integrity_level: IntegrityLevel::INTEGRITY_LEVEL_LOW,
    job_level: JobLevel::JOB_LOCKDOWN,
    ui_exceptions: 0,
    alternate_desktop: true,
    alternate_winstation: true,
    exceptions: Vec::new(),
    dll_blocklist: Vec::new(),
};

/// Policy for a block device process.
pub const BLOCK: Policy = Policy {
    initial_token_level: TokenLevel::USER_RESTRICTED_NON_ADMIN,
    lockdown_token_level: TokenLevel::USER_LOCKDOWN,
    // Opening the disk file requires MEDIUM integrity; the level drops to
    // UNTRUSTED afterwards.
    integrity_level: IntegrityLevel::INTEGRITY_LEVEL_MEDIUM,
    delayed_integrity_level: IntegrityLevel::INTEGRITY_LEVEL_UNTRUSTED,
    job_level: JobLevel::JOB_LOCKDOWN,
    ui_exceptions: 0,
    alternate_desktop: true,
    alternate_winstation: true,
    exceptions: Vec::new(),
    dll_blocklist: Vec::new(),
};

/// Policy for the network process.
pub const NET: Policy = Policy {
    // An interactive initial token is needed to connect to the crash
    // handler.
    initial_token_level: TokenLevel::USER_INTERACTIVE,
    lockdown_token_level: TokenLevel::USER_LOCKDOWN,
    // Loading ntdll fails below LOW, so the process would not start at a
    // lower launch integrity level.
    integrity_level: IntegrityLevel::INTEGRITY_LEVEL_LOW,
    delayed_integrity_level: IntegrityLevel::INTEGRITY_LEVEL_UNTRUSTED,
    job_level: JobLevel::JOB_LOCKDOWN,
    ui_exceptions: 0,
    alternate_desktop: true,
    alternate_winstation: true,
    exceptions: Vec::new(),
    dll_blocklist: Vec::new(),
};

/// Policy for the slirp process.
pub const SLIRP: Policy = Policy {
    // An interactive initial token is needed to connect to the crash
    // handler.
    initial_token_level: TokenLevel::USER_INTERACTIVE,
    // winsock needs both a LIMITED lockdown token and LOW integrity.
    lockdown_token_level: TokenLevel::USER_LIMITED,
    integrity_level: IntegrityLevel::INTEGRITY_LEVEL_LOW,
    delayed_integrity_level: IntegrityLevel::INTEGRITY_LEVEL_UNTRUSTED,
    job_level: JobLevel::JOB_LOCKDOWN,
    ui_exceptions: 0,
    alternate_desktop: true,
    alternate_winstation: true,
    exceptions: Vec::new(),
    dll_blocklist: Vec::new(),
};

/// Policy for the GPU process.
///
/// Like [`MAIN`], this process stays on the interactive desktop and window
/// station with clipboard access, so it is among the least isolated
/// processes described here.
pub const GPU: Policy = Policy {
    initial_token_level: TokenLevel::USER_RESTRICTED_SAME_ACCESS,
    lockdown_token_level: TokenLevel::USER_RESTRICTED_NON_ADMIN,
    integrity_level: IntegrityLevel::INTEGRITY_LEVEL_MEDIUM,
    delayed_integrity_level: IntegrityLevel::INTEGRITY_LEVEL_LOW,
    // UI APIs need the less restrictive job level.
    job_level: JobLevel::JOB_LIMITED_USER,
    ui_exceptions: CLIPBOARD_UI_EXCEPTIONS,
    // The window is displayed on the main desktop, so no alternate
    // desktop or window station.
    alternate_desktop: false,
    alternate_winstation: false,
    exceptions: Vec::new(),
    dll_blocklist: Vec::new(),
};

/// Policy for the sound process.
pub const SND: Policy = Policy {
    // CoInitializeEx needs the initial token level ...
    initial_token_level: TokenLevel::USER_RESTRICTED_SAME_ACCESS,
    // ... and the later CoCreateInstance calls need the lockdown level.
    lockdown_token_level: TokenLevel::USER_RESTRICTED_NON_ADMIN,
    // Audio APIs stop working below LOW.
    integrity_level: IntegrityLevel::INTEGRITY_LEVEL_LOW,
    delayed_integrity_level: IntegrityLevel::INTEGRITY_LEVEL_LOW,
    job_level: JobLevel::JOB_LOCKDOWN,
    ui_exceptions: 0,
    alternate_desktop: true,
    alternate_winstation: true,
    exceptions: Vec::new(),
    dll_blocklist: Vec::new(),
};