1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/win/src/acl.h"
6
7 #include <aclapi.h>
8 #include <sddl.h>
9
10 #include "base/logging.h"
11
12 namespace sandbox {
13
GetDefaultDacl(HANDLE token,scoped_ptr_malloc<TOKEN_DEFAULT_DACL> * default_dacl)14 bool GetDefaultDacl(HANDLE token,
15 scoped_ptr_malloc<TOKEN_DEFAULT_DACL>* default_dacl) {
16 if (token == NULL)
17 return false;
18
19 DCHECK(default_dacl != NULL);
20
21 unsigned long length = 0;
22 ::GetTokenInformation(token, TokenDefaultDacl, NULL, 0, &length);
23 if (length == 0) {
24 NOTREACHED();
25 return false;
26 }
27
28 TOKEN_DEFAULT_DACL* acl =
29 reinterpret_cast<TOKEN_DEFAULT_DACL*>(malloc(length));
30 default_dacl->reset(acl);
31
32 if (!::GetTokenInformation(token, TokenDefaultDacl, default_dacl->get(),
33 length, &length))
34 return false;
35
36 return true;
37 }
38
AddSidToDacl(const Sid & sid,ACL * old_dacl,ACCESS_MODE access_mode,ACCESS_MASK access,ACL ** new_dacl)39 bool AddSidToDacl(const Sid& sid, ACL* old_dacl, ACCESS_MODE access_mode,
40 ACCESS_MASK access, ACL** new_dacl) {
41 EXPLICIT_ACCESS new_access = {0};
42 new_access.grfAccessMode = access_mode;
43 new_access.grfAccessPermissions = access;
44 new_access.grfInheritance = NO_INHERITANCE;
45
46 new_access.Trustee.pMultipleTrustee = NULL;
47 new_access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
48 new_access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
49 new_access.Trustee.ptstrName = reinterpret_cast<LPWSTR>(
50 const_cast<SID*>(sid.GetPSID()));
51
52 if (ERROR_SUCCESS != ::SetEntriesInAcl(1, &new_access, old_dacl, new_dacl))
53 return false;
54
55 return true;
56 }
57
AddSidToDefaultDacl(HANDLE token,const Sid & sid,ACCESS_MASK access)58 bool AddSidToDefaultDacl(HANDLE token, const Sid& sid, ACCESS_MASK access) {
59 if (token == NULL)
60 return false;
61
62 scoped_ptr_malloc<TOKEN_DEFAULT_DACL> default_dacl;
63 if (!GetDefaultDacl(token, &default_dacl))
64 return false;
65
66 ACL* new_dacl = NULL;
67 if (!AddSidToDacl(sid, default_dacl->DefaultDacl, GRANT_ACCESS, access,
68 &new_dacl))
69 return false;
70
71 TOKEN_DEFAULT_DACL new_token_dacl = {0};
72 new_token_dacl.DefaultDacl = new_dacl;
73
74 BOOL ret = ::SetTokenInformation(token, TokenDefaultDacl, &new_token_dacl,
75 sizeof(new_token_dacl));
76 ::LocalFree(new_dacl);
77 return (TRUE == ret);
78 }
79
AddUserSidToDefaultDacl(HANDLE token,ACCESS_MASK access)80 bool AddUserSidToDefaultDacl(HANDLE token, ACCESS_MASK access) {
81 DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE;
82 TOKEN_USER* token_user = reinterpret_cast<TOKEN_USER*>(malloc(size));
83
84 scoped_ptr_malloc<TOKEN_USER> token_user_ptr(token_user);
85
86 if (!::GetTokenInformation(token, TokenUser, token_user, size, &size))
87 return false;
88
89 return AddSidToDefaultDacl(token,
90 reinterpret_cast<SID*>(token_user->User.Sid),
91 access);
92 }
93
AddKnownSidToObject(HANDLE object,SE_OBJECT_TYPE object_type,const Sid & sid,ACCESS_MODE access_mode,ACCESS_MASK access)94 bool AddKnownSidToObject(HANDLE object, SE_OBJECT_TYPE object_type,
95 const Sid& sid, ACCESS_MODE access_mode,
96 ACCESS_MASK access) {
97 PSECURITY_DESCRIPTOR descriptor = NULL;
98 PACL old_dacl = NULL;
99 PACL new_dacl = NULL;
100
101 if (ERROR_SUCCESS != ::GetSecurityInfo(object, object_type,
102 DACL_SECURITY_INFORMATION, NULL, NULL,
103 &old_dacl, NULL, &descriptor))
104 return false;
105
106 if (!AddSidToDacl(sid.GetPSID(), old_dacl, access_mode, access, &new_dacl)) {
107 ::LocalFree(descriptor);
108 return false;
109 }
110
111 DWORD result = ::SetSecurityInfo(object, object_type,
112 DACL_SECURITY_INFORMATION, NULL, NULL,
113 new_dacl, NULL);
114
115 ::LocalFree(new_dacl);
116 ::LocalFree(descriptor);
117
118 if (ERROR_SUCCESS != result)
119 return false;
120
121 return true;
122 }
123
124 } // namespace sandbox
125