1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_H_ 6 #define SANDBOX_WIN_SRC_SANDBOX_POLICY_H_ 7 8 #include <string> 9 10 #include "base/basictypes.h" 11 #include "base/strings/string16.h" 12 #include "sandbox/win/src/sandbox_types.h" 13 #include "sandbox/win/src/security_level.h" 14 15 namespace sandbox { 16 17 class TargetPolicy { 18 public: 19 // Windows subsystems that can have specific rules. 20 // Note: The process subsystem(SUBSY_PROCESS) does not evaluate the request 21 // exactly like the CreateProcess API does. See the comment at the top of 22 // process_thread_dispatcher.cc for more details. 23 enum SubSystem { 24 SUBSYS_FILES, // Creation and opening of files and pipes. 25 SUBSYS_NAMED_PIPES, // Creation of named pipes. 26 SUBSYS_PROCESS, // Creation of child processes. 27 SUBSYS_REGISTRY, // Creation and opening of registry keys. 28 SUBSYS_SYNC, // Creation of named sync objects. 29 SUBSYS_HANDLES // Duplication of handles to other processes. 30 }; 31 32 // Allowable semantics when a rule is matched. 33 enum Semantics { 34 FILES_ALLOW_ANY, // Allows open or create for any kind of access that 35 // the file system supports. 36 FILES_ALLOW_READONLY, // Allows open or create with read access only. 37 FILES_ALLOW_QUERY, // Allows access to query the attributes of a file. 38 FILES_ALLOW_DIR_ANY, // Allows open or create with directory semantics 39 // only. 40 HANDLES_DUP_ANY, // Allows duplicating handles opened with any 41 // access permissions. 42 HANDLES_DUP_BROKER, // Allows duplicating handles to the broker process. 43 NAMEDPIPES_ALLOW_ANY, // Allows creation of a named pipe. 44 PROCESS_MIN_EXEC, // Allows to create a process with minimal rights 45 // over the resulting process and thread handles. 46 // No other parameters besides the command line are 47 // passed to the child process. 48 PROCESS_ALL_EXEC, // Allows the creation of a process and return fill 49 // access on the returned handles. 50 // This flag can be used only when the main token of 51 // the sandboxed application is at least INTERACTIVE. 52 EVENTS_ALLOW_ANY, // Allows the creation of an event with full access. 53 EVENTS_ALLOW_READONLY, // Allows opening an even with synchronize access. 54 REG_ALLOW_READONLY, // Allows readonly access to a registry key. 55 REG_ALLOW_ANY // Allows read and write access to a registry key. 56 }; 57 58 // Increments the reference count of this object. The reference count must 59 // be incremented if this interface is given to another component. 60 virtual void AddRef() = 0; 61 62 // Decrements the reference count of this object. When the reference count 63 // is zero the object is automatically destroyed. 64 // Indicates that the caller is done with this interface. After calling 65 // release no other method should be called. 66 virtual void Release() = 0; 67 68 // Sets the security level for the target process' two tokens. 69 // This setting is permanent and cannot be changed once the target process is 70 // spawned. 71 // initial: the security level for the initial token. This is the token that 72 // is used by the process from the creation of the process until the moment 73 // the process calls TargetServices::LowerToken() or the process calls 74 // win32's ReverToSelf(). Once this happens the initial token is no longer 75 // available and the lockdown token is in effect. Using an initial token is 76 // not compatible with AppContainer, see SetAppContainer. 77 // lockdown: the security level for the token that comes into force after the 78 // process calls TargetServices::LowerToken() or the process calls 79 // ReverToSelf(). See the explanation of each level in the TokenLevel 80 // definition. 81 // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise. 82 // Returns false if the lockdown value is more permissive than the initial 83 // value. 84 // 85 // Important: most of the sandbox-provided security relies on this single 86 // setting. The caller should strive to set the lockdown level as restricted 87 // as possible. 88 virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) = 0; 89 90 // Sets the security level of the Job Object to which the target process will 91 // belong. This setting is permanent and cannot be changed once the target 92 // process is spawned. The job controls the global security settings which 93 // can not be specified in the token security profile. 94 // job_level: the security level for the job. See the explanation of each 95 // level in the JobLevel definition. 96 // ui_exceptions: specify what specific rights that are disabled in the 97 // chosen job_level that need to be granted. Use this parameter to avoid 98 // selecting the next permissive job level unless you need all the rights 99 // that are granted in such level. 100 // The exceptions can be specified as a combination of the following 101 // constants: 102 // JOB_OBJECT_UILIMIT_HANDLES : grant access to all user-mode handles. These 103 // include windows, icons, menus and various GDI objects. In addition the 104 // target process can set hooks, and broadcast messages to other processes 105 // that belong to the same desktop. 106 // JOB_OBJECT_UILIMIT_READCLIPBOARD : grant read-only access to the clipboard. 107 // JOB_OBJECT_UILIMIT_WRITECLIPBOARD : grant write access to the clipboard. 108 // JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS : allow changes to the system-wide 109 // parameters as defined by the Win32 call SystemParametersInfo(). 110 // JOB_OBJECT_UILIMIT_DISPLAYSETTINGS : allow programmatic changes to the 111 // display settings. 112 // JOB_OBJECT_UILIMIT_GLOBALATOMS : allow access to the global atoms table. 113 // JOB_OBJECT_UILIMIT_DESKTOP : allow the creation of new desktops. 114 // JOB_OBJECT_UILIMIT_EXITWINDOWS : allow the call to ExitWindows(). 115 // 116 // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise. 117 // 118 // Note: JOB_OBJECT_XXXX constants are defined in winnt.h and documented at 119 // length in: 120 // http://msdn2.microsoft.com/en-us/library/ms684152.aspx 121 // 122 // Note: the recommended level is JOB_RESTRICTED or JOB_LOCKDOWN. 123 virtual ResultCode SetJobLevel(JobLevel job_level, uint32 ui_exceptions) = 0; 124 125 // Specifies the desktop on which the application is going to run. If the 126 // desktop does not exist, it will be created. If alternate_winstation is 127 // set to true, the desktop will be created on an alternate window station. 128 virtual ResultCode SetAlternateDesktop(bool alternate_winstation) = 0; 129 130 // Returns the name of the alternate desktop used. If an alternate window 131 // station is specified, the name is prepended by the window station name, 132 // followed by a backslash. 133 virtual base::string16 GetAlternateDesktop() const = 0; 134 135 // Precreates the desktop and window station, if any. 136 virtual ResultCode CreateAlternateDesktop(bool alternate_winstation) = 0; 137 138 // Destroys the desktop and windows station. 139 virtual void DestroyAlternateDesktop() = 0; 140 141 // Sets the integrity level of the process in the sandbox. Both the initial 142 // token and the main token will be affected by this. If the integrity level 143 // is set to a level higher than the current level, the sandbox will fail 144 // to start. 145 virtual ResultCode SetIntegrityLevel(IntegrityLevel level) = 0; 146 147 // Sets the integrity level of the process in the sandbox. The integrity level 148 // will not take effect before you call LowerToken. User Interface Privilege 149 // Isolation is not affected by this setting and will remain off for the 150 // process in the sandbox. If the integrity level is set to a level higher 151 // than the current level, the sandbox will fail to start. 152 virtual ResultCode SetDelayedIntegrityLevel(IntegrityLevel level) = 0; 153 154 // Sets the AppContainer to be used for the sandboxed process. Any capability 155 // to be enabled for the process should be added before this method is invoked 156 // (by calling SetCapability() as many times as needed). 157 // The desired AppContainer must be already installed on the system, otherwise 158 // launching the sandboxed process will fail. See BrokerServices for details 159 // about installing an AppContainer. 160 // Note that currently Windows restricts the use of impersonation within 161 // AppContainers, so this function is incompatible with the use of an initial 162 // token. 163 virtual ResultCode SetAppContainer(const wchar_t* sid) = 0; 164 165 // Sets a capability to be enabled for the sandboxed process' AppContainer. 166 virtual ResultCode SetCapability(const wchar_t* sid) = 0; 167 168 // Sets the mitigations enabled when the process is created. Most of these 169 // are implemented as attributes passed via STARTUPINFOEX. So they take 170 // effect before any thread in the target executes. The declaration of 171 // MitigationFlags is followed by a detailed description of each flag. 172 virtual ResultCode SetProcessMitigations(MitigationFlags flags) = 0; 173 174 // Returns the currently set mitigation flags. 175 virtual MitigationFlags GetProcessMitigations() = 0; 176 177 // Sets process mitigation flags that don't take effect before the call to 178 // LowerToken(). 179 virtual ResultCode SetDelayedProcessMitigations(MitigationFlags flags) = 0; 180 181 // Returns the currently set delayed mitigation flags. 182 virtual MitigationFlags GetDelayedProcessMitigations() = 0; 183 184 // Sets the interceptions to operate in strict mode. By default, interceptions 185 // are performed in "relaxed" mode, where if something inside NTDLL.DLL is 186 // already patched we attempt to intercept it anyway. Setting interceptions 187 // to strict mode means that when we detect that the function is patched we'll 188 // refuse to perform the interception. 189 virtual void SetStrictInterceptions() = 0; 190 191 // Set the handles the target process should inherit for stdout and 192 // stderr. The handles the caller passes must remain valid for the 193 // lifetime of the policy object. This only has an effect on 194 // Windows Vista and later versions. These methods accept pipe and 195 // file handles, but not console handles. 196 virtual ResultCode SetStdoutHandle(HANDLE handle) = 0; 197 virtual ResultCode SetStderrHandle(HANDLE handle) = 0; 198 199 // Adds a policy rule effective for processes spawned using this policy. 200 // subsystem: One of the above enumerated windows subsystems. 201 // semantics: One of the above enumerated FileSemantics. 202 // pattern: A specific full path or a full path with wildcard patterns. 203 // The valid wildcards are: 204 // '*' : Matches zero or more character. Only one in series allowed. 205 // '?' : Matches a single character. One or more in series are allowed. 206 // Examples: 207 // "c:\\documents and settings\\vince\\*.dmp" 208 // "c:\\documents and settings\\*\\crashdumps\\*.dmp" 209 // "c:\\temp\\app_log_?????_chrome.txt" 210 virtual ResultCode AddRule(SubSystem subsystem, Semantics semantics, 211 const wchar_t* pattern) = 0; 212 213 // Adds a dll that will be unloaded in the target process before it gets 214 // a chance to initialize itself. Typically, dlls that cause the target 215 // to crash go here. 216 virtual ResultCode AddDllToUnload(const wchar_t* dll_name) = 0; 217 218 // Adds a handle that will be closed in the target process after lockdown. 219 // A NULL value for handle_name indicates all handles of the specified type. 220 // An empty string for handle_name indicates the handle is unnamed. 221 virtual ResultCode AddKernelObjectToClose(const wchar_t* handle_type, 222 const wchar_t* handle_name) = 0; 223 }; 224 225 } // namespace sandbox 226 227 228 #endif // SANDBOX_WIN_SRC_SANDBOX_POLICY_H_ 229