1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/win/src/restricted_token_utils.h"
6 #include "sandbox/win/tools/finder/finder.h"
7
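// True when argv[i] exists and equals |y|, compared case-insensitively with
// _wcsicmp. Expands in place, so the caller must have argc, argv and an index
// i in scope. The index is bounds-checked before argv[i] is read, and the
// whole expansion is parenthesized so it stays a single operand when it is
// negated or combined with other conditions.
#define PARAM_IS(y) ((argc > i) && (_wcsicmp(argv[i], (y)) == 0))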
9
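// Prints the command-line help to stdout.
// |application_name| is the executable name shown in the usage and sample
// lines.
void PrintUsage(wchar_t *application_name) {
  wprintf(L"\n\nUsage: \n %ls --token type --object ob1 [ob2 ob3] "
          L"--access ac1 [ac2 ac3] [--log filename]", application_name);
  // Keep this list in step with the --token values that wmain accepts;
  // USER_RESTRICTED_SAME_ACCESS was parsed there but missing from the help.
  wprintf(L"\n\n Token Types : \n\tLOCKDOWN \n\tRESTRICTED "
          L"\n\tLIMITED_USER \n\tINTERACTIVE_USER \n\tNON_ADMIN "
          L"\n\tUSER_RESTRICTED_SAME_ACCESS \n\tUNPROTECTED");
  wprintf(L"\n Object Types: \n\tREG \n\tFILE \n\tKERNEL");
  wprintf(L"\n Access Types: \n\tR \n\tW \n\tALL");
  wprintf(L"\n\nSample: \n %ls --token LOCKDOWN --object REG FILE KERNEL "
          L"--access R W ALL", application_name);
}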
20
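// Entry point of the finder tool. Parses --token, --object, --access and the
// optional --log from the command line, then passes them to Finder::Init and
// runs Finder::Scan, writing to the log file or to stdout.
//
// Returns 0 after the scan has run and -1 on any command-line or log-file
// error. When --token is omitted, the token level stays sandbox::USER_LOCKDOWN.
int wmain(int argc, wchar_t* argv[]) {
  // Extract the filename from the path.
  wchar_t *app_name = wcsrchr(argv[0], L'\\');
  if (!app_name) {
    app_name = argv[0];
  } else {
    app_name++;
  }

  // Parameters to read.
  ATL::CString log_file;
  sandbox::TokenLevel token_type = sandbox::USER_LOCKDOWN;
  DWORD object_type = 0;
  DWORD access_type = 0;

  // No arguments.
  if (argc == 1) {
    PrintUsage(app_name);
    return -1;
  }

  // Parse the command line. PARAM_IS checks that argv[i] exists before
  // comparing it, so the look-ahead loops below cannot read past argv.
  for (int i = 1; i < argc; ++i) {
    if (PARAM_IS(L"--token")) {
      i++;
      if (argc <= i) {
        // A trailing "--token" used to be ignored, which silently ran the
        // scan with the default level. Reject it, as "--log" already does.
        wprintf(L"\nAbort. No token type specified");
        PrintUsage(app_name);
        return -1;
      }
      if (PARAM_IS(L"LOCKDOWN")) {
        token_type = sandbox::USER_LOCKDOWN;
      } else if (PARAM_IS(L"RESTRICTED")) {
        token_type = sandbox::USER_RESTRICTED;
      } else if (PARAM_IS(L"LIMITED_USER")) {
        token_type = sandbox::USER_LIMITED;
      } else if (PARAM_IS(L"INTERACTIVE_USER")) {
        token_type = sandbox::USER_INTERACTIVE;
      } else if (PARAM_IS(L"NON_ADMIN")) {
        token_type = sandbox::USER_NON_ADMIN;
      } else if (PARAM_IS(L"USER_RESTRICTED_SAME_ACCESS")) {
        token_type = sandbox::USER_RESTRICTED_SAME_ACCESS;
      } else if (PARAM_IS(L"UNPROTECTED")) {
        token_type = sandbox::USER_UNPROTECTED;
      } else {
        wprintf(L"\nAbord. Invalid token type \"%ls\"", argv[i]);
        PrintUsage(app_name);
        return -1;
      }
    } else if (PARAM_IS(L"--object")) {
      // Consume every following object keyword. The loop stops on the first
      // argument that is not one, and i is stepped back so the outer loop
      // sees that argument again.
      bool is_object = true;
      do {
        i++;
        if (PARAM_IS(L"REG")) {
          object_type |= kScanRegistry;
        } else if (PARAM_IS(L"FILE")) {
          object_type |= kScanFileSystem;
        } else if (PARAM_IS(L"KERNEL")) {
          object_type |= kScanKernelObjects;
        } else {
          is_object = false;
        }
      } while (is_object);
      i--;
    } else if (PARAM_IS(L"--access")) {
      // Same look-ahead scheme as --object, for the access keywords.
      bool is_access = true;
      do {
        i++;
        if (PARAM_IS(L"R")) {
          access_type |= kTestForRead;
        } else if (PARAM_IS(L"W")) {
          access_type |= kTestForWrite;
        } else if (PARAM_IS(L"ALL")) {
          access_type |= kTestForAll;
        } else {
          is_access = false;
        }
      } while (is_access);
      i--;
    } else if (PARAM_IS(L"--log")) {
      i++;
      if (argc > i) {
        log_file = argv[i];
      } else {
        wprintf(L"\nAbord. No log file specified");
        PrintUsage(app_name);
        return -1;
      }
    } else {
      wprintf(L"\nAbord. Unrecognized parameter \"%ls\"", argv[i]);
      PrintUsage(app_name);
      return -1;
    }
  }

  // Validate parameters.
  if (0 == access_type) {
    wprintf(L"\nAbord, Access type not specified");
    PrintUsage(app_name);
    return -1;
  }

  if (0 == object_type) {
    wprintf(L"\nAbord, Object type not specified");
    PrintUsage(app_name);
    return -1;
  }

  // Open the log file. Mode "w" truncates an existing file at that path.
  FILE *file_output = nullptr;
  const bool log_to_file = log_file.GetLength() != 0;
  if (log_to_file) {
    errno_t err = _wfopen_s(&file_output, log_file, L"w");
    if (err) {
      // GetString() gives read-only access; GetBuffer() would need a matching
      // ReleaseBuffer().
      wprintf(L"\nAbord, Cannot open file \"%ls\"", log_file.GetString());
      return -1;
    }
  } else {
    file_output = stdout;
  }

  Finder finder_obj;
  // NOTE(review): the results of Init() and Scan() are not checked here. If
  // they report failure, an empty report would look the same as "nothing
  // accessible" -- confirm against finder.h and propagate the error.
  finder_obj.Init(token_type, object_type, access_type, file_output);
  finder_obj.Scan();

  // Close only the stream opened here; stdout is left to the runtime.
  if (log_to_file) {
    fclose(file_output);
  }

  return 0;
}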
148