1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__ 6 #define SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__ 7 8 #include <accctrl.h> 9 #include <windows.h> 10 11 #include "sandbox/win/src/restricted_token.h" 12 #include "sandbox/win/src/security_level.h" 13 14 // Contains the utility functions to be able to create restricted tokens based 15 // on a security profiles. 16 17 namespace sandbox { 18 19 // The type of the token returned by the CreateNakedToken. 20 enum TokenType { 21 IMPERSONATION = 0, 22 PRIMARY 23 }; 24 25 // Creates a restricted token based on the effective token of the current 26 // process. The parameter security_level determines how much the token is 27 // restricted. The token_type determines if the token will be used as a primary 28 // token or impersonation token. The integrity level of the token is set to 29 // |integrity level| on Vista only. 30 // token_handle is the output value containing the handle of the 31 // newly created restricted token. 32 // If the function succeeds, the return value is ERROR_SUCCESS. If the 33 // function fails, the return value is the win32 error code corresponding to 34 // the error. 35 DWORD CreateRestrictedToken(HANDLE *token_handle, 36 TokenLevel security_level, 37 IntegrityLevel integrity_level, 38 TokenType token_type); 39 40 // Starts the process described by the input parameter command_line in a job 41 // with a restricted token. Also set the main thread of this newly created 42 // process to impersonate a user with more rights so it can initialize 43 // correctly. 44 // 45 // Parameters: primary_level is the security level of the primary token. 46 // impersonation_level is the security level of the impersonation token used 47 // to initialize the process. job_level is the security level of the job 48 // object used to encapsulate the process. 49 // 50 // The output parameter job_handle is the handle to the job object. It has 51 // to be closed with CloseHandle() when not needed. Closing this handle will 52 // kill the process started. 53 // 54 // Note: The process started with this function has to call RevertToSelf() as 55 // soon as possible to stop using the impersonation token and start being 56 // secure. 57 // 58 // Note: The Unicode version of this function will fail if the command_line 59 // parameter is a const string. 60 DWORD StartRestrictedProcessInJob(wchar_t *command_line, 61 TokenLevel primary_level, 62 TokenLevel impersonation_level, 63 JobLevel job_level, 64 HANDLE *job_handle); 65 66 // Sets the integrity label on a object handle. 67 DWORD SetObjectIntegrityLabel(HANDLE handle, SE_OBJECT_TYPE type, 68 const wchar_t* ace_access, 69 const wchar_t* integrity_level_sid); 70 71 // Sets the integrity level on a token. This is only valid on Vista. It returns 72 // without failing on XP. If the integrity level that you specify is greater 73 // than the current integrity level, the function will fail. 74 DWORD SetTokenIntegrityLevel(HANDLE token, IntegrityLevel integrity_level); 75 76 // Returns the integrity level SDDL string associated with a given 77 // IntegrityLevel value. 78 const wchar_t* GetIntegrityLevelString(IntegrityLevel integrity_level); 79 80 // Sets the integrity level on the current process on Vista. It returns without 81 // failing on XP. If the integrity level that you specify is greater than the 82 // current integrity level, the function will fail. 83 DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level); 84 85 } // namespace sandbox 86 87 #endif // SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__ 88