• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
6 #define SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
7 
8 #include <stddef.h>
9 #include <stdint.h>
10 
11 #include <string>
12 
13 #include "base/strings/string16.h"
14 #include "sandbox/win/src/sandbox_types.h"
15 #include "sandbox/win/src/security_level.h"
16 
17 namespace sandbox {
18 
19 class TargetPolicy {
20  public:
21   // Windows subsystems that can have specific rules.
22   // Note: The process subsystem(SUBSY_PROCESS) does not evaluate the request
23   // exactly like the CreateProcess API does. See the comment at the top of
24   // process_thread_dispatcher.cc for more details.
25   enum SubSystem {
26     SUBSYS_FILES,             // Creation and opening of files and pipes.
27     SUBSYS_NAMED_PIPES,       // Creation of named pipes.
28     SUBSYS_PROCESS,           // Creation of child processes.
29     SUBSYS_REGISTRY,          // Creation and opening of registry keys.
30     SUBSYS_SYNC,              // Creation of named sync objects.
31     SUBSYS_HANDLES,           // Duplication of handles to other processes.
32     SUBSYS_WIN32K_LOCKDOWN    // Win32K Lockdown related policy.
33   };
34 
35   // Allowable semantics when a rule is matched.
36   enum Semantics {
37     FILES_ALLOW_ANY,       // Allows open or create for any kind of access that
38                            // the file system supports.
39     FILES_ALLOW_READONLY,  // Allows open or create with read access only.
40     FILES_ALLOW_QUERY,     // Allows access to query the attributes of a file.
41     FILES_ALLOW_DIR_ANY,   // Allows open or create with directory semantics
42                            // only.
43     HANDLES_DUP_ANY,       // Allows duplicating handles opened with any
44                            // access permissions.
45     HANDLES_DUP_BROKER,    // Allows duplicating handles to the broker process.
46     NAMEDPIPES_ALLOW_ANY,  // Allows creation of a named pipe.
47     PROCESS_MIN_EXEC,      // Allows to create a process with minimal rights
48                            // over the resulting process and thread handles.
49                            // No other parameters besides the command line are
50                            // passed to the child process.
51     PROCESS_ALL_EXEC,      // Allows the creation of a process and return fill
52                            // access on the returned handles.
53                            // This flag can be used only when the main token of
54                            // the sandboxed application is at least INTERACTIVE.
55     EVENTS_ALLOW_ANY,      // Allows the creation of an event with full access.
56     EVENTS_ALLOW_READONLY, // Allows opening an even with synchronize access.
57     REG_ALLOW_READONLY,    // Allows readonly access to a registry key.
58     REG_ALLOW_ANY,         // Allows read and write access to a registry key.
59     FAKE_USER_GDI_INIT     // Fakes user32 and gdi32 initialization. This can
60                            // be used to allow the DLLs to load and initialize
61                            // even if the process cannot access that subsystem.
62   };
63 
64   // Increments the reference count of this object. The reference count must
65   // be incremented if this interface is given to another component.
66   virtual void AddRef() = 0;
67 
68   // Decrements the reference count of this object. When the reference count
69   // is zero the object is automatically destroyed.
70   // Indicates that the caller is done with this interface. After calling
71   // release no other method should be called.
72   virtual void Release() = 0;
73 
74   // Sets the security level for the target process' two tokens.
75   // This setting is permanent and cannot be changed once the target process is
76   // spawned.
77   // initial: the security level for the initial token. This is the token that
78   //   is used by the process from the creation of the process until the moment
79   //   the process calls TargetServices::LowerToken() or the process calls
80   //   win32's RevertToSelf(). Once this happens the initial token is no longer
81   //   available and the lockdown token is in effect. Using an initial token is
82   //   not compatible with AppContainer, see SetAppContainer.
83   // lockdown: the security level for the token that comes into force after the
84   //   process calls TargetServices::LowerToken() or the process calls
85   //   RevertToSelf(). See the explanation of each level in the TokenLevel
86   //   definition.
87   // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise.
88   //   Returns false if the lockdown value is more permissive than the initial
89   //   value.
90   //
91   // Important: most of the sandbox-provided security relies on this single
92   // setting. The caller should strive to set the lockdown level as restricted
93   // as possible.
94   virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) = 0;
95 
96   // Returns the initial token level.
97   virtual TokenLevel GetInitialTokenLevel() const = 0;
98 
99   // Returns the lockdown token level.
100   virtual TokenLevel GetLockdownTokenLevel() const = 0;
101 
102   // Sets the security level of the Job Object to which the target process will
103   // belong. This setting is permanent and cannot be changed once the target
104   // process is spawned. The job controls the global security settings which
105   // can not be specified in the token security profile.
106   // job_level: the security level for the job. See the explanation of each
107   //   level in the JobLevel definition.
108   // ui_exceptions: specify what specific rights that are disabled in the
109   //   chosen job_level that need to be granted. Use this parameter to avoid
110   //   selecting the next permissive job level unless you need all the rights
111   //   that are granted in such level.
112   //   The exceptions can be specified as a combination of the following
113   //   constants:
114   // JOB_OBJECT_UILIMIT_HANDLES : grant access to all user-mode handles. These
115   //   include windows, icons, menus and various GDI objects. In addition the
116   //   target process can set hooks, and broadcast messages to other processes
117   //   that belong to the same desktop.
118   // JOB_OBJECT_UILIMIT_READCLIPBOARD : grant read-only access to the clipboard.
119   // JOB_OBJECT_UILIMIT_WRITECLIPBOARD : grant write access to the clipboard.
120   // JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS : allow changes to the system-wide
121   //   parameters as defined by the Win32 call SystemParametersInfo().
122   // JOB_OBJECT_UILIMIT_DISPLAYSETTINGS : allow programmatic changes to the
123   //  display settings.
124   // JOB_OBJECT_UILIMIT_GLOBALATOMS : allow access to the global atoms table.
125   // JOB_OBJECT_UILIMIT_DESKTOP : allow the creation of new desktops.
126   // JOB_OBJECT_UILIMIT_EXITWINDOWS : allow the call to ExitWindows().
127   //
128   // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise.
129   //
130   // Note: JOB_OBJECT_XXXX constants are defined in winnt.h and documented at
131   // length in:
132   //   http://msdn2.microsoft.com/en-us/library/ms684152.aspx
133   //
134   // Note: the recommended level is JOB_RESTRICTED or JOB_LOCKDOWN.
135   virtual ResultCode SetJobLevel(JobLevel job_level,
136                                  uint32_t ui_exceptions) = 0;
137 
138   // Sets a hard limit on the size of the commit set for the sandboxed process.
139   // If the limit is reached, the process will be terminated with
140   // SBOX_FATAL_MEMORY_EXCEEDED (7012).
141   virtual ResultCode SetJobMemoryLimit(size_t memory_limit) = 0;
142 
143   // Specifies the desktop on which the application is going to run. If the
144   // desktop does not exist, it will be created. If alternate_winstation is
145   // set to true, the desktop will be created on an alternate window station.
146   virtual ResultCode SetAlternateDesktop(bool alternate_winstation) = 0;
147 
148   // Returns the name of the alternate desktop used. If an alternate window
149   // station is specified, the name is prepended by the window station name,
150   // followed by a backslash.
151   virtual base::string16 GetAlternateDesktop() const = 0;
152 
153   // Precreates the desktop and window station, if any.
154   virtual ResultCode CreateAlternateDesktop(bool alternate_winstation) = 0;
155 
156   // Destroys the desktop and windows station.
157   virtual void DestroyAlternateDesktop() = 0;
158 
159   // Sets the integrity level of the process in the sandbox. Both the initial
160   // token and the main token will be affected by this. If the integrity level
161   // is set to a level higher than the current level, the sandbox will fail
162   // to start.
163   virtual ResultCode SetIntegrityLevel(IntegrityLevel level) = 0;
164 
165   // Returns the initial integrity level used.
166   virtual IntegrityLevel GetIntegrityLevel() const = 0;
167 
168   // Sets the integrity level of the process in the sandbox. The integrity level
169   // will not take effect before you call LowerToken. User Interface Privilege
170   // Isolation is not affected by this setting and will remain off for the
171   // process in the sandbox. If the integrity level is set to a level higher
172   // than the current level, the sandbox will fail to start.
173   virtual ResultCode SetDelayedIntegrityLevel(IntegrityLevel level) = 0;
174 
175   // Sets the AppContainer to be used for the sandboxed process. Any capability
176   // to be enabled for the process should be added before this method is invoked
177   // (by calling SetCapability() as many times as needed).
178   // The desired AppContainer must be already installed on the system, otherwise
179   // launching the sandboxed process will fail. See BrokerServices for details
180   // about installing an AppContainer.
181   // Note that currently Windows restricts the use of impersonation within
182   // AppContainers, so this function is incompatible with the use of an initial
183   // token.
184   virtual ResultCode SetAppContainer(const wchar_t* sid) = 0;
185 
186   // Sets a capability to be enabled for the sandboxed process' AppContainer.
187   virtual ResultCode SetCapability(const wchar_t* sid) = 0;
188 
189   // Sets the LowBox token for sandboxed process. This is mutually exclusive
190   // with SetAppContainer method.
191   virtual ResultCode SetLowBox(const wchar_t* sid) = 0;
192 
193   // Sets the mitigations enabled when the process is created. Most of these
194   // are implemented as attributes passed via STARTUPINFOEX. So they take
195   // effect before any thread in the target executes. The declaration of
196   // MitigationFlags is followed by a detailed description of each flag.
197   virtual ResultCode SetProcessMitigations(MitigationFlags flags) = 0;
198 
199   // Returns the currently set mitigation flags.
200   virtual MitigationFlags GetProcessMitigations() = 0;
201 
202   // Sets process mitigation flags that don't take effect before the call to
203   // LowerToken().
204   virtual ResultCode SetDelayedProcessMitigations(MitigationFlags flags) = 0;
205 
206   // Returns the currently set delayed mitigation flags.
207   virtual MitigationFlags GetDelayedProcessMitigations() const = 0;
208 
209   // Sets the interceptions to operate in strict mode. By default, interceptions
210   // are performed in "relaxed" mode, where if something inside NTDLL.DLL is
211   // already patched we attempt to intercept it anyway. Setting interceptions
212   // to strict mode means that when we detect that the function is patched we'll
213   // refuse to perform the interception.
214   virtual void SetStrictInterceptions() = 0;
215 
216   // Set the handles the target process should inherit for stdout and
217   // stderr.  The handles the caller passes must remain valid for the
218   // lifetime of the policy object.  This only has an effect on
219   // Windows Vista and later versions.  These methods accept pipe and
220   // file handles, but not console handles.
221   virtual ResultCode SetStdoutHandle(HANDLE handle) = 0;
222   virtual ResultCode SetStderrHandle(HANDLE handle) = 0;
223 
224   // Adds a policy rule effective for processes spawned using this policy.
225   // subsystem: One of the above enumerated windows subsystems.
226   // semantics: One of the above enumerated FileSemantics.
227   // pattern: A specific full path or a full path with wildcard patterns.
228   //   The valid wildcards are:
229   //   '*' : Matches zero or more character. Only one in series allowed.
230   //   '?' : Matches a single character. One or more in series are allowed.
231   // Examples:
232   //   "c:\\documents and settings\\vince\\*.dmp"
233   //   "c:\\documents and settings\\*\\crashdumps\\*.dmp"
234   //   "c:\\temp\\app_log_?????_chrome.txt"
235   virtual ResultCode AddRule(SubSystem subsystem, Semantics semantics,
236                              const wchar_t* pattern) = 0;
237 
238   // Adds a dll that will be unloaded in the target process before it gets
239   // a chance to initialize itself. Typically, dlls that cause the target
240   // to crash go here.
241   virtual ResultCode AddDllToUnload(const wchar_t* dll_name) = 0;
242 
243   // Adds a handle that will be closed in the target process after lockdown.
244   // A NULL value for handle_name indicates all handles of the specified type.
245   // An empty string for handle_name indicates the handle is unnamed.
246   virtual ResultCode AddKernelObjectToClose(const wchar_t* handle_type,
247                                             const wchar_t* handle_name) = 0;
248 
249   // Adds a handle that will be shared with the target process.
250   // Returns the handle which was actually shared with the target. This is
251   // achieved by duplicating the handle to ensure that it is inheritable by
252   // the target. The caller should treat this as an opaque value.
253   virtual void* AddHandleToShare(HANDLE handle) = 0;
254 };
255 
256 }  // namespace sandbox
257 
258 
259 #endif  // SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
260