1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef SANDBOX_SRC_SECURITY_LEVEL_H_ 6 #define SANDBOX_SRC_SECURITY_LEVEL_H_ 7 8 #include <stdint.h> 9 10 namespace sandbox { 11 12 // List of all the integrity levels supported in the sandbox. This is used 13 // only on Windows Vista. You can't set the integrity level of the process 14 // in the sandbox to a level higher than yours. 15 enum IntegrityLevel { 16 INTEGRITY_LEVEL_SYSTEM, 17 INTEGRITY_LEVEL_HIGH, 18 INTEGRITY_LEVEL_MEDIUM, 19 INTEGRITY_LEVEL_MEDIUM_LOW, 20 INTEGRITY_LEVEL_LOW, 21 INTEGRITY_LEVEL_BELOW_LOW, 22 INTEGRITY_LEVEL_UNTRUSTED, 23 INTEGRITY_LEVEL_LAST 24 }; 25 26 // The Token level specifies a set of security profiles designed to 27 // provide the bulk of the security of sandbox. 28 // 29 // TokenLevel |Restricting |Deny Only |Privileges| 30 // |Sids |Sids | | 31 // ----------------------------|--------------|----------------|----------| 32 // USER_LOCKDOWN | Null Sid | All | None | 33 // ----------------------------|--------------|----------------|----------| 34 // USER_RESTRICTED | RESTRICTED | All | Traverse | 35 // ----------------------------|--------------|----------------|----------| 36 // USER_LIMITED | Users | All except: | Traverse | 37 // | Everyone | Users | | 38 // | RESTRICTED | Everyone | | 39 // | | Interactive | | 40 // ----------------------------|--------------|----------------|----------| 41 // USER_INTERACTIVE | Users | All except: | Traverse | 42 // | Everyone | Users | | 43 // | RESTRICTED | Everyone | | 44 // | Owner | Interactive | | 45 // | | Local | | 46 // | | Authent-users | | 47 // | | User | | 48 // ----------------------------|--------------|----------------|----------| 49 // USER_NON_ADMIN | None | All except: | Traverse | 50 // | | Users | | 51 // | | Everyone | | 52 // | | Interactive | | 53 // | | Local | | 54 // | | Authent-users | | 55 // | | User | | 56 // ----------------------------|--------------|----------------|----------| 57 // USER_RESTRICTED_SAME_ACCESS | All | None | All | 58 // ----------------------------|--------------|----------------|----------| 59 // USER_UNPROTECTED | None | None | All | 60 // ----------------------------|--------------|----------------|----------| 61 // 62 // The above restrictions are actually a transformation that is applied to 63 // the existing broker process token. The resulting token that will be 64 // applied to the target process depends both on the token level selected 65 // and on the broker token itself. 66 // 67 // The LOCKDOWN and RESTRICTED are designed to allow access to almost 68 // nothing that has security associated with and they are the recommended 69 // levels to run sandboxed code specially if there is a chance that the 70 // broker is process might be started by a user that belongs to the Admins 71 // or power users groups. 72 enum TokenLevel { 73 USER_LOCKDOWN = 0, 74 USER_RESTRICTED, 75 USER_LIMITED, 76 USER_INTERACTIVE, 77 USER_NON_ADMIN, 78 USER_RESTRICTED_SAME_ACCESS, 79 USER_UNPROTECTED, 80 USER_LAST 81 }; 82 83 // The Job level specifies a set of decreasing security profiles for the 84 // Job object that the target process will be placed into. 85 // This table summarizes the security associated with each level: 86 // 87 // JobLevel |General |Quota | 88 // |restrictions |restrictions | 89 // -----------------|---------------------------------- |--------------------| 90 // JOB_NONE | No job is assigned to the | None | 91 // | sandboxed process. | | 92 // -----------------|---------------------------------- |--------------------| 93 // JOB_UNPROTECTED | None | *Kill on Job close.| 94 // -----------------|---------------------------------- |--------------------| 95 // JOB_INTERACTIVE | *Forbid system-wide changes using | | 96 // | SystemParametersInfo(). | *Kill on Job close.| 97 // | *Forbid the creation/switch of | | 98 // | Desktops. | | 99 // | *Forbids calls to ExitWindows(). | | 100 // -----------------|---------------------------------- |--------------------| 101 // JOB_LIMITED_USER | Same as INTERACTIVE_USER plus: | *One active process| 102 // | *Forbid changes to the display | limit. | 103 // | settings. | *Kill on Job close.| 104 // -----------------|---------------------------------- |--------------------| 105 // JOB_RESTRICTED | Same as LIMITED_USER plus: | *One active process| 106 // | * No read/write to the clipboard. | limit. | 107 // | * No access to User Handles that | *Kill on Job close.| 108 // | belong to other processes. | | 109 // | * Forbid message broadcasts. | | 110 // | * Forbid setting global hooks. | | 111 // | * No access to the global atoms | | 112 // | table. | | 113 // -----------------|-----------------------------------|--------------------| 114 // JOB_LOCKDOWN | Same as RESTRICTED | *One active process| 115 // | | limit. | 116 // | | *Kill on Job close.| 117 // | | *Kill on unhandled | 118 // | | exception. | 119 // | | | 120 // In the context of the above table, 'user handles' refers to the handles of 121 // windows, bitmaps, menus, etc. Files, treads and registry handles are kernel 122 // handles and are not affected by the job level settings. 123 enum JobLevel { 124 JOB_LOCKDOWN = 0, 125 JOB_RESTRICTED, 126 JOB_LIMITED_USER, 127 JOB_INTERACTIVE, 128 JOB_UNPROTECTED, 129 JOB_NONE 130 }; 131 132 // These flags correspond to various process-level mitigations (eg. ASLR and 133 // DEP). Most are implemented via UpdateProcThreadAttribute() plus flags for 134 // the PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY attribute argument; documented 135 // here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686880 136 // Some mitigations are implemented directly by the sandbox or emulated to 137 // the greatest extent possible when not directly supported by the OS. 138 // Flags that are unsupported for the target OS will be silently ignored. 139 // Flags that are invalid for their application (pre or post startup) will 140 // return SBOX_ERROR_BAD_PARAMS. 141 typedef uint64_t MitigationFlags; 142 143 // Permanently enables DEP for the target process. Corresponds to 144 // PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE. 145 const MitigationFlags MITIGATION_DEP = 0x00000001; 146 147 // Permanently Disables ATL thunk emulation when DEP is enabled. Valid 148 // only when MITIGATION_DEP is passed. Corresponds to not passing 149 // PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE. 150 const MitigationFlags MITIGATION_DEP_NO_ATL_THUNK = 0x00000002; 151 152 // Enables Structured exception handling override prevention. Must be 153 // enabled prior to process start. Corresponds to 154 // PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE. 155 const MitigationFlags MITIGATION_SEHOP = 0x00000004; 156 157 // Forces ASLR on all images in the child process. Corresponds to 158 // PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON . 159 const MitigationFlags MITIGATION_RELOCATE_IMAGE = 0x00000008; 160 161 // Refuses to load DLLs that cannot support ASLR. Corresponds to 162 // PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS. 163 const MitigationFlags MITIGATION_RELOCATE_IMAGE_REQUIRED = 0x00000010; 164 165 // Terminates the process on Windows heap corruption. Coresponds to 166 // PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON. 167 const MitigationFlags MITIGATION_HEAP_TERMINATE = 0x00000020; 168 169 // Sets a random lower bound as the minimum user address. Must be 170 // enabled prior to process start. On 32-bit processes this is 171 // emulated to a much smaller degree. Corresponds to 172 // PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON. 173 const MitigationFlags MITIGATION_BOTTOM_UP_ASLR = 0x00000040; 174 175 // Increases the randomness range of bottom-up ASLR to up to 1TB. Must be 176 // enabled prior to process start and with MITIGATION_BOTTOM_UP_ASLR. 177 // Corresponds to 178 // PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON 179 const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR = 0x00000080; 180 181 // Immediately raises an exception on a bad handle reference. Must be 182 // enabled after startup. Corresponds to 183 // PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON. 184 const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100; 185 186 // Prevents the process from making Win32k calls. Corresponds to 187 // PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON. 188 const MitigationFlags MITIGATION_WIN32K_DISABLE = 0x00000200; 189 190 // Prevents certain built-in third party extension points from being used. 191 // - App_Init DLLs 192 // - Winsock Layered Service Providers (LSPs) 193 // - Global Windows Hooks (NOT thread-targeted hooks) 194 // - Legacy Input Method Editors (IMEs). 195 // I.e.: Disable legacy hooking mechanisms. Corresponds to 196 // PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON. 197 const MitigationFlags MITIGATION_EXTENSION_POINT_DISABLE = 0x00000400; 198 199 // Prevents the process from loading non-system fonts into GDI. 200 // Corresponds to 201 // PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON 202 const MitigationFlags MITIGATION_NONSYSTEM_FONT_DISABLE = 0x00000800; 203 204 // Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional 205 // directories can be added via the Windows AddDllDirectory() function. 206 // http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515 207 // Must be enabled after startup. 208 const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000001ULL << 32; 209 210 // Changes the mandatory integrity level policy on the current process' token 211 // to enable no-read and no-execute up. This prevents a lower IL process from 212 // opening the process token for impersonate/duplicate/assignment. 213 const MitigationFlags MITIGATION_HARDEN_TOKEN_IL_POLICY = 0x00000001ULL << 33; 214 215 // Blocks mapping of images from remote devices. Corresponds to 216 // PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON. 217 const MitigationFlags MITIGATION_IMAGE_LOAD_NO_REMOTE = 0x00000001ULL << 52; 218 219 // Blocks mapping of images that have the low manditory label. Corresponds to 220 // PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_ON. 221 const MitigationFlags MITIGATION_IMAGE_LOAD_NO_LOW_LABEL = 0x00000001ULL << 56; 222 223 } // namespace sandbox 224 225 #endif // SANDBOX_SRC_SECURITY_LEVEL_H_ 226