1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_H_ 6 #define SANDBOX_WIN_SRC_SANDBOX_POLICY_H_ 7 8 #include <string> 9 10 #include "base/basictypes.h" 11 #include "sandbox/win/src/sandbox_types.h" 12 #include "sandbox/win/src/security_level.h" 13 14 namespace sandbox { 15 16 class TargetPolicy { 17 public: 18 // Windows subsystems that can have specific rules. 19 // Note: The process subsystem(SUBSY_PROCESS) does not evaluate the request 20 // exactly like the CreateProcess API does. See the comment at the top of 21 // process_thread_dispatcher.cc for more details. 22 enum SubSystem { 23 SUBSYS_FILES, // Creation and opening of files and pipes. 24 SUBSYS_NAMED_PIPES, // Creation of named pipes. 25 SUBSYS_PROCESS, // Creation of child processes. 26 SUBSYS_REGISTRY, // Creation and opening of registry keys. 27 SUBSYS_SYNC, // Creation of named sync objects. 28 SUBSYS_HANDLES // Duplication of handles to other processes. 29 }; 30 31 // Allowable semantics when a rule is matched. 32 enum Semantics { 33 FILES_ALLOW_ANY, // Allows open or create for any kind of access that 34 // the file system supports. 35 FILES_ALLOW_READONLY, // Allows open or create with read access only. 36 FILES_ALLOW_QUERY, // Allows access to query the attributes of a file. 37 FILES_ALLOW_DIR_ANY, // Allows open or create with directory semantics 38 // only. 39 HANDLES_DUP_ANY, // Allows duplicating handles opened with any 40 // access permissions. 41 HANDLES_DUP_BROKER, // Allows duplicating handles to the broker process. 42 NAMEDPIPES_ALLOW_ANY, // Allows creation of a named pipe. 43 PROCESS_MIN_EXEC, // Allows to create a process with minimal rights 44 // over the resulting process and thread handles. 45 // No other parameters besides the command line are 46 // passed to the child process. 47 PROCESS_ALL_EXEC, // Allows the creation of a process and return fill 48 // access on the returned handles. 49 // This flag can be used only when the main token of 50 // the sandboxed application is at least INTERACTIVE. 51 EVENTS_ALLOW_ANY, // Allows the creation of an event with full access. 52 EVENTS_ALLOW_READONLY, // Allows opening an even with synchronize access. 53 REG_ALLOW_READONLY, // Allows readonly access to a registry key. 54 REG_ALLOW_ANY // Allows read and write access to a registry key. 55 }; 56 57 // Increments the reference count of this object. The reference count must 58 // be incremented if this interface is given to another component. 59 virtual void AddRef() = 0; 60 61 // Decrements the reference count of this object. When the reference count 62 // is zero the object is automatically destroyed. 63 // Indicates that the caller is done with this interface. After calling 64 // release no other method should be called. 65 virtual void Release() = 0; 66 67 // Sets the security level for the target process' two tokens. 68 // This setting is permanent and cannot be changed once the target process is 69 // spawned. 70 // initial: the security level for the initial token. This is the token that 71 // is used by the process from the creation of the process until the moment 72 // the process calls TargetServices::LowerToken() or the process calls 73 // win32's ReverToSelf(). Once this happens the initial token is no longer 74 // available and the lockdown token is in effect. Using an initial token is 75 // not compatible with AppContainer, see SetAppContainer. 76 // lockdown: the security level for the token that comes into force after the 77 // process calls TargetServices::LowerToken() or the process calls 78 // ReverToSelf(). See the explanation of each level in the TokenLevel 79 // definition. 80 // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise. 81 // Returns false if the lockdown value is more permissive than the initial 82 // value. 83 // 84 // Important: most of the sandbox-provided security relies on this single 85 // setting. The caller should strive to set the lockdown level as restricted 86 // as possible. 87 virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) = 0; 88 89 // Sets the security level of the Job Object to which the target process will 90 // belong. This setting is permanent and cannot be changed once the target 91 // process is spawned. The job controls the global security settings which 92 // can not be specified in the token security profile. 93 // job_level: the security level for the job. See the explanation of each 94 // level in the JobLevel definition. 95 // ui_exceptions: specify what specific rights that are disabled in the 96 // chosen job_level that need to be granted. Use this parameter to avoid 97 // selecting the next permissive job level unless you need all the rights 98 // that are granted in such level. 99 // The exceptions can be specified as a combination of the following 100 // constants: 101 // JOB_OBJECT_UILIMIT_HANDLES : grant access to all user-mode handles. These 102 // include windows, icons, menus and various GDI objects. In addition the 103 // target process can set hooks, and broadcast messages to other processes 104 // that belong to the same desktop. 105 // JOB_OBJECT_UILIMIT_READCLIPBOARD : grant read-only access to the clipboard. 106 // JOB_OBJECT_UILIMIT_WRITECLIPBOARD : grant write access to the clipboard. 107 // JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS : allow changes to the system-wide 108 // parameters as defined by the Win32 call SystemParametersInfo(). 109 // JOB_OBJECT_UILIMIT_DISPLAYSETTINGS : allow programmatic changes to the 110 // display settings. 111 // JOB_OBJECT_UILIMIT_GLOBALATOMS : allow access to the global atoms table. 112 // JOB_OBJECT_UILIMIT_DESKTOP : allow the creation of new desktops. 113 // JOB_OBJECT_UILIMIT_EXITWINDOWS : allow the call to ExitWindows(). 114 // 115 // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise. 116 // 117 // Note: JOB_OBJECT_XXXX constants are defined in winnt.h and documented at 118 // length in: 119 // http://msdn2.microsoft.com/en-us/library/ms684152.aspx 120 // 121 // Note: the recommended level is JOB_RESTRICTED or JOB_LOCKDOWN. 122 virtual ResultCode SetJobLevel(JobLevel job_level, uint32 ui_exceptions) = 0; 123 124 // Specifies the desktop on which the application is going to run. If the 125 // desktop does not exist, it will be created. If alternate_winstation is 126 // set to true, the desktop will be created on an alternate window station. 127 virtual ResultCode SetAlternateDesktop(bool alternate_winstation) = 0; 128 129 // Returns the name of the alternate desktop used. If an alternate window 130 // station is specified, the name is prepended by the window station name, 131 // followed by a backslash. 132 virtual std::wstring GetAlternateDesktop() const = 0; 133 134 // Precreates the desktop and window station, if any. 135 virtual ResultCode CreateAlternateDesktop(bool alternate_winstation) = 0; 136 137 // Destroys the desktop and windows station. 138 virtual void DestroyAlternateDesktop() = 0; 139 140 // Sets the integrity level of the process in the sandbox. Both the initial 141 // token and the main token will be affected by this. If the integrity level 142 // is set to a level higher than the current level, the sandbox will fail 143 // to start. 144 virtual ResultCode SetIntegrityLevel(IntegrityLevel level) = 0; 145 146 // Sets the integrity level of the process in the sandbox. The integrity level 147 // will not take effect before you call LowerToken. User Interface Privilege 148 // Isolation is not affected by this setting and will remain off for the 149 // process in the sandbox. If the integrity level is set to a level higher 150 // than the current level, the sandbox will fail to start. 151 virtual ResultCode SetDelayedIntegrityLevel(IntegrityLevel level) = 0; 152 153 // Sets the AppContainer to be used for the sandboxed process. Any capability 154 // to be enabled for the process should be added before this method is invoked 155 // (by calling SetCapability() as many times as needed). 156 // The desired AppContainer must be already installed on the system, otherwise 157 // launching the sandboxed process will fail. See BrokerServices for details 158 // about installing an AppContainer. 159 // Note that currently Windows restricts the use of impersonation within 160 // AppContainers, so this function is incompatible with the use of an initial 161 // token. 162 virtual ResultCode SetAppContainer(const wchar_t* sid) = 0; 163 164 // Sets a capability to be enabled for the sandboxed process' AppContainer. 165 virtual ResultCode SetCapability(const wchar_t* sid) = 0; 166 167 // Sets the mitigations enabled when the process is created. Most of these 168 // are implemented as attributes passed via STARTUPINFOEX. So they take 169 // effect before any thread in the target executes. The declaration of 170 // MitigationFlags is followed by a detailed description of each flag. 171 virtual ResultCode SetProcessMitigations(MitigationFlags flags) = 0; 172 173 // Returns the currently set mitigation flags. 174 virtual MitigationFlags GetProcessMitigations() = 0; 175 176 // Sets process mitigation flags that don't take effect before the call to 177 // LowerToken(). 178 virtual ResultCode SetDelayedProcessMitigations(MitigationFlags flags) = 0; 179 180 // Returns the currently set delayed mitigation flags. 181 virtual MitigationFlags GetDelayedProcessMitigations() = 0; 182 183 // Sets the interceptions to operate in strict mode. By default, interceptions 184 // are performed in "relaxed" mode, where if something inside NTDLL.DLL is 185 // already patched we attempt to intercept it anyway. Setting interceptions 186 // to strict mode means that when we detect that the function is patched we'll 187 // refuse to perform the interception. 188 virtual void SetStrictInterceptions() = 0; 189 190 // Set the handles the target process should inherit for stdout and 191 // stderr. The handles the caller passes must remain valid for the 192 // lifetime of the policy object. This only has an effect on 193 // Windows Vista and later versions. These methods accept pipe and 194 // file handles, but not console handles. 195 virtual ResultCode SetStdoutHandle(HANDLE handle) = 0; 196 virtual ResultCode SetStderrHandle(HANDLE handle) = 0; 197 198 // Adds a policy rule effective for processes spawned using this policy. 199 // subsystem: One of the above enumerated windows subsystems. 200 // semantics: One of the above enumerated FileSemantics. 201 // pattern: A specific full path or a full path with wildcard patterns. 202 // The valid wildcards are: 203 // '*' : Matches zero or more character. Only one in series allowed. 204 // '?' : Matches a single character. One or more in series are allowed. 205 // Examples: 206 // "c:\\documents and settings\\vince\\*.dmp" 207 // "c:\\documents and settings\\*\\crashdumps\\*.dmp" 208 // "c:\\temp\\app_log_?????_chrome.txt" 209 virtual ResultCode AddRule(SubSystem subsystem, Semantics semantics, 210 const wchar_t* pattern) = 0; 211 212 // Adds a dll that will be unloaded in the target process before it gets 213 // a chance to initialize itself. Typically, dlls that cause the target 214 // to crash go here. 215 virtual ResultCode AddDllToUnload(const wchar_t* dll_name) = 0; 216 217 // Adds a handle that will be closed in the target process after lockdown. 218 // A NULL value for handle_name indicates all handles of the specified type. 219 // An empty string for handle_name indicates the handle is unnamed. 220 virtual ResultCode AddKernelObjectToClose(const wchar_t* handle_type, 221 const wchar_t* handle_name) = 0; 222 }; 223 224 } // namespace sandbox 225 226 227 #endif // SANDBOX_WIN_SRC_SANDBOX_POLICY_H_ 228
