
Lines Matching full:sandbox

29 #include "sandbox/win/src/process_mitigations.h"
30 #include "sandbox/win/src/sandbox.h"
31 #include "sandbox/win/src/sandbox_nt_util.h"
32 #include "sandbox/win/src/win_utils.h"
34 static sandbox::BrokerServices* g_broker_services = NULL;
35 static sandbox::TargetServices* g_target_services = NULL;
113 sandbox::TargetPolicy::Semantics access,
114 sandbox::TargetPolicy* policy) {
122 sandbox::ResultCode result;
123 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, access,
125 if (result != sandbox::SBOX_ALL_OK)
133 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, access,
135 if (result != sandbox::SBOX_ALL_OK)
144 sandbox::TargetPolicy::Semantics access,
145 sandbox::TargetPolicy* policy) {
146 sandbox::ResultCode result;
147 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, access,
149 if (result != sandbox::SBOX_ALL_OK)
153 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, access,
155 if (result != sandbox::SBOX_ALL_OK)
180 sandbox::TargetPolicy* policy) {
215 // Eviction of injected DLLs is done by the sandbox so that the injected module
217 void AddGenericDllEvictionPolicy(sandbox::TargetPolicy* policy) {
242 // Checks if the sandbox should be allowed to run without a job object assigned.
273 // Adds the generic policy rules to a sandbox TargetPolicy.
274 bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
275 sandbox::ResultCode result;
279 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
280 sandbox::TargetPolicy::HANDLES_DUP_ANY,
282 if (result != sandbox::SBOX_ALL_OK)
288 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
289 sandbox::TargetPolicy::FILES_ALLOW_ANY,
291 if (result != sandbox::SBOX_ALL_OK)
298 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
299 sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
301 if (result != sandbox::SBOX_ALL_OK)
306 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
307 sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
309 if (result != sandbox::SBOX_ALL_OK)
327 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_PROCESS,
328 sandbox::TargetPolicy::PROCESS_MIN_EXEC,
330 if (result != sandbox::SBOX_ALL_OK)
339 bool AddPolicyForSandboxedProcess(sandbox::TargetPolicy* policy) {
340 sandbox::ResultCode result;
342 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
343 sandbox::TargetPolicy::HANDLES_DUP_ANY,
345 if (result != sandbox::SBOX_ALL_OK)
348 sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
352 initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS;
355 policy->SetTokenLevel(initial_token, sandbox::USER_LOCKDOWN);
357 policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
362 if (sandbox::SBOX_ALL_OK != policy->SetAlternateDesktop(use_winsta)) {
372 // be in a sandbox.
418 " process.\n Please use the sandbox::BrokerDuplicateHandle API or"
507 sandbox::JobLevel job_level,
509 sandbox::TargetPolicy* policy) {
513 policy->SetJobLevel(sandbox::JOB_NONE, 0);
518 void AddBaseHandleClosePolicy(sandbox::TargetPolicy* policy) {
525 bool InitBrokerServices(sandbox::BrokerServices* broker_services) {
530 sandbox::ResultCode result = broker_services->Init();
558 return sandbox::SBOX_ALL_OK == result;
561 bool InitTargetServices(sandbox::TargetServices* target_services) {
564 sandbox::ResultCode result = target_services->Init();
566 return sandbox::SBOX_ALL_OK == result;
608 sandbox::TargetPolicy* policy = g_broker_services->CreatePolicy();
610 sandbox::MitigationFlags mitigations = sandbox::MITIGATION_HEAP_TERMINATE |
611 sandbox::MITIGATION_BOTTOM_UP_ASLR |
612 sandbox::MITIGATION_DEP |
613 sandbox::MITIGATION_DEP_NO_ATL_THUNK |
614 sandbox::MITIGATION_SEHOP;
616 if (policy->SetProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
619 mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
620 sandbox::MITIGATION_DLL_SEARCH_ORDER;
622 if (policy->SetDelayedProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
625 SetJobLevel(*cmd_line, sandbox::JOB_LOCKDOWN, 0, policy);
642 sandbox::ResultCode result;
644 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
645 sandbox::TargetPolicy::FILES_ALLOW_ANY,
647 if (result != sandbox::SBOX_ALL_OK)
651 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
652 sandbox::TargetPolicy::FILES_ALLOW_ANY,
654 if (result != sandbox::SBOX_ALL_OK)
689 if (sandbox::SBOX_ALL_OK != result) {
690 if (result == sandbox::SBOX_ERROR_GENERIC)
703 // the process is in a sandbox.
727 options) == sandbox::SBOX_ALL_OK) {
745 return g_broker_services->AddTargetPeer(peer_process) == sandbox::SBOX_ALL_OK;