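// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "sandbox/win/src/restricted_token_utils.h"
#include "sandbox/win/tools/finder/finder.h"

namespace {

// Returns true when argv[index] exists and equals |name| (case-insensitive).
// Replaces the former PARAM_IS macro, which silently depended on the caller
// having locals named argc, argv and i.
bool ParamIs(int argc, wchar_t* argv[], int index, const wchar_t* name) {
  return index < argc && _wcsicmp(argv[index], name) == 0;
}

// Maps a --token argument to its sandbox::TokenLevel. Returns false when
// |name| is not a recognized token type, in which case |level| is untouched.
bool ParseTokenType(const wchar_t* name, sandbox::TokenLevel* level) {
  struct TokenName {
    const wchar_t* name;
    sandbox::TokenLevel level;
  };
  static const TokenName kTokenNames[] = {
    {L"LOCKDOWN", sandbox::USER_LOCKDOWN},
    {L"RESTRICTED", sandbox::USER_RESTRICTED},
    {L"LIMITED_USER", sandbox::USER_LIMITED},
    {L"INTERACTIVE_USER", sandbox::USER_INTERACTIVE},
    {L"NON_ADMIN", sandbox::USER_NON_ADMIN},
    {L"USER_RESTRICTED_SAME_ACCESS", sandbox::USER_RESTRICTED_SAME_ACCESS},
    {L"UNPROTECTED", sandbox::USER_UNPROTECTED},
  };
  const size_t count = sizeof(kTokenNames) / sizeof(kTokenNames[0]);
  for (size_t k = 0; k < count; ++k) {
    if (_wcsicmp(name, kTokenNames[k].name) == 0) {
      *level = kTokenNames[k].level;
      return true;
    }
  }
  return false;
}

// Maps one --object argument to its kScan* flag, or 0 when |name| is not an
// object type (which ends the --object list).
DWORD ObjectTypeFlag(const wchar_t* name) {
  if (_wcsicmp(name, L"REG") == 0)
    return kScanRegistry;
  if (_wcsicmp(name, L"FILE") == 0)
    return kScanFileSystem;
  if (_wcsicmp(name, L"KERNEL") == 0)
    return kScanKernelObjects;
  return 0;
}

// Maps one --access argument to its kTestFor* flag, or 0 when |name| is not
// an access type (which ends the --access list).
DWORD AccessTypeFlag(const wchar_t* name) {
  if (_wcsicmp(name, L"R") == 0)
    return kTestForRead;
  if (_wcsicmp(name, L"W") == 0)
    return kTestForWrite;
  if (_wcsicmp(name, L"ALL") == 0)
    return kTestForAll;
  return 0;
}

}  // namespace

// Prints the command-line help for this tool. |application_name| is the
// executable's file name (no path) and is echoed in the usage examples.
void PrintUsage(const wchar_t* application_name) {
  wprintf(L"\n\nUsage: \n %ls --token type --object ob1 [ob2 ob3] "
          L"--access ac1 [ac2 ac3] [--log filename]", application_name);
  // USER_RESTRICTED_SAME_ACCESS is accepted by the parser, so list it here.
  wprintf(L"\n\n Token Types : \n\tLOCKDOWN \n\tRESTRICTED "
          L"\n\tLIMITED_USER \n\tINTERACTIVE_USER \n\tNON_ADMIN "
          L"\n\tUSER_RESTRICTED_SAME_ACCESS \n\tUNPROTECTED");
  wprintf(L"\n Object Types: \n\tREG \n\tFILE \n\tKERNEL");
  wprintf(L"\n Access Types: \n\tR \n\tW \n\tALL");
  wprintf(L"\n\nSample: \n %ls --token LOCKDOWN --object REG FILE KERNEL "
          L"--access R W ALL", application_name);
}

// Entry point. Parses the command line, opens the optional log file, runs
// the Finder scan with the selected token level / object types / access
// types, and returns 0 on success or -1 on any usage or I/O error.
int wmain(int argc, wchar_t* argv[]) {
  // Extract the filename from the path.
  const wchar_t* app_name = wcsrchr(argv[0], L'\\');
  if (!app_name) {
    app_name = argv[0];
  } else {
    app_name++;
  }

  // parameters to read
  ATL::CString log_file;
  sandbox::TokenLevel token_type = sandbox::USER_LOCKDOWN;
  DWORD object_type = 0;
  DWORD access_type = 0;

  // no arguments
  if (argc == 1) {
    PrintUsage(app_name);
    return -1;
  }

  // parse command line.
  for (int i = 1; i < argc; ++i) {
    if (ParamIs(argc, argv, i, L"--token")) {
      i++;
      // A bare "--token" used to fall through silently with the default
      // level; treat it as a usage error, like a bare "--log".
      if (argc <= i) {
        wprintf(L"\nAbort. No token type specified");
        PrintUsage(app_name);
        return -1;
      }
      if (!ParseTokenType(argv[i], &token_type)) {
        wprintf(L"\nAbort. Invalid token type \"%ls\"", argv[i]);
        PrintUsage(app_name);
        return -1;
      }
    } else if (ParamIs(argc, argv, i, L"--object")) {
      // Consume every following argument that names an object type. The
      // first one that does not ends the list and is left for the outer
      // loop to interpret.
      DWORD flag = 0;
      while (i + 1 < argc && (flag = ObjectTypeFlag(argv[i + 1])) != 0) {
        object_type |= flag;
        ++i;
      }
    } else if (ParamIs(argc, argv, i, L"--access")) {
      // Same scheme as --object.
      DWORD flag = 0;
      while (i + 1 < argc && (flag = AccessTypeFlag(argv[i + 1])) != 0) {
        access_type |= flag;
        ++i;
      }
    } else if (ParamIs(argc, argv, i, L"--log")) {
      i++;
      if (argc > i) {
        log_file = argv[i];
      } else {
        wprintf(L"\nAbort. No log file specified");
        PrintUsage(app_name);
        return -1;
      }
    } else {
      wprintf(L"\nAbort. Unrecognized parameter \"%ls\"", argv[i]);
      PrintUsage(app_name);
      return -1;
    }
  }

  // validate parameters
  if (0 == access_type) {
    wprintf(L"\nAbort, Access type not specified");
    PrintUsage(app_name);
    return -1;
  }

  if (0 == object_type) {
    wprintf(L"\nAbort, Object type not specified");
    PrintUsage(app_name);
    return -1;
  }

  // Open log file. Default to stdout so |file_output| is never left
  // uninitialized.
  FILE* file_output = stdout;
  if (log_file.GetLength()) {
    // GetString() instead of GetBuffer(): the latter hands out a writable
    // buffer that must be paired with ReleaseBuffer().
    errno_t err = _wfopen_s(&file_output, log_file.GetString(), L"w");
    if (err) {
      wprintf(L"\nAbort, Cannot open file \"%ls\"", log_file.GetString());
      return -1;
    }
  }

  // NOTE(review): Finder presumably enumerates the selected object types
  // that a process holding a |token_type| token could reach with
  // |access_type|, writing results to |file_output| — see finder.h.
  Finder finder_obj;
  finder_obj.Init(token_type, object_type, access_type, file_output);
  finder_obj.Scan();

  // Only close what we opened; the original unconditionally closed
  // |file_output| and so closed stdout when no --log was given.
  if (file_output != stdout)
    fclose(file_output);

  return 0;
}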