
Lines Matching full:sandbox

28 #include "sandbox/win/src/process_mitigations.h"
29 #include "sandbox/win/src/sandbox.h"
30 #include "sandbox/win/src/sandbox_nt_util.h"
31 #include "sandbox/win/src/win_utils.h"
34 static sandbox::BrokerServices* g_broker_services = NULL;
35 static sandbox::TargetServices* g_target_services = NULL;
116 sandbox::TargetPolicy::Semantics access,
117 sandbox::TargetPolicy* policy) {
125 sandbox::ResultCode result;
126 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, access,
128 if (result != sandbox::SBOX_ALL_OK)
136 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, access,
138 if (result != sandbox::SBOX_ALL_OK)
147 sandbox::TargetPolicy::Semantics access,
148 sandbox::TargetPolicy* policy) {
149 sandbox::ResultCode result;
150 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, access,
152 if (result != sandbox::SBOX_ALL_OK)
156 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, access,
158 if (result != sandbox::SBOX_ALL_OK)
183 sandbox::TargetPolicy* policy) {
218 // Eviction of injected DLLs is done by the sandbox so that the injected module
220 void AddGenericDllEvictionPolicy(sandbox::TargetPolicy* policy) {
245 // Checks if the sandbox should be allowed to run without a job object assigned.
276 // Adds the generic policy rules to a sandbox TargetPolicy.
277 bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
278 sandbox::ResultCode result;
282 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
283 sandbox::TargetPolicy::HANDLES_DUP_ANY,
285 if (result != sandbox::SBOX_ALL_OK)
291 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
292 sandbox::TargetPolicy::FILES_ALLOW_ANY,
294 if (result != sandbox::SBOX_ALL_OK)
301 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
302 sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
304 if (result != sandbox::SBOX_ALL_OK)
309 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
310 sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
312 if (result != sandbox::SBOX_ALL_OK)
330 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_PROCESS,
331 sandbox::TargetPolicy::PROCESS_MIN_EXEC,
333 if (result != sandbox::SBOX_ALL_OK)
341 bool AddPolicyForSandboxedProcess(sandbox::TargetPolicy* policy) {
342 sandbox::ResultCode result;
344 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
345 sandbox::TargetPolicy::HANDLES_DUP_ANY,
347 if (result != sandbox::SBOX_ALL_OK)
354 sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
358 initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS;
361 policy->SetTokenLevel(initial_token, sandbox::USER_LOCKDOWN);
363 policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
365 if (sandbox::SBOX_ALL_OK != policy->SetAlternateDesktop(true)) {
408 " process.\n Please use the sandbox::BrokerDuplicateHandle API or"
497 sandbox::JobLevel job_level,
499 sandbox::TargetPolicy* policy) {
506 policy->SetJobLevel(sandbox::JOB_NONE, 0);
512 void AddBaseHandleClosePolicy(sandbox::TargetPolicy* policy) {
519 bool InitBrokerServices(sandbox::BrokerServices* broker_services) {
524 sandbox::ResultCode result = broker_services->Init();
555 return sandbox::SBOX_ALL_OK == result;
558 bool InitTargetServices(sandbox::TargetServices* target_services) {
561 sandbox::ResultCode result = target_services->Init();
563 return sandbox::SBOX_ALL_OK == result;
628 sandbox::TargetPolicy* policy = g_broker_services->CreatePolicy();
630 sandbox::MitigationFlags mitigations = sandbox::MITIGATION_HEAP_TERMINATE |
631 sandbox::MITIGATION_BOTTOM_UP_ASLR |
632 sandbox::MITIGATION_DEP |
633 sandbox::MITIGATION_DEP_NO_ATL_THUNK |
634 sandbox::MITIGATION_SEHOP;
640 if (policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN,
641 sandbox::TargetPolicy::FAKE_USER_GDI_INIT,
642 NULL) != sandbox::SBOX_ALL_OK) {
645 mitigations |= sandbox::MITIGATION_WIN32K_DISABLE;
648 if (policy->SetProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
651 mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
652 sandbox::MITIGATION_DLL_SEARCH_ORDER;
654 if (policy->SetDelayedProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
657 SetJobLevel(*cmd_line, sandbox::JOB_LOCKDOWN, 0, policy);
672 sandbox::TargetPolicy::FILES_ALLOW_READONLY,
682 sandbox::ResultCode result;
684 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
685 sandbox::TargetPolicy::FILES_ALLOW_ANY,
687 if (result != sandbox::SBOX_ALL_OK)
691 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
692 sandbox::TargetPolicy::FILES_ALLOW_ANY,
694 if (result != sandbox::SBOX_ALL_OK)
729 if (sandbox::SBOX_ALL_OK != result) {
730 if (result == sandbox::SBOX_ERROR_GENERIC)
761 options) == sandbox::SBOX_ALL_OK) {
779 return g_broker_services->AddTargetPeer(peer_process) == sandbox::SBOX_ALL_OK;