This source file includes following definitions.
- Init
- GetRestrictedTokenHandle
- GetRestrictedTokenHandleForImpersonation
- AddAllSidsForDenyOnly
- AddSidForDenyOnly
- AddUserSidForDenyOnly
- DeleteAllPrivileges
- DeletePrivilege
- AddRestrictingSid
- AddRestrictingSidLogonSession
- AddRestrictingSidCurrentUser
- AddRestrictingSidAllSids
- SetIntegrityLevel
#include "sandbox/win/src/restricted_token.h"
#include <vector>
#include "base/logging.h"
#include "sandbox/win/src/acl.h"
#include "sandbox/win/src/win_utils.h"
namespace sandbox {
unsigned RestrictedToken::Init(const HANDLE effective_token) {
DCHECK(!init_);
if (init_)
return ERROR_ALREADY_INITIALIZED;
if (effective_token) {
HANDLE effective_token_dup;
if (::DuplicateHandle(::GetCurrentProcess(),
effective_token,
::GetCurrentProcess(),
&effective_token_dup,
0,
FALSE,
DUPLICATE_SAME_ACCESS)) {
effective_token_ = effective_token_dup;
} else {
return ::GetLastError();
}
} else {
if (!::OpenProcessToken(::GetCurrentProcess(),
TOKEN_ALL_ACCESS,
&effective_token_))
return ::GetLastError();
}
init_ = true;
return ERROR_SUCCESS;
}
unsigned RestrictedToken::GetRestrictedTokenHandle(HANDLE *token_handle) const {
DCHECK(init_);
if (!init_)
return ERROR_NO_TOKEN;
size_t deny_size = sids_for_deny_only_.size();
size_t restrict_size = sids_to_restrict_.size();
size_t privileges_size = privileges_to_disable_.size();
SID_AND_ATTRIBUTES *deny_only_array = NULL;
if (deny_size) {
deny_only_array = new SID_AND_ATTRIBUTES[deny_size];
for (unsigned int i = 0; i < sids_for_deny_only_.size() ; ++i) {
deny_only_array[i].Attributes = SE_GROUP_USE_FOR_DENY_ONLY;
deny_only_array[i].Sid =
const_cast<SID*>(sids_for_deny_only_[i].GetPSID());
}
}
SID_AND_ATTRIBUTES *sids_to_restrict_array = NULL;
if (restrict_size) {
sids_to_restrict_array = new SID_AND_ATTRIBUTES[restrict_size];
for (unsigned int i = 0; i < restrict_size; ++i) {
sids_to_restrict_array[i].Attributes = 0;
sids_to_restrict_array[i].Sid =
const_cast<SID*>(sids_to_restrict_[i].GetPSID());
}
}
LUID_AND_ATTRIBUTES *privileges_to_disable_array = NULL;
if (privileges_size) {
privileges_to_disable_array = new LUID_AND_ATTRIBUTES[privileges_size];
for (unsigned int i = 0; i < privileges_size; ++i) {
privileges_to_disable_array[i].Attributes = 0;
privileges_to_disable_array[i].Luid = privileges_to_disable_[i];
}
}
BOOL result = TRUE;
HANDLE new_token = NULL;
if (deny_size || restrict_size || privileges_size) {
result = ::CreateRestrictedToken(effective_token_,
SANDBOX_INERT,
static_cast<DWORD>(deny_size),
deny_only_array,
static_cast<DWORD>(privileges_size),
privileges_to_disable_array,
static_cast<DWORD>(restrict_size),
sids_to_restrict_array,
&new_token);
} else {
result = ::DuplicateTokenEx(effective_token_, TOKEN_ALL_ACCESS, NULL,
SecurityIdentification, TokenPrimary,
&new_token);
}
if (deny_only_array)
delete[] deny_only_array;
if (sids_to_restrict_array)
delete[] sids_to_restrict_array;
if (privileges_to_disable_array)
delete[] privileges_to_disable_array;
if (!result)
return ::GetLastError();
if (!AddSidToDefaultDacl(new_token, WinRestrictedCodeSid, GENERIC_ALL))
return ::GetLastError();
if (!AddUserSidToDefaultDacl(new_token, GENERIC_ALL))
return ::GetLastError();
DWORD error = SetTokenIntegrityLevel(new_token, integrity_level_);
if (ERROR_SUCCESS != error)
return error;
BOOL status = ::DuplicateHandle(::GetCurrentProcess(),
new_token,
::GetCurrentProcess(),
token_handle,
TOKEN_ALL_ACCESS,
FALSE,
0);
if (new_token != effective_token_)
::CloseHandle(new_token);
if (!status)
return ::GetLastError();
return ERROR_SUCCESS;
}
unsigned RestrictedToken::GetRestrictedTokenHandleForImpersonation(
HANDLE *token_handle) const {
DCHECK(init_);
if (!init_)
return ERROR_NO_TOKEN;
HANDLE restricted_token_handle;
unsigned err_code = GetRestrictedTokenHandle(&restricted_token_handle);
if (ERROR_SUCCESS != err_code)
return err_code;
HANDLE impersonation_token;
if (!::DuplicateToken(restricted_token_handle,
SecurityImpersonation,
&impersonation_token)) {
::CloseHandle(restricted_token_handle);
return ::GetLastError();
}
::CloseHandle(restricted_token_handle);
BOOL status = ::DuplicateHandle(::GetCurrentProcess(),
impersonation_token,
::GetCurrentProcess(),
token_handle,
TOKEN_ALL_ACCESS,
FALSE,
0);
::CloseHandle(impersonation_token);
if (!status)
return ::GetLastError();
return ERROR_SUCCESS;
}
unsigned RestrictedToken::AddAllSidsForDenyOnly(std::vector<Sid> *exceptions) {
DCHECK(init_);
if (!init_)
return ERROR_NO_TOKEN;
TOKEN_GROUPS *token_groups = NULL;
DWORD size = 0;
BOOL result = ::GetTokenInformation(effective_token_,
TokenGroups,
NULL,
0,
&size);
if (!size)
return ::GetLastError();
token_groups = reinterpret_cast<TOKEN_GROUPS*>(new BYTE[size]);
result = ::GetTokenInformation(effective_token_,
TokenGroups,
token_groups,
size,
&size);
if (!result) {
delete[] reinterpret_cast<BYTE*>(token_groups);
return ::GetLastError();
}
for (unsigned int i = 0; i < token_groups->GroupCount ; ++i) {
if ((token_groups->Groups[i].Attributes & SE_GROUP_INTEGRITY) == 0 &&
(token_groups->Groups[i].Attributes & SE_GROUP_LOGON_ID) == 0) {
bool should_ignore = false;
if (exceptions) {
for (unsigned int j = 0; j < exceptions->size(); ++j) {
if (::EqualSid(const_cast<SID*>((*exceptions)[j].GetPSID()),
token_groups->Groups[i].Sid)) {
should_ignore = true;
break;
}
}
}
if (!should_ignore) {
sids_for_deny_only_.push_back(
reinterpret_cast<SID*>(token_groups->Groups[i].Sid));
}
}
}
delete[] reinterpret_cast<BYTE*>(token_groups);
return ERROR_SUCCESS;
}
unsigned RestrictedToken::AddSidForDenyOnly(const Sid &sid) {
DCHECK(init_);
if (!init_)
return ERROR_NO_TOKEN;
sids_for_deny_only_.push_back(sid);
return ERROR_SUCCESS;
}
unsigned RestrictedToken::AddUserSidForDenyOnly() {
DCHECK(init_);
if (!init_)
return ERROR_NO_TOKEN;
DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE;
TOKEN_USER* token_user = reinterpret_cast<TOKEN_USER*>(new BYTE[size]);
BOOL result = ::GetTokenInformation(effective_token_,
TokenUser,
token_user,
size,
&size);
if (!result) {
delete[] reinterpret_cast<BYTE*>(token_user);
return ::GetLastError();
}
Sid user = reinterpret_cast<SID*>(token_user->User.Sid);
sids_for_deny_only_.push_back(user);
delete[] reinterpret_cast<BYTE*>(token_user);
return ERROR_SUCCESS;
}
unsigned RestrictedToken::DeleteAllPrivileges(
const std::vector<base::string16> *exceptions) {
DCHECK(init_);
if (!init_)
return ERROR_NO_TOKEN;
TOKEN_PRIVILEGES *token_privileges = NULL;
DWORD size = 0;
BOOL result = ::GetTokenInformation(effective_token_,
TokenPrivileges,
NULL,
0,
&size);
if (!size)
return ::GetLastError();
token_privileges = reinterpret_cast<TOKEN_PRIVILEGES*>(new BYTE[size]);
result = ::GetTokenInformation(effective_token_,
TokenPrivileges,
token_privileges,
size,
&size);
if (!result) {
delete[] reinterpret_cast<BYTE *>(token_privileges);
return ::GetLastError();
}
for (unsigned int i = 0; i < token_privileges->PrivilegeCount; ++i) {
bool should_ignore = false;
if (exceptions) {
for (unsigned int j = 0; j < exceptions->size(); ++j) {
LUID luid = {0};
::LookupPrivilegeValue(NULL, (*exceptions)[j].c_str(), &luid);
if (token_privileges->Privileges[i].Luid.HighPart == luid.HighPart &&
token_privileges->Privileges[i].Luid.LowPart == luid.LowPart) {
should_ignore = true;
break;
}
}
}
if (!should_ignore) {
privileges_to_disable_.push_back(token_privileges->Privileges[i].Luid);
}
}
delete[] reinterpret_cast<BYTE *>(token_privileges);
return ERROR_SUCCESS;
}
unsigned RestrictedToken::DeletePrivilege(const wchar_t *privilege) {
DCHECK(init_);
if (!init_)
return ERROR_NO_TOKEN;
LUID luid = {0};
if (LookupPrivilegeValue(NULL, privilege, &luid))
privileges_to_disable_.push_back(luid);
else
return ::GetLastError();
return ERROR_SUCCESS;
}
unsigned RestrictedToken::AddRestrictingSid(const Sid &sid) {
DCHECK(init_);
if (!init_)
return ERROR_NO_TOKEN;
sids_to_restrict_.push_back(sid);
return ERROR_SUCCESS;
}
unsigned RestrictedToken::AddRestrictingSidLogonSession() {
DCHECK(init_);
if (!init_)
return ERROR_NO_TOKEN;
TOKEN_GROUPS *token_groups = NULL;
DWORD size = 0;
BOOL result = ::GetTokenInformation(effective_token_,
TokenGroups,
NULL,
0,
&size);
if (!size)
return ::GetLastError();
token_groups = reinterpret_cast<TOKEN_GROUPS*>(new BYTE[size]);
result = ::GetTokenInformation(effective_token_,
TokenGroups,
token_groups,
size,
&size);
if (!result) {
delete[] reinterpret_cast<BYTE*>(token_groups);
return ::GetLastError();
}
SID *logon_sid = NULL;
for (unsigned int i = 0; i < token_groups->GroupCount ; ++i) {
if ((token_groups->Groups[i].Attributes & SE_GROUP_LOGON_ID) != 0) {
logon_sid = static_cast<SID*>(token_groups->Groups[i].Sid);
break;
}
}
if (logon_sid)
sids_to_restrict_.push_back(logon_sid);
delete[] reinterpret_cast<BYTE*>(token_groups);
return ERROR_SUCCESS;
}
unsigned RestrictedToken::AddRestrictingSidCurrentUser() {
DCHECK(init_);
if (!init_)
return ERROR_NO_TOKEN;
DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE;
TOKEN_USER* token_user = reinterpret_cast<TOKEN_USER*>(new BYTE[size]);
BOOL result = ::GetTokenInformation(effective_token_,
TokenUser,
token_user,
size,
&size);
if (!result) {
delete[] reinterpret_cast<BYTE*>(token_user);
return ::GetLastError();
}
Sid user = reinterpret_cast<SID*>(token_user->User.Sid);
sids_to_restrict_.push_back(user);
delete[] reinterpret_cast<BYTE*>(token_user);
return ERROR_SUCCESS;
}
unsigned RestrictedToken::AddRestrictingSidAllSids() {
DCHECK(init_);
if (!init_)
return ERROR_NO_TOKEN;
unsigned error = AddRestrictingSidCurrentUser();
if (ERROR_SUCCESS != error)
return error;
TOKEN_GROUPS *token_groups = NULL;
DWORD size = 0;
BOOL result = ::GetTokenInformation(effective_token_, TokenGroups, NULL, 0,
&size);
if (!size)
return ::GetLastError();
token_groups = reinterpret_cast<TOKEN_GROUPS*>(new BYTE[size]);
result = ::GetTokenInformation(effective_token_,
TokenGroups,
token_groups,
size,
&size);
if (!result) {
delete[] reinterpret_cast<BYTE*>(token_groups);
return ::GetLastError();
}
for (unsigned int i = 0; i < token_groups->GroupCount ; ++i) {
if ((token_groups->Groups[i].Attributes & SE_GROUP_INTEGRITY) == 0)
AddRestrictingSid(reinterpret_cast<SID*>(token_groups->Groups[i].Sid));
}
delete[] reinterpret_cast<BYTE*>(token_groups);
return ERROR_SUCCESS;
}
unsigned RestrictedToken::SetIntegrityLevel(IntegrityLevel integrity_level) {
integrity_level_ = integrity_level;
return ERROR_SUCCESS;
}
}