This source file includes following definitions.
- PrintUsage
- GetTokenLevelFromString
- GetJobLevelFromString
- wmain
#include "sandbox/win/src/restricted_token_utils.h"
#define PARAM_IS(y) (argc > i) && (_wcsicmp(argv[i], y) == 0)
void PrintUsage(const wchar_t *application_name) {
wprintf(L"\n\nUsage: \n %ls --main level --init level --job level cmd_line ",
application_name);
wprintf(L"\n\n Levels : \n\tLOCKDOWN \n\tRESTRICTED "
L"\n\tLIMITED_USER \n\tINTERACTIVE_USER \n\tNON_ADMIN \n\tUNPROTECTED");
wprintf(L"\n\n main: Security level of the main token");
wprintf(L"\n init: Security level of the impersonation token");
wprintf(L"\n job: Security level of the job object");
}
bool GetTokenLevelFromString(const wchar_t *param,
sandbox::TokenLevel* level) {
if (_wcsicmp(param, L"LOCKDOWN") == 0) {
*level = sandbox::USER_LOCKDOWN;
} else if (_wcsicmp(param, L"RESTRICTED") == 0) {
*level = sandbox::USER_RESTRICTED;
} else if (_wcsicmp(param, L"LIMITED_USER") == 0) {
*level = sandbox::USER_LIMITED;
} else if (_wcsicmp(param, L"INTERACTIVE_USER") == 0) {
*level = sandbox::USER_INTERACTIVE;
} else if (_wcsicmp(param, L"NON_ADMIN") == 0) {
*level = sandbox::USER_NON_ADMIN;
} else if (_wcsicmp(param, L"USER_RESTRICTED_SAME_ACCESS") == 0) {
*level = sandbox::USER_RESTRICTED_SAME_ACCESS;
} else if (_wcsicmp(param, L"UNPROTECTED") == 0) {
*level = sandbox::USER_UNPROTECTED;
} else {
return false;
}
return true;
}
bool GetJobLevelFromString(const wchar_t *param, sandbox::JobLevel* level) {
if (_wcsicmp(param, L"LOCKDOWN") == 0) {
*level = sandbox::JOB_LOCKDOWN;
} else if (_wcsicmp(param, L"RESTRICTED") == 0) {
*level = sandbox::JOB_RESTRICTED;
} else if (_wcsicmp(param, L"LIMITED_USER") == 0) {
*level = sandbox::JOB_LIMITED_USER;
} else if (_wcsicmp(param, L"INTERACTIVE_USER") == 0) {
*level = sandbox::JOB_INTERACTIVE;
} else if (_wcsicmp(param, L"NON_ADMIN") == 0) {
wprintf(L"\nNON_ADMIN is not a supported job type");
return false;
} else if (_wcsicmp(param, L"UNPROTECTED") == 0) {
*level = sandbox::JOB_UNPROTECTED;
} else {
return false;
}
return true;
}
int wmain(int argc, wchar_t *argv[]) {
wchar_t *app_name = wcsrchr(argv[0], L'\\');
if (!app_name) {
app_name = argv[0];
} else {
app_name++;
}
if (argc == 1) {
PrintUsage(app_name);
return -1;
}
sandbox::TokenLevel primary_level = sandbox::USER_LOCKDOWN;
sandbox::TokenLevel impersonation_level =
sandbox::USER_RESTRICTED_SAME_ACCESS;
sandbox::JobLevel job_level = sandbox::JOB_LOCKDOWN;
ATL::CString command_line;
for (int i = 1; i < argc; ++i) {
if (PARAM_IS(L"--main")) {
i++;
if (argc > i) {
if (!GetTokenLevelFromString(argv[i], &primary_level)) {
wprintf(L"\nAbord, Unrecognized main token level \"%ls\"", argv[i]);
PrintUsage(app_name);
return -1;
}
}
} else if (PARAM_IS(L"--init")) {
i++;
if (argc > i) {
if (!GetTokenLevelFromString(argv[i], &impersonation_level)) {
wprintf(L"\nAbord, Unrecognized init token level \"%ls\"", argv[i]);
PrintUsage(app_name);
return -1;
}
}
} else if (PARAM_IS(L"--job")) {
i++;
if (argc > i) {
if (!GetJobLevelFromString(argv[i], &job_level)) {
wprintf(L"\nAbord, Unrecognized job security level \"%ls\"", argv[i]);
PrintUsage(app_name);
return -1;
}
}
} else {
if (command_line.GetLength()) {
command_line += L' ';
}
command_line += argv[i];
}
}
if (!command_line.GetLength()) {
wprintf(L"\nAbord, No command line specified");
PrintUsage(app_name);
return -1;
}
wprintf(L"\nLaunching command line: \"%ls\"\n", command_line.GetBuffer());
HANDLE job_handle;
DWORD err_code = sandbox::StartRestrictedProcessInJob(
command_line.GetBuffer(),
primary_level,
impersonation_level,
job_level,
&job_handle);
if (ERROR_SUCCESS != err_code) {
wprintf(L"\nAbord, Error %d while launching command line.", err_code);
return -1;
}
wprintf(L"\nPress any key to continue.");
while(!_kbhit()) {
Sleep(100);
}
::CloseHandle(job_handle);
return 0;
}