Revert "Merged all Chromoting Host code into remoting_core.dll (Windows)."
[chromium-blink-merge.git] / sandbox / win / src / security_level.h
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef SANDBOX_SRC_SECURITY_LEVEL_H_
6 #define SANDBOX_SRC_SECURITY_LEVEL_H_
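namespace sandbox {

// List of all the integrity levels supported in the sandbox. This is used
// only on Windows Vista. You can't set the integrity level of the process
// in the sandbox to a level higher than yours.
//
// Enumerators run from the most privileged (SYSTEM) to the least privileged
// (UNTRUSTED). INTEGRITY_LEVEL_LAST is the final enumerator; presumably a
// "no level / leave unchanged" sentinel -- TODO confirm against the code
// that consumes it.
enum IntegrityLevel {
  INTEGRITY_LEVEL_SYSTEM,
  INTEGRITY_LEVEL_HIGH,
  INTEGRITY_LEVEL_MEDIUM,
  INTEGRITY_LEVEL_MEDIUM_LOW,
  INTEGRITY_LEVEL_LOW,
  INTEGRITY_LEVEL_BELOW_LOW,
  INTEGRITY_LEVEL_UNTRUSTED,
  INTEGRITY_LEVEL_LAST
};

// The Token level specifies a set of security profiles designed to
// provide the bulk of the security of sandbox.
//
// TokenLevel                  |Restricting   |Deny Only       |Privileges|
//                             |Sids          |Sids            |          |
// ----------------------------|--------------|----------------|----------|
// USER_LOCKDOWN               | Null Sid     | All            | None     |
// ----------------------------|--------------|----------------|----------|
// USER_RESTRICTED             | RESTRICTED   | All            | Traverse |
// ----------------------------|--------------|----------------|----------|
// USER_LIMITED                | Users        | All except:    | Traverse |
//                             | Everyone     | Users          |          |
//                             | RESTRICTED   | Everyone       |          |
//                             |              | Interactive    |          |
// ----------------------------|--------------|----------------|----------|
// USER_INTERACTIVE            | Users        | All except:    | Traverse |
//                             | Everyone     | Users          |          |
//                             | RESTRICTED   | Everyone       |          |
//                             | Owner        | Interactive    |          |
//                             |              | Local          |          |
//                             |              | Authent-users  |          |
//                             |              | User           |          |
// ----------------------------|--------------|----------------|----------|
// USER_NON_ADMIN              | None         | All except:    | Traverse |
//                             |              | Users          |          |
//                             |              | Everyone       |          |
//                             |              | Interactive    |          |
//                             |              | Local          |          |
//                             |              | Authent-users  |          |
//                             |              | User           |          |
// ----------------------------|--------------|----------------|----------|
// USER_RESTRICTED_SAME_ACCESS | All          | None           | All      |
// ----------------------------|--------------|----------------|----------|
// USER_UNPROTECTED            | None         | None           | All      |
// ----------------------------|--------------|----------------|----------|
//
// The above restrictions are actually a transformation that is applied to
// the existing broker process token. The resulting token that will be
// applied to the target process depends both on the token level selected
// and on the broker token itself.
//
// The LOCKDOWN and RESTRICTED are designed to allow access to almost
// nothing that has security associated with it and they are the recommended
// levels to run sandboxed code, especially if there is a chance that the
// broker process might be started by a user that belongs to the Admins
// or power users groups.
//
// The enumerators are declared in the same order as the table rows: from
// the most restrictive (USER_LOCKDOWN = 0) to the least restrictive
// (USER_UNPROTECTED).
enum TokenLevel {
  USER_LOCKDOWN = 0,
  USER_RESTRICTED,
  USER_LIMITED,
  USER_INTERACTIVE,
  USER_NON_ADMIN,
  USER_RESTRICTED_SAME_ACCESS,
  USER_UNPROTECTED
};

// The Job level specifies a set of decreasing security profiles for the
// Job object that the target process will be placed into.
// This table summarizes the security associated with each level:
//
// JobLevel         |General                            |Quota               |
//                  |restrictions                       |restrictions        |
// -----------------|-----------------------------------|--------------------|
// JOB_NONE         | No job is assigned to the         | None               |
//                  | sandboxed process.                |                    |
// -----------------|-----------------------------------|--------------------|
// JOB_UNPROTECTED  | None                              | *Kill on Job close.|
// -----------------|-----------------------------------|--------------------|
// JOB_INTERACTIVE  | *Forbid system-wide changes using |                    |
//                  |  SystemParametersInfo().          | *Kill on Job close.|
//                  | *Forbid the creation/switch of    |                    |
//                  |  Desktops.                        |                    |
//                  | *Forbids calls to ExitWindows().  |                    |
// -----------------|-----------------------------------|--------------------|
// JOB_LIMITED_USER | Same as JOB_INTERACTIVE plus:     | *One active process|
//                  | *Forbid changes to the display    |  limit.            |
//                  |  settings.                        | *Kill on Job close.|
// -----------------|-----------------------------------|--------------------|
// JOB_RESTRICTED   | Same as JOB_LIMITED_USER plus:    | *One active process|
//                  | * No read/write to the clipboard. |  limit.            |
//                  | * No access to User Handles that  | *Kill on Job close.|
//                  |   belong to other processes.      |                    |
//                  | * Forbid message broadcasts.      |                    |
//                  | * Forbid setting global hooks.    |                    |
//                  | * No access to the global atoms   |                    |
//                  |   table.                          |                    |
// -----------------|-----------------------------------|--------------------|
// JOB_LOCKDOWN     | Same as JOB_RESTRICTED            | *One active process|
//                  |                                   |  limit.            |
//                  |                                   | *Kill on Job close.|
//                  |                                   | *Kill on unhandled |
//                  |                                   |  exception.        |
//                  |                                   |                    |
// In the context of the above table, 'user handles' refers to the handles of
// windows, bitmaps, menus, etc. Files, threads and registry handles are kernel
// handles and are not affected by the job level settings.
//
// Note that the enumerators are declared in the reverse order of the table
// rows: from the most restrictive (JOB_LOCKDOWN = 0) to the least
// restrictive (JOB_NONE, no job at all).
enum JobLevel {
  JOB_LOCKDOWN = 0,
  JOB_RESTRICTED,
  JOB_LIMITED_USER,
  JOB_INTERACTIVE,
  JOB_UNPROTECTED,
  JOB_NONE
};

// These flags correspond to various process-level mitigations (eg. ASLR and
// DEP). Most are implemented via UpdateProcThreadAttribute() plus flags for
// the PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY attribute argument; documented
// here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686880
// Some mitigations are implemented directly by the sandbox or emulated to
// the greatest extent possible when not directly supported by the OS.
// Flags that are unsupported for the target OS will be silently ignored.
// Flags that are invalid for their application (pre or post startup) will
// return SBOX_ERROR_BAD_PARAMS.
//
// MitigationFlags is a 64-bit bit mask; the constants below are combined
// with bitwise OR. Each constant's comment states whether it must be set
// before or after process start; that constraint is checked by the code
// that applies the flags, not by this header.
typedef uint64 MitigationFlags;

// Permanently enables DEP for the target process. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE.
const MitigationFlags MITIGATION_DEP = 0x00000001;

// Permanently disables ATL thunk emulation when DEP is enabled. Valid
// only when MITIGATION_DEP is passed. Corresponds to not passing
// PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE.
const MitigationFlags MITIGATION_DEP_NO_ATL_THUNK = 0x00000002;

// Enables Structured exception handling override prevention. Must be
// enabled prior to process start. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE.
const MitigationFlags MITIGATION_SEHOP = 0x00000004;

// Forces ASLR on all images in the child process. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON.
const MitigationFlags MITIGATION_RELOCATE_IMAGE = 0x00000008;

// Refuses to load DLLs that cannot support ASLR. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS.
const MitigationFlags MITIGATION_RELOCATE_IMAGE_REQUIRED = 0x00000010;

// Terminates the process on Windows heap corruption. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON.
const MitigationFlags MITIGATION_HEAP_TERMINATE = 0x00000020;

// Sets a random lower bound as the minimum user address. Must be
// enabled prior to process start. On 32-bit processes this is
// emulated to a much smaller degree. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON.
const MitigationFlags MITIGATION_BOTTOM_UP_ASLR = 0x00000040;

// Increases the randomness range of bottom-up ASLR to up to 1TB. Must be
// enabled prior to process start and with MITIGATION_BOTTOM_UP_ASLR.
// Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON.
const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR = 0x00000080;

// Immediately raises an exception on a bad handle reference. Must be
// enabled after startup. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON.
const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100;

// Prevents the process from making Win32k calls. Must be enabled after
// startup. Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON.
const MitigationFlags MITIGATION_WIN32K_DISABLE = 0x00000200;

// Disables common DLL injection methods (e.g. window hooks and
// App_InitDLLs). Corresponds to
// PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON.
const MitigationFlags MITIGATION_EXTENSION_DLL_DISABLE = 0x00000400;

// Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional
// directories can be added via the Windows AddDllDirectory() function.
// http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515
// Must be enabled after startup.
// NOTE(review): this is the only flag placed above bit 31; presumably to
// keep it apart from the flags that map onto the process-creation
// mitigation policy value -- confirm before adding further flags here.
const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000001ULL << 32;

}  // namespace sandbox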
201 #endif // SANDBOX_SRC_SECURITY_LEVEL_H_