Roll src/third_party/WebKit e0eac24:489c548 (svn 193311:193320)
[chromium-blink-merge.git] / sandbox / win / src / restricted_token_utils.h
blob509feaf74bdf5cf14507fdc581531d79bf8b826b
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__
6 #define SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__
8 #include <accctrl.h>
9 #include <windows.h>
11 #include "sandbox/win/src/restricted_token.h"
12 #include "sandbox/win/src/security_level.h"
14 // Contains the utility functions to be able to create restricted tokens based
15 // on a security profiles.
17 namespace sandbox {
19 // The type of the token returned by the CreateNakedToken.
20 enum TokenType {
21 IMPERSONATION = 0,
22 PRIMARY
25 // Creates a restricted token based on the effective token of the current
26 // process. The parameter security_level determines how much the token is
27 // restricted. The token_type determines if the token will be used as a primary
28 // token or impersonation token. The integrity level of the token is set to
29 // |integrity level| on Vista only.
30 // token_handle is the output value containing the handle of the
31 // newly created restricted token.
32 // If the function succeeds, the return value is ERROR_SUCCESS. If the
33 // function fails, the return value is the win32 error code corresponding to
34 // the error.
35 DWORD CreateRestrictedToken(HANDLE *token_handle,
36 TokenLevel security_level,
37 IntegrityLevel integrity_level,
38 TokenType token_type);
40 // Starts the process described by the input parameter command_line in a job
41 // with a restricted token. Also set the main thread of this newly created
42 // process to impersonate a user with more rights so it can initialize
43 // correctly.
45 // Parameters: primary_level is the security level of the primary token.
46 // impersonation_level is the security level of the impersonation token used
47 // to initialize the process. job_level is the security level of the job
48 // object used to encapsulate the process.
50 // The output parameter job_handle is the handle to the job object. It has
51 // to be closed with CloseHandle() when not needed. Closing this handle will
52 // kill the process started.
54 // Note: The process started with this function has to call RevertToSelf() as
55 // soon as possible to stop using the impersonation token and start being
56 // secure.
58 // Note: The Unicode version of this function will fail if the command_line
59 // parameter is a const string.
60 DWORD StartRestrictedProcessInJob(wchar_t *command_line,
61 TokenLevel primary_level,
62 TokenLevel impersonation_level,
63 JobLevel job_level,
64 HANDLE *job_handle);
66 // Sets the integrity label on a object handle.
67 DWORD SetObjectIntegrityLabel(HANDLE handle, SE_OBJECT_TYPE type,
68 const wchar_t* ace_access,
69 const wchar_t* integrity_level_sid);
71 // Sets the integrity level on a token. This is only valid on Vista. It returns
72 // without failing on XP. If the integrity level that you specify is greater
73 // than the current integrity level, the function will fail.
74 DWORD SetTokenIntegrityLevel(HANDLE token, IntegrityLevel integrity_level);
76 // Returns the integrity level SDDL string associated with a given
77 // IntegrityLevel value.
78 const wchar_t* GetIntegrityLevelString(IntegrityLevel integrity_level);
80 // Sets the integrity level on the current process on Vista. It returns without
81 // failing on XP. If the integrity level that you specify is greater than the
82 // current integrity level, the function will fail.
83 DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level);
85 // Hardens the integrity level policy on a token. This is only valid on Win 7
86 // and above. Specifically it sets the policy to block read and execute so
87 // that a lower privileged process cannot open the token for impersonate or
88 // duplicate permissions. This should limit potential security holes.
89 DWORD HardenTokenIntegrityLevelPolicy(HANDLE token);
91 // Hardens the integrity level policy on the current process. This is only
92 // valid on Win 7 and above. Specifically it sets the policy to block read
93 // and execute so that a lower privileged process cannot open the token for
94 // impersonate or duplicate permissions. This should limit potential security
95 // holes.
96 DWORD HardenProcessIntegrityLevelPolicy();
98 } // namespace sandbox
100 #endif // SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__