sandbox/win/src/filesystem_policy.h

   1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef SANDBOX_SRC_FILESYSTEM_POLICY_H__
   6 #define SANDBOX_SRC_FILESYSTEM_POLICY_H__
   7
   8 #include <string>
   9
  10 #include "base/basictypes.h"
  11 #include "sandbox/win/src/crosscall_server.h"
  12 #include "sandbox/win/src/nt_internals.h"
  13 #include "sandbox/win/src/policy_low_level.h"
  14 #include "sandbox/win/src/sandbox_policy.h"
  15
  16 namespace sandbox {
  17
  18 enum EvalResult;
  19
  20 // This class centralizes most of the knowledge related to file system policy
  21 class FileSystemPolicy {
  22  public:
  23   // Creates the required low-level policy rules to evaluate a high-level
  24   // policy rule for File IO, in particular open or create actions.
  25   // 'name' is the file or directory name.
  26   // 'semantics' is the desired semantics for the open or create.
  27   // 'policy' is the policy generator to which the rules are going to be added.
  28   static bool GenerateRules(const wchar_t* name,
  29                             TargetPolicy::Semantics semantics,
  30                             LowLevelPolicy* policy);
  31
  32   // Add basic file system rules.
  33   static bool SetInitialRules(LowLevelPolicy* policy);
  34
  35   // Performs the desired policy action on a create request with an
  36   // API that is compatible with the IPC-received parameters.
  37   // 'client_info' : the target process that is making the request.
  38   // 'eval_result' : The desired policy action to accomplish.
  39   // 'file' : The target file or directory.
  40   static bool CreateFileAction(EvalResult eval_result,
  41                                const ClientInfo& client_info,
  42                                const std::wstring &file,
  43                                uint32 attributes,
  44                                uint32 desired_access,
  45                                uint32 file_attributes,
  46                                uint32 share_access,
  47                                uint32 create_disposition,
  48                                uint32 create_options,
  49                                HANDLE* handle,
  50                                NTSTATUS* nt_status,
  51                                ULONG_PTR* io_information);
  52
  53   // Performs the desired policy action on an open request with an
  54   // API that is compatible with the IPC-received parameters.
  55   // 'client_info' : the target process that is making the request.
  56   // 'eval_result' : The desired policy action to accomplish.
  57   // 'file' : The target file or directory.
  58   static bool OpenFileAction(EvalResult eval_result,
  59                              const ClientInfo& client_info,
  60                              const std::wstring &file,
  61                              uint32 attributes,
  62                              uint32 desired_access,
  63                              uint32 share_access,
  64                              uint32 open_options,
  65                              HANDLE* handle,
  66                              NTSTATUS* nt_status,
  67                              ULONG_PTR* io_information);
  68
  69   // Performs the desired policy action on a query request with an
  70   // API that is compatible with the IPC-received parameters.
  71   static bool QueryAttributesFileAction(EvalResult eval_result,
  72                                         const ClientInfo& client_info,
  73                                         const std::wstring &file,
  74                                         uint32 attributes,
  75                                         FILE_BASIC_INFORMATION* file_info,
  76                                         NTSTATUS* nt_status);
  77
  78   // Performs the desired policy action on a query request with an
  79   // API that is compatible with the IPC-received parameters.
  80   static bool QueryFullAttributesFileAction(
  81       EvalResult eval_result,
  82       const ClientInfo& client_info,
  83       const std::wstring &file,
  84       uint32 attributes,
  85       FILE_NETWORK_OPEN_INFORMATION* file_info,
  86       NTSTATUS* nt_status);
  87
  88   // Performs the desired policy action on a set_info request with an
  89   // API that is compatible with the IPC-received parameters.
  90   static bool SetInformationFileAction(EvalResult eval_result,
  91                                        const ClientInfo& client_info,
  92                                        HANDLE target_file_handle,
  93                                        void* file_info,
  94                                        uint32 length,
  95                                        uint32 info_class,
  96                                        IO_STATUS_BLOCK* io_block,
  97                                        NTSTATUS* nt_status);
  98 };
  99
 100 // Expands the path and check if it's a reparse point. Returns false if
 101 // we cannot determine or if there is an unexpected error. In that case
 102 // the path cannot be trusted.
 103 bool PreProcessName(const std::wstring& path, std::wstring* new_path);
 104
 105 }  // namespace sandbox
 106
 107 #endif  // SANDBOX_SRC_FILESYSTEM_POLICY_H__