Don't show supervised user as "already on this device" while they're being imported.
[chromium-blink-merge.git] / sandbox / win / src / acl.cc
blobf140c7e6c4f27715ecbe49adc993c24337cc660f
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "sandbox/win/src/acl.h"
7 #include <aclapi.h>
8 #include <sddl.h>
10 #include "base/logging.h"
12 namespace sandbox {
14 bool GetDefaultDacl(
15 HANDLE token,
16 scoped_ptr<TOKEN_DEFAULT_DACL, base::FreeDeleter>* default_dacl) {
17 if (token == NULL)
18 return false;
20 DCHECK(default_dacl != NULL);
22 unsigned long length = 0;
23 ::GetTokenInformation(token, TokenDefaultDacl, NULL, 0, &length);
24 if (length == 0) {
25 NOTREACHED();
26 return false;
29 TOKEN_DEFAULT_DACL* acl =
30 reinterpret_cast<TOKEN_DEFAULT_DACL*>(malloc(length));
31 default_dacl->reset(acl);
33 if (!::GetTokenInformation(token, TokenDefaultDacl, default_dacl->get(),
34 length, &length))
35 return false;
37 return true;
40 bool AddSidToDacl(const Sid& sid, ACL* old_dacl, ACCESS_MODE access_mode,
41 ACCESS_MASK access, ACL** new_dacl) {
42 EXPLICIT_ACCESS new_access = {0};
43 new_access.grfAccessMode = access_mode;
44 new_access.grfAccessPermissions = access;
45 new_access.grfInheritance = NO_INHERITANCE;
47 new_access.Trustee.pMultipleTrustee = NULL;
48 new_access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
49 new_access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
50 new_access.Trustee.ptstrName = reinterpret_cast<LPWSTR>(
51 const_cast<SID*>(sid.GetPSID()));
53 if (ERROR_SUCCESS != ::SetEntriesInAcl(1, &new_access, old_dacl, new_dacl))
54 return false;
56 return true;
59 bool AddSidToDefaultDacl(HANDLE token, const Sid& sid, ACCESS_MASK access) {
60 if (token == NULL)
61 return false;
63 scoped_ptr<TOKEN_DEFAULT_DACL, base::FreeDeleter> default_dacl;
64 if (!GetDefaultDacl(token, &default_dacl))
65 return false;
67 ACL* new_dacl = NULL;
68 if (!AddSidToDacl(sid, default_dacl->DefaultDacl, GRANT_ACCESS, access,
69 &new_dacl))
70 return false;
72 TOKEN_DEFAULT_DACL new_token_dacl = {0};
73 new_token_dacl.DefaultDacl = new_dacl;
75 BOOL ret = ::SetTokenInformation(token, TokenDefaultDacl, &new_token_dacl,
76 sizeof(new_token_dacl));
77 ::LocalFree(new_dacl);
78 return (TRUE == ret);
81 bool AddUserSidToDefaultDacl(HANDLE token, ACCESS_MASK access) {
82 DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE;
83 TOKEN_USER* token_user = reinterpret_cast<TOKEN_USER*>(malloc(size));
85 scoped_ptr<TOKEN_USER, base::FreeDeleter> token_user_ptr(token_user);
87 if (!::GetTokenInformation(token, TokenUser, token_user, size, &size))
88 return false;
90 return AddSidToDefaultDacl(token,
91 reinterpret_cast<SID*>(token_user->User.Sid),
92 access);
95 bool AddKnownSidToObject(HANDLE object, SE_OBJECT_TYPE object_type,
96 const Sid& sid, ACCESS_MODE access_mode,
97 ACCESS_MASK access) {
98 PSECURITY_DESCRIPTOR descriptor = NULL;
99 PACL old_dacl = NULL;
100 PACL new_dacl = NULL;
102 if (ERROR_SUCCESS != ::GetSecurityInfo(object, object_type,
103 DACL_SECURITY_INFORMATION, NULL, NULL,
104 &old_dacl, NULL, &descriptor))
105 return false;
107 if (!AddSidToDacl(sid.GetPSID(), old_dacl, access_mode, access, &new_dacl)) {
108 ::LocalFree(descriptor);
109 return false;
112 DWORD result = ::SetSecurityInfo(object, object_type,
113 DACL_SECURITY_INFORMATION, NULL, NULL,
114 new_dacl, NULL);
116 ::LocalFree(new_dacl);
117 ::LocalFree(descriptor);
119 if (ERROR_SUCCESS != result)
120 return false;
122 return true;
125 } // namespace sandbox