Don't show supervised user as "already on this device" while they're being imported.
[chromium-blink-merge.git] / sandbox / win / src / sandbox_policy.h
blob54bb2a909664a5eb9f7bf0519486db0ad9c82a9c
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
6 #define SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
8 #include <string>
10 #include "base/basictypes.h"
11 #include "base/strings/string16.h"
12 #include "sandbox/win/src/sandbox_types.h"
13 #include "sandbox/win/src/security_level.h"
15 namespace sandbox {
17 class TargetPolicy {
18 public:
19 // Windows subsystems that can have specific rules.
20 // Note: The process subsystem(SUBSY_PROCESS) does not evaluate the request
21 // exactly like the CreateProcess API does. See the comment at the top of
22 // process_thread_dispatcher.cc for more details.
23 enum SubSystem {
24 SUBSYS_FILES, // Creation and opening of files and pipes.
25 SUBSYS_NAMED_PIPES, // Creation of named pipes.
26 SUBSYS_PROCESS, // Creation of child processes.
27 SUBSYS_REGISTRY, // Creation and opening of registry keys.
28 SUBSYS_SYNC, // Creation of named sync objects.
29 SUBSYS_HANDLES, // Duplication of handles to other processes.
30 SUBSYS_WIN32K_LOCKDOWN // Win32K Lockdown related policy.
33 // Allowable semantics when a rule is matched.
34 enum Semantics {
35 FILES_ALLOW_ANY, // Allows open or create for any kind of access that
36 // the file system supports.
37 FILES_ALLOW_READONLY, // Allows open or create with read access only.
38 FILES_ALLOW_QUERY, // Allows access to query the attributes of a file.
39 FILES_ALLOW_DIR_ANY, // Allows open or create with directory semantics
40 // only.
41 HANDLES_DUP_ANY, // Allows duplicating handles opened with any
42 // access permissions.
43 HANDLES_DUP_BROKER, // Allows duplicating handles to the broker process.
44 NAMEDPIPES_ALLOW_ANY, // Allows creation of a named pipe.
45 PROCESS_MIN_EXEC, // Allows to create a process with minimal rights
46 // over the resulting process and thread handles.
47 // No other parameters besides the command line are
48 // passed to the child process.
49 PROCESS_ALL_EXEC, // Allows the creation of a process and return fill
50 // access on the returned handles.
51 // This flag can be used only when the main token of
52 // the sandboxed application is at least INTERACTIVE.
53 EVENTS_ALLOW_ANY, // Allows the creation of an event with full access.
54 EVENTS_ALLOW_READONLY, // Allows opening an even with synchronize access.
55 REG_ALLOW_READONLY, // Allows readonly access to a registry key.
56 REG_ALLOW_ANY, // Allows read and write access to a registry key.
57 FAKE_USER_GDI_INIT // Fakes user32 and gdi32 initialization. This can
58 // be used to allow the DLLs to load and initialize
59 // even if the process cannot access that subsystem.
62 // Increments the reference count of this object. The reference count must
63 // be incremented if this interface is given to another component.
64 virtual void AddRef() = 0;
66 // Decrements the reference count of this object. When the reference count
67 // is zero the object is automatically destroyed.
68 // Indicates that the caller is done with this interface. After calling
69 // release no other method should be called.
70 virtual void Release() = 0;
72 // Sets the security level for the target process' two tokens.
73 // This setting is permanent and cannot be changed once the target process is
74 // spawned.
75 // initial: the security level for the initial token. This is the token that
76 // is used by the process from the creation of the process until the moment
77 // the process calls TargetServices::LowerToken() or the process calls
78 // win32's ReverToSelf(). Once this happens the initial token is no longer
79 // available and the lockdown token is in effect. Using an initial token is
80 // not compatible with AppContainer, see SetAppContainer.
81 // lockdown: the security level for the token that comes into force after the
82 // process calls TargetServices::LowerToken() or the process calls
83 // ReverToSelf(). See the explanation of each level in the TokenLevel
84 // definition.
85 // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise.
86 // Returns false if the lockdown value is more permissive than the initial
87 // value.
89 // Important: most of the sandbox-provided security relies on this single
90 // setting. The caller should strive to set the lockdown level as restricted
91 // as possible.
92 virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) = 0;
94 // Returns the initial token level.
95 virtual TokenLevel GetInitialTokenLevel() const = 0;
97 // Returns the lockdown token level.
98 virtual TokenLevel GetLockdownTokenLevel() const = 0;
100 // Sets the security level of the Job Object to which the target process will
101 // belong. This setting is permanent and cannot be changed once the target
102 // process is spawned. The job controls the global security settings which
103 // can not be specified in the token security profile.
104 // job_level: the security level for the job. See the explanation of each
105 // level in the JobLevel definition.
106 // ui_exceptions: specify what specific rights that are disabled in the
107 // chosen job_level that need to be granted. Use this parameter to avoid
108 // selecting the next permissive job level unless you need all the rights
109 // that are granted in such level.
110 // The exceptions can be specified as a combination of the following
111 // constants:
112 // JOB_OBJECT_UILIMIT_HANDLES : grant access to all user-mode handles. These
113 // include windows, icons, menus and various GDI objects. In addition the
114 // target process can set hooks, and broadcast messages to other processes
115 // that belong to the same desktop.
116 // JOB_OBJECT_UILIMIT_READCLIPBOARD : grant read-only access to the clipboard.
117 // JOB_OBJECT_UILIMIT_WRITECLIPBOARD : grant write access to the clipboard.
118 // JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS : allow changes to the system-wide
119 // parameters as defined by the Win32 call SystemParametersInfo().
120 // JOB_OBJECT_UILIMIT_DISPLAYSETTINGS : allow programmatic changes to the
121 // display settings.
122 // JOB_OBJECT_UILIMIT_GLOBALATOMS : allow access to the global atoms table.
123 // JOB_OBJECT_UILIMIT_DESKTOP : allow the creation of new desktops.
124 // JOB_OBJECT_UILIMIT_EXITWINDOWS : allow the call to ExitWindows().
126 // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise.
128 // Note: JOB_OBJECT_XXXX constants are defined in winnt.h and documented at
129 // length in:
130 // http://msdn2.microsoft.com/en-us/library/ms684152.aspx
132 // Note: the recommended level is JOB_RESTRICTED or JOB_LOCKDOWN.
133 virtual ResultCode SetJobLevel(JobLevel job_level, uint32 ui_exceptions) = 0;
135 // Sets a hard limit on the size of the commit set for the sandboxed process.
136 // If the limit is reached, the process will be terminated with
137 // SBOX_FATAL_MEMORY_EXCEEDED (7012).
138 virtual ResultCode SetJobMemoryLimit(size_t memory_limit) = 0;
140 // Specifies the desktop on which the application is going to run. If the
141 // desktop does not exist, it will be created. If alternate_winstation is
142 // set to true, the desktop will be created on an alternate window station.
143 virtual ResultCode SetAlternateDesktop(bool alternate_winstation) = 0;
145 // Returns the name of the alternate desktop used. If an alternate window
146 // station is specified, the name is prepended by the window station name,
147 // followed by a backslash.
148 virtual base::string16 GetAlternateDesktop() const = 0;
150 // Precreates the desktop and window station, if any.
151 virtual ResultCode CreateAlternateDesktop(bool alternate_winstation) = 0;
153 // Destroys the desktop and windows station.
154 virtual void DestroyAlternateDesktop() = 0;
156 // Sets the integrity level of the process in the sandbox. Both the initial
157 // token and the main token will be affected by this. If the integrity level
158 // is set to a level higher than the current level, the sandbox will fail
159 // to start.
160 virtual ResultCode SetIntegrityLevel(IntegrityLevel level) = 0;
162 // Returns the initial integrity level used.
163 virtual IntegrityLevel GetIntegrityLevel() const = 0;
165 // Sets the integrity level of the process in the sandbox. The integrity level
166 // will not take effect before you call LowerToken. User Interface Privilege
167 // Isolation is not affected by this setting and will remain off for the
168 // process in the sandbox. If the integrity level is set to a level higher
169 // than the current level, the sandbox will fail to start.
170 virtual ResultCode SetDelayedIntegrityLevel(IntegrityLevel level) = 0;
172 // Sets the AppContainer to be used for the sandboxed process. Any capability
173 // to be enabled for the process should be added before this method is invoked
174 // (by calling SetCapability() as many times as needed).
175 // The desired AppContainer must be already installed on the system, otherwise
176 // launching the sandboxed process will fail. See BrokerServices for details
177 // about installing an AppContainer.
178 // Note that currently Windows restricts the use of impersonation within
179 // AppContainers, so this function is incompatible with the use of an initial
180 // token.
181 virtual ResultCode SetAppContainer(const wchar_t* sid) = 0;
183 // Sets a capability to be enabled for the sandboxed process' AppContainer.
184 virtual ResultCode SetCapability(const wchar_t* sid) = 0;
186 // Sets the LowBox token for sandboxed process. This is mutually exclusive
187 // with SetAppContainer method.
188 virtual ResultCode SetLowBox(const wchar_t* sid) = 0;
190 // Sets the mitigations enabled when the process is created. Most of these
191 // are implemented as attributes passed via STARTUPINFOEX. So they take
192 // effect before any thread in the target executes. The declaration of
193 // MitigationFlags is followed by a detailed description of each flag.
194 virtual ResultCode SetProcessMitigations(MitigationFlags flags) = 0;
196 // Returns the currently set mitigation flags.
197 virtual MitigationFlags GetProcessMitigations() = 0;
199 // Sets process mitigation flags that don't take effect before the call to
200 // LowerToken().
201 virtual ResultCode SetDelayedProcessMitigations(MitigationFlags flags) = 0;
203 // Returns the currently set delayed mitigation flags.
204 virtual MitigationFlags GetDelayedProcessMitigations() const = 0;
206 // Sets the interceptions to operate in strict mode. By default, interceptions
207 // are performed in "relaxed" mode, where if something inside NTDLL.DLL is
208 // already patched we attempt to intercept it anyway. Setting interceptions
209 // to strict mode means that when we detect that the function is patched we'll
210 // refuse to perform the interception.
211 virtual void SetStrictInterceptions() = 0;
213 // Set the handles the target process should inherit for stdout and
214 // stderr. The handles the caller passes must remain valid for the
215 // lifetime of the policy object. This only has an effect on
216 // Windows Vista and later versions. These methods accept pipe and
217 // file handles, but not console handles.
218 virtual ResultCode SetStdoutHandle(HANDLE handle) = 0;
219 virtual ResultCode SetStderrHandle(HANDLE handle) = 0;
221 // Adds a policy rule effective for processes spawned using this policy.
222 // subsystem: One of the above enumerated windows subsystems.
223 // semantics: One of the above enumerated FileSemantics.
224 // pattern: A specific full path or a full path with wildcard patterns.
225 // The valid wildcards are:
226 // '*' : Matches zero or more character. Only one in series allowed.
227 // '?' : Matches a single character. One or more in series are allowed.
228 // Examples:
229 // "c:\\documents and settings\\vince\\*.dmp"
230 // "c:\\documents and settings\\*\\crashdumps\\*.dmp"
231 // "c:\\temp\\app_log_?????_chrome.txt"
232 virtual ResultCode AddRule(SubSystem subsystem, Semantics semantics,
233 const wchar_t* pattern) = 0;
235 // Adds a dll that will be unloaded in the target process before it gets
236 // a chance to initialize itself. Typically, dlls that cause the target
237 // to crash go here.
238 virtual ResultCode AddDllToUnload(const wchar_t* dll_name) = 0;
240 // Adds a handle that will be closed in the target process after lockdown.
241 // A NULL value for handle_name indicates all handles of the specified type.
242 // An empty string for handle_name indicates the handle is unnamed.
243 virtual ResultCode AddKernelObjectToClose(const wchar_t* handle_type,
244 const wchar_t* handle_name) = 0;
246 // Adds a handle that will be shared with the target process.
247 // Returns the handle which was actually shared with the target. This is
248 // achieved by duplicating the handle to ensure that it is inheritable by
249 // the target. The caller should treat this as an opaque value.
250 virtual void* AddHandleToShare(HANDLE handle) = 0;
253 } // namespace sandbox
256 #endif // SANDBOX_WIN_SRC_SANDBOX_POLICY_H_