added SSCLI 1.0
[windows-sources.git] / shared source / wpf / src / host / shimimpl / lorights.hxx
1 //------------------------------------------------------------------------
2 //
3 // Copyright (c) Microsoft Corporation. All rights reserved.
4 //
5 // Description:
6 // Implements the minimal set of interfaces required for
7 // the version-independent hosting shim.
8 //
9 // History:
10 // 2005/05/09 - [....]
11 // Created
12 // 2007/09/20-[....]
13 // Ported Windows->DevDiv. See SourcesHistory.txt.
15 //------------------------------------------------------------------------
17 #pragma once
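// Restricted-launch entry points. Only the prototypes are visible in this
// header, so the notes below describe the declared contract (types and SAL
// annotations); anything about behaviour is marked as an assumption.

// Takes no arguments and returns a BOOL.
// NOTE(review): presumably the policy decision on whether the host should
// relaunch itself with a reduced token -- confirm against the implementation.
BOOL ShouldProcessBeRestricted(void);

// lpwszCmdLine             - read-only command line for the process to start.
// pDisabledPrivileges      - array of dwDisabledPrivilegeCount entries.
// dwDisabledPrivilegeCount - element count of pDisabledPrivileges.
// NOTE(review): the command line is const here, while the CreateProcessW
// family may modify its command-line buffer in place; the implementation
// should copy it into a writable buffer, and should quote the executable
// path if it is passed without a separate application name -- confirm.
BOOL LaunchRestrictedProcess(__in LPCWSTR lpwszCmdLine,
                             __in_ecount(dwDisabledPrivilegeCount) PLUID_AND_ATTRIBUTES pDisabledPrivileges,
                             DWORD dwDisabledPrivilegeCount);

// ppDisabledPrivileges      - array of dwDisabledPrivilegesCount entries;
//                             despite the "pp" prefix this is a single-level
//                             pointer (PLUID_AND_ATTRIBUTES).
// dwDisabledPrivilegesCount - element count of ppDisabledPrivileges.
// NOTE(review): presumably TRUE means the current token no longer carries
// the listed privileges -- confirm. A caller that treats FALSE as "safe to
// continue unrestricted" would fail open.
BOOL IsCurrentProcessRestricted(__in_ecount(dwDisabledPrivilegesCount) PLUID_AND_ATTRIBUTES ppDisabledPrivileges,
                                DWORD dwDisabledPrivilegesCount);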
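// Well-known group SIDs handled by the restricted launch: the built-in
// Administrators and Power Users groups.
// NOTE(review): presumably these are the groups marked deny-only in the
// child token (see GetDisabledSids) -- confirm. Only these two groups are
// listed; membership in any other privileged group is not covered by this
// table.
const WELL_KNOWN_SID_TYPE g_disableSIDS[] = {
    WinBuiltinAdministratorsSid,
    WinBuiltinPowerUsersSid
};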
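// Privilege names, 18 in total, matching the declared array bound.
// NOTE(review): presumably each name is resolved to a LUID and removed from
// the restricted child's token (see GetDisabledPrivileges) -- confirm.
//
// This is a denylist: a privilege that is not named here stays in the child
// token whenever the parent holds it, including privileges introduced by
// later Windows releases. CreateRestrictedToken() also accepts
// DISABLE_MAX_PRIVILEGE, which drops every privilege except
// SeChangeNotifyPrivilege and does not depend on this list being complete.
//
// The bound is explicit: if an entry is removed without lowering 18, the
// trailing slots are initialised to NULL, so consumers must not assume that
// every element is a valid string.
const LPCWSTR g_ppwszPrivileges[18] = {
    SE_ASSIGNPRIMARYTOKEN_NAME,
    SE_BACKUP_NAME,
    SE_CREATE_GLOBAL_NAME,
    SE_CREATE_PERMANENT_NAME,
    SE_CREATE_TOKEN_NAME,
    SE_ENABLE_DELEGATION_NAME,
    SE_LOAD_DRIVER_NAME,
    SE_MACHINE_ACCOUNT_NAME,
    SE_REMOTE_SHUTDOWN_NAME,
    SE_RESTORE_NAME,
    SE_SECURITY_NAME,
    SE_SYSTEMTIME_NAME,
    SE_TAKE_OWNERSHIP_NAME,
    SE_TCB_NAME,
    SE_IMPERSONATE_NAME,
    SE_AUDIT_NAME,
    SE_DEBUG_NAME,
    SE_CREATE_PAGEFILE_NAME
};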
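// pDisabledSids / dwDisabledSidCount             - SID list and its length.
// pDisabledPrivileges / dwDisabledPrivilegeCount - privilege list and its length.
// NOTE(review): presumably TRUE means the current process token already
// reflects both lists -- confirm against the implementation.
// NOTE(review): both pointers are annotated plain __in although they are
// passed with element counts; LaunchRestrictedProcess in this header uses
// __in_ecount(count) for the same kind of argument, which lets static
// analysis check the bounds. Align the annotations together with the
// definition.
BOOL IsCurrentPresentationHostRestricted(__in PSID_AND_ATTRIBUTES pDisabledSids,
                                         __in DWORD dwDisabledSidCount,
                                         __in PLUID_AND_ATTRIBUTES pDisabledPrivileges,
                                         __in DWORD dwDisabledPrivilegeCount);

// Takes the SID list, the privilege list and the command line to start.
// NOTE(review): the DWORD result is presumably a Win32 error code
// (ERROR_SUCCESS on success) -- confirm. Callers should treat any failure as
// "child not started" rather than falling back to an unrestricted launch.
DWORD CreateRestrictedProcess(__in PSID_AND_ATTRIBUTES pDisabledSids,
                              __in DWORD dwDisabledSidCount,
                              __in PLUID_AND_ATTRIBUTES pDisabledPrivileges,
                              __in DWORD dwDisabledPrivilegeCount,
                              __in LPCWSTR lpwszCmdLine);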
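// Returns an array of SID_AND_ATTRIBUTES and its element count through the
// two out parameters.
// Call FreeSIDArray() when done with the returned data.
DWORD GetDisabledSids(__out PSID_AND_ATTRIBUTES *ppDisabledSids,
                      __out DWORD *pdwDisabledSidCount);

// Returns an array of LUID_AND_ATTRIBUTES and its element count through the
// two out parameters.
// NOTE(review): unlike GetDisabledSids, no release routine is named for the
// returned array; document who frees it and how.
DWORD GetDisabledPrivileges(__out PLUID_AND_ATTRIBUTES *ppDisabledPrivileges,
                            __out DWORD *pdwDisabledPrivlegeCount);

// sidType    - which well-known SID is requested.
// ppSid      - receives the SID pointer.
// pdwSidSize - in/out size value.
// NOTE(review): whether *ppSid is allocated by the callee or supplied by the
// caller, and the unit of *pdwSidSize, are not visible here -- confirm.
DWORD GetSid(__in WELL_KNOWN_SID_TYPE sidType,
             __out PSID *ppSid,
             __inout DWORD *pdwSidSize);

// hProcToken - token handle to query.
// pSid       - caller-supplied buffer of at least SECURITY_MAX_SID_SIZE bytes.
// No size argument is passed, so the callee cannot verify the buffer; every
// caller has to provide the full SECURITY_MAX_SID_SIZE.
DWORD GetUserSid(__in HANDLE hProcToken,
                 __out_bcount(SECURITY_MAX_SID_SIZE) PSID pSid);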
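// Token-verification helpers. Each takes a list read from a token plus an
// expected list, both with explicit element counts, and returns a BOOL.
// NOTE(review): presumably TRUE means the token matches the expected
// restrictions -- confirm the polarity before relying on it, since a caller
// that inverts it would accept an unrestricted token.

// pSids / dwSidCount                 - SID list to examine.
// pDisabledSids / dwDisabledSidCount - SIDs expected to be disabled.
BOOL CheckForDisabledSids(__in PSID_AND_ATTRIBUTES pSids,
                          __in DWORD dwSidCount,
                          __in PSID_AND_ATTRIBUTES pDisabledSids,
                          __in DWORD dwDisabledSidCount);

// pSids / dwSidCount                     - SID list to examine.
// pRestrictedSids / dwRestrictedSidCount - expected restricting SIDs.
// pUserSid                               - SID of the token user.
BOOL CheckForRestrictedSids(__in PSID_AND_ATTRIBUTES pSids,
                            __in DWORD dwSidCount,
                            __in PSID_AND_ATTRIBUTES pRestrictedSids,
                            __in DWORD dwRestrictedSidCount,
                            __in PSID pUserSid);

// pPrivileges / dwPrivilegeCount                 - privilege list to examine.
// pDisabledPrivileges / dwDisabledPrivilegeCount - privileges expected to be absent or disabled.
BOOL CheckForPrivileges(__in PLUID_AND_ATTRIBUTES pPrivileges,
                        __in DWORD dwPrivilegeCount,
                        __in PLUID_AND_ATTRIBUTES pDisabledPrivileges,
                        __in DWORD dwDisabledPrivilegeCount);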
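// hRestrictedToken - token to modify.
// ppSids / dwSids  - array of SID pointers and its length.
// dwAccess         - access value associated with those SIDs.
// NOTE(review): presumably grants dwAccess to each SID on the token's
// default DACL -- confirm. Callers should pass the narrowest access mask
// that the child needs.
DWORD AddSidsToToken(__in HANDLE hRestrictedToken,
                     __in PSID *ppSids,
                     __in DWORD dwSids,
                     __in DWORD dwAccess);

// ppSids / dwSids - array of SID pointers and its length.
// pAclSource      - existing ACL used as input.
// pAclDestination - receives the resulting ACL pointer.
// pcbDacl         - receives a byte count for the resulting ACL.
// AccessMask      - access mask for the new entries.
// AceFlags        - ACE flags for the new entries.
// NOTE(review): ownership of *pAclDestination (who frees it, and with which
// allocator) is not stated in this header -- document it.
BOOL SetSidsOnAcl(__in PSID *ppSids,
                  __in DWORD dwSids,
                  __in PACL pAclSource,
                  __out PACL *pAclDestination,
                  __out DWORD *pcbDacl,
                  __in DWORD AccessMask,
                  __in BYTE AceFlags);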
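// Diagnostic helpers, declared only when DEBUG evaluates to non-zero. Each
// one writes to the FILE stream passed as fLog.
// The output describes token groups, privileges and DACLs, so the log file
// should be treated as sensitive and these helpers kept out of release
// builds.
#if DEBUG

void GetAndPrintTokenInfo(__in FILE *fLog, __in HANDLE hToken);
void GetAndPrintTokenDefaultDacl(__in FILE *fLog, __in HANDLE hToken);

void PrintTokenInfo(__in FILE *fLog, __in PTOKEN_GROUPS_AND_PRIVILEGES pTokenGroups);
void PrintDACL(__in FILE *fLog, __in PACL pAcl);
void PrintSid(__in FILE *fLog, __in PSID pSid, __in LPCWSTR lpwszData, __in DWORD dwIndex);
void PrintPrivileges(__in FILE *fLog, __in PLUID_AND_ATTRIBUTES pTokenPrivileges, __in DWORD dwPrivilegeCount);

#endif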
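// Repeats the CreateRestrictedProcess declaration that appears earlier in
// this header, with identical parameters. The redeclaration is harmless to
// the compiler, but the two copies have to be kept in sync.
DWORD CreateRestrictedProcess(__in PSID_AND_ATTRIBUTES pDisabledSids,
                              __in DWORD dwDisabledSidCount,
                              __in PLUID_AND_ATTRIBUTES pDisabledPrivileges,
                              __in DWORD dwDisabledPrivilegeCount,
                              __in LPCWSTR lpwszCmdLine);

// Takes no arguments and returns a BOOL.
// NOTE(review): presumably reports whether the host process is running at
// high integrity level -- confirm, including what is returned when the
// integrity level cannot be queried.
BOOL IsPresentationHostHighIntegrity();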