Codebase Browser
chromium
Go to App

chromium/sandbox/win/src/restricted_token_utils.h 

// Copyright 2006-2008 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_WIN_SRC_RESTRICTED_TOKEN_UTILS_H_
#define SANDBOX_WIN_SRC_RESTRICTED_TOKEN_UTILS_H_

#include <optional>
#include "base/win/access_token.h"
#include "base/win/sid.h"
#include "base/win/windows_types.h"
#include "sandbox/win/src/restricted_token.h"
#include "sandbox/win/src/security_level.h"

// Contains the utility functions to be able to create restricted tokens based
// on a security profiles.

namespace sandbox {

// The type of the token returned by the CreateRestrictedToken API.
enum class TokenType { kImpersonation, kPrimary };

// Creates a restricted token from the current process' token. The parameter
// `security_level` determines how much the token is restricted.
// `token_type` determines if the token will be used as a primary or
// impersonation token.
//  `integrity level` set the token's integrity level.
// `lockdown_default_dacl` indicates the token's default DACL should be locked
// down to restrict what other process can open kernel resources created while
// running under the token.
// `unique_restricted_sid` indicates an optional restricted SID to add to the
// token's restricted SID list defined by `security_level`. This allows a
// sandbox process to be grant access to itself and its resources but not
// other sandboxed processes at the same security level.
// If the function succeeds, the return value is the restricted token. If it
// fails then the return value is empty.
std::optional<base::win::AccessToken> CreateRestrictedToken(
    TokenLevel security_level,
    IntegrityLevel integrity_level,
    TokenType token_type,
    bool lockdown_default_dacl,
    const std::optional<base::win::Sid>& unique_restricted_sid);

// Hardens the integrity level policy on a token. Specifically it sets the
// policy to block read and execute so that a lower privileged process cannot
// open the token for impersonate or duplicate permissions. This should limit
// potential security holes.
// `token` must be a token with READ_CONTROL and WRITE_OWNER access.
// If the function succeeds, the return value is ERROR_SUCCESS. If the
// function fails, the return value is the win32 error code corresponding to
// the error.
DWORD HardenTokenIntegrityLevelPolicy(const base::win::AccessToken& token);

}  // namespace sandbox

#endif  // SANDBOX_WIN_SRC_RESTRICTED_TOKEN_UTILS_H_