OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <aclapi.h> | 5 #include <aclapi.h> |
6 #include <sddl.h> | 6 #include <sddl.h> |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "sandbox/src/restricted_token_utils.h" | 9 #include "sandbox/src/restricted_token_utils.h" |
10 | 10 |
11 #include "base/logging.h" | 11 #include "base/logging.h" |
(...skipping 321 matching lines...)
333 HANDLE token_handle; | 333 HANDLE token_handle; |
334 if (!::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_DEFAULT, | 334 if (!::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_DEFAULT, |
335 &token_handle)) | 335 &token_handle)) |
336 return ::GetLastError(); | 336 return ::GetLastError(); |
337 | 337 |
338 base::win::ScopedHandle token(token_handle); | 338 base::win::ScopedHandle token(token_handle); |
339 | 339 |
340 return SetTokenIntegrityLevel(token.Get(), integrity_level); | 340 return SetTokenIntegrityLevel(token.Get(), integrity_level); |
341 } | 341 } |
342 | 342 |
343 DWORD SetObjectDenyRestrictedAndNull(HANDLE handle, SE_OBJECT_TYPE type) { | |
344 PSECURITY_DESCRIPTOR sec_desc = NULL; | |
345 PACL old_dacl = NULL; | |
346 | |
347 DWORD error = ::GetSecurityInfo(handle, type, DACL_SECURITY_INFORMATION, | |
348 NULL, NULL, &old_dacl, NULL, &sec_desc); | |
349 if (!error) { | |
350 Sid deny_sids[] = { Sid(WinNullSid), Sid(WinRestrictedCodeSid) }; | |
351 const int kDenySidsCount = sizeof(deny_sids) / sizeof(deny_sids[0]); | |
352 EXPLICIT_ACCESS deny_aces[kDenySidsCount]; | |
353 ::ZeroMemory(deny_aces, sizeof(deny_aces)); | |
354 | |
355 for (int i = 0; i < kDenySidsCount; ++i) { | |
356 deny_aces[i].grfAccessMode = DENY_ACCESS; | |
357 deny_aces[i].grfAccessPermissions = GENERIC_ALL; | |
358 deny_aces[i].grfInheritance = NO_INHERITANCE; | |
359 deny_aces[i].Trustee.TrusteeForm = TRUSTEE_IS_SID; | |
360 deny_aces[i].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP; | |
361 deny_aces[i].Trustee.ptstrName = | |
362 reinterpret_cast<LPWSTR>(const_cast<SID*>(deny_sids[i].GetPSID())); | |
363 } | |
364 | |
365 PACL new_dacl = NULL; | |
366 error = ::SetEntriesInAcl(kDenySidsCount, deny_aces, old_dacl, &new_dacl); | |
367 if (!error) { | |
368 error = ::SetSecurityInfo(handle, type, DACL_SECURITY_INFORMATION, | |
369 NULL, NULL, new_dacl, NULL); | |
370 ::LocalFree(new_dacl); | |
371 } | |
372 | |
373 ::LocalFree(sec_desc); | |
374 } | |
375 | |
376 return error; | |
377 } | |
378 | |
379 } // namespace sandbox | 343 } // namespace sandbox |