OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef SANDBOX_SRC_SANDBOX_POLICY_H_ | 5 #ifndef SANDBOX_SRC_SANDBOX_POLICY_H_ |
6 #define SANDBOX_SRC_SANDBOX_POLICY_H_ | 6 #define SANDBOX_SRC_SANDBOX_POLICY_H_ |
7 | 7 |
8 #include <string> | 8 #include <string> |
9 | 9 |
10 #include "base/basictypes.h" | 10 #include "base/basictypes.h" |
11 #include "sandbox/src/sandbox_types.h" | 11 #include "sandbox/src/sandbox_types.h" |
(...skipping 109 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
121 | 121 |
122 // Windows subsystems that can have specific rules. | 122 // Windows subsystems that can have specific rules. |
123 // Note: The process subsystem(SUBSY_PROCESS) does not evaluate the request | 123 // Note: The process subsystem(SUBSY_PROCESS) does not evaluate the request |
124 // exactly like the CreateProcess API does. See the comment at the top of | 124 // exactly like the CreateProcess API does. See the comment at the top of |
125 // process_thread_dispatcher.cc for more details. | 125 // process_thread_dispatcher.cc for more details. |
126 enum SubSystem { | 126 enum SubSystem { |
127 SUBSYS_FILES, // Creation and opening of files and pipes. | 127 SUBSYS_FILES, // Creation and opening of files and pipes. |
128 SUBSYS_NAMED_PIPES, // Creation of named pipes. | 128 SUBSYS_NAMED_PIPES, // Creation of named pipes. |
129 SUBSYS_PROCESS, // Creation of child processes. | 129 SUBSYS_PROCESS, // Creation of child processes. |
130 SUBSYS_REGISTRY, // Creation and opening of registry keys. | 130 SUBSYS_REGISTRY, // Creation and opening of registry keys. |
131 SUBSYS_SYNC, // Creation of named sync objects. | 131 SUBSYS_SYNC // Creation of named sync objects. |
132 SUBSYS_HANDLES // Duplication of handles to other processes. | |
133 }; | 132 }; |
134 | 133 |
135 // Allowable semantics when a rule is matched. | 134 // Allowable semantics when a rule is matched. |
136 enum Semantics { | 135 enum Semantics { |
137 FILES_ALLOW_ANY, // Allows open or create for any kind of access that | 136 FILES_ALLOW_ANY, // Allows open or create for any kind of access that |
138 // the file system supports. | 137 // the file system supports. |
139 FILES_ALLOW_READONLY, // Allows open or create with read access only. | 138 FILES_ALLOW_READONLY, // Allows open or create with read access only. |
140 FILES_ALLOW_QUERY, // Allows access to query the attributes of a file. | 139 FILES_ALLOW_QUERY, // Allows access to query the attributes of a file. |
141 FILES_ALLOW_DIR_ANY, // Allows open or create with directory semantics | 140 FILES_ALLOW_DIR_ANY, // Allows open or create with directory semantics |
142 // only. | 141 // only. |
143 HANDLES_DUP_ANY, // Allows duplicating handles opened with any | |
144 // access permissions. | |
145 NAMEDPIPES_ALLOW_ANY, // Allows creation of a named pipe. | 142 NAMEDPIPES_ALLOW_ANY, // Allows creation of a named pipe. |
146 PROCESS_MIN_EXEC, // Allows to create a process with minimal rights | 143 PROCESS_MIN_EXEC, // Allows to create a process with minimal rights |
147 // over the resulting process and thread handles. | 144 // over the resulting process and thread handles. |
148 // No other parameters besides the command line are | 145 // No other parameters besides the command line are |
149 // passed to the child process. | 146 // passed to the child process. |
150 PROCESS_ALL_EXEC, // Allows the creation of a process and return fill | 147 PROCESS_ALL_EXEC, // Allows the creation of a process and return fill |
151 // access on the returned handles. | 148 // access on the returned handles. |
152 // This flag can be used only when the main token of | 149 // This flag can be used only when the main token of |
153 // the sandboxed application is at least INTERACTIVE. | 150 // the sandboxed application is at least INTERACTIVE. |
154 EVENTS_ALLOW_ANY, // Allows the creation of an event with full access. | 151 EVENTS_ALLOW_ANY, // Allows the creation of an event with full access. |
(...skipping 25 matching lines...) Expand all Loading... |
180 // A NULL value for handle_name indicates all handles of the specified type. | 177 // A NULL value for handle_name indicates all handles of the specified type. |
181 // An empty string for handle_name indicates the handle is unnamed. | 178 // An empty string for handle_name indicates the handle is unnamed. |
182 virtual ResultCode AddKernelObjectToClose(const wchar_t* handle_type, | 179 virtual ResultCode AddKernelObjectToClose(const wchar_t* handle_type, |
183 const wchar_t* handle_name) = 0; | 180 const wchar_t* handle_name) = 0; |
184 }; | 181 }; |
185 | 182 |
186 } // namespace sandbox | 183 } // namespace sandbox |
187 | 184 |
188 | 185 |
189 #endif // SANDBOX_SRC_SANDBOX_POLICY_H_ | 186 #endif // SANDBOX_SRC_SANDBOX_POLICY_H_ |
OLD | NEW |