Move Windows sandbox

- Move Windows sandbox to sandbox/win
- Update sandbox_win.gypi

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@146625 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 190 insertions, 0 deletions

diff --git a/sandbox/win/src/sandbox_policy.h b/sandbox/win/src/sandbox_policy.h
new file mode 100644
index 0000000..288adc45
--- /dev/null
+++ b/sandbox/win/src/sandbox_policy.h
@@ -0,0 +1,190 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_SRC_SANDBOX_POLICY_H_
+#define SANDBOX_SRC_SANDBOX_POLICY_H_
+
+#include <string>
+
+#include "base/basictypes.h"
+#include "sandbox/src/sandbox_types.h"
+#include "sandbox/src/security_level.h"
+
+namespace sandbox {
+
+class TargetPolicy {
+ public:
+  // Windows subsystems that can have specific rules.
+  // Note: The process subsystem(SUBSY_PROCESS) does not evaluate the request
+  // exactly like the CreateProcess API does. See the comment at the top of
+  // process_thread_dispatcher.cc for more details.
+  enum SubSystem {
+    SUBSYS_FILES,             // Creation and opening of files and pipes.
+    SUBSYS_NAMED_PIPES,       // Creation of named pipes.
+    SUBSYS_PROCESS,           // Creation of child processes.
+    SUBSYS_REGISTRY,          // Creation and opening of registry keys.
+    SUBSYS_SYNC,              // Creation of named sync objects.
+    SUBSYS_HANDLES            // Duplication of handles to other processes.
+  };
+
+  // Allowable semantics when a rule is matched.
+  enum Semantics {
+    FILES_ALLOW_ANY,       // Allows open or create for any kind of access that
+                           // the file system supports.
+    FILES_ALLOW_READONLY,  // Allows open or create with read access only.
+    FILES_ALLOW_QUERY,     // Allows access to query the attributes of a file.
+    FILES_ALLOW_DIR_ANY,   // Allows open or create with directory semantics
+                           // only.
+    HANDLES_DUP_ANY,       // Allows duplicating handles opened with any
+                           // access permissions.
+    HANDLES_DUP_BROKER,    // Allows duplicating handles to the broker process.
+    NAMEDPIPES_ALLOW_ANY,  // Allows creation of a named pipe.
+    PROCESS_MIN_EXEC,      // Allows to create a process with minimal rights
+                           // over the resulting process and thread handles.
+                           // No other parameters besides the command line are
+                           // passed to the child process.
+    PROCESS_ALL_EXEC,      // Allows the creation of a process and return fill
+                           // access on the returned handles.
+                           // This flag can be used only when the main token of
+                           // the sandboxed application is at least INTERACTIVE.
+    EVENTS_ALLOW_ANY,      // Allows the creation of an event with full access.
+    EVENTS_ALLOW_READONLY, // Allows opening an even with synchronize access.
+    REG_ALLOW_READONLY,    // Allows readonly access to a registry key.
+    REG_ALLOW_ANY          // Allows read and write access to a registry key.
+  };
+
+  // Increments the reference count of this object. The reference count must
+  // be incremented if this interface is given to another component.
+  virtual void AddRef() = 0;
+
+  // Decrements the reference count of this object. When the reference count
+  // is zero the object is automatically destroyed.
+  // Indicates that the caller is done with this interface. After calling
+  // release no other method should be called.
+  virtual void Release() = 0;
+
+  // Sets the security level for the target process' two tokens.
+  // This setting is permanent and cannot be changed once the target process is
+  // spawned.
+  // initial: the security level for the initial token. This is the token that
+  //   is used by the process from the creation of the process until the moment
+  //   the process calls TargetServices::LowerToken() or the process calls
+  //   win32's ReverToSelf(). Once this happens the initial token is no longer
+  //   available and the lockdown token is in effect.
+  // lockdown: the security level for the token that comes into force after the
+  //   process calls TargetServices::LowerToken() or the process calls
+  //   ReverToSelf(). See the explanation of each level in the TokenLevel
+  //   definition.
+  // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise.
+  //   Returns false if the lockdown value is more permissive than the initial
+  //   value.
+  //
+  // Important: most of the sandbox-provided security relies on this single
+  // setting. The caller should strive to set the lockdown level as restricted
+  // as possible.
+  virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) = 0;
+
+  // Sets the security level of the Job Object to which the target process will
+  // belong. This setting is permanent and cannot be changed once the target
+  // process is spawned. The job controls the global security settings which
+  // can not be specified in the token security profile.
+  // job_level: the security level for the job. See the explanation of each
+  //   level in the JobLevel definition.
+  // ui_exceptions: specify what specific rights that are disabled in the
+  //   chosen job_level that need to be granted. Use this parameter to avoid
+  //   selecting the next permissive job level unless you need all the rights
+  //   that are granted in such level.
+  //   The exceptions can be specified as a combination of the following
+  //   constants:
+  // JOB_OBJECT_UILIMIT_HANDLES : grant access to all user-mode handles. These
+  //   include windows, icons, menus and various GDI objects. In addition the
+  //   target process can set hooks, and broadcast messages to other processes
+  //   that belong to the same desktop.
+  // JOB_OBJECT_UILIMIT_READCLIPBOARD : grant read-only access to the clipboard.
+  // JOB_OBJECT_UILIMIT_WRITECLIPBOARD : grant write access to the clipboard.
+  // JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS : allow changes to the system-wide
+  //   parameters as defined by the Win32 call SystemParametersInfo().
+  // JOB_OBJECT_UILIMIT_DISPLAYSETTINGS : allow programmatic changes to the
+  //  display settings.
+  // JOB_OBJECT_UILIMIT_GLOBALATOMS : allow access to the global atoms table.
+  // JOB_OBJECT_UILIMIT_DESKTOP : allow the creation of new desktops.
+  // JOB_OBJECT_UILIMIT_EXITWINDOWS : allow the call to ExitWindows().
+  //
+  // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise.
+  //
+  // Note: JOB_OBJECT_XXXX constants are defined in winnt.h and documented at
+  // length in:
+  //   http://msdn2.microsoft.com/en-us/library/ms684152.aspx
+  //
+  // Note: the recommended level is JOB_RESTRICTED or JOB_LOCKDOWN.
+  virtual ResultCode SetJobLevel(JobLevel job_level, uint32 ui_exceptions) = 0;
+
+  // Specifies the desktop on which the application is going to run. If the
+  // desktop does not exist, it will be created. If alternate_winstation is
+  // set to true, the desktop will be created on an alternate window station.
+  virtual ResultCode SetAlternateDesktop(bool alternate_winstation) = 0;
+
+  // Returns the name of the alternate desktop used. If an alternate window
+  // station is specified, the name is prepended by the window station name,
+  // followed by a backslash.
+  virtual std::wstring GetAlternateDesktop() const = 0;
+
+  // Precreates the desktop and window station, if any.
+  virtual ResultCode CreateAlternateDesktop(bool alternate_winstation) = 0;
+
+  // Destroys the desktop and windows station.
+  virtual void DestroyAlternateDesktop() = 0;
+
+  // Sets the integrity level of the process in the sandbox. Both the initial
+  // token and the main token will be affected by this. This is valid only
+  // on Vista. It is silently ignored on other OSes. If you set the integrity
+  // level to a level higher than your current level, the sandbox will fail
+  // to start.
+  virtual ResultCode SetIntegrityLevel(IntegrityLevel level) = 0;
+
+  // Sets the integrity level of the process in the sandbox. The integrity level
+  // will not take effect before you call LowerToken. User Interface Privilege
+  // Isolation is not affected by this setting and will remain off for the
+  // process in the sandbox.  This flag is valid on Vista only, it is silently
+  // ignored on other OSes.  If you set the integrity level to a level higher
+  // than your current level, the sandbox will fail to start.
+  virtual ResultCode SetDelayedIntegrityLevel(IntegrityLevel level) = 0;
+
+  // Sets the interceptions to operate in strict mode. By default, interceptions
+  // are performed in "relaxed" mode, where if something inside NTDLL.DLL is
+  // already patched we attempt to intercept it anyway. Setting interceptions
+  // to strict mode means that when we detect that the function is patched we'll
+  // refuse to perform the interception.
+  virtual void SetStrictInterceptions() = 0;
+
+  // Adds a policy rule effective for processes spawned using this policy.
+  // subsystem: One of the above enumerated windows subsystems.
+  // semantics: One of the above enumerated FileSemantics.
+  // pattern: A specific full path or a full path with wildcard patterns.
+  //   The valid wildcards are:
+  //   '*' : Matches zero or more character. Only one in series allowed.
+  //   '?' : Matches a single character. One or more in series are allowed.
+  // Examples:
+  //   "c:\\documents and settings\\vince\\*.dmp"
+  //   "c:\\documents and settings\\*\\crashdumps\\*.dmp"
+  //   "c:\\temp\\app_log_?????_chrome.txt"
+  virtual ResultCode AddRule(SubSystem subsystem, Semantics semantics,
+                             const wchar_t* pattern) = 0;
+
+  // Adds a dll that will be unloaded in the target process before it gets
+  // a chance to initialize itself. Typically, dlls that cause the target
+  // to crash go here.
+  virtual ResultCode AddDllToUnload(const wchar_t* dll_name) = 0;
+
+  // Adds a handle that will be closed in the target process after lockdown.
+  // A NULL value for handle_name indicates all handles of the specified type.
+  // An empty string for handle_name indicates the handle is unnamed.
+  virtual ResultCode AddKernelObjectToClose(const wchar_t* handle_type,
+                                            const wchar_t* handle_name) = 0;
+};
+
+}  // namespace sandbox
+
+
+#endif  // SANDBOX_SRC_SANDBOX_POLICY_H_