diff options
Diffstat (limited to 'sandbox/src/acl.cc')
| -rw-r--r-- | sandbox/src/acl.cc | 122 |
1 files changed, 122 insertions, 0 deletions
diff --git a/sandbox/src/acl.cc b/sandbox/src/acl.cc new file mode 100644 index 0000000..4869bb0 --- /dev/null +++ b/sandbox/src/acl.cc @@ -0,0 +1,122 @@ +// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "sandbox/src/acl.h" + +#include <aclapi.h> +#include <sddl.h> + +#include "base/logging.h" + +namespace sandbox { + +bool GetDefaultDacl(HANDLE token, + scoped_ptr_malloc<TOKEN_DEFAULT_DACL>* default_dacl) { + if (token == NULL) + return false; + + DCHECK(default_dacl != NULL); + + unsigned long length = 0; + ::GetTokenInformation(token, TokenDefaultDacl, NULL, 0, &length); + if (length == 0) { + NOTREACHED(); + return false; + } + + TOKEN_DEFAULT_DACL* acl = + reinterpret_cast<TOKEN_DEFAULT_DACL*>(malloc(length)); + default_dacl->reset(acl); + + if (!::GetTokenInformation(token, TokenDefaultDacl, default_dacl->get(), + length, &length)) + return false; + + return true; +} + +bool AddSidToDacl(const Sid& sid, ACL* old_dacl, ACCESS_MASK access, + ACL** new_dacl) { + EXPLICIT_ACCESS new_access = {0}; + new_access.grfAccessMode = GRANT_ACCESS; + new_access.grfAccessPermissions = access; + new_access.grfInheritance = NO_INHERITANCE; + + new_access.Trustee.pMultipleTrustee = NULL; + new_access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; + new_access.Trustee.TrusteeForm = TRUSTEE_IS_SID; + new_access.Trustee.ptstrName = reinterpret_cast<LPWSTR>( + const_cast<SID*>(sid.GetPSID())); + + if (ERROR_SUCCESS != ::SetEntriesInAcl(1, &new_access, old_dacl, new_dacl)) + return false; + + return true; +} + +bool AddSidToDefaultDacl(HANDLE token, const Sid& sid, ACCESS_MASK access) { + if (token == NULL) + return false; + + scoped_ptr_malloc<TOKEN_DEFAULT_DACL> default_dacl; + if (!GetDefaultDacl(token, &default_dacl)) + return false; + + ACL* new_dacl = NULL; + if (!AddSidToDacl(sid, default_dacl->DefaultDacl, access, &new_dacl)) + return false; + + TOKEN_DEFAULT_DACL new_token_dacl = {0}; + new_token_dacl.DefaultDacl = new_dacl; + + BOOL ret = ::SetTokenInformation(token, TokenDefaultDacl, &new_token_dacl, + sizeof(new_token_dacl)); + ::LocalFree(new_dacl); + return (TRUE == ret); +} + +bool AddUserSidToDefaultDacl(HANDLE token, ACCESS_MASK access) { + DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE; + TOKEN_USER* token_user = reinterpret_cast<TOKEN_USER*>(malloc(size)); + + scoped_ptr_malloc<TOKEN_USER> token_user_ptr(token_user); + + if (!::GetTokenInformation(token, TokenUser, token_user, size, &size)) + return false; + + return AddSidToDefaultDacl(token, + reinterpret_cast<SID*>(token_user->User.Sid), + access); +} + +bool AddKnownSidToKernelObject(HANDLE object, const Sid& sid, + ACCESS_MASK access) { + PSECURITY_DESCRIPTOR descriptor = NULL; + PACL old_dacl = NULL; + PACL new_dacl = NULL; + + if (ERROR_SUCCESS != ::GetSecurityInfo(object, SE_KERNEL_OBJECT, + DACL_SECURITY_INFORMATION, NULL, NULL, + &old_dacl, NULL, &descriptor)) + return false; + + if (!AddSidToDacl(sid.GetPSID(), old_dacl, access, &new_dacl)) { + ::LocalFree(descriptor); + return false; + } + + DWORD result = ::SetSecurityInfo(object, SE_KERNEL_OBJECT, + DACL_SECURITY_INFORMATION, NULL, NULL, + new_dacl, NULL); + + ::LocalFree(new_dacl); + ::LocalFree(descriptor); + + if (ERROR_SUCCESS != result) + return false; + + return true; +} + +} // namespace sandbox |