1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "sandbox/src/acl.h"
#include <aclapi.h>
#include <sddl.h>
#include "base/logging.h"
namespace sandbox {
bool GetDefaultDacl(HANDLE token,
scoped_ptr<TOKEN_DEFAULT_DACL>* default_dacl) {
if (token == NULL)
return false;
DCHECK(default_dacl != NULL);
unsigned long length = 0;
::GetTokenInformation(token, TokenDefaultDacl, NULL, 0, &length);
if (length == 0) {
NOTREACHED();
return false;
}
TOKEN_DEFAULT_DACL* acl =
reinterpret_cast<TOKEN_DEFAULT_DACL*>(new char[length]);
default_dacl->reset(acl);
if (!::GetTokenInformation(token, TokenDefaultDacl, default_dacl->get(),
length, &length))
return false;
return true;
}
bool AddSidToDacl(const Sid& sid, ACL* old_dacl, ACCESS_MASK access,
ACL** new_dacl) {
EXPLICIT_ACCESS new_access = {0};
new_access.grfAccessMode = GRANT_ACCESS;
new_access.grfAccessPermissions = access;
new_access.grfInheritance = NO_INHERITANCE;
new_access.Trustee.pMultipleTrustee = NULL;
new_access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
new_access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
new_access.Trustee.ptstrName = reinterpret_cast<LPWSTR>(
const_cast<SID*>(sid.GetPSID()));
if (ERROR_SUCCESS != ::SetEntriesInAcl(1, &new_access, old_dacl, new_dacl))
return false;
return true;
}
bool AddSidToDefaultDacl(HANDLE token, const Sid& sid, ACCESS_MASK access) {
if (token == NULL)
return false;
scoped_ptr<TOKEN_DEFAULT_DACL> default_dacl;
if (!GetDefaultDacl(token, &default_dacl))
return false;
ACL* new_dacl = NULL;
if (!AddSidToDacl(sid, default_dacl->DefaultDacl, access, &new_dacl))
return false;
TOKEN_DEFAULT_DACL new_token_dacl = {0};
new_token_dacl.DefaultDacl = new_dacl;
BOOL ret = ::SetTokenInformation(token, TokenDefaultDacl, &new_token_dacl,
sizeof(new_token_dacl));
::LocalFree(new_dacl);
return (TRUE == ret);
}
bool AddUserSidToDefaultDacl(HANDLE token, ACCESS_MASK access) {
DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE;
TOKEN_USER* token_user = reinterpret_cast<TOKEN_USER*>(new BYTE[size]);
scoped_ptr<TOKEN_USER> token_user_ptr(token_user);
if (!::GetTokenInformation(token, TokenUser, token_user, size, &size))
return false;
return AddSidToDefaultDacl(token,
reinterpret_cast<SID*>(token_user->User.Sid),
access);
}
bool AddKnownSidToKernelObject(HANDLE object, const Sid& sid,
ACCESS_MASK access) {
PSECURITY_DESCRIPTOR descriptor = NULL;
PACL old_dacl = NULL;
PACL new_dacl = NULL;
if (ERROR_SUCCESS != ::GetSecurityInfo(object, SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION, NULL, NULL,
&old_dacl, NULL, &descriptor))
return false;
if (!AddSidToDacl(sid.GetPSID(), old_dacl, access, &new_dacl)) {
::LocalFree(descriptor);
return false;
}
DWORD result = ::SetSecurityInfo(object, SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION, NULL, NULL,
new_dacl, NULL);
::LocalFree(new_dacl);
::LocalFree(descriptor);
if (ERROR_SUCCESS != result)
return false;
return true;
}
} // namespace sandbox
|
