1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef SANDBOX_SRC_SECURITY_LEVEL_H_
6 #define SANDBOX_SRC_SECURITY_LEVEL_H_
7 
8 #include <stdint.h>
9 
10 namespace sandbox {
11 
// List of all the integrity levels supported in the sandbox. Integrity
// levels only exist on Windows Vista and later. The integrity level of the
// sandboxed process cannot be set higher than that of the broker itself.
enum IntegrityLevel {
  // Listed from the highest integrity level to the lowest; the numeric
  // value grows as the level drops.
  INTEGRITY_LEVEL_SYSTEM = 0,
  INTEGRITY_LEVEL_HIGH = 1,
  INTEGRITY_LEVEL_MEDIUM = 2,
  INTEGRITY_LEVEL_MEDIUM_LOW = 3,
  INTEGRITY_LEVEL_LOW = 4,
  INTEGRITY_LEVEL_BELOW_LOW = 5,
  INTEGRITY_LEVEL_UNTRUSTED = 6,
  // Sentinel, one past the last real level; not a valid integrity level.
  INTEGRITY_LEVEL_LAST = 7
};
25 
// The Token level specifies a set of security profiles designed to
// provide the bulk of the security of the sandbox.
28 //
29 //  TokenLevel                 |Restricting   |Deny Only       |Privileges|
30 //                             |Sids          |Sids            |          |
31 // ----------------------------|--------------|----------------|----------|
32 // USER_LOCKDOWN               | Null Sid     | All            | None     |
33 // ----------------------------|--------------|----------------|----------|
34 // USER_RESTRICTED             | RESTRICTED   | All            | Traverse |
35 // ----------------------------|--------------|----------------|----------|
36 // USER_LIMITED                | Users        | All except:    | Traverse |
37 //                             | Everyone     | Users          |          |
38 //                             | RESTRICTED   | Everyone       |          |
39 //                             |              | Interactive    |          |
40 // ----------------------------|--------------|----------------|----------|
41 // USER_INTERACTIVE            | Users        | All except:    | Traverse |
42 //                             | Everyone     | Users          |          |
43 //                             | RESTRICTED   | Everyone       |          |
44 //                             | Owner        | Interactive    |          |
45 //                             |              | Local          |          |
46 //                             |              | Authent-users  |          |
47 //                             |              | User           |          |
48 // ----------------------------|--------------|----------------|----------|
49 // USER_NON_ADMIN              | None         | All except:    | Traverse |
50 //                             |              | Users          |          |
51 //                             |              | Everyone       |          |
52 //                             |              | Interactive    |          |
53 //                             |              | Local          |          |
54 //                             |              | Authent-users  |          |
55 //                             |              | User           |          |
56 // ----------------------------|--------------|----------------|----------|
57 // USER_RESTRICTED_SAME_ACCESS | All          | None           | All      |
58 // ----------------------------|--------------|----------------|----------|
59 // USER_UNPROTECTED            | None         | None           | All      |
60 // ----------------------------|--------------|----------------|----------|
61 //
62 // The above restrictions are actually a transformation that is applied to
63 // the existing broker process token. The resulting token that will be
64 // applied to the target process depends both on the token level selected
65 // and on the broker token itself.
66 //
//  LOCKDOWN and RESTRICTED are designed to allow access to almost nothing
//  that has security associated with it, and they are the recommended
//  levels to run sandboxed code, especially if there is a chance that the
//  broker process might be started by a user that belongs to the
//  Administrators or Power Users groups: the less restrictive levels keep
//  much of whatever access that broker token already has.
enum TokenLevel {
  // Listed from most to least restrictive (see the table above).

  // Restricting SIDs: Null SID only. Every SID is deny-only. No privileges.
  USER_LOCKDOWN = 0,
  // Restricting SIDs: RESTRICTED only. Every SID is deny-only. Traverse
  // privilege only.
  USER_RESTRICTED = 1,
  // Restricting SIDs: Users, Everyone, RESTRICTED. All SIDs deny-only except
  // Users, Everyone and Interactive. Traverse privilege only.
  USER_LIMITED = 2,
  // Restricting SIDs: Users, Everyone, RESTRICTED, Owner. All SIDs deny-only
  // except Users, Everyone, Interactive, Local, Authenticated Users and
  // User. Traverse privilege only.
  USER_INTERACTIVE = 3,
  // No restricting SIDs. Same deny-only set as USER_INTERACTIVE. Traverse
  // privilege only.
  USER_NON_ADMIN = 4,
  // Every SID is also a restricting SID; nothing is deny-only; all
  // privileges are kept.
  USER_RESTRICTED_SAME_ACCESS = 5,
  // No restricting SIDs, no deny-only SIDs, all privileges: the broker
  // token passed through essentially unchanged.
  USER_UNPROTECTED = 6,
  // Sentinel, one past the last real level; not a valid token level.
  USER_LAST = 7
};
82 
83 // The Job level specifies a set of decreasing security profiles for the
84 // Job object that the target process will be placed into.
85 // This table summarizes the security associated with each level:
86 //
87 //  JobLevel        |General                            |Quota               |
88 //                  |restrictions                       |restrictions        |
89 // -----------------|---------------------------------- |--------------------|
90 // JOB_NONE         | No job is assigned to the         | None               |
91 //                  | sandboxed process.                |                    |
92 // -----------------|---------------------------------- |--------------------|
93 // JOB_UNPROTECTED  | None                              | *Kill on Job close.|
94 // -----------------|---------------------------------- |--------------------|
95 // JOB_INTERACTIVE  | *Forbid system-wide changes using |                    |
96 //                  |  SystemParametersInfo().          | *Kill on Job close.|
97 //                  | *Forbid the creation/switch of    |                    |
98 //                  |  Desktops.                        |                    |
99 //                  | *Forbids calls to ExitWindows().  |                    |
100 // -----------------|---------------------------------- |--------------------|
// JOB_LIMITED_USER | Same as JOB_INTERACTIVE plus:     | *One active process|
102 //                  | *Forbid changes to the display    |  limit.            |
103 //                  |  settings.                        | *Kill on Job close.|
104 // -----------------|---------------------------------- |--------------------|
// JOB_RESTRICTED   | Same as JOB_LIMITED_USER plus:    | *One active process|
106 //                  | * No read/write to the clipboard. |  limit.            |
107 //                  | * No access to User Handles that  | *Kill on Job close.|
108 //                  |   belong to other processes.      |                    |
109 //                  | * Forbid message broadcasts.      |                    |
110 //                  | * Forbid setting global hooks.    |                    |
111 //                  | * No access to the global atoms   |                    |
112 //                  |   table.                          |                    |
113 // -----------------|-----------------------------------|--------------------|
// JOB_LOCKDOWN     | Same as JOB_RESTRICTED            | *One active process|
115 //                  |                                   |  limit.            |
116 //                  |                                   | *Kill on Job close.|
117 //                  |                                   | *Kill on unhandled |
118 //                  |                                   |  exception.        |
119 //                  |                                   |                    |
// In the context of the above table, 'user handles' refers to the handles of
// windows, bitmaps, menus, etc. Files, threads and registry handles are
// kernel handles and are not affected by the job level settings.
enum JobLevel {
  // Numeric value increases as the restrictions decrease (see the table
  // above). Unlike IntegrityLevel and TokenLevel there is no _LAST sentinel.

  // Everything in JOB_RESTRICTED, plus the process is killed on an unhandled
  // exception.
  JOB_LOCKDOWN = 0,
  // Everything in JOB_LIMITED_USER, plus: no clipboard access, no access to
  // other processes' user handles, no message broadcasts, no global hooks,
  // no global atom table. One active process; kill on job close.
  JOB_RESTRICTED = 1,
  // Everything in JOB_INTERACTIVE, plus no changes to the display settings.
  // One active process; kill on job close.
  JOB_LIMITED_USER = 2,
  // No system-wide changes via SystemParametersInfo(), no desktop
  // creation/switching, no ExitWindows(). Kill on job close.
  JOB_INTERACTIVE = 3,
  // No UI restrictions; the only effect is kill on job close.
  JOB_UNPROTECTED = 4,
  // The sandboxed process is not placed in any job object, so none of the
  // restrictions or quotas above (kill on job close included) apply.
  JOB_NONE = 5
};
131 
// These flags correspond to various process-level mitigations (e.g. ASLR and
// DEP). Most are implemented via UpdateProcThreadAttribute() plus flags for
// the PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY attribute argument; documented
// here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686880
// Some mitigations are implemented directly by the sandbox or emulated to
// the greatest extent possible when not directly supported by the OS.
// Flags that are unsupported for the target OS will be silently ignored, so
// requesting a flag is no guarantee that the mitigation is actually in effect
// on a given OS version. Flags that are invalid for their application (pre or
// post startup) will return SBOX_ERROR_BAD_PARAMS.
typedef uint64_t MitigationFlags;

// Each mitigation occupies exactly one bit of a MitigationFlags mask, so
// flags are combined with bitwise OR. Bit positions are spelled out below.

// DEP, permanently on for the target process. Maps to
// PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE.
const MitigationFlags MITIGATION_DEP = 1ULL << 0;

// Permanently disables ATL thunk emulation under DEP. Only meaningful when
// MITIGATION_DEP is also passed. Maps to NOT passing
// PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE.
const MitigationFlags MITIGATION_DEP_NO_ATL_THUNK = 1ULL << 1;

// SEHOP: structured exception handler overwrite protection. Must be
// enabled before the process starts. Maps to
// PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE.
const MitigationFlags MITIGATION_SEHOP = 1ULL << 2;

// Force ASLR on every image loaded in the child process. Maps to
// PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON.
const MitigationFlags MITIGATION_RELOCATE_IMAGE = 1ULL << 3;

// Refuse to load DLLs that cannot be relocated (i.e. cannot support ASLR).
// Maps to
// PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS.
const MitigationFlags MITIGATION_RELOCATE_IMAGE_REQUIRED = 1ULL << 4;

// Terminate the process when the Windows heap detects corruption. Maps to
// PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON.
const MitigationFlags MITIGATION_HEAP_TERMINATE = 1ULL << 5;

// Bottom-up ASLR: a random lower bound becomes the minimum user address.
// Must be enabled before the process starts. For 32-bit processes this is
// only emulated, to a much smaller degree. Maps to
// PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON.
const MitigationFlags MITIGATION_BOTTOM_UP_ASLR = 1ULL << 6;

// Widen the bottom-up ASLR randomisation range to up to 1TB. Must be
// enabled before the process starts and together with
// MITIGATION_BOTTOM_UP_ASLR. Maps to
// PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON.
const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR = 1ULL << 7;

// Raise an exception immediately on any bad handle reference. Must be
// enabled after startup. Maps to
// PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON.
const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 1ULL << 8;

// Block all win32k system calls from the process. Maps to
// PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON.
const MitigationFlags MITIGATION_WIN32K_DISABLE = 1ULL << 9;

// Disable the legacy third-party extension points, i.e. the old hooking
// mechanisms:
//   - AppInit DLLs
//   - Winsock Layered Service Providers (LSPs)
//   - global Windows hooks (thread-targeted hooks are NOT covered)
//   - legacy Input Method Editors (IMEs)
// Maps to
// PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON.
const MitigationFlags MITIGATION_EXTENSION_POINT_DISABLE = 1ULL << 10;

// Prevent the process from loading non-system fonts into GDI. Maps to
// PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON.
const MitigationFlags MITIGATION_NONSYSTEM_FONT_DISABLE = 1ULL << 11;

// Set the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS; further
// directories can then be added through the Windows AddDllDirectory()
// function (http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515).
// Must be enabled after startup.
const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 1ULL << 32;

// Set the mandatory integrity level policy of the current process' token to
// No-Read-Up and No-Execute-Up, so that a lower-IL process cannot open the
// token for impersonation, duplication or assignment.
const MitigationFlags MITIGATION_HARDEN_TOKEN_IL_POLICY = 1ULL << 33;

// Block mapping of images that live on remote devices. Maps to
// PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON.
const MitigationFlags MITIGATION_IMAGE_LOAD_NO_REMOTE = 1ULL << 52;

// Block mapping of images that carry the low mandatory label. Maps to
// PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_ON.
const MitigationFlags MITIGATION_IMAGE_LOAD_NO_LOW_LABEL = 1ULL << 56;
222 
223 }  // namespace sandbox
224 
225 #endif  // SANDBOX_SRC_SECURITY_LEVEL_H_
226