1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef SANDBOX_SRC_SECURITY_LEVEL_H_ 6 #define SANDBOX_SRC_SECURITY_LEVEL_H_ 7 8 #include <stdint.h> 9 10 namespace sandbox { 11 12 // List of all the integrity levels supported in the sandbox. 13 // The integrity level of the sandboxed process can't be set to a level higher 14 // than the broker process. 15 // 16 // Note: These levels map to SIDs under the hood. 17 // INTEGRITY_LEVEL_SYSTEM: "S-1-16-16384" System Mandatory Level 18 // INTEGRITY_LEVEL_HIGH: "S-1-16-12288" High Mandatory Level 19 // INTEGRITY_LEVEL_MEDIUM: "S-1-16-8192" Medium Mandatory Level 20 // INTEGRITY_LEVEL_MEDIUM_LOW: "S-1-16-6144" 21 // INTEGRITY_LEVEL_LOW: "S-1-16-4096" Low Mandatory Level 22 // INTEGRITY_LEVEL_BELOW_LOW: "S-1-16-2048" 23 // INTEGRITY_LEVEL_UNTRUSTED: "S-1-16-0" Untrusted Mandatory Level 24 // 25 // Not defined: "S-1-16-20480" Protected Process Mandatory Level 26 // Not defined: "S-1-16-28672" Secure Process Mandatory Level 27 enum IntegrityLevel { 28 INTEGRITY_LEVEL_SYSTEM, 29 INTEGRITY_LEVEL_HIGH, 30 INTEGRITY_LEVEL_MEDIUM, 31 INTEGRITY_LEVEL_MEDIUM_LOW, 32 INTEGRITY_LEVEL_LOW, 33 INTEGRITY_LEVEL_BELOW_LOW, 34 INTEGRITY_LEVEL_UNTRUSTED, 35 INTEGRITY_LEVEL_LAST 36 }; 37 38 // The Token level specifies a set of security profiles designed to 39 // provide the bulk of the security of sandbox. 40 // 41 // TokenLevel |Restricting |Deny Only |Privileges| 42 // |Sids |Sids | | 43 // ----------------------------|--------------|----------------|----------| 44 // USER_LOCKDOWN | Null Sid | All | None | 45 // ----------------------------|--------------|----------------|----------| 46 // USER_RESTRICTED | RESTRICTED | All | Traverse | 47 // ----------------------------|--------------|----------------|----------| 48 // USER_LIMITED | Users | All except: | Traverse | 49 // | Everyone | Users | | 50 // | RESTRICTED | Everyone | | 51 // | | Interactive | | 52 // ----------------------------|--------------|----------------|----------| 53 // USER_INTERACTIVE | Users | All except: | Traverse | 54 // | Everyone | Users | | 55 // | RESTRICTED | Everyone | | 56 // | Owner | Interactive | | 57 // | | Local | | 58 // | | Authent-users | | 59 // | | User | | 60 // ----------------------------|--------------|----------------|----------| 61 // USER_NON_ADMIN | None | All except: | Traverse | 62 // | | Users | | 63 // | | Everyone | | 64 // | | Interactive | | 65 // | | Local | | 66 // | | Authent-users | | 67 // | | User | | 68 // ----------------------------|--------------|----------------|----------| 69 // USER_RESTRICTED_SAME_ACCESS | All | None | All | 70 // ----------------------------|--------------|----------------|----------| 71 // USER_UNPROTECTED | None | None | All | 72 // ----------------------------|--------------|----------------|----------| 73 // 74 // The above restrictions are actually a transformation that is applied to 75 // the existing broker process token. The resulting token that will be 76 // applied to the target process depends both on the token level selected 77 // and on the broker token itself. 78 // 79 // The LOCKDOWN and RESTRICTED are designed to allow access to almost 80 // nothing that has security associated with and they are the recommended 81 // levels to run sandboxed code specially if there is a chance that the 82 // broker is process might be started by a user that belongs to the Admins 83 // or power users groups. 84 enum TokenLevel { 85 USER_LOCKDOWN = 0, 86 USER_RESTRICTED, 87 USER_LIMITED, 88 USER_INTERACTIVE, 89 USER_NON_ADMIN, 90 USER_RESTRICTED_SAME_ACCESS, 91 USER_UNPROTECTED, 92 USER_LAST 93 }; 94 95 // The Job level specifies a set of decreasing security profiles for the 96 // Job object that the target process will be placed into. 97 // This table summarizes the security associated with each level: 98 // 99 // JobLevel |General |Quota | 100 // |restrictions |restrictions | 101 // -----------------|---------------------------------- |--------------------| 102 // JOB_NONE | No job is assigned to the | None | 103 // | sandboxed process. | | 104 // -----------------|---------------------------------- |--------------------| 105 // JOB_UNPROTECTED | None | *Kill on Job close.| 106 // -----------------|---------------------------------- |--------------------| 107 // JOB_INTERACTIVE | *Forbid system-wide changes using | | 108 // | SystemParametersInfo(). | *Kill on Job close.| 109 // | *Forbid the creation/switch of | | 110 // | Desktops. | | 111 // | *Forbids calls to ExitWindows(). | | 112 // -----------------|---------------------------------- |--------------------| 113 // JOB_LIMITED_USER | Same as INTERACTIVE_USER plus: | *One active process| 114 // | *Forbid changes to the display | limit. | 115 // | settings. | *Kill on Job close.| 116 // -----------------|---------------------------------- |--------------------| 117 // JOB_RESTRICTED | Same as LIMITED_USER plus: | *One active process| 118 // | * No read/write to the clipboard. | limit. | 119 // | * No access to User Handles that | *Kill on Job close.| 120 // | belong to other processes. | | 121 // | * Forbid message broadcasts. | | 122 // | * Forbid setting global hooks. | | 123 // | * No access to the global atoms | | 124 // | table. | | 125 // -----------------|-----------------------------------|--------------------| 126 // JOB_LOCKDOWN | Same as RESTRICTED | *One active process| 127 // | | limit. | 128 // | | *Kill on Job close.| 129 // | | *Kill on unhandled | 130 // | | exception. | 131 // | | | 132 // In the context of the above table, 'user handles' refers to the handles of 133 // windows, bitmaps, menus, etc. Files, treads and registry handles are kernel 134 // handles and are not affected by the job level settings. 135 enum JobLevel { 136 JOB_LOCKDOWN = 0, 137 JOB_RESTRICTED, 138 JOB_LIMITED_USER, 139 JOB_INTERACTIVE, 140 JOB_UNPROTECTED, 141 JOB_NONE 142 }; 143 144 // These flags correspond to various process-level mitigations (eg. ASLR and 145 // DEP). Most are implemented via UpdateProcThreadAttribute() plus flags for 146 // the PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY attribute argument; documented 147 // here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686880 148 // Some mitigations are implemented directly by the sandbox or emulated to 149 // the greatest extent possible when not directly supported by the OS. 150 // Flags that are unsupported for the target OS will be silently ignored. 151 // Flags that are invalid for their application (pre or post startup) will 152 // return SBOX_ERROR_BAD_PARAMS. 153 typedef uint64_t MitigationFlags; 154 155 // Permanently enables DEP for the target process. Corresponds to 156 // PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE. 157 const MitigationFlags MITIGATION_DEP = 0x00000001; 158 159 // Permanently Disables ATL thunk emulation when DEP is enabled. Valid 160 // only when MITIGATION_DEP is passed. Corresponds to not passing 161 // PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE. 162 const MitigationFlags MITIGATION_DEP_NO_ATL_THUNK = 0x00000002; 163 164 // Enables Structured exception handling override prevention. Must be 165 // enabled prior to process start. Corresponds to 166 // PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE. 167 const MitigationFlags MITIGATION_SEHOP = 0x00000004; 168 169 // Forces ASLR on all images in the child process. In debug builds, must be 170 // enabled after startup. Corresponds to 171 // PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON . 172 const MitigationFlags MITIGATION_RELOCATE_IMAGE = 0x00000008; 173 174 // Refuses to load DLLs that cannot support ASLR. In debug builds, must be 175 // enabled after startup. Corresponds to 176 // PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS. 177 const MitigationFlags MITIGATION_RELOCATE_IMAGE_REQUIRED = 0x00000010; 178 179 // Terminates the process on Windows heap corruption. Coresponds to 180 // PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON. 181 const MitigationFlags MITIGATION_HEAP_TERMINATE = 0x00000020; 182 183 // Sets a random lower bound as the minimum user address. Must be 184 // enabled prior to process start. On 32-bit processes this is 185 // emulated to a much smaller degree. Corresponds to 186 // PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON. 187 const MitigationFlags MITIGATION_BOTTOM_UP_ASLR = 0x00000040; 188 189 // Increases the randomness range of bottom-up ASLR to up to 1TB. Must be 190 // enabled prior to process start and with MITIGATION_BOTTOM_UP_ASLR. 191 // Corresponds to 192 // PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON 193 const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR = 0x00000080; 194 195 // Immediately raises an exception on a bad handle reference. Must be 196 // enabled after startup. Corresponds to 197 // PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON. 198 const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100; 199 200 // Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional 201 // directories can be added via the Windows AddDllDirectory() function. 202 // http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515 203 // Must be enabled after startup. 204 const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000200; 205 206 // Changes the mandatory integrity level policy on the current process' token 207 // to enable no-read and no-execute up. This prevents a lower IL process from 208 // opening the process token for impersonate/duplicate/assignment. 209 const MitigationFlags MITIGATION_HARDEN_TOKEN_IL_POLICY = 0x00000400; 210 211 // Prevents the process from making Win32k calls. Corresponds to 212 // PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON. 213 // 214 // Applications linked to user32.dll or gdi32.dll make Win32k calls during 215 // setup, even if Win32k is not otherwise used. So they also need to add a rule 216 // with SUBSYS_WIN32K_LOCKDOWN and semantics FAKE_USER_GDI_INIT to allow the 217 // initialization to succeed. 218 const MitigationFlags MITIGATION_WIN32K_DISABLE = 0x00000800; 219 220 // Prevents certain built-in third party extension points from being used. 221 // - App_Init DLLs 222 // - Winsock Layered Service Providers (LSPs) 223 // - Global Windows Hooks (NOT thread-targeted hooks) 224 // - Legacy Input Method Editors (IMEs) 225 // I.e.: Disable legacy hooking mechanisms. Corresponds to 226 // PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON. 227 const MitigationFlags MITIGATION_EXTENSION_POINT_DISABLE = 0x00001000; 228 229 // Prevents the process from generating dynamic code or modifying executable 230 // code. Second option to allow thread-specific opt-out. 231 // - VirtualAlloc with PAGE_EXECUTE_* 232 // - VirtualProtect with PAGE_EXECUTE_* 233 // - MapViewOfFile with FILE_MAP_EXECUTE | FILE_MAP_WRITE 234 // - SetProcessValidCallTargets for CFG 235 // Corresponds to 236 // PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON and 237 // PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON_ALLOW_OPT_OUT. 238 const MitigationFlags MITIGATION_DYNAMIC_CODE_DISABLE = 0x00002000; 239 const MitigationFlags MITIGATION_DYNAMIC_CODE_DISABLE_WITH_OPT_OUT = 0x00004000; 240 // The following per-thread flag can be used with the 241 // ApplyMitigationsToCurrentThread API. Requires the above process mitigation 242 // to be set on the current process. 243 const MitigationFlags MITIGATION_DYNAMIC_CODE_OPT_OUT_THIS_THREAD = 0x00008000; 244 245 // Prevents the process from loading non-system fonts into GDI. 246 // Corresponds to 247 // PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON 248 const MitigationFlags MITIGATION_NONSYSTEM_FONT_DISABLE = 0x00010000; 249 250 // Prevents the process from loading binaries NOT signed by MS. 251 // Corresponds to 252 // PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON 253 const MitigationFlags MITIGATION_FORCE_MS_SIGNED_BINS = 0x00020000; 254 255 // Blocks mapping of images from remote devices. Corresponds to 256 // PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON. 257 const MitigationFlags MITIGATION_IMAGE_LOAD_NO_REMOTE = 0x00040000; 258 259 // Blocks mapping of images that have the low manditory label. Corresponds to 260 // PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_ON. 261 const MitigationFlags MITIGATION_IMAGE_LOAD_NO_LOW_LABEL = 0x00080000; 262 263 // Forces image load preference to prioritize the Windows install System32 264 // folder before dll load dir, application dir and any user dirs set. 265 // - Affects IAT resolution standard search path only, NOT direct LoadLibrary or 266 // executable search path. 267 // PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON. 268 const MitigationFlags MITIGATION_IMAGE_LOAD_PREFER_SYS32 = 0x00100000; 269 270 // Prevents hyperthreads from interfering with indirect branch predictions. 271 // (SPECTRE Variant 2 mitigation.) Corresponds to 272 // PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON. 273 const MitigationFlags MITIGATION_RESTRICT_INDIRECT_BRANCH_PREDICTION = 274 0x00200000; 275 276 // Begin Mozilla-added flags. 277 // Working down from the high bit to avoid conflict with new upstream flags. 278 279 // Disable Control Flow Guard. This may seem more like an anti-mitigation, but 280 // this flag allows code to make targeted changes to CFG to avoid bugs, while 281 // leaving it enabled in the common case. Corresponds to 282 // PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_ON. 283 const MitigationFlags MITIGATION_CONTROL_FLOW_GUARD_DISABLE = 0x80000000; 284 285 } // namespace sandbox 286 287 #endif // SANDBOX_SRC_SECURITY_LEVEL_H_ 288