01_add_back_user_restricted_level.patch (3509B)
1 # HG changeset patch
2 # User Bob Owen <bobowencode@gmail.com>
3 # Date 1730471667 0
4 # Fri Nov 01 14:34:27 2024 +0000
5 Add back USER_RESTRICTED access token level
6
7 diff --git a/sandbox/win/src/restricted_token_utils.cc b/sandbox/win/src/restricted_token_utils.cc
8 --- a/sandbox/win/src/restricted_token_utils.cc
9 +++ b/sandbox/win/src/restricted_token_utils.cc
10 @@ -112,16 +112,23 @@ std::optional<base::win::AccessToken> Cr
11 restricted_token.AddRestrictingSid(*unique_restricted_sid);
12 }
13 // This token has to be able to create objects in BNO, it needs the
14 // current logon sid in the token to achieve this. You should also set the
15 // process to be low integrity level so it can't access object created by
16 // other processes.
17 restricted_token.AddRestrictingSidLogonSession();
18 break;
19 + case USER_RESTRICTED:
20 + restricted_token.AddUserSidForDenyOnly();
21 + restricted_token.AddRestrictingSid(base::win::WellKnownSid::kRestricted);
22 + if (unique_restricted_sid) {
23 + restricted_token.AddRestrictingSid(*unique_restricted_sid);
24 + }
25 + break;
26 case USER_LOCKDOWN:
27 remove_traverse_privilege = true;
28 restricted_token.AddUserSidForDenyOnly();
29 restricted_token.AddRestrictingSid(base::win::WellKnownSid::kNull);
30 if (unique_restricted_sid) {
31 restricted_token.AddRestrictingSid(*unique_restricted_sid);
32 }
33 break;
34 diff --git a/sandbox/win/src/security_level.h b/sandbox/win/src/security_level.h
35 --- a/sandbox/win/src/security_level.h
36 +++ b/sandbox/win/src/security_level.h
37
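Review bot: The new USER_RESTRICTED case carries no comment on what the resulting token can still open, while the USER_LIMITED case directly above it explains its logon-session SID and the low-integrity requirement. As written, the user SID is added deny-only and RESTRICTED (plus the optional unique SID) is the sole restricting SID, so the token should only pass access checks on objects whose DACL explicitly grants the RESTRICTED SID, and traverse is kept because remove_traverse_privilege is left false, unlike the USER_LOCKDOWN case below. Suggest adding above `restricted_token.AddUserSidForDenyOnly();` the comment `// RESTRICTED is the only restricting SID: access is limited to objects whose DACL explicitly grants it; traverse privilege is kept. Pair with a low integrity level as for USER_LIMITED.` The enclosing switch and function begin before and end after this hunk.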
@@ -38,16 +38,18 @@ enum IntegrityLevel {
38 // The Token level specifies a set of security profiles designed to
39 // provide the bulk of the security of sandbox.
40 //
41 // TokenLevel |Restricting |Deny Only |Privileges|
42 // |Sids |Sids | |
43 // ----------------------------|--------------|----------------|----------|
44 // USER_LOCKDOWN | Null Sid | All | None |
45 // ----------------------------|--------------|----------------|----------|
46 +// USER_RESTRICTED | RESTRICTED | All | Traverse |
47 +// ----------------------------|--------------|----------------|----------|
48 // USER_LIMITED | Users | All except: | Traverse |
49 // | Everyone | Users | |
50 // | RESTRICTED | Everyone | |
51 // | | Interactive | |
52 // ----------------------------|--------------|----------------|----------|
53 // USER_INTERACTIVE | Users | All except: | Traverse |
54 // | Everyone | Users | |
55 // | RESTRICTED | Everyone | |
56 @@ -75,16 +77,17 @@ enum IntegrityLevel {
57 // and on the broker token itself.
58 //
59 // The LOCKDOWN level is designed to allow access to almost nothing that has
60 // security associated with and they are the recommended levels to run sandboxed
61 // code specially if there is a chance that the broker is process might be
62 // started by a user that belongs to the Admins or power users groups.
63 enum TokenLevel {
64 USER_LOCKDOWN = 0,
65 + USER_RESTRICTED,
66 USER_LIMITED,
67 USER_INTERACTIVE,
68 USER_RESTRICTED_NON_ADMIN,
69 USER_RESTRICTED_SAME_ACCESS,
70 USER_UNPROTECTED,
71 USER_LAST
72 };