// Copyright 2022 The ChromiumOS Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

//! Sandbox policy presets, one per process type.
//!
//! Each preset describes how the `TargetPolicy` for that process is built:
//! token levels, integrity levels, job level, UI-limit exceptions, desktop /
//! window-station isolation and per-process rules. Every field that is looser
//! than the most restrictive setting carries a comment stating why it had to
//! be relaxed, so reviewers can tell a deliberate carve-out from drift.

use crate::IntegrityLevel;
use crate::JobLevel;
use crate::Semantics;
use crate::SubSystem;
use crate::TokenLevel;
use crate::JOB_OBJECT_UILIMIT_DESKTOP;
use crate::JOB_OBJECT_UILIMIT_DISPLAYSETTINGS;
use crate::JOB_OBJECT_UILIMIT_EXITWINDOWS;
use crate::JOB_OBJECT_UILIMIT_READCLIPBOARD;
use crate::JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS;
use crate::JOB_OBJECT_UILIMIT_WRITECLIPBOARD;

/// Describes how a sandbox `TargetPolicy` is constructed for one process type.
pub struct Policy {
    /// Token level the process is created with.
    pub initial_token_level: TokenLevel,
    /// Token level the process is lowered to after start-up (presumably
    /// applied by the sandbox once initialisation is done — confirm against
    /// the `TargetPolicy` builder).
    pub lockdown_token_level: TokenLevel,
    /// Integrity level the process is created with.
    pub integrity_level: IntegrityLevel,
    /// Integrity level applied later in the process lifetime.
    pub delayed_integrity_level: IntegrityLevel,
    /// Job-object restriction level.
    pub job_level: JobLevel,
    /// Bitmask of `JOB_OBJECT_UILIMIT_*` flags carved out of the UI
    /// restrictions the job level implies; `0` keeps all of them.
    pub ui_exceptions: u32,
    /// Whether the process runs on a separate desktop instead of the main
    /// (interactive) desktop.
    pub alternate_desktop: bool,
    /// Whether the process runs on a separate window station.
    pub alternate_winstation: bool,
    /// Additional per-subsystem rules added to the policy.
    pub exceptions: Vec<Rule>,
    /// Presumably names of DLLs to block from loading into the process —
    /// verify against the code that consumes this list.
    pub dll_blocklist: Vec<String>,
}

/// One sandbox rule to be added to the `TargetPolicy`.
pub struct Rule {
    /// Subsystem the rule applies to.
    pub subsystem: SubSystem,
    /// What the rule does for matching requests.
    pub semantics: Semantics,
    /// Pattern the rule matches against.
    pub pattern: String,
}

/// Policy for the main emulator process.
pub const MAIN: Policy = Policy {
    // Token levels and integrity levels needed for access to hypervisor APIs.
    initial_token_level: TokenLevel::USER_RESTRICTED_SAME_ACCESS,
    lockdown_token_level: TokenLevel::USER_RESTRICTED_NON_ADMIN,
    integrity_level: IntegrityLevel::INTEGRITY_LEVEL_MEDIUM,
    // Needed for access to audio APIs.
    delayed_integrity_level: IntegrityLevel::INTEGRITY_LEVEL_LOW,
    // Needed for access to UI APIs.
    job_level: JobLevel::JOB_LIMITED_USER,
    ui_exceptions: JOB_OBJECT_UILIMIT_READCLIPBOARD | JOB_OBJECT_UILIMIT_WRITECLIPBOARD,
    // Needed to display window on main desktop.
    // NOTE(review): staying on the main desktop and window station means this
    // process does not get the desktop-level UI isolation the other presets
    // have; the window requirement above is the justification.
    alternate_desktop: false,
    alternate_winstation: false,
    exceptions: Vec::new(),
    dll_blocklist: Vec::new(),
};

/// Policy for the metrics process.
pub const METRICS: Policy = Policy {
    // Needed for access to WinINet.
    initial_token_level: TokenLevel::USER_NON_ADMIN,
    lockdown_token_level: TokenLevel::USER_NON_ADMIN,
    integrity_level: IntegrityLevel::INTEGRITY_LEVEL_LOW,
    delayed_integrity_level: IntegrityLevel::INTEGRITY_LEVEL_LOW,
    job_level: JobLevel::JOB_LOCKDOWN,
    ui_exceptions: 0,
    alternate_desktop: true,
    alternate_winstation: true,
    exceptions: Vec::new(),
    dll_blocklist: Vec::new(),
};

/// Policy for a block device process.
pub const BLOCK: Policy = Policy {
    initial_token_level: TokenLevel::USER_RESTRICTED_NON_ADMIN,
    lockdown_token_level: TokenLevel::USER_LOCKDOWN,
    // INTEGRITY_LEVEL_MEDIUM needed to open disk file.
    integrity_level: IntegrityLevel::INTEGRITY_LEVEL_MEDIUM,
    delayed_integrity_level: IntegrityLevel::INTEGRITY_LEVEL_UNTRUSTED,
    job_level: JobLevel::JOB_LOCKDOWN,
    ui_exceptions: 0,
    alternate_desktop: true,
    alternate_winstation: true,
    exceptions: Vec::new(),
    dll_blocklist: Vec::new(),
};

/// Policy for the network process.
pub const NET: Policy = Policy {
    // Needed to connect to crash handler.
    initial_token_level: TokenLevel::USER_INTERACTIVE,
    lockdown_token_level: TokenLevel::USER_LOCKDOWN,
    // Process won't start below this level as loading ntdll will fail.
    integrity_level: IntegrityLevel::INTEGRITY_LEVEL_LOW,
    delayed_integrity_level: IntegrityLevel::INTEGRITY_LEVEL_UNTRUSTED,
    job_level: JobLevel::JOB_LOCKDOWN,
    ui_exceptions: 0,
    alternate_desktop: true,
    alternate_winstation: true,
    exceptions: Vec::new(),
    dll_blocklist: Vec::new(),
};

/// Policy for the slirp process.
pub const SLIRP: Policy = Policy {
    // Needed to connect to crash handler.
    initial_token_level: TokenLevel::USER_INTERACTIVE,
    // Needed for access to winsock.
    lockdown_token_level: TokenLevel::USER_LIMITED,
    // Needed for access to winsock.
    integrity_level: IntegrityLevel::INTEGRITY_LEVEL_LOW,
    delayed_integrity_level: IntegrityLevel::INTEGRITY_LEVEL_UNTRUSTED,
    job_level: JobLevel::JOB_LOCKDOWN,
    ui_exceptions: 0,
    alternate_desktop: true,
    alternate_winstation: true,
    exceptions: Vec::new(),
    dll_blocklist: Vec::new(),
};

/// Policy for the GPU process.
pub const GPU: Policy = Policy {
    initial_token_level: TokenLevel::USER_RESTRICTED_SAME_ACCESS,
    lockdown_token_level: TokenLevel::USER_RESTRICTED_NON_ADMIN,
    integrity_level: IntegrityLevel::INTEGRITY_LEVEL_MEDIUM,
    delayed_integrity_level: IntegrityLevel::INTEGRITY_LEVEL_LOW,
    // Needed for access to UI APIs.
    job_level: JobLevel::JOB_LIMITED_USER,
    // Needed for copy and paste. READ_CLIPBOARD/WRITE_CLIPBOARD are already implicit in
    // JOB_LIMITED_USER. It's not clear why these are needed for copy&paste, but verified that
    // removing any one of these UILIMITS breaks paste into the emulator.
    // NOTE(review): every flag listed here widens what the job allows beyond
    // JOB_LIMITED_USER; re-verify that all four are still required whenever
    // the paste path changes, and drop any that are not.
    ui_exceptions: JOB_OBJECT_UILIMIT_DESKTOP
        | JOB_OBJECT_UILIMIT_DISPLAYSETTINGS
        | JOB_OBJECT_UILIMIT_EXITWINDOWS
        | JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS,
    // Needed to display window on main desktop.
    // NOTE(review): as with MAIN, this forgoes desktop/window-station
    // isolation; the window requirement above is the justification.
    alternate_desktop: false,
    alternate_winstation: false,
    exceptions: Vec::new(),
    dll_blocklist: Vec::new(),
};

/// Policy for the sound process.
pub const SND: Policy = Policy {
    // Needed for CoInitializeEx.
    initial_token_level: TokenLevel::USER_RESTRICTED_SAME_ACCESS,
    // Needed for subsequent CoCreateInstance requests.
    lockdown_token_level: TokenLevel::USER_RESTRICTED_NON_ADMIN,
    // Needed for access to audio APIs.
    integrity_level: IntegrityLevel::INTEGRITY_LEVEL_LOW,
    delayed_integrity_level: IntegrityLevel::INTEGRITY_LEVEL_LOW,
    job_level: JobLevel::JOB_LOCKDOWN,
    ui_exceptions: 0,
    alternate_desktop: true,
    alternate_winstation: true,
    exceptions: Vec::new(),
    dll_blocklist: Vec::new(),
};