Mercurial > trustbridge
comparison cinst/nssstore_win.c @ 1029:6684e5012b7a
(issue98) Set integrity level to medium on restricted token and
evaluate it to determine if the process is elevated.
| author | Andre Heinecke <andre.heinecke@intevation.de> |
|---|---|
| date | Thu, 04 Sep 2014 11:00:55 +0200 |
| parents | 1743895b39b8 |
| children | 317ee9dc4684 |
comparison
equal
deleted
inserted
replaced
| 1028:461db8f903f5 | 1029:6684e5012b7a |
|---|---|
| 108 static HANDLE | 108 static HANDLE |
| 109 get_restricted_token() | 109 get_restricted_token() |
| 110 { | 110 { |
| 111 SAFER_LEVEL_HANDLE user_level = NULL; | 111 SAFER_LEVEL_HANDLE user_level = NULL; |
| 112 HANDLE retval = NULL; | 112 HANDLE retval = NULL; |
| 113 SID_IDENTIFIER_AUTHORITY medium_identifier = {SECURITY_MANDATORY_LABEL_AUTHORITY}; | |
| 114 PSID medium_sid = NULL; | |
| 115 TOKEN_MANDATORY_LABEL integrity_label; | |
| 116 | |
| 117 memset (&integrity_label, 0, sizeof (integrity_label)); | |
| 118 | |
| 113 if (!SaferCreateLevel(SAFER_SCOPEID_USER, | 119 if (!SaferCreateLevel(SAFER_SCOPEID_USER, |
| 114 SAFER_LEVELID_NORMALUSER, | 120 SAFER_LEVELID_NORMALUSER, |
| 115 SAFER_LEVEL_OPEN, &user_level, NULL)) | 121 SAFER_LEVEL_OPEN, &user_level, NULL)) |
| 116 { | 122 { |
| 117 PRINTLASTERROR ("Failed to create user level.\n"); | 123 PRINTLASTERROR ("Failed to create user level.\n"); |
| 119 } | 125 } |
| 120 | 126 |
| 121 if (!SaferComputeTokenFromLevel(user_level, NULL, &retval, 0, NULL)) | 127 if (!SaferComputeTokenFromLevel(user_level, NULL, &retval, 0, NULL)) |
| 122 { | 128 { |
| 123 SaferCloseLevel(user_level); | 129 SaferCloseLevel(user_level); |
| 130 return NULL; | |
| 131 } | |
| 132 | |
| 133 SaferCloseLevel(user_level); | |
| 134 | |
| 135 /* Set the SID to medium it will still be high otherwise. Even if | |
| 136 there is no high access allowed. */ | |
| 137 if (!AllocateAndInitializeSid(&medium_identifier, | |
| 138 1, | |
| 139 SECURITY_MANDATORY_MEDIUM_RID, | |
| 140 0, | |
| 141 0, | |
| 142 0, | |
| 143 0, | |
| 144 0, | |
| 145 0, | |
| 146 0, | |
| 147 &medium_sid)) | |
| 148 { | |
| 149 PRINTLASTERROR ("Failed to initialize sid.\n"); | |
| 150 return NULL; | |
| 151 } | |
| 152 | |
| 153 integrity_label.Label.Attributes = SE_GROUP_INTEGRITY; | |
| 154 integrity_label.Label.Sid = medium_sid; | |
| 155 | |
| 156 if (!SetTokenInformation(retval, | |
| 157 TokenIntegrityLevel, | |
| 158 &integrity_label, | |
| 159 sizeof(TOKEN_MANDATORY_LABEL))) | |
| 160 { | |
| 161 PRINTLASTERROR ("Failed to set token integrity.\n"); | |
| 124 return NULL; | 162 return NULL; |
| 125 } | 163 } |
| 126 | 164 |
| 127 return retval; | 165 return retval; |
| 128 } | 166 } |