Mercurial > trustbridge
diff cinst/nssstore_win.c @ 1029:6684e5012b7a
(issue98) Set integrity level to medium on restricted token and
evaluate it to determine if the process is elevated.
| author | Andre Heinecke <andre.heinecke@intevation.de> |
|---|---|
| date | Thu, 04 Sep 2014 11:00:55 +0200 |
| parents | 1743895b39b8 |
| children | 317ee9dc4684 |
line wrap: on
line diff
--- a/cinst/nssstore_win.c Wed Sep 03 15:48:34 2014 +0200 +++ b/cinst/nssstore_win.c Thu Sep 04 11:00:55 2014 +0200 @@ -110,6 +110,12 @@ { SAFER_LEVEL_HANDLE user_level = NULL; HANDLE retval = NULL; + SID_IDENTIFIER_AUTHORITY medium_identifier = {SECURITY_MANDATORY_LABEL_AUTHORITY}; + PSID medium_sid = NULL; + TOKEN_MANDATORY_LABEL integrity_label; + + memset (&integrity_label, 0, sizeof (integrity_label)); + if (!SaferCreateLevel(SAFER_SCOPEID_USER, SAFER_LEVELID_NORMALUSER, SAFER_LEVEL_OPEN, &user_level, NULL)) @@ -124,6 +130,38 @@ return NULL; } + SaferCloseLevel(user_level); + + /* Set the SID to medium it will still be high otherwise. Even if + there is no high access allowed. */ + if (!AllocateAndInitializeSid(&medium_identifier, + 1, + SECURITY_MANDATORY_MEDIUM_RID, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + &medium_sid)) + { + PRINTLASTERROR ("Failed to initialize sid.\n"); + return NULL; + } + + integrity_label.Label.Attributes = SE_GROUP_INTEGRITY; + integrity_label.Label.Sid = medium_sid; + + if (!SetTokenInformation(retval, + TokenIntegrityLevel, + &integrity_label, + sizeof(TOKEN_MANDATORY_LABEL))) + { + PRINTLASTERROR ("Failed to set token integrity.\n"); + return NULL; + } + return retval; }