diff common/util.c @ 1029:6684e5012b7a
(issue98) Set integrity level to medium on restricted token and
evaluate it to determine if the process is elevated.
author | Andre Heinecke <andre.heinecke@intevation.de> |
---|---|
date | Thu, 04 Sep 2014 11:00:55 +0200 |
parents | 427e2e18b8c8 |
children | 1f23803e1f83 |
--- a/common/util.c Wed Sep 03 15:48:34 2014 +0200
+++ b/common/util.c Thu Sep 04 11:00:55 2014 +0200
@@ -406,6 +406,51 @@
 #endif
 
 bool
+has_high_integrity(HANDLE hToken)
+{
+ PTOKEN_MANDATORY_LABEL integrity_label = NULL;
+ DWORD integrity_level = 0,
+ size = 0;
+
+ if (hToken == NULL || hToken == INVALID_HANDLE_VALUE)
+ {
+ DEBUGPRINTF ("Invalid parameters.");
+ return false;
+ }
+
+ /* Get the required size */
+ if (!GetTokenInformation(hToken, TokenIntegrityLevel,
+ NULL, 0, &size) == ERROR_INSUFFICIENT_BUFFER)
+ {
+ PRINTLASTERROR ("Failed to get required size.\n");
+ return false;
+ }
+ integrity_label = (PTOKEN_MANDATORY_LABEL) LocalAlloc(0, size);
+ if (integrity_label == NULL)
+ {
+ ERRORPRINTF ("Failed to allocate label. \n");
+ return false;
+ }
+
+ if (!GetTokenInformation(hToken, TokenIntegrityLevel,
+ integrity_label, size, &size))
+ {
+ PRINTLASTERROR ("Failed to get integrity level.\n");
+ LocalFree(integrity_label);
+ return false;
+ }
+
+ /* Get the last integrity level */
+ integrity_level = *GetSidSubAuthority(integrity_label->Label.Sid,
+ (DWORD)(UCHAR)(*GetSidSubAuthorityCount(
+ integrity_label->Label.Sid) - 1));
+
+ LocalFree (integrity_label);
+
+ return integrity_level >= SECURITY_MANDATORY_HIGH_RID;
+}
+
+bool
 is_elevated()
 {
 bool ret = false;
@@ -423,6 +468,13 @@
 ret = elevation;
 }
 }
+ /* Elevation will be true and ElevationType TokenElevationTypeFull even
+ if the token is a user token created by SAFER so we additionally
+ check the integrity level of the token which will only be high in
+ the real elevated process and medium otherwise. */
+
+ ret = ret && has_high_integrity (hToken);
+
 if (hToken)
 CloseHandle (hToken);
 #endif
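Review bot: The failure check on the size probe in `has_high_integrity` can never fire. In `if (!GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &size) == ERROR_INSUFFICIENT_BUFFER)` the `!` yields 0 or 1, and that is compared with an error constant that is neither, so the `PRINTLASTERROR` branch is dead and a probe that fails for any other reason falls through with `size` still 0. The test should be on the last error: `if (GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &size) || GetLastError() != ERROR_INSUFFICIENT_BUFFER)`. As written the function appears to return false in that case only because the second call then fails, so the fail-closed result is incidental, not enforced by the check. Separately, `*GetSidSubAuthorityCount(...) - 1` becomes 255 after the casts if the count were 0, so an `IsValidSid` or non-zero-count guard before indexing would make the assumption explicit. The function is also added after an `#endif` at file scope, so please confirm outside the hunk that it is not compiled on non-Windows builds where `HANDLE` is undeclared.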
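Review bot: With `ret = ret && has_high_integrity (hToken);` any failure inside the integrity query (invalid handle, allocation failure, failed `GetTokenInformation`) is reported to callers as "not elevated", indistinguishable from a real medium-integrity token. If callers use `is_elevated()` to decide whether privileges must be dropped before starting a child process, which the commit message suggests but the hunk does not show, that is the unsafe direction for a false negative. I would state this in the comment, e.g. `/* A failed integrity query is treated as not elevated; callers that drop privileges based on this must handle that case. */`, and consider an `ERRORPRINTF` when `ret` was true but the query failed. The body of `is_elevated` starts and ends outside the hunk, so the token access rights it opens `hToken` with are not visible here.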