/*++
Copyright (c) 1997-2001 Microsoft Corporation
Module Name:
winsafer.h
Abstract:
This file implements the publicly exported functions, data types,
data structures, and definitions usable by programs that directly
interact with the Windows SAFER APIs.
--*/
#ifndef _WINSAFER_H
#define _WINSAFER_H
#include <guiddef.h>
#include <wincrypt.h>
;begin_both
#ifdef __cplusplus
extern "C" {
#endif
;end_both
//
// Opaque datatype for representing handles to Safer objects.
// Handles are produced by SaferCreateLevel / SaferIdentifyLevel and
// released with SaferCloseLevel (prototypes later in this header).
//
DECLARE_HANDLE(SAFER_LEVEL_HANDLE);

//
// Constants to represent scope with SaferCreateLevel and others.
// MACHINE and USER are the public scopes. REGISTRY is internal-only;
// presumably it is the scope whose root SaferiChangeRegistryScope
// (internal section below) redirects -- that function's comment calls
// it AUTHZSCOPEID_REGISTRY, a name this header does not define.
//
#define SAFER_SCOPEID_MACHINE 1
#define SAFER_SCOPEID_USER 2
;begin_internal
#define SAFER_SCOPEID_REGISTRY 3
;end_internal

//
// Pre-defined levels that can be used with SaferCreateLevel.
// The numeric values decrease from most trusted (FULLYTRUSTED) to
// least trusted (DISALLOWED == 0). Whether the implementation relies
// on that numeric ordering for comparisons is not visible here.
//
#define SAFER_LEVELID_FULLYTRUSTED 0x40000
#define SAFER_LEVELID_NORMALUSER 0x20000
#define SAFER_LEVELID_CONSTRAINED 0x10000
#define SAFER_LEVELID_UNTRUSTED 0x01000
#define SAFER_LEVELID_DISALLOWED 0x00000

//
// Flags to use when creating/opening a Level with SaferCreateLevel
// (its OpenFlags parameter). Only OPEN is public; DELETE and CREATE
// are internal-only. The three values are distinct bits.
//
#define SAFER_LEVEL_OPEN 1
;begin_internal
#define SAFER_LEVEL_DELETE 2
#define SAFER_LEVEL_CREATE 4
;end_internal

//
// Maximum string size.
// FRIENDLYNAME/DESCRIPTION size the WCHAR arrays of the identification
// structures below, so they count characters, not bytes (presumably
// including the terminator -- confirm). HASH_SIZE sizes the BYTE
// ImageHash[] arrays; a digest longer than 64 bytes cannot be carried.
//
#define SAFER_MAX_FRIENDLYNAME_SIZE 256
#define SAFER_MAX_DESCRIPTION_SIZE 256
#define SAFER_MAX_HASH_SIZE 64

//
// Flags to use with SaferComputeTokenFromLevel (its dwFlags parameter).
// Only the names are given here; what each one does to OutAccessToken
// is not described in this header -- confirm against the implementation.
//
#define SAFER_TOKEN_NULL_IF_EQUAL 0x00000001
#define SAFER_TOKEN_COMPARE_ONLY 0x00000002
#define SAFER_TOKEN_MAKE_INERT 0x00000004
#define SAFER_TOKEN_WANT_FLAGS 0x00000008

//
// Flags for specifying what criteria within SAFER_CODE_PROPERTIES to evaluate
// when finding code identity with SaferIdentifyLevel (dwCheckFlags).
// A criterion is evaluated only when the structure members it needs were
// supplied; otherwise it is silently ignored (see dwCheckFlags below).
// Callers that rely on a hash or Authenticode check must therefore also
// populate the members those checks need. Bit 0x00002 is not defined.
//
#define SAFER_CRITERIA_IMAGEPATH 0x00001
#define SAFER_CRITERIA_IMAGEHASH 0x00004
#define SAFER_CRITERIA_AUTHENTICODE 0x00008
#define SAFER_CRITERIA_URLZONE 0x00010
#define SAFER_CRITERIA_IMAGEPATH_NT 0x01000
//
// Code image information structure passed to SaferIdentifyLevel.
//
#include <pshpack8.h>
typedef struct _SAFER_CODE_PROPERTIES
{
    //
    // Must be initialized to be the size of this structure,
    // for the purposes of future/backwards compatibility.
    //
    DWORD cbSize;
    //
    // Must be initialized to the types of criteria that should
    // be considered when evaluating this structure. This can be
    // a combination of the SAFER_CRITERIA_xxxx flags. If not enough
    // of the structure elements needed to evaluate the criteria
    // types indicated were supplied, then some of those criteria
    // flags may be silently ignored. Specifying 0 for this value
    // will cause the entire structure's contents to be ignored.
    //
    // NOTE(review): because unsatisfiable criteria are dropped rather
    // than reported, the result alone does not tell the caller which
    // criteria actually contributed to the identified Level.
    //
    DWORD dwCheckFlags;
    //
    // Optionally specifies the fully-qualified path and filename
    // to be used for discrimination checks based on the path.
    // The ImagePath will additionally be used to open and read the
    // file to identify any other discrimination criteria that was
    // unsupplied in this structure.
    //
    // A path-only check (SAFER_CRITERIA_IMAGEPATH) classifies by where
    // the file lives, not by its contents. When hImageFileHandle is also
    // supplied, the handle is used instead of re-opening this path.
    //
    LPCWSTR ImagePath;
    //
    // Optionally specifies a file handle that has been opened to
    // code image with at least GENERIC_READ access. The handle will
    // be used instead of explicitly opening the file again to compute
    // other discrimination criteria that was unsupplied in this structure.
    //
    HANDLE hImageFileHandle;
    //
    // Optionally specifies the pre-determined Internet Explorer
    // security zone. These enums are defined within urlmon.h
    // For example: URLZONE_LOCAL_MACHINE, URLZONE_INTRANET,
    // URLZONE_TRUSTED, URLZONE_INTERNET, or URLZONE_UNTRUSTED.
    //
    DWORD UrlZoneId;
    //
    // Optionally specifies the pre-computed hash of the image.
    // The supplied hash is interpreted as being valid if ImageSize
    // is non-zero and dwImageHashSize is non-zero and HashAlgorithm
    // represents a valid hashing algorithm from wincrypt.h
    //
    // If the supplied hash fails to meet the conditions above, then
    // the hash will be automatically computed against:
    // 1) by using ImageSize and pByteBlock if both are non-zero.
    // 2) by using hImageFileHandle if it is non-null.
    // 3) by attempting to open ImagePath if it is non-null.
    //
    // ImageHash is SAFER_MAX_HASH_SIZE (64) bytes; dwImageHashSize is the
    // number of bytes actually used and must not exceed that. HashAlgorithm
    // is an ALG_ID such as CALG_MD5 (see SAFER_HASH_IDENTIFICATION below).
    //
    BYTE ImageHash[SAFER_MAX_HASH_SIZE];
    DWORD dwImageHashSize;
    LARGE_INTEGER ImageSize;
    ALG_ID HashAlgorithm;
    //
    // Optionally specifies a memory block of memory representing
    // the image for which the trust is being requested for. When
    // this member is specified, ImageSize must also be supplied.
    // ImageSize is the only length associated with pByteBlock, so it
    // must describe the block exactly.
    //
    LPBYTE pByteBlock;
    //
    // Optionally gives the arguments used for Authenticode signer
    // certificate verification. These arguments are supplied to the
    // WinVerifyTrust() API and control the user-interface prompting
    // to accept untrusted certificates. dwWVTUIChoice is presumably one
    // of the WinVerifyTrust UI-choice values -- confirm; a non-interactive
    // caller will want the choice that suppresses prompting.
    //
    HWND hWndParent;
    DWORD dwWVTUIChoice;
} SAFER_CODE_PROPERTIES, *PSAFER_CODE_PROPERTIES;
#include <poppack.h>
//
// Masks for the per-identity WinSafer flags: the dwSaferFlags member of
// the SAFER_*_IDENTIFICATION structures below, and the pdwSaferFlags
// output of SaferiSearchMatchingHashRules (internal section).
// Layout as visible from the values:
//   bits 31..24  SAFER_POLICY_JOBID_MASK   job id (CONSTRAINED = 0x04, UNTRUSTED = 0x03)
//   bit  16      SAFER_POLICY_ONLY_EXES
//   bit  17      SAFER_POLICY_SANDBOX_INERT
//   bits  7..0   SAFER_POLICY_UIFLAGS_MASK  UI flags (INFORMATION_PROMPT, OPTION_PROMPT)
// What ONLY_EXES and SANDBOX_INERT cause is not described in this header.
//
#define SAFER_POLICY_JOBID_MASK 0xFF000000
#define SAFER_POLICY_JOBID_CONSTRAINED 0x04000000
#define SAFER_POLICY_JOBID_UNTRUSTED 0x03000000
#define SAFER_POLICY_ONLY_EXES 0x00010000
#define SAFER_POLICY_SANDBOX_INERT 0x00020000
#define SAFER_POLICY_UIFLAGS_MASK 0x000000FF
#define SAFER_POLICY_UIFLAGS_INFORMATION_PROMPT 0x00000001
#define SAFER_POLICY_UIFLAGS_OPTION_PROMPT 0x00000002
//
// Information classes on the overall policy that can be queried
// with SaferSet/GetPolicyInformation and set at different
// policy scopes based on access of the caller.
// Values are sequential, starting at SaferPolicyLevelList = 1.
//
typedef enum _SAFER_POLICY_INFO_CLASS
{
    //
    // Accesses the list of all Levels defined in a policy.
    // The corresponding data element is a buffer that is filled
    // with multiple DWORDs, each representing the LevelIds that
    // are defined within this scope.
    //
    SaferPolicyLevelList = 1,
    //
    // Enables or disables transparent enforcement of policy in the
    // execution framework -- will be used by native code execution but
    // can be used by any policy enforcement environment.
    // Corresponding data element is a DWORD holding a Boolean value.
    //
    SaferPolicyEnableTransparentEnforcement,
    //
    // Returns the name of the Level that has been designated
    // as the default level within the specified scope.
    // The corresponding data element is a single DWORD buffer
    // representing the LevelId of the default Level. If no
    // level has been configured to be the default, then the
    // GetInfo API will return FALSE and GetLastError will
    // return ERROR_NOT_FOUND.
    //
    SaferPolicyDefaultLevel,
    //
    // Returns whether Code Identities or Default Level within the
    // user scope can be considered during identification.
    // The data element type is not stated here; presumably a DWORD
    // Boolean like SaferPolicyEnableTransparentEnforcement -- confirm.
    //
    SaferPolicyEvaluateUserScope,
    //
    // Control flags for the safer policy scope.
    // The data element type is not stated in this header.
    //
    SaferPolicyScopeFlags
} SAFER_POLICY_INFO_CLASS;
//
// Enumerations used for retrieving specific information about a
// single authorization Level via SaferGet/SetInformationFromLevel
// (declared below as SaferGetLevelInformation / SaferSetLevelInformation).
// Values are sequential, starting at SaferObjectLevelId = 1.
// Each entry notes the buffer type it uses and whether it is "get"
// only or "get/set"; only the get/set entries are expected to be
// accepted by the Set API.
//
typedef enum _SAFER_OBJECT_INFO_CLASS
{
    SaferObjectLevelId = 1, // get: DWORD
    SaferObjectScopeId, // get: DWORD
    SaferObjectFriendlyName, // get/set: LPCWSTR
    SaferObjectDescription, // get/set: LPCWSTR
    SaferObjectBuiltin, // get: DWORD boolean
    SaferObjectDisallowed, // get: DWORD boolean
    SaferObjectDisableMaxPrivilege, // get: DWORD boolean
    SaferObjectInvertDeletedPrivileges, // get: DWORD boolean
    SaferObjectDeletedPrivileges, // get: TOKEN_PRIVILEGES
    SaferObjectDefaultOwner, // get: TOKEN_OWNER
    SaferObjectSidsToDisable, // get: TOKEN_GROUPS
    SaferObjectRestrictedSidsInverted, // get: TOKEN_GROUPS
    SaferObjectRestrictedSidsAdded, // get: TOKEN_GROUPS
    //
    // To enumerate all identities, call GetInfo with
    // SaferObjectAllIdentificationGuids.
    // (SAFER_IDENTIFICATION_GUIDS is not declared in this header.)
    //
    SaferObjectAllIdentificationGuids, // get: SAFER_IDENTIFICATION_GUIDS
    //
    // To create a new identity, call SetInfo with
    // SaferObjectSingleIdentification with a new
    // unique GUID that you have generated.
    // To get details on a single identity, call GetInfo with
    // SaferObjectSingleIdentification with desired GUID.
    // To modify details of a single identity, call SetInfo with
    // SaferObjectSingleIdentification with desired info and GUID.
    // To delete an identity, call SetInfo with
    // SaferObjectSingleIdentification with the
    // header.dwIdentificationType set to 0.
    //
    // Note that 0 is the value of SaferIdentityDefault in
    // SAFER_IDENTIFICATION_TYPES, so a header left zero-initialized
    // is a delete request, not a "default" identity.
    //
    SaferObjectSingleIdentification, // get/set: SAFER_IDENTIFICATION_*
    SaferObjectExtendedError // get: DWORD dwError
} SAFER_OBJECT_INFO_CLASS;
//
// Structures and enums used by the SaferGet/SetLevelInformation APIs.
//
#include <pshpack8.h>
typedef enum _SAFER_IDENTIFICATION_TYPES
{
    //
    // Value 0. Also the "delete this identity" sentinel in
    // header.dwIdentificationType when SaferSetLevelInformation is
    // called with SaferObjectSingleIdentification (see SAFER_OBJECT_INFO_CLASS).
    //
    SaferIdentityDefault,
    SaferIdentityTypeImageName = 1, // SAFER_PATHNAME_IDENTIFICATION
    SaferIdentityTypeImageHash, // SAFER_HASH_IDENTIFICATION
    SaferIdentityTypeUrlZone, // SAFER_URLZONE_IDENTIFICATION
    SaferIdentityTypeCertificate // no matching structure is declared in this header
} SAFER_IDENTIFICATION_TYPES;
//
// Common header that starts every SAFER_*_IDENTIFICATION structure
// exchanged through SaferObjectSingleIdentification.
//
typedef struct _SAFER_IDENTIFICATION_HEADER
{
    //
    // indicates the type of the structure, one of SaferIdentityType*
    // (0 / SaferIdentityDefault requests deletion on a Set call).
    //
    SAFER_IDENTIFICATION_TYPES dwIdentificationType;
    //
    // size of the whole structure, not just the common header.
    // Each derived structure below states the sizeof() it must hold;
    // a consumer should check (dwIdentificationType, cbStructSize)
    // agree before interpreting the bytes that follow the header.
    //
    DWORD cbStructSize;
    //
    // the unique GUID of the Identity in question.
    //
    GUID IdentificationGuid;
    //
    // last change of this identification.
    //
    FILETIME lastModified;
} SAFER_IDENTIFICATION_HEADER, *PSAFER_IDENTIFICATION_HEADER;
//
// Identity rule that matches code by its path or file name.
//
typedef struct _SAFER_PATHNAME_IDENTIFICATION
{
    //
    // header.dwIdentificationType must be SaferIdentityTypeImageName
    // header.cbStructSize must be sizeof(SAFER_PATHNAME_IDENTIFICATION)
    //
    SAFER_IDENTIFICATION_HEADER header;
    //
    // user-entered description (fixed WCHAR array; presumably
    // NUL-terminated, so bound copies into it accordingly -- confirm)
    //
    WCHAR Description[SAFER_MAX_DESCRIPTION_SIZE];
    //
    // filepath or name, possibly with vars (presumably environment
    // variable references such as %USERPROFILE% -- confirm). This is a
    // pointer, not an embedded array; the structure carries no length
    // for it and does not specify who owns the pointed-to string.
    //
    PWCHAR ImageName;
    //
    // any combo of the SAFER_POLICY_* masks above (the original comment
    // says SAFER_POL_SAFERFLAGS_*, a name this header does not define)
    //
    DWORD dwSaferFlags;
} SAFER_PATHNAME_IDENTIFICATION, *PSAFER_PATHNAME_IDENTIFICATION;
//
// Identity rule that matches code by a digest of its contents.
//
typedef struct _SAFER_HASH_IDENTIFICATION
{
    //
    // header.dwIdentificationType must be SaferIdentityTypeImageHash
    // header.cbStructSize must be sizeof(SAFER_HASH_IDENTIFICATION)
    //
    SAFER_IDENTIFICATION_HEADER header;
    //
    // user-entered friendly name, initially from file's resources.
    //
    // NOTE(review): the original comments on Description and FriendlyName
    // look swapped relative to SAFER_PATHNAME_IDENTIFICATION, where
    // Description is "user-entered description"; verify against the
    // implementation before relying on either.
    //
    WCHAR Description[SAFER_MAX_DESCRIPTION_SIZE];
    //
    // user-entered description.
    //
    WCHAR FriendlyName[SAFER_MAX_FRIENDLYNAME_SIZE];
    //
    // amount of ImageHash actually used, in bytes (MD5 is 16 bytes).
    // Must not exceed SAFER_MAX_HASH_SIZE.
    //
    DWORD HashSize;
    //
    // computed hash data itself.
    //
    BYTE ImageHash[SAFER_MAX_HASH_SIZE];
    //
    // algorithm in which the hash was computed (CALG_MD5, etc).
    //
    ALG_ID HashAlgorithm;
    //
    // size of the original file in bytes.
    //
    LARGE_INTEGER ImageSize;
    //
    // any combo of the SAFER_POLICY_* masks above (the original comment
    // says SAFER_POL_SAFERFLAGS_*, a name this header does not define)
    //
    DWORD dwSaferFlags;
} SAFER_HASH_IDENTIFICATION, *PSAFER_HASH_IDENTIFICATION;
//
// Identity rule that matches code by the Internet Explorer security
// zone it came from.
//
typedef struct _SAFER_URLZONE_IDENTIFICATION
{
    //
    // header.dwIdentificationType must be SaferIdentityTypeUrlZone
    // header.cbStructSize must be sizeof(SAFER_URLZONE_IDENTIFICATION)
    //
    SAFER_IDENTIFICATION_HEADER header;
    //
    // any single URLZONE_* from urlmon.h
    //
    DWORD UrlZoneId;
    //
    // any combo of SAFER_POLICY_*
    //
    DWORD dwSaferFlags;
} SAFER_URLZONE_IDENTIFICATION, *PSAFER_URLZONE_IDENTIFICATION;
#include <poppack.h>
//
// Functions related to querying and setting the global policy
// controls to disable transparent enforcement, and perform level
// enumeration operations.
//

//
// SaferGetPolicyInformation
//
// Queries one SAFER_POLICY_INFO_CLASS item of the policy in a scope.
//   dwScopeId            - SAFER_SCOPEID_MACHINE or SAFER_SCOPEID_USER
//                          (SAFER_SCOPEID_REGISTRY is internal-only).
//   SaferPolicyInfoClass - which item; the data element's shape for each
//                          class is described on the enum above.
//   InfoBufferSize       - size of InfoBuffer (presumably in bytes -- confirm).
//   InfoBuffer           - receives the data element.
//   InfoBufferRetSize    - declared IN OUT; presumably receives the size
//                          written or required -- not stated here, confirm.
//   lpReserved           - reserved; no meaning is given in this header.
// Returns a BOOL; the SaferPolicyDefaultLevel comment above shows the
// failure convention (FALSE, GetLastError() == ERROR_NOT_FOUND).
//
WINADVAPI
BOOL WINAPI
SaferGetPolicyInformation(
    IN DWORD dwScopeId,
    IN SAFER_POLICY_INFO_CLASS SaferPolicyInfoClass,
    IN DWORD InfoBufferSize,
    IN OUT PVOID InfoBuffer,
    IN OUT PDWORD InfoBufferRetSize,
    IN LPVOID lpReserved
);
//
// SaferSetPolicyInformation
//
// Sets one SAFER_POLICY_INFO_CLASS item of the policy in a scope.
// Per the comment on the enum, which scopes a caller may write depends
// on the caller's access.
//   dwScopeId            - SAFER_SCOPEID_MACHINE or SAFER_SCOPEID_USER
//                          (SAFER_SCOPEID_REGISTRY is internal-only).
//   SaferPolicyInfoClass - which item to set.
//   InfoBufferSize       - size of InfoBuffer (presumably in bytes -- confirm).
//   InfoBuffer           - the data element, shaped as described on the enum.
//   lpReserved           - reserved; no meaning is given in this header.
// Returns a BOOL success indicator.
//
WINADVAPI
BOOL WINAPI
SaferSetPolicyInformation(
    IN DWORD dwScopeId,
    IN SAFER_POLICY_INFO_CLASS SaferPolicyInfoClass,
    IN DWORD InfoBufferSize,
    IN PVOID InfoBuffer,
    IN LPVOID lpReserved
);
//
// Functions to open or close a handle to a Safer Level.
//

//
// SaferCreateLevel
//
// Opens (or, with the internal flags, creates/deletes) a Level.
//   dwScopeId    - SAFER_SCOPEID_* scope the Level belongs to.
//   dwLevelId    - SAFER_LEVELID_* identifier of the Level.
//   OpenFlags    - SAFER_LEVEL_OPEN (CREATE/DELETE are internal-only).
//   pLevelHandle - receives the handle; release it with SaferCloseLevel.
//   lpReserved   - reserved; no meaning is given in this header.
// Returns a BOOL success indicator.
//
WINADVAPI
BOOL WINAPI
SaferCreateLevel(
    IN DWORD dwScopeId,
    IN DWORD dwLevelId,
    IN DWORD OpenFlags,
    OUT SAFER_LEVEL_HANDLE * pLevelHandle,
    IN LPVOID lpReserved
);
//
// SaferCloseLevel
//
// Releases a handle obtained from SaferCreateLevel or SaferIdentifyLevel.
//   hLevelHandle - the handle to close.
// Returns a BOOL success indicator.
//
WINADVAPI
BOOL WINAPI
SaferCloseLevel(
    IN SAFER_LEVEL_HANDLE hLevelHandle
);
//
// SaferIdentifyLevel
//
// Determines the Level that policy assigns to a piece of code, described
// by one or more SAFER_CODE_PROPERTIES entries.
//   dwNumProperties - number of entries in pCodeProperties. How several
//                     entries are combined is not stated in this header.
//   pCodeProperties - array of SAFER_CODE_PROPERTIES; each entry must have
//                     cbSize set and dwCheckFlags chosen. Criteria whose
//                     members are missing are silently ignored, so a caller
//                     wanting hash-based identification must supply the hash
//                     members, a file handle or a path the hash can be
//                     computed from (see the structure's comments).
//   pLevelHandle    - receives the identified Level; release it with
//                     SaferCloseLevel.
//   lpReserved      - reserved; no meaning is given in this header.
// Returns a BOOL success indicator.
//
WINADVAPI
BOOL WINAPI
SaferIdentifyLevel(
    IN DWORD dwNumProperties,
    IN PSAFER_CODE_PROPERTIES pCodeProperties,
    OUT SAFER_LEVEL_HANDLE * pLevelHandle,
    IN LPVOID lpReserved
);
//
// SaferComputeTokenFromLevel
//
// Computes an access token from a Level. The SAFER_OBJECT_INFO_CLASS
// entries (SidsToDisable, RestrictedSidsAdded, DeletedPrivileges,
// DefaultOwner) describe what a Level contributes; presumably those are
// what is applied here -- confirm.
//   LevelHandle    - the Level to apply.
//   InAccessToken  - OPTIONAL source token. What NULL selects is not
//                    stated (presumably the caller's own token -- confirm).
//   OutAccessToken - receives the result.
//                    NOTE(review): the header does not say what is returned
//                    under SAFER_TOKEN_COMPARE_ONLY or SAFER_TOKEN_WANT_FLAGS;
//                    confirm before treating it as a handle to be closed.
//   dwFlags        - combination of the SAFER_TOKEN_* flags.
//   lpReserved     - reserved; no meaning is given in this header.
// Returns a BOOL success indicator.
//
WINADVAPI
BOOL WINAPI
SaferComputeTokenFromLevel(
    IN SAFER_LEVEL_HANDLE LevelHandle,
    IN HANDLE InAccessToken OPTIONAL,
    OUT PHANDLE OutAccessToken,
    IN DWORD dwFlags,
    IN LPVOID lpReserved
);
//
// SaferGetLevelInformation
//
// Reads one SAFER_OBJECT_INFO_CLASS item from a Level.
//   LevelHandle       - the Level to query.
//   dwInfoType        - which item; the buffer type for each is noted on
//                       the enum above.
//   lpQueryBuffer     - OPTIONAL output buffer.
//   dwInBufferSize    - size of lpQueryBuffer (presumably bytes -- confirm).
//   lpdwOutBufferSize - receives a size; presumably the bytes written, or
//                       required when lpQueryBuffer is NULL/too small --
//                       not stated here, confirm.
// Returns a BOOL success indicator.
//
WINADVAPI
BOOL WINAPI
SaferGetLevelInformation(
    IN SAFER_LEVEL_HANDLE LevelHandle,
    IN SAFER_OBJECT_INFO_CLASS dwInfoType,
    OUT LPVOID lpQueryBuffer OPTIONAL,
    IN DWORD dwInBufferSize,
    OUT LPDWORD lpdwOutBufferSize
);
//
// SaferSetLevelInformation
//
// Writes one SAFER_OBJECT_INFO_CLASS item to a Level. Per the enum's
// annotations only SaferObjectFriendlyName, SaferObjectDescription and
// SaferObjectSingleIdentification are marked get/set; the latter creates,
// modifies or (with dwIdentificationType == 0) deletes an identity rule.
//   LevelHandle    - the Level to modify.
//   dwInfoType     - which item to set.
//   lpQueryBuffer  - the data, shaped as noted on the enum.
//   dwInBufferSize - size of lpQueryBuffer (presumably bytes -- confirm).
// Returns a BOOL success indicator.
//
WINADVAPI
BOOL WINAPI
SaferSetLevelInformation(
    IN SAFER_LEVEL_HANDLE LevelHandle,
    IN SAFER_OBJECT_INFO_CLASS dwInfoType,
    IN LPVOID lpQueryBuffer,
    IN DWORD dwInBufferSize
);
//
// SaferRecordEventLogEntry
//
// This function performs logging of messages to the Application
// event log. This is called by the hooks within CreateProcess,
// ShellExecute and cmd when a lower trust evaluation result occurs.
// These entries are the audit trail for policy-restricted launches.
//   hLevel       - the Level that was assigned to the target.
//   szTargetPath - path of the code that was evaluated.
//   lpReserved   - reserved; no meaning is given in this header.
// Returns a BOOL success indicator.
//
WINADVAPI
BOOL WINAPI
SaferRecordEventLogEntry(
    IN SAFER_LEVEL_HANDLE hLevel,
    IN LPCWSTR szTargetPath,
    IN LPVOID lpReserved
);
;begin_internal
//
// Private registry key locations.
// Both scopes use the same relative path; the scope is selected by the
// root key (HKLM vs HKCU) the path is opened under.
//
#define SAFER_HKLM_REGBASE L"Software\\Policies\\Microsoft\\Windows\\Safer"
#define SAFER_HKCU_REGBASE L"Software\\Policies\\Microsoft\\Windows\\Safer"
//
// default winsafer executable file types as a multisz string.
// Each extension is followed by an explicit \0 and the literal's own
// terminator supplies the final, second NUL of the multi-sz. The
// continuation lines must stay at column 0: leading whitespace there
// would become part of the string. Presumably this is the default for
// the SAFER_EXETYPES_REGVALUE value -- confirm.
//
#define SAFER_DEFAULT_EXECUTABLE_FILE_TYPES L"ADE\0ADP\0BAS\0BAT\0CHM\0\
CMD\0COM\0CPL\0CRT\0EXE\0HLP\0HTA\0INF\0INS\0ISP\0LNK\0MDB\0MDE\0MSC\0\
MSI\0MSP\0MST\0OCX\0PCD\0PIF\0REG\0SCR\0SHS\0URL\0VB\0WSC\0"
//
// name of the objects sub-branch.
//
#define SAFER_OBJECTS_REGSUBKEY L"LevelObjects"
//
// names of the values under each of the object sub-branches.
// (FriendlyName and Description are also defined below under the
// SAFER_IDS_* names with identical string values.)
//
#define SAFER_OBJFRIENDLYNAME_REGVALUEW L"FriendlyName"
#define SAFER_OBJDESCRIPTION_REGVALUEW L"Description"
#define SAFER_OBJDISALLOW_REGVALUE L"DisallowExecution"
//
// name of the code identifiers sub-branch
//
#define SAFER_CODEIDS_REGSUBKEY L"CodeIdentifiers"
//
// name of the value under the top level code identifier branch.
// SAFER_DEFAULTOBJ_REGVALUE and SAFER_VALUE_NAME_DEFAULT_LEVEL (below)
// both expand to L"DefaultLevel".
//
#define SAFER_DEFAULTOBJ_REGVALUE L"DefaultLevel"
#define SAFER_TRANSPARENTENABLED_REGVALUE L"TransparentEnabled"
#define SAFER_HONORUSER_REGVALUE L"HonorUserIdentities"
#define SAFER_EXETYPES_REGVALUE L"ExecutableTypes"
#define SAFER_POLICY_SCOPE L"PolicyScope"
#define SAFER_LOGFILE_NAME L"LogFileName"
#define SAFER_HIDDEN_LEVELS L"Levels"
#define SAFER_AUTHENTICODE_REGVALUE L"AuthenticodeEnabled"
//
// names of the various subkeys under the code identifier sub-branches.
// Despite its name, SAFER_HASHMD5_REGSUBKEY is the generic L"Hashes" key;
// the algorithm of each rule is stored separately in SAFER_IDS_HASHALG_REGVALUE.
//
#define SAFER_PATHS_REGSUBKEY L"Paths"
#define SAFER_HASHMD5_REGSUBKEY L"Hashes"
#define SAFER_SOURCEURL_REGSUBKEY L"UrlZones"
//
// names of the various values under each code identifier sub-branch.
//
#define SAFER_IDS_LASTMODIFIED_REGVALUE L"LastModified"
#define SAFER_IDS_DESCRIPTION_REGVALUE L"Description"
#define SAFER_IDS_ITEMSIZE_REGVALUE L"ItemSize"
#define SAFER_IDS_ITEMDATA_REGVALUE L"ItemData"
#define SAFER_IDS_SAFERFLAGS_REGVALUE L"SaferFlags"
#define SAFER_IDS_FRIENDLYNAME_REGVALUE L"FriendlyName"
#define SAFER_IDS_HASHALG_REGVALUE L"HashAlg"
#define SAFER_VALUE_NAME_DEFAULT_LEVEL L"DefaultLevel"
#define SAFER_VALUE_NAME_HASH_SIZE L"HashSize"
//
// registry values holding the localized description of each built-in Level
//
#define SAFER_IDS_LEVEL_DESCRIPTION_FULLY_TRUSTED L"DescriptionFullyTrusted"
#define SAFER_IDS_LEVEL_DESCRIPTION_NORMAL_USER L"DescriptionNormalUser"
#define SAFER_IDS_LEVEL_DESCRIPTION_CONSTRAINED L"DescriptionConstrained"
#define SAFER_IDS_LEVEL_DESCRIPTION_UNTRUSTED L"DescriptionUntrusted"
#define SAFER_IDS_LEVEL_DESCRIPTION_DISALLOWED L"DescriptionDisallowed"
//
// defines for OOB rules.
// SAFER_DEFAULT_RULE_GUID is the string (braced) form of a GUID, whereas
// the two SAFER_GUID_RESULT_* macros below are GUID aggregate initializers.
// SAFER_REGKEY_SEPERATOR keeps its historical spelling; it is a public
// macro name in this section.
//
//#define SAFER_DEFAULT_OLK_RULE_PATH L"%USERPROFILE%\\Local Settings\\Temporary Internet Files\\OLK\\"
#define SAFER_LEVEL_ZERO L"0"
#define SAFER_REGKEY_SEPERATOR L"\\"
#define SAFER_DEFAULT_RULE_GUID L"{dda3f824-d8cb-441b-834d-be2efd2c1a33}"
#define SAFER_GUID_RESULT_TRUSTED_CERT \
{ 0xc59e7b5a, \
0xaf71, \
0x4595, \
{0xb8, 0xdb, 0x46, 0xb4, 0x91, 0xe8, 0x90, 0x07} }
#define SAFER_GUID_RESULT_DEFAULT_LEVEL \
{ 0x11015445, \
0xd282, \
0x4f86, \
{0x96, 0xa2, 0x9e, 0x48, 0x5f, 0x59, 0x33, 0x02} }
//
// The following is a private function that is exported
// for WinVerifyTrust to call to determine if a given hash has a
// WinSafer policy associated with it.
//   HashAlgorithm       - OPTIONAL ALG_ID the hash was computed with.
//   pHashBytes          - the hash bytes to look up.
//   dwHashSize          - number of bytes in pHashBytes.
//   dwOriginalImageSize - OPTIONAL size of the hashed image; presumably
//                         compared against the rule's ImageSize -- confirm.
//   pdwFoundLevel       - receives the matching rule's LevelId (SAFER_LEVELID_*).
//   pdwSaferFlags       - receives the rule's SAFER_POLICY_* flags.
// What the BOOL return means when no rule matches is not stated here.
// Note that unlike the public APIs this prototype carries no WINADVAPI.
//
BOOL WINAPI
SaferiSearchMatchingHashRules(
    IN ALG_ID HashAlgorithm OPTIONAL,
    IN PBYTE pHashBytes,
    IN DWORD dwHashSize,
    IN DWORD dwOriginalImageSize OPTIONAL,
    OUT PDWORD pdwFoundLevel,
    OUT PDWORD pdwSaferFlags
);
//
// The following is a private function exported to allow the current
// registry scope to be altered. This has the effect of changing
// how AUTHZSCOPEID_REGISTRY is interpreted (that name is not defined in
// this header; the registry scope constant declared above is
// SAFER_SCOPEID_REGISTRY -- presumably the one meant).
// Because this changes where policy is read from, it is declared only
// in the internal section of this header.
//   hKeyCustomRoot - OPTIONAL key to use as the new root; what NULL
//                    selects is not stated (presumably restores the
//                    default -- confirm).
//   dwKeyOptions   - no meaning is given in this header.
// Returns a BOOL success indicator.
//
WINADVAPI
BOOL WINAPI
SaferiChangeRegistryScope(
    IN HKEY hKeyCustomRoot OPTIONAL,
    IN DWORD dwKeyOptions
);
//
// The following is a private function provided to try to empirically
// determine if the two access tokens have been restricted with comparable
// WinSafer authorization Levels. When TRUE is returned, the pdwResult
// output parameter will receive any of the following values:
// -1 = Client's access token is more authorized than Server's.
// 0 = Client's access token is comparable level to Server's.
// 1 = Server's access token is more authorized than Client's.
//
// NOTE(review): pdwResult is a PDWORD (unsigned), so the -1 case is
// stored as 0xFFFFFFFF. Compare against (DWORD)-1 or read the value
// through a signed type; a plain "< 0" test on the DWORD is never true.
//
WINADVAPI
BOOL WINAPI
SaferiCompareTokenLevels (
    IN HANDLE ClientAccessToken,
    IN HANDLE ServerAccessToken,
    OUT PDWORD pdwResult
);
//
// SaferiIsExecutableFileType
//
// Reports whether a file is of a type that policy treats as executable
// (presumably by extension, against the configured executable-types list
// whose default is SAFER_DEFAULT_EXECUTABLE_FILE_TYPES -- confirm).
//   szFullPathname    - path of the file to classify.
//   bFromShellExecute - whether the query originates from ShellExecute;
//                       how this alters the answer is not stated here.
// Returns a BOOL.
//
WINADVAPI
BOOL WINAPI
SaferiIsExecutableFileType(
    IN LPCWSTR szFullPathname,
    IN BOOLEAN bFromShellExecute
);
//
// The following is a private function exported to allow population of
// defaults in the registry.
//   hKeyBase      - the key under which the defaults are written.
//   pbSetDefaults - receives a BOOL; presumably TRUE when defaults were
//                   actually written -- not stated here, confirm.
// Returns a BOOL success indicator. Like SaferiSearchMatchingHashRules,
// this prototype carries no WINADVAPI.
//
BOOL WINAPI
SaferiPopulateDefaultsInRegistry(
    IN HKEY hKeyBase,
    OUT BOOL *pbSetDefaults
);
;end_internal
;begin_both
#ifdef __cplusplus
}
#endif
;end_both
#endif