forked from microsoft/terminal
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathProcessPolicy.cpp
More file actions
88 lines (75 loc) · 3.21 KB
/
Copy pathProcessPolicy.cpp
File metadata and controls
88 lines (75 loc) · 3.21 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
#include "precomp.h"
#include "ProcessPolicy.h"
#include "..\inc\conint.h"
// Routine Description:
// - Constructs a new instance of the process policy class.
// Arguments:
// - All arguments specify a true/false status to a policy that could be applied to a console client app.
ConsoleProcessPolicy::ConsoleProcessPolicy(const bool fCanReadOutputBuffer,
const bool fCanWriteInputBuffer) :
_fCanReadOutputBuffer(fCanReadOutputBuffer),
_fCanWriteInputBuffer(fCanWriteInputBuffer)
{
}
// Routine Description:
// - Destructs an instance of the process policy class.
ConsoleProcessPolicy::~ConsoleProcessPolicy()
{
}
// Routine Description:
// - Opens the process token for the given handle and resolves the application model policies
// that apply to the given process handle. This may reveal restrictions on operations that are
// supposed to be enforced against a given console client application.
// Arguments:
// - hProcess - Handle to a connected process
// Return Value:
// - ConsoleProcessPolicy object containing resolved policy data.
ConsoleProcessPolicy ConsoleProcessPolicy::s_CreateInstance(const HANDLE hProcess)
{
// If we cannot determine the policy status, then we block access by default.
bool fCanReadOutputBuffer = false;
bool fCanWriteInputBuffer = false;
wil::unique_handle hToken;
if (LOG_IF_WIN32_BOOL_FALSE(OpenProcessToken(hProcess, TOKEN_READ, &hToken)))
{
bool fIsWrongWayBlocked = true;
// First check AppModel Policy:
LOG_IF_FAILED(Microsoft::Console::Internal::ProcessPolicy::CheckAppModelPolicy(hToken.get(), fIsWrongWayBlocked));
// If we're not restricted by AppModel Policy, also check for Integrity Level below our own.
if (!fIsWrongWayBlocked)
{
LOG_IF_FAILED(Microsoft::Console::Internal::ProcessPolicy::CheckIntegrityLevelPolicy(hToken.get(), fIsWrongWayBlocked));
}
// If we're not blocking wrong way verbs, adjust the read/write policies to permit read out and write in.
if (!fIsWrongWayBlocked)
{
fCanReadOutputBuffer = true;
fCanWriteInputBuffer = true;
}
}
return ConsoleProcessPolicy(fCanReadOutputBuffer, fCanWriteInputBuffer);
}
// Routine Description:
// - Determines whether a console client should be allowed to read back from the output buffers.
// - This includes any of our classic APIs which could allow retrieving data from the output "screen buffer".
// Arguments:
// - <none>
// Return Value:
// - True if read back is allowed. False otherwise.
bool ConsoleProcessPolicy::CanReadOutputBuffer() const
{
return _fCanReadOutputBuffer;
}
// Routine Description:
// - Determines whether a console client should be allowed to write to the input buffers.
// - This includes any of our classic APIs which could allow inserting data into the input buffer.
// Arguments:
// - <none>
// Return Value:
// - True if writing input is allowed. False otherwise.
bool ConsoleProcessPolicy::CanWriteInputBuffer() const
{
return _fCanWriteInputBuffer;
}