//
// File_BlockInternetAccess
//
// Sets up the per-process Internet device block list.
//
// Returns TRUE when the process is exempt, when the pseudo device
// "InternetAccessDevices" is not matched as closed, or when every
// File_BlockInternetAccess2 call succeeded.  Returns FALSE as soon as
// one of those calls fails; the remaining devices are then not added.
//
// NOTE(review): a FALSE return means the block list is only partially
// populated.  The caller is not visible here -- confirm it treats FALSE
// as a hard failure, so the process does not run with some of the
// listed devices still reachable.
//
_FX BOOLEAN File_BlockInternetAccess(PROCESS *proc)
{
    BOOLEAN open_match, closed_match;
    BOOLEAN notify;

    //
    // a process exempted from the blockade needs no further setup
    //

    if (proc->AllowInternetAccess)
        return TRUE;

    //
    // decide whether denied Internet access should raise a warning:
    // the NotifyInternetAccessDenied setting of the box (default TRUE)
    // applies, except that the flag is always FALSE when image_sbie
    // is set
    //

    notify = Conf_Get_Boolean(
        proc->box->name, L"NotifyInternetAccessDenied", 0, TRUE);

    proc->file_warn_internet = proc->image_sbie ? FALSE : notify;

    //
    // check the pseudo device name against the closed file paths of
    // the process.  21 is the character count of the literal
    // L"InternetAccessDevices"
    //
    // NOTE(review): closed_match is not initialized here, so the block
    // decision relies on Process_MatchPath always writing both output
    // flags -- confirm against its definition
    //

    Process_MatchPath(
        proc->pool, L"InternetAccessDevices", 21,
        NULL, &proc->closed_file_paths,
        &open_match, &closed_match);

    if (! closed_match)
        return TRUE;

    //
    // the configuration blocks the pseudo Internet device, so add the
    // real Internet devices.  keep in sync with the list of devices
    // in File_Api_CheckInternetAccess: a device present in only one
    // of the two lists would be handled inconsistently
    //
    // the third argument (0, -1, +1) selects the name variant noted
    // next to each call; its exact handling is in
    // File_BlockInternetAccess2 (not shown here)
    //

    if (! File_BlockInternetAccess2(proc, File_RawIp, 0))   // \Device\RawIp6
        return FALSE;
    if (! File_BlockInternetAccess2(proc, File_RawIp, -1))  // \Device\RawIp4
        return FALSE;
    if (! File_BlockInternetAccess2(proc, File_Http, +1))   // \Device\Http\*
        return FALSE;
    if (! File_BlockInternetAccess2(proc, File_Tcp, 0))     // \Device\Tcp6
        return FALSE;
    if (! File_BlockInternetAccess2(proc, File_Tcp, -1))    // \Device\Tcp4
        return FALSE;
    if (! File_BlockInternetAccess2(proc, File_Udp, 0))     // \Device\Udp6
        return FALSE;
    if (! File_BlockInternetAccess2(proc, File_Udp, -1))    // \Device\Udp4
        return FALSE;
    if (! File_BlockInternetAccess2(proc, File_Ip, 0))      // \Device\Ip6
        return FALSE;
    if (! File_BlockInternetAccess2(proc, File_Ip, -1))     // \Device\Ip4
        return FALSE;
    if (! File_BlockInternetAccess2(proc, File_Afd, +1))    // \Device\Afd*
        return FALSE;

    // last device: its result is the overall result
    return File_BlockInternetAccess2(proc, File_Nsi, 0);    // \Device\Nsi
}