Add sandbox support for Windows process mitigations

sandbox/win/src/broker_services.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/broker_services.h"
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/threading/platform_thread.h"
 #include "base/win/scoped_handle.h"
 #include "base/win/scoped_process_information.h"
 #include "base/win/startup_information.h"
 #include "base/win/windows_version.h"
 #include "sandbox/win/src/app_container.h"
+#include "sandbox/win/src/process_mitigations.h"
 #include "sandbox/win/src/sandbox_policy_base.h"
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/target_process.h"
 #include "sandbox/win/src/win2k_threadpool.h"
 #include "sandbox/win/src/win_utils.h"
 
 namespace {
 
 // Utility function to associate a completion port to a job object.
 bool AssociateCompletionPort(HANDLE job, HANDLE port, void* key) {
@@ skipping 288 matching lines @@
     return result;
 
   // Initialize the startup information from the policy.
   base::win::StartupInformation startup_info;
   string16 desktop = policy_base->GetAlternateDesktop();
   if (!desktop.empty()) {
     startup_info.startup_info()->lpDesktop =
         const_cast<wchar_t*>(desktop.c_str());
   }
 
+  int attribute_count = 0;
   const AppContainerAttributes* app_container = policy_base->GetAppContainer();
+  if (app_container)
+    ++attribute_count;
+
+  DWORD64 mitigations = GetProcessMitigationPolicyFlags(
+                            policy->GetProcessMitigations());
+  if (mitigations)
+    ++attribute_count;
+
+  if (!startup_info.InitializeProcThreadAttributeList(attribute_count))
+    return SBOX_ERROR_GENERIC;
+
   if (app_container) {
-    startup_info.InitializeProcThreadAttributeList(1);
     result = app_container->ShareForStartup(&startup_info);
     if (SBOX_ALL_OK != result)
       return result;
   }
 
+  if (mitigations) {
+    size_t mitigation_size = sizeof(mitigations);
+    void* mitigation_ptr = &mitigations;
+
+#ifndef _WIN64
+    // A 64-bit flags attribute is illegal on 32-bit Win 7 and below.
+    DWORD mitigations32 = static_cast<DWORD>(mitigations);
+    if (base::win::GetVersion() < base::win::VERSION_WIN8) {
+      mitigation_size = sizeof(mitigations32);
+      mitigation_ptr = &mitigations32;
+    }
+#endif

[cpu_(ooo_6.6-7.5), 2012/09/06 19:46:15]

this would be clearer to me if instead you have some repetition. Liek

#ifdef _WIN64
.. all 64n part here
#else
.. all 32b part here
#endif

[jschuh, 2012/09/07 01:14:22]

Done.

+
+    if (!startup_info.UpdateProcThreadAttribute(
+             PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, mitigation_ptr,
+             mitigation_size)) {
+      return SBOX_ERROR_GENERIC;
+    }
+  }
+
   // Construct the thread pool here in case it is expensive.
   // The thread pool is shared by all the targets
   if (NULL == thread_pool_)
     thread_pool_ = new Win2kThreadPool();
 
   // Create the TargetProces object and spawn the target suspended. Note that
   // Brokerservices does not own the target object. It is owned by the Policy.
   base::win::ScopedProcessInformation process_info;
   TargetProcess* target = new TargetProcess(initial_token.Take(),
                                             lockdown_token.Take(),
@@ skipping 94 matching lines @@
     return SBOX_ERROR_UNSUPPORTED;
 
   string16 name =  LookupAppContainer(sid);
   if (name.empty())
     return SBOX_ERROR_INVALID_APP_CONTAINER;
 
   return DeleteAppContainer(sid);
 }
 
 }  // namespace sandbox