Add sandbox support for Windows process mitigations

sandbox/win/src/sandbox_policy.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
 #define SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
 
 #include <string>
 
 #include "base/basictypes.h"
@@ skipping 146 matching lines @@
   // launching the sandboxed process will fail. See BrokerServices for details
   // about installing an AppContainer.
   // Note that currently Windows restricts the use of impersonation within
   // AppContainers, so this function is incompatible with the use of an initial
   // token.
   virtual ResultCode SetAppContainer(const wchar_t* sid) = 0;
 
   // Sets a capability to be enabled for the sandboxed process' AppContainer.
   virtual ResultCode SetCapability(const wchar_t* sid) = 0;
 
+  // These flags correspond to various process-level mitigations (eg. ASLR and
+  // DEP). Most are implemented via UpdateProcThreadAttribute() plus flags for
+  // the PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY attribute argument; documented
+  // here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686880
+  // Some mitigations are implemented directly by the sandbox or emulated to
+  // the greatest extent possible when not directly supported by the OS.
+  // Flags that are unsupported for the target OS will be silently ignored.
+  // Flags that are invalid for their application (pre or post startup) will
+  // return SBOX_ERROR_BAD_PARAMS.
+  //
+  // Permanently enables DEP for the target process. Corresponds to
+  // PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE.
+  static const uint64 MITIGATION_DEP                              = 0x00000001;

[rvargas (doing something else), 2012/09/08 02:23:32]

make this an enum instead? (yes, the actual variable still have to be a uint)

[rvargas (doing something else), 2012/09/08 02:23:32]

We have 12 flags and declare a 64 bit flag? why? There's still plenty of room
even if MS keeps adding flags.

(another benefit of an enum + typedef instead of hardcoding the type)

[rvargas (doing something else), 2012/09/08 02:23:32]

Candidate for moving somewhere else (policy level?,yeah, not a level). This is a
lot of noise in the middle of an interface (in any case, not the right place)

[jschuh, 2012/09/10 23:58:48]

I split custom flags and Windows mitigations on the 32-bit boundary (e.g.
MITIGATION_DLL_SEARCH_ORDER) because it seemed unintuitive to separate them, and
I anticipate crossing 32-bits quickly. However, They're now shoved into a
typedef.

I've moved the flag values and typdef into security_level.h, which made sense
because that's we're we've centralized the other mitigation stuff.

+  // Permanently Disables ATL thunk emulation when DEP is enabled. Valid
+  // only when MITIGATION_DEP is passed. Corresponds to not passing
+  // PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE.
+  static const uint64 MITIGATION_DEP_NO_ATL_THUNK                 = 0x00000002;
+  // Enables Structured exception handling override prevention. Must be
+  // enabled prior to process start. Corresponds to
+  // PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE.
+  static const uint64 MITIGATION_SEHOP                            = 0x00000004;
+  // Forces ASLR on all images in the child process. Corresponds to
+  // PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON .
+  static const uint64 MITIGATION_RELOCATE_IMAGE                   = 0x00000008;
+  // Refuses to load DLLs that cannot support ASLR. Corresponds to
+  // PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS.
+  static const uint64 MITIGATION_RELOCATE_IMAGE_REQUIRED          = 0x00000010;
+  // Terminates the process on Windows heap corruption. Coresponds to
+  // PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON.
+  static const uint64 MITIGATION_HEAP_TERMINATE                   = 0x00000020;
+  // Sets a random lower bound as the minimum user address. Must be
+  // enabled prior to process start. On 32-bit processes this is
+  // emulated to a much smaller degree. Corresponds to
+  // PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON.
+  static const uint64 MITIGATION_BOTTOM_UP_ASLR                   = 0x00000040;
+  // Increases the randomness range of bottom-up ASLR to up to 1TB. Must be
+  // enabled prior to process start and with MITIGATION_BOTTOM_UP_ASLR.
+  // Corresponds to
+  // PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON
+  static const uint64 MITIGATION_HIGH_ENTROPY_ASLR                = 0x00000080;
+  // Immediately raises an exception on a bad handle reference. Must be
+  // enabled after startup. Corresponds to
+  // PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON.
+  static const uint64 MITIGATION_STRICT_HANDLE_CHECKS             = 0x00000100;
+  // Prevents the process from making Win32k calls. Must be enabled after
+  // startup. Corresponds to
+  // PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON.
+  static const uint64 MITIGATION_WIN32K_DISABLE                   = 0x00000200;
+  // Disables common DLL injection methods (e.g. window hooks and
+  // App_InitDLLs). Corresponds to
+  // PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON.
+  static const uint64 MITIGATION_EXTENSION_DLL_DISABLE            = 0x00000400;
+  // Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional
+  // directories can be added via the Windows AddDllDirectory() function.
+  // http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515
+  // Must be enabled after startup.
+  static const uint64 MITIGATION_DLL_SEARCH_ORDER        = 0x00000001ULL << 32;
+
+  // Sets the mitigation flags (described above) for starting the process.
+  virtual ResultCode SetProcessMitigations(uint64 flags) = 0;
+
+  // Returns the currently set mitigation flags (described above).
+  virtual uint64 GetProcessMitigations() = 0;
+
+  // Sets the process mitigation flags. These flags will not take effect
+  // in the call to LowerToken (described above).
+  virtual ResultCode SetDelayedProcessMitigations(uint64 flags) = 0;
+
+  // Returns the currently set delayed mitigation flags (described above).
+  virtual uint64 GetDelayedProcessMitigations() = 0;
+
   // Sets the interceptions to operate in strict mode. By default, interceptions
   // are performed in "relaxed" mode, where if something inside NTDLL.DLL is
   // already patched we attempt to intercept it anyway. Setting interceptions
   // to strict mode means that when we detect that the function is patched we'll
   // refuse to perform the interception.
   virtual void SetStrictInterceptions() = 0;
 
   // Adds a policy rule effective for processes spawned using this policy.
   // subsystem: One of the above enumerated windows subsystems.
   // semantics: One of the above enumerated FileSemantics.
@@ skipping 17 matching lines @@
   // A NULL value for handle_name indicates all handles of the specified type.
   // An empty string for handle_name indicates the handle is unnamed.
   virtual ResultCode AddKernelObjectToClose(const wchar_t* handle_type,
                                             const wchar_t* handle_name) = 0;
 };
 
 }  // namespace sandbox
 
 
 #endif  // SANDBOX_WIN_SRC_SANDBOX_POLICY_H_