Add sandbox support for Windows process mitigations

sandbox/win/src/sandbox_policy_base.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_
 #define SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_
 
 #include <windows.h>
 
 #include <list>
@@ skipping 34 matching lines @@
                                  uint32 ui_exceptions) OVERRIDE;
   virtual ResultCode SetAlternateDesktop(bool alternate_winstation) OVERRIDE;
   virtual string16 GetAlternateDesktop() const OVERRIDE;
   virtual ResultCode CreateAlternateDesktop(bool alternate_winstation) OVERRIDE;
   virtual void DestroyAlternateDesktop() OVERRIDE;
   virtual ResultCode SetIntegrityLevel(IntegrityLevel integrity_level) OVERRIDE;
   virtual ResultCode SetDelayedIntegrityLevel(
       IntegrityLevel integrity_level) OVERRIDE;
   virtual ResultCode SetAppContainer(const wchar_t* sid) OVERRIDE;
   virtual ResultCode SetCapability(const wchar_t* sid) OVERRIDE;
+  virtual ResultCode SetProcessMitigations(uint64 flags) OVERRIDE;

[rvargas (doing something else), 2012/09/08 02:23:32]

There is a little something between calling this method SetProcesblah (and I
think the name is correct), and also calling the function that actually applies
the settings SetProcessBlah... Maybe change the other one to ApplyFoo?

[jschuh, 2012/09/10 23:58:48]

Done.

+  virtual uint64 GetProcessMitigations() OVERRIDE;
+  virtual ResultCode SetDelayedProcessMitigations(uint64 flags) OVERRIDE;
+  virtual uint64 GetDelayedProcessMitigations() OVERRIDE;
   virtual void SetStrictInterceptions() OVERRIDE;
   virtual ResultCode AddRule(SubSystem subsystem, Semantics semantics,
                              const wchar_t* pattern) OVERRIDE;
   virtual ResultCode AddDllToUnload(const wchar_t* dll_name);
   virtual ResultCode AddKernelObjectToClose(const char16* handle_type,
                                             const char16* handle_name) OVERRIDE;
 
   // Dispatcher:
   virtual Dispatcher* OnMessageReady(IPCParams* ipc,
                                      CallbackGeneric* callback) OVERRIDE;
@@ skipping 48 matching lines @@
   TokenLevel initial_level_;
   JobLevel job_level_;
   uint32 ui_exceptions_;
   bool use_alternate_desktop_;
   bool use_alternate_winstation_;
   // Helps the file system policy initialization.
   bool file_system_init_;
   bool relaxed_interceptions_;
   IntegrityLevel integrity_level_;
   IntegrityLevel delayed_integrity_level_;
+  uint64 mitigations_;
+  uint64 delayed_mitigations_;
   // The array of objects that will answer IPC calls.
   Dispatcher* ipc_targets_[IPC_LAST_TAG];
   // Object in charge of generating the low level policy.
   LowLevelPolicy* policy_maker_;
   // Memory structure that stores the low level policy.
   PolicyGlobal* policy_;
   // The list of dlls to unload in the target process.
   std::vector<string16> blacklisted_dlls_;
   // This is a map of handle-types to names that we need to close in the
   // target process. A null set means we need to close all handles of the
   // given type.
   HandleCloser handle_closer_;
   std::vector<string16> capabilities_;
   scoped_ptr<AppContainerAttributes> appcontainer_list_;
 
   static HDESK alternate_desktop_handle_;
   static HWINSTA alternate_winstation_handle_;
 
   DISALLOW_COPY_AND_ASSIGN(PolicyBase);
 };
 
 }  // namespace sandbox
 
 #endif  // SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_