Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(735)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: sandbox/win/src/broker_services.cc

Issue 10690058: Add sandbox support for Windows process mitigations (Closed) Base URL: https://src.chromium.org/svn/trunk/src/
Patch Set: Created 8 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « sandbox/win/sandbox_win.gypi ('k') | sandbox/win/src/dep.h » ('j') | sandbox/win/src/nt_internals.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: sandbox/win/src/broker_services.cc
===================================================================
--- sandbox/win/src/broker_services.cc (revision 155197)
+++ sandbox/win/src/broker_services.cc (working copy)
@@ -12,6 +12,7 @@
#include "base/win/startup_information.h"
#include "base/win/windows_version.h"
#include "sandbox/win/src/app_container.h"
+#include "sandbox/win/src/process_mitigations.h"
#include "sandbox/win/src/sandbox_policy_base.h"
#include "sandbox/win/src/sandbox.h"
#include "sandbox/win/src/target_process.h"
@@ -320,14 +321,51 @@
const_cast<wchar_t*>(desktop.c_str());
}
+ int attribute_count = 0;
const AppContainerAttributes* app_container = policy_base->GetAppContainer();
+ if (app_container)
+ ++attribute_count;
+
+ DWORD64 mitigations = GetProcessMitigationPolicyFlags(
+ policy->GetProcessMitigations());
+ if (mitigations)
+ ++attribute_count;
+
+ if (!startup_info.InitializeProcThreadAttributeList(attribute_count))
+ return SBOX_ERROR_GENERIC;
rvargas (doing something else) 2012/09/08 02:23:32 Use a specific error code (and below)
jschuh 2012/09/10 23:58:48 Done.
+
if (app_container) {
- startup_info.InitializeProcThreadAttributeList(1);
result = app_container->ShareForStartup(&startup_info);
if (SBOX_ALL_OK != result)
return result;
}
+ if (mitigations) {
+#ifndef _WIN64
rvargas (doing something else) 2012/09/08 02:23:32 #if defined(_WIN64)
jschuh 2012/09/10 23:58:48 Done.
+ // A 64-bit flags attribute is illegal on 32-bit Win 7 and below.
+ if (base::win::GetVersion() < base::win::VERSION_WIN8) {
rvargas (doing something else) 2012/09/08 02:23:32 Can we send all this logic somewhere else?
jschuh 2012/09/10 23:58:48 Done.
+ DWORD mitigations32 = static_cast<DWORD>(mitigations);
+ if (!startup_info.UpdateProcThreadAttribute(
+ PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &mitigations32,
+ sizeof(mitigations32))) {
+ return SBOX_ERROR_GENERIC;
+ }
+ } else {
+ if (!startup_info.UpdateProcThreadAttribute(
+ PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &mitigations,
+ sizeof(mitigations))) {
+ return SBOX_ERROR_GENERIC;
+ }
+ }
+#else
+ if (!startup_info.UpdateProcThreadAttribute(
+ PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &mitigations,
+ sizeof(mitigations))) {
+ return SBOX_ERROR_GENERIC;
+ }
+#endif
+ }
+
// Construct the thread pool here in case it is expensive.
// The thread pool is shared by all the targets
if (NULL == thread_pool_)
« no previous file with comments | « sandbox/win/sandbox_win.gypi ('k') | sandbox/win/src/dep.h » ('j') | sandbox/win/src/nt_internals.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698