Chromium Code Reviews Chromium Code Reviews
Issue 10690058:
Add sandbox support for Windows process mitigations (Closed)
Base URL: https://src.chromium.org/svn/trunk/src/| Index: sandbox/win/src/sandbox_policy.h |
| =================================================================== |
| --- sandbox/win/src/sandbox_policy.h (revision 155197) |
| +++ sandbox/win/src/sandbox_policy.h (working copy) |
| @@ -164,6 +164,77 @@ |
| // Sets a capability to be enabled for the sandboxed process' AppContainer. |
| virtual ResultCode SetCapability(const wchar_t* sid) = 0; |
| + // These flags correspond to various process-level mitigations (eg. ASLR and |
| + // DEP). Most are implemented via UpdateProcThreadAttribute() plus flags for |
| + // the PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY attribute argument; documented |
| + // here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686880 |
| + // Some mitigations are implemented directly by the sandbox or emulated to |
| + // the greatest extent possible when not directly supported by the OS. |
| + // Flags that are unsupported for the target OS will be silently ignored. |
| + // Flags that are invalid for their application (pre or post startup) will |
| + // return SBOX_ERROR_BAD_PARAMS. |
| + // |
| + // Permanently enables DEP for the target process. Corresponds to |
| + // PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE. |
| + static const uint64 MITIGATION_DEP = 0x00000001; |
|
rvargas (doing something else)
2012/09/08 02:23:32
make this an enum instead? (yes, the actual variab
rvargas (doing something else)
2012/09/08 02:23:32
We have 12 flags and declare a 64 bit flag? why? T
rvargas (doing something else)
2012/09/08 02:23:32
Candidate for moving somewhere else (policy level?
jschuh
2012/09/10 23:58:48
I split custom flags and Windows mitigations on th
|
| + // Permanently Disables ATL thunk emulation when DEP is enabled. Valid |
| + // only when MITIGATION_DEP is passed. Corresponds to not passing |
| + // PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE. |
| + static const uint64 MITIGATION_DEP_NO_ATL_THUNK = 0x00000002; |
| + // Enables Structured exception handling override prevention. Must be |
| + // enabled prior to process start. Corresponds to |
| + // PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE. |
| + static const uint64 MITIGATION_SEHOP = 0x00000004; |
| + // Forces ASLR on all images in the child process. Corresponds to |
| + // PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON . |
| + static const uint64 MITIGATION_RELOCATE_IMAGE = 0x00000008; |
| + // Refuses to load DLLs that cannot support ASLR. Corresponds to |
| + // PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS. |
| + static const uint64 MITIGATION_RELOCATE_IMAGE_REQUIRED = 0x00000010; |
| + // Terminates the process on Windows heap corruption. Coresponds to |
| + // PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON. |
| + static const uint64 MITIGATION_HEAP_TERMINATE = 0x00000020; |
| + // Sets a random lower bound as the minimum user address. Must be |
| + // enabled prior to process start. On 32-bit processes this is |
| + // emulated to a much smaller degree. Corresponds to |
| + // PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON. |
| + static const uint64 MITIGATION_BOTTOM_UP_ASLR = 0x00000040; |
| + // Increases the randomness range of bottom-up ASLR to up to 1TB. Must be |
| + // enabled prior to process start and with MITIGATION_BOTTOM_UP_ASLR. |
| + // Corresponds to |
| + // PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON |
| + static const uint64 MITIGATION_HIGH_ENTROPY_ASLR = 0x00000080; |
| + // Immediately raises an exception on a bad handle reference. Must be |
| + // enabled after startup. Corresponds to |
| + // PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON. |
| + static const uint64 MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100; |
| + // Prevents the process from making Win32k calls. Must be enabled after |
| + // startup. Corresponds to |
| + // PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON. |
| + static const uint64 MITIGATION_WIN32K_DISABLE = 0x00000200; |
| + // Disables common DLL injection methods (e.g. window hooks and |
| + // App_InitDLLs). Corresponds to |
| + // PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON. |
| + static const uint64 MITIGATION_EXTENSION_DLL_DISABLE = 0x00000400; |
| + // Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional |
| + // directories can be added via the Windows AddDllDirectory() function. |
| + // http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515 |
| + // Must be enabled after startup. |
| + static const uint64 MITIGATION_DLL_SEARCH_ORDER = 0x00000001ULL << 32; |
| + |
| + // Sets the mitigation flags (described above) for starting the process. |
| + virtual ResultCode SetProcessMitigations(uint64 flags) = 0; |
| + |
| + // Returns the currently set mitigation flags (described above). |
| + virtual uint64 GetProcessMitigations() = 0; |
| + |
| + // Sets the process mitigation flags. These flags will not take effect |
| + // in the call to LowerToken (described above). |
| + virtual ResultCode SetDelayedProcessMitigations(uint64 flags) = 0; |
| + |
| + // Returns the currently set delayed mitigation flags (described above). |
| + virtual uint64 GetDelayedProcessMitigations() = 0; |
| + |
| // Sets the interceptions to operate in strict mode. By default, interceptions |
| // are performed in "relaxed" mode, where if something inside NTDLL.DLL is |
| // already patched we attempt to intercept it anyway. Setting interceptions |
