Add sandbox support for Windows process mitigations

sandbox/win/src/target_services.cc

Index: sandbox/win/src/target_services.cc
===================================================================
--- sandbox/win/src/target_services.cc	(revision 155197)
+++ sandbox/win/src/target_services.cc	(working copy)
@@ -11,6 +11,7 @@
 #include "sandbox/win/src/handle_closer_agent.h"
 #include "sandbox/win/src/handle_interception.h"
 #include "sandbox/win/src/ipc_tags.h"
+#include "sandbox/win/src/process_mitigations.h"
 #include "sandbox/win/src/restricted_token_utils.h"
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/sandbox_types.h"
@@ -62,6 +63,8 @@
 SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level =
     INTEGRITY_LEVEL_LAST;
 

[rvargas (doing something else), 2012/09/08 02:23:32]

remove

[jschuh, 2012/09/10 23:58:48]

Done.

+SANDBOX_INTERCEPT uint64 g_shared_delayed_mitigations = 0;
+
 TargetServicesBase::TargetServicesBase() {
 }
 
@@ -86,6 +89,10 @@
     ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CACHEDISABLE);
   if (!CloseOpenHandles())
     ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CLOSEHANDLES);
+  // Enabling mitigations must happen last otherwise handle closing breaks
+  if (g_shared_delayed_mitigations &&
+      !SetProcessMitigationsForCurrentProcess(g_shared_delayed_mitigations))
+    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_MITIGATION);
 }
 
 ProcessState* TargetServicesBase::GetState() {