Add sandbox support for Windows process mitigations

content/app/startup_helper_win.cc

Index: content/app/startup_helper_win.cc
===================================================================
--- content/app/startup_helper_win.cc	(revision 155197)
+++ content/app/startup_helper_win.cc	(working copy)
@@ -10,7 +10,7 @@
 #include "base/base_switches.h"
 #include "base/command_line.h"
 #include "base/win/windows_version.h"
-#include "sandbox/win/src/dep.h"
+#include "sandbox/win/src/process_mitigations.h"
 #include "sandbox/win/src/sandbox_factory.h"
 
 namespace {
@@ -37,12 +37,18 @@
 
 void InitializeSandboxInfo(sandbox::SandboxInterfaceInfo* info) {
   info->broker_services = sandbox::SandboxFactory::GetBrokerServices();
-  if (!info->broker_services)
+  if (!info->broker_services) {
     info->target_services = sandbox::SandboxFactory::GetTargetServices();
-
-  if (base::win::GetVersion() < base::win::VERSION_VISTA) {
-    // Enforces strong DEP support. Vista uses the NXCOMPAT flag in the exe.
-    sandbox::SetCurrentProcessDEP(sandbox::DEP_ENABLED);
+  } else {
+    // Ensure the proper mitigations are enforced for the broker process.

[cpu_(ooo_6.6-7.5), 2012/09/07 19:22:55]

consider using browser instead of broker when in chrome land.

[jschuh, 2012/09/07 20:23:14]

Done.

+    sandbox::SetProcessMitigationsForCurrentProcess(
+        sandbox::TargetPolicy::MITIGATION_HEAP_TERMINATE |
+        sandbox::TargetPolicy::MITIGATION_DEP |
+        sandbox::TargetPolicy::MITIGATION_DEP_NO_ATL_THUNK |
+        sandbox::TargetPolicy::MITIGATION_RELOCATE_IMAGE |
+        sandbox::TargetPolicy::MITIGATION_RELOCATE_IMAGE_REQUIRED |
+        sandbox::TargetPolicy::MITIGATION_BOTTOM_UP_ASLR |
+        sandbox::TargetPolicy::MITIGATION_DLL_SEARCH_ORDER);
   }
 }