Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(113)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/common/sandbox_policy.cc

Issue 10913305: Enable more Windows mitigations (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 8 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/common/sandbox_policy.h" 5 #include "content/common/sandbox_policy.h"
6 6
7 #include <string> 7 #include <string>
8 8
9 #include "base/command_line.h" 9 #include "base/command_line.h"
10 #include "base/debug/debugger.h" 10 #include "base/debug/debugger.h"
(...skipping 709 matching lines...) Expand 10 before | Expand all | Expand 10 after
720 #endif 720 #endif
721 721
722 if (!in_sandbox) { 722 if (!in_sandbox) {
723 policy->Release(); 723 policy->Release();
724 base::ProcessHandle process = 0; 724 base::ProcessHandle process = 0;
725 base::LaunchProcess(*cmd_line, base::LaunchOptions(), &process); 725 base::LaunchProcess(*cmd_line, base::LaunchOptions(), &process);
726 g_broker_services->AddTargetPeer(process); 726 g_broker_services->AddTargetPeer(process);
727 return process; 727 return process;
728 } 728 }
729 729
730 // TODO(jschuh): Add all Win8 mitigations. crbug.com/147752 730 // TODO(jschuh): Make NaCl work with DEP and SEHOP. crbug.com/147752
731 if (type != content::PROCESS_TYPE_NACL_LOADER) { 731 sandbox::MitigationFlags mitigations = MITIGATION_HEAP_TERMINATE |
732 if (policy->SetProcessMitigations(MITIGATION_DEP | 732 MITIGATION_BOTTOM_UP_ASLR |
733 MITIGATION_DEP_NO_ATL_THUNK | 733 MITIGATION_HIGH_ENTROPY_ASLR;
734 MITIGATION_SEHOP | 734 #if !defined(NACL_WIN64)
735 MITIGATION_BOTTOM_UP_ASLR) 735 mitigations |= MITIGATION_DEP |
736 != sandbox::SBOX_ALL_OK) { 736 MITIGATION_DEP_NO_ATL_THUNK |
737 return 0; 737 MITIGATION_SEHOP;
738 } 738 #if defined(NDEBUG)
739 } else { 739 mitigations |= MITIGATION_RELOCATE_IMAGE |
740 // TODO(jschuh): Make NaCl work with DEP and SEHOP. crbug.com/147752 740 MITIGATION_RELOCATE_IMAGE_REQUIRED;
741 if (policy->SetDelayedProcessMitigations(MITIGATION_DEP | 741 #endif
742 MITIGATION_DEP_NO_ATL_THUNK) 742 #endif
743 != sandbox::SBOX_ALL_OK) { 743
744 return 0; 744 if (policy->SetProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
745 } 745 return 0;
746 if (policy->SetProcessMitigations(MITIGATION_BOTTOM_UP_ASLR) 746
747 != sandbox::SBOX_ALL_OK) { 747 mitigations = MITIGATION_STRICT_HANDLE_CHECKS |
748 return 0; 748 MITIGATION_EXTENSION_DLL_DISABLE |
749 } 749 MITIGATION_DLL_SEARCH_ORDER;
750 } 750 #if defined(NACL_WIN64)
751 mitigations |= MITIGATION_DEP |
752 MITIGATION_DEP_NO_ATL_THUNK;
753 #endif
754
755 if (policy->SetDelayedProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
756 return 0;
751 757
752 if (type == content::PROCESS_TYPE_PLUGIN) { 758 if (type == content::PROCESS_TYPE_PLUGIN) {
753 AddGenericDllEvictionPolicy(policy); 759 AddGenericDllEvictionPolicy(policy);
754 AddPluginDllEvictionPolicy(policy); 760 AddPluginDllEvictionPolicy(policy);
755 } else if (type == content::PROCESS_TYPE_GPU) { 761 } else if (type == content::PROCESS_TYPE_GPU) {
756 if (!AddPolicyForGPU(cmd_line, policy)) 762 if (!AddPolicyForGPU(cmd_line, policy))
757 return 0; 763 return 0;
758 } else { 764 } else {
759 if (!AddPolicyForRenderer(policy)) 765 if (!AddPolicyForRenderer(policy))
760 return 0; 766 return 0;
(...skipping 127 matching lines...) Expand 10 before | Expand all | Expand 10 after
888 return g_broker_services->AddTargetPeer(peer_process) == sandbox::SBOX_ALL_OK; 894 return g_broker_services->AddTargetPeer(peer_process) == sandbox::SBOX_ALL_OK;
889 } 895 }
890 896
891 base::ProcessHandle StartProcessWithAccess( 897 base::ProcessHandle StartProcessWithAccess(
892 CommandLine* cmd_line, 898 CommandLine* cmd_line,
893 const FilePath& exposed_dir) { 899 const FilePath& exposed_dir) {
894 return sandbox::StartProcessWithAccess(cmd_line, exposed_dir); 900 return sandbox::StartProcessWithAccess(cmd_line, exposed_dir);
895 } 901 }
896 902
897 } // namespace content 903 } // namespace content
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698