
Side by Side Diff: content/common/sandbox_win.cc

Issue 1407883005: Added field trial for enabling AppContainer and a chrome://flags entry. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Added disable switch and changed flags Created 5 years, 1 month ago
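--- a/content/common/sandbox_win.cc
+++ b/content/common/sandbox_win.cc
@@ -1,25 +1,26 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_win.h"
 
 #include <string>
 
 #include "base/base_switches.h"
 #include "base/command_line.h"
 #include "base/debug/profiler.h"
 #include "base/files/file_util.h"
 #include "base/hash.h"
 #include "base/logging.h"
 #include "base/memory/shared_memory.h"
+#include "base/metrics/field_trial.h"
 #include "base/metrics/sparse_histogram.h"
 #include "base/path_service.h"
 #include "base/process/launch.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/trace_event/trace_event.h"
 #include "base/win/iat_patch_function.h"
 #include "base/win/scoped_handle.h"
 #include "base/win/scoped_process_information.h"
@@ -533,53 +534,63 @@
 base::win::ScopedHandle handle(temp_handle);
 
 // Callers use CHECK macro to make sure we get the right stack.
 CheckDuplicateHandle(handle.Get());
 }
 
 return TRUE;
 }
 #endif
 
+bool IsAppContainerEnabled() {
+if (base::win::GetVersion() < base::win::VERSION_WIN8)
+return false;
+const base::CommandLine& command_line =
+*base::CommandLine::ForCurrentProcess();
+const std::string appcontainer_group_name =
+base::FieldTrialList::FindFullName("EnableAppContainer");
+if (command_line.HasSwitch(switches::kDisableAppContainer))
+return false;
+if (command_line.HasSwitch(switches::kEnableAppContainer))
+return true;
+return base::StartsWith(appcontainer_group_name, "Enabled",
+base::CompareCase::INSENSITIVE_ASCII);
+}
+
 } // namespace
 
 void SetJobLevel(const base::CommandLine& cmd_line,
 sandbox::JobLevel job_level,
 uint32 ui_exceptions,
 sandbox::TargetPolicy* policy) {
 if (ShouldSetJobLevel(cmd_line)) {
 #ifdef _WIN64
 policy->SetJobMemoryLimit(4ULL * 1024 * 1024 * 1024);
 #endif
 policy->SetJobLevel(job_level, ui_exceptions);
 } else {
 policy->SetJobLevel(sandbox::JOB_NONE, 0);
 }
 }
 
 // TODO(jschuh): Need get these restrictions applied to NaCl and Pepper.
 // Just have to figure out what needs to be warmed up first.
 void AddBaseHandleClosePolicy(sandbox::TargetPolicy* policy) {
 // TODO(cpu): Add back the BaseNamedObjects policy.
 base::string16 object_path = PrependWindowsSessionPath(
 L"\\BaseNamedObjects\\windows_shell_global_counters");
 policy->AddKernelObjectToClose(L"Section", object_path.data());
 }
 
 void AddAppContainerPolicy(sandbox::TargetPolicy* policy, const wchar_t* sid) {
-if (base::win::GetVersion() >= base::win::VERSION_WIN8) {
-const base::CommandLine& command_line =
-*base::CommandLine::ForCurrentProcess();
-if (command_line.HasSwitch(switches::kEnableAppContainer)) {
-policy->SetLowBox(sid);
-}
-}
+if (IsAppContainerEnabled())
+policy->SetLowBox(sid);
 }
 
 bool AddWin32kLockdownPolicy(sandbox::TargetPolicy* policy) {
 #if !defined(NACL_WIN64)
 if (!IsWin32kRendererLockdownEnabled())
 return true;
 
 // Enable win32k lockdown if not already.
 sandbox::MitigationFlags flags = policy->GetProcessMitigations();
 if ((flags & sandbox::MITIGATION_WIN32K_DISABLE) ==
@@ -866,10 +877,10 @@
 }
 
 return false;
 }
 
 bool BrokerAddTargetPeer(HANDLE peer_process) {
 return g_broker_services->AddTargetPeer(peer_process) == sandbox::SBOX_ALL_OK;
 }
 
 } // namespace content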
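Review bot: IsAppContainerEnabled() carries no comment stating the precedence it implements, and since it now decides whether the AppContainer lowbox token is applied, that order should be written down: the Windows 8 gate, then `kDisableAppContainer`, then `kEnableAppContainer`, and only then the `EnableAppContainer` field-trial group. A comment above the switch checks such as `// The disable switch wins over the enable switch; either one overrides the field trial.` would do. `FindFullName()` is called before the switch checks although its result is only used in the final return; if that ordering is deliberate (presumably so that a session overridden by a switch still registers its trial group), say so in the comment, otherwise move the lookup next to the return. Separately, the result of `policy->SetLowBox(sid)` in AddAppContainerPolicy() is still discarded, so a failure to apply the token would go unnoticed now that the field trial can enable this without an explicit opt-in; this predates the change and may deserve a follow-up.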