[Win10 sandbox mitigations] Four new Win10 mitigations added.

sandbox/win/src/broker_services.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/broker_services.h"
 
 #include <AclAPI.h>
 #include <stddef.h>
 
 #include "base/logging.h"
@@ skipping 312 matching lines @@
   if (SBOX_ALL_OK != result)
     return result;
 
   base::win::ScopedHandle job;
   result = policy_base->MakeJobObject(&job);
   if (SBOX_ALL_OK != result)
     return result;
 
   // Initialize the startup information from the policy.
   base::win::StartupInformation startup_info;
-  // The liftime of |mitigations| and |inherit_handle_list| have to be at least
+  // The liftime of |mitigations|, |inherit_handle_list| and
+  // |child_process_creation| have to be at least
   // as long as |startup_info| because |UpdateProcThreadAttribute| requires that
   // its |lpValue| parameter persist until |DeleteProcThreadAttributeList| is
   // called; StartupInformation's destructor makes such a call.
   DWORD64 mitigations;
-
   std::vector<HANDLE> inherited_handle_list;
+  DWORD child_process_creation = PROCESS_CREATION_CHILD_PROCESS_RESTRICTED;

[jschuh, 2016/01/25 23:53:51]

This feels awkward. The job object already has flags to determine if child
processes are being blocked. So, why not just infer from that rather than plumb
it in and out of the process mitigations policy? If you want to avoid making
this function more complicated, you can just put the logic in an anonymous
helper function.

[penny, 2016/01/26 22:37:10]

Acknowledged.  See my comments on this.

 
   base::string16 desktop = policy_base->GetAlternateDesktop();
   if (!desktop.empty()) {
     startup_info.startup_info()->lpDesktop =
         const_cast<wchar_t*>(desktop.c_str());
   }
 
   bool inherit_handles = false;
 
   if (base::win::GetVersion() >= base::win::VERSION_VISTA) {
     int attribute_count = 0;
     const AppContainerAttributes* app_container =
         policy_base->GetAppContainer();
     if (app_container)
       ++attribute_count;
 
     size_t mitigations_size;
+    bool restrict_child_process_creation;
     ConvertProcessMitigationsToPolicy(policy->GetProcessMitigations(),
-                                      &mitigations, &mitigations_size);
+                                      &mitigations, &mitigations_size,
+                                      &restrict_child_process_creation);
     if (mitigations)
       ++attribute_count;
+    if (restrict_child_process_creation)
+      ++attribute_count;
 
     HANDLE stdout_handle = policy_base->GetStdoutHandle();
     HANDLE stderr_handle = policy_base->GetStderrHandle();
 
     if (stdout_handle != INVALID_HANDLE_VALUE)
       inherited_handle_list.push_back(stdout_handle);
 
     // Handles in the list must be unique.
     if (stderr_handle != stdout_handle && stderr_handle != INVALID_HANDLE_VALUE)
       inherited_handle_list.push_back(stderr_handle);
@@ skipping 16 matching lines @@
     }
 
     if (mitigations) {
       if (!startup_info.UpdateProcThreadAttribute(
                PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &mitigations,
                mitigations_size)) {
         return SBOX_ERROR_PROC_THREAD_ATTRIBUTES;
       }
     }
 
+    if (restrict_child_process_creation) {
+      if (!startup_info.UpdateProcThreadAttribute(
+              PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY,
+              &child_process_creation, sizeof(child_process_creation))) {
+        return SBOX_ERROR_PROC_THREAD_ATTRIBUTES;
+      }
+    }
+
     if (inherited_handle_list.size()) {
       if (!startup_info.UpdateProcThreadAttribute(
               PROC_THREAD_ATTRIBUTE_HANDLE_LIST,
               &inherited_handle_list[0],
               sizeof(HANDLE) * inherited_handle_list.size())) {
         return SBOX_ERROR_PROC_THREAD_ATTRIBUTES;
       }
       startup_info.startup_info()->dwFlags |= STARTF_USESTDHANDLES;
       startup_info.startup_info()->hStdInput = INVALID_HANDLE_VALUE;
       startup_info.startup_info()->hStdOutput = stdout_handle;
       startup_info.startup_info()->hStdError = stderr_handle;
       // Allowing inheritance of handles is only secure now that we
       // have limited which handles will be inherited.
       inherit_handles = true;
     }
   }
 
   // Construct the thread pool here in case it is expensive.
   // The thread pool is shared by all the targets
   if (NULL == thread_pool_)
     thread_pool_ = new Win2kThreadPool();
 
-  // Create the TargetProces object and spawn the target suspended. Note that
+  // Create the TargetProcess object and spawn the target suspended. Note that
   // Brokerservices does not own the target object. It is owned by the Policy.
   base::win::ScopedProcessInformation process_info;
   TargetProcess* target =
       new TargetProcess(initial_token.Pass(), lockdown_token.Pass(),
                         lowbox_token.Pass(), job.Get(), thread_pool_);
 
   DWORD win_result = target->Create(exe_path, command_line, inherit_handles,
                                     startup_info, &process_info);
 
   policy_base->ClearSharedHandles();
@@ skipping 111 matching lines @@
     return SBOX_ERROR_UNSUPPORTED;
 
   base::string16 name = LookupAppContainer(sid);
   if (name.empty())
     return SBOX_ERROR_INVALID_APP_CONTAINER;
 
   return DeleteAppContainer(sid);
 }
 
 }  // namespace sandbox