[Win10 sandbox mitigations] Four new Win10 mitigations added.

sandbox/win/src/broker_services.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/broker_services.h"
 
 #include <AclAPI.h>
 #include <stddef.h>
 
 #include "base/logging.h"
@@ skipping 312 matching lines @@
   if (SBOX_ALL_OK != result)
     return result;
 
   base::win::ScopedHandle job;
   result = policy_base->MakeJobObject(&job);
   if (SBOX_ALL_OK != result)
     return result;
 
   // Initialize the startup information from the policy.
   base::win::StartupInformation startup_info;
-  // The liftime of |mitigations| and |inherit_handle_list| have to be at least
-  // as long as |startup_info| because |UpdateProcThreadAttribute| requires that
+  // The liftime of |mitigations|, |inherit_handle_list| and
+  // |child_process_creation| have to be at least as long as
+  // |startup_info| because |UpdateProcThreadAttribute| requires that
   // its |lpValue| parameter persist until |DeleteProcThreadAttributeList| is
   // called; StartupInformation's destructor makes such a call.
   DWORD64 mitigations;
-
   std::vector<HANDLE> inherited_handle_list;
+  DWORD child_process_creation = PROCESS_CREATION_CHILD_PROCESS_RESTRICTED;
 
   base::string16 desktop = policy_base->GetAlternateDesktop();
   if (!desktop.empty()) {
     startup_info.startup_info()->lpDesktop =
         const_cast<wchar_t*>(desktop.c_str());
   }
 
   bool inherit_handles = false;
 
   if (base::win::GetVersion() >= base::win::VERSION_VISTA) {
     int attribute_count = 0;
     const AppContainerAttributes* app_container =
         policy_base->GetAppContainer();
     if (app_container)
       ++attribute_count;
 
     size_t mitigations_size;
-    ConvertProcessMitigationsToPolicy(policy->GetProcessMitigations(),
+    ConvertProcessMitigationsToPolicy(policy_base->GetProcessMitigations(),
                                       &mitigations, &mitigations_size);
     if (mitigations)
       ++attribute_count;
 
+    bool restrict_child_process_creation = false;
+    if (base::win::GetVersion() >= base::win::VERSION_WIN10_TH2 &&
+        policy_base->GetJobLevel() <= JOB_LIMITED_USER) {
+      restrict_child_process_creation = true;
+      ++attribute_count;
+    }
+
     HANDLE stdout_handle = policy_base->GetStdoutHandle();
     HANDLE stderr_handle = policy_base->GetStderrHandle();
 
     if (stdout_handle != INVALID_HANDLE_VALUE)
       inherited_handle_list.push_back(stdout_handle);
 
     // Handles in the list must be unique.
     if (stderr_handle != stdout_handle && stderr_handle != INVALID_HANDLE_VALUE)
       inherited_handle_list.push_back(stderr_handle);
 
@@ skipping 15 matching lines @@
     }
 
     if (mitigations) {
       if (!startup_info.UpdateProcThreadAttribute(
                PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &mitigations,
                mitigations_size)) {
         return SBOX_ERROR_PROC_THREAD_ATTRIBUTES;
       }
     }
 
+    if (restrict_child_process_creation) {
+      if (!startup_info.UpdateProcThreadAttribute(
+              PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY,
+              &child_process_creation, sizeof(child_process_creation))) {
+        return SBOX_ERROR_PROC_THREAD_ATTRIBUTES;
+      }
+    }
+
     if (inherited_handle_list.size()) {
       if (!startup_info.UpdateProcThreadAttribute(
               PROC_THREAD_ATTRIBUTE_HANDLE_LIST,
               &inherited_handle_list[0],
               sizeof(HANDLE) * inherited_handle_list.size())) {
         return SBOX_ERROR_PROC_THREAD_ATTRIBUTES;
       }
       startup_info.startup_info()->dwFlags |= STARTF_USESTDHANDLES;
       startup_info.startup_info()->hStdInput = INVALID_HANDLE_VALUE;
       startup_info.startup_info()->hStdOutput = stdout_handle;
       startup_info.startup_info()->hStdError = stderr_handle;
       // Allowing inheritance of handles is only secure now that we
       // have limited which handles will be inherited.
       inherit_handles = true;
     }
   }
 
   // Construct the thread pool here in case it is expensive.
   // The thread pool is shared by all the targets
   if (NULL == thread_pool_)
     thread_pool_ = new Win2kThreadPool();
 
-  // Create the TargetProces object and spawn the target suspended. Note that
+  // Create the TargetProcess object and spawn the target suspended. Note that
   // Brokerservices does not own the target object. It is owned by the Policy.
   base::win::ScopedProcessInformation process_info;
   TargetProcess* target =
       new TargetProcess(initial_token.Pass(), lockdown_token.Pass(),
                         lowbox_token.Pass(), job.Get(), thread_pool_);
 
   DWORD win_result = target->Create(exe_path, command_line, inherit_handles,
                                     startup_info, &process_info);
 
   policy_base->ClearSharedHandles();
@@ skipping 111 matching lines @@
     return SBOX_ERROR_UNSUPPORTED;
 
   base::string16 name = LookupAppContainer(sid);
   if (name.empty())
     return SBOX_ERROR_INVALID_APP_CONTAINER;
 
   return DeleteAppContainer(sid);
 }
 
 }  // namespace sandbox