Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(303)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: sandbox/win/src/security_level.h

Issue 1626623003: [Win10 sandbox mitigations] Four new Win10 mitigations added. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Code review changes, part 5. "Fix the nit." Created 4 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « sandbox/win/src/sandbox_policy_base.cc ('k') | sandbox/win/tests/common/controller.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef SANDBOX_SRC_SECURITY_LEVEL_H_ 5 #ifndef SANDBOX_SRC_SECURITY_LEVEL_H_
6 #define SANDBOX_SRC_SECURITY_LEVEL_H_ 6 #define SANDBOX_SRC_SECURITY_LEVEL_H_
7 7
8 #include <stdint.h> 8 #include <stdint.h>
9 9
10 namespace sandbox { 10 namespace sandbox {
(...skipping 165 matching lines...) Expand 10 before | Expand all | Expand 10 after
176 // enabled prior to process start and with MITIGATION_BOTTOM_UP_ASLR. 176 // enabled prior to process start and with MITIGATION_BOTTOM_UP_ASLR.
177 // Corresponds to 177 // Corresponds to
178 // PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON 178 // PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON
179 const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR = 0x00000080; 179 const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR = 0x00000080;
180 180
181 // Immediately raises an exception on a bad handle reference. Must be 181 // Immediately raises an exception on a bad handle reference. Must be
182 // enabled after startup. Corresponds to 182 // enabled after startup. Corresponds to
183 // PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON. 183 // PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON.
184 const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100; 184 const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100;
185 185
186 // Prevents the process from making Win32k calls. Must be enabled after 186 // Prevents the process from making Win32k calls. Corresponds to
187 // startup. Corresponds to
188 // PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON. 187 // PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON.
189 const MitigationFlags MITIGATION_WIN32K_DISABLE = 0x00000200; 188 const MitigationFlags MITIGATION_WIN32K_DISABLE = 0x00000200;
190 189
191 // Disables common DLL injection methods (e.g. window hooks and 190 // Disables common DLL injection methods (e.g. window hooks and
192 // App_InitDLLs). Corresponds to 191 // App_InitDLLs). Corresponds to
193 // PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON. 192 // PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON.
194 const MitigationFlags MITIGATION_EXTENSION_DLL_DISABLE = 0x00000400; 193 const MitigationFlags MITIGATION_EXTENSION_DLL_DISABLE = 0x00000400;
195 194
195 // Prevents the process from loading non-system fonts into GDI.
196 // Corresponds to
197 // PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON
198 const MitigationFlags MITIGATION_NONSYSTEM_FONT_DISABLE = 0x00000800;
199
196 // Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional 200 // Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional
197 // directories can be added via the Windows AddDllDirectory() function. 201 // directories can be added via the Windows AddDllDirectory() function.
198 // http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515 202 // http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515
199 // Must be enabled after startup. 203 // Must be enabled after startup.
200 const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000001ULL << 32; 204 const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000001ULL << 32;
201 205
202 // Changes the mandatory integrity level policy on the current process' token 206 // Changes the mandatory integrity level policy on the current process' token
203 // to enable no-read and no-execute up. This prevents a lower IL process from 207 // to enable no-read and no-execute up. This prevents a lower IL process from
204 // opening the process token for impersonate/duplicate/assignment. 208 // opening the process token for impersonate/duplicate/assignment.
205 const MitigationFlags MITIGATION_HARDEN_TOKEN_IL_POLICY = 0x00000001ULL << 33; 209 const MitigationFlags MITIGATION_HARDEN_TOKEN_IL_POLICY = 0x00000001ULL << 33;
206 210
211 // Blocks mapping of images from remote devices. Corresponds to
212 // PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON.
213 const MitigationFlags MITIGATION_IMAGE_LOAD_NO_REMOTE = 0x00000001ULL << 52;
214
215 // Blocks mapping of images that have the low manditory label. Corresponds to
216 // PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_ON.
217 const MitigationFlags MITIGATION_IMAGE_LOAD_NO_LOW_LABEL = 0x00000001ULL << 56;
218
207 } // namespace sandbox 219 } // namespace sandbox
208 220
209 #endif // SANDBOX_SRC_SECURITY_LEVEL_H_ 221 #endif // SANDBOX_SRC_SECURITY_LEVEL_H_
OLDNEW
« no previous file with comments | « sandbox/win/src/sandbox_policy_base.cc ('k') | sandbox/win/tests/common/controller.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698