
Unified Diff: sandbox/win/src/broker_services.cc

Issue 1626623003: [Win10 sandbox mitigations] Four new Win10 mitigations added. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 11 months ago
Index: sandbox/win/src/broker_services.cc
diff --git a/sandbox/win/src/broker_services.cc b/sandbox/win/src/broker_services.cc
index c3df2efc96c42423ffc3deac2d987e7fd7f05119..5aa4f4055e9a2079bfaf194ebed51164a7c01f03 100644
--- a/sandbox/win/src/broker_services.cc
+++ b/sandbox/win/src/broker_services.cc
@@ -330,13 +330,14 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
// Initialize the startup information from the policy.
base::win::StartupInformation startup_info;
- // The liftime of |mitigations| and |inherit_handle_list| have to be at least
+ // The liftime of |mitigations|, |inherit_handle_list| and
+ // |child_process_creation| have to be at least
// as long as |startup_info| because |UpdateProcThreadAttribute| requires that
// its |lpValue| parameter persist until |DeleteProcThreadAttributeList| is
// called; StartupInformation's destructor makes such a call.
DWORD64 mitigations;
-
std::vector<HANDLE> inherited_handle_list;
+ DWORD child_process_creation = PROCESS_CREATION_CHILD_PROCESS_RESTRICTED;
jschuh 2016/01/25 23:53:51 This feels awkward. The job object already has fla
penny 2016/01/26 22:37:10 Acknowledged. See my comments on this.
base::string16 desktop = policy_base->GetAlternateDesktop();
if (!desktop.empty()) {
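Review bot: The rewritten lifetime comment on the two added lines keeps the pre-existing typo "liftime", and it refers to |inherit_handle_list| while the variable declared two lines below is `inherited_handle_list`; since this commit already fixes "TargetProces" further down, the comment should read `// The lifetime of |mitigations|, |inherited_handle_list| and` followed by `// |child_process_creation| have to be at least`. The lifetime requirement itself is correctly extended: `child_process_creation` is passed by address to UpdateProcThreadAttribute later in the change, so it must outlive `startup_info` like the other two. SpawnTarget starts before and continues past this hunk.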
@@ -354,10 +355,14 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
++attribute_count;
size_t mitigations_size;
+ bool restrict_child_process_creation;
ConvertProcessMitigationsToPolicy(policy->GetProcessMitigations(),
- &mitigations, &mitigations_size);
+ &mitigations, &mitigations_size,
+ &restrict_child_process_creation);
if (mitigations)
++attribute_count;
+ if (restrict_child_process_creation)
+ ++attribute_count;
HANDLE stdout_handle = policy_base->GetStdoutHandle();
HANDLE stderr_handle = policy_base->GetStderrHandle();
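Review bot: `bool restrict_child_process_creation;` is declared without an initializer and is then read in `if (restrict_child_process_creation)`; whether ConvertProcessMitigationsToPolicy writes it on every path (including early returns) is not visible here, and if it does not, the read is of an indeterminate value and the attribute count silently diverges from the attributes actually set. Initializing it defensively, `bool restrict_child_process_creation = false;`, costs nothing and makes the "no restriction" default explicit; the pre-existing `DWORD64 mitigations;` has the same shape and could get `= 0` at the same time. SpawnTarget starts before and continues past this hunk.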
@@ -394,6 +399,14 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
}
}
+ if (restrict_child_process_creation) {
+ if (!startup_info.UpdateProcThreadAttribute(
+ PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY,
+ &child_process_creation, sizeof(child_process_creation))) {
+ return SBOX_ERROR_PROC_THREAD_ATTRIBUTES;
+ }
+ }
+
if (inherited_handle_list.size()) {
if (!startup_info.UpdateProcThreadAttribute(
PROC_THREAD_ATTRIBUTE_HANDLE_LIST,
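Review bot: The new block that sets PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY has no comment saying why child-process restriction gets its own attribute instead of being folded into the |mitigations| value passed under the mitigation-policy attribute, which is the first question a reader will ask given that the flag comes out of ConvertProcessMitigationsToPolicy. A one-line comment above the `if` would settle it, e.g. `// Child process restriction is a separate proc-thread attribute, not a bit in the mitigation policy, so it is applied on its own.` The guard matches the `++attribute_count` added in the earlier hunk, so the attribute list size stays consistent; the rest of SpawnTarget lies outside this hunk.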
@@ -416,7 +429,7 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
if (NULL == thread_pool_)
thread_pool_ = new Win2kThreadPool();
- // Create the TargetProces object and spawn the target suspended. Note that
+ // Create the TargetProcess object and spawn the target suspended. Note that
// Brokerservices does not own the target object. It is owned by the Policy.
base::win::ScopedProcessInformation process_info;
TargetProcess* target =
