Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(877)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: sandbox/win/src/broker_services.cc

Issue 1626623003: [Win10 sandbox mitigations] Four new Win10 mitigations added. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Code review changes, part 2. Created 4 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « content/common/sandbox_win.cc ('k') | sandbox/win/src/process_mitigations.h » ('j') | sandbox/win/src/process_mitigations_test.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: sandbox/win/src/broker_services.cc
diff --git a/sandbox/win/src/broker_services.cc b/sandbox/win/src/broker_services.cc
index c3df2efc96c42423ffc3deac2d987e7fd7f05119..39103c1236ad3a6bd7e6df759cb3efc2a0a92f23 100644
--- a/sandbox/win/src/broker_services.cc
+++ b/sandbox/win/src/broker_services.cc
@@ -330,13 +330,14 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
// Initialize the startup information from the policy.
base::win::StartupInformation startup_info;
- // The liftime of |mitigations| and |inherit_handle_list| have to be at least
- // as long as |startup_info| because |UpdateProcThreadAttribute| requires that
+ // The liftime of |mitigations|, |inherit_handle_list| and
+ // |child_process_creation| have to be at least as long as
+ // |startup_info| because |UpdateProcThreadAttribute| requires that
// its |lpValue| parameter persist until |DeleteProcThreadAttributeList| is
// called; StartupInformation's destructor makes such a call.
DWORD64 mitigations;
-
std::vector<HANDLE> inherited_handle_list;
+ DWORD child_process_creation = PROCESS_CREATION_CHILD_PROCESS_RESTRICTED;
base::string16 desktop = policy_base->GetAlternateDesktop();
if (!desktop.empty()) {
@@ -359,6 +360,13 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
if (mitigations)
++attribute_count;
+ bool restrict_child_process_creation = false;
+ if (base::win::GetVersion() >= base::win::VERSION_WIN10_TH2 &&
+ policy->GetJobLevel() <= JOB_LIMITED_USER) {
Will Harris 2016/01/27 02:04:26 policy_base
penny 2016/01/28 19:25:15 Done. Good one. I was copying the call to Conver
+ restrict_child_process_creation = true;
+ ++attribute_count;
+ }
+
HANDLE stdout_handle = policy_base->GetStdoutHandle();
HANDLE stderr_handle = policy_base->GetStderrHandle();
@@ -394,6 +402,14 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
}
}
+ if (restrict_child_process_creation) {
+ if (!startup_info.UpdateProcThreadAttribute(
+ PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY,
+ &child_process_creation, sizeof(child_process_creation))) {
+ return SBOX_ERROR_PROC_THREAD_ATTRIBUTES;
+ }
+ }
+
if (inherited_handle_list.size()) {
if (!startup_info.UpdateProcThreadAttribute(
PROC_THREAD_ATTRIBUTE_HANDLE_LIST,
@@ -416,7 +432,7 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
if (NULL == thread_pool_)
thread_pool_ = new Win2kThreadPool();
- // Create the TargetProces object and spawn the target suspended. Note that
+ // Create the TargetProcess object and spawn the target suspended. Note that
// Brokerservices does not own the target object. It is owned by the Policy.
base::win::ScopedProcessInformation process_info;
TargetProcess* target =
« no previous file with comments | « content/common/sandbox_win.cc ('k') | sandbox/win/src/process_mitigations.h » ('j') | sandbox/win/src/process_mitigations_test.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698