Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(6940)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: chrome_elf/chrome_elf_util.cc

Issue 1656453002: [Chrome ELF] Early browser security support. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: test Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « chrome_elf/chrome_elf_util.h ('k') | chrome_elf/chrome_elf_util_unittest.cc » ('j') | chrome_elf/chrome_elf_util_unittest.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: chrome_elf/chrome_elf_util.cc
diff --git a/chrome_elf/chrome_elf_util.cc b/chrome_elf/chrome_elf_util.cc
index a3fd727e9d2ebdf54d795bf3bd3b76e0d97bca86..1c2855206886f00043a6b5f220572390f558e29f 100644
--- a/chrome_elf/chrome_elf_util.cc
+++ b/chrome_elf/chrome_elf_util.cc
@@ -5,8 +5,9 @@
#include "chrome_elf/chrome_elf_util.h"
#include <assert.h>
-#include <windows.h>
#include <stddef.h>
+#include <windows.h>
+#include <versionhelpers.h> // windows.h must be before
#include "base/macros.h"
#include "base/strings/string16.h"
@@ -222,3 +223,42 @@ bool IsNonBrowserProcess() {
assert(g_process_type != ProcessType::UNINITIALIZED);
return g_process_type == ProcessType::NON_BROWSER_PROCESS;
}
+
+typedef decltype(SetProcessMitigationPolicy)* SetProcessMitigationPolicyFunc;
robertshield 2016/04/12 20:53:12 Any reason not to keep this typedef inside the sco
penny 2016/04/15 18:03:51 Done.
+
+void EarlyBrowserSecurity() {
+ // This function is called from within DllMain.
+ // Don't do anything naughty while we have the loader lock.
+ NTSTATUS ret_val;
robertshield 2016/04/12 20:53:12 initialize to STATUS_SUCCESS
penny 2016/04/15 18:03:51 Done.
+ HANDLE handle;
robertshield 2016/04/12 20:53:12 initialize this to NULL
penny 2016/04/15 18:03:51 Done.
+
+ // Check for kRegistrySecurityFinchPath. If it exists,
+ // we do NOT disable extension points. (Emergency off flag.)
+ if (nt::OpenRegKey(nt::HKCU, elf_sec::kRegSecurityFinchPath, KEY_QUERY_VALUE,
+ &handle, &ret_val)) {
+ nt::CloseRegKey(handle);
+ return;
+ }
+#ifdef _DEBUG
+ // The only failure expected is for the path not existing.
+ if (ret_val != STATUS_OBJECT_NAME_NOT_FOUND)
+ assert(false);
+#endif
+
+ if (::IsWindows8OrGreater()) {
+ SetProcessMitigationPolicyFunc set_process_mitigation_policy =
+ reinterpret_cast<SetProcessMitigationPolicyFunc>(::GetProcAddress(
+ ::GetModuleHandleW(L"kernel32.dll"), "SetProcessMitigationPolicy"));
+ if (set_process_mitigation_policy) {
+ // Disable extension points in this process.
+ // (Legacy hooking.)
+ PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {};
+ policy.DisableExtensionPoints = true;
+
+ set_process_mitigation_policy(ProcessExtensionPointDisablePolicy, &policy,
+ sizeof(policy));
+ }
+ }
+
+ return;
+}
« no previous file with comments | « chrome_elf/chrome_elf_util.h ('k') | chrome_elf/chrome_elf_util_unittest.cc » ('j') | chrome_elf/chrome_elf_util_unittest.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698