| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/win/src/process_mitigations.h" | 5 #include "sandbox/win/src/process_mitigations.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 | 10 |
| (...skipping 119 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 130 PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY policy = {}; | 130 PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY policy = {}; |
| 131 policy.DisallowWin32kSystemCalls = true; | 131 policy.DisallowWin32kSystemCalls = true; |
| 132 | 132 |
| 133 if (!set_process_mitigation_policy(ProcessSystemCallDisablePolicy, &policy, | 133 if (!set_process_mitigation_policy(ProcessSystemCallDisablePolicy, &policy, |
| 134 sizeof(policy)) && | 134 sizeof(policy)) && |
| 135 ERROR_ACCESS_DENIED != ::GetLastError()) { | 135 ERROR_ACCESS_DENIED != ::GetLastError()) { |
| 136 return false; | 136 return false; |
| 137 } | 137 } |
| 138 } | 138 } |
| 139 | 139 |
| 140 // Enable dll extension policies. | 140 // Enable extension point policies. |
| 141 if (flags & MITIGATION_EXTENSION_DLL_DISABLE) { | 141 if (flags & MITIGATION_EXTENSION_POINT_DISABLE) { |
| 142 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; | 142 PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {}; |
| 143 policy.DisableExtensionPoints = true; | 143 policy.DisableExtensionPoints = true; |
| 144 | 144 |
| 145 if (!set_process_mitigation_policy(ProcessExtensionPointDisablePolicy, | 145 if (!set_process_mitigation_policy(ProcessExtensionPointDisablePolicy, |
| 146 &policy, sizeof(policy)) && | 146 &policy, sizeof(policy)) && |
| 147 ERROR_ACCESS_DENIED != ::GetLastError()) { | 147 ERROR_ACCESS_DENIED != ::GetLastError()) { |
| 148 return false; | 148 return false; |
| 149 } | 149 } |
| 150 } | 150 } |
| 151 | 151 |
| (...skipping 95 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 247 if (flags & MITIGATION_STRICT_HANDLE_CHECKS) { | 247 if (flags & MITIGATION_STRICT_HANDLE_CHECKS) { |
| 248 *policy_flags |= | 248 *policy_flags |= |
| 249 PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON; | 249 PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON; |
| 250 } | 250 } |
| 251 | 251 |
| 252 if (flags & MITIGATION_WIN32K_DISABLE) { | 252 if (flags & MITIGATION_WIN32K_DISABLE) { |
| 253 *policy_flags |= | 253 *policy_flags |= |
| 254 PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON; | 254 PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON; |
| 255 } | 255 } |
| 256 | 256 |
| 257 if (flags & MITIGATION_EXTENSION_DLL_DISABLE) { | 257 if (flags & MITIGATION_EXTENSION_POINT_DISABLE) { |
| 258 *policy_flags |= | 258 *policy_flags |= |
| 259 PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON; | 259 PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON; |
| 260 } | 260 } |
| 261 | 261 |
| 262 if (version < base::win::VERSION_WIN10) | 262 if (version < base::win::VERSION_WIN10) |
| 263 return; | 263 return; |
| 264 | 264 |
| 265 if (flags & MITIGATION_NONSYSTEM_FONT_DISABLE) { | 265 if (flags & MITIGATION_NONSYSTEM_FONT_DISABLE) { |
| 266 *policy_flags |= PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON; | 266 *policy_flags |= PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON; |
| 267 } | 267 } |
| (...skipping 58 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 326 // All of these mitigations can be enabled after startup. | 326 // All of these mitigations can be enabled after startup. |
| 327 return !( | 327 return !( |
| 328 flags & | 328 flags & |
| 329 ~(MITIGATION_HEAP_TERMINATE | | 329 ~(MITIGATION_HEAP_TERMINATE | |
| 330 MITIGATION_DEP | | 330 MITIGATION_DEP | |
| 331 MITIGATION_DEP_NO_ATL_THUNK | | 331 MITIGATION_DEP_NO_ATL_THUNK | |
| 332 MITIGATION_RELOCATE_IMAGE | | 332 MITIGATION_RELOCATE_IMAGE | |
| 333 MITIGATION_RELOCATE_IMAGE_REQUIRED | | 333 MITIGATION_RELOCATE_IMAGE_REQUIRED | |
| 334 MITIGATION_BOTTOM_UP_ASLR | | 334 MITIGATION_BOTTOM_UP_ASLR | |
| 335 MITIGATION_STRICT_HANDLE_CHECKS | | 335 MITIGATION_STRICT_HANDLE_CHECKS | |
| 336 MITIGATION_EXTENSION_DLL_DISABLE | | 336 MITIGATION_EXTENSION_POINT_DISABLE | |
| 337 MITIGATION_DLL_SEARCH_ORDER | | 337 MITIGATION_DLL_SEARCH_ORDER | |
| 338 MITIGATION_HARDEN_TOKEN_IL_POLICY | | 338 MITIGATION_HARDEN_TOKEN_IL_POLICY | |
| 339 MITIGATION_WIN32K_DISABLE | | 339 MITIGATION_WIN32K_DISABLE | |
| 340 MITIGATION_NONSYSTEM_FONT_DISABLE | | 340 MITIGATION_NONSYSTEM_FONT_DISABLE | |
| 341 MITIGATION_IMAGE_LOAD_NO_REMOTE | | 341 MITIGATION_IMAGE_LOAD_NO_REMOTE | |
| 342 MITIGATION_IMAGE_LOAD_NO_LOW_LABEL)); | 342 MITIGATION_IMAGE_LOAD_NO_LOW_LABEL)); |
| 343 } | 343 } |
| 344 | 344 |
| 345 bool CanSetProcessMitigationsPreStartup(MitigationFlags flags) { | 345 bool CanSetProcessMitigationsPreStartup(MitigationFlags flags) { |
| 346 // These mitigations cannot be enabled prior to startup. | 346 // These mitigations cannot be enabled prior to startup. |
| 347 return !(flags & (MITIGATION_STRICT_HANDLE_CHECKS | | 347 return !(flags & (MITIGATION_STRICT_HANDLE_CHECKS | |
| 348 MITIGATION_DLL_SEARCH_ORDER)); | 348 MITIGATION_DLL_SEARCH_ORDER)); |
| 349 } | 349 } |
| 350 | 350 |
| 351 } // namespace sandbox | 351 } // namespace sandbox |
| 352 | 352 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1835003003:
[Windows Sandbox] MITIGATION_EXTENSION_POINT_DISABLE support for children. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master