| OLD | NEW |
|---|
| 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef SANDBOX_SRC_SECURITY_LEVEL_H_ | 5 #ifndef SANDBOX_SRC_SECURITY_LEVEL_H_ |
| 6 #define SANDBOX_SRC_SECURITY_LEVEL_H_ | 6 #define SANDBOX_SRC_SECURITY_LEVEL_H_ |
| 7 | 7 |
| 8 #include <stdint.h> | 8 #include <stdint.h> |
| 9 | 9 |
| 10 namespace sandbox { | 10 namespace sandbox { |
| (...skipping 169 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 180 | 180 |
| 181 // Immediately raises an exception on a bad handle reference. Must be | 181 // Immediately raises an exception on a bad handle reference. Must be |
| 182 // enabled after startup. Corresponds to | 182 // enabled after startup. Corresponds to |
| 183 // PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON. | 183 // PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON. |
| 184 const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100; | 184 const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100; |
| 185 | 185 |
| 186 // Prevents the process from making Win32k calls. Corresponds to | 186 // Prevents the process from making Win32k calls. Corresponds to |
| 187 // PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON. | 187 // PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON. |
| 188 const MitigationFlags MITIGATION_WIN32K_DISABLE = 0x00000200; | 188 const MitigationFlags MITIGATION_WIN32K_DISABLE = 0x00000200; |
| 189 | 189 |
| 190 // Disables common DLL injection methods (e.g. window hooks and | 190 // Prevents certain built-in third party extension points from being used. |
| 191 // App_InitDLLs). Corresponds to | 191 // - App_Init DLLs |
| 192 // - Winsock Layered Service Providers (LSPs) |
| 193 // - Global Windows Hooks (NOT thread-targeted hooks) |
| 194 // - Legacy Input Method Editors (IMEs). |
| 195 // I.e.: Disable legacy hooking mechanisms. Corresponds to |
| 192 // PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON. | 196 // PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON. |
| 193 const MitigationFlags MITIGATION_EXTENSION_DLL_DISABLE = 0x00000400; | 197 const MitigationFlags MITIGATION_EXTENSION_POINT_DISABLE = 0x00000400; |
| 194 | 198 |
| 195 // Prevents the process from loading non-system fonts into GDI. | 199 // Prevents the process from loading non-system fonts into GDI. |
| 196 // Corresponds to | 200 // Corresponds to |
| 197 // PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON | 201 // PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON |
| 198 const MitigationFlags MITIGATION_NONSYSTEM_FONT_DISABLE = 0x00000800; | 202 const MitigationFlags MITIGATION_NONSYSTEM_FONT_DISABLE = 0x00000800; |
| 199 | 203 |
| 200 // Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional | 204 // Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional |
| 201 // directories can be added via the Windows AddDllDirectory() function. | 205 // directories can be added via the Windows AddDllDirectory() function. |
| 202 // http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515 | 206 // http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515 |
| 203 // Must be enabled after startup. | 207 // Must be enabled after startup. |
| 204 const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000001ULL << 32; | 208 const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000001ULL << 32; |
| 205 | 209 |
| 206 // Changes the mandatory integrity level policy on the current process' token | 210 // Changes the mandatory integrity level policy on the current process' token |
| 207 // to enable no-read and no-execute up. This prevents a lower IL process from | 211 // to enable no-read and no-execute up. This prevents a lower IL process from |
| 208 // opening the process token for impersonate/duplicate/assignment. | 212 // opening the process token for impersonate/duplicate/assignment. |
| 209 const MitigationFlags MITIGATION_HARDEN_TOKEN_IL_POLICY = 0x00000001ULL << 33; | 213 const MitigationFlags MITIGATION_HARDEN_TOKEN_IL_POLICY = 0x00000001ULL << 33; |
| 210 | 214 |
| 211 // Blocks mapping of images from remote devices. Corresponds to | 215 // Blocks mapping of images from remote devices. Corresponds to |
| 212 // PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON. | 216 // PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON. |
| 213 const MitigationFlags MITIGATION_IMAGE_LOAD_NO_REMOTE = 0x00000001ULL << 52; | 217 const MitigationFlags MITIGATION_IMAGE_LOAD_NO_REMOTE = 0x00000001ULL << 52; |
| 214 | 218 |
| 215 // Blocks mapping of images that have the low manditory label. Corresponds to | 219 // Blocks mapping of images that have the low manditory label. Corresponds to |
| 216 // PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_ON. | 220 // PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_ON. |
| 217 const MitigationFlags MITIGATION_IMAGE_LOAD_NO_LOW_LABEL = 0x00000001ULL << 56; | 221 const MitigationFlags MITIGATION_IMAGE_LOAD_NO_LOW_LABEL = 0x00000001ULL << 56; |
| 218 | 222 |
| 219 } // namespace sandbox | 223 } // namespace sandbox |
| 220 | 224 |
| 221 #endif // SANDBOX_SRC_SECURITY_LEVEL_H_ | 225 #endif // SANDBOX_SRC_SECURITY_LEVEL_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1835003003:
[Windows Sandbox] MITIGATION_EXTENSION_POINT_DISABLE support for children. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master