Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(418)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/common/sandbox_win.cc

Issue 1846813003: Enable default DACL lockdown for sandboxed processes. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@fix_gpu_to_renderer
Patch Set: Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/common/sandbox_win.h" 5 #include "content/common/sandbox_win.h"
6 6
7 #include <stddef.h> 7 #include <stddef.h>
8 8
9 #include <string> 9 #include <string>
10 10
(...skipping 396 matching lines...) Expand 10 before | Expand all | Expand 10 after
407 if (base::win::GetVersion() > base::win::VERSION_XP) { 407 if (base::win::GetVersion() > base::win::VERSION_XP) {
408 // On 2003/Vista the initial token has to be restricted if the main 408 // On 2003/Vista the initial token has to be restricted if the main
409 // token is restricted. 409 // token is restricted.
410 initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS; 410 initial_token = sandbox::USER_RESTRICTED_SAME_ACCESS;
411 } 411 }
412 412
413 policy->SetTokenLevel(initial_token, sandbox::USER_LOCKDOWN); 413 policy->SetTokenLevel(initial_token, sandbox::USER_LOCKDOWN);
414 // Prevents the renderers from manipulating low-integrity processes. 414 // Prevents the renderers from manipulating low-integrity processes.
415 policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED); 415 policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
416 policy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW); 416 policy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
417 policy->SetLockdownDefaultDacl();
417 418
418 if (sandbox::SBOX_ALL_OK != policy->SetAlternateDesktop(true)) { 419 if (sandbox::SBOX_ALL_OK != policy->SetAlternateDesktop(true)) {
419 DLOG(WARNING) << "Failed to apply desktop security to the renderer"; 420 DLOG(WARNING) << "Failed to apply desktop security to the renderer";
420 } 421 }
421 422
422 return true; 423 return true;
423 } 424 }
424 425
425 // Updates the command line arguments with debug-related flags. If debug flags 426 // Updates the command line arguments with debug-related flags. If debug flags
426 // have been used with this process, they will be filtered and added to 427 // have been used with this process, they will be filtered and added to
(...skipping 451 matching lines...) Expand 10 before | Expand all | Expand 10 after
878 } 879 }
879 880
880 return false; 881 return false;
881 } 882 }
882 883
883 bool BrokerAddTargetPeer(HANDLE peer_process) { 884 bool BrokerAddTargetPeer(HANDLE peer_process) {
884 return g_broker_services->AddTargetPeer(peer_process) == sandbox::SBOX_ALL_OK; 885 return g_broker_services->AddTargetPeer(peer_process) == sandbox::SBOX_ALL_OK;
885 } 886 }
886 887
887 } // namespace content 888 } // namespace content
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698