[Windows Sandbox] Turn on MITIGATION_EXTENSION_POINT_DISABLE for child processes.

chrome/browser/win/chrome_elf_init.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/win/chrome_elf_init.h"
 
 #include <stddef.h>
 
 #include "base/bind.h"
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram.h"
 #include "base/metrics/sparse_histogram.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/win/registry.h"
 #include "chrome/common/chrome_version.h"
 #include "chrome_elf/blacklist/blacklist.h"
 #include "chrome_elf/chrome_elf_constants.h"
 #include "chrome_elf/dll_hash/dll_hash.h"
 #include "components/variations/variations_associated_data.h"
 #include "content/public/browser/browser_thread.h"
+#include "content/public/common/content_features.h"
 
 const char kBrowserBlacklistTrialName[] = "BrowserBlacklist";
 const char kBrowserBlacklistTrialDisabledGroupName[] = "NoBlacklist";
 
 namespace {
 
 // How long to wait, in seconds, before reporting for the second (and last
 // time), what dlls were blocked from the browser process.
 const int kBlacklistReportingDelaySec = 600;
 
@@ skipping 71 matching lines @@
   ReportSuccessfulBlocks();
 
   // Schedule another task to report all successful interceptions later.
   // This time delay should be long enough to catch any dlls that attempt to
   // inject after Chrome has started up.
   content::BrowserThread::PostDelayedTask(
       content::BrowserThread::UI,
       FROM_HERE,
       base::Bind(&ReportSuccessfulBlocks),
       base::TimeDelta::FromSeconds(kBlacklistReportingDelaySec));
+
+  // Make sure the early finch emergency "off switch" for
+  // sandbox::MITIGATION_EXTENSION_POINT_DISABLE is set properly in reg.
+  // Note: the very existence of this key signals elf to not enable
+  // this mitigation on browser next start.
+  base::win::RegKey finch_security_registry_key(
+      HKEY_CURRENT_USER, elf_sec::kRegSecurityFinchPath, KEY_READ);
+
+  if (base::FeatureList::IsEnabled(features::kWinSboxDisableExtensionPoints)) {
+    if (finch_security_registry_key.Valid())
+      finch_security_registry_key.DeleteKey(L"");
+  } else {
+    if (!finch_security_registry_key.Valid())
+      finch_security_registry_key.Create(
+          HKEY_CURRENT_USER, elf_sec::kRegSecurityFinchPath, KEY_WRITE);
+  }
 }
 
 void BrowserBlacklistBeaconSetup() {
   base::win::RegKey blacklist_registry_key(HKEY_CURRENT_USER,
                                            blacklist::kRegistryBeaconPath,
                                            KEY_QUERY_VALUE | KEY_SET_VALUE);
 
   // No point in trying to continue if the registry key isn't valid.
   if (!blacklist_registry_key.Valid())
     return;
@@ skipping 47 matching lines @@
 
     blacklist_registry_key.WriteValue(blacklist::kBeaconAttemptCount,
                                       static_cast<DWORD>(0));
 
     // Only report the blacklist as getting setup when both registry writes
     // succeed, since otherwise the blacklist wasn't properly setup.
     if (set_version == ERROR_SUCCESS && set_state == ERROR_SUCCESS)
       RecordBlacklistSetupEvent(BLACKLIST_SETUP_ENABLED);
   }
 }