| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/common/sandbox_win.h" | 5 #include "content/common/sandbox_win.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 | 8 |
| 9 #include <string> | 9 #include <string> |
| 10 | 10 |
| (...skipping 13 matching lines...) Expand all Loading... |
| 24 #include "base/strings/string_util.h" | 24 #include "base/strings/string_util.h" |
| 25 #include "base/strings/stringprintf.h" | 25 #include "base/strings/stringprintf.h" |
| 26 #include "base/trace_event/trace_event.h" | 26 #include "base/trace_event/trace_event.h" |
| 27 #include "base/win/iat_patch_function.h" | 27 #include "base/win/iat_patch_function.h" |
| 28 #include "base/win/scoped_handle.h" | 28 #include "base/win/scoped_handle.h" |
| 29 #include "base/win/scoped_process_information.h" | 29 #include "base/win/scoped_process_information.h" |
| 30 #include "base/win/win_util.h" | 30 #include "base/win/win_util.h" |
| 31 #include "base/win/windows_version.h" | 31 #include "base/win/windows_version.h" |
| 32 #include "content/common/content_switches_internal.h" | 32 #include "content/common/content_switches_internal.h" |
| 33 #include "content/public/common/content_client.h" | 33 #include "content/public/common/content_client.h" |
| 34 #include "content/public/common/content_features.h" |
| 34 #include "content/public/common/content_switches.h" | 35 #include "content/public/common/content_switches.h" |
| 35 #include "content/public/common/sandbox_init.h" | 36 #include "content/public/common/sandbox_init.h" |
| 36 #include "content/public/common/sandboxed_process_launcher_delegate.h" | 37 #include "content/public/common/sandboxed_process_launcher_delegate.h" |
| 37 #include "sandbox/win/src/process_mitigations.h" | 38 #include "sandbox/win/src/process_mitigations.h" |
| 38 #include "sandbox/win/src/sandbox.h" | 39 #include "sandbox/win/src/sandbox.h" |
| 39 #include "sandbox/win/src/sandbox_nt_util.h" | 40 #include "sandbox/win/src/sandbox_nt_util.h" |
| 40 #include "sandbox/win/src/sandbox_policy_base.h" | 41 #include "sandbox/win/src/sandbox_policy_base.h" |
| 41 #include "sandbox/win/src/win_utils.h" | 42 #include "sandbox/win/src/win_utils.h" |
| 42 | 43 |
| 43 #if !defined(NACL_WIN64) | 44 #if !defined(NACL_WIN64) |
| (...skipping 673 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 717 sandbox::MitigationFlags mitigations = | 718 sandbox::MitigationFlags mitigations = |
| 718 sandbox::MITIGATION_HEAP_TERMINATE | | 719 sandbox::MITIGATION_HEAP_TERMINATE | |
| 719 sandbox::MITIGATION_BOTTOM_UP_ASLR | | 720 sandbox::MITIGATION_BOTTOM_UP_ASLR | |
| 720 sandbox::MITIGATION_DEP | | 721 sandbox::MITIGATION_DEP | |
| 721 sandbox::MITIGATION_DEP_NO_ATL_THUNK | | 722 sandbox::MITIGATION_DEP_NO_ATL_THUNK | |
| 722 sandbox::MITIGATION_SEHOP | | 723 sandbox::MITIGATION_SEHOP | |
| 723 sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE | | 724 sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE | |
| 724 sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE | | 725 sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE | |
| 725 sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL; | 726 sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL; |
| 726 | 727 |
| 728 if (base::FeatureList::IsEnabled(features::kWinSboxDisableExtensionPoints)) |
| 729 mitigations |= sandbox::MITIGATION_EXTENSION_POINT_DISABLE; |
| 730 |
| 727 sandbox::ResultCode result = sandbox::SBOX_ERROR_GENERIC; | 731 sandbox::ResultCode result = sandbox::SBOX_ERROR_GENERIC; |
| 728 | |
| 729 result = policy->SetProcessMitigations(mitigations); | 732 result = policy->SetProcessMitigations(mitigations); |
| 730 | 733 |
| 731 if (result != sandbox::SBOX_ALL_OK) | 734 if (result != sandbox::SBOX_ALL_OK) |
| 732 return result; | 735 return result; |
| 733 | 736 |
| 734 #if !defined(NACL_WIN64) | 737 #if !defined(NACL_WIN64) |
| 735 if (type_str == switches::kRendererProcess && | 738 if (type_str == switches::kRendererProcess && |
| 736 IsWin32kRendererLockdownEnabled()) { | 739 IsWin32kRendererLockdownEnabled()) { |
| 737 result = AddWin32kLockdownPolicy(policy, false); | 740 result = AddWin32kLockdownPolicy(policy, false); |
| 738 if (result != sandbox::SBOX_ALL_OK) | 741 if (result != sandbox::SBOX_ALL_OK) |
| (...skipping 91 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 830 } | 833 } |
| 831 | 834 |
| 832 delegate->PostSpawnTarget(target.process_handle()); | 835 delegate->PostSpawnTarget(target.process_handle()); |
| 833 | 836 |
| 834 CHECK(ResumeThread(target.thread_handle()) != static_cast<DWORD>(-1)); | 837 CHECK(ResumeThread(target.thread_handle()) != static_cast<DWORD>(-1)); |
| 835 *process = base::Process(target.TakeProcessHandle()); | 838 *process = base::Process(target.TakeProcessHandle()); |
| 836 return sandbox::SBOX_ALL_OK; | 839 return sandbox::SBOX_ALL_OK; |
| 837 } | 840 } |
| 838 | 841 |
| 839 } // namespace content | 842 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1854323002:
[Windows Sandbox] Turn on MITIGATION_EXTENSION_POINT_DISABLE for child processes. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master