Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(89)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/common/sandbox_win.cc

Issue 2411483002: Enable win32k lockdown for ppapi processes. (Closed)
Patch Set: readd entry Created 4 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « content/common/content_switches_internal.cc ('k') | content/public/browser/content_browser_client.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/common/sandbox_win.h" 5 #include "content/common/sandbox_win.h"
6 6
7 #include <stddef.h> 7 #include <stddef.h>
8 8
9 #include <string> 9 #include <string>
10 10
(...skipping 583 matching lines...) Expand 10 before | Expand all | Expand 10 after
594 sandbox::ResultCode AddAppContainerPolicy(sandbox::TargetPolicy* policy, 594 sandbox::ResultCode AddAppContainerPolicy(sandbox::TargetPolicy* policy,
595 const wchar_t* sid) { 595 const wchar_t* sid) {
596 if (IsAppContainerEnabled()) 596 if (IsAppContainerEnabled())
597 return policy->SetLowBox(sid); 597 return policy->SetLowBox(sid);
598 return sandbox::SBOX_ALL_OK; 598 return sandbox::SBOX_ALL_OK;
599 } 599 }
600 600
601 sandbox::ResultCode AddWin32kLockdownPolicy(sandbox::TargetPolicy* policy, 601 sandbox::ResultCode AddWin32kLockdownPolicy(sandbox::TargetPolicy* policy,
602 bool enable_opm) { 602 bool enable_opm) {
603 #if !defined(NACL_WIN64) 603 #if !defined(NACL_WIN64)
604 if (!IsWin32kRendererLockdownEnabled()) 604 if (!IsWin32kLockdownEnabled())
605 return sandbox::SBOX_ALL_OK; 605 return sandbox::SBOX_ALL_OK;
606 606
607 // Enable win32k lockdown if not already. 607 // Enable win32k lockdown if not already.
608 sandbox::MitigationFlags flags = policy->GetProcessMitigations(); 608 sandbox::MitigationFlags flags = policy->GetProcessMitigations();
609 if ((flags & sandbox::MITIGATION_WIN32K_DISABLE) == 609 if ((flags & sandbox::MITIGATION_WIN32K_DISABLE) ==
610 sandbox::MITIGATION_WIN32K_DISABLE) 610 sandbox::MITIGATION_WIN32K_DISABLE)
611 return sandbox::SBOX_ALL_OK; 611 return sandbox::SBOX_ALL_OK;
612 612
613 sandbox::ResultCode result = 613 sandbox::ResultCode result =
614 policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN, 614 policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN,
(...skipping 114 matching lines...) Expand 10 before | Expand all | Expand 10 after
729 if (base::FeatureList::IsEnabled(features::kWinSboxDisableExtensionPoints)) 729 if (base::FeatureList::IsEnabled(features::kWinSboxDisableExtensionPoints))
730 mitigations |= sandbox::MITIGATION_EXTENSION_POINT_DISABLE; 730 mitigations |= sandbox::MITIGATION_EXTENSION_POINT_DISABLE;
731 731
732 sandbox::ResultCode result = sandbox::SBOX_ERROR_GENERIC; 732 sandbox::ResultCode result = sandbox::SBOX_ERROR_GENERIC;
733 result = policy->SetProcessMitigations(mitigations); 733 result = policy->SetProcessMitigations(mitigations);
734 734
735 if (result != sandbox::SBOX_ALL_OK) 735 if (result != sandbox::SBOX_ALL_OK)
736 return result; 736 return result;
737 737
738 #if !defined(NACL_WIN64) 738 #if !defined(NACL_WIN64)
739 if (type_str == switches::kRendererProcess && 739 if (type_str == switches::kRendererProcess && IsWin32kLockdownEnabled()) {
740 IsWin32kRendererLockdownEnabled()) {
741 result = AddWin32kLockdownPolicy(policy.get(), false); 740 result = AddWin32kLockdownPolicy(policy.get(), false);
742 if (result != sandbox::SBOX_ALL_OK) 741 if (result != sandbox::SBOX_ALL_OK)
743 return result; 742 return result;
744 } 743 }
745 #endif 744 #endif
746 745
747 // Post-startup mitigations. 746 // Post-startup mitigations.
748 mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS | 747 mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
749 sandbox::MITIGATION_DLL_SEARCH_ORDER; 748 sandbox::MITIGATION_DLL_SEARCH_ORDER;
750 749
(...skipping 83 matching lines...) Expand 10 before | Expand all | Expand 10 after
834 } 833 }
835 834
836 delegate->PostSpawnTarget(target.process_handle()); 835 delegate->PostSpawnTarget(target.process_handle());
837 836
838 CHECK(ResumeThread(target.thread_handle()) != static_cast<DWORD>(-1)); 837 CHECK(ResumeThread(target.thread_handle()) != static_cast<DWORD>(-1));
839 *process = base::Process(target.TakeProcessHandle()); 838 *process = base::Process(target.TakeProcessHandle());
840 return sandbox::SBOX_ALL_OK; 839 return sandbox::SBOX_ALL_OK;
841 } 840 }
842 841
843 } // namespace content 842 } // namespace content
OLDNEW
« no previous file with comments | « content/common/content_switches_internal.cc ('k') | content/public/browser/content_browser_client.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698