Create CSRSS Lockdown feature for finching

content/common/sandbox_win.cc

Index: content/common/sandbox_win.cc
diff --git a/content/common/sandbox_win.cc b/content/common/sandbox_win.cc
index c1ab69baa8fefd2271cb313e901a640ab4811520..eab4521ba41d3a5f8420e70866c0937c4c3816a0 100644
--- a/content/common/sandbox_win.cc
+++ b/content/common/sandbox_win.cc
@@ -12,6 +12,7 @@
 #include "base/command_line.h"
 #include "base/debug/activity_tracker.h"
 #include "base/debug/profiler.h"
+#include "base/feature_list.h"
 #include "base/files/file_util.h"
 #include "base/hash.h"
 #include "base/logging.h"
@@ -601,9 +602,23 @@ sandbox::ResultCode SetJobLevel(const base::CommandLine& cmd_line,
   return policy->SetJobLevel(job_level, ui_exceptions);
 }
 
+// This is for finch. See also crbug.com/464430 for details.
+const base::Feature kEnableCsrssLockdownFeature{
+    "EnableCsrssLockdown", base::FEATURE_DISABLED_BY_DEFAULT};
+
 // TODO(jschuh): Need get these restrictions applied to NaCl and Pepper.
 // Just have to figure out what needs to be warmed up first.
 sandbox::ResultCode AddBaseHandleClosePolicy(sandbox::TargetPolicy* policy) {
+  if (base::win::GetVersion() >= base::win::VERSION_WIN10) {
+    if (base::FeatureList::IsEnabled(kEnableCsrssLockdownFeature)) {
+      // Close all ALPC ports.
+      sandbox::ResultCode ret =
+          policy->AddKernelObjectToClose(L"ALPC Port", NULL);
+      if (ret != sandbox::SBOX_ALL_OK) {
+        return ret;
+      }
+    }
+  }
   // TODO(cpu): Add back the BaseNamedObjects policy.
   base::string16 object_path = PrependWindowsSessionPath(
       L"\\BaseNamedObjects\\windows_shell_global_counters");