
Side by Side Diff: content/common/sandbox_win.cc

Issue 2871723002: Revert of Create CSRSS Lockdown feature for finching (Closed)
Patch Set: Created 3 years, 7 months ago
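--- a/content/common/sandbox_win.cc
+++ b/content/common/sandbox_win.cc
@@ -1,25 +1,24 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_win.h"
 
 #include <stddef.h>
 
 #include <string>
 
 #include "base/base_switches.h"
 #include "base/command_line.h"
 #include "base/debug/activity_tracker.h"
 #include "base/debug/profiler.h"
-#include "base/feature_list.h"
 #include "base/files/file_util.h"
 #include "base/hash.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/memory/shared_memory.h"
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/path_service.h"
 #include "base/process/launch.h"
 #include "base/strings/string_number_conversions.h"
@@ -595,37 +594,23 @@
 
 #ifdef _WIN64
 sandbox::ResultCode ret =
 policy->SetJobMemoryLimit(4ULL * 1024 * 1024 * 1024);
 if (ret != sandbox::SBOX_ALL_OK)
 return ret;
 #endif
 return policy->SetJobLevel(job_level, ui_exceptions);
 }
 
-// This is for finch. See also crbug.com/464430 for details.
-const base::Feature kEnableCsrssLockdownFeature{
-"EnableCsrssLockdown", base::FEATURE_DISABLED_BY_DEFAULT};
-
 // TODO(jschuh): Need get these restrictions applied to NaCl and Pepper.
 // Just have to figure out what needs to be warmed up first.
 sandbox::ResultCode AddBaseHandleClosePolicy(sandbox::TargetPolicy* policy) {
-if (base::win::GetVersion() >= base::win::VERSION_WIN10) {
-if (base::FeatureList::IsEnabled(kEnableCsrssLockdownFeature)) {
-// Close all ALPC ports.
-sandbox::ResultCode ret =
-policy->AddKernelObjectToClose(L"ALPC Port", NULL);
-if (ret != sandbox::SBOX_ALL_OK) {
-return ret;
-}
-}
-}
 // TODO(cpu): Add back the BaseNamedObjects policy.
 base::string16 object_path = PrependWindowsSessionPath(
 L"\\BaseNamedObjects\\windows_shell_global_counters");
 return policy->AddKernelObjectToClose(L"Section", object_path.data());
 }
 
 sandbox::ResultCode AddAppContainerPolicy(sandbox::TargetPolicy* policy,
 const wchar_t* sid) {
 if (IsAppContainerEnabled())
 return policy->SetLowBox(sid);
@@ -876,10 +861,10 @@
 }
 
 delegate->PostSpawnTarget(target.process_handle());
 
 CHECK(ResumeThread(target.thread_handle()) != static_cast<DWORD>(-1));
 *process = base::Process(target.TakeProcessHandle());
 return sandbox::SBOX_ALL_OK;
 }
 
 } // namespace content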