Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(134)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/common/sandbox_win.cc

Issue 318603003: Sandbox policy and intercepts for the MITIGATION_WIN32K_DISABLE policy for renderer processes. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Fixed comment Created 6 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | sandbox/win/sandbox_win.gypi » ('j') | sandbox/win/sandbox_win.gypi » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/common/sandbox_win.h" 5 #include "content/common/sandbox_win.h"
6 6
7 #include <string> 7 #include <string>
8 8
9 #include "base/base_switches.h" 9 #include "base/base_switches.h"
10 #include "base/command_line.h" 10 #include "base/command_line.h"
(...skipping 316 matching lines...) Expand 10 before | Expand all | Expand 10 after
327 debug_message = debug_message.AppendASCII("debug_message.exe"); 327 debug_message = debug_message.AppendASCII("debug_message.exe");
328 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_PROCESS, 328 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_PROCESS,
329 sandbox::TargetPolicy::PROCESS_MIN_EXEC, 329 sandbox::TargetPolicy::PROCESS_MIN_EXEC,
330 debug_message.value().c_str()); 330 debug_message.value().c_str());
331 if (result != sandbox::SBOX_ALL_OK) 331 if (result != sandbox::SBOX_ALL_OK)
332 return false; 332 return false;
333 #endif // NDEBUG 333 #endif // NDEBUG
334 334
335 AddGenericDllEvictionPolicy(policy); 335 AddGenericDllEvictionPolicy(policy);
336 336
337 if (base::win::GetVersion() >= base::win::VERSION_WIN8) {
338 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN,
jschuh 2014/06/06 03:23:36 Just remove this section. You're already setting t
ananta 2014/06/06 23:57:34 Leaving this as is as this is needed for the polic
339 sandbox::TargetPolicy::LOCKDOWN_WIN32K,
340 L"Lockdown_Win32K");
341 if (result != sandbox::SBOX_ALL_OK)
342 return false;
343 }
337 return true; 344 return true;
338 } 345 }
339 346
340 bool AddPolicyForSandboxedProcess(sandbox::TargetPolicy* policy) { 347 bool AddPolicyForSandboxedProcess(sandbox::TargetPolicy* policy) {
341 sandbox::ResultCode result; 348 sandbox::ResultCode result;
342 // Renderers need to share events with plugins. 349 // Renderers need to share events with plugins.
343 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, 350 result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
344 sandbox::TargetPolicy::HANDLES_DUP_ANY, 351 sandbox::TargetPolicy::HANDLES_DUP_ANY,
345 L"Event"); 352 L"Event");
346 if (result != sandbox::SBOX_ALL_OK) 353 if (result != sandbox::SBOX_ALL_OK)
(...skipping 256 matching lines...) Expand 10 before | Expand all | Expand 10 after
603 sandbox::MitigationFlags mitigations = sandbox::MITIGATION_HEAP_TERMINATE | 610 sandbox::MitigationFlags mitigations = sandbox::MITIGATION_HEAP_TERMINATE |
604 sandbox::MITIGATION_BOTTOM_UP_ASLR | 611 sandbox::MITIGATION_BOTTOM_UP_ASLR |
605 sandbox::MITIGATION_DEP | 612 sandbox::MITIGATION_DEP |
606 sandbox::MITIGATION_DEP_NO_ATL_THUNK | 613 sandbox::MITIGATION_DEP_NO_ATL_THUNK |
607 sandbox::MITIGATION_SEHOP; 614 sandbox::MITIGATION_SEHOP;
608 615
609 if (base::win::GetVersion() >= base::win::VERSION_WIN8 && 616 if (base::win::GetVersion() >= base::win::VERSION_WIN8 &&
610 type_str == switches::kRendererProcess && 617 type_str == switches::kRendererProcess &&
611 browser_command_line.HasSwitch( 618 browser_command_line.HasSwitch(
612 switches::kEnableWin32kRendererLockDown)) { 619 switches::kEnableWin32kRendererLockDown)) {
613 mitigations |= sandbox::MITIGATION_WIN32K_DISABLE; 620 mitigations |= sandbox::MITIGATION_WIN32K_DISABLE;
jschuh 2014/06/06 03:23:36 You're already doing exactly what you need to enab
ananta 2014/06/06 23:57:34 Explained above. Leaving the policy stuff as is.
614 } 621 }
615 622
616 if (policy->SetProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK) 623 if (policy->SetProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
617 return 0; 624 return 0;
618 625
619 mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS | 626 mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
620 sandbox::MITIGATION_DLL_SEARCH_ORDER; 627 sandbox::MITIGATION_DLL_SEARCH_ORDER;
621 628
622 if (policy->SetDelayedProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK) 629 if (policy->SetDelayedProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
623 return 0; 630 return 0;
(...skipping 117 matching lines...) Expand 10 before | Expand all | Expand 10 after
741 } 748 }
742 749
743 return false; 750 return false;
744 } 751 }
745 752
746 bool BrokerAddTargetPeer(HANDLE peer_process) { 753 bool BrokerAddTargetPeer(HANDLE peer_process) {
747 return g_broker_services->AddTargetPeer(peer_process) == sandbox::SBOX_ALL_OK; 754 return g_broker_services->AddTargetPeer(peer_process) == sandbox::SBOX_ALL_OK;
748 } 755 }
749 756
750 } // namespace content 757 } // namespace content
OLDNEW
« no previous file with comments | « no previous file | sandbox/win/sandbox_win.gypi » ('j') | sandbox/win/sandbox_win.gypi » ('J')

Powered by Google App Engine
This is Rietveld 408576698