Index: sandbox/win/src/process_mitigations.cc |
diff --git a/sandbox/win/src/process_mitigations.cc b/sandbox/win/src/process_mitigations.cc |
index 80e428483052b606211c977572ea57bb13d9255b..904365d79bb98a7f801362538dee918571b39848 100644 |
--- a/sandbox/win/src/process_mitigations.cc |
+++ b/sandbox/win/src/process_mitigations.cc |
@@ -8,6 +8,7 @@ |
#include "base/win/windows_version.h" |
#include "sandbox/win/src/nt_internals.h" |
+#include "sandbox/win/src/restricted_token_utils.h" |
#include "sandbox/win/src/win_utils.h" |
namespace { |
@@ -59,6 +60,13 @@ bool ApplyProcessMitigationsToCurrentProcess(MitigationFlags flags) { |
} |
} |
+ if (version >= base::win::VERSION_VISTA && |
cpu_(ooo_6.6-7.5)
2014/12/18 21:05:36
if you don't mind start at win7. we have very poor
forshaw
2014/12/19 08:30:00
Done.
|
+ (flags & MITIGATION_HARDEN_TOKEN_IL_POLICY)) { |
+ DWORD error = HardenProcessIntegrityLevelPolicy(); |
+ if ((error != ERROR_SUCCESS) && (error != ERROR_ACCESS_DENIED)) |
+ return false; |
+ } |
+ |
#if !defined(_WIN64) // DEP is always enabled on 64-bit. |
if (flags & MITIGATION_DEP) { |
DWORD dep_flags = PROCESS_DEP_ENABLE; |
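Review bot: The new block tolerates `ERROR_ACCESS_DENIED` from `HardenProcessIntegrityLevelPolicy()` without saying why, so a reader cannot tell whether the mitigation silently not being applied is an accepted outcome or a bug, and a later maintainer may "fix" it either way. Presumably the call is expected to fail with access denied once the token has already been locked down, but that is not visible here, so the condition deserves a comment such as `// ERROR_ACCESS_DENIED is tolerated: presumably the token is already restricted and the policy cannot be adjusted — confirm; any other failure is fatal.`. If that assumption is wrong, the hardening is being skipped silently for any caller lacking the privilege, which is worth at least a debug log so it shows up in testing. The enclosing `ApplyProcessMitigationsToCurrentProcess` starts before and continues past this hunk.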
@@ -309,7 +317,8 @@ bool CanSetProcessMitigationsPostStartup(MitigationFlags flags) { |
MITIGATION_BOTTOM_UP_ASLR | |
MITIGATION_STRICT_HANDLE_CHECKS | |
MITIGATION_EXTENSION_DLL_DISABLE | |
- MITIGATION_DLL_SEARCH_ORDER)); |
+ MITIGATION_DLL_SEARCH_ORDER | |
+ MITIGATION_HARDEN_TOKEN_IL_POLICY)); |
} |
bool CanSetProcessMitigationsPreStartup(MitigationFlags flags) { |