Index: sandbox/win/src/process_mitigations.cc |
diff --git a/sandbox/win/src/process_mitigations.cc b/sandbox/win/src/process_mitigations.cc |
index 80e428483052b606211c977572ea57bb13d9255b..d187c55e3e0c7d8eb04530ff7480e18aa6f275a4 100644 |
--- a/sandbox/win/src/process_mitigations.cc |
+++ b/sandbox/win/src/process_mitigations.cc |
@@ -8,6 +8,7 @@ |
#include "base/win/windows_version.h" |
#include "sandbox/win/src/nt_internals.h" |
+#include "sandbox/win/src/restricted_token_utils.h" |
#include "sandbox/win/src/win_utils.h" |
namespace { |
@@ -59,6 +60,13 @@ bool ApplyProcessMitigationsToCurrentProcess(MitigationFlags flags) { |
} |
} |
+ if (version >= base::win::VERSION_WIN7 && |
+ (flags & MITIGATION_HARDEN_TOKEN_IL_POLICY)) { |
+ DWORD error = HardenProcessIntegrityLevelPolicy(); |
+ if ((error != ERROR_SUCCESS) && (error != ERROR_ACCESS_DENIED)) |
+ return false; |
+ } |
+ |
#if !defined(_WIN64) // DEP is always enabled on 64-bit. |
if (flags & MITIGATION_DEP) { |
DWORD dep_flags = PROCESS_DEP_ENABLE; |
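Review bot: The `ERROR_ACCESS_DENIED` carve-out on the `HardenProcessIntegrityLevelPolicy()` result leaves the mitigation silently unapplied without any comment saying why that outcome is acceptable, so a reader (or a later refactor) cannot distinguish a deliberate best-effort from a swallowed failure. A one-line comment above the check would fix that, e.g. `// ERROR_ACCESS_DENIED is tolerated: the IL policy is then left unhardened rather than failing mitigation setup; every other error aborts.` If the reason the call can be denied is known (the token state this process runs under, presumably), name it in that comment rather than leaving the reader to infer it. The enclosing `ApplyProcessMitigationsToCurrentProcess` starts before this hunk and continues after it, so `version` is set outside the visible lines.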
@@ -309,7 +317,8 @@ bool CanSetProcessMitigationsPostStartup(MitigationFlags flags) { |
MITIGATION_BOTTOM_UP_ASLR | |
MITIGATION_STRICT_HANDLE_CHECKS | |
MITIGATION_EXTENSION_DLL_DISABLE | |
- MITIGATION_DLL_SEARCH_ORDER)); |
+ MITIGATION_DLL_SEARCH_ORDER | |
+ MITIGATION_HARDEN_TOKEN_IL_POLICY)); |
} |
bool CanSetProcessMitigationsPreStartup(MitigationFlags flags) { |