Index: sandbox/win/src/restricted_token_utils.h |
diff --git a/sandbox/win/src/restricted_token_utils.h b/sandbox/win/src/restricted_token_utils.h |
index 69462b4da28b8f9ec30626222bddff1cfdebef66..7cb959944473299e5cc7468d20ca1361ce1fdc92 100644 |
--- a/sandbox/win/src/restricted_token_utils.h |
+++ b/sandbox/win/src/restricted_token_utils.h |
@@ -82,6 +82,19 @@ const wchar_t* GetIntegrityLevelString(IntegrityLevel integrity_level); |
// current integrity level, the function will fail. |
DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level); |
+// Hardens the integrity level policy on a token. This is only valid on Vista |
cpu_(ooo_6.6-7.5)
2014/12/20 01:10:05
win7 in the comment.
|
+// and above. Specifically it sets the policy to block read and execute so |
+// that a lower privileged process cannot open the token for impersonate or |
+// duplicate permissions. This should limit potential security holes. |
+DWORD HardenTokenIntegrityLevelPolicy(HANDLE token); |
+ |
+// Hardens the integrity level policy on the current process. This is only |
+// valid on Vista and above. Specifically it sets the policy to block read |
cpu_(ooo_6.6-7.5)
2014/12/20 01:10:05
win7
|
+// and execute so that a lower privileged process cannot open the token for |
+// impersonate or duplicate permissions. This should limit potential security |
+// holes. |
+DWORD HardenProcessIntegrityLevelPolicy(); |
+ |
} // namespace sandbox |
#endif // SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__ |