Index: sandbox/win/src/security_level.h |
diff --git a/sandbox/win/src/security_level.h b/sandbox/win/src/security_level.h |
index da84b75252b5596bfea0c59ce88ed1ff464a2ecd..c89bbb4e249e003727ebf8fe2456978f9443fd62 100644 |
--- a/sandbox/win/src/security_level.h |
+++ b/sandbox/win/src/security_level.h |
@@ -199,6 +199,11 @@ const MitigationFlags MITIGATION_EXTENSION_DLL_DISABLE = 0x00000400; |
// Must be enabled after startup. |
const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000001ULL << 32; |
+// Changes the mandatory integrity level policy on the current process' token |
+// to enable no-read and no-execute up. This prevents a lower IL process from |
+// opening the process token for impersonate/duplicate/assignment. |
+const MitigationFlags MITIGATION_HARDEN_TOKEN_IL_POLICY = 0x00000001ULL << 33; |
+ |
} // namespace sandbox |
#endif // SANDBOX_SRC_SECURITY_LEVEL_H_ |
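Review bot: The comment on `MITIGATION_HARDEN_TOKEN_IL_POLICY` does not say when the flag may be applied, whereas the flag directly above it carries `// Must be enabled after startup.` Because this mitigation rewrites the mandatory label policy on the current process' own token, callers need the same timing statement to know whether it belongs in the startup or the delayed mitigation set. The comment should also state the scope: as written it covers only the token object, and it does not say whether the existing no-write-up policy is preserved when no-read-up and no-execute-up are added. Something like `// Only the token's mandatory label policy is changed (no-write-up is kept); other securable objects of the process are not affected.` would do, once confirmed against the implementation. The code that applies the flag is outside this hunk, so its handling in the pre- and post-startup mitigation masks cannot be checked from here.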