sandbox/win/src/broker_services.cc - Issue 10690058: Add sandbox support for Windows process mitigations

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: sandbox/win/src/broker_services.cc

Issue 10690058: Add sandbox support for Windows process mitigations (Closed) Base URL: https://src.chromium.org/svn/trunk/src/

Patch Set: Created 8 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: sandbox/win/src/broker_services.cc

===================================================================

--- sandbox/win/src/broker_services.cc (revision 155197)

+++ sandbox/win/src/broker_services.cc (working copy)

@@ -12,6 +12,7 @@

#include "base/win/startup_information.h"

#include "base/win/windows_version.h"

#include "sandbox/win/src/app_container.h"

+#include "sandbox/win/src/process_mitigations.h"

#include "sandbox/win/src/sandbox_policy_base.h"

#include "sandbox/win/src/sandbox.h"

#include "sandbox/win/src/target_process.h"

@@ -320,14 +321,51 @@

const_cast<wchar_t*>(desktop.c_str());

}

+ int attribute_count = 0;

const AppContainerAttributes* app_container = policy_base->GetAppContainer();

+ if (app_container)

+ ++attribute_count;

+ DWORD64 mitigations = GetProcessMitigationPolicyFlags(

+ policy->GetProcessMitigations());

+ if (mitigations)

+ ++attribute_count;

+ if (!startup_info.InitializeProcThreadAttributeList(attribute_count))

+ return SBOX_ERROR_GENERIC;

if (app_container) {

- startup_info.InitializeProcThreadAttributeList(1);

result = app_container->ShareForStartup(&startup_info);

if (SBOX_ALL_OK != result)

return result;

}

+ if (mitigations) {

+#ifndef _WIN64

+ // A 64-bit flags attribute is illegal on 32-bit Win 7 and below.

+ if (base::win::GetVersion() < base::win::VERSION_WIN8) {

+ DWORD mitigations32 = static_cast<DWORD>(mitigations);

+ if (!startup_info.UpdateProcThreadAttribute(

+ PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &mitigations32,

+ sizeof(mitigations32))) {

+ return SBOX_ERROR_GENERIC;

+ }

+ } else {

+ if (!startup_info.UpdateProcThreadAttribute(

+ PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &mitigations,

+ sizeof(mitigations))) {

+ return SBOX_ERROR_GENERIC;

+ }

+#else

+ if (!startup_info.UpdateProcThreadAttribute(

+ PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &mitigations,

+ sizeof(mitigations))) {

+ return SBOX_ERROR_GENERIC;

+ }

+#endif

+ }

// Construct the thread pool here in case it is expensive.

// The thread pool is shared by all the targets

if (NULL == thread_pool_)

« sandbox/win/sandbox_win.gypi ('K') | « sandbox/win/sandbox_win.gypi ('k') | sandbox/win/src/dep.h » ('j') | sandbox/win/src/process_mitigations.cc » ('J')