content/common/sandbox_policy.cc - Issue 10913305: Enable more Windows mitigations

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: content/common/sandbox_policy.cc

Issue 10913305: Enable more Windows mitigations (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/

Patch Set: Created 8 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: content/common/sandbox_policy.cc

===================================================================

--- content/common/sandbox_policy.cc (revision 157852)

+++ content/common/sandbox_policy.cc (working copy)

@@ -727,28 +727,34 @@

return process;

}

- // TODO(jschuh): Add all Win8 mitigations. crbug.com/147752

- if (type != content::PROCESS_TYPE_NACL_LOADER) {

- if (policy->SetProcessMitigations(MITIGATION_DEP |

- MITIGATION_DEP_NO_ATL_THUNK |

- MITIGATION_SEHOP |

- MITIGATION_BOTTOM_UP_ASLR)

- != sandbox::SBOX_ALL_OK) {

- return 0;

- }

- } else {

- // TODO(jschuh): Make NaCl work with DEP and SEHOP. crbug.com/147752

- if (policy->SetDelayedProcessMitigations(MITIGATION_DEP |

- MITIGATION_DEP_NO_ATL_THUNK)

- != sandbox::SBOX_ALL_OK) {

- return 0;

- }

- if (policy->SetProcessMitigations(MITIGATION_BOTTOM_UP_ASLR)

- != sandbox::SBOX_ALL_OK) {

- return 0;

- }

+ // TODO(jschuh): Make NaCl work with DEP and SEHOP. crbug.com/147752

+ sandbox::MitigationFlags mitigations = MITIGATION_HEAP_TERMINATE |

+ MITIGATION_BOTTOM_UP_ASLR |

+ MITIGATION_HIGH_ENTROPY_ASLR;

+#if !defined(NACL_WIN64)

+ mitigations |= MITIGATION_DEP |

+ MITIGATION_DEP_NO_ATL_THUNK |

+ MITIGATION_SEHOP;

+#if defined(NDEBUG)

+ mitigations |= MITIGATION_RELOCATE_IMAGE |

+ MITIGATION_RELOCATE_IMAGE_REQUIRED;

+#endif

+ if (policy->SetProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)

+ return 0;

+ mitigations = MITIGATION_STRICT_HANDLE_CHECKS |

+ MITIGATION_EXTENSION_DLL_DISABLE |

+ MITIGATION_DLL_SEARCH_ORDER;

+#if defined(NACL_WIN64)

+ mitigations |= MITIGATION_DEP |

+ MITIGATION_DEP_NO_ATL_THUNK;

+#endif

+ if (policy->SetDelayedProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)

+ return 0;

if (type == content::PROCESS_TYPE_PLUGIN) {

AddGenericDllEvictionPolicy(policy);

AddPluginDllEvictionPolicy(policy);

« no previous file with comments | « no previous file | no next file » | no next file with comments »