Add sandbox support for Windows process mitigations

BUG=147752
Review URL: https://codereview.chromium.org/10690058

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@156657 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 46 insertions, 0 deletions

diff --git a/sandbox/win/src/sandbox_policy_base.cc b/sandbox/win/src/sandbox_policy_base.cc
index 3950a0c..f942ff5a 100644
--- a/sandbox/win/src/sandbox_policy_base.cc
+++ b/sandbox/win/src/sandbox_policy_base.cc
@@ -15,6 +15,7 @@
 #include "sandbox/win/src/handle_policy.h"
 #include "sandbox/win/src/job.h"
 #include "sandbox/win/src/interception.h"
+#include "sandbox/win/src/process_mitigations.h"
 #include "sandbox/win/src/named_pipe_dispatcher.h"
 #include "sandbox/win/src/named_pipe_policy.h"
 #include "sandbox/win/src/policy_broker.h"
@@ -53,6 +54,7 @@ sandbox::PolicyGlobal* MakeBrokerPolicyMemory() {
 namespace sandbox {
 
 SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level;
+SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations;
 
 // Initializes static members.
 HWINSTA PolicyBase::alternate_winstation_handle_ = NULL;
@@ -70,6 +72,8 @@ PolicyBase::PolicyBase()
       relaxed_interceptions_(true),
       integrity_level_(INTEGRITY_LEVEL_LAST),
       delayed_integrity_level_(INTEGRITY_LEVEL_LAST),
+      mitigations_(0),
+      delayed_mitigations_(0),
       policy_maker_(NULL),
       policy_(NULL) {
   ::InitializeCriticalSection(&lock_);
@@ -276,6 +280,30 @@ ResultCode PolicyBase::SetCapability(const wchar_t* sid) {
   return SBOX_ALL_OK;
 }
 
+ResultCode PolicyBase::SetProcessMitigations(
+    MitigationFlags flags) {
+  if (!CanSetProcessMitigationsPreStartup(flags))
+    return SBOX_ERROR_BAD_PARAMS;
+  mitigations_ = flags;
+  return SBOX_ALL_OK;
+}
+
+MitigationFlags PolicyBase::GetProcessMitigations() {
+  return mitigations_;
+}
+
+ResultCode PolicyBase::SetDelayedProcessMitigations(
+    MitigationFlags flags) {
+  if (!CanSetProcessMitigationsPostStartup(flags))
+    return SBOX_ERROR_BAD_PARAMS;
+  delayed_mitigations_ = flags;
+  return SBOX_ALL_OK;
+}
+
+MitigationFlags PolicyBase::GetDelayedProcessMitigations() {
+  return delayed_mitigations_;
+}
+
 void PolicyBase::SetStrictInterceptions() {
   relaxed_interceptions_ = false;
 }
@@ -450,6 +478,11 @@ bool PolicyBase::AddTarget(TargetProcess* target) {
   if (NULL != policy_)
     policy_maker_->Done();
 
+  if (!ApplyProcessMitigationsToSuspendedProcess(target->Process(),
+                                                 mitigations_)) {
+    return false;
+  }
+
   if (!SetupAllInterceptions(target))
     return false;
 
@@ -469,6 +502,19 @@ bool PolicyBase::AddTarget(TargetProcess* target) {
   if (SBOX_ALL_OK != ret)
     return false;
 
+  // Add in delayed mitigations and pseudo-mitigations enforced at startup.
+  g_shared_delayed_mitigations = delayed_mitigations_ |
+      FilterPostStartupProcessMitigations(mitigations_);
+  if (!CanSetProcessMitigationsPostStartup(g_shared_delayed_mitigations))
+    return false;
+
+  ret = target->TransferVariable("g_shared_delayed_mitigations",
+                                 &g_shared_delayed_mitigations,
+                                 sizeof(g_shared_delayed_mitigations));
+  g_shared_delayed_mitigations = 0;
+  if (SBOX_ALL_OK != ret)
+    return false;
+
   AutoLock lock(&lock_);
   targets_.push_back(target);
   return true;