author | jschuh@chromium.org <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-03-05 10:09:21 +0000 |
---|---|---|
committer | jschuh@chromium.org <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-03-05 10:09:21 +0000 |
commit | c4d0292069f70522e7bc878f8403be2b2ef5b0d9 (patch) | |
tree | 7eed23b143057712f1b2ab73df0b84c66e272d43 /sandbox/win | |
parent | a3feff5b9df53fb289441feec9f026617c8fb7e7 (diff) | |
Further tighten desktop permissions and cleanup style nits
Also removed a debug hook that's obsoleted by new permissions.
BUG=346586
R=cpu@chromium.org,jamesr@chromium.org
Review URL: https://codereview.chromium.org/185533017
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@254993 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox/win')
-rw-r--r-- | sandbox/win/src/window.cc | 26 |
1 files changed, 14 insertions, 12 deletions
diff --git a/sandbox/win/src/window.cc b/sandbox/win/src/window.cc
index 32c02b2..a448b59f 100644
--- a/sandbox/win/src/window.cc
+++ b/sandbox/win/src/window.cc
@@ -51,13 +51,13 @@ ResultCode CreateAltWindowStation(HWINSTA* winsta) {
 if (*winsta) {
 // Replace the DACL on the new Winstation with a reduced privilege version.
 // We can soft fail on this for now, as it's just an extra mitigation.
- static const ACCESS_MASK kWinstaDenyMask = DELETE | WRITE_DAC |
- WRITE_OWNER |
- WINSTA_ACCESSCLIPBOARD |
- WINSTA_CREATEDESKTOP |
- WINSTA_ENUMDESKTOPS |
- WINSTA_ENUMERATE |
- WINSTA_EXITWINDOWS;
+ static const ACCESS_MASK kWinstaDenyMask = DELETE | WRITE_DAC |
+ WRITE_OWNER |
+ WINSTA_ACCESSCLIPBOARD |
+ WINSTA_CREATEDESKTOP |
+ WINSTA_ENUMDESKTOPS |
+ WINSTA_ENUMERATE |
+ WINSTA_EXITWINDOWS;
 AddKnownSidToObject(*winsta, SE_WINDOW_OBJECT, Sid(WinRestrictedCodeSid), DENY_ACCESS, kWinstaDenyMask);
 return SBOX_ALL_OK;
@@ -111,11 +111,13 @@ ResultCode CreateAltDesktop(HWINSTA winsta, HDESK* desktop) {
 if (*desktop) {
 // Replace the DACL on the new Desktop with a reduced privilege version.
 // We can soft fail on this for now, as it's just an extra mitigation.
- static const ACCESS_MASK kDesktopDenyMask = WRITE_DAC | WRITE_OWNER |
- DESKTOP_HOOKCONTROL |
- DESKTOP_JOURNALPLAYBACK |
- DESKTOP_JOURNALRECORD |
- DESKTOP_SWITCHDESKTOP;
+ static const ACCESS_MASK kDesktopDenyMask = WRITE_DAC | WRITE_OWNER |
+ DESKTOP_CREATEMENU |
+ DESKTOP_CREATEWINDOW |
+ DESKTOP_HOOKCONTROL |
+ DESKTOP_JOURNALPLAYBACK |
+ DESKTOP_JOURNALRECORD |
+ DESKTOP_SWITCHDESKTOP;
 AddKnownSidToObject(*desktop, SE_WINDOW_OBJECT, Sid(WinRestrictedCodeSid), DENY_ACCESS, kDesktopDenyMask);
 return SBOX_ALL_OK; |
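Review bot: The rights added to `kDesktopDenyMask` in the CreateAltDesktop hunk (`DESKTOP_CREATEMENU`, `DESKTOP_CREATEWINDOW`) are applied through an `AddKnownSidToObject` call whose result is discarded, so a failed DACL update still returns `SBOX_ALL_OK` with none of the deny entries on the desktop. The commit message says a debug hook was removed because these permissions make it obsolete, which suggests something now depends on the ACE being present, while the comment above the mask still calls it "just an extra mitigation". Assuming the helper reports failure through its return value, I would at least log or assert on it, and replace the soft-fail comment with something like `// Denies window/menu creation to tokens carrying the restricted SID; the removed debug hook relied on this being applied.` The CreateAltWindowStation hunk has the same unchecked call, and both function bodies start and end outside the hunks shown.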