diff options
| author | jschuh@chromium.org <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-03-11 17:19:08 +0000 |
|---|---|---|
| committer | jschuh@chromium.org <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-03-11 17:19:08 +0000 |
| commit | 8bd3b0dd728973362d70a076e3f2d9984abd94e7 (patch) | |
| tree | 60b9008041f76da2ee835bb7daeb092d9f36bf5e /sandbox | |
| parent | f302cc3f6c2232ab752a9333a9ecea1b573b0b64 (diff) | |
| download | chromium_src-8bd3b0dd728973362d70a076e3f2d9984abd94e7.zip chromium_src-8bd3b0dd728973362d70a076e3f2d9984abd94e7.tar.gz chromium_src-8bd3b0dd728973362d70a076e3f2d9984abd94e7.tar.bz2 | |
Remove DELETE permission on the sandboxed desktop
It's not needed, and it may allow a narrow window where the desktop
can be deleted and replaced by one with looser permissions.
BUG=346586
R=cpu
Review URL: https://codereview.chromium.org/189993005
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@256261 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox')
| -rw-r--r-- | sandbox/win/src/window.cc | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/sandbox/win/src/window.cc b/sandbox/win/src/window.cc index b8d6358..ed5a662 100644 --- a/sandbox/win/src/window.cc +++ b/sandbox/win/src/window.cc @@ -100,6 +100,7 @@ ResultCode CreateAltDesktop(HWINSTA winsta, HDESK* desktop) { // Replace the DACL on the new Desktop with a reduced privilege version. // We can soft fail on this for now, as it's just an extra mitigation. static const ACCESS_MASK kDesktopDenyMask = WRITE_DAC | WRITE_OWNER | + DELETE | DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_HOOKCONTROL | |