Bug 1166669: Enable process-level mitigations for the Windows content process sandbox. r=tabraldes

Bob Owen 2015-06-03 09:13:00 +01:00
parent ec73ce58fd
commit e417ad7bcb


@ -123,6 +123,25 @@ SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel)
ret = ret && (sandbox::SBOX_ALL_OK == result);
}
if (aSandboxLevel >= 1) {
sandbox::MitigationFlags mitigations =
sandbox::MITIGATION_BOTTOM_UP_ASLR |
sandbox::MITIGATION_HEAP_TERMINATE |
sandbox::MITIGATION_SEHOP |
sandbox::MITIGATION_DEP_NO_ATL_THUNK |
sandbox::MITIGATION_DEP;
result = mPolicy->SetProcessMitigations(mitigations);
ret = ret && (sandbox::SBOX_ALL_OK == result);
mitigations =
sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
sandbox::MITIGATION_DLL_SEARCH_ORDER;
result = mPolicy->SetDelayedProcessMitigations(mitigations);
ret = ret && (sandbox::SBOX_ALL_OK == result);
}
// Add the policy for the client side of a pipe. It is just a file
// in the \pipe\ namespace. We restrict it to pipes that start with
// "chrome." so the sandboxed process cannot connect to system services.
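Review bot: The split between immediate and delayed mitigations inside the `if (aSandboxLevel >= 1)` block is undocumented, so a reader cannot tell why MITIGATION_STRICT_HANDLE_CHECKS and MITIGATION_DLL_SEARCH_ORDER go through SetDelayedProcessMitigations instead of being OR-ed into the first set. As I understand the Chromium sandbox API, delayed mitigations take effect only after the target process has finished its initialization, which is presumably needed because strict handle checks and the DLL search-order change could interfere with early startup; a comment above the second `mitigations =` assignment such as `// Applied only after the target initializes: enabling these at process creation could interfere with startup.` would record the reason and stop a later cleanup from merging the two calls. Each failed policy call is folded into `ret` without recording `result`, so when this function returns false the caller cannot tell which mitigation was refused; if that is deliberate, a one-line comment saying so would help, otherwise consider logging `result` on the failing branch. SetSecurityLevelForContentProcess starts before this hunk.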