Bug 1415160: Part 1 - Enable new NPAPI Windows Process Mitigations; r=bobowen

Enables new process mitigations that have been included from Chromium upstream. --HG-- extra : rebase_source : 8997bef9c6a6c660b39e68ebfabf90f4de162bca
2024-11-24 05:11:16 +00:00 · 2017-12-20 22:58:26 -08:00 · 2017-12-20 22:58:26 -08:00 · 90d62139c0
commit 90d62139c0
parent 04e873a402
1 changed files with 16 additions and 5 deletions
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@ -776,11 +776,22 @@ SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel)
    sandbox::MITIGATION_HEAP_TERMINATE |
    sandbox::MITIGATION_SEHOP |
    sandbox::MITIGATION_DEP_NO_ATL_THUNK |
-    sandbox::MITIGATION_DEP;
-
-  result = mPolicy->SetProcessMitigations(mitigations);
-  SANDBOX_ENSURE_SUCCESS(result,
-                         "Invalid flags for SetProcessMitigations.");
+    sandbox::MITIGATION_DEP |
+    sandbox::MITIGATION_HARDEN_TOKEN_IL_POLICY |
+    sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
+    sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
+    sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32;
+
+  result = mPolicy->SetProcessMitigations(mitigations);
+  SANDBOX_ENSURE_SUCCESS(result,
+                         "Invalid flags for SetProcessMitigations.");
+
+  sandbox::MitigationFlags delayedMitigations =
+    sandbox::MITIGATION_DLL_SEARCH_ORDER;
+
+  result = mPolicy->SetDelayedProcessMitigations(delayedMitigations);
+  SANDBOX_ENSURE_SUCCESS(result,
+                         "Invalid flags for SetDelayedProcessMitigations.");

  if (aSandboxLevel >= 2) {
    // Level 2 and above uses low integrity, so we need to give write access to