Bug 1121479 Part 4: Turn on DLL_SEARCH_ORDER process-level mitigation for the GMP sandbox. r=tabraldes
authorBob Owen <bobowencode@gmail.com>
Wed, 21 Jan 2015 07:59:56 +0000
changeset 224872 2a91d4a797dfdf84883f345f1c82f9f52c324bff
parent 224871 bec06786b97447dab424d71006b636bb87325e65
child 224873 1533b263c457a802d3ad3bcd7aac92069f37e901
push idunknown
push userunknown
push dateunknown
reviewerstabraldes
bugs1121479
milestone38.0a1
Bug 1121479 Part 4: Turn on DLL_SEARCH_ORDER process-level mitigation for the GMP sandbox. r=tabraldes
security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -174,16 +174,22 @@ SandboxBroker::SetSecurityLevelForGMPlug
   sandbox::MitigationFlags mitigations =
     sandbox::MITIGATION_HEAP_TERMINATE |
     sandbox::MITIGATION_SEHOP |
     sandbox::MITIGATION_DEP;
 
   result = mPolicy->SetProcessMitigations(mitigations);
   ret = ret && (sandbox::SBOX_ALL_OK == result);
 
+  mitigations =
+    sandbox::MITIGATION_DLL_SEARCH_ORDER;
+
+  result = mPolicy->SetDelayedProcessMitigations(mitigations);
+  ret = ret && (sandbox::SBOX_ALL_OK == result);
+
   // Add the policy for the client side of a pipe. It is just a file
   // in the \pipe\ namespace. We restrict it to pipes that start with
   // "chrome." so the sandboxed process cannot connect to system services.
   result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
                             sandbox::TargetPolicy::FILES_ALLOW_ANY,
                             L"\\??\\pipe\\chrome.*");
   ret = ret && (sandbox::SBOX_ALL_OK == result);