Close DeviceApi in Win8+ lockdown

BUG=346957 Review URL: https://codereview.chromium.org/290053003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@271496 0039d316-1c4b-4281-b951-d872f2087c98

Close DeviceApi in Win8+ lockdown
BUG=346957 Review URL: https://codereview.chromium.org/290053003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@271496 0039d316-1c4b-4281-b951-d872f2087c98
0285540b · jschuh@chromium.org · 61aea8a0 · 0285540b
Commit 0285540b authored May 19, 2014 by jschuh@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

content/common/sandbox_win.cc content/common/sandbox_win.cc +4 -0

No files found.
--- a/content/common/sandbox_win.cc
+++ b/content/common/sandbox_win.cc
@@ -343,6 +343,10 @@ bool AddPolicyForSandboxedProcess(sandbox::TargetPolicy* policy) {
  if (result != sandbox::SBOX_ALL_OK)
    return false;

+  // Win8+ adds a device DeviceApi that we don't need.
+  if (base::win::GetVersion() > base::win::VERSION_WIN7)
+    policy->AddKernelObjectToClose(L"File", L"\\Device\\DeviceApi");
+
  sandbox::TokenLevel initial_token = sandbox::USER_UNPROTECTED;
  if (base::win::GetVersion() > base::win::VERSION_XP) {
    // On 2003/Vista the initial token has to be restricted if the main