Skip to content

GitLab

T
tangled
Commit 0491c375 authored by Penny MacNeil's avatar Penny MacNeil Committed by Commit Bot
Browse files
Options

[Windows Sandbox] Remove temp emergency-off switch. 

Remove "WinSboxForceMsSigned" feature off switch.  The mitigation has been on for
all sandboxed child processes since M62.

R: forshaw@chromium.org
BUG: 750886
Change-Id: I9ea899e512d16db110fe9da33fa2d50758c3da82
Reviewed-on: https://chromium-review.googlesource.com/972360
Commit-Queue: Penny MacNeil <pennymac@chromium.org>
Reviewed-by: default avatarJames Forshaw <forshaw@chromium.org>
Reviewed-by: default avatarTom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#546196}
parent 2d3de74e
Hide whitespace changes
Inline Side-by-side
Showing with 2 additions and 11 deletions
services/service_manager/sandbox/features.cc
View file @ 0491c375
...@@ -14,11 +14,6 @@ namespace features { ...@@ -14,11 +14,6 @@ namespace features {
// sandbox::MITIGATION_EXTENSION_POINT_DISABLE. // sandbox::MITIGATION_EXTENSION_POINT_DISABLE.
const base::Feature kWinSboxDisableExtensionPoints{ const base::Feature kWinSboxDisableExtensionPoints{
"WinSboxDisableExtensionPoint", base::FEATURE_ENABLED_BY_DEFAULT}; "WinSboxDisableExtensionPoint", base::FEATURE_ENABLED_BY_DEFAULT};
// Emergency "off switch" for new Windows sandbox security mitigation,
// sandbox::MITIGATION_FORCE_MS_SIGNED_BINS.
const base::Feature kWinSboxForceMsSigned{"WinSboxForceMsSigned",
base::FEATURE_ENABLED_BY_DEFAULT};
#endif // defined(OS_WIN) #endif // defined(OS_WIN)
} // namespace features } // namespace features
......
services/service_manager/sandbox/features.h
View file @ 0491c375
...@@ -18,7 +18,6 @@ namespace features { ...@@ -18,7 +18,6 @@ namespace features {
#if defined(OS_WIN) #if defined(OS_WIN)
SERVICE_MANAGER_SANDBOX_EXPORT extern const base::Feature SERVICE_MANAGER_SANDBOX_EXPORT extern const base::Feature
kWinSboxDisableExtensionPoints; kWinSboxDisableExtensionPoints;
SERVICE_MANAGER_SANDBOX_EXPORT extern const base::Feature kWinSboxForceMsSigned;
#endif // defined(OS_WIN) #endif // defined(OS_WIN)
} // namespace features } // namespace features
......
services/service_manager/sandbox/win/sandbox_win.cc
View file @ 0491c375
...@@ -13,7 +13,6 @@ ...@@ -13,7 +13,6 @@
#include "base/command_line.h" #include "base/command_line.h"
#include "base/debug/activity_tracker.h" #include "base/debug/activity_tracker.h"
#include "base/debug/profiler.h" #include "base/debug/profiler.h"
#include "base/feature_list.h"
#include "base/files/file_path.h" #include "base/files/file_path.h"
#include "base/files/file_util.h" #include "base/files/file_util.h"
#include "base/hash.h" #include "base/hash.h"
...@@ -872,11 +871,9 @@ sandbox::ResultCode SandboxWin::StartSandboxedProcess( ...@@ -872,11 +871,9 @@ sandbox::ResultCode SandboxWin::StartSandboxedProcess(
// Post-startup mitigations. // Post-startup mitigations.
mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS | mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
sandbox::MITIGATION_DLL_SEARCH_ORDER; sandbox::MITIGATION_DLL_SEARCH_ORDER;
if (base::FeatureList::IsEnabled( if (!cmd_line->HasSwitch(switches::kAllowThirdPartyModules))
service_manager::features::kWinSboxForceMsSigned) &&
!cmd_line->HasSwitch(switches::kAllowThirdPartyModules)) {
mitigations |= sandbox::MITIGATION_FORCE_MS_SIGNED_BINS; mitigations |= sandbox::MITIGATION_FORCE_MS_SIGNED_BINS;
}
result = policy->SetDelayedProcessMitigations(mitigations); result = policy->SetDelayedProcessMitigations(mitigations);
if (result != sandbox::SBOX_ALL_OK) if (result != sandbox::SBOX_ALL_OK)
return result; return result;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment