Allow the MITIGATION_WIN32K_DISABLE process mitigation to be set in the renderer sandbox.

This is controllable by a command line switch "enable_gdi_user32_renderer_lockdown" at the moment.
Defaults to not being set.

BUG=365160

Review URL: https://codereview.chromium.org/282133007

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@271235 0039d316-1c4b-4281-b951-d872f2087c98

content/common/sandbox_win.cc

@@ -602,6 +602,13 @@ base::ProcessHandle StartSandboxedProcess(
                                          sandbox::MITIGATION_DEP_NO_ATL_THUNK |
                                          sandbox::MITIGATION_SEHOP;
 
+ if (base::win::GetVersion() >= base::win::VERSION_WIN8 &&
+     type_str == switches::kRendererProcess &&
+     browser_command_line.HasSwitch(
+        switches::kEnableWin32kRendererLockDown)) {
+   mitigations |= sandbox::MITIGATION_WIN32K_DISABLE;
+ }
+
   if (policy->SetProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
     return 0;
 

content/public/common/content_switches.cc

@@ -430,6 +430,12 @@ const char kEnableDirectWrite[]             = "enable-direct-write";
 
 // Use high resolution timers for TimeTicks.
 const char kEnableHighResolutionTime[]      = "enable-high-resolution-time";
+
+// Enable the Win32K process mitigation policy for renderer processes which
+// prevents them from invoking user32 and gdi32 system calls which enter
+// the kernel. This is only supported on Windows 8 and beyond.
+const char kEnableWin32kRendererLockDown[]
+    = "enable_win32k_renderer_lockdown";
 #endif
 
 // Paint content on the compositor thread instead of the main thread.

content/public/common/content_switches.h

@@ -126,6 +126,9 @@ CONTENT_EXPORT extern const char kEnableHighDpiCompositingForFixedPosition[];
 #if defined(OS_WIN)
 CONTENT_EXPORT extern const char kDisableLegacyIntermediateWindow[];
 CONTENT_EXPORT extern const char kEnableDirectWrite[];
+// This switch will be removed when we enable the win32K lockdown process
+// mitigation.
+CONTENT_EXPORT extern const char kEnableWin32kRendererLockDown[];
 CONTENT_EXPORT extern const char kEnableHighResolutionTime[];
 #endif
 CONTENT_EXPORT extern const char kEnableImplSidePainting[];

sandbox/win/src/process_mitigations.cc

@@ -308,7 +308,6 @@ bool CanSetProcessMitigationsPostStartup(MitigationFlags flags) {
                      MITIGATION_RELOCATE_IMAGE_REQUIRED |
                      MITIGATION_BOTTOM_UP_ASLR |
                      MITIGATION_STRICT_HANDLE_CHECKS |
-                     MITIGATION_WIN32K_DISABLE |
                      MITIGATION_EXTENSION_DLL_DISABLE |
                      MITIGATION_DLL_SEARCH_ORDER));
 }
@@ -316,7 +315,6 @@ bool CanSetProcessMitigationsPostStartup(MitigationFlags flags) {
 bool CanSetProcessMitigationsPreStartup(MitigationFlags flags) {
   // These mitigations cannot be enabled prior to startup.
   return !(flags & (MITIGATION_STRICT_HANDLE_CHECKS |
-                    MITIGATION_WIN32K_DISABLE |
                     MITIGATION_DLL_SEARCH_ORDER));
 }
 

sandbox/win/src/process_mitigations_test.cc

@@ -129,8 +129,7 @@ TEST(ProcessMitigationsTest, CheckWin8) {
 
   EXPECT_EQ(policy->SetProcessMitigations(mitigations), SBOX_ALL_OK);
 
-  mitigations |= MITIGATION_STRICT_HANDLE_CHECKS |
-                 MITIGATION_WIN32K_DISABLE;
+  mitigations |= MITIGATION_STRICT_HANDLE_CHECKS;
 
   EXPECT_EQ(policy->SetDelayedProcessMitigations(mitigations), SBOX_ALL_OK);