create finch for Csrss lockdown.

This was done in https://codereview.chromium.org/2862563004/ but this was reverted.
In this version the finch is created, but not enabled. It will be enabled in a subsequent CL once the issues that caused it to be reverted have been fixed.

TEST= sbox_integration_tests.exe, *

Bug: 464430
Change-Id: Ie7fd8e9f8e867929028f414af0b0c7886809b720
Reviewed-on: https://chromium-review.googlesource.com/567272Reviewed-by: Penny MacNeil <pennymac@chromium.org>
Commit-Queue: Liam Murphy <liamjm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#486029}

content/common/sandbox_win.cc

@@ -12,6 +12,7 @@
 #include "base/command_line.h"
 #include "base/debug/activity_tracker.h"
 #include "base/debug/profiler.h"
+#include "base/feature_list.h"
 #include "base/files/file_util.h"
 #include "base/hash.h"
 #include "base/logging.h"
@@ -627,9 +628,24 @@ sandbox::ResultCode SetJobLevel(const base::CommandLine& cmd_line,
   return SetJobMemoryLimit(cmd_line, policy);
 }
 
+// This is for finch. See also crbug.com/464430 for details.
+const base::Feature kEnableCsrssLockdownFeature{
+    "EnableCsrssLockdown", base::FEATURE_DISABLED_BY_DEFAULT};
+
 // TODO(jschuh): Need get these restrictions applied to NaCl and Pepper.
 // Just have to figure out what needs to be warmed up first.
 sandbox::ResultCode AddBaseHandleClosePolicy(sandbox::TargetPolicy* policy) {
+  if (base::win::GetVersion() >= base::win::VERSION_WIN10) {
+    if (base::FeatureList::IsEnabled(kEnableCsrssLockdownFeature)) {
+      // Close all ALPC ports.
+      sandbox::ResultCode ret =
+          policy->AddKernelObjectToClose(L"ALPC Port", NULL);
+      if (ret != sandbox::SBOX_ALL_OK) {
+        return ret;
+      }
+    }
+  }
+
   // TODO(cpu): Add back the BaseNamedObjects policy.
   base::string16 object_path = PrependWindowsSessionPath(
       L"\\BaseNamedObjects\\windows_shell_global_counters");