[Windows] Add DACL lockdown and Random Restricted SID for GPU process.

This CL adds support to enable default DACL lockdown on GPU processes as well as enabling the random restricted SID feature to limit cross process access. Bug: 1057218 Change-Id: I669e0d32a5eb2cd3724a876a5cef5f306d7db8a5 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2091901Reviewed-by: Will Harris <wfh@chromium.org> Commit-Queue: James Forshaw <forshaw@chromium.org> Cr-Commit-Position: refs/heads/master@{#747838}

[Windows] Add DACL lockdown and Random Restricted SID for GPU process.
This CL adds support to enable default DACL lockdown on GPU processes as well as enabling the random restricted SID feature to limit cross process access. Bug: 1057218 Change-Id: I669e0d32a5eb2cd3724a876a5cef5f306d7db8a5 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2091901Reviewed-by: Will Harris <wfh@chromium.org> Commit-Queue: James Forshaw <forshaw@chromium.org> Cr-Commit-Position: refs/heads/master@{#747838}
a670e7a2 · James Forshaw · Commit Bot · 0e8c98fa · a670e7a2
Commit a670e7a2 authored Mar 06, 2020 by James Forshaw Committed by Commit Bot Mar 06, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

services/service_manager/sandbox/win/sandbox_win.cc services/service_manager/sandbox/win/sandbox_win.cc +7 -0

No files found.
--- a/services/service_manager/sandbox/win/sandbox_win.cc
+++ b/services/service_manager/sandbox/win/sandbox_win.cc
@@ -941,6 +941,13 @@ sandbox::ResultCode SandboxWin::StartSandboxedProcess(
      return result;
  }
+  if (process_type == service_manager::switches::kGpuProcess &&
+      base::FeatureList::IsEnabled(
+          {"GpuLockdownDefaultDacl", base::FEATURE_ENABLED_BY_DEFAULT})) {
+    policy->SetLockdownDefaultDacl();
+    policy->AddRestrictingRandomSid();
+  }
 #if !defined(NACL_WIN64)
  if (process_type == service_manager::switches::kRendererProcess ||
      process_type == service_manager::switches::kPpapiPluginProcess ||