Diffstat (limited to 'chromium/sandbox/win/src/window.cc')
-rw-r--r-- | chromium/sandbox/win/src/window.cc | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/chromium/sandbox/win/src/window.cc b/chromium/sandbox/win/src/window.cc index 6b5766b325b..ed5a6626338 100644 --- a/chromium/sandbox/win/src/window.cc +++ b/chromium/sandbox/win/src/window.cc @@ -48,9 +48,8 @@ ResultCode CreateAltWindowStation(HWINSTA* winsta) { *winsta = ::CreateWindowStationW(NULL, 0, WINSTA_ALL_ACCESS, &attributes); LocalFree(attributes.lpSecurityDescriptor); - if (*winsta) { + if (*winsta) return SBOX_ALL_OK; - } return SBOX_ERROR_CANNOT_CREATE_WINSTATION; } @@ -100,11 +99,14 @@ ResultCode CreateAltDesktop(HWINSTA winsta, HDESK* desktop) { if (*desktop) { // Replace the DACL on the new Desktop with a reduced privilege version. // We can soft fail on this for now, as it's just an extra mitigation. - static const ACCESS_MASK kDesktopDenyMask = WRITE_DAC | WRITE_OWNER | - DESKTOP_HOOKCONTROL | - DESKTOP_JOURNALPLAYBACK | - DESKTOP_JOURNALRECORD | - DESKTOP_SWITCHDESKTOP; + static const ACCESS_MASK kDesktopDenyMask = WRITE_DAC | WRITE_OWNER | + DELETE | + DESKTOP_CREATEMENU | + DESKTOP_CREATEWINDOW | + DESKTOP_HOOKCONTROL | + DESKTOP_JOURNALPLAYBACK | + DESKTOP_JOURNALRECORD | + DESKTOP_SWITCHDESKTOP; AddKnownSidToObject(*desktop, SE_WINDOW_OBJECT, Sid(WinRestrictedCodeSid), DENY_ACCESS, kDesktopDenyMask); return SBOX_ALL_OK; |
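Review bot: In the second hunk (CreateAltDesktop), the widened `kDesktopDenyMask` has no comment explaining why `DELETE`, `DESKTOP_CREATEMENU` and `DESKTOP_CREATEWINDOW` are now denied to `WinRestrictedCodeSid`; the existing comment only calls the ACE an extra mitigation. A short comment above the mask would let later reviewers judge whether a right belongs there, for example `// Deny restricted code the rights to re-ACL, delete, hook, journal, switch, or create windows/menus on this desktop.` The result of `AddKnownSidToObject` is still discarded, so if the call fails the function returns `SBOX_ALL_OK` with the wider deny ACE presumably not applied. If the helper reports a status, recording the failure while keeping the soft-fail return would make a missing mitigation visible. The body of CreateAltDesktop starts and ends outside the hunk, so any handling further down is not visible here.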