1 // Copyright 2018 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "services/network/network_sandbox_win.h"
6 
7 #include "sandbox/win/src/sandbox_types.h"
8 #include "services/service_manager/sandbox/win/sandbox_win.h"
9 
10 // NOTE: changes to this code need to be reviewed by the security team.
11 namespace network {
12 
13 // Right now, this policy is essentially unsandboxed, but with default process
14 // mitigations applied. This will be tighted up in future releases.
NetworkPreSpawnTarget(sandbox::TargetPolicy * policy,const base::CommandLine & cmd_line)15 bool NetworkPreSpawnTarget(sandbox::TargetPolicy* policy,
16                            const base::CommandLine& cmd_line) {
17   sandbox::ResultCode result = policy->SetTokenLevel(sandbox::USER_UNPROTECTED,
18                                                      sandbox::USER_UNPROTECTED);
19   if (result != sandbox::ResultCode::SBOX_ALL_OK)
20     return false;
21   result = service_manager::SandboxWin::SetJobLevel(
22       cmd_line, sandbox::JOB_UNPROTECTED, 0, policy);
23   if (result != sandbox::ResultCode::SBOX_ALL_OK)
24     return false;
25   return true;
26 }
27 
28 }  // namespace network
29