summaryrefslogtreecommitdiffstats
path: root/security/sandbox/chromium-shim/base/win
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
commit43a97878ce14b72f0981164f87f2e35e14151312 (patch)
tree620249daf56c0258faa40cbdcf9cfba06de2a846 /security/sandbox/chromium-shim/base/win
parentInitial commit. (diff)
downloadfirefox-43a97878ce14b72f0981164f87f2e35e14151312.tar.xz
firefox-43a97878ce14b72f0981164f87f2e35e14151312.zip
Adding upstream version 110.0.1.upstream/110.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/sandbox/chromium-shim/base/win')
-rw-r--r--security/sandbox/chromium-shim/base/win/base_win_buildflags.h17
-rw-r--r--security/sandbox/chromium-shim/base/win/registry.h48
-rw-r--r--security/sandbox/chromium-shim/base/win/sdkdecls.h379
-rw-r--r--security/sandbox/chromium-shim/base/win/win_util.cpp42
-rw-r--r--security/sandbox/chromium-shim/base/win/win_util.h26
5 files changed, 512 insertions, 0 deletions
diff --git a/security/sandbox/chromium-shim/base/win/base_win_buildflags.h b/security/sandbox/chromium-shim/base/win/base_win_buildflags.h
new file mode 100644
index 0000000000..93d3e11a45
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/win/base_win_buildflags.h
@@ -0,0 +1,17 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a dummy version of a file that is generated by the chromium build
+// from base/win/BUILD.gn.
+
+#ifndef BASE_WIN_BASE_WIN_BUILDFLAGS_H_
+#define BASE_WIN_BASE_WIN_BUILDFLAGS_H_
+
+#include "build/buildflag.h"
+
+#define BUILDFLAG_INTERNAL_SINGLE_MODULE_MODE_HANDLE_VERIFIER() (0)
+
+#endif // BASE_WIN_BASE_WIN_BUILDFLAGS_H_
diff --git a/security/sandbox/chromium-shim/base/win/registry.h b/security/sandbox/chromium-shim/base/win/registry.h
new file mode 100644
index 0000000000..e5d0f26ed2
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/win/registry.h
@@ -0,0 +1,48 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a stripped down version of Chromium source file base/win/registry.h
+// Within our copy of Chromium files this is only used in base/win/windows_version.cc
+// in OSInfo::processor_model_name, which we don't use.
+// It is also used in GetUBR, which is used as the VersionNumber.patch, which
+// again is not needed by the sandbox.
+
+#ifndef BASE_WIN_REGISTRY_H_
+#define BASE_WIN_REGISTRY_H_
+
+#include <winerror.h>
+
+namespace base {
+namespace win {
+
+class BASE_EXPORT RegKey {
+ public:
+ RegKey() {};
+ RegKey(HKEY rootkey, const wchar_t* subkey, REGSAM access) {}
+ ~RegKey() {}
+
+ LONG Open(HKEY rootkey, const wchar_t* subkey, REGSAM access) {
+ return ERROR_CANTOPEN;
+ }
+
+ LONG ReadValueDW(const wchar_t* name, DWORD* out_value) const
+ {
+ return ERROR_CANTREAD;
+ }
+
+ LONG ReadValue(const wchar_t* name, std::wstring* out_value) const
+ {
+ return ERROR_CANTREAD;
+ }
+
+ private:
+ DISALLOW_COPY_AND_ASSIGN(RegKey);
+};
+
+} // namespace win
+} // namespace base
+
+#endif // BASE_WIN_REGISTRY_H_
diff --git a/security/sandbox/chromium-shim/base/win/sdkdecls.h b/security/sandbox/chromium-shim/base/win/sdkdecls.h
new file mode 100644
index 0000000000..02c79046e8
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/win/sdkdecls.h
@@ -0,0 +1,379 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _SECURITY_SANDBOX_BASE_SHIM_SDKDECLS_H_
+#define _SECURITY_SANDBOX_BASE_SHIM_SDKDECLS_H_
+
+#include <windows.h>
+
+// This file contains definitions required for things dynamically loaded
+// while building or targetting lower platform versions or lower SDKs.
+
+#if (_WIN32_WINNT < 0x0602)
+#define ProcThreadAttributeSecurityCapabilities 9
+#define PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES \
+ ProcThreadAttributeValue (ProcThreadAttributeSecurityCapabilities, FALSE, TRUE, FALSE)
+
+#define PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_MASK (0x00000003 << 8)
+#define PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_DEFER (0x00000000 << 8)
+#define PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000001 << 8)
+#define PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_OFF (0x00000002 << 8)
+#define PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS (0x00000003 << 8)
+#define PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_MASK (0x00000003 << 12)
+#define PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_DEFER (0x00000000 << 12)
+#define PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON (0x00000001 << 12)
+#define PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_OFF (0x00000002 << 12)
+#define PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_RESERVED (0x00000003 << 12)
+#define PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_MASK (0x00000003 << 16)
+#define PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_DEFER (0x00000000 << 16)
+#define PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00000001 << 16)
+#define PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00000002 << 16)
+#define PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_RESERVED (0x00000003 << 16)
+#define PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_MASK (0x00000003 << 20)
+#define PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_DEFER (0x00000000 << 20)
+#define PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON (0x00000001 << 20)
+#define PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_OFF (0x00000002 << 20)
+#define PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_RESERVED (0x00000003 << 20)
+#define PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_MASK (0x00000003 << 24)
+#define PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_DEFER (0x00000000 << 24)
+#define PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON (0x00000001 << 24)
+#define PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_OFF (0x00000002 << 24)
+#define PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_RESERVED (0x00000003 << 24)
+#define PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_MASK (0x00000003 << 28)
+#define PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_DEFER (0x00000000 << 28)
+#define PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON (0x00000001 << 28)
+#define PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_OFF (0x00000002 << 28)
+#define PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_RESERVED (0x00000003 << 28)
+#define PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_MASK (0x00000003uLL << 32)
+#define PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_DEFER (0x00000000uLL << 32)
+#define PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON (0x00000001uLL << 32)
+#define PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_OFF (0x00000002uLL << 32)
+#define PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_RESERVED (0x00000003uLL << 32)
+
+typedef struct _MEMORY_PRIORITY_INFORMATION {
+ ULONG MemoryPriority;
+} MEMORY_PRIORITY_INFORMATION, *PMEMORY_PRIORITY_INFORMATION;
+
+WINBASEAPI
+BOOL
+WINAPI
+GetThreadInformation(
+ _In_ HANDLE hThread,
+ _In_ THREAD_INFORMATION_CLASS ThreadInformationClass,
+ _Out_writes_bytes_(ThreadInformationSize) LPVOID ThreadInformation,
+ _In_ DWORD ThreadInformationSize
+ );
+
+WINBASEAPI
+BOOL
+WINAPI
+SetThreadInformation(
+ _In_ HANDLE hThread,
+ _In_ THREAD_INFORMATION_CLASS ThreadInformationClass,
+ _In_reads_bytes_(ThreadInformationSize) LPVOID ThreadInformation,
+ _In_ DWORD ThreadInformationSize
+);
+
+// Check if we're including >= win8 winnt.h
+#ifndef NTDDI_WIN8
+
+typedef struct _SECURITY_CAPABILITIES {
+ PSID AppContainerSid;
+ PSID_AND_ATTRIBUTES Capabilities;
+ DWORD CapabilityCount;
+ DWORD Reserved;
+} SECURITY_CAPABILITIES, *PSECURITY_CAPABILITIES, *LPSECURITY_CAPABILITIES;
+
+typedef enum _PROCESS_MITIGATION_POLICY {
+ ProcessDEPPolicy,
+ ProcessASLRPolicy,
+ ProcessReserved1MitigationPolicy,
+ ProcessStrictHandleCheckPolicy,
+ ProcessSystemCallDisablePolicy,
+ ProcessMitigationOptionsMask,
+ ProcessExtensionPointDisablePolicy,
+ MaxProcessMitigationPolicy
+} PROCESS_MITIGATION_POLICY, *PPROCESS_MITIGATION_POLICY;
+
+#define LOAD_LIBRARY_SEARCH_DEFAULT_DIRS 0x00001000
+
+typedef struct _PROCESS_MITIGATION_ASLR_POLICY {
+ union {
+ DWORD Flags;
+ struct {
+ DWORD EnableBottomUpRandomization : 1;
+ DWORD EnableForceRelocateImages : 1;
+ DWORD EnableHighEntropy : 1;
+ DWORD DisallowStrippedImages : 1;
+ DWORD ReservedFlags : 28;
+ };
+ };
+} PROCESS_MITIGATION_ASLR_POLICY, *PPROCESS_MITIGATION_ASLR_POLICY;
+
+typedef struct _PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY {
+ union {
+ DWORD Flags;
+ struct {
+ DWORD RaiseExceptionOnInvalidHandleReference : 1;
+ DWORD HandleExceptionsPermanentlyEnabled : 1;
+ DWORD ReservedFlags : 30;
+ };
+ };
+} PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY, *PPROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY;
+
+typedef struct _PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY {
+ union {
+ DWORD Flags;
+ struct {
+ DWORD DisallowWin32kSystemCalls : 1;
+ DWORD ReservedFlags : 31;
+ };
+ };
+} PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY, *PPROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY;
+
+typedef struct _PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY {
+ union {
+ DWORD Flags;
+ struct {
+ DWORD DisableExtensionPoints : 1;
+ DWORD ReservedFlags : 31;
+ };
+ };
+} PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY, *PPROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY;
+
+#endif // NTDDI_WIN8
+
+WINBASEAPI
+BOOL
+WINAPI
+GetProcessMitigationPolicy(
+ _In_ HANDLE hProcess,
+ _In_ PROCESS_MITIGATION_POLICY MitigationPolicy,
+ _Out_writes_bytes_(dwLength) PVOID lpBuffer,
+ _In_ SIZE_T dwLength
+ );
+
+WINBASEAPI
+BOOL
+WINAPI
+SetProcessMitigationPolicy(
+ _In_ PROCESS_MITIGATION_POLICY MitigationPolicy,
+ _In_reads_bytes_(dwLength) PVOID lpBuffer,
+ _In_ SIZE_T dwLength
+ );
+
+#if !defined(_USERENV_)
+#define USERENVAPI DECLSPEC_IMPORT
+#else
+#define USERENVAPI
+#endif
+
+USERENVAPI
+HRESULT
+WINAPI
+CreateAppContainerProfile(_In_ PCWSTR pszAppContainerName,
+ _In_ PCWSTR pszDisplayName,
+ _In_ PCWSTR pszDescription,
+ _In_reads_opt_(dwCapabilityCount)
+ PSID_AND_ATTRIBUTES pCapabilities,
+ _In_ DWORD dwCapabilityCount,
+ _Outptr_ PSID* ppSidAppContainerSid);
+
+USERENVAPI
+HRESULT
+WINAPI
+DeleteAppContainerProfile(
+ _In_ PCWSTR pszAppContainerName);
+
+USERENVAPI
+HRESULT
+WINAPI
+GetAppContainerRegistryLocation(
+ _In_ REGSAM desiredAccess,
+ _Outptr_ PHKEY phAppContainerKey);
+
+USERENVAPI
+HRESULT
+WINAPI
+GetAppContainerFolderPath(
+ _In_ PCWSTR pszAppContainerSid,
+ _Outptr_ PWSTR *ppszPath);
+
+USERENVAPI
+HRESULT
+WINAPI
+DeriveAppContainerSidFromAppContainerName(
+ _In_ PCWSTR pszAppContainerName,
+ _Outptr_ PSID *ppsidAppContainerSid);
+
+#endif // (_WIN32_WINNT < 0x0602)
+
+#if (_WIN32_WINNT < 0x0603)
+//
+// Define dynamic code options.
+//
+
+#define PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_MASK (0x00000003uLL << 36)
+#define PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_DEFER (0x00000000uLL << 36)
+#define PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON (0x00000001uLL << 36)
+#define PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_OFF (0x00000002uLL << 36)
+#define PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON_ALLOW_OPT_OUT (0x00000003uLL << 36)
+
+//
+// Define Control Flow Guard (CFG) mitigation policy options. Control Flow
+// Guard allows indirect control transfers to be checked at runtime.
+//
+
+#define PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_MASK (0x00000003uLL << 40)
+#define PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_DEFER (0x00000000uLL << 40)
+#define PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_ON (0x00000001uLL << 40)
+#define PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF (0x00000002uLL << 40)
+#define PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_EXPORT_SUPPRESSION (0x00000003uLL << 40)
+
+//
+// Define module signature options. When enabled, this option will
+// block mapping of non-microsoft binaries.
+//
+
+#define PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_MASK (0x00000003uLL << 44)
+#define PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_DEFER (0x00000000uLL << 44)
+#define PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON (0x00000001uLL << 44)
+#define PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_OFF (0x00000002uLL << 44)
+#define PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_RESERVED (0x00000003uLL << 44)
+#endif
+
+#if (_WIN32_WINNT < 0x0A00)
+//
+// Define Font Disable Policy. When enabled, this option will
+// block loading Non System Fonts.
+//
+
+#define PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_MASK (0x00000003uLL << 48)
+#define PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_DEFER (0x00000000uLL << 48)
+#define PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON (0x00000001uLL << 48)
+#define PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_OFF (0x00000002uLL << 48)
+#define PROCESS_CREATION_MITIGATION_POLICY_AUDIT_NONSYSTEM_FONTS (0x00000003uLL << 48)
+
+//
+// Define remote image load options. When enabled, this option will
+// block mapping of images from remote devices.
+//
+
+#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_MASK (0x00000003uLL << 52)
+#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_DEFER (0x00000000uLL << 52)
+#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON (0x00000001uLL << 52)
+#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_OFF (0x00000002uLL << 52)
+#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_RESERVED (0x00000003uLL << 52)
+
+//
+// Define low IL image load options. When enabled, this option will
+// block mapping of images that have the low mandatory label.
+//
+
+#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_MASK (0x00000003uLL << 56)
+#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_DEFER (0x00000000uLL << 56)
+#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_ON (0x00000001uLL << 56)
+#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_OFF (0x00000002uLL << 56)
+#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_RESERVED (0x00000003uLL << 56)
+
+//
+// Define image load options to prefer System32 images compared to
+// the same images in application directory. When enabled, this option
+// will prefer loading images from system32 folder.
+//
+
+#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_MASK (0x00000003uLL << 60)
+#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_DEFER (0x00000000uLL << 60)
+#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON (0x00000001uLL << 60)
+#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_OFF (0x00000002uLL << 60)
+#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_RESERVED (0x00000003uLL << 60)
+
+//
+// Define the restricted indirect branch prediction mitigation policy options.
+//
+
+#define PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_MASK (0x00000003ui64 << 16)
+#define PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_DEFER (0x00000000ui64 << 16)
+#define PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON (0x00000001ui64 << 16)
+#define PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_OFF (0x00000002ui64 << 16)
+#define PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_RESERVED (0x00000003ui64 << 16)
+
+//
+// Define the user-mode shadow stack mitigation policy options.
+//
+
+#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_MASK (0x00000003ui64 << 28)
+#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_DEFER (0x00000000ui64 << 28)
+#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_ALWAYS_ON (0x00000001ui64 << 28)
+#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_ALWAYS_OFF (0x00000002ui64 << 28)
+#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_RESERVED (0x00000003ui64 << 28)
+#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_STRICT_MODE (0x00000003ui64 << 28)
+
+//
+// Define Attribute to disable creation of child process
+//
+
+#define PROCESS_CREATION_CHILD_PROCESS_RESTRICTED 0x01
+#define PROCESS_CREATION_CHILD_PROCESS_OVERRIDE 0x02
+
+//
+// Define Attribute for Desktop Appx Overide.
+//
+
+#define PROCESS_CREATION_DESKTOP_APPX_OVERRIDE 0x04
+
+#define ProcThreadAttributeChildProcessPolicy 14
+
+#define PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY \
+ ProcThreadAttributeValue (ProcThreadAttributeChildProcessPolicy, FALSE, TRUE, FALSE)
+
+//
+// Define Attribute to opt out of matching All Application Packages
+//
+
+#define PROCESS_CREATION_ALL_APPLICATION_PACKAGES_OPT_OUT 0x01
+
+#define ProcThreadAttributeAllApplicationPackagesPolicy 15
+
+#define PROC_THREAD_ATTRIBUTE_ALL_APPLICATION_PACKAGES_POLICY \
+ ProcThreadAttributeValue (ProcThreadAttributeAllApplicationPackagesPolicy, FALSE, TRUE, FALSE)
+
+//
+// Define functions declared only when _WIN32_WINNT >= 0x0A00
+//
+
+WINBASEAPI
+BOOL
+WINAPI
+IsWow64Process2(
+ _In_ HANDLE hProcess,
+ _Out_ USHORT* pProcessMachine,
+ _Out_opt_ USHORT* pNativeMachine
+ );
+
+WINBASEAPI
+BOOL
+WINAPI
+IsUserCetAvailableInEnvironment(
+ _In_ DWORD UserCetEnvironment
+ );
+
+#define USER_CET_ENVIRONMENT_WIN32_PROCESS 0x00000000
+
+#endif // (_WIN32_WINNT < 0x0A00)
+
+#if defined(__MINGW32__)
+
+// winnt.h
+#define THREAD_DYNAMIC_CODE_ALLOW 1 // Opt-out of dynamic code generation.
+
+// Mingw uses an old version THREAD_INFORMATION_CLASS defined in winbase.h
+// where ThreadDynamicCodePolicy does not exist.
+#define ThreadDynamicCodePolicy static_cast<THREAD_INFORMATION_CLASS>(2)
+
+#endif // defined(__MINGW32__)
+
+#endif // _SECURITY_SANDBOX_BASE_SHIM_SDKDECLS_H_
diff --git a/security/sandbox/chromium-shim/base/win/win_util.cpp b/security/sandbox/chromium-shim/base/win/win_util.cpp
new file mode 100644
index 0000000000..3ea789675d
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/win/win_util.cpp
@@ -0,0 +1,42 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a partial implementation of Chromium's source file
+// base/win/win_util.cc
+
+#include "base/win/win_util.h"
+
+#include "base/logging.h"
+#include "base/strings/string_util.h"
+
+namespace base {
+namespace win {
+
+std::wstring GetWindowObjectName(HANDLE handle) {
+ // Get the size of the name.
+ std::wstring object_name;
+
+ DWORD size = 0;
+ ::GetUserObjectInformation(handle, UOI_NAME, nullptr, 0, &size);
+ if (!size) {
+ DPCHECK(false);
+ return object_name;
+ }
+
+ LOG_ASSERT(size % sizeof(wchar_t) == 0u);
+
+ // Query the name of the object.
+ if (!::GetUserObjectInformation(
+ handle, UOI_NAME, WriteInto(&object_name, size / sizeof(wchar_t)),
+ size, &size)) {
+ DPCHECK(false);
+ }
+
+ return object_name;
+}
+
+} // namespace win
+} // namespace base
diff --git a/security/sandbox/chromium-shim/base/win/win_util.h b/security/sandbox/chromium-shim/base/win/win_util.h
new file mode 100644
index 0000000000..3e91e63d59
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/win/win_util.h
@@ -0,0 +1,26 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a partial implementation of Chromium's source file
+// base/win/win_util.h
+
+#ifndef BASE_WIN_WIN_UTIL_H_
+#define BASE_WIN_WIN_UTIL_H_
+
+#include <string>
+
+#include "base/base_export.h"
+
+namespace base {
+namespace win {
+
+// Returns the name of a desktop or a window station.
+BASE_EXPORT std::wstring GetWindowObjectName(HANDLE handle);
+
+} // namespace win
+} // namespace base
+
+#endif // BASE_WIN_WIN_UTIL_H_