forked from bromite/bromite
-
Notifications
You must be signed in to change notification settings - Fork 98
/
Copy pathImprove-the-browser-sandbox.patch
47 lines (44 loc) · 2.12 KB
/
Improve-the-browser-sandbox.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
From: uazo <uazo@users.noreply.github.com>
Date: Fri, 17 Feb 2023 16:23:20 +0000
Subject: Improve the browser sandbox
by enabling network service sandbox and CIG in windows and
using the new flags on android
License: GPL-2.0-or-later - https://spdx.org/licenses/GPL-2.0-or-later.html
---
.../common/features_cc/Improve-the-browser-sandbox.inc | 2 ++
.../content_features_cc/Improve-the-browser-sandbox.inc | 1 +
sandbox/policy/features.cc | 9 +++++++++
3 files changed, 12 insertions(+)
create mode 100644 cromite_flags/content/common/features_cc/Improve-the-browser-sandbox.inc
create mode 100644 cromite_flags/content/public/common/content_features_cc/Improve-the-browser-sandbox.inc
diff --git a/cromite_flags/content/common/features_cc/Improve-the-browser-sandbox.inc b/cromite_flags/content/common/features_cc/Improve-the-browser-sandbox.inc
new file mode 100644
--- /dev/null
+++ b/cromite_flags/content/common/features_cc/Improve-the-browser-sandbox.inc
@@ -0,0 +1,2 @@
+SET_CROMITE_FEATURE_ENABLED(kCommittedOriginEnforcements);
+SET_CROMITE_FEATURE_ENABLED(kCommittedOriginTracking);
diff --git a/cromite_flags/content/public/common/content_features_cc/Improve-the-browser-sandbox.inc b/cromite_flags/content/public/common/content_features_cc/Improve-the-browser-sandbox.inc
new file mode 100644
--- /dev/null
+++ b/cromite_flags/content/public/common/content_features_cc/Improve-the-browser-sandbox.inc
@@ -0,0 +1 @@
+SET_CROMITE_FEATURE_ENABLED(kUseBrowserCalculatedOrigin);
diff --git a/sandbox/policy/features.cc b/sandbox/policy/features.cc
--- a/sandbox/policy/features.cc
+++ b/sandbox/policy/features.cc
@@ -229,4 +229,13 @@ bool IsParallelLaunchEnabled() {
return base::FeatureList::IsEnabled(kWinSboxParallelProcessLaunch);
}
#endif // BUILDFLAG(IS_WIN)
+
+#if BUILDFLAG(IS_ANDROID)
+SET_CROMITE_FEATURE_ENABLED(kUseRendererProcessPolicy);
+SET_CROMITE_FEATURE_ENABLED(kRestrictRendererPoliciesInBaseline);
+#endif
+#if BUILDFLAG(IS_WIN)
+SET_CROMITE_FEATURE_ENABLED(kNetworkServiceSandbox);
+SET_CROMITE_FEATURE_ENABLED(kNetworkServiceCodeIntegrity);
+#endif
} // namespace sandbox::policy::features
--