blob: 8ba5f501bda4954f3e8257bb606aa122c0592cfc [file] [log] [blame]
// Copyright 2017 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "sandbox/policy/features.h"
#include "build/build_config.h"
#include "build/chromeos_buildflags.h"
namespace sandbox {
namespace policy {
namespace features {
#if !defined(OS_MAC) && !defined(OS_FUCHSIA)
// Enables network service sandbox.
// (Only causes an effect when feature kNetworkService is enabled.)
const base::Feature kNetworkServiceSandbox{"NetworkServiceSandbox",
#endif // !defined(OS_MAC) && !defined(OS_FUCHSIA)
#if defined(OS_WIN)
// Emergency "off switch" for new Windows KTM security mitigation,
const base::Feature kWinSboxDisableKtmComponent{
"WinSboxDisableKtmComponent", base::FEATURE_ENABLED_BY_DEFAULT};
// Emergency "off switch" for new Windows sandbox security mitigation,
const base::Feature kWinSboxDisableExtensionPoints{
"WinSboxDisableExtensionPoint", base::FEATURE_ENABLED_BY_DEFAULT};
// Enables GPU AppContainer sandbox on Windows.
const base::Feature kGpuAppContainer{"GpuAppContainer",
// Enables GPU Low Privilege AppContainer when combined with kGpuAppContainer.
const base::Feature kGpuLPAC{"GpuLPAC", base::FEATURE_ENABLED_BY_DEFAULT};
// Use LPAC for network sandbox instead of restricted token. Relies on
// NetworkServiceSandbox being also enabled.
const base::Feature kNetworkServiceSandboxLPAC{
"NetworkServiceSandboxLPAC", base::FEATURE_DISABLED_BY_DEFAULT};
#endif // defined(OS_WIN)
#if !defined(OS_ANDROID)
// Controls whether the isolated XR service is sandboxed.
const base::Feature kXRSandbox{"XRSandbox", base::FEATURE_ENABLED_BY_DEFAULT};
#endif // !defined(OS_ANDROID)
// Controls whether the Spectre variant 2 mitigation is enabled. We use a USE
// flag on some Chrome OS boards to disable the mitigation by disabling this
// feature in exchange for system performance.
const base::Feature kSpectreVariant2Mitigation{
"SpectreVariant2Mitigation", base::FEATURE_ENABLED_BY_DEFAULT};
// An override for the Spectre variant 2 default behavior. Security sensitive
// users can enable this feature to ensure that the mitigation is always
// enabled.
const base::Feature kForceSpectreVariant2Mitigation{
"ForceSpectreVariant2Mitigation", base::FEATURE_DISABLED_BY_DEFAULT};
} // namespace features
} // namespace policy
} // namespace sandbox