Win: Add feature to turn on KTM Component mitigation.

This change turns on KTM Component mitigation which will be available in an upcoming Windows Release.

Bug: 1172573
Change-Id: Id6defc2e774246f9e854ff9fc8ef3c7fa07f61b4
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2674135
Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: Emily Andrews <emiled@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#850830}

sandbox/policy/features.cc

@@ -19,6 +19,11 @@ const base::Feature kNetworkServiceSandbox{"NetworkServiceSandbox",
 #endif  // !defined(OS_MAC)
 
 #if defined(OS_WIN)
+// Emergency "off switch" for new Windows KTM security mitigation,
+// sandbox::MITIGATION_KTM_COMPONENT.
+const base::Feature kWinSboxDisableKtmComponent{
+    "WinSboxDisableKtmComponent", base::FEATURE_ENABLED_BY_DEFAULT};
+
 // Emergency "off switch" for new Windows sandbox security mitigation,
 // sandbox::MITIGATION_EXTENSION_POINT_DISABLE.
 const base::Feature kWinSboxDisableExtensionPoints{

sandbox/policy/features.h

@@ -22,6 +22,7 @@ SANDBOX_POLICY_EXPORT extern const base::Feature kNetworkServiceSandbox;
 #endif
 
 #if defined(OS_WIN)
+SANDBOX_POLICY_EXPORT extern const base::Feature kWinSboxDisableKtmComponent;
 SANDBOX_POLICY_EXPORT extern const base::Feature kWinSboxDisableExtensionPoints;
 SANDBOX_POLICY_EXPORT extern const base::Feature kGpuAppContainer;
 SANDBOX_POLICY_EXPORT extern const base::Feature kGpuLPAC;

sandbox/policy/win/sandbox_win.cc

@@ -975,6 +975,9 @@ ResultCode SandboxWin::StartSandboxedProcess(
       MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
       MITIGATION_RESTRICT_INDIRECT_BRANCH_PREDICTION;
 
+  if (base::FeatureList::IsEnabled(features::kWinSboxDisableKtmComponent))
+    mitigations |= MITIGATION_KTM_COMPONENT;
+
   if (sandbox_type == SandboxType::kRenderer &&
       !base::FeatureList::IsEnabled(sandbox::policy::kCetForRenderer)) {
     mitigations |= sandbox::MITIGATION_CET_DISABLED;