Issue 920727

Issue metadata

Status: Unconfirmed
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug
Proj-Servicification

Blocking: issue 598073


Block third party DLLs from network utility process

Project Member Reported by jam@chromium.org, Jan 10

Issue description

When the network service is enabled, we run networking in a utility process.

AFAIK we don't block third party DLLs in unsandboxed utility processes. How would we enable this blocking (short of sandboxing, which we want to do, but it's not immediate)?

Cc: pmonette@chromium.org wfh@chromium.org
I am definitely not an expert, but this is how it seems to be done in the sandbox code.

https://cs.chromium.org/chromium/src/sandbox/win/src/process_mitigations.cc?type=cs&q=PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY&sq=package:chromium&g=0&l=234

Just set the process mitigation policy somewhere after startup, when you are sure that all the Chrome DLLs you need are loaded.

The utility process used for the network service isn't sandboxed; does that make a difference?

If it's launching through the sandbox launcher (which I thought it was, since it applied a job object) then you can apply policies, but if it's launching through base::process then it's harder...

Hey Will,

The documentation doesn't seem to make any reference to a precondition to using the API.

https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy

The spawned process can just call SetProcessMitigationPolicy() itself any time they want.

Shouldn't you be able to simply use these 3 lines of code to make it work?

#include <windows.h>

// Opt this process into loading only Microsoft-signed images from here on.
PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY policy = {};
policy.MicrosoftSignedOnly = true;
// Returns FALSE (see GetLastError()) if the policy could not be applied.
::SetProcessMitigationPolicy(ProcessSignaturePolicy, &policy, sizeof(policy));

Yes, sorry if I did not make myself clear.

Although the network process is running "unsandboxed", it is still being launched by the sandbox broker (just with a very unrestrictive policy).

The point I made in #4 was, if this is still true (and looking at the code it appears it still is - see NetworkPreSpawnTarget) then it would just be a matter of setting the policy there.

If it's not being launched by sandbox code, e.g. the process is running "unsandboxed" from the perspective of mojo manifest files, then it's being launched by base::launchprocess as here -> https://cs.chromium.org/chromium/src/services/service_manager/sandbox/win/sandbox_win.cc?l=882

It does appear to use sandbox though, so the correct place to add this policy would be NetworkPreSpawnTarget, and not by calling the Windows APIs directly as in #5, but by adding SetDelayedProcessMitigations(MITIGATION_FORCE_MS_SIGNED_BINS) to the policy object.
Labels: Needs-Milestone
Components: Internals>Services>Network
Labels: Hotlist-KnownIssue
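
As an added example (not code from this issue or from Chromium), the following PowerShell check lets a defender verify that the policy discussed above is actually in effect on a running network utility process: it reads the process's PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY through GetProcessMitigationPolicy and reports the MicrosoftSignedOnly and audit bits. It assumes the network service process can be identified by the --utility-sub-type=network.mojom.NetworkService command-line switch, which the issue itself does not mention.

```powershell
# Added example: check whether Chrome's network-service utility process has the
# binary signature policy (MicrosoftSignedOnly) applied. Run as the same user that
# owns the Chrome processes, or elevated.
$kernel32 = Add-Type -Namespace 'Win32Check' -Name 'Kernel32' -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessMitigationPolicy(IntPtr hProcess, int MitigationPolicy, ref uint lpBuffer, IntPtr dwLength);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ProcessSignaturePolicy = 8   # PROCESS_MITIGATION_POLICY value for the binary signature policy

function Get-SignaturePolicyFlags {
    param([Parameter(Mandatory)][uint32]$ProcessId)
    $handle = $kernel32::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($handle -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        # PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY is a 4-byte union of bit flags:
        # bit 0 = MicrosoftSignedOnly (block), bit 3 = AuditMicrosoftSignedOnly (log only).
        [uint32]$flags = 0
        $ok = $kernel32::GetProcessMitigationPolicy($handle, $ProcessSignaturePolicy, [ref]$flags, [IntPtr]4)
        if (-not $ok) {
            throw "GetProcessMitigationPolicy($ProcessId) failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        return [pscustomobject]@{
            ProcessId                = $ProcessId
            MicrosoftSignedOnly      = (($flags -band 0x1) -ne 0)
            AuditMicrosoftSignedOnly = (($flags -band 0x8) -ne 0)
        }
    }
    finally {
        [void]$kernel32::CloseHandle($handle)
    }
}

# Assumed identification of the network service: Chrome's utility process launched
# with --utility-sub-type=network.mojom.NetworkService (not stated in the issue).
$networkProcesses = Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" |
    Where-Object { $_.CommandLine -like '*--utility-sub-type=network.mojom.NetworkService*' }

if (-not $networkProcesses) { Write-Warning 'No Chrome network-service process found.' }
$networkProcesses | ForEach-Object { Get-SignaturePolicyFlags -ProcessId $_.ProcessId } | Format-Table -AutoSize
```

A process that shows MicrosoftSignedOnly = False still loads any DLL that can be injected into it, so this is the state the issue is asking to change; the audit flag indicates the policy is only logging, not blocking.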