From 04a22e2232e5ca03bf65cd5d6727e4d96bba8311 Mon Sep 17 00:00:00 2001
From: Bob Owen
Date: Thu, 6 Jul 2023 13:35:56 +0000
Subject: [PATCH] Bug 1434282: Use MITIGATION_IMAGE_LOAD_NO_REMOTE/LOW_LABEL for all sandboxed child processes. r=handyman When running from a network drive we have to remove these mitigations, otherwise the loading of our own DLLs will fail. This also removes the custom mitigations list for the WMF CDM utility sandbox, because the only difference was MITIGATION_IMAGE_LOAD_PREFER_SYS32, which should not cause any issues. Depends on D182486 Differential Revision: https://phabricator.services.mozilla.com/D182561
---
 .../win/src/sandboxbroker/sandboxBroker.cpp | 43 +++++++++++--------
 1 file changed, 24 insertions(+), 19 deletions(-)
diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
index da600253a15a..0c908b133131 100644
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -277,6 +277,18 @@ Result SandboxBroker::LaunchApp(
 mPolicy->SetStdoutHandle(::GetStdHandle(STD_OUTPUT_HANDLE));
 mPolicy->SetStderrHandle(::GetStdHandle(STD_ERROR_HANDLE));
+ // If we're running from a network drive then we can't block loading from
+ // remote locations. Strangely using MITIGATION_IMAGE_LOAD_NO_LOW_LABEL in
+ // this situation also means the process fails to start (bug 1423296).
+ if (sRunningFromNetworkDrive) {
+ sandbox::MitigationFlags mitigations = mPolicy->GetProcessMitigations();
+ mitigations &= ~(sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+ sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL);
+ MOZ_RELEASE_ASSERT(
+ mPolicy->SetProcessMitigations(mitigations) == sandbox::SBOX_ALL_OK,
+ "Setting the reduced set of flags should always succeed");
+ }
+
 // If logging enabled, set up the policy.
 if (aEnableLogging) {
 ApplyLoggingPolicy();
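Review bot: The strip in LaunchApp hard-codes the same two flags that each SetSecurityLevelFor* site now ORs in, so the add and the strip can drift apart the next time an image-load flag is introduced; a shared constant keeps them in lockstep, e.g. `constexpr sandbox::MitigationFlags kImageLoadMitigations = sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE | sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL;` used here as `mitigations &= ~kImageLoadMitigations;` and at the six insertion sites. The strip also only rewrites the set returned by GetProcessMitigations(); if either flag ever ended up in the delayed set (the file does carry an mDelayedMitigations member), it would survive this block — presumably not the case today, but worth a comment on the `if (sRunningFromNetworkDrive)` line. Running from a network drive now silently lowers the mitigation set for every child process type, which makes this block a natural place to emit a line through the existing sandbox logging so a reduced policy is recognisable in diagnostics. This relies on the SetSecurityLevelFor* call having run before LaunchApp, which the hunk does not show; LaunchApp begins before and continues after it.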
@@ -943,6 +955,8 @@ void SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
 sandbox::MITIGATION_BOTTOM_UP_ASLR | sandbox::MITIGATION_HEAP_TERMINATE | sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
+ sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+ sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
 sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32;
 #if defined(_M_ARM64)
@@ -952,16 +966,6 @@ void SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
 }
 #endif
- if (aSandboxLevel > 3) {
- // If we're running from a network drive then we can't block loading from
- // remote locations. Strangely using MITIGATION_IMAGE_LOAD_NO_LOW_LABEL in
- // this situation also means the process fails to start (bug 1423296).
- if (!sRunningFromNetworkDrive) {
- mitigations |= sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
- sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL;
- }
- }
-
 if (StaticPrefs::security_sandbox_content_shadow_stack_enabled()) {
 mitigations |= sandbox::MITIGATION_CET_COMPAT_MODE;
 }
@@ -1184,7 +1188,8 @@ void SandboxBroker::SetSecurityLevelForGPUProcess(int32_t aSandboxLevel) {
 sandbox::MitigationFlags mitigations = sandbox::MITIGATION_BOTTOM_UP_ASLR | sandbox::MITIGATION_HEAP_TERMINATE | sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_DEP_NO_ATL_THUNK |
- sandbox::MITIGATION_DEP;
+ sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+ sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | sandbox::MITIGATION_DEP;
 if (StaticPrefs::security_sandbox_gpu_shadow_stack_enabled()) {
 mitigations |= sandbox::MITIGATION_CET_COMPAT_MODE;
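Review bot: In the SetSecurityLevelForGPUProcess hunk the two new flags are spliced between MITIGATION_DEP_NO_ATL_THUNK and MITIGATION_DEP, splitting the DEP pair that every other site in this patch keeps adjacent; keeping one placement across the process types makes the per-process flag lists comparable by eye when auditing which hardening each child gets. For the GPU case that would read `sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP |` / `sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |` / `sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL;`. With the level-gated block removed from SetSecurityLevelForContentProcess, nothing at these add sites (nor at the RDD, socket, utility and GMP ones) records that the flags can be dropped again at launch, so a reader will take them as unconditional; a one-line comment at the first add site, `// Removed again in LaunchApp when running from a network drive.`, closes that gap. Both functions start before and continue after these hunks.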
@@ -1290,6 +1295,8 @@ bool SandboxBroker::SetSecurityLevelForRDDProcess() {
 sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE | sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP | sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
+ sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+ sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
 sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32;
 if (StaticPrefs::security_sandbox_rdd_shadow_stack_enabled()) {
@@ -1395,6 +1402,8 @@ bool SandboxBroker::SetSecurityLevelForSocketProcess() {
 sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE | sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP | sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
+ sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+ sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
 sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32;
 if (StaticPrefs::security_sandbox_socket_shadow_stack_enabled()) {
@@ -1475,6 +1484,8 @@ struct UtilitySandboxProps {
 sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE | sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP | sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
+ sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+ sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
 sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32 | sandbox::MITIGATION_CET_COMPAT_MODE;
@@ -1548,14 +1559,6 @@ struct UtilityMfMediaEngineCdmSandboxProps : public UtilitySandboxProps {
 };
 }
 mUseWin32kLockdown = false;
- mInitialMitigations =
- sandbox::MITIGATION_BOTTOM_UP_ASLR |
- sandbox::MITIGATION_HEAP_TERMINATE | sandbox::MITIGATION_SEHOP |
- sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
- sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP |
- sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
- sandbox::MITIGATION_CET_COMPAT_MODE;
-
 mDelayedMitigations = sandbox::MITIGATION_DLL_SEARCH_ORDER;
 }
 };
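Review bot: After the deletion in UtilityMfMediaEngineCdmSandboxProps the constructor no longer says how the CDM sandbox differs from the base, so a reader sees only `mUseWin32kLockdown = false;` and the delayed-mitigation assignment and has to diff against UtilitySandboxProps to learn that the CDM now inherits the full base initial set, including MITIGATION_IMAGE_LOAD_PREFER_SYS32, which the removed list did not contain. A short comment on the line after `mUseWin32kLockdown = false;` would record that: `// Initial mitigations are inherited from UtilitySandboxProps (now including MITIGATION_IMAGE_LOAD_PREFER_SYS32); only win32k lockdown and the delayed set are overridden here.` Whether the base enables win32k lockdown by default is not visible in this hunk, so that wording should be checked against the base struct. The constructor opens before the hunk and the struct's remaining members are outside it.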
@@ -1800,6 +1803,8 @@ bool SandboxBroker::SetSecurityLevelForGMPlugin(SandboxLevel aLevel,
 sandbox::MITIGATION_BOTTOM_UP_ASLR | sandbox::MITIGATION_HEAP_TERMINATE | sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE | sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
+ sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+ sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
 sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP;
 if (StaticPrefs::security_sandbox_gmp_shadow_stack_enabled()) {