Bug 1434282: Use MITIGATION_IMAGE_LOAD_NO_REMOTE/LOW_LABEL for all sandboxed child processes. r=handyman

When running from a network drive we have to remove these mitigations, otherwise
the loading of our own DLLs will fail.
This also removes the custom mitigations list for the WMF CDM utility sandbox,
because the only difference was MITIGATION_IMAGE_LOAD_PREFER_SYS32, which should
not cause any issues.

Depends on D182486

Differential Revision: https://phabricator.services.mozilla.com/D182561

security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp

@@ -277,6 +277,18 @@ Result<Ok, mozilla::ipc::LaunchError> SandboxBroker::LaunchApp(
   mPolicy->SetStdoutHandle(::GetStdHandle(STD_OUTPUT_HANDLE));
   mPolicy->SetStderrHandle(::GetStdHandle(STD_ERROR_HANDLE));
 
+  // If we're running from a network drive then we can't block loading from
+  // remote locations. Strangely using MITIGATION_IMAGE_LOAD_NO_LOW_LABEL in
+  // this situation also means the process fails to start (bug 1423296).
+  if (sRunningFromNetworkDrive) {
+    sandbox::MitigationFlags mitigations = mPolicy->GetProcessMitigations();
+    mitigations &= ~(sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+                     sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL);
+    MOZ_RELEASE_ASSERT(
+        mPolicy->SetProcessMitigations(mitigations) == sandbox::SBOX_ALL_OK,
+        "Setting the reduced set of flags should always succeed");
+  }
+
   // If logging enabled, set up the policy.
   if (aEnableLogging) {
     ApplyLoggingPolicy();
@@ -943,6 +955,8 @@ void SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
       sandbox::MITIGATION_BOTTOM_UP_ASLR | sandbox::MITIGATION_HEAP_TERMINATE |
       sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_DEP_NO_ATL_THUNK |
       sandbox::MITIGATION_DEP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
+      sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+      sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
       sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32;
 
 #if defined(_M_ARM64)
@@ -952,16 +966,6 @@ void SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
   }
 #endif
 
-  if (aSandboxLevel > 3) {
-    // If we're running from a network drive then we can't block loading from
-    // remote locations. Strangely using MITIGATION_IMAGE_LOAD_NO_LOW_LABEL in
-    // this situation also means the process fails to start (bug 1423296).
-    if (!sRunningFromNetworkDrive) {
-      mitigations |= sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
-                     sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL;
-    }
-  }
-
   if (StaticPrefs::security_sandbox_content_shadow_stack_enabled()) {
     mitigations |= sandbox::MITIGATION_CET_COMPAT_MODE;
   }
@@ -1184,7 +1188,8 @@ void SandboxBroker::SetSecurityLevelForGPUProcess(int32_t aSandboxLevel) {
   sandbox::MitigationFlags mitigations =
       sandbox::MITIGATION_BOTTOM_UP_ASLR | sandbox::MITIGATION_HEAP_TERMINATE |
       sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_DEP_NO_ATL_THUNK |
-      sandbox::MITIGATION_DEP;
+      sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+      sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | sandbox::MITIGATION_DEP;
 
   if (StaticPrefs::security_sandbox_gpu_shadow_stack_enabled()) {
     mitigations |= sandbox::MITIGATION_CET_COMPAT_MODE;
@@ -1290,6 +1295,8 @@ bool SandboxBroker::SetSecurityLevelForRDDProcess() {
       sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
       sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP |
       sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
+      sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+      sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
       sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32;
 
   if (StaticPrefs::security_sandbox_rdd_shadow_stack_enabled()) {
@@ -1395,6 +1402,8 @@ bool SandboxBroker::SetSecurityLevelForSocketProcess() {
       sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
       sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP |
       sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
+      sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+      sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
       sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32;
 
   if (StaticPrefs::security_sandbox_socket_shadow_stack_enabled()) {
@@ -1475,6 +1484,8 @@ struct UtilitySandboxProps {
       sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
       sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP |
       sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
+      sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+      sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
       sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32 |
       sandbox::MITIGATION_CET_COMPAT_MODE;
 
@@ -1548,14 +1559,6 @@ struct UtilityMfMediaEngineCdmSandboxProps : public UtilitySandboxProps {
       };
     }
     mUseWin32kLockdown = false;
-    mInitialMitigations =
-        sandbox::MITIGATION_BOTTOM_UP_ASLR |
-        sandbox::MITIGATION_HEAP_TERMINATE | sandbox::MITIGATION_SEHOP |
-        sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
-        sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP |
-        sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
-        sandbox::MITIGATION_CET_COMPAT_MODE;
-
     mDelayedMitigations = sandbox::MITIGATION_DLL_SEARCH_ORDER;
   }
 };
@@ -1800,6 +1803,8 @@ bool SandboxBroker::SetSecurityLevelForGMPlugin(SandboxLevel aLevel,
       sandbox::MITIGATION_BOTTOM_UP_ASLR | sandbox::MITIGATION_HEAP_TERMINATE |
       sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
       sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
+      sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+      sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
       sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP;
 
   if (StaticPrefs::security_sandbox_gmp_shadow_stack_enabled()) {