Bug 1796391 - Always init signed policy rules r=bobowen

Differential Revision: https://phabricator.services.mozilla.com/D159802
2022-10-20 14:19:33 +00:00 · 2022-10-20 14:19:33 +00:00 · 475f354462
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc
+++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc
@ -805,7 +805,7 @@ ResultCode PolicyBase::AddRuleInternal(SubSystem subsystem,
      // consistency.
      if (base::win::GetVersion() >= base::win::Version::WIN10_TH2) {
        DCHECK_EQ(MITIGATION_FORCE_MS_SIGNED_BINS,
-                  mitigations_ & MITIGATION_FORCE_MS_SIGNED_BINS)
+                  (mitigations_ & MITIGATION_FORCE_MS_SIGNED_BINS) | (delayed_mitigations_ & MITIGATION_FORCE_MS_SIGNED_BINS))
            << "Enable MITIGATION_FORCE_MS_SIGNED_BINS before adding signed "
               "policy rules.";
        if (!SignedPolicy::GenerateRules(pattern, semantics, policy_maker_)) {
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@ -1339,13 +1339,6 @@ bool SandboxBroker::SetSecurityLevelForUtilityProcess(
  result = mPolicy->SetProcessMitigations(mitigations);
  SANDBOX_ENSURE_SUCCESS(result, "Invalid flags for SetProcessMitigations.");

-  if (exceptionModules.isSome()) {
-    // This needs to be called after MITIGATION_FORCE_MS_SIGNED_BINS is set
-    // because of DCHECK in PolicyBase::AddRuleInternal.
-    result = InitSignedPolicyRulesToBypassCig(mPolicy, exceptionModules.ref());
-    SANDBOX_ENSURE_SUCCESS(result, "Failed to initialize signed policy rules.");
-  }
-
  // Win32k lockdown might not work on earlier versions
  // Bug 1719212, 1769992
  if (IsWin10FallCreatorsUpdateOrLater()
@ -1389,6 +1382,17 @@ bool SandboxBroker::SetSecurityLevelForUtilityProcess(
  SANDBOX_ENSURE_SUCCESS(result,
                         "Invalid flags for SetDelayedProcessMitigations.");

+  // This needs to be called after MITIGATION_FORCE_MS_SIGNED_BINS is set
+  // because of DCHECK in PolicyBase::AddRuleInternal.
+  if (exceptionModules.isSome()) {
+    result = InitSignedPolicyRulesToBypassCig(mPolicy, exceptionModules.ref());
+    SANDBOX_ENSURE_SUCCESS(result, "Failed to initialize signed policy rules.");
+  } else {
+    const Vector<const wchar_t*> emptyVector;
+    result = InitSignedPolicyRulesToBypassCig(mPolicy, emptyVector);
+    SANDBOX_ENSURE_SUCCESS(result, "Failed to initialize signed policy rules.");
+  }
+
  // Add the policy for the client side of a pipe. It is just a file
  // in the \pipe\ namespace. We restrict it to pipes that start with
  // "chrome." so the sandboxed process cannot connect to system services.