Bug 1569139: Add a static pref to enable win32k lockdown in the Windows content process sandbox policy. r=aklotz

Differential Revision: https://phabricator.services.mozilla.com/D39870

--HG--
extra : moz-landing-system : lando

modules/libpref/init/StaticPrefList.yaml

@@ -5720,6 +5720,15 @@
   value: true
   mirror: always
 
+#if defined(XP_WIN) && defined(MOZ_SANDBOX)
+# Whether win32k is disabled for content processes.
+# true means win32k system calls are not permitted.
+- name: security.sandbox.content.win32k-disable
+  type: RelaxedAtomicBool
+  value: false
+  mirror: always
+#endif
+
 # Hardware Origin-bound Second Factor Support
 - name: security.webauth.webauthn
   type: bool

security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp

@@ -15,6 +15,7 @@
 #include "mozilla/Logging.h"
 #include "mozilla/NSPRLogModulesParser.h"
 #include "mozilla/Preferences.h"
+#include "mozilla/StaticPrefs_security.h"
 #include "mozilla/UniquePtr.h"
 #include "mozilla/Telemetry.h"
 #include "mozilla/WindowsVersion.h"
@@ -509,6 +510,14 @@ void SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
     mPolicy->SetLockdownDefaultDacl();
   }
 
+  if (aSandboxLevel > 4) {
+    result = mPolicy->SetAlternateDesktop(false);
+    if (NS_WARN_IF(result != sandbox::SBOX_ALL_OK)) {
+      LOG_W("SetAlternateDesktop failed, result: %i, last error: %x", result,
+            ::GetLastError());
+    }
+  }
+
   sandbox::MitigationFlags mitigations =
       sandbox::MITIGATION_BOTTOM_UP_ASLR | sandbox::MITIGATION_HEAP_TERMINATE |
       sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_DEP_NO_ATL_THUNK |
@@ -522,14 +531,6 @@ void SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
   }
 #endif
 
-  if (aSandboxLevel > 4) {
-    result = mPolicy->SetAlternateDesktop(false);
-    if (NS_WARN_IF(result != sandbox::SBOX_ALL_OK)) {
-      LOG_W("SetAlternateDesktop failed, result: %i, last error: %x", result,
-            ::GetLastError());
-    }
-  }
-
   if (aSandboxLevel > 3) {
     // If we're running from a network drive then we can't block loading from
     // remote locations. Strangely using MITIGATION_IMAGE_LOAD_NO_LOW_LABEL in
@@ -540,6 +541,18 @@ void SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
     }
   }
 
+  // On Windows 7, where Win32k lockdown is not supported, the Chromium
+  // sandbox does something weird that breaks COM instantiation.
+  if (StaticPrefs::security_sandbox_content_win32k_disable() &&
+      IsWin8OrLater()) {
+    mitigations |= sandbox::MITIGATION_WIN32K_DISABLE;
+    result =
+        mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN,
+                         sandbox::TargetPolicy::FAKE_USER_GDI_INIT, nullptr);
+    MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
+                       "Failed to set FAKE_USER_GDI_INIT policy.");
+  }
+
   result = mPolicy->SetProcessMitigations(mitigations);
   MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
                      "Invalid flags for SetProcessMitigations.");