Bug 1595994 - PE: Loosen RDD sandbox. r=bobowen

For performant video decoding we need access to DXGI/D3D11 similarly to GPU process. Depends on D54883 Differential Revision: https://phabricator.services.mozilla.com/D56856
2020-10-20 23:27:00 +00:00 · 2020-10-20 23:27:00 +00:00 · b47c6221dd
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@ -9296,7 +9296,7 @@
  # true means that win32k system calls are not permitted.
 -   name: security.sandbox.rdd.win32k-disable
    type: RelaxedAtomicBool
-    value: true
+    value: false
    mirror: always

  # Note: win32k is currently _not_ disabled for GMP due to intermittent test
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@ -867,7 +867,7 @@ bool SandboxBroker::SetSecurityLevelForRDDProcess() {
      "SetJobLevel should never fail with these arguments, what happened?");

  result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
-                                  sandbox::USER_LOCKDOWN);
+                                  sandbox::USER_LIMITED);
  SANDBOX_ENSURE_SUCCESS(
      result,
      "SetTokenLevel should never fail with these arguments, what happened?");
@ -884,7 +884,7 @@ bool SandboxBroker::SetSecurityLevelForRDDProcess() {
                         "arguments, what happened?");

  result =
-      mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
+      mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
  SANDBOX_ENSURE_SUCCESS(result,
                         "SetDelayedIntegrityLevel should never fail with "
                         "these arguments, what happened?");
@ -907,10 +907,13 @@ bool SandboxBroker::SetSecurityLevelForRDDProcess() {
  }

  mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
-                sandbox::MITIGATION_DYNAMIC_CODE_DISABLE |
                sandbox::MITIGATION_DLL_SEARCH_ORDER |
                sandbox::MITIGATION_FORCE_MS_SIGNED_BINS;

+#if defined(_WIN64)
+  mitigations |= sandbox::MITIGATION_DYNAMIC_CODE_DISABLE;
+#endif
+
  result = mPolicy->SetDelayedProcessMitigations(mitigations);
  SANDBOX_ENSURE_SUCCESS(result,
                         "Invalid flags for SetDelayedProcessMitigations.");