Bug 1769845 p1: Use command line to pass whether win32k is locked down in policy. r=handyman

Differential Revision: https://phabricator.services.mozilla.com/D146930
2022-05-23 07:53:41 +00:00 · 2022-05-23 07:53:41 +00:00 · b48aea26d9
--- a/browser/app/nsBrowserApp.cpp
+++ b/browser/app/nsBrowserApp.cpp
@ -27,8 +27,10 @@
 #  include "mozilla/PreXULSkeletonUI.h"
 #  include "freestanding/SharedSection.h"
 #  include "LauncherProcessWin.h"
+#  include "mozilla/GeckoArgs.h"
 #  include "mozilla/WindowsDllBlocklist.h"
 #  include "mozilla/WindowsDpiInitialization.h"
+#  include "mozilla/WindowsProcessMitigations.h"

 #  define XRE_WANT_ENVIRON
 #  define strcasecmp _stricmp
@ -298,6 +300,15 @@ int main(int argc, char* argv[], char* envp[]) {
                            eDllBlocklistInitFlagIsChildProcess);
 #  endif
 #  if defined(XP_WIN) && defined(MOZ_SANDBOX)
+    // We need to set whether our process is supposed to have win32k locked down
+    // from the command line setting before GetInitializedTargetServices and
+    // WindowsDpiInitialization.
+    Maybe<bool> win32kLockedDown =
+        mozilla::geckoargs::sWin32kLockedDown.Get(argc, argv);
+    if (win32kLockedDown.isSome() && *win32kLockedDown) {
+      mozilla::SetWin32kLockedDownInPolicy();
+    }
+
    // We need to initialize the sandbox TargetServices before InitXPCOMGlue
    // because we might need the sandbox broker to give access to some files.
    if (IsSandboxedProcess() && !sandboxing::GetInitializedTargetServices()) {
@ -309,8 +320,6 @@ int main(int argc, char* argv[], char* envp[]) {
    // Ideally, we would be able to set our DPI awareness in
    // firefox.exe.manifest Unfortunately, that would cause Win32k calls when
    // user32.dll gets loaded, which would be incompatible with Win32k Lockdown
-    // We need to call this after GetInitializedTargetServices because it can
-    // affect the detection of the win32k lockdown status.
    //
    // MSDN says that it's allowed-but-not-recommended to initialize DPI
    // programatically, as long as it's done before any HWNDs are created.
--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@ -1463,6 +1463,11 @@ bool WindowsProcessLauncher::DoSetup() {
         ++it) {
      mResults.mSandboxBroker->AllowReadFile(it->c_str());
    }
+
+    if (mResults.mSandboxBroker->IsWin32kLockedDown()) {
+      mCmdLine->AppendLooseValue(
+          UTF8ToWide(geckoargs::sWin32kLockedDown.Name()));
+    }
  }
 #  endif  // defined(MOZ_SANDBOX)

--- a/security/sandbox/win/SandboxInitialization.cpp
+++ b/security/sandbox/win/SandboxInitialization.cpp
@ -13,10 +13,6 @@
 #include "mozilla/sandboxing/permissionsService.h"
 #include "mozilla/WindowsProcessMitigations.h"

-namespace sandbox {
-extern "C" MitigationFlags g_shared_mitigations;
-}
-
 namespace mozilla {
 namespace sandboxing {

@ -134,12 +130,6 @@ static sandbox::TargetServices* InitializeTargetServices() {
  // This might disable the verifier, so we want to do it before it is used.
  InitializeHandleVerifier();

-  // This needs to be set before anything calls IsWin32kLockedDown, which
-  // EnableApiQueryInterception does.
-  if (sandbox::g_shared_mitigations & sandbox::MITIGATION_WIN32K_DISABLE) {
-    SetWin32kLockedDownInPolicy();
-  }
-
  EnableApiQueryInterception();

  sandbox::TargetServices* targetServices =
--- a/security/sandbox/win/src/remotesandboxbroker/remoteSandboxBroker.h
+++ b/security/sandbox/win/src/remotesandboxbroker/remoteSandboxBroker.h
@ -46,6 +46,8 @@ class RemoteSandboxBroker : public AbstractSandboxBroker {
  bool AllowReadFile(wchar_t const* file) override;
  void AddHandleToShare(HANDLE aHandle) override;

+  bool IsWin32kLockedDown() final { return false; };
+
 private:
  virtual ~RemoteSandboxBroker();

--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@ -1622,6 +1622,10 @@ void SandboxBroker::AddHandleToShare(HANDLE aHandle) {
  mPolicy->AddHandleToShare(aHandle);
 }

+bool SandboxBroker::IsWin32kLockedDown() {
+  return mPolicy->GetProcessMitigations() & sandbox::MITIGATION_WIN32K_DISABLE;
+}
+
 void SandboxBroker::ApplyLoggingPolicy() {
  MOZ_ASSERT(mPolicy);

--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
@ -65,6 +65,11 @@ class AbstractSandboxBroker {
   */
  virtual void AddHandleToShare(HANDLE aHandle) = 0;

+  /**
+   * @return true if policy has win32k locked down, otherwise false
+   */
+  virtual bool IsWin32kLockedDown() = 0;
+
 protected:
  virtual ~AbstractSandboxBroker() {}
 };
@ -120,6 +125,8 @@ class SandboxBroker : public AbstractSandboxBroker {
   */
  void AddHandleToShare(HANDLE aHandle) override;

+  bool IsWin32kLockedDown() final;
+
  // Set up dummy interceptions via the broker, so we can log calls.
  void ApplyLoggingPolicy();

--- a/toolkit/xre/GeckoArgs.h
+++ b/toolkit/xre/GeckoArgs.h
@ -129,10 +129,16 @@ static CommandLineArg<bool> sSafeMode{"-safeMode", "safemode"};
 static CommandLineArg<bool> sIsForBrowser{"-isForBrowser", "isforbrowser"};
 static CommandLineArg<bool> sNotForBrowser{"-notForBrowser", "notforbrowser"};

-#if defined(XP_WIN) && defined(ACCESSIBILITY)
+#if defined(XP_WIN)
+#  if defined(MOZ_SANDBOX)
+static CommandLineArg<bool> sWin32kLockedDown{"-win32kLockedDown",
+                                              "win32klockeddown"};
+#  endif  // defined(MOZ_SANDBOX)
+#  if defined(ACCESSIBILITY)
 static CommandLineArg<uint64_t> sA11yResourceId{"-a11yResourceId",
                                                "a11yresourceid"};
-#endif  // defined(XP_WIN) && defined(ACCESSIBILITY)
+#  endif  // defined(ACCESSIBILITY)
+#endif    // defined(XP_WIN) && defined(ACCESSIBILITY)

 #if defined(__GNUC__)
 #  pragma GCC diagnostic pop