mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1639030 - Part 1: Update with_update and after_update patches. r=bobowen 

This commit updates files under security/sandbox/chromium-shim/patches/
to prepare our codebase for Chromium sandbox update.  See patch files for
the details of each patch.

This also removes the following patches from with_update no longer needed.

1) update_chromium_linux_x86_syscalls.patch is included in
   b4f3df4e77
2) ifdef_out_ApplyMitigationsToCurrentThread.patch cannot be used because
   we use ApplyMitigationsToCurrentThread since the following commit.
   4bed2eb502
3) mingw_base_win_get_caller.patch is included in
   d8b73eb8f0
4) fix_incorrect_int_use_in_Kernel32BaseVersion.patch is fixed by
   https://hg.mozilla.org/mozilla-central/rev/dc9d71fb3bac807a37dbfba35d609ac4ffff1980
5) revert_removal_of_AlterEnvironment_on_Windows.patch is altered by adding
   environment_internal.h/cc as a different commit.
6) mingw_undefine_MemoryBarrier.patch is no longer needed as
   base::subtle::MemoryBarrier was removed by
   bdbaaf4e7e
7) public_siginfo_fields.patch is included in
   6bd491daaf

Differential Revision: https://phabricator.services.mozilla.com/D79558
This commit is contained in:
Toshihito Kikuchi 2020-07-08 12:54:18 +00:00
Родитель 7c8221e962
Коммит b7f3f014fe
35 изменённых файлов: 1382 добавлений и 2802 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
security/sandbox/chromium-shim/patches/after_update/add_WOW64_flags_to_allowed_registry_read_flags.patch
Просмотреть файл

@ -30,5 +30,5 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/registry_policy.cc b/secu
// |access| with the new value.
NTSTATUS TranslateMaximumAllowed(OBJECT_ATTRIBUTES* obj_attributes,
DWORD* access) {
NtOpenKeyFunction NtOpenKey = NULL;
NtOpenKeyFunction NtOpenKey = nullptr;
ResolveNTFunctionPtr("NtOpenKey", &NtOpenKey);

66
security/sandbox/chromium-shim/patches/after_update/add_interception_logging.patch
Просмотреть файл

@ -132,7 +132,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c
break;
@@ -227,32 +246,39 @@ TargetNtQueryAttributesFile(NtQueryAttri
ResultCode code = CrossCall(ipc, IPC_NTQUERYATTRIBUTESFILE_TAG, name.get(),
ResultCode code = CrossCall(ipc, IpcTag::NTQUERYATTRIBUTESFILE, name.get(),
attributes, file_info, &answer);
if (SBOX_ALL_OK != code)
@ -173,7 +173,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c
break;
@@ -284,16 +310,20 @@ NTSTATUS WINAPI TargetNtQueryFullAttribu
CrossCallReturn answer = {0};
ResultCode code = CrossCall(ipc, IPC_NTQUERYFULLATTRIBUTESFILE_TAG,
ResultCode code = CrossCall(ipc, IpcTag::NTQUERYFULLATTRIBUTESFILE,
name.get(), attributes, file_info, &answer);
if (SBOX_ALL_OK != code)
@ -213,7 +213,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c
break;
@@ -366,14 +398,15 @@ TargetNtSetInformationFile(NtSetInformat
ResultCode code =
CrossCall(ipc, IPC_NTSETINFO_RENAME_TAG, file, io_status_buffer,
CrossCall(ipc, IpcTag::NTSETINFO_RENAME, file, io_status_buffer,
file_info_buffer, length, file_info_class, &answer);
if (SBOX_ALL_OK != code)
@ -249,7 +249,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/handle_interception.cc b/
DWORD desired_access,
DWORD options) {
@@ -29,17 +30,19 @@ ResultCode DuplicateHandleProxy(HANDLE s
ResultCode code = CrossCall(ipc, IPC_DUPLICATEHANDLEPROXY_TAG,
ResultCode code = CrossCall(ipc, IpcTag::DUPLICATEHANDLEPROXY,
source_handle, target_process_id,
desired_access, options, &answer);
if (SBOX_ALL_OK != code)
@ -652,6 +652,64 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/registry_interception.cc
}
} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/signed_interception.cc b/security/sandbox/chromium/sandbox/win/src/signed_interception.cc
--- a/security/sandbox/chromium/sandbox/win/src/signed_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/signed_interception.cc
@@ -9,16 +9,17 @@
#include "sandbox/win/src/crosscall_client.h"
#include "sandbox/win/src/ipc_tags.h"
#include "sandbox/win/src/policy_params.h"
#include "sandbox/win/src/policy_target.h"
#include "sandbox/win/src/sandbox_factory.h"
#include "sandbox/win/src/sandbox_nt_util.h"
#include "sandbox/win/src/sharedmem_ipc_client.h"
#include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
namespace sandbox {
NTSTATUS WINAPI
TargetNtCreateSection(NtCreateSectionFunction orig_CreateSection,
PHANDLE section_handle,
ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes,
@@ -37,16 +38,18 @@ TargetNtCreateSection(NtCreateSectionFun
break;
if (maximum_size)
break;
if (section_page_protection != PAGE_EXECUTE)
break;
if (allocation_attributes != SEC_IMAGE)
break;
+ mozilla::sandboxing::LogBlocked("NtCreateSection");
+
// IPC must be fully started.
void* memory = GetGlobalIPCMemory();
if (!memory)
break;
std::unique_ptr<wchar_t, NtAllocDeleter> path;
if (!NtGetPathFromHandle(file_handle, &path))
@@ -73,16 +76,17 @@ TargetNtCreateSection(NtCreateSectionFun
if (code != SBOX_ALL_OK)
break;
if (!NT_SUCCESS(answer.nt_status))
break;
__try {
*section_handle = answer.handle;
+ mozilla::sandboxing::LogAllowed("NtCreateSection");
return answer.nt_status;
} __except (EXCEPTION_EXECUTE_HANDLER) {
break;
}
} while (false);
// Fall back to the original API in all failure cases.
return orig_CreateSection(section_handle, desired_access, object_attributes,
diff --git a/security/sandbox/chromium/sandbox/win/src/sync_interception.cc b/security/sandbox/chromium/sandbox/win/src/sync_interception.cc
--- a/security/sandbox/chromium/sandbox/win/src/sync_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/sync_interception.cc

28
security/sandbox/chromium-shim/patches/after_update/allow_flash_temporary_files.patch
Просмотреть файл

@ -14,14 +14,14 @@ https://hg.mozilla.org/mozilla-central/rev/0f64b24c40c4
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
+++ b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
@@ -221,16 +221,25 @@ bool FilesystemDispatcher::NtQueryAttrib
@@ -213,16 +213,25 @@ bool FilesystemDispatcher::NtQueryAttrib
params[FileName::BROKER] = ParamPickerMake(broker);
// To evaluate the policy we need to call back to the policy object. We
// are just middlemen in the operation since is the FileSystemPolicy which
// knows what to do.
EvalResult result =
policy_base_->EvalPolicy(IPC_NTQUERYATTRIBUTESFILE_TAG, params.GetBase());
policy_base_->EvalPolicy(IpcTag::NTQUERYATTRIBUTESFILE, params.GetBase());
+ // If the policies forbid access (any result other than ASK_BROKER),
+ // then check for user-granted access to file.
@ -40,14 +40,14 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
information, &nt_status)) {
ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
return true;
@@ -261,16 +270,25 @@ bool FilesystemDispatcher::NtQueryFullAt
@@ -253,16 +262,25 @@ bool FilesystemDispatcher::NtQueryFullAt
params[FileName::BROKER] = ParamPickerMake(broker);
// To evaluate the policy we need to call back to the policy object. We
// are just middlemen in the operation since is the FileSystemPolicy which
// knows what to do.
EvalResult result = policy_base_->EvalPolicy(
IPC_NTQUERYFULLATTRIBUTESFILE_TAG, params.GetBase());
IpcTag::NTQUERYFULLATTRIBUTESFILE, params.GetBase());
+ // If the policies forbid access (any result other than ASK_BROKER),
+ // then check for user-granted access to file.
@ -66,14 +66,14 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
&nt_status)) {
ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
return true;
@@ -316,16 +334,26 @@ bool FilesystemDispatcher::NtSetInformat
@@ -306,16 +324,26 @@ bool FilesystemDispatcher::NtSetInformat
params[FileName::BROKER] = ParamPickerMake(broker);
// To evaluate the policy we need to call back to the policy object. We
// are just middlemen in the operation since is the FileSystemPolicy which
// knows what to do.
EvalResult result =
policy_base_->EvalPolicy(IPC_NTSETINFO_RENAME_TAG, params.GetBase());
policy_base_->EvalPolicy(IpcTag::NTSETINFO_RENAME, params.GetBase());
+ // If the policies forbid access (any result other than ASK_BROKER),
+ // then check for user-granted write access to file. We only permit
@ -96,7 +96,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
@@ -223,19 +223,16 @@ NTSTATUS WINAPI TargetNtQueryAttributesF
@@ -227,19 +227,16 @@ TargetNtQueryAttributesFile(NtQueryAttri
sizeof(FILE_BASIC_INFORMATION));
uint32_t broker = BROKER_FALSE;
@ -105,18 +105,18 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c
params[FileName::NAME] = ParamPickerMake(name_ptr);
params[FileName::BROKER] = ParamPickerMake(broker);
- if (!QueryBroker(IPC_NTQUERYATTRIBUTESFILE_TAG, params.GetBase()))
- if (!QueryBroker(IpcTag::NTQUERYATTRIBUTESFILE, params.GetBase()))
- break;
-
SharedMemIPCClient ipc(memory);
CrossCallReturn answer = {0};
ResultCode code = CrossCall(ipc, IPC_NTQUERYATTRIBUTESFILE_TAG, name.get(),
ResultCode code = CrossCall(ipc, IpcTag::NTQUERYATTRIBUTESFILE, name.get(),
attributes, file_info, &answer);
if (SBOX_ALL_OK != code)
break;
@@ -290,19 +287,16 @@ NTSTATUS WINAPI TargetNtQueryFullAttribu
@@ -292,19 +289,16 @@ NTSTATUS WINAPI TargetNtQueryFullAttribu
sizeof(FILE_NETWORK_OPEN_INFORMATION));
uint32_t broker = BROKER_FALSE;
@ -125,18 +125,18 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c
params[FileName::NAME] = ParamPickerMake(name_ptr);
params[FileName::BROKER] = ParamPickerMake(broker);
- if (!QueryBroker(IPC_NTQUERYFULLATTRIBUTESFILE_TAG, params.GetBase()))
- if (!QueryBroker(IpcTag::NTQUERYFULLATTRIBUTESFILE, params.GetBase()))
- break;
-
SharedMemIPCClient ipc(memory);
CrossCallReturn answer = {0};
ResultCode code = CrossCall(ipc, IPC_NTQUERYFULLATTRIBUTESFILE_TAG,
ResultCode code = CrossCall(ipc, IpcTag::NTQUERYFULLATTRIBUTESFILE,
name.get(), attributes, file_info, &answer);
if (SBOX_ALL_OK != code)
break;
@@ -369,19 +363,16 @@ NTSTATUS WINAPI TargetNtSetInformationFi
@@ -374,19 +368,16 @@ TargetNtSetInformationFile(NtSetInformat
break;
uint32_t broker = BROKER_FALSE;
@ -145,7 +145,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c
params[FileName::NAME] = ParamPickerMake(name_ptr);
params[FileName::BROKER] = ParamPickerMake(broker);
- if (!QueryBroker(IPC_NTSETINFO_RENAME_TAG, params.GetBase()))
- if (!QueryBroker(IpcTag::NTSETINFO_RENAME, params.GetBase()))
- break;
-
InOutCountedBuffer io_status_buffer(io_status, sizeof(IO_STATUS_BLOCK));

23
security/sandbox/chromium-shim/patches/after_update/allow_rules_for_network_drive_and_non_file_devices.patch
Просмотреть файл

@ -12,7 +12,7 @@ https://hg.mozilla.org/mozilla-central/rev/c70d06fa5302
diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/sandbox/chromium/sandbox/win/src/win_utils.cc
--- a/security/sandbox/chromium/sandbox/win/src/win_utils.cc
+++ b/security/sandbox/chromium/sandbox/win/src/win_utils.cc
@@ -190,62 +190,67 @@ bool ResolveRegistryName(base::string16
@@ -194,61 +194,66 @@ bool ResolveRegistryName(std::wstring na
return false;
}
@ -22,12 +22,12 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/s
// \Device\HarddiskVolume0\some\foo\bar
// \??\HarddiskVolume0\some\foo\bar
+// \??\UNC\SERVER\Share\some\foo\bar
DWORD IsReparsePoint(const base::string16& full_path) {
DWORD IsReparsePoint(const std::wstring& full_path) {
// Check if it's a pipe. We can't query the attributes of a pipe.
if (IsPipe(full_path))
return ERROR_NOT_A_REPARSE_POINT;
base::string16 path;
std::wstring path;
bool nt_path = IsNTPath(full_path, &path);
bool has_drive = StartsWithDriveLetter(path);
bool is_device_path = IsDevicePath(path, &path);
@ -37,13 +37,13 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/s
- bool added_implied_device = false;
if (!has_drive) {
- path = base::string16(kNTDotPrefix) + path;
- path = std::wstring(kNTDotPrefix) + path;
- added_implied_device = true;
+ // Add Win32 device namespace prefix, required for some Windows APIs.
+ path.insert(0, kNTDotPrefix);
}
- base::string16::size_type last_pos = base::string16::npos;
- std::wstring::size_type last_pos = std::wstring::npos;
- bool passed_once = false;
+ // Ensure that volume path matches start of path.
+ wchar_t vol_path[MAX_PATH];
@ -73,7 +73,6 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/s
- (path.rfind(L'\\') == kNTDotPrefixLen - 1)) {
- break;
- }
NOTREACHED_NT();
return error;
}
} else if (FILE_ATTRIBUTE_REPARSE_POINT & attributes) {
@ -94,12 +93,12 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/s
// we'll get from |handle| will be \device\harddiskvolume1\some\foo\bar.
bool SameObject(HANDLE handle, const wchar_t* full_path) {
// Check if it's a pipe.
@@ -256,63 +261,67 @@ bool SameObject(HANDLE handle, const wch
base::string16 actual_path;
@@ -258,63 +263,67 @@ bool SameObject(HANDLE handle, const wch
std::wstring actual_path;
if (!GetPathFromHandle(handle, &actual_path))
return false;
base::string16 path(full_path);
std::wstring path(full_path);
DCHECK_NT(!path.empty());
// This may end with a backslash.
@ -119,7 +118,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/s
bool has_drive = StartsWithDriveLetter(path);
if (!has_drive && nt_path) {
base::string16 simple_actual_path;
std::wstring simple_actual_path;
- if (!IsDevicePath(actual_path, &simple_actual_path))
- return false;
-
@ -187,5 +186,5 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/s
// Just make a best effort here. There are lots of corner cases that we're
// not expecting - and will fail to make long.
bool ConvertToLongPath(base::string16* native_path,
const base::string16* drive_letter) {
bool ConvertToLongPath(std::wstring* native_path,
const std::wstring* drive_letter) {

56
security/sandbox/chromium-shim/patches/after_update/arm64_set_LoaderThreads.patch
Просмотреть файл

@ -6,32 +6,10 @@
# Parent 5ef34aa8c8918649528048dd60907862a4355e29
Bug 1515088 Part 2: Set LoaderThreads to 1 in the RTL_USER_PROCESS_PARAMETERS structure on child process start-up. r=aklotz
diff --git a/security/sandbox/chromium/sandbox/win/src/nt_internals.h b/security/sandbox/chromium/sandbox/win/src/nt_internals.h
--- a/security/sandbox/chromium/sandbox/win/src/nt_internals.h
+++ b/security/sandbox/chromium/sandbox/win/src/nt_internals.h
@@ -312,16 +312,18 @@ typedef enum _PROCESSINFOCLASS {
// Partial definition only.
typedef struct _PEB {
BYTE InheritedAddressSpace;
BYTE ReadImageFileExecOptions;
BYTE BeingDebugged;
BYTE SpareBool;
PVOID Mutant;
PVOID ImageBaseAddress;
+ PVOID Ldr;
+ PVOID ProcessParameters;
} PEB, *PPEB;
typedef LONG KPRIORITY;
typedef struct _PROCESS_BASIC_INFORMATION {
union {
NTSTATUS ExitStatus;
PVOID padding_for_x64_0;
diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/sandbox/chromium/sandbox/win/src/win_utils.cc
--- a/security/sandbox/chromium/sandbox/win/src/win_utils.cc
+++ b/security/sandbox/chromium/sandbox/win/src/win_utils.cc
@@ -453,20 +453,21 @@ bool GetNtPathFromWin32Path(const base::
@@ -456,20 +456,21 @@ bool GetNtPathFromWin32Path(const std::w
bool rv = GetPathFromHandle(file, nt_path);
::CloseHandle(file);
return rv;
@ -55,7 +33,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/s
::WriteProcessMemory(child_process, address, buffer, length, &written) &&
(length == written);
@@ -511,16 +512,40 @@ void* GetProcessBaseAddress(HANDLE proce
@@ -544,16 +545,40 @@ void* GetProcessBaseAddress(HANDLE proce
&bytes_read) ||
(sizeof(magic) != bytes_read)) {
return nullptr;
@ -73,7 +51,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/s
+ // field so there is a, probably small, risk that it might change or move in
+ // the future. In order to slightly guard against that we only update if the
+ // value is currently 0.
+ uint8_t* processParameters = static_cast<uint8_t*>(peb.ProcessParameters);
+ auto processParameters = reinterpret_cast<uint8_t*>(peb.ProcessParameters);
+ const uint32_t loaderThreadsOffset = 0x40c;
+ uint32_t maxLoaderThreads = 0;
+ BOOL memoryRead = ::ReadProcessMemory(
@ -91,16 +69,16 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/s
return base_address;
}
}; // namespace sandbox
void ResolveNTFunctionPtr(const char* name, void* ptr) {
static volatile HMODULE ntdll = NULL;
DWORD GetTokenInformation(HANDLE token,
TOKEN_INFORMATION_CLASS info_class,
std::unique_ptr<BYTE[]>* buffer) {
// Get the required buffer size.
DWORD size = 0;
diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.h b/security/sandbox/chromium/sandbox/win/src/win_utils.h
--- a/security/sandbox/chromium/sandbox/win/src/win_utils.h
+++ b/security/sandbox/chromium/sandbox/win/src/win_utils.h
@@ -102,17 +102,18 @@ HKEY GetReservedKeyFromName(const base::
bool ResolveRegistryName(base::string16 name, base::string16* resolved_name);
@@ -111,17 +111,18 @@ HKEY GetReservedKeyFromName(const std::w
bool ResolveRegistryName(std::wstring name, std::wstring* resolved_name);
// Writes |length| bytes from the provided |buffer| into the address space of
// |child_process|, at the specified |address|, preserving the original write
@ -112,10 +90,10 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.h b/security/sa
+ size_t length,
+ DWORD writeProtection = PAGE_WRITECOPY);
// Returns true if the provided path points to a pipe.
bool IsPipe(const base::string16& path);
// Converts a NTSTATUS code to a Win32 error code.
DWORD GetLastErrorFromNtStatus(NTSTATUS status);
// Returns the address of the main exe module in memory taking in account
// Allocates |buffer_bytes| in child (PAGE_READWRITE) and copies data
// from |local_buffer| in this process into |child|. |remote_buffer|
// contains the address in the chile. If a zero byte copy is
// requested |true| is returned and no allocation or copying is
// attempted. Returns false if allocation or copying fails. If
// copying fails, the allocation will be reversed.
bool CopyToChildMemory(HANDLE child,

28
security/sandbox/chromium-shim/patches/after_update/consult_PermissionsService_for_file_access.patch
Просмотреть файл

@ -30,10 +30,10 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
FilesystemDispatcher::FilesystemDispatcher(PolicyBase* policy_base)
: policy_base_(policy_base) {
static const IPCCall create_params = {
{IPC_NTCREATEFILE_TAG,
{WCHAR_TYPE,
UINT32_TYPE,
@@ -110,16 +112,26 @@ bool FilesystemDispatcher::NtCreateFile(
{IpcTag::NTCREATEFILE,
{WCHAR_TYPE, UINT32_TYPE, UINT32_TYPE, UINT32_TYPE, UINT32_TYPE,
UINT32_TYPE, UINT32_TYPE}},
@@ -105,16 +107,26 @@ bool FilesystemDispatcher::NtCreateFile(
params[OpenFile::OPTIONS] = ParamPickerMake(create_options);
params[OpenFile::BROKER] = ParamPickerMake(broker);
@ -41,7 +41,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
// are just middlemen in the operation since is the FileSystemPolicy which
// knows what to do.
EvalResult result =
policy_base_->EvalPolicy(IPC_NTCREATEFILE_TAG, params.GetBase());
policy_base_->EvalPolicy(IpcTag::NTCREATEFILE, params.GetBase());
+
+ // If the policies forbid access (any result other than ASK_BROKER),
+ // then check for user-granted access to file.
@ -60,7 +60,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
file_attributes, share_access, create_disposition, create_options,
&handle, &nt_status, &io_information)) {
ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
@@ -157,16 +169,26 @@ bool FilesystemDispatcher::NtOpenFile(IP
@@ -150,16 +162,26 @@ bool FilesystemDispatcher::NtOpenFile(IP
params[OpenFile::OPTIONS] = ParamPickerMake(open_options);
params[OpenFile::BROKER] = ParamPickerMake(broker);
@ -68,7 +68,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
// are just middlemen in the operation since is the FileSystemPolicy which
// knows what to do.
EvalResult result =
policy_base_->EvalPolicy(IPC_NTOPENFILE_TAG, params.GetBase());
policy_base_->EvalPolicy(IpcTag::NTOPENFILE, params.GetBase());
+
+ // If the policies forbid access (any result other than ASK_BROKER),
+ // then check for user-granted access to file.
@ -90,7 +90,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
@@ -70,19 +70,16 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre
@@ -75,19 +75,16 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre
CountedParameterSet<OpenFile> params;
const wchar_t* name_ptr = name.get();
params[OpenFile::NAME] = ParamPickerMake(name_ptr);
@ -99,7 +99,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c
params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32);
params[OpenFile::BROKER] = ParamPickerMake(broker);
- if (!QueryBroker(IPC_NTCREATEFILE_TAG, params.GetBase()))
- if (!QueryBroker(IpcTag::NTCREATEFILE, params.GetBase()))
- break;
-
SharedMemIPCClient ipc(memory);
@ -107,25 +107,25 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c
// The following call must match in the parameters with
// FilesystemDispatcher::ProcessNtCreateFile.
ResultCode code =
CrossCall(ipc, IPC_NTCREATEFILE_TAG, name.get(), attributes,
CrossCall(ipc, IpcTag::NTCREATEFILE, name.get(), attributes,
desired_access_uint32, file_attributes, sharing, disposition,
options_uint32, &answer);
@@ -154,19 +151,16 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF
CountedParameterSet<OpenFile> params;
@@ -160,19 +157,16 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF
const wchar_t* name_ptr = name.get();
CountedParameterSet<OpenFile> params;
params[OpenFile::NAME] = ParamPickerMake(name_ptr);
params[OpenFile::ACCESS] = ParamPickerMake(desired_access_uint32);
params[OpenFile::DISPOSITION] = ParamPickerMake(disposition_uint32);
params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32);
params[OpenFile::BROKER] = ParamPickerMake(broker);
- if (!QueryBroker(IPC_NTOPENFILE_TAG, params.GetBase()))
- if (!QueryBroker(IpcTag::NTOPENFILE, params.GetBase()))
- break;
-
SharedMemIPCClient ipc(memory);
CrossCallReturn answer = {0};
ResultCode code =
CrossCall(ipc, IPC_NTOPENFILE_TAG, name.get(), attributes,
CrossCall(ipc, IpcTag::NTOPENFILE, name.get(), attributes,
desired_access_uint32, sharing, options_uint32, &answer);
if (SBOX_ALL_OK != code)
break;

94
security/sandbox/chromium-shim/patches/after_update/move_shared_memory_duplication_after_initialization.patch Normal file
Просмотреть файл

@ -0,0 +1,94 @@
# HG changeset patch
# User Bob Owen <bobowencode@gmail.com>
# Date 1577387989 0
# Thu Dec 26 19:19:49 2019 +0000
# Node ID 32adf437117bdca54be4959813acbb604f65137f
# Parent 214214029beb6cca606e11ba519d11cc7dbb37af
Bug 1605867: Don't duplicate IPC shared memory when we might fail to launch the process correctly. r=handyman
Differential Revision: https://phabricator.services.mozilla.com/D58271
diff --git a/security/sandbox/chromium/sandbox/win/src/target_process.cc b/security/sandbox/chromium/sandbox/win/src/target_process.cc
--- a/security/sandbox/chromium/sandbox/win/src/target_process.cc
+++ b/security/sandbox/chromium/sandbox/win/src/target_process.cc
@@ -286,45 +286,28 @@ ResultCode TargetProcess::Init(Dispatche
shared_section_.Set(::CreateFileMappingW(INVALID_HANDLE_VALUE, nullptr,
PAGE_READWRITE | SEC_COMMIT, 0,
shared_mem_size, nullptr));
if (!shared_section_.IsValid()) {
*win_error = ::GetLastError();
return SBOX_ERROR_CREATE_FILE_MAPPING;
}
- DWORD access = FILE_MAP_READ | FILE_MAP_WRITE | SECTION_QUERY;
- HANDLE target_shared_section;
- if (!::DuplicateHandle(::GetCurrentProcess(), shared_section_.Get(),
- sandbox_process_info_.process_handle(),
- &target_shared_section, access, false, 0)) {
- *win_error = ::GetLastError();
- return SBOX_ERROR_DUPLICATE_SHARED_SECTION;
- }
-
void* shared_memory = ::MapViewOfFile(
shared_section_.Get(), FILE_MAP_WRITE | FILE_MAP_READ, 0, 0, 0);
if (!shared_memory) {
*win_error = ::GetLastError();
return SBOX_ERROR_MAP_VIEW_OF_SHARED_SECTION;
}
CopyPolicyToTarget(policy, shared_policy_size,
reinterpret_cast<char*>(shared_memory) + shared_IPC_size);
ResultCode ret;
// Set the global variables in the target. These are not used on the broker.
- g_shared_section = target_shared_section;
- ret = TransferVariable("g_shared_section", &g_shared_section,
- sizeof(g_shared_section));
- g_shared_section = nullptr;
- if (SBOX_ALL_OK != ret) {
- *win_error = ::GetLastError();
- return ret;
- }
g_shared_IPC_size = shared_IPC_size;
ret = TransferVariable("g_shared_IPC_size", &g_shared_IPC_size,
sizeof(g_shared_IPC_size));
g_shared_IPC_size = 0;
if (SBOX_ALL_OK != ret) {
*win_error = ::GetLastError();
return ret;
}
@@ -339,16 +322,34 @@ ResultCode TargetProcess::Init(Dispatche
ipc_server_.reset(new SharedMemIPCServer(
sandbox_process_info_.process_handle(),
sandbox_process_info_.process_id(), thread_pool_, ipc_dispatcher));
if (!ipc_server_->Init(shared_memory, shared_IPC_size, kIPCChannelSize))
return SBOX_ERROR_NO_SPACE;
+ DWORD access = FILE_MAP_READ | FILE_MAP_WRITE | SECTION_QUERY;
+ HANDLE target_shared_section;
+ if (!::DuplicateHandle(::GetCurrentProcess(), shared_section_.Get(),
+ sandbox_process_info_.process_handle(),
+ &target_shared_section, access, false, 0)) {
+ *win_error = ::GetLastError();
+ return SBOX_ERROR_DUPLICATE_SHARED_SECTION;
+ }
+
+ g_shared_section = target_shared_section;
+ ret = TransferVariable("g_shared_section", &g_shared_section,
+ sizeof(g_shared_section));
+ g_shared_section = nullptr;
+ if (SBOX_ALL_OK != ret) {
+ *win_error = ::GetLastError();
+ return ret;
+ }
+
// After this point we cannot use this handle anymore.
::CloseHandle(sandbox_process_info_.TakeThreadHandle());
return SBOX_ALL_OK;
}
void TargetProcess::Terminate() {
if (!sandbox_process_info_.IsValid())

1
security/sandbox/chromium-shim/patches/after_update/patch_order.txt
Просмотреть файл

@ -5,3 +5,4 @@ consult_PermissionsService_for_file_access.patch
allow_flash_temporary_files.patch
arm64_set_LoaderThreads.patch
change_to_DCHECK_in_CloseHandleWrapper.patch
move_shared_memory_duplication_after_initialization.patch

8
security/sandbox/chromium-shim/patches/with_update/aarch64_control_flow_guard.patch
Просмотреть файл

@ -17,11 +17,11 @@ Differential Revision: https://phabricator.services.mozilla.com/D29474
diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
+++ b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
@@ -400,16 +400,21 @@ void ConvertProcessMitigationsToPolicy(M
@@ -431,16 +431,21 @@ void ConvertProcessMitigationsToPolicy(M
// Mitigations >= Win8.1:
//----------------------------------------------------------------------------
if (version >= base::win::VERSION_WIN8_1) {
if (version >= base::win::Version::WIN8_1) {
if (flags & MITIGATION_DYNAMIC_CODE_DISABLE) {
*policy_value_1 |=
PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON;
@ -35,14 +35,14 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc b/
// Mitigations >= Win10:
//----------------------------------------------------------------------------
if (version >= base::win::VERSION_WIN10) {
if (version >= base::win::Version::WIN10) {
if (flags & MITIGATION_NONSYSTEM_FONT_DISABLE) {
*policy_value_1 |=
PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON;
diff --git a/security/sandbox/chromium/sandbox/win/src/security_level.h b/security/sandbox/chromium/sandbox/win/src/security_level.h
--- a/security/sandbox/chromium/sandbox/win/src/security_level.h
+++ b/security/sandbox/chromium/sandbox/win/src/security_level.h
@@ -273,11 +273,20 @@ const MitigationFlags MITIGATION_IMAGE_L
@@ -282,11 +282,20 @@ const MitigationFlags MITIGATION_IMAGE_L
const MitigationFlags MITIGATION_IMAGE_LOAD_PREFER_SYS32 = 0x00100000;
// Prevents hyperthreads from interfering with indirect branch predictions.

28
security/sandbox/chromium-shim/patches/with_update/add_option_to_not_use_restricting_sids.patch
Просмотреть файл

@ -12,7 +12,7 @@ https://hg.mozilla.org/mozilla-central/rev/14374cd9497a
diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
@@ -51,16 +51,17 @@
@@ -51,16 +51,17 @@ DWORD GetObjectSecurityDescriptor(HANDLE
} // namespace
@ -28,9 +28,9 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
if (lockdown_default_dacl)
restricted_token.SetLockdownDefaultDacl();
std::vector<base::string16> privilege_exceptions;
std::vector<std::wstring> privilege_exceptions;
std::vector<Sid> sid_exceptions;
@@ -68,19 +69,22 @@ DWORD CreateRestrictedToken(TokenLevel s
@@ -73,19 +74,22 @@ DWORD CreateRestrictedToken(HANDLE effec
deny_sids = false;
remove_privileges = false;
break;
@ -56,7 +56,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
sid_exceptions.push_back(WinWorldSid);
sid_exceptions.push_back(WinInteractiveSid);
sid_exceptions.push_back(WinAuthenticatedUserSid);
@@ -93,49 +97,57 @@ DWORD CreateRestrictedToken(TokenLevel s
@@ -108,49 +112,57 @@ DWORD CreateRestrictedToken(HANDLE effec
break;
}
case USER_INTERACTIVE: {
@ -133,7 +133,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h
+++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h
@@ -33,16 +33,17 @@ enum TokenType {
@@ -33,16 +33,17 @@ enum TokenType { IMPERSONATION = 0, PRIM
// If the function succeeds, the return value is ERROR_SUCCESS. If the
// function fails, the return value is the win32 error code corresponding to
// the error.
@ -154,7 +154,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h
+++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h
@@ -95,16 +95,21 @@ class TargetPolicy {
@@ -101,16 +101,21 @@ class TargetPolicy {
virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) = 0;
// Returns the initial token level.
@ -179,7 +179,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h b/securi
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc
+++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc
@@ -149,16 +149,20 @@ ResultCode PolicyBase::SetTokenLevel(Tok
@@ -152,16 +152,20 @@ ResultCode PolicyBase::SetTokenLevel(Tok
TokenLevel PolicyBase::GetInitialTokenLevel() const {
return initial_level_;
}
@ -200,7 +200,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/
ui_exceptions_ = ui_exceptions;
return SBOX_ALL_OK;
}
@@ -402,17 +406,18 @@ ResultCode PolicyBase::MakeJobObject(bas
@@ -413,17 +417,18 @@ ResultCode PolicyBase::MakeJobObject(bas
ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial,
base::win::ScopedHandle* lockdown,
@ -213,14 +213,14 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/
+ PRIMARY, lockdown_default_dacl_,
+ use_restricting_sids_, lockdown);
if (ERROR_SUCCESS != result)
return SBOX_ERROR_GENERIC;
return SBOX_ERROR_CANNOT_CREATE_RESTRICTED_TOKEN;
// If we're launching on the alternate desktop we need to make sure the
// integrity label on the object is no higher than the sandboxed process's
// integrity level. So, we lower the label on the desktop process if it's
// not already low enough for our process.
if (use_alternate_desktop_ && integrity_level_ != INTEGRITY_LEVEL_LAST) {
@@ -466,17 +471,18 @@ ResultCode PolicyBase::MakeTokens(base::
@@ -482,17 +487,18 @@ ResultCode PolicyBase::MakeTokens(base::
}
}
@ -233,7 +233,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/
+ IMPERSONATION, lockdown_default_dacl_,
+ use_restricting_sids_, initial);
if (ERROR_SUCCESS != result)
return SBOX_ERROR_GENERIC;
return SBOX_ERROR_CANNOT_CREATE_RESTRICTED_IMP_TOKEN;
return SBOX_ALL_OK;
}
@ -243,7 +243,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h
+++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h
@@ -37,16 +37,17 @@ class PolicyBase final : public TargetPo
@@ -41,16 +41,17 @@ class PolicyBase final : public TargetPo
PolicyBase();
// TargetPolicy:
@ -257,11 +257,11 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h b/s
JobLevel GetJobLevel() const override;
ResultCode SetJobMemoryLimit(size_t memory_limit) override;
ResultCode SetAlternateDesktop(bool alternate_winstation) override;
base::string16 GetAlternateDesktop() const override;
std::wstring GetAlternateDesktop() const override;
ResultCode CreateAlternateDesktop(bool alternate_winstation) override;
void DestroyAlternateDesktop() override;
ResultCode SetIntegrityLevel(IntegrityLevel integrity_level) override;
@@ -122,16 +123,17 @@ class PolicyBase final : public TargetPo
@@ -134,16 +135,17 @@ class PolicyBase final : public TargetPo
// The policy takes ownership of them.
typedef std::list<TargetProcess*> TargetSet;
TargetSet targets_;

461
security/sandbox/chromium-shim/patches/with_update/add_support_for_random_restricted_SID.patch Normal file
Просмотреть файл

@ -0,0 +1,461 @@
# HG changeset patch
# User Bob Owen <bobowencode@gmail.com>
# Date 1584045580 0
# Thu Mar 12 20:39:40 2020 +0000
# Node ID c996dbc3e3663fb372feb8e171562e86b09583b6
# Parent f96efa1d9f5c676c0ee8fd80044a494258eff3d3
Bug 1557282 Part 1: Take chromium commit c1ce57ea5d31208af589b4839390a44ab20b0c8f. r=handyman,gcp
This adds AddRestrictingRandomSid feature, which fixes our issues with
SetLockdownDefaultDacl, apart from when we are running from a network drive.
Differential Revision: https://phabricator.services.mozilla.com/D66610
diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token.cc
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token.cc
+++ b/security/sandbox/chromium/sandbox/win/src/restricted_token.cc
@@ -141,16 +141,24 @@ DWORD RestrictedToken::GetRestrictedToke
} else {
// Modify the default dacl on the token to contain Restricted.
if (!AddSidToDefaultDacl(new_token.Get(), WinRestrictedCodeSid,
GRANT_ACCESS, GENERIC_ALL)) {
return ::GetLastError();
}
}
+ for (const auto& default_dacl_sid : sids_for_default_dacl_) {
+ if (!AddSidToDefaultDacl(new_token.Get(), std::get<0>(default_dacl_sid),
+ std::get<1>(default_dacl_sid),
+ std::get<2>(default_dacl_sid))) {
+ return ::GetLastError();
+ }
+ }
+
// Add user to default dacl.
if (!AddUserSidToDefaultDacl(new_token.Get(), GENERIC_ALL))
return ::GetLastError();
DWORD error = SetTokenIntegrityLevel(new_token.Get(), integrity_level_);
if (ERROR_SUCCESS != error)
return error;
@@ -405,9 +413,20 @@ DWORD RestrictedToken::SetIntegrityLevel
integrity_level_ = integrity_level;
return ERROR_SUCCESS;
}
void RestrictedToken::SetLockdownDefaultDacl() {
lockdown_default_dacl_ = true;
}
+DWORD RestrictedToken::AddDefaultDaclSid(const Sid& sid,
+ ACCESS_MODE access_mode,
+ ACCESS_MASK access) {
+ DCHECK(init_);
+ if (!init_)
+ return ERROR_NO_TOKEN;
+
+ sids_for_default_dacl_.push_back(std::make_tuple(sid, access_mode, access));
+ return ERROR_SUCCESS;
+}
+
} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token.h b/security/sandbox/chromium/sandbox/win/src/restricted_token.h
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token.h
+++ b/security/sandbox/chromium/sandbox/win/src/restricted_token.h
@@ -2,16 +2,17 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef SANDBOX_SRC_RESTRICTED_TOKEN_H_
#define SANDBOX_SRC_RESTRICTED_TOKEN_H_
#include <windows.h>
+#include <tuple>
#include <vector>
#include <string>
#include "base/macros.h"
#include "base/win/scoped_handle.h"
#include "sandbox/win/src/restricted_token_utils.h"
#include "sandbox/win/src/security_level.h"
@@ -169,23 +170,31 @@ class RestrictedToken {
// Sets the token integrity level. This is only valid on Vista. The integrity
// level cannot be higher than your current integrity level.
DWORD SetIntegrityLevel(IntegrityLevel integrity_level);
// Set a flag which indicates the created token should have a locked down
// default DACL when created.
void SetLockdownDefaultDacl();
+ // Add a SID to the default DACL. These SIDs are added regardless of the
+ // SetLockdownDefaultDacl state.
+ DWORD AddDefaultDaclSid(const Sid& sid,
+ ACCESS_MODE access_mode,
+ ACCESS_MASK access);
+
private:
// The list of restricting sids in the restricted token.
std::vector<Sid> sids_to_restrict_;
// The list of privileges to remove in the restricted token.
std::vector<LUID> privileges_to_disable_;
// The list of sids to mark as Deny Only in the restricted token.
std::vector<Sid> sids_for_deny_only_;
+ // The list of sids to add to the default DACL of the restricted token.
+ std::vector<std::tuple<Sid, ACCESS_MODE, ACCESS_MASK>> sids_for_default_dacl_;
// The token to restrict. Can only be set in a constructor.
base::win::ScopedHandle effective_token_;
// The token integrity level. Only valid on Vista.
IntegrityLevel integrity_level_;
// Tells if the object is initialized or not (if Init() has been called)
bool init_;
// Lockdown the default DACL when creating new tokens.
bool lockdown_default_dacl_;
diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
@@ -51,22 +51,29 @@ DWORD GetObjectSecurityDescriptor(HANDLE
} // namespace
DWORD CreateRestrictedToken(HANDLE effective_token,
TokenLevel security_level,
IntegrityLevel integrity_level,
TokenType token_type,
bool lockdown_default_dacl,
+ PSID unique_restricted_sid,
bool use_restricting_sids,
base::win::ScopedHandle* token) {
RestrictedToken restricted_token;
restricted_token.Init(effective_token);
if (lockdown_default_dacl)
restricted_token.SetLockdownDefaultDacl();
+ if (unique_restricted_sid) {
+ restricted_token.AddDefaultDaclSid(Sid(unique_restricted_sid), GRANT_ACCESS,
+ GENERIC_ALL);
+ restricted_token.AddDefaultDaclSid(Sid(WinCreatorOwnerRightsSid),
+ GRANT_ACCESS, READ_CONTROL);
+ }
std::vector<std::wstring> privilege_exceptions;
std::vector<Sid> sid_exceptions;
bool deny_sids = true;
bool remove_privileges = true;
switch (security_level) {
@@ -118,50 +125,60 @@ DWORD CreateRestrictedToken(HANDLE effec
sid_exceptions.push_back(WinAuthenticatedUserSid);
privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
if (use_restricting_sids) {
restricted_token.AddRestrictingSid(WinBuiltinUsersSid);
restricted_token.AddRestrictingSid(WinWorldSid);
restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
restricted_token.AddRestrictingSidCurrentUser();
restricted_token.AddRestrictingSidLogonSession();
+ if (unique_restricted_sid)
+ restricted_token.AddRestrictingSid(Sid(unique_restricted_sid));
}
break;
}
case USER_LIMITED: {
sid_exceptions.push_back(WinBuiltinUsersSid);
sid_exceptions.push_back(WinWorldSid);
sid_exceptions.push_back(WinInteractiveSid);
privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
if (use_restricting_sids) {
restricted_token.AddRestrictingSid(WinBuiltinUsersSid);
restricted_token.AddRestrictingSid(WinWorldSid);
restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
+ if (unique_restricted_sid)
+ restricted_token.AddRestrictingSid(Sid(unique_restricted_sid));
// This token has to be able to create objects in BNO.
// Unfortunately, on Vista+, it needs the current logon sid
// in the token to achieve this. You should also set the process to be
// low integrity level so it can't access object created by other
// processes.
restricted_token.AddRestrictingSidLogonSession();
+ } else {
+ restricted_token.AddUserSidForDenyOnly();
}
break;
}
case USER_RESTRICTED: {
privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
restricted_token.AddUserSidForDenyOnly();
if (use_restricting_sids) {
restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
+ if (unique_restricted_sid)
+ restricted_token.AddRestrictingSid(Sid(unique_restricted_sid));
}
break;
}
case USER_LOCKDOWN: {
restricted_token.AddUserSidForDenyOnly();
if (use_restricting_sids) {
restricted_token.AddRestrictingSid(WinNullSid);
+ if (unique_restricted_sid)
+ restricted_token.AddRestrictingSid(Sid(unique_restricted_sid));
}
break;
}
default: { return ERROR_BAD_ARGUMENTS; }
}
DWORD err_code = ERROR_SUCCESS;
if (deny_sids) {
diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h
+++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h
@@ -33,16 +33,17 @@ enum TokenType { IMPERSONATION = 0, PRIM
// If the function succeeds, the return value is ERROR_SUCCESS. If the
// function fails, the return value is the win32 error code corresponding to
// the error.
DWORD CreateRestrictedToken(HANDLE effective_token,
TokenLevel security_level,
IntegrityLevel integrity_level,
TokenType token_type,
bool lockdown_default_dacl,
+ PSID unique_restricted_sid,
bool use_restricting_sids,
base::win::ScopedHandle* token);
// Sets the integrity label on a object handle.
DWORD SetObjectIntegrityLabel(HANDLE handle,
SE_OBJECT_TYPE type,
const wchar_t* ace_access,
const wchar_t* integrity_level_sid);
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h
+++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h
@@ -256,16 +256,20 @@ class TargetPolicy {
// ownership of the handle.
virtual void AddHandleToShare(HANDLE handle) = 0;
// Locks down the default DACL of the created lockdown and initial tokens
// to restrict what other processes are allowed to access a process' kernel
// resources.
virtual void SetLockdownDefaultDacl() = 0;
+ // Adds a restricting random SID to the restricted SIDs list as well as
+ // the default DACL.
+ virtual void AddRestrictingRandomSid() = 0;
+
// Enable OPM API redirection when in Win32k lockdown.
virtual void SetEnableOPMRedirection() = 0;
// Enable OPM API emulation when in Win32k lockdown.
virtual bool GetEnableOPMRedirection() = 0;
// Configure policy to use an AppContainer profile. |package_name| is the
// name of the profile to use. Specifying True for |create_profile| ensures
// the profile exists, if set to False process creation will fail if the
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc
+++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc
@@ -105,16 +105,17 @@ PolicyBase::PolicyBase()
delayed_integrity_level_(INTEGRITY_LEVEL_LAST),
mitigations_(0),
delayed_mitigations_(0),
is_csrss_connected_(true),
policy_maker_(nullptr),
policy_(nullptr),
lowbox_sid_(nullptr),
lockdown_default_dacl_(false),
+ add_restricting_random_sid_(false),
enable_opm_redirection_(false),
effective_token_(nullptr) {
::InitializeCriticalSection(&lock_);
dispatcher_.reset(new TopLevelDispatcher(this));
}
PolicyBase::~PolicyBase() {
TargetSet::iterator it;
@@ -389,16 +390,20 @@ void PolicyBase::AddHandleToShare(HANDLE
handles_to_share_.push_back(handle);
}
void PolicyBase::SetLockdownDefaultDacl() {
lockdown_default_dacl_ = true;
}
+void PolicyBase::AddRestrictingRandomSid() {
+ add_restricting_random_sid_ = true;
+}
+
const base::HandlesToInheritVector& PolicyBase::GetHandlesBeingShared() {
return handles_to_share_;
}
ResultCode PolicyBase::MakeJobObject(base::win::ScopedHandle* job) {
if (job_level_ == JOB_NONE) {
job->Close();
return SBOX_ALL_OK;
@@ -413,22 +418,26 @@ ResultCode PolicyBase::MakeJobObject(bas
*job = job_obj.Take();
return SBOX_ALL_OK;
}
ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial,
base::win::ScopedHandle* lockdown,
base::win::ScopedHandle* lowbox) {
+ Sid random_sid = Sid::GenerateRandomSid();
+ PSID random_sid_ptr = nullptr;
+ if (add_restricting_random_sid_)
+ random_sid_ptr = random_sid.GetPSID();
+
// Create the 'naked' token. This will be the permanent token associated
// with the process and therefore with any thread that is not impersonating.
- DWORD result =
- CreateRestrictedToken(effective_token_, lockdown_level_, integrity_level_,
- PRIMARY, lockdown_default_dacl_,
- use_restricting_sids_, lockdown);
+ DWORD result = CreateRestrictedToken(
+ effective_token_, lockdown_level_, integrity_level_, PRIMARY,
+ lockdown_default_dacl_, random_sid_ptr, use_restricting_sids_, lockdown);
if (ERROR_SUCCESS != result)
return SBOX_ERROR_CANNOT_CREATE_RESTRICTED_TOKEN;
// If we're launching on the alternate desktop we need to make sure the
// integrity label on the object is no higher than the sandboxed process's
// integrity level. So, we lower the label on the desktop process if it's
// not already low enough for our process.
if (use_alternate_desktop_ && integrity_level_ != INTEGRITY_LEVEL_LAST) {
@@ -485,20 +494,19 @@ ResultCode PolicyBase::MakeTokens(base::
TOKEN_ALL_ACCESS)) {
return SBOX_ERROR_CANNOT_MODIFY_LOWBOX_TOKEN_DACL;
}
}
// Create the 'better' token. We use this token as the one that the main
// thread uses when booting up the process. It should contain most of
// what we need (before reaching main( ))
- result =
- CreateRestrictedToken(effective_token_, initial_level_, integrity_level_,
- IMPERSONATION, lockdown_default_dacl_,
- use_restricting_sids_, initial);
+ result = CreateRestrictedToken(
+ effective_token_, initial_level_, integrity_level_, IMPERSONATION,
+ lockdown_default_dacl_, random_sid_ptr, use_restricting_sids_, initial);
if (ERROR_SUCCESS != result)
return SBOX_ERROR_CANNOT_CREATE_RESTRICTED_IMP_TOKEN;
return SBOX_ALL_OK;
}
PSID PolicyBase::GetLowBoxSid() const {
return lowbox_sid_;
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h
+++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h
@@ -69,16 +69,17 @@ class PolicyBase final : public TargetPo
ResultCode AddRule(SubSystem subsystem,
Semantics semantics,
const wchar_t* pattern) override;
ResultCode AddDllToUnload(const wchar_t* dll_name) override;
ResultCode AddKernelObjectToClose(const wchar_t* handle_type,
const wchar_t* handle_name) override;
void AddHandleToShare(HANDLE handle) override;
void SetLockdownDefaultDacl() override;
+ void AddRestrictingRandomSid() override;
void SetEnableOPMRedirection() override;
bool GetEnableOPMRedirection() override;
ResultCode AddAppContainerProfile(const wchar_t* package_name,
bool create_profile) override;
scoped_refptr<AppContainerProfile> GetAppContainerProfile() override;
void SetEffectiveToken(HANDLE token) override;
// Get the AppContainer profile as its internal type.
@@ -165,16 +166,17 @@ class PolicyBase final : public TargetPo
// This is a map of handle-types to names that we need to close in the
// target process. A null set means we need to close all handles of the
// given type.
HandleCloser handle_closer_;
PSID lowbox_sid_;
base::win::ScopedHandle lowbox_directory_;
std::unique_ptr<Dispatcher> dispatcher_;
bool lockdown_default_dacl_;
+ bool add_restricting_random_sid_;
static HDESK alternate_desktop_handle_;
static HWINSTA alternate_winstation_handle_;
static HDESK alternate_desktop_local_winstation_handle_;
static IntegrityLevel alternate_desktop_integrity_level_label_;
static IntegrityLevel
alternate_desktop_local_winstation_integrity_level_label_;
diff --git a/security/sandbox/chromium/sandbox/win/src/sid.cc b/security/sandbox/chromium/sandbox/win/src/sid.cc
--- a/security/sandbox/chromium/sandbox/win/src/sid.cc
+++ b/security/sandbox/chromium/sandbox/win/src/sid.cc
@@ -2,18 +2,20 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "sandbox/win/src/sid.h"
#include <memory>
#include <sddl.h>
+#include <stdlib.h>
#include "base/logging.h"
+#include "base/rand_util.h"
#include "base/win/windows_version.h"
#include "sandbox/win/src/win_utils.h"
namespace sandbox {
namespace {
DWORD WellKnownCapabilityToRid(WellKnownCapabilities capability) {
@@ -127,16 +129,24 @@ Sid Sid::FromSubAuthorities(PSID_IDENTIF
Sid Sid::AllRestrictedApplicationPackages() {
SID_IDENTIFIER_AUTHORITY package_authority = {SECURITY_APP_PACKAGE_AUTHORITY};
DWORD sub_authorities[] = {SECURITY_APP_PACKAGE_BASE_RID,
SECURITY_BUILTIN_PACKAGE_ANY_RESTRICTED_PACKAGE};
return FromSubAuthorities(&package_authority, 2, sub_authorities);
}
+Sid Sid::GenerateRandomSid() {
+ SID_IDENTIFIER_AUTHORITY package_authority = {SECURITY_NULL_SID_AUTHORITY};
+ DWORD sub_authorities[4] = {};
+ base::RandBytes(&sub_authorities, sizeof(sub_authorities));
+ return FromSubAuthorities(&package_authority, _countof(sub_authorities),
+ sub_authorities);
+}
+
PSID Sid::GetPSID() const {
return const_cast<BYTE*>(sid_);
}
bool Sid::IsValid() const {
return !!::IsValidSid(GetPSID());
}
diff --git a/security/sandbox/chromium/sandbox/win/src/sid.h b/security/sandbox/chromium/sandbox/win/src/sid.h
--- a/security/sandbox/chromium/sandbox/win/src/sid.h
+++ b/security/sandbox/chromium/sandbox/win/src/sid.h
@@ -47,16 +47,18 @@ class Sid {
// Create a Sid from a SDDL format string, such as S-1-1-0.
static Sid FromSddlString(const wchar_t* sddl_sid);
// Create a Sid from a set of sub authorities.
static Sid FromSubAuthorities(PSID_IDENTIFIER_AUTHORITY identifier_authority,
BYTE sub_authority_count,
PDWORD sub_authorities);
// Create the restricted all application packages sid.
static Sid AllRestrictedApplicationPackages();
+ // Generate a random SID value.
+ static Sid GenerateRandomSid();
// Returns sid_.
PSID GetPSID() const;
// Gets whether the sid is valid.
bool IsValid() const;
// Converts the SID to a SDDL format string.

36
security/sandbox/chromium-shim/patches/with_update/allow_env_changes.patch
Просмотреть файл

@ -9,7 +9,7 @@ Bug 1297740.
diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.cc b/security/sandbox/chromium/sandbox/win/src/broker_services.cc
--- a/security/sandbox/chromium/sandbox/win/src/broker_services.cc
+++ b/security/sandbox/chromium/sandbox/win/src/broker_services.cc
@@ -301,16 +301,17 @@ DWORD WINAPI BrokerServicesBase::TargetE
@@ -414,16 +414,17 @@ DWORD WINAPI BrokerServicesBase::TargetE
NOTREACHED();
return 0;
}
@ -27,7 +27,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.cc b/secu
return SBOX_ERROR_BAD_PARAMS;
if (!policy)
@@ -486,17 +487,17 @@ ResultCode BrokerServicesBase::SpawnTarg
@@ -609,17 +610,17 @@ ResultCode BrokerServicesBase::SpawnTarg
// Brokerservices does not own the target object. It is owned by the Policy.
base::win::ScopedProcessInformation process_info;
TargetProcess* target = new TargetProcess(
@ -65,9 +65,9 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.h b/secur
#include "sandbox/win/src/crosscall_server.h"
#include "sandbox/win/src/job.h"
#include "sandbox/win/src/sandbox.h"
#include "sandbox/win/src/sandbox_policy_base.h"
#include "sandbox/win/src/sharedmem_ipc_server.h"
#include "sandbox/win/src/win2k_threadpool.h"
@@ -45,16 +46,17 @@ class BrokerServicesBase final : public
@@ -39,16 +40,17 @@ class BrokerServicesBase final : public
~BrokerServicesBase();
@ -88,7 +88,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.h b/secur
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sandbox/chromium/sandbox/win/src/sandbox.h
--- a/security/sandbox/chromium/sandbox/win/src/sandbox.h
+++ b/security/sandbox/chromium/sandbox/win/src/sandbox.h
@@ -79,16 +79,17 @@ class BrokerServices {
@@ -84,16 +84,17 @@ class BrokerServices {
// parameter will hold the last Win32 error value.
// target: returns the resulting target process information such as process
// handle and PID just as if CreateProcess() had been called. The caller is
@ -109,7 +109,25 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sand
diff --git a/security/sandbox/chromium/sandbox/win/src/target_process.cc b/security/sandbox/chromium/sandbox/win/src/target_process.cc
--- a/security/sandbox/chromium/sandbox/win/src/target_process.cc
+++ b/security/sandbox/chromium/sandbox/win/src/target_process.cc
@@ -137,16 +137,17 @@ TargetProcess::~TargetProcess() {
@@ -9,16 +9,17 @@
#include <memory>
#include <utility>
#include <vector>
#include "base/macros.h"
#include "base/memory/free_deleter.h"
#include "base/numerics/safe_conversions.h"
+#include "base/process/environment_internal.h"
#include "base/win/startup_information.h"
#include "base/win/windows_version.h"
#include "sandbox/win/src/crosscall_client.h"
#include "sandbox/win/src/crosscall_server.h"
#include "sandbox/win/src/policy_low_level.h"
#include "sandbox/win/src/restricted_token_utils.h"
#include "sandbox/win/src/sandbox_types.h"
#include "sandbox/win/src/security_capabilities.h"
@@ -137,16 +138,17 @@ TargetProcess::~TargetProcess() {
// Creates the target (child) process suspended and assigns it to the job
// object.
ResultCode TargetProcess::Create(
@ -127,10 +145,10 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/target_process.cc b/secur
// Start the target process suspended.
DWORD flags =
@@ -156,22 +157,29 @@ ResultCode TargetProcess::Create(
@@ -156,22 +158,29 @@ ResultCode TargetProcess::Create(
flags |= EXTENDED_STARTUPINFO_PRESENT;
if (job_ && base::win::GetVersion() < base::win::VERSION_WIN8) {
if (job_ && base::win::GetVersion() < base::win::Version::WIN8) {
// Windows 8 implements nested jobs, but for older systems we need to
// break out of any job we're in to enforce our restrictions.
flags |= CREATE_BREAKAWAY_FROM_JOB;
@ -138,7 +156,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/target_process.cc b/secur
+ LPTCH original_environment = GetEnvironmentStrings();
+ base::NativeEnvironmentString new_environment =
+ base::AlterEnvironment(original_environment, env_changes);
+ base::internal::AlterEnvironment(original_environment, env_changes);
+ // Ignore return value? What can we do?
+ FreeEnvironmentStrings(original_environment);
+ LPVOID new_env_ptr = (void*)new_environment.data();

10
security/sandbox/chromium-shim/patches/with_update/allow_read_only_all_paths_rule.patch
Просмотреть файл

@ -6,7 +6,9 @@
# Parent 96707276b26997ea2a8e9fd8fdacc0c863717e7b
Allow a special all paths rule in the Windows process sandbox when using semantics FILES_ALLOW_READONLY. r=jimm
This also changes the read only related status checks in filesystem_interception.cc to include STATUS_NETWORK_OPEN_RESTRICTION (0xC0000201), which gets returned in some cases and fails because we never ask the broker.
This also changes the read only related status checks in filesystem_interception.cc
to include STATUS_NETWORK_OPEN_RESTRICTION (0xC0000201), which gets returned in
some cases and fails because we never ask the broker.
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
@ -52,7 +54,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c
do {
if (!ValidParameter(file, sizeof(HANDLE), WRITE))
@@ -106,17 +111,18 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre
@@ -106,17 +111,18 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF
ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes,
PIO_STATUS_BLOCK io_status,
@ -92,7 +94,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c
do {
if (!ValidParameter(file_attributes, sizeof(FILE_BASIC_INFORMATION), WRITE))
@@ -232,17 +239,18 @@ NTSTATUS WINAPI TargetNtQueryAttributesF
@@ -232,17 +239,18 @@ TargetNtQueryAttributesFile(NtQueryAttri
NTSTATUS WINAPI TargetNtQueryFullAttributesFile(
NtQueryFullAttributesFileFunction orig_QueryFullAttributes,
@ -119,7 +121,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc b/se
bool FileSystemPolicy::GenerateRules(const wchar_t* name,
TargetPolicy::Semantics semantics,
LowLevelPolicy* policy) {
base::string16 mod_name(name);
std::wstring mod_name(name);
if (mod_name.empty()) {
return false;
}

40
security/sandbox/chromium-shim/patches/with_update/fix_incorrect_int_use_in_Kernel32BaseVersion.patch
Просмотреть файл

@ -1,40 +0,0 @@
# HG changeset patch
# User Bob Owen <bobowencode@gmail.com>
# Date 1549903491 0
# Mon Feb 11 16:44:51 2019 +0000
# Node ID 3bb3e5a6275db53530d50549b7b329cc1248d450
# Parent fc9d5e40028058abeb06f8bdc2f75fc868fbe14b
Fix incorrect int use in Kernel32BaseVersion in windows_version.cc. r=aklotz
diff --git a/security/sandbox/chromium/base/win/windows_version.cc b/security/sandbox/chromium/base/win/windows_version.cc
--- a/security/sandbox/chromium/base/win/windows_version.cc
+++ b/security/sandbox/chromium/base/win/windows_version.cc
@@ -236,23 +236,23 @@ Version OSInfo::Kernel32Version() const
// kernel32 will still be the "real" version.
base::Version OSInfo::Kernel32BaseVersion() const {
static const base::NoDestructor<base::Version> version([] {
std::unique_ptr<FileVersionInfoWin> file_version_info(
static_cast<FileVersionInfoWin*>(
FileVersionInfoWin::CreateFileVersionInfo(
base::FilePath(FILE_PATH_LITERAL("kernel32.dll")))));
DCHECK(file_version_info);
- const int major =
+ const uint32_t major =
HIWORD(file_version_info->fixed_file_info()->dwFileVersionMS);
- const int minor =
+ const uint32_t minor =
LOWORD(file_version_info->fixed_file_info()->dwFileVersionMS);
- const int build =
+ const uint32_t build =
HIWORD(file_version_info->fixed_file_info()->dwFileVersionLS);
- const int patch =
+ const uint32_t patch =
LOWORD(file_version_info->fixed_file_info()->dwFileVersionLS);
return base::Version(std::vector<uint32_t>{major, minor, build, patch});
}());
return *version;
}
std::string OSInfo::processor_model_name() {
if (processor_model_name_.empty()) {

4
security/sandbox/chromium-shim/patches/with_update/ifdef_out_AppContainerProfileBase_testing_functions.patch
Просмотреть файл

@ -46,7 +46,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/app_container_profile_bas
GetModuleHandle(L"userenv"), "GetAppContainerFolderPath"));
if (!get_app_container_folder_path)
return false;
base::string16 sddl_str;
std::wstring sddl_str;
if (!package_sid_.ToSddlString(&sddl_str))
return false;
base::win::ScopedCoMem<wchar_t> path_str;
@ -62,7 +62,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/app_container_profile_bas
+#if defined(MOZ_SANDBOX)
+ IMMEDIATE_CRASH();
+#else
base::string16 sddl_str;
std::wstring sddl_str;
if (!package_sid_.ToSddlString(&sddl_str))
return false;
*pipe_path = base::FilePath(base::StringPrintf(L"\\\\.\\pipe\\%ls\\%ls",

52
security/sandbox/chromium-shim/patches/with_update/ifdef_out_ApplyMitigationsToCurrentThread.patch
Просмотреть файл

@ -1,52 +0,0 @@
# HG changeset patch
# User Bob Owen <bobowencode@gmail.com>
# Date 1509027042 -3600
# Thu Oct 26 15:10:42 2017 +0100
# Node ID c4557696d42ef22c6eccfd178b3d739a265e2894
# Parent ec58d9068a540487e67c0eac2c60c53dea31d3c3
Don't compile sandbox::ApplyMitigationsToCurrentThread. r=aklotz
This brings in new dependencies via FilePath and we don't currently use it.
As far as I can tell Chromium doesn't use it either.
diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
+++ b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
@@ -230,16 +230,19 @@ bool ApplyProcessMitigationsToCurrentPro
ERROR_ACCESS_DENIED != ::GetLastError()) {
return false;
}
}
return true;
}
+// This function isn't used yet and adds dependencies for FilePath and
+// ScopedNativeLibrary.
+#if !defined(MOZ_SANDBOX)
bool ApplyMitigationsToCurrentThread(MitigationFlags flags) {
if (!CanSetMitigationsPerThread(flags))
return false;
base::win::Version version = base::win::GetVersion();
if (version < base::win::VERSION_WIN10_RS1)
return true;
@@ -263,16 +266,17 @@ bool ApplyMitigationsToCurrentThread(Mit
if (!set_thread_info_function(::GetCurrentThread(), ThreadDynamicCodePolicy,
&thread_policy, sizeof(thread_policy))) {
return false;
}
}
return true;
}
+#endif
void ConvertProcessMitigationsToPolicy(MitigationFlags flags,
DWORD64* policy_flags,
size_t* size) {
base::win::Version version = base::win::GetVersion();
*policy_flags = 0;
#if defined(_WIN64)

10
security/sandbox/chromium-shim/patches/with_update/ifdef_out_FromStringInternal.patch
Просмотреть файл

@ -14,10 +14,10 @@ https://hg.mozilla.org/mozilla-central/rev/477b991bf6fa7b4511768649c9bf37c7275d3
diff --git a/security/sandbox/chromium/base/time/time.cc b/security/sandbox/chromium/base/time/time.cc
--- a/security/sandbox/chromium/base/time/time.cc
+++ b/security/sandbox/chromium/base/time/time.cc
@@ -241,16 +241,17 @@ Time Time::LocalMidnight() const {
Time out_time;
if (FromLocalExploded(exploded, &out_time))
return out_time;
@@ -281,16 +281,17 @@ Time Time::Midnight(bool is_local) const
if (FromExploded(is_local, exploded, &out_time))
return out_time;
}
// This function must not fail.
NOTREACHED();
return Time();
@ -32,7 +32,7 @@ diff --git a/security/sandbox/chromium/base/time/time.cc b/security/sandbox/chro
if (time_string[0] == '\0')
return false;
@@ -261,16 +262,17 @@ bool Time::FromStringInternal(const char
@@ -301,16 +302,17 @@ bool Time::FromStringInternal(const char
&result_time);
if (PR_SUCCESS != result)
return false;

34
security/sandbox/chromium-shim/patches/with_update/lower_SDK_version_requirement.patch Normal file
Просмотреть файл

@ -0,0 +1,34 @@
# HG changeset patch
# User Toshihito Kikuchi <tkikuchi@mozilla.com>
# Date 1588735588 25200
# Tue May 05 20:26:28 2020 -0700
# Node ID 8214c0253f550d73b5e79dfd825b09f5c1a06fbd
# Parent 2d5ee142bde533ba4f93afaae081a444eac0abe2
Lower SDK version requirement from 19H1 to RS4. r=bobowen
We still use 10.0.17134.0 SDK while Chromium requires 10.0.18362.0 or higher.
diff --git a/security/sandbox/chromium/base/win/windows_version.cc b/security/sandbox/chromium/base/win/windows_version.cc
--- a/security/sandbox/chromium/base/win/windows_version.cc
+++ b/security/sandbox/chromium/base/win/windows_version.cc
@@ -17,18 +17,18 @@
#include "base/strings/string_util.h"
#include "base/strings/utf_string_conversions.h"
#include "base/win/registry.h"
#if !defined(__clang__) && _MSC_FULL_VER < 191125507
#error VS 2017 Update 3.2 or higher is required
#endif
-#if !defined(NTDDI_WIN10_19H1)
-#error Windows 10.0.18362.0 SDK or higher required.
+#if !defined(NTDDI_WIN10_RS4)
+#error Windows 10.0.17134.0 SDK or higher required.
#endif
namespace base {
namespace win {
namespace {
// The values under the CurrentVersion registry hive are mirrored under

37
security/sandbox/chromium-shim/patches/with_update/mingw_base_win_get_caller.patch
Просмотреть файл

@ -1,37 +0,0 @@
# HG changeset patch
# User Tom Ritter <tom@mozilla.com>
# Date 1516824525 21600
# Wed Jan 24 14:08:45 2018 -0600
# Node ID b09622ad2731f02ed7f231295bc9421d76b083e6
# Parent 2b890d81a1e3ebc4872958022c8d425d5689b31d
Bug 1432790 Remove a stray \ to fix the MinGW build. r?bobowen
The GCC case includes a stray \ at the end of the line that gcc
complains about.
For reference purposes, this commit is a combination of Bug 1431621
and Bug 1432790 combined together so that it looks like I hadn't
screwed it up.
diff --git a/security/sandbox/chromium/base/win/scoped_handle.h b/security/sandbox/chromium/base/win/scoped_handle.h
--- a/security/sandbox/chromium/base/win/scoped_handle.h
+++ b/security/sandbox/chromium/base/win/scoped_handle.h
@@ -13,17 +13,17 @@
#include "base/logging.h"
#include "base/macros.h"
// TODO(rvargas): remove this with the rest of the verifier.
#if defined(COMPILER_MSVC)
#include <intrin.h>
#define BASE_WIN_GET_CALLER _ReturnAddress()
#elif defined(COMPILER_GCC)
-#define BASE_WIN_GET_CALLER __builtin_extract_return_addr(\\
+#define BASE_WIN_GET_CALLER __builtin_extract_return_addr(\
__builtin_return_address(0))
#endif
namespace base {
namespace win {
// Generic wrapper for raw handles that takes care of closing handles
// automatically. The class interface follows the style of

4
security/sandbox/chromium-shim/patches/with_update/mingw_capitalization.patch
Просмотреть файл

@ -32,10 +32,10 @@ diff --git a/security/sandbox/chromium/base/win/pe_image.h b/security/sandbox/ch
--- a/security/sandbox/chromium/base/win/pe_image.h
+++ b/security/sandbox/chromium/base/win/pe_image.h
@@ -14,17 +14,17 @@
#include <stdint.h>
#include <windows.h>
#include <stdint.h>
#if defined(_WIN32_WINNT_WIN8)
// The Windows 8 SDK defines FACILITY_VISUALCPP in winerror.h.
#undef FACILITY_VISUALCPP

4
security/sandbox/chromium-shim/patches/with_update/mingw_cast_getprocaddress.patch
Просмотреть файл

@ -20,14 +20,14 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/target_process.cc b/secur
#if SANDBOX_EXPORTS
HMODULE module = ::LoadLibrary(exe_name_.get());
if (!module)
return SBOX_ERROR_GENERIC;
return SBOX_ERROR_CANNOT_LOADLIBRARY_EXECUTABLE;
- child_var = ::GetProcAddress(module, name);
+ child_var = reinterpret_cast<void*>(::GetProcAddress(module, name));
::FreeLibrary(module);
if (!child_var)
return SBOX_ERROR_GENERIC;
return SBOX_ERROR_CANNOT_FIND_VARIABLE_ADDRESS;
size_t offset =
reinterpret_cast<char*>(child_var) - reinterpret_cast<char*>(module);

8
security/sandbox/chromium-shim/patches/with_update/mingw_offsetof.patch
Просмотреть файл

@ -11,7 +11,7 @@ MozReview-Commit-ID: D7REZiAIMpN
diff --git a/security/sandbox/chromium/sandbox/win/src/crosscall_params.h b/security/sandbox/chromium/sandbox/win/src/crosscall_params.h
--- a/security/sandbox/chromium/sandbox/win/src/crosscall_params.h
+++ b/security/sandbox/chromium/sandbox/win/src/crosscall_params.h
@@ -61,16 +61,17 @@ union MultiType {
@@ -78,16 +78,17 @@ union MultiType {
ULONG_PTR ulong_ptr;
};
@ -29,9 +29,9 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/crosscall_params.h b/secu
uint32_t offset_;
uint32_t size_;
};
@@ -271,16 +272,18 @@ class ActualCallParams : public CrossCal
@@ -287,16 +288,18 @@ class ActualCallParams : public CrossCal
protected:
ActualCallParams() : CrossCallParams(0, NUMBER_PARAMS) { }
ActualCallParams() : CrossCallParams(IpcTag::UNUSED, NUMBER_PARAMS) {}
private:
ParamInfo param_info_[NUMBER_PARAMS + 1];
@ -167,7 +167,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/crosscall_server.cc b/sec
// Avoid compiler optimizations across this point. Any value stored in
// memory should be stored for real, and values previously read from memory
// should be actually read.
base::subtle::MemoryBarrier();
std::atomic_thread_fence(std::memory_order_seq_cst);
- min_declared_size =
- sizeof(CrossCallParams) + ((param_count + 1) * sizeof(ParamInfo));

52
security/sandbox/chromium-shim/patches/with_update/mingw_undefine_MemoryBarrier.patch
Просмотреть файл

@ -1,52 +0,0 @@
# HG changeset patch
# User Bob Owen <bobowencode@gmail.com>
# Date 1558340081 -3600
# Mon May 20 09:14:41 2019 +0100
# Node ID ba49022852e0cd13ddb6afa501b61c1f603d60b7
# Parent 672e222dce87dd64c3e2a1381d16aec71b21aef6
Bug 1552160: always undefine MemoryBarrier in Windows sandbox on MinGW.
diff --git a/security/sandbox/chromium/base/atomicops.h b/security/sandbox/chromium/base/atomicops.h
--- a/security/sandbox/chromium/base/atomicops.h
+++ b/security/sandbox/chromium/base/atomicops.h
@@ -34,17 +34,17 @@
// identify the STL implementation.
// - libc++: captures __config for _LIBCPP_VERSION
// - libstdc++: captures bits/c++config.h for __GLIBCXX__
#include <cstddef>
#include "base/base_export.h"
#include "build/build_config.h"
-#if defined(OS_WIN) && defined(ARCH_CPU_64_BITS)
+#if defined(OS_WIN) && (defined(ARCH_CPU_64_BITS) || defined(__MINGW32__))
// windows.h #defines this (only on x64). This causes problems because the
// public API also uses MemoryBarrier at the public name for this fence. So, on
// X64, undef it, and call its documented
// (http://msdn.microsoft.com/en-us/library/windows/desktop/ms684208.aspx)
// implementation directly.
#undef MemoryBarrier
#endif
diff --git a/security/sandbox/chromium/base/atomicops_internals_x86_msvc.h b/security/sandbox/chromium/base/atomicops_internals_x86_msvc.h
--- a/security/sandbox/chromium/base/atomicops_internals_x86_msvc.h
+++ b/security/sandbox/chromium/base/atomicops_internals_x86_msvc.h
@@ -9,17 +9,17 @@
#include "base/win/windows_types.h"
#include <intrin.h>
#include "base/macros.h"
#include "build/build_config.h"
-#if defined(ARCH_CPU_64_BITS)
+#if defined(ARCH_CPU_64_BITS) || defined(__MINGW32__)
// windows.h #defines this (only on x64). This causes problems because the
// public API also uses MemoryBarrier at the public name for this fence. So, on
// X64, undef it, and call its documented
// (http://msdn.microsoft.com/en-us/library/windows/desktop/ms684208.aspx)
// implementation directly.
#undef MemoryBarrier
#endif

1939
security/sandbox/chromium-shim/patches/with_update/more_chromium_linux_x86_x64_syscalls.patch
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

14
security/sandbox/chromium-shim/patches/with_update/patch_order.txt
Просмотреть файл

@ -1,28 +1,28 @@
update_chromium_linux_x86_syscalls.patch
revert_remove_AddTargetPeer.patch
revert_remove_BrokerDuplicateHandle.patch
ifdef_out_ApplyMitigationsToCurrentThread.patch
replace_ScopedNativeLibrary_in_ApplyMitigationsToCurrentThread.patch
ifdef_out_FromStringInternal.patch
add_option_to_not_use_restricting_sids.patch
ifdef_out_SequenceChecker_code.patch
allow_read_only_all_paths_rule.patch
revert_TargetNtSetInformationThread_change.patch
mingw_base_win_get_caller.patch
mingw_copy_s.patch
mingw_operator_new.patch
mingw_cast_getprocaddress.patch
mingw_capitalization.patch
mingw_disable_one_try.patch
mingw_offsetof.patch
fix_incorrect_int_use_in_Kernel32BaseVersion.patch
revert_removal_of_AlterEnvironment_on_Windows.patch
allow_env_changes.patch
ifdef_out_AppContainerProfileBase_testing_functions.patch
mingw_missing_windows_types_defines.patch
mingw_undefine_MemoryBarrier.patch
add_return_in_QueryCancellationTraitsForNonCancellables_to_satisfy_build.patch
include_atomic_header_in_platform_thread.patch
aarch64_control_flow_guard.patch
revert_removal_of_app_dir_for_DLL_load.patch
more_chromium_linux_x86_x64_syscalls.patch
public_siginfo_fields.patch
add_support_for_random_restricted_SID.patch
revert_Token_serialization_and_deserialization.patch
remove_unused_functions_from_StrtodTrimmed.patch
remove_extraneous_backslash_introduced_by_clang_tidy.patch
remove_include_delayimp_h_from_pe_image_cc.patch
lower_SDK_version_requirement.patch

52
security/sandbox/chromium-shim/patches/with_update/public_siginfo_fields.patch
Просмотреть файл

@ -1,52 +0,0 @@
# HG changeset patch
# User Michael Forney <mforney@mforney.org>
# Date 1581009438 0
# Thu Feb 06 17:17:18 2020 +0000
# Node ID 3ec8c96f4d53916de5223b2eda5e8d66fb6ca227
# Parent 362056ef41086e1faf6ee088c1daef9c73e01370
Bug 1611565 - Cherry-pick upstream patch to use public siginfo_t fields r=gcp
Upstream patch:
https://chromium.googlesource.com/chromium/src.git/+/6bd491daaf28a8281136931133504c23a18f819f%5E%21/#F0
_sifields is a glibc-internal field, and is not available on musl
libc. Instead, use the public-facing fields si_call_addr, si_syscall,
and si_arch, if they are available.
Differential Revision: https://phabricator.services.mozilla.com/D61051
diff --git a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc
--- a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc
+++ b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc
@@ -159,21 +159,28 @@ void Trap::SigSys(int nr, LinuxSigInfo*
// See crbug.com/178166.
// TODO(jln): add a DCHECK or move back to FATAL.
RAW_LOG(ERROR, "Unexpected SIGSYS received.");
errno = old_errno;
return;
}
- // Obtain the siginfo information that is specific to SIGSYS. Unfortunately,
- // most versions of glibc don't include this information in siginfo_t. So,
- // we need to explicitly copy it into a arch_sigsys structure.
+ // Obtain the siginfo information that is specific to SIGSYS.
struct arch_sigsys sigsys;
+#if defined(si_call_addr) && !defined(__native_client_nonsfi__)
+ sigsys.ip = info->si_call_addr;
+ sigsys.nr = info->si_syscall;
+ sigsys.arch = info->si_arch;
+#else
+ // If the version of glibc doesn't include this information in
+ // siginfo_t (older than 2.17), we need to explicitly copy it
+ // into an arch_sigsys structure.
memcpy(&sigsys, &info->_sifields, sizeof(sigsys));
+#endif
#if defined(__mips__)
// When indirect syscall (syscall(__NR_foo, ...)) is made on Mips, the
// number in register SECCOMP_SYSCALL(ctx) is always __NR_syscall and the
// real number of a syscall (__NR_foo) is in SECCOMP_PARM1(ctx)
bool sigsys_nr_is_bad = sigsys.nr != static_cast<int>(SECCOMP_SYSCALL(ctx)) &&
sigsys.nr != static_cast<int>(SECCOMP_PARM1(ctx));
#else

34
security/sandbox/chromium-shim/patches/with_update/remove_extraneous_backslash_introduced_by_clang_tidy.patch Normal file
Просмотреть файл

@ -0,0 +1,34 @@
# HG changeset patch
# User Toshihito Kikuchi <tkikuchi@mozilla.com>
# Date 1588867789 25200
# Thu May 07 09:09:49 2020 -0700
# Node ID 29fbfefe6f5f533fb5aa4339015cea4746ad6493
# Parent 044c15e89ecca19afc1750c439f4e82879679462
Remove Extraneous Backslash Introduced by clang-tidy in ScopedHandle. r=bobowen
Need the following commit to compile with Mingw, which has not reached
the stable channel yet.
https://chromium.googlesource.com/chromium/src.git/+/1620fe70c299f1f18b2f2c652d16739f6e3c5f78
diff --git a/security/sandbox/chromium/base/win/scoped_handle.h b/security/sandbox/chromium/base/win/scoped_handle.h
--- a/security/sandbox/chromium/base/win/scoped_handle.h
+++ b/security/sandbox/chromium/base/win/scoped_handle.h
@@ -15,17 +15,17 @@
#include "base/macros.h"
// TODO(rvargas): remove this with the rest of the verifier.
#if defined(COMPILER_MSVC)
#include <intrin.h>
#define BASE_WIN_GET_CALLER _ReturnAddress()
#elif defined(COMPILER_GCC)
#define BASE_WIN_GET_CALLER \
- __builtin_extract_return_addr(\ __builtin_return_address(0))
+ __builtin_extract_return_addr(__builtin_return_address(0))
#endif
namespace base {
namespace win {
// Generic wrapper for raw handles that takes care of closing handles
// automatically. The class interface follows the style of
// the ScopedFILE class with two additions:

32
security/sandbox/chromium-shim/patches/with_update/remove_include_delayimp_h_from_pe_image_cc.patch Normal file
Просмотреть файл

@ -0,0 +1,32 @@
# HG changeset patch
# User Toshihito Kikuchi <tkikuchi@mozilla.com>
# Date 1588871424 25200
# Thu May 07 10:10:24 2020 -0700
# Node ID 2d5ee142bde533ba4f93afaae081a444eac0abe2
# Parent 29fbfefe6f5f533fb5aa4339015cea4746ad6493
Don't include delayimp.h twice from //base/win/pe_image.cc to compile with Mingw. r=bobowen
The second include was introduced by
https://chromium.googlesource.com/chromium/src.git/+/5c23d46846111ea16aaf2a9b45355cca5ddbf6d8
diff --git a/security/sandbox/chromium/base/win/pe_image.cc b/security/sandbox/chromium/base/win/pe_image.cc
--- a/security/sandbox/chromium/base/win/pe_image.cc
+++ b/security/sandbox/chromium/base/win/pe_image.cc
@@ -2,17 +2,16 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// This file implements PEImage, a generic class to manipulate PE files.
// This file was adapted from GreenBorder's Code.
#include "base/win/pe_image.h"
-#include <delayimp.h>
#include <stddef.h>
#include <set>
#include <string>
#include "base/no_destructor.h"
#include "base/win/current_module.h"
namespace base {

48
security/sandbox/chromium-shim/patches/with_update/remove_unused_functions_from_StrtodTrimmed.patch Normal file
Просмотреть файл

@ -0,0 +1,48 @@
# HG changeset patch
# User Toshihito Kikuchi <tkikuchi@mozilla.com>
# Date 1588733379 25200
# Tue May 05 19:49:39 2020 -0700
# Node ID 044c15e89ecca19afc1750c439f4e82879679462
# Parent a18431660425e41c26c716413aac0294987c985a
Remove unused functions from //base/third_party/double_conversion/double-conversion to compile. r=bobowen
diff --git a/security/sandbox/chromium/base/third_party/double_conversion/double-conversion/strtod.cc b/security/sandbox/chromium/base/third_party/double_conversion/double-conversion/strtod.cc
--- a/security/sandbox/chromium/base/third_party/double_conversion/double-conversion/strtod.cc
+++ b/security/sandbox/chromium/base/third_party/double_conversion/double-conversion/strtod.cc
@@ -445,36 +445,18 @@ static bool ComputeGuess(Vector<const ch
return true;
}
if (*guess == Double::Infinity()) {
return true;
}
return false;
}
-static bool IsDigit(const char d) {
- return ('0' <= d) && (d <= '9');
-}
-
-static bool IsNonZeroDigit(const char d) {
- return ('1' <= d) && (d <= '9');
-}
-
-static bool AssertTrimmedDigits(const Vector<const char>& buffer) {
- for(int i = 0; i < buffer.length(); ++i) {
- if(!IsDigit(buffer[i])) {
- return false;
- }
- }
- return (buffer.length() == 0) || (IsNonZeroDigit(buffer[0]) && IsNonZeroDigit(buffer[buffer.length()-1]));
-}
-
double StrtodTrimmed(Vector<const char> trimmed, int exponent) {
DOUBLE_CONVERSION_ASSERT(trimmed.length() <= kMaxSignificantDecimalDigits);
- DOUBLE_CONVERSION_ASSERT(AssertTrimmedDigits(trimmed));
double guess;
const bool is_correct = ComputeGuess(trimmed, exponent, &guess);
if (is_correct) {
return guess;
}
DiyFp upper_boundary = Double(guess).UpperBoundary();
int comparison = CompareBufferWithDiyFp(trimmed, exponent, upper_boundary);
if (comparison < 0) {

59
security/sandbox/chromium-shim/patches/with_update/replace_ScopedNativeLibrary_in_ApplyMitigationsToCurrentThread.patch Normal file
Просмотреть файл

@ -0,0 +1,59 @@
# HG changeset patch
# User Toshihito Kikuchi <tkikuchi@mozilla.com>
# Date 1589672273 25200
# Sat May 16 16:37:53 2020 -0700
# Node ID c14ef8304c36fdc2570b77b63b36114cff2d070d
# Parent 90b5f63770f52fab163adaed1d5812b2887b335a
Use GetModuleHandle/GetProcAddress in ApplyMitigationsToCurrentThread. r=bobowen
This patch removes the use of base::ScopedNativeLibrary from
sandbox::ApplyMitigationsToCurrentThread because to avoid
new dependencies.
diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
+++ b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
@@ -5,18 +5,16 @@
#include "sandbox/win/src/process_mitigations.h"
#include <stddef.h>
#include <windows.h>
#include <wow64apiset.h>
#include <algorithm>
-#include "base/files/file_path.h"
-#include "base/scoped_native_library.h"
#include "base/win/windows_version.h"
#include "build/build_config.h"
#include "sandbox/win/src/nt_internals.h"
#include "sandbox/win/src/restricted_token_utils.h"
#include "sandbox/win/src/sandbox_rand.h"
#include "sandbox/win/src/win_utils.h"
namespace {
@@ -321,22 +319,19 @@ bool ApplyMitigationsToCurrentThread(Mit
return true;
// Enable dynamic code per-thread policies.
if (flags & MITIGATION_DYNAMIC_CODE_OPT_OUT_THIS_THREAD) {
DWORD thread_policy = THREAD_DYNAMIC_CODE_ALLOW;
// NOTE: SetThreadInformation API only exists on >= Win8. Dynamically
// get function handle.
- base::ScopedNativeLibrary dll(base::FilePath(L"kernel32.dll"));
- if (!dll.is_valid())
- return false;
SetThreadInformationFunction set_thread_info_function =
- reinterpret_cast<SetThreadInformationFunction>(
- dll.GetFunctionPointer("SetThreadInformation"));
+ reinterpret_cast<SetThreadInformationFunction>(::GetProcAddress(
+ ::GetModuleHandleA("kernel32.dll"), "SetThreadInformation"));
if (!set_thread_info_function)
return false;
// NOTE: Must use the pseudo-handle here, a thread HANDLE won't work.
if (!set_thread_info_function(::GetCurrentThread(), ThreadDynamicCodePolicy,
&thread_policy, sizeof(thread_policy))) {
return false;
}

100
security/sandbox/chromium-shim/patches/with_update/revert_Token_serialization_and_deserialization.patch Normal file
Просмотреть файл

@ -0,0 +1,100 @@
# HG changeset patch
# User Toshihito Kikuchi <tkikuchi@mozilla.com>
# Date 1588530677 25200
# Sun May 03 11:31:17 2020 -0700
# Node ID a18431660425e41c26c716413aac0294987c985a
# Parent e149b1937231ccc3c1c07f45acf0e7e71117854f
Revert chromium's ffe1d0eb42d1d75f2b6a3b4145eff69f235a19ee. r=bobowen
Undoing the following commit as it brings more dependency but unused in our code.
https://chromium.googlesource.com/chromium/src.git/+/ffe1d0eb42d1d75f2b6a3b4145eff69f235a19ee
diff --git a/security/sandbox/chromium/base/token.cc b/security/sandbox/chromium/base/token.cc
--- a/security/sandbox/chromium/base/token.cc
+++ b/security/sandbox/chromium/base/token.cc
@@ -1,17 +1,16 @@
// Copyright 2018 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "base/token.h"
#include <inttypes.h>
-#include "base/pickle.h"
#include "base/rand_util.h"
#include "base/strings/stringprintf.h"
namespace base {
// static
Token Token::CreateRandom() {
Token token;
@@ -21,26 +20,9 @@ Token Token::CreateRandom() {
base::RandBytes(&token, sizeof(token));
return token;
}
std::string Token::ToString() const {
return base::StringPrintf("%016" PRIX64 "%016" PRIX64, high_, low_);
}
-void WriteTokenToPickle(Pickle* pickle, const Token& token) {
- pickle->WriteUInt64(token.high());
- pickle->WriteUInt64(token.low());
-}
-
-Optional<Token> ReadTokenFromPickle(PickleIterator* pickle_iterator) {
- uint64_t high;
- if (!pickle_iterator->ReadUInt64(&high))
- return nullopt;
-
- uint64_t low;
- if (!pickle_iterator->ReadUInt64(&low))
- return nullopt;
-
- return Token(high, low);
-}
-
} // namespace base
diff --git a/security/sandbox/chromium/base/token.h b/security/sandbox/chromium/base/token.h
--- a/security/sandbox/chromium/base/token.h
+++ b/security/sandbox/chromium/base/token.h
@@ -7,17 +7,16 @@
#include <stdint.h>
#include <iosfwd>
#include <tuple>
#include "base/base_export.h"
#include "base/hash/hash.h"
-#include "base/optional.h"
namespace base {
// A Token is a randomly chosen 128-bit integer. This class supports generation
// from a cryptographically strong random source, or constexpr construction over
// fixed values (e.g. to store a pre-generated constant value). Tokens are
// similar in spirit and purpose to UUIDs, without many of the constraints and
// expectations (such as byte layout and string representation) clasically
@@ -63,19 +62,11 @@ class BASE_EXPORT Token {
// For use in std::unordered_map.
struct TokenHash {
size_t operator()(const base::Token& token) const {
return base::HashInts64(token.high(), token.low());
}
};
-class Pickle;
-class PickleIterator;
-
-// For serializing and deserializing Token values.
-BASE_EXPORT void WriteTokenToPickle(Pickle* pickle, const Token& token);
-BASE_EXPORT Optional<Token> ReadTokenFromPickle(
- PickleIterator* pickle_iterator);
-
} // namespace base
#endif // BASE_TOKEN_H_

150
security/sandbox/chromium-shim/patches/with_update/revert_removal_of_AlterEnvironment_on_Windows.patch
Просмотреть файл

@ -1,150 +0,0 @@
# HG changeset patch
# User Bob Owen <bobowencode@gmail.com>
# Date 1560256605 -3600
# Tue Jun 11 13:36:45 2019 +0100
# Node ID 686d4b711b65b7cd8692e92e9a7ae152a942b69e
# Parent 213d707af158b3d276c8cce56aba2e3c27abda82
Bug 1552160: Revert removal of AlterEnvironment from chromium code on Windows. r=jld
diff --git a/security/sandbox/chromium/base/environment.cc b/security/sandbox/chromium/base/environment.cc
--- a/security/sandbox/chromium/base/environment.cc
+++ b/security/sandbox/chromium/base/environment.cc
@@ -96,34 +96,32 @@ class EnvironmentImpl : public Environme
return !!SetEnvironmentVariable(UTF8ToWide(variable_name).c_str(), nullptr);
#elif defined(OS_POSIX) || defined(OS_FUCHSIA)
// On success, zero is returned.
return !unsetenv(variable_name.data());
#endif
}
};
-#if defined(OS_POSIX) || defined(OS_FUCHSIA)
// Parses a null-terminated input string of an environment block. The key is
// placed into the given string, and the total length of the line, including
// the terminating null, is returned.
size_t ParseEnvLine(const NativeEnvironmentString::value_type* input,
NativeEnvironmentString* key) {
// Skip to the equals or end of the string, this is the key.
size_t cur = 0;
while (input[cur] && input[cur] != '=')
cur++;
*key = NativeEnvironmentString(&input[0], cur);
// Now just skip to the end of the string.
while (input[cur])
cur++;
return cur + 1;
}
-#endif
} // namespace
namespace env_vars {
#if defined(OS_POSIX) || defined(OS_FUCHSIA)
// On Posix systems, this variable contains the location of the user's home
// directory. (e.g, /home/username/).
@@ -138,17 +136,57 @@ Environment::~Environment() = default;
std::unique_ptr<Environment> Environment::Create() {
return std::make_unique<EnvironmentImpl>();
}
bool Environment::HasVar(StringPiece variable_name) {
return GetVar(variable_name, nullptr);
}
-#if defined(OS_POSIX) || defined(OS_FUCHSIA)
+#if defined(OS_WIN)
+
+string16 AlterEnvironment(const wchar_t* env,
+ const EnvironmentMap& changes) {
+ string16 result;
+
+ // First copy all unmodified values to the output.
+ size_t cur_env = 0;
+ string16 key;
+ while (env[cur_env]) {
+ const wchar_t* line = &env[cur_env];
+ size_t line_length = ParseEnvLine(line, &key);
+
+ // Keep only values not specified in the change vector.
+ EnvironmentMap::const_iterator found_change = changes.find(key);
+ if (found_change == changes.end())
+ result.append(line, line_length);
+
+ cur_env += line_length;
+ }
+
+ // Now append all modified and new values.
+ for (EnvironmentMap::const_iterator i = changes.begin();
+ i != changes.end(); ++i) {
+ if (!i->second.empty()) {
+ result.append(i->first);
+ result.push_back('=');
+ result.append(i->second);
+ result.push_back(0);
+ }
+ }
+
+ // An additional null marks the end of the list. We always need a double-null
+ // in case nothing was added above.
+ if (result.empty())
+ result.push_back(0);
+ result.push_back(0);
+ return result;
+}
+
+#elif defined(OS_POSIX) || defined(OS_FUCHSIA)
std::unique_ptr<char* []> AlterEnvironment(const char* const* const env,
const EnvironmentMap& changes) {
std::string value_storage; // Holds concatenated null-terminated strings.
std::vector<size_t> result_indices; // Line indices into value_storage.
// First build up all of the unchanged environment strings. These are
// null-terminated of the form "key=value".
diff --git a/security/sandbox/chromium/base/environment.h b/security/sandbox/chromium/base/environment.h
--- a/security/sandbox/chromium/base/environment.h
+++ b/security/sandbox/chromium/base/environment.h
@@ -48,27 +48,36 @@ class BASE_EXPORT Environment {
#if defined(OS_WIN)
typedef string16 NativeEnvironmentString;
typedef std::map<NativeEnvironmentString, NativeEnvironmentString>
EnvironmentMap;
+// Returns a modified environment vector constructed from the given environment
+// and the list of changes given in |changes|. Each key in the environment is
+// matched against the first element of the pairs. In the event of a match, the
+// value is replaced by the second of the pair, unless the second is empty, in
+// which case the key-value is removed.
+//
+// This Windows version takes and returns a Windows-style environment block
+// which is a concatenated list of null-terminated 16-bit strings. The end is
+// marked by a double-null terminator. The size of the returned string will
+// include the terminators.
+BASE_EXPORT string16 AlterEnvironment(const wchar_t* env,
+ const EnvironmentMap& changes);
+
#elif defined(OS_POSIX) || defined(OS_FUCHSIA)
typedef std::string NativeEnvironmentString;
typedef std::map<NativeEnvironmentString, NativeEnvironmentString>
EnvironmentMap;
-// Returns a modified environment vector constructed from the given environment
-// and the list of changes given in |changes|. Each key in the environment is
-// matched against the first element of the pairs. In the event of a match, the
-// value is replaced by the second of the pair, unless the second is empty, in
-// which case the key-value is removed.
+// See general comments for the Windows version above.
//
// This Posix version takes and returns a Posix-style environment block, which
// is a null-terminated list of pointers to null-terminated strings. The
// returned array will have appended to it the storage for the array itself so
// there is only one pointer to manage, but this means that you can't copy the
// array without keeping the original around.
BASE_EXPORT std::unique_ptr<char* []> AlterEnvironment(
const char* const* env,

410
security/sandbox/chromium-shim/patches/with_update/revert_remove_AddTargetPeer.patch
Просмотреть файл

@ -1,88 +1,53 @@
# HG changeset patch
# User Bob Owen <bobowencode@gmail.com>
# Date 1485985799 0
# Wed Feb 01 21:49:59 2017 +0000
# Node ID 8faee368c603dab03076d8900f01acfd776caaeb
# Parent dba4611d335189b9a3314f5dc57935f554c8b945
Reinstate sandbox::BrokerServices::AddTargetPeer r=aklotz
# User Toshihito Kikuchi <tkikuchi@mozilla.com>
# Date 1589671259 25200
# Sat May 16 16:20:59 2020 -0700
# Node ID 0b5183a01df78cc85264f2eae2c4d8e407bb1112
# Parent d093cd9ccfcf06f4a1f0d7f1a4bd0f143ef92b4b
Add BrokerServicesBase::IsSafeDuplicationTarget. r=bobowen
This is basically a revert of chromium commit 996b42db5296bd3d11b3d7fde1a4602bbcefed2c.
This patch adds BrokerServicesBase::IsSafeDuplicationTarget and
BrokerServicesBase::AddTargetPeer using the new ProcessTracker introduced by
https://chromium.googlesource.com/chromium/src.git/+/3d8382cf9dd44cf9c05e43e42c500f4825e1fed8
We need these methods for HandlePolicy which is added as a different patch.
Chromium used to have AddTargetPeer and IsActiveTarget, but removed by
the following commits because they were no longer used in Chromium.
https://chromium.googlesource.com/chromium/src.git/+/996b42db5296bd3d11b3d7fde1a4602bbcefed2c
https://chromium.googlesource.com/chromium/src.git/+/e615a1152ac6e10f1a91f0629fb8b5ca223ffbdc
diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.cc b/security/sandbox/chromium/sandbox/win/src/broker_services.cc
--- a/security/sandbox/chromium/sandbox/win/src/broker_services.cc
+++ b/security/sandbox/chromium/sandbox/win/src/broker_services.cc
@@ -41,16 +41,17 @@ sandbox::ResultCode SpawnCleanup(sandbox
delete target;
return sandbox::SBOX_ERROR_GENERIC;
}
// the different commands that you can send to the worker thread that
// executes TargetEventsThread().
enum {
THREAD_CTRL_NONE,
+ THREAD_CTRL_REMOVE_PEER,
THREAD_CTRL_QUIT,
THREAD_CTRL_LAST,
};
// Helper structure that allows the Broker to associate a job notification
// with a job object and with a policy.
struct JobTracker {
JobTracker(base::win::ScopedHandle job,
@@ -77,16 +78,37 @@ void JobTracker::FreeResources() {
HANDLE stale_job_handle = job.Get();
job.Close();
// In OnJobEmpty() we don't actually use the job handle directly.
policy->OnJobEmpty(stale_job_handle);
policy = nullptr;
}
}
+
+// Helper structure that allows the broker to track peer processes
+struct PeerTracker {
+ PeerTracker(DWORD process_id, HANDLE broker_job_port)
+ : wait_object(NULL), id(process_id), job_port(broker_job_port) {
+ }
+
+ HANDLE wait_object;
+ base::win::ScopedHandle process;
+ DWORD id;
+ HANDLE job_port;
+};
+
+void DeregisterPeerTracker(PeerTracker* peer) {
+ // Deregistration shouldn't fail, but we leak rather than crash if it does.
+ if (::UnregisterWaitEx(peer->wait_object, INVALID_HANDLE_VALUE)) {
+ delete peer;
+ } else {
+ NOTREACHED();
+ }
+}
} // namespace
namespace sandbox {
@@ -154,16 +154,18 @@ namespace sandbox {
BrokerServicesBase::BrokerServicesBase() {}
// The broker uses a dedicated worker thread that services the job completion
@@ -132,16 +154,22 @@ BrokerServicesBase::~BrokerServicesBase(
// port to perform policy notifications and associated cleanup tasks.
ResultCode BrokerServicesBase::Init() {
if (job_port_.IsValid() || thread_pool_)
return SBOX_ERROR_UNEXPECTED_CALL;
+ ::InitializeCriticalSection(&lock_);
+
job_port_.Set(::CreateIoCompletionPort(INVALID_HANDLE_VALUE, nullptr, 0, 0));
if (!job_port_.IsValid())
return SBOX_ERROR_CANNOT_INIT_BROKERSERVICES;
no_targets_.Set(::CreateEventW(nullptr, true, false, nullptr));
job_thread_.Set(::CreateThread(nullptr, 0, // Default security and stack.
TargetEventsThread, this, 0, nullptr));
@@ -191,16 +193,17 @@ BrokerServicesBase::~BrokerServicesBase(
if (job_thread_.IsValid() &&
WAIT_TIMEOUT == ::WaitForSingleObject(job_thread_.Get(), 1000)) {
// Cannot clean broker services.
NOTREACHED();
return;
}
tracker_list_.clear();
thread_pool_.reset();
+ // Cancel the wait events and delete remaining peer trackers.
+ for (PeerTrackerMap::iterator it = peer_map_.begin();
+ it != peer_map_.end(); ++it) {
+ DeregisterPeerTracker(it->second);
+ }
+
::DeleteCriticalSection(&lock_);
+ ::DeleteCriticalSection(&lock_);
}
scoped_refptr<TargetPolicy> BrokerServicesBase::CreatePolicy() {
@ -90,45 +55,99 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.cc b/secu
// change the downcast to it in SpawnTarget().
scoped_refptr<TargetPolicy> policy(new PolicyBase);
// PolicyBase starts with refcount 1.
@@ -247,16 +275,23 @@ DWORD WINAPI BrokerServicesBase::TargetE
policy->Release();
@@ -283,16 +286,21 @@ DWORD WINAPI BrokerServicesBase::TargetE
if (1 == target_counter) {
::ResetEvent(no_targets);
}
break;
}
default: {
NOTREACHED();
break;
}
case JOB_OBJECT_MSG_EXIT_PROCESS:
case JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS: {
+ {
+ AutoLock lock(&broker->lock_);
+ broker->active_targets_.erase(
+ static_cast<DWORD>(reinterpret_cast<uintptr_t>(ovl)));
+ }
size_t erase_result = child_process_ids.erase(
static_cast<DWORD>(reinterpret_cast<uintptr_t>(ovl)));
if (erase_result != 1U) {
// The process was untracked e.g. a child process of the target.
--untracked_target_counter;
DCHECK(untracked_target_counter >= 0);
}
--target_counter;
@@ -348,27 +356,31 @@ DWORD WINAPI BrokerServicesBase::TargetE
tracker->wait_handle = INVALID_HANDLE_VALUE;
}
+ } else if (THREAD_CTRL_REMOVE_PEER == key) {
+ // Remove a process from our list of peers.
+ AutoLock lock(&broker->lock_);
+ PeerTrackerMap::iterator it = broker->peer_map_.find(
+ static_cast<DWORD>(reinterpret_cast<uintptr_t>(ovl)));
+ DeregisterPeerTracker(it->second);
+ broker->peer_map_.erase(it);
} else if (THREAD_CTRL_QUIT == key) {
// The broker object is being destroyed so the thread needs to exit.
return 0;
} else {
// We have not implemented more commands.
NOTREACHED();
}
}
@@ -460,25 +495,70 @@ ResultCode BrokerServicesBase::SpawnTarg
// TODO(wfh): Find a way to make this have the correct lifetime.
policy_base->AddRef();
processes.push_back(std::move(tracker));
// We have to signal the event once here because the completion port will
// never get a message that this target is being terminated thus we should
// not block WaitForAllTargets until we have at least one target with job.
if (child_process_ids_.empty())
::SetEvent(no_targets_.Get());
+ // We can not track the life time of such processes and it is responsibility
+ // of the host application to make sure that spawned targets without jobs
+ // are terminated when the main application don't need them anymore.
+ // Sandbox policy engine needs to know that these processes are valid
+ // targets for e.g. BrokerDuplicateHandle so track them as peer processes.
+ AddTargetPeer(process_info.process_handle());
} else if (THREAD_CTRL_PROCESS_SIGNALLED == key) {
ProcessTracker* tracker =
static_cast<ProcessTracker*>(reinterpret_cast<void*>(ovl));
+ {
+ AutoLock lock(&broker->lock_);
+ broker->active_targets_.erase(tracker->process_id);
+ }
+
::UnregisterWait(tracker->wait_handle);
tracker->wait_handle = INVALID_HANDLE_VALUE;
// PID is unique until the process handle is closed in dtor.
processes.erase(std::remove_if(processes.begin(), processes.end(),
[&](auto&& p) -> bool {
return p->process_id ==
tracker->process_id;
}),
processes.end());
-
} else if (THREAD_CTRL_GET_POLICY_INFO == key) {
// Clone the policies for sandbox diagnostics.
std::unique_ptr<PolicyDiagnosticsReceiver> receiver;
receiver.reset(static_cast<PolicyDiagnosticsReceiver*>(
reinterpret_cast<void*>(ovl)));
// The PollicyInfo ctor copies essential information from the trackers.
auto policy_list = std::make_unique<PolicyDiagnosticList>();
for (auto&& process_tracker : processes) {
@@ -637,47 +649,79 @@ ResultCode BrokerServicesBase::SpawnTarg
// the tracker. The worker thread takes ownership of these objects.
CHECK(::PostQueuedCompletionStatus(
job_port_.Get(), 0, THREAD_CTRL_NEW_JOB_TRACKER,
reinterpret_cast<LPOVERLAPPED>(tracker)));
// There is no obvious recovery after failure here. Previous version with
// SpawnCleanup() caused deletion of TargetProcess twice. crbug.com/480639
CHECK(
AssociateCompletionPort(tracker->job.Get(), job_port_.Get(), tracker));
+
+ AutoLock lock(&lock_);
+ active_targets_.insert(process_info.process_id());
} else {
- // Duplicate the process handle to give the tracking machinery
- // something valid to wait on in the tracking thread.
- HANDLE tmp_process_handle = INVALID_HANDLE_VALUE;
- if (!::DuplicateHandle(::GetCurrentProcess(), process_info.process_handle(),
- ::GetCurrentProcess(), &tmp_process_handle,
- SYNCHRONIZE, false, 0 /*no options*/)) {
- *last_error = ::GetLastError();
+ result = AddTargetPeerInternal(process_info.process_handle(),
+ process_info.process_id(),
+ policy_base, last_error);
+ if (result != SBOX_ALL_OK) {
// This may fail in the same way as Job associated processes.
// crbug.com/480639.
SpawnCleanup(target);
- return SBOX_ERROR_CANNOT_DUPLICATE_PROCESS_HANDLE;
+ return result;
}
- base::win::ScopedHandle dup_process_handle(tmp_process_handle);
- ProcessTracker* tracker = new ProcessTracker(
- policy_base, process_info.process_id(), std::move(dup_process_handle));
- // The tracker and policy will leak if this call fails.
- ::PostQueuedCompletionStatus(job_port_.Get(), 0,
- THREAD_CTRL_NEW_PROCESS_TRACKER,
- reinterpret_cast<LPOVERLAPPED>(tracker));
}
*target_info = process_info.Take();
@ -140,74 +159,75 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.cc b/secu
return SBOX_ALL_OK;
}
bool BrokerServicesBase::IsActiveTarget(DWORD process_id) {
AutoLock lock(&lock_);
- return child_process_ids_.find(process_id) != child_process_ids_.end();
+ return child_process_ids_.find(process_id) != child_process_ids_.end() ||
+ peer_map_.find(process_id) != peer_map_.end();
+bool BrokerServicesBase::IsSafeDuplicationTarget(DWORD process_id) {
+ AutoLock lock(&lock_);
+ return active_targets_.find(process_id) != active_targets_.end();
+}
+
+VOID CALLBACK BrokerServicesBase::RemovePeer(PVOID parameter, BOOLEAN timeout) {
+ PeerTracker* peer = reinterpret_cast<PeerTracker*>(parameter);
+ // Don't check the return code because we this may fail (safely) at shutdown.
+ ::PostQueuedCompletionStatus(
+ peer->job_port, 0, THREAD_CTRL_REMOVE_PEER,
+ reinterpret_cast<LPOVERLAPPED>(static_cast<uintptr_t>(peer->id)));
+ResultCode BrokerServicesBase::AddTargetPeerInternal(
+ HANDLE peer_process_handle,
+ DWORD peer_process_id,
+ scoped_refptr<PolicyBase> policy_base,
+ DWORD* last_error) {
+ // Duplicate the process handle to give the tracking machinery
+ // something valid to wait on in the tracking thread.
+ HANDLE tmp_process_handle = INVALID_HANDLE_VALUE;
+ if (!::DuplicateHandle(::GetCurrentProcess(), peer_process_handle,
+ ::GetCurrentProcess(), &tmp_process_handle,
+ SYNCHRONIZE, false, 0 /*no options*/)) {
+ *last_error = ::GetLastError();
+ return SBOX_ERROR_CANNOT_DUPLICATE_PROCESS_HANDLE;
+ }
+ base::win::ScopedHandle dup_process_handle(tmp_process_handle);
+ ProcessTracker* tracker = new ProcessTracker(
+ policy_base, peer_process_id, std::move(dup_process_handle));
+ // The tracker and policy will leak if this call fails.
+ ::PostQueuedCompletionStatus(job_port_.Get(), 0,
+ THREAD_CTRL_NEW_PROCESS_TRACKER,
+ reinterpret_cast<LPOVERLAPPED>(tracker));
+
+ AutoLock lock(&lock_);
+ active_targets_.insert(peer_process_id);
+
+ return SBOX_ALL_OK;
+}
+
+ResultCode BrokerServicesBase::AddTargetPeer(HANDLE peer_process) {
+ std::unique_ptr<PeerTracker> peer(
+ new PeerTracker(::GetProcessId(peer_process), job_port_.Get()));
+ if (!peer->id)
+ return SBOX_ERROR_GENERIC;
+ DWORD last_error;
+ return AddTargetPeerInternal(peer_process, ::GetProcessId(peer_process),
+ nullptr, &last_error);
+}
+
+ HANDLE process_handle;
+ if (!::DuplicateHandle(::GetCurrentProcess(), peer_process,
+ ::GetCurrentProcess(), &process_handle,
+ SYNCHRONIZE, FALSE, 0)) {
+ return SBOX_ERROR_GENERIC;
+ }
+ peer->process.Set(process_handle);
+
+ AutoLock lock(&lock_);
+ if (!peer_map_.insert(std::make_pair(peer->id, peer.get())).second)
+ return SBOX_ERROR_BAD_PARAMS;
+
+ if (!::RegisterWaitForSingleObject(
+ &peer->wait_object, peer->process.Get(), RemovePeer, peer.get(),
+ INFINITE, WT_EXECUTEONLYONCE | WT_EXECUTEINWAITTHREAD)) {
+ peer_map_.erase(peer->id);
+ return SBOX_ERROR_GENERIC;
+ }
+
+ // Release the pointer since it will be cleaned up by the callback.
+ ignore_result(peer.release());
+ return SBOX_ALL_OK;
}
} // namespace sandbox
ResultCode BrokerServicesBase::GetPolicyDiagnostics(
std::unique_ptr<PolicyDiagnosticsReceiver> receiver) {
CHECK(job_thread_.IsValid());
// Post to the job thread.
if (!::PostQueuedCompletionStatus(
job_port_.Get(), 0, THREAD_CTRL_GET_POLICY_INFO,
reinterpret_cast<LPOVERLAPPED>(receiver.get()))) {
receiver->OnError(SBOX_ERROR_GENERIC);
diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.h b/security/sandbox/chromium/sandbox/win/src/broker_services.h
--- a/security/sandbox/chromium/sandbox/win/src/broker_services.h
+++ b/security/sandbox/chromium/sandbox/win/src/broker_services.h
@@ -19,16 +19,17 @@
@@ -13,16 +13,17 @@
#include "base/compiler_specific.h"
#include "base/macros.h"
#include "base/memory/scoped_refptr.h"
#include "base/win/scoped_handle.h"
#include "sandbox/win/src/crosscall_server.h"
#include "sandbox/win/src/job.h"
#include "sandbox/win/src/sandbox.h"
+#include "sandbox/win/src/sandbox_policy_base.h"
#include "sandbox/win/src/sharedmem_ipc_server.h"
#include "sandbox/win/src/win2k_threadpool.h"
#include "sandbox/win/src/win_utils.h"
namespace {
struct JobTracker;
+struct PeerTracker;
} // namespace
namespace sandbox {
// BrokerServicesBase ---------------------------------------------------------
// Broker implementation version 0
//
@@ -48,28 +49,35 @@ class BrokerServicesBase final : public
@@ -43,16 +44,24 @@ class BrokerServicesBase final : public
scoped_refptr<TargetPolicy> CreatePolicy() override;
ResultCode SpawnTarget(const wchar_t* exe_path,
const wchar_t* command_line,
@ -217,58 +237,53 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.h b/secur
PROCESS_INFORMATION* target) override;
ResultCode WaitForAllTargets() override;
+ ResultCode AddTargetPeer(HANDLE peer_process) override;
// Checks if the supplied process ID matches one of the broker's active
// target processes
// Returns:
// true if there is an active target process for this ID, otherwise false.
bool IsActiveTarget(DWORD process_id);
+
+ // Checks if the supplied process ID matches one of the broker's active
+ // target processes. We use this method for the specific purpose of
+ // checking if we can safely duplicate a handle to the supplied process
+ // in DuplicateHandleProxyAction.
+ bool IsSafeDuplicationTarget(DWORD process_id);
+
ResultCode GetPolicyDiagnostics(
std::unique_ptr<PolicyDiagnosticsReceiver> receiver) override;
private:
+ typedef std::list<JobTracker*> JobTrackerList;
+ typedef std::map<DWORD, PeerTracker*> PeerTrackerMap;
+
// The routine that the worker thread executes. It is in charge of
// notifications and cleanup-related tasks.
static DWORD WINAPI TargetEventsThread(PVOID param);
+ // Removes a target peer from the process list if it expires.
+ static VOID CALLBACK RemovePeer(PVOID parameter, BOOLEAN timeout);
+
// The completion port used by the job objects to communicate events to
// the worker thread.
base::win::ScopedHandle job_port_;
// Handle to a manual-reset event that is signaled when the total target
// process count reaches zero.
@@ -65,14 +74,27 @@ class BrokerServicesBase final : public
base::win::ScopedHandle no_targets_;
@@ -81,16 +89,20 @@ class BrokerServicesBase final : public
CRITICAL_SECTION lock_;
// Handle to the worker thread that reacts to job notifications.
base::win::ScopedHandle job_thread_;
// Provides a pool of threads that are used to wait on the IPC calls.
std::unique_ptr<ThreadProvider> thread_pool_;
// List of the trackers for closing and cleanup purposes.
std::list<std::unique_ptr<JobTracker>> tracker_list_;
+ // Maps peer process IDs to the saved handle and wait event.
+ // Prevents peer callbacks from accessing the broker after destruction.
+ PeerTrackerMap peer_map_;
+ // The set representing the broker's active target processes including
+ // both sandboxed and unsandboxed peer processes.
+ std::set<DWORD> active_targets_;
+
+ // Lock used to protect active_targets_ from being simultaneously accessed
+ // by multiple threads.
+ CRITICAL_SECTION lock_;
+
+ ResultCode AddTargetPeerInternal(HANDLE peer_process_handle,
+ DWORD peer_process_id,
+ scoped_refptr<PolicyBase> policy_base,
+ DWORD* last_error);
+
// Provides a fast lookup to identify sandboxed processes that belong to a
// job. Consult |jobless_process_handles_| for handles of processes without
// jobs.
std::set<DWORD> child_process_ids_;
DISALLOW_COPY_AND_ASSIGN(BrokerServicesBase);
};
} // namespace sandbox
#endif // SANDBOX_WIN_SRC_BROKER_SERVICES_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sandbox/chromium/sandbox/win/src/sandbox.h
--- a/security/sandbox/chromium/sandbox/win/src/sandbox.h
+++ b/security/sandbox/chromium/sandbox/win/src/sandbox.h
@@ -86,16 +86,24 @@ class BrokerServices {
PROCESS_INFORMATION* target) = 0;
@@ -96,16 +96,24 @@ class BrokerServices {
// This call blocks (waits) for all the targets to terminate.
// Returns:
@ -276,7 +291,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sand
// If the return is ERROR_GENERIC, you can call ::GetLastError() to get
// more information.
virtual ResultCode WaitForAllTargets() = 0;
+
+ // Adds an unsandboxed process as a peer for policy decisions (e.g.
+ // HANDLES_DUP_ANY policy).
+ // Returns:
@ -284,11 +299,12 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sand
+ // If the return is ERROR_GENERIC, you can call ::GetLastError() to get
+ // more information.
+ virtual ResultCode AddTargetPeer(HANDLE peer_process) = 0;
protected:
~BrokerServices() {}
};
// TargetServices models the current process from the perspective
// of a target process. To obtain a pointer to it use
// Sandbox::GetTargetServices(). Note that this call returns a non-null
+
// This call creates a snapshot of policies managed by the sandbox and
// returns them via a helper class.
// Parameters:
// receiver: The |PolicyDiagnosticsReceiver| implementation will be
// called to accept the results of the call.
// Returns:
// ALL_OK if the request was dispatched. All other return values
// imply failure, and the responder will not receive its completion

167
security/sandbox/chromium-shim/patches/with_update/revert_remove_BrokerDuplicateHandle.patch
Просмотреть файл

@ -1,18 +1,22 @@
# HG changeset patch
# User Bob Owen <bobowencode@gmail.com>
# Date 1485985575 0
# Wed Feb 01 21:46:15 2017 +0000
# Node ID 9328428e5f863472f3702057b01d472b46b7b6a2
# Parent 4c1880ac25a66dec6455dc88ba693096d65df704
Reinstate sandbox::TargetServices::BrokerDuplicateHandle. r=aklotz
# User Toshihito Kikuchi <tkikuchi@mozilla.com>
# Date 1589671733 25200
# Sat May 16 16:28:53 2020 -0700
# Node ID 91bb5c3807cfe657cc24c9a3c217dd1f57db6d5c
# Parent 22eb0bf7180801edf775be44cf299a50e01eb7bf
Reinstate sandbox::TargetServices::BrokerDuplicateHandle. r=bobowen
This basically reverts chromium commit 569193665184525ca366e65d0735f5c851106e43.
This patch reverts the commit removing sandbox::TargetServices::BrokerDuplicateHandle
and applies the new IpcTag type.
https://chromium.googlesource.com/chromium/src.git/+/569193665184525ca366e65d0735f5c851106e43
https://chromium.googlesource.com/chromium/src.git/+/c8cff7f9663ce6d1ef35e5c717f43c867c3906eb
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc
new file mode 100644
--- /dev/null
+++ b/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc
@@ -0,0 +1,92 @@
@@ -0,0 +1,93 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
@ -37,7 +41,7 @@ new file mode 100644
+HandleDispatcher::HandleDispatcher(PolicyBase* policy_base)
+ : policy_base_(policy_base) {
+ static const IPCCall duplicate_handle_proxy = {
+ {IPC_DUPLICATEHANDLEPROXY_TAG,
+ {IpcTag::DUPLICATEHANDLEPROXY,
+ {VOIDPTR_TYPE, UINT32_TYPE, UINT32_TYPE, UINT32_TYPE}},
+ reinterpret_cast<CallbackGeneric>(
+ &HandleDispatcher::DuplicateHandleProxy)};
@ -46,14 +50,15 @@ new file mode 100644
+}
+
+bool HandleDispatcher::SetupService(InterceptionManager* manager,
+ int service) {
+ IpcTag service) {
+ // We perform no interceptions for handles right now.
+ switch (service) {
+ case IPC_DUPLICATEHANDLEPROXY_TAG:
+ return true;
+ }
+ case IpcTag::DUPLICATEHANDLEPROXY:
+ return true;
+
+ return false;
+ default:
+ return false;
+ }
+}
+
+bool HandleDispatcher::DuplicateHandleProxy(IPCInfo* ipc,
@ -93,7 +98,7 @@ new file mode 100644
+ params[HandleTarget::NAME] = ParamPickerMake(type_info->Name.Buffer);
+ params[HandleTarget::TARGET] = ParamPickerMake(target_process_id);
+
+ EvalResult eval = policy_base_->EvalPolicy(IPC_DUPLICATEHANDLEPROXY_TAG,
+ EvalResult eval = policy_base_->EvalPolicy(IpcTag::DUPLICATEHANDLEPROXY,
+ params.GetBase());
+ ipc->return_info.win32_result =
+ HandlePolicy::DuplicateHandleProxyAction(eval, handle.Get(),
@ -132,7 +137,7 @@ new file mode 100644
+ ~HandleDispatcher() override {}
+
+ // Dispatcher interface.
+ bool SetupService(InterceptionManager* manager, int service) override;
+ bool SetupService(InterceptionManager* manager, IpcTag service) override;
+
+ private:
+ // Processes IPC requests coming from calls to
@ -184,7 +189,7 @@ new file mode 100644
+
+ SharedMemIPCClient ipc(memory);
+ CrossCallReturn answer = {0};
+ ResultCode code = CrossCall(ipc, IPC_DUPLICATEHANDLEPROXY_TAG,
+ ResultCode code = CrossCall(ipc, IpcTag::DUPLICATEHANDLEPROXY,
+ source_handle, target_process_id,
+ desired_access, options, &answer);
+ if (SBOX_ALL_OK != code)
@ -234,7 +239,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/handle_policy.cc b/securi
new file mode 100644
--- /dev/null
+++ b/security/sandbox/chromium/sandbox/win/src/handle_policy.cc
@@ -0,0 +1,92 @@
@@ -0,0 +1,93 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
@ -282,7 +287,7 @@ new file mode 100644
+ CASE_INSENSITIVE)) {
+ return false;
+ }
+ if (!policy->AddRule(IPC_DUPLICATEHANDLEPROXY_TAG, &duplicate_rule)) {
+ if (!policy->AddRule(IpcTag::DUPLICATEHANDLEPROXY, &duplicate_rule)) {
+ return false;
+ }
+ return true;
@ -302,7 +307,8 @@ new file mode 100644
+ base::win::ScopedHandle remote_target_process;
+ if (target_process_id != ::GetCurrentProcessId()) {
+ // Sandboxed children are dynamic, so we check that manually.
+ if (!BrokerServicesBase::GetInstance()->IsActiveTarget(target_process_id)) {
+ if (!BrokerServicesBase::GetInstance()->IsSafeDuplicationTarget(
+ target_process_id)) {
+ return ERROR_ACCESS_DENIED;
+ }
+
@ -493,29 +499,28 @@ new file mode 100644
diff --git a/security/sandbox/chromium/sandbox/win/src/ipc_tags.h b/security/sandbox/chromium/sandbox/win/src/ipc_tags.h
--- a/security/sandbox/chromium/sandbox/win/src/ipc_tags.h
+++ b/security/sandbox/chromium/sandbox/win/src/ipc_tags.h
@@ -23,16 +23,17 @@ enum {
IPC_NTOPENPROCESS_TAG,
IPC_NTOPENPROCESSTOKEN_TAG,
IPC_NTOPENPROCESSTOKENEX_TAG,
IPC_CREATEPROCESSW_TAG,
IPC_CREATEEVENT_TAG,
IPC_OPENEVENT_TAG,
IPC_NTCREATEKEY_TAG,
IPC_NTOPENKEY_TAG,
+ IPC_DUPLICATEHANDLEPROXY_TAG,
IPC_GDI_GDIDLLINITIALIZE_TAG,
IPC_GDI_GETSTOCKOBJECT_TAG,
IPC_USER_REGISTERCLASSW_TAG,
IPC_CREATETHREAD_TAG,
IPC_USER_ENUMDISPLAYMONITORS_TAG,
IPC_USER_ENUMDISPLAYDEVICES_TAG,
IPC_USER_GETMONITORINFO_TAG,
IPC_GDI_CREATEOPMPROTECTEDOUTPUTS_TAG,
@@ -23,16 +23,17 @@ enum class IpcTag {
NTOPENPROCESS,
NTOPENPROCESSTOKEN,
NTOPENPROCESSTOKENEX,
CREATEPROCESSW,
CREATEEVENT,
OPENEVENT,
NTCREATEKEY,
NTOPENKEY,
+ DUPLICATEHANDLEPROXY,
GDI_GDIDLLINITIALIZE,
GDI_GETSTOCKOBJECT,
USER_REGISTERCLASSW,
CREATETHREAD,
USER_ENUMDISPLAYMONITORS,
USER_ENUMDISPLAYDEVICES,
USER_GETMONITORINFO,
GDI_CREATEOPMPROTECTEDOUTPUTS,
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sandbox/chromium/sandbox/win/src/sandbox.h
--- a/security/sandbox/chromium/sandbox/win/src/sandbox.h
+++ b/security/sandbox/chromium/sandbox/win/src/sandbox.h
@@ -136,16 +136,30 @@ class TargetServices {
// processing any untrusted data or running third-party code. If this call
@@ -161,16 +161,30 @@ class TargetServices {
// fails the current process could be terminated immediately.
virtual void LowerToken() = 0;
@ -523,7 +528,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sand
// information about the current state of the process, such as whether
// LowerToken has been called or not.
virtual ProcessState* GetState() = 0;
+
+ // Requests the broker to duplicate the supplied handle into the target
+ // process. The target process must be an active sandbox child process
+ // and the source process must have a corresponding policy allowing
@ -537,28 +542,30 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sand
+ HANDLE* target_handle,
+ DWORD desired_access,
+ DWORD options) = 0;
+
protected:
~TargetServices() {}
};
} // namespace sandbox
class PolicyInfo {
public:
// Returns a JSON representation of the policy snapshot.
// This pointer has the same lifetime as this PolicyInfo object.
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h
+++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h
@@ -24,27 +24,31 @@ class TargetPolicy {
@@ -25,28 +25,32 @@ class TargetPolicy {
// exactly like the CreateProcess API does. See the comment at the top of
// process_thread_dispatcher.cc for more details.
enum SubSystem {
SUBSYS_FILES, // Creation and opening of files and pipes.
SUBSYS_NAMED_PIPES, // Creation of named pipes.
SUBSYS_PROCESS, // Creation of child processes.
SUBSYS_REGISTRY, // Creation and opening of registry keys.
SUBSYS_SYNC, // Creation of named sync objects.
+ SUBSYS_HANDLES, // Duplication of handles to other processes.
SUBSYS_WIN32K_LOCKDOWN // Win32K Lockdown related policy.
SUBSYS_FILES, // Creation and opening of files and pipes.
SUBSYS_NAMED_PIPES, // Creation of named pipes.
SUBSYS_PROCESS, // Creation of child processes.
SUBSYS_REGISTRY, // Creation and opening of registry keys.
SUBSYS_SYNC, // Creation of named sync objects.
+ SUBSYS_HANDLES, // Duplication of handles to other processes.
SUBSYS_WIN32K_LOCKDOWN, // Win32K Lockdown related policy.
SUBSYS_SIGNED_BINARY // Signed binary policy.
};
// Allowable semantics when a rule is matched.
@ -583,14 +590,14 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h b/securi
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc
+++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc
@@ -10,16 +10,17 @@
#include "base/callback.h"
@@ -12,16 +12,17 @@
#include "base/logging.h"
#include "base/macros.h"
#include "base/stl_util.h"
#include "base/strings/stringprintf.h"
#include "base/win/win_util.h"
#include "base/win/windows_version.h"
#include "sandbox/win/src/acl.h"
#include "sandbox/win/src/filesystem_policy.h"
+#include "sandbox/win/src/handle_policy.h"
#include "sandbox/win/src/interception.h"
@ -601,7 +608,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/
#include "sandbox/win/src/policy_low_level.h"
#include "sandbox/win/src/process_mitigations.h"
#include "sandbox/win/src/process_mitigations_win32k_policy.h"
@@ -733,16 +734,24 @@ ResultCode PolicyBase::AddRuleInternal(S
@@ -754,16 +755,24 @@ ResultCode PolicyBase::AddRuleInternal(S
}
case SUBSYS_REGISTRY: {
if (!RegistryPolicy::GenerateRules(pattern, semantics, policy_maker_)) {
@ -619,13 +626,13 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/
+ }
+
case SUBSYS_WIN32K_LOCKDOWN: {
if (!ProcessMitigationsWin32KLockdownPolicy::GenerateRules(
pattern, semantics, policy_maker_)) {
NOTREACHED();
return SBOX_ERROR_BAD_PARAMS;
}
break;
}
// Win32k intercept rules only supported on Windows 8 and above. This must
// match the version checks in process_mitigations.cc for consistency.
if (base::win::GetVersion() >= base::win::Version::WIN8) {
DCHECK_EQ(MITIGATION_WIN32K_DISABLE,
mitigations_ & MITIGATION_WIN32K_DISABLE)
<< "Enable MITIGATION_WIN32K_DISABLE before adding win32k policy "
"rules.";
diff --git a/security/sandbox/chromium/sandbox/win/src/target_services.cc b/security/sandbox/chromium/sandbox/win/src/target_services.cc
--- a/security/sandbox/chromium/sandbox/win/src/target_services.cc
+++ b/security/sandbox/chromium/sandbox/win/src/target_services.cc
@ -647,9 +654,9 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/target_services.cc b/secu
#include "sandbox/win/src/sandbox_nt_util.h"
#include "sandbox/win/src/sandbox_types.h"
#include "sandbox/win/src/sharedmem_ipc_client.h"
@@ -259,9 +260,19 @@ void ProcessState::SetRevertedToSelf() {
if (process_state_ < 3)
process_state_ = 3;
@@ -239,9 +240,19 @@ void ProcessState::SetRevertedToSelf() {
if (process_state_ < ProcessStateInternal::REVERTED_TO_SELF)
process_state_ = ProcessStateInternal::REVERTED_TO_SELF;
}
void ProcessState::SetCsrssConnected(bool csrss_connected) {
@ -670,7 +677,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/target_services.cc b/secu
diff --git a/security/sandbox/chromium/sandbox/win/src/target_services.h b/security/sandbox/chromium/sandbox/win/src/target_services.h
--- a/security/sandbox/chromium/sandbox/win/src/target_services.h
+++ b/security/sandbox/chromium/sandbox/win/src/target_services.h
@@ -41,16 +41,21 @@ class ProcessState {
@@ -40,16 +40,21 @@ class ProcessState {
class TargetServicesBase : public TargetServices {
public:
TargetServicesBase();
@ -713,24 +720,24 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc b
#include "sandbox/win/src/process_thread_dispatcher.h"
#include "sandbox/win/src/registry_dispatcher.h"
#include "sandbox/win/src/sandbox_policy_base.h"
@@ -53,16 +54,20 @@ TopLevelDispatcher::TopLevelDispatcher(P
ipc_targets_[IPC_OPENEVENT_TAG] = dispatcher;
@@ -55,16 +56,20 @@ TopLevelDispatcher::TopLevelDispatcher(P
ipc_targets_[static_cast<size_t>(IpcTag::OPENEVENT)] = dispatcher;
sync_dispatcher_.reset(dispatcher);
dispatcher = new RegistryDispatcher(policy_);
ipc_targets_[IPC_NTCREATEKEY_TAG] = dispatcher;
ipc_targets_[IPC_NTOPENKEY_TAG] = dispatcher;
ipc_targets_[static_cast<size_t>(IpcTag::NTCREATEKEY)] = dispatcher;
ipc_targets_[static_cast<size_t>(IpcTag::NTOPENKEY)] = dispatcher;
registry_dispatcher_.reset(dispatcher);
+ dispatcher = new HandleDispatcher(policy_);
+ ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG] = dispatcher;
+ ipc_targets_[static_cast<size_t>(IpcTag::DUPLICATEHANDLEPROXY)] = dispatcher;
+ handle_dispatcher_.reset(dispatcher);
+
dispatcher = new ProcessMitigationsWin32KDispatcher(policy_);
ipc_targets_[IPC_GDI_GDIDLLINITIALIZE_TAG] = dispatcher;
ipc_targets_[IPC_GDI_GETSTOCKOBJECT_TAG] = dispatcher;
ipc_targets_[IPC_USER_REGISTERCLASSW_TAG] = dispatcher;
ipc_targets_[IPC_USER_ENUMDISPLAYMONITORS_TAG] = dispatcher;
ipc_targets_[IPC_USER_ENUMDISPLAYDEVICES_TAG] = dispatcher;
ipc_targets_[IPC_USER_GETMONITORINFO_TAG] = dispatcher;
ipc_targets_[IPC_GDI_CREATEOPMPROTECTEDOUTPUTS_TAG] = dispatcher;
ipc_targets_[static_cast<size_t>(IpcTag::GDI_GDIDLLINITIALIZE)] = dispatcher;
ipc_targets_[static_cast<size_t>(IpcTag::GDI_GETSTOCKOBJECT)] = dispatcher;
ipc_targets_[static_cast<size_t>(IpcTag::USER_REGISTERCLASSW)] = dispatcher;
ipc_targets_[static_cast<size_t>(IpcTag::USER_ENUMDISPLAYMONITORS)] =
dispatcher;
ipc_targets_[static_cast<size_t>(IpcTag::USER_ENUMDISPLAYDEVICES)] =
dispatcher;

93
security/sandbox/chromium-shim/patches/with_update/update_chromium_linux_x86_syscalls.patch
Просмотреть файл

@ -1,93 +0,0 @@
# HG changeset patch
# User Gian-Carlo Pascutto <gcp@mozilla.com>
# Date 1465410964 -7200
# Wed Jun 08 20:36:04 2016 +0200
# Node ID 37ac7119fe8df776c850624a9a95dd182ff469b0
# Parent 5d0dab9cddb8410f891f22a1bead1c1975adb5bd
Update chromium's list of linux-x86-32 syscalls. r=jld
Originally landed as changset:
https://hg.mozilla.org/mozilla-central/rev/adb1d2a92e0d
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h b/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
--- a/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
+++ b/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
@@ -1417,10 +1417,78 @@
#if !defined(__NR_getrandom)
#define __NR_getrandom 355
#endif
#if !defined(__NR_memfd_create)
#define __NR_memfd_create 356
#endif
+#if !defined(__NR_bpf)
+#define __NR_bpf 357
+#endif
+
+#if !defined(__NR_execveat)
+#define __NR_execveat 358
+#endif
+
+#if !defined(__NR_socket)
+#define __NR_socket 359
+#endif
+
+#if !defined(__NR_socketpair)
+#define __NR_socketpair 360
+#endif
+
+#if !defined(__NR_bind)
+#define __NR_bind 361
+#endif
+
+#if !defined(__NR_connect)
+#define __NR_connect 362
+#endif
+
+#if !defined(__NR_listen)
+#define __NR_listen 363
+#endif
+
+#if !defined(__NR_accept4)
+#define __NR_accept4 364
+#endif
+
+#if !defined(__NR_getsockopt)
+#define __NR_getsockopt 365
+#endif
+
+#if !defined(__NR_setsockopt)
+#define __NR_setsockopt 366
+#endif
+
+#if !defined(__NR_getsockname)
+#define __NR_getsockname 367
+#endif
+
+#if !defined(__NR_getpeername)
+#define __NR_getpeername 368
+#endif
+
+#if !defined(__NR_sendto)
+#define __NR_sendto 369
+#endif
+
+#if !defined(__NR_sendmsg)
+#define __NR_sendmsg 370
+#endif
+
+#if !defined(__NR_recvfrom)
+#define __NR_recvfrom 371
+#endif
+
+#if !defined(__NR_recvmsg)
+#define __NR_recvmsg 372
+#endif
+
+#if !defined(__NR_shutdown)
+#define __NR_shutdown 373
+#endif
+
#endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_32_LINUX_SYSCALLS_H_