diff --git a/security/sandbox/chromium-shim/patches/after_update/add_WOW64_flags_to_allowed_registry_read_flags.patch b/security/sandbox/chromium-shim/patches/after_update/add_WOW64_flags_to_allowed_registry_read_flags.patch index 2f113df4d753..7eb643719e42 100644 --- a/security/sandbox/chromium-shim/patches/after_update/add_WOW64_flags_to_allowed_registry_read_flags.patch +++ b/security/sandbox/chromium-shim/patches/after_update/add_WOW64_flags_to_allowed_registry_read_flags.patch @@ -30,5 +30,5 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/registry_policy.cc b/secu // |access| with the new value. NTSTATUS TranslateMaximumAllowed(OBJECT_ATTRIBUTES* obj_attributes, DWORD* access) { - NtOpenKeyFunction NtOpenKey = NULL; + NtOpenKeyFunction NtOpenKey = nullptr; ResolveNTFunctionPtr("NtOpenKey", &NtOpenKey); diff --git a/security/sandbox/chromium-shim/patches/after_update/add_interception_logging.patch b/security/sandbox/chromium-shim/patches/after_update/add_interception_logging.patch index 0fa73c9e9a43..344fd569d791 100644 --- a/security/sandbox/chromium-shim/patches/after_update/add_interception_logging.patch +++ b/security/sandbox/chromium-shim/patches/after_update/add_interception_logging.patch @@ -132,7 +132,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c break; @@ -227,32 +246,39 @@ TargetNtQueryAttributesFile(NtQueryAttri - ResultCode code = CrossCall(ipc, IPC_NTQUERYATTRIBUTESFILE_TAG, name.get(), + ResultCode code = CrossCall(ipc, IpcTag::NTQUERYATTRIBUTESFILE, name.get(), attributes, file_info, &answer); if (SBOX_ALL_OK != code) @@ -173,7 +173,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c break; 
@@ -284,16 +310,20 @@ NTSTATUS WINAPI TargetNtQueryFullAttribu CrossCallReturn answer = {0}; - ResultCode code = CrossCall(ipc, IPC_NTQUERYFULLATTRIBUTESFILE_TAG, + ResultCode code = CrossCall(ipc, IpcTag::NTQUERYFULLATTRIBUTESFILE, name.get(), attributes, file_info, &answer); if (SBOX_ALL_OK != code) @@ -213,7 +213,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c break; @@ -366,14 +398,15 @@ TargetNtSetInformationFile(NtSetInformat ResultCode code = - CrossCall(ipc, IPC_NTSETINFO_RENAME_TAG, file, io_status_buffer, + CrossCall(ipc, IpcTag::NTSETINFO_RENAME, file, io_status_buffer, file_info_buffer, length, file_info_class, &answer); if (SBOX_ALL_OK != code) @@ -249,7 +249,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/handle_interception.cc b/ DWORD desired_access, DWORD options) { @@ -29,17 +30,19 @@ ResultCode DuplicateHandleProxy(HANDLE s - ResultCode code = CrossCall(ipc, IPC_DUPLICATEHANDLEPROXY_TAG, + ResultCode code = CrossCall(ipc, IpcTag::DUPLICATEHANDLEPROXY, source_handle, target_process_id, desired_access, options, &answer); if (SBOX_ALL_OK != code) @@ -652,6 +652,64 @@ 
diff --git a/security/sandbox/chromium/sandbox/win/src/registry_interception.cc } } // namespace sandbox +diff --git a/security/sandbox/chromium/sandbox/win/src/signed_interception.cc b/security/sandbox/chromium/sandbox/win/src/signed_interception.cc +--- a/security/sandbox/chromium/sandbox/win/src/signed_interception.cc ++++ b/security/sandbox/chromium/sandbox/win/src/signed_interception.cc +@@ -9,16 +9,17 @@ + #include "sandbox/win/src/crosscall_client.h" + #include "sandbox/win/src/ipc_tags.h" + #include "sandbox/win/src/policy_params.h" + #include "sandbox/win/src/policy_target.h" + #include "sandbox/win/src/sandbox_factory.h" + #include "sandbox/win/src/sandbox_nt_util.h" + #include "sandbox/win/src/sharedmem_ipc_client.h" + #include "sandbox/win/src/target_services.h" ++#include "mozilla/sandboxing/sandboxLogging.h" + + namespace sandbox { + + NTSTATUS WINAPI + TargetNtCreateSection(NtCreateSectionFunction orig_CreateSection, + PHANDLE section_handle, + ACCESS_MASK desired_access, + POBJECT_ATTRIBUTES object_attributes, +@@ -37,16 +38,18 @@ TargetNtCreateSection(NtCreateSectionFun + break; + if (maximum_size) + break; + if (section_page_protection != PAGE_EXECUTE) + break; + if (allocation_attributes != SEC_IMAGE) + break; + ++ mozilla::sandboxing::LogBlocked("NtCreateSection"); ++ + // IPC must be fully started. + void* memory = GetGlobalIPCMemory(); + if (!memory) + break; + + std::unique_ptr path; + + if (!NtGetPathFromHandle(file_handle, &path)) +@@ -73,16 +76,17 @@ TargetNtCreateSection(NtCreateSectionFun + if (code != SBOX_ALL_OK) + break; + + if (!NT_SUCCESS(answer.nt_status)) + break; + + __try { + *section_handle = answer.handle; ++ mozilla::sandboxing::LogAllowed("NtCreateSection"); + return answer.nt_status; + } __except (EXCEPTION_EXECUTE_HANDLER) { + break; + } + } while (false); + + // Fall back to the original API in all failure cases. + return orig_CreateSection(section_handle, desired_access, object_attributes, 
diff --git a/security/sandbox/chromium/sandbox/win/src/sync_interception.cc b/security/sandbox/chromium/sandbox/win/src/sync_interception.cc --- a/security/sandbox/chromium/sandbox/win/src/sync_interception.cc +++ b/security/sandbox/chromium/sandbox/win/src/sync_interception.cc diff --git a/security/sandbox/chromium-shim/patches/after_update/allow_flash_temporary_files.patch b/security/sandbox/chromium-shim/patches/after_update/allow_flash_temporary_files.patch index 01b398b7ba08..99695ba01d39 100644 --- a/security/sandbox/chromium-shim/patches/after_update/allow_flash_temporary_files.patch +++ b/security/sandbox/chromium-shim/patches/after_update/allow_flash_temporary_files.patch @@ -14,14 +14,14 @@ https://hg.mozilla.org/mozilla-central/rev/0f64b24c40c4 diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc --- a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc +++ b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc -@@ -221,16 +221,25 @@ bool FilesystemDispatcher::NtQueryAttrib +@@ -213,16 +213,25 @@ bool FilesystemDispatcher::NtQueryAttrib params[FileName::BROKER] = ParamPickerMake(broker); // To evaluate the policy we need to call back to the policy object. We // are just middlemen in the operation since is the FileSystemPolicy which // knows what to do. EvalResult result = - policy_base_->EvalPolicy(IPC_NTQUERYATTRIBUTESFILE_TAG, params.GetBase()); + policy_base_->EvalPolicy(IpcTag::NTQUERYATTRIBUTESFILE, params.GetBase()); + // If the policies forbid access (any result other than ASK_BROKER), + // then check for user-granted access to file. @@ -40,14 +40,14 @@ 
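Review bot: The new `mozilla::sandboxing::LogBlocked("NtCreateSection");` in TargetNtCreateSection is emitted before the `GetGlobalIPCMemory()` check and before the broker is consulted, so it is also recorded on every path that breaks out of the loop and reaches the `// Fall back to the original API in all failure cases.` return, where the original call may still succeed. If LogBlocked is meant to record that the sandbox actually denied the request, this placement over-reports blocks; if it only marks entry to the brokered path, that should be said in code. I cannot see the logging lines of the other interception files touched by this patch in this hunk, so which convention applies should be confirmed against them. A comment above the call such as `// Logged whenever the request is routed through the broker, not only when it is denied.` would make the intent explicit; the function starts before and continues after the nested hunks shown here.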
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc information, &nt_status)) { ipc->return_info.nt_status = STATUS_ACCESS_DENIED; return true; -@@ -261,16 +270,25 @@ bool FilesystemDispatcher::NtQueryFullAt +@@ -253,16 +262,25 @@ bool FilesystemDispatcher::NtQueryFullAt params[FileName::BROKER] = ParamPickerMake(broker); // To evaluate the policy we need to call back to the policy object. We // are just middlemen in the operation since is the FileSystemPolicy which // knows what to do. EvalResult result = policy_base_->EvalPolicy( - IPC_NTQUERYFULLATTRIBUTESFILE_TAG, params.GetBase()); + IpcTag::NTQUERYFULLATTRIBUTESFILE, params.GetBase()); + // If the policies forbid access (any result other than ASK_BROKER), + // then check for user-granted access to file. @@ -66,14 +66,14 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc &nt_status)) { ipc->return_info.nt_status = STATUS_ACCESS_DENIED; return true; -@@ -316,16 +334,26 @@ bool FilesystemDispatcher::NtSetInformat +@@ -306,16 +324,26 @@ bool FilesystemDispatcher::NtSetInformat params[FileName::BROKER] = ParamPickerMake(broker); // To evaluate the policy we need to call back to the policy object. We // are just middlemen in the operation since is the FileSystemPolicy which // knows what to do. EvalResult result = - policy_base_->EvalPolicy(IPC_NTSETINFO_RENAME_TAG, params.GetBase()); + policy_base_->EvalPolicy(IpcTag::NTSETINFO_RENAME, params.GetBase()); + // If the policies forbid access (any result other than ASK_BROKER), + // then check for user-granted write access to file. We only permit @@ -96,7 +96,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc --- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc 
+++ b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc -@@ -223,19 +223,16 @@ NTSTATUS WINAPI TargetNtQueryAttributesF +@@ -227,19 +227,16 @@ TargetNtQueryAttributesFile(NtQueryAttri sizeof(FILE_BASIC_INFORMATION)); uint32_t broker = BROKER_FALSE; @@ -105,18 +105,18 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c params[FileName::NAME] = ParamPickerMake(name_ptr); params[FileName::BROKER] = ParamPickerMake(broker); -- if (!QueryBroker(IPC_NTQUERYATTRIBUTESFILE_TAG, params.GetBase())) +- if (!QueryBroker(IpcTag::NTQUERYATTRIBUTESFILE, params.GetBase())) - break; - SharedMemIPCClient ipc(memory); CrossCallReturn answer = {0}; - ResultCode code = CrossCall(ipc, IPC_NTQUERYATTRIBUTESFILE_TAG, name.get(), + ResultCode code = CrossCall(ipc, IpcTag::NTQUERYATTRIBUTESFILE, name.get(), attributes, file_info, &answer); if (SBOX_ALL_OK != code) break; -@@ -290,19 +287,16 @@ NTSTATUS WINAPI TargetNtQueryFullAttribu +@@ -292,19 +289,16 @@ NTSTATUS WINAPI TargetNtQueryFullAttribu sizeof(FILE_NETWORK_OPEN_INFORMATION)); uint32_t broker = BROKER_FALSE; @@ -125,18 +125,18 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c params[FileName::NAME] = ParamPickerMake(name_ptr); params[FileName::BROKER] = ParamPickerMake(broker); -- if (!QueryBroker(IPC_NTQUERYFULLATTRIBUTESFILE_TAG, params.GetBase())) +- if (!QueryBroker(IpcTag::NTQUERYFULLATTRIBUTESFILE, params.GetBase())) - break; - SharedMemIPCClient ipc(memory); CrossCallReturn answer = {0}; - ResultCode code = CrossCall(ipc, IPC_NTQUERYFULLATTRIBUTESFILE_TAG, + ResultCode code = CrossCall(ipc, IpcTag::NTQUERYFULLATTRIBUTESFILE, name.get(), attributes, file_info, &answer); if (SBOX_ALL_OK != code) break; -@@ -369,19 +363,16 @@ NTSTATUS WINAPI TargetNtSetInformationFi +@@ -374,19 +368,16 @@ TargetNtSetInformationFile(NtSetInformat break; uint32_t broker = BROKER_FALSE; @@ -145,7 +145,7 @@ 
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c params[FileName::NAME] = ParamPickerMake(name_ptr); params[FileName::BROKER] = ParamPickerMake(broker); -- if (!QueryBroker(IPC_NTSETINFO_RENAME_TAG, params.GetBase())) +- if (!QueryBroker(IpcTag::NTSETINFO_RENAME, params.GetBase())) - break; - InOutCountedBuffer io_status_buffer(io_status, sizeof(IO_STATUS_BLOCK)); diff --git a/security/sandbox/chromium-shim/patches/after_update/allow_rules_for_network_drive_and_non_file_devices.patch b/security/sandbox/chromium-shim/patches/after_update/allow_rules_for_network_drive_and_non_file_devices.patch index e1b846788a40..8d497e1ff9e9 100644 --- a/security/sandbox/chromium-shim/patches/after_update/allow_rules_for_network_drive_and_non_file_devices.patch +++ b/security/sandbox/chromium-shim/patches/after_update/allow_rules_for_network_drive_and_non_file_devices.patch @@ -12,7 +12,7 @@ https://hg.mozilla.org/mozilla-central/rev/c70d06fa5302 diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/sandbox/chromium/sandbox/win/src/win_utils.cc --- a/security/sandbox/chromium/sandbox/win/src/win_utils.cc +++ b/security/sandbox/chromium/sandbox/win/src/win_utils.cc -@@ -190,62 +190,67 @@ bool ResolveRegistryName(base::string16 +@@ -194,61 +194,66 @@ bool ResolveRegistryName(std::wstring na return false; } @@ -22,12 +22,12 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/s // \Device\HarddiskVolume0\some\foo\bar // \??\HarddiskVolume0\some\foo\bar +// \??\UNC\SERVER\Share\some\foo\bar - DWORD IsReparsePoint(const base::string16& full_path) { + DWORD IsReparsePoint(const std::wstring& full_path) { // Check if it's a pipe. We can't query the attributes of a pipe. if (IsPipe(full_path)) return ERROR_NOT_A_REPARSE_POINT; - base::string16 path; + std::wstring path; bool nt_path = IsNTPath(full_path, &path); bool has_drive = StartsWithDriveLetter(path); bool is_device_path = IsDevicePath(path, &path); 
@@ -37,13 +37,13 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/s - bool added_implied_device = false; if (!has_drive) { -- path = base::string16(kNTDotPrefix) + path; +- path = std::wstring(kNTDotPrefix) + path; - added_implied_device = true; + // Add Win32 device namespace prefix, required for some Windows APIs. + path.insert(0, kNTDotPrefix); } -- base::string16::size_type last_pos = base::string16::npos; +- std::wstring::size_type last_pos = std::wstring::npos; - bool passed_once = false; + // Ensure that volume path matches start of path. + wchar_t vol_path[MAX_PATH]; @@ -73,7 +73,6 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/s - (path.rfind(L'\\') == kNTDotPrefixLen - 1)) { - break; - } - NOTREACHED_NT(); return error; } } else if (FILE_ATTRIBUTE_REPARSE_POINT & attributes) { @@ -94,12 +93,12 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/s // we'll get from |handle| will be \device\harddiskvolume1\some\foo\bar. bool SameObject(HANDLE handle, const wchar_t* full_path) { // Check if it's a pipe. -@@ -256,63 +261,67 @@ bool SameObject(HANDLE handle, const wch - base::string16 actual_path; +@@ -258,63 +263,67 @@ bool SameObject(HANDLE handle, const wch + std::wstring actual_path; if (!GetPathFromHandle(handle, &actual_path)) return false; - base::string16 path(full_path); + std::wstring path(full_path); DCHECK_NT(!path.empty()); // This may end with a backslash. @@ -119,7 +118,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/s bool has_drive = StartsWithDriveLetter(path); if (!has_drive && nt_path) { - base::string16 simple_actual_path; + std::wstring simple_actual_path; - if (!IsDevicePath(actual_path, &simple_actual_path)) - return false; - @@ -187,5 +186,5 @@ 
diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/s // Just make a best effort here. There are lots of corner cases that we're // not expecting - and will fail to make long. - bool ConvertToLongPath(base::string16* native_path, - const base::string16* drive_letter) { + bool ConvertToLongPath(std::wstring* native_path, + const std::wstring* drive_letter) { diff --git a/security/sandbox/chromium-shim/patches/after_update/arm64_set_LoaderThreads.patch b/security/sandbox/chromium-shim/patches/after_update/arm64_set_LoaderThreads.patch index a64f0c888c4f..4d1817db17bd 100644 --- a/security/sandbox/chromium-shim/patches/after_update/arm64_set_LoaderThreads.patch +++ b/security/sandbox/chromium-shim/patches/after_update/arm64_set_LoaderThreads.patch @@ -6,32 +6,10 @@ # Parent 5ef34aa8c8918649528048dd60907862a4355e29 Bug 1515088 Part 2: Set LoaderThreads to 1 in the RTL_USER_PROCESS_PARAMETERS structure on child process start-up. r=aklotz -diff --git a/security/sandbox/chromium/sandbox/win/src/nt_internals.h b/security/sandbox/chromium/sandbox/win/src/nt_internals.h ---- a/security/sandbox/chromium/sandbox/win/src/nt_internals.h -+++ b/security/sandbox/chromium/sandbox/win/src/nt_internals.h -@@ -312,16 +312,18 @@ typedef enum _PROCESSINFOCLASS { - // Partial definition only. - typedef struct _PEB { - BYTE InheritedAddressSpace; - BYTE ReadImageFileExecOptions; - BYTE BeingDebugged; - BYTE SpareBool; - PVOID Mutant; - PVOID ImageBaseAddress; -+ PVOID Ldr; -+ PVOID ProcessParameters; - } PEB, *PPEB; - - typedef LONG KPRIORITY; - - typedef struct _PROCESS_BASIC_INFORMATION { - union { - NTSTATUS ExitStatus; - PVOID padding_for_x64_0; diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/sandbox/chromium/sandbox/win/src/win_utils.cc --- a/security/sandbox/chromium/sandbox/win/src/win_utils.cc 
+++ b/security/sandbox/chromium/sandbox/win/src/win_utils.cc -@@ -453,20 +453,21 @@ bool GetNtPathFromWin32Path(const base:: +@@ -456,20 +456,21 @@ bool GetNtPathFromWin32Path(const std::w bool rv = GetPathFromHandle(file, nt_path); ::CloseHandle(file); return rv; @@ -55,7 +33,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/s ::WriteProcessMemory(child_process, address, buffer, length, &written) && (length == written); -@@ -511,16 +512,40 @@ void* GetProcessBaseAddress(HANDLE proce +@@ -544,16 +545,40 @@ void* GetProcessBaseAddress(HANDLE proce &bytes_read) || (sizeof(magic) != bytes_read)) { return nullptr; @@ -73,7 +51,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/s + // field so there is a, probably small, risk that it might change or move in + // the future. In order to slightly guard against that we only update if the + // value is currently 0. -+ uint8_t* processParameters = static_cast(peb.ProcessParameters); ++ auto processParameters = reinterpret_cast(peb.ProcessParameters); + const uint32_t loaderThreadsOffset = 0x40c; + uint32_t maxLoaderThreads = 0; + BOOL memoryRead = ::ReadProcessMemory( @@ -91,16 +69,16 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/s return base_address; } - }; // namespace sandbox - - void ResolveNTFunctionPtr(const char* name, void* ptr) { - static volatile HMODULE ntdll = NULL; - + DWORD GetTokenInformation(HANDLE token, + TOKEN_INFORMATION_CLASS info_class, + std::unique_ptr* buffer) { + // Get the required buffer size. + DWORD size = 0; diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.h b/security/sandbox/chromium/sandbox/win/src/win_utils.h --- a/security/sandbox/chromium/sandbox/win/src/win_utils.h 
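Review bot: Switching `peb.ProcessParameters` to `reinterpret_cast` drops the type check a `static_cast` from `PVOID` gave, and because the patch's own `PEB` additions to nt_internals.h are removed in the same change, the field's declared type now comes from the upstream header, which is not visible here; the cast's template argument is not rendered on this page either, so I am assuming the target is still `uint8_t*` as in the removed line. The read still depends on the magic `const uint32_t loaderThreadsOffset = 0x40c;`, guarded only by the "only update if the value is currently 0" check described in the comment. If the upstream process-parameters structure exposes the LoaderThreads field named in the commit description, reading it through the struct, or at least `static_assert(offsetof(<params struct>, LoaderThreads) == 0x40c);`, would tie the offset to a definition rather than a comment; if it does not, a comment naming the structure and the Windows builds the offset was checked against would help the next rebase. The enclosing GetProcessBaseAddress function starts outside this hunk.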
+++ b/security/sandbox/chromium/sandbox/win/src/win_utils.h -@@ -102,17 +102,18 @@ HKEY GetReservedKeyFromName(const base:: - bool ResolveRegistryName(base::string16 name, base::string16* resolved_name); +@@ -111,17 +111,18 @@ HKEY GetReservedKeyFromName(const std::w + bool ResolveRegistryName(std::wstring name, std::wstring* resolved_name); // Writes |length| bytes from the provided |buffer| into the address space of // |child_process|, at the specified |address|, preserving the original write @@ -112,10 +90,10 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.h b/security/sa + size_t length, + DWORD writeProtection = PAGE_WRITECOPY); - // Returns true if the provided path points to a pipe. - bool IsPipe(const base::string16& path); - - // Converts a NTSTATUS code to a Win32 error code. - DWORD GetLastErrorFromNtStatus(NTSTATUS status); - - // Returns the address of the main exe module in memory taking in account + // Allocates |buffer_bytes| in child (PAGE_READWRITE) and copies data + // from |local_buffer| in this process into |child|. |remote_buffer| + // contains the address in the chile. If a zero byte copy is + // requested |true| is returned and no allocation or copying is + // attempted. Returns false if allocation or copying fails. If + // copying fails, the allocation will be reversed. + bool CopyToChildMemory(HANDLE child, diff --git a/security/sandbox/chromium-shim/patches/after_update/consult_PermissionsService_for_file_access.patch b/security/sandbox/chromium-shim/patches/after_update/consult_PermissionsService_for_file_access.patch index ce4554e73305..be08d55a9a7d 100644 --- a/security/sandbox/chromium-shim/patches/after_update/consult_PermissionsService_for_file_access.patch +++ b/security/sandbox/chromium-shim/patches/after_update/consult_PermissionsService_for_file_access.patch @@ -30,10 +30,10 @@ 
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc FilesystemDispatcher::FilesystemDispatcher(PolicyBase* policy_base) : policy_base_(policy_base) { static const IPCCall create_params = { - {IPC_NTCREATEFILE_TAG, - {WCHAR_TYPE, - UINT32_TYPE, -@@ -110,16 +112,26 @@ bool FilesystemDispatcher::NtCreateFile( + {IpcTag::NTCREATEFILE, + {WCHAR_TYPE, UINT32_TYPE, UINT32_TYPE, UINT32_TYPE, UINT32_TYPE, + UINT32_TYPE, UINT32_TYPE}}, +@@ -105,16 +107,26 @@ bool FilesystemDispatcher::NtCreateFile( params[OpenFile::OPTIONS] = ParamPickerMake(create_options); params[OpenFile::BROKER] = ParamPickerMake(broker); @@ -41,7 +41,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc // are just middlemen in the operation since is the FileSystemPolicy which // knows what to do. EvalResult result = - policy_base_->EvalPolicy(IPC_NTCREATEFILE_TAG, params.GetBase()); + policy_base_->EvalPolicy(IpcTag::NTCREATEFILE, params.GetBase()); + + // If the policies forbid access (any result other than ASK_BROKER), + // then check for user-granted access to file. @@ -60,7 +60,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc file_attributes, share_access, create_disposition, create_options, &handle, &nt_status, &io_information)) { ipc->return_info.nt_status = STATUS_ACCESS_DENIED; -@@ -157,16 +169,26 @@ bool FilesystemDispatcher::NtOpenFile(IP +@@ -150,16 +162,26 @@ bool FilesystemDispatcher::NtOpenFile(IP params[OpenFile::OPTIONS] = ParamPickerMake(open_options); params[OpenFile::BROKER] = ParamPickerMake(broker); @@ -68,7 +68,7 @@ 
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc // are just middlemen in the operation since is the FileSystemPolicy which // knows what to do. EvalResult result = - policy_base_->EvalPolicy(IPC_NTOPENFILE_TAG, params.GetBase()); + policy_base_->EvalPolicy(IpcTag::NTOPENFILE, params.GetBase()); + + // If the policies forbid access (any result other than ASK_BROKER), + // then check for user-granted access to file. @@ -90,7 +90,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc --- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc +++ b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc -@@ -70,19 +70,16 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre +@@ -75,19 +75,16 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre CountedParameterSet params; const wchar_t* name_ptr = name.get(); params[OpenFile::NAME] = ParamPickerMake(name_ptr); @@ -99,7 +99,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32); params[OpenFile::BROKER] = ParamPickerMake(broker); -- if (!QueryBroker(IPC_NTCREATEFILE_TAG, params.GetBase())) +- if (!QueryBroker(IpcTag::NTCREATEFILE, params.GetBase())) - break; - SharedMemIPCClient ipc(memory); @@ -107,25 +107,25 @@ 
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c // The following call must match in the parameters with // FilesystemDispatcher::ProcessNtCreateFile. ResultCode code = - CrossCall(ipc, IPC_NTCREATEFILE_TAG, name.get(), attributes, + CrossCall(ipc, IpcTag::NTCREATEFILE, name.get(), attributes, desired_access_uint32, file_attributes, sharing, disposition, options_uint32, &answer); -@@ -154,19 +151,16 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF - CountedParameterSet params; +@@ -160,19 +157,16 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF const wchar_t* name_ptr = name.get(); + CountedParameterSet params; params[OpenFile::NAME] = ParamPickerMake(name_ptr); params[OpenFile::ACCESS] = ParamPickerMake(desired_access_uint32); params[OpenFile::DISPOSITION] = ParamPickerMake(disposition_uint32); params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32); params[OpenFile::BROKER] = ParamPickerMake(broker); -- if (!QueryBroker(IPC_NTOPENFILE_TAG, params.GetBase())) +- if (!QueryBroker(IpcTag::NTOPENFILE, params.GetBase())) - break; - SharedMemIPCClient ipc(memory); CrossCallReturn answer = {0}; ResultCode code = - CrossCall(ipc, IPC_NTOPENFILE_TAG, name.get(), attributes, + CrossCall(ipc, IpcTag::NTOPENFILE, name.get(), attributes, desired_access_uint32, sharing, options_uint32, &answer); if (SBOX_ALL_OK != code) break; diff --git a/security/sandbox/chromium-shim/patches/after_update/move_shared_memory_duplication_after_initialization.patch b/security/sandbox/chromium-shim/patches/after_update/move_shared_memory_duplication_after_initialization.patch new file mode 100644 index 000000000000..f8250b788dd0 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/after_update/move_shared_memory_duplication_after_initialization.patch 
@@ -0,0 +1,94 @@ +# HG changeset patch +# User Bob Owen +# Date 1577387989 0 +# Thu Dec 26 19:19:49 2019 +0000 +# Node ID 32adf437117bdca54be4959813acbb604f65137f +# Parent 214214029beb6cca606e11ba519d11cc7dbb37af +Bug 1605867: Don't duplicate IPC shared memory when we might fail to launch the process correctly. r=handyman + +Differential Revision: https://phabricator.services.mozilla.com/D58271 + +diff --git a/security/sandbox/chromium/sandbox/win/src/target_process.cc b/security/sandbox/chromium/sandbox/win/src/target_process.cc +--- a/security/sandbox/chromium/sandbox/win/src/target_process.cc ++++ b/security/sandbox/chromium/sandbox/win/src/target_process.cc +@@ -286,45 +286,28 @@ ResultCode TargetProcess::Init(Dispatche + shared_section_.Set(::CreateFileMappingW(INVALID_HANDLE_VALUE, nullptr, + PAGE_READWRITE | SEC_COMMIT, 0, + shared_mem_size, nullptr)); + if (!shared_section_.IsValid()) { + *win_error = ::GetLastError(); + return SBOX_ERROR_CREATE_FILE_MAPPING; + } + +- DWORD access = FILE_MAP_READ | FILE_MAP_WRITE | SECTION_QUERY; +- HANDLE target_shared_section; +- if (!::DuplicateHandle(::GetCurrentProcess(), shared_section_.Get(), +- sandbox_process_info_.process_handle(), +- &target_shared_section, access, false, 0)) { +- *win_error = ::GetLastError(); +- return SBOX_ERROR_DUPLICATE_SHARED_SECTION; +- } +- + void* shared_memory = ::MapViewOfFile( + shared_section_.Get(), FILE_MAP_WRITE | FILE_MAP_READ, 0, 0, 0); + if (!shared_memory) { + *win_error = ::GetLastError(); + return SBOX_ERROR_MAP_VIEW_OF_SHARED_SECTION; + } + + CopyPolicyToTarget(policy, shared_policy_size, + reinterpret_cast(shared_memory) + shared_IPC_size); + + ResultCode ret; + // Set the global variables in the target. These are not used on the broker. 
+- g_shared_section = target_shared_section; +- ret = TransferVariable("g_shared_section", &g_shared_section, +- sizeof(g_shared_section)); +- g_shared_section = nullptr; +- if (SBOX_ALL_OK != ret) { +- *win_error = ::GetLastError(); +- return ret; +- } + g_shared_IPC_size = shared_IPC_size; + ret = TransferVariable("g_shared_IPC_size", &g_shared_IPC_size, + sizeof(g_shared_IPC_size)); + g_shared_IPC_size = 0; + if (SBOX_ALL_OK != ret) { + *win_error = ::GetLastError(); + return ret; + } +@@ -339,16 +322,34 @@ ResultCode TargetProcess::Init(Dispatche + + ipc_server_.reset(new SharedMemIPCServer( + sandbox_process_info_.process_handle(), + sandbox_process_info_.process_id(), thread_pool_, ipc_dispatcher)); + + if (!ipc_server_->Init(shared_memory, shared_IPC_size, kIPCChannelSize)) + return SBOX_ERROR_NO_SPACE; + ++ DWORD access = FILE_MAP_READ | FILE_MAP_WRITE | SECTION_QUERY; ++ HANDLE target_shared_section; ++ if (!::DuplicateHandle(::GetCurrentProcess(), shared_section_.Get(), ++ sandbox_process_info_.process_handle(), ++ &target_shared_section, access, false, 0)) { ++ *win_error = ::GetLastError(); ++ return SBOX_ERROR_DUPLICATE_SHARED_SECTION; ++ } ++ ++ g_shared_section = target_shared_section; ++ ret = TransferVariable("g_shared_section", &g_shared_section, ++ sizeof(g_shared_section)); ++ g_shared_section = nullptr; ++ if (SBOX_ALL_OK != ret) { ++ *win_error = ::GetLastError(); ++ return ret; ++ } ++ + // After this point we cannot use this handle anymore. + ::CloseHandle(sandbox_process_info_.TakeThreadHandle()); + + return SBOX_ALL_OK; + } + + void TargetProcess::Terminate() { + if (!sandbox_process_info_.IsValid()) diff --git a/security/sandbox/chromium-shim/patches/after_update/patch_order.txt b/security/sandbox/chromium-shim/patches/after_update/patch_order.txt index 71365613997f..a34ddcfa41c2 100644 --- a/security/sandbox/chromium-shim/patches/after_update/patch_order.txt +++ b/security/sandbox/chromium-shim/patches/after_update/patch_order.txt 
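Review bot: The relocated `DuplicateHandle` / `TransferVariable("g_shared_section", ...)` block in TargetProcess::Init now sits after `ipc_server_->Init` with no comment, while the `// Set the global variables in the target. These are not used on the broker.` comment stays above the remaining `g_shared_IPC_size` transfer, so the reason the two transfers are now split is only in the commit message. A comment above the moved block, such as `// Duplicate the IPC section into the target only once the broker side is fully initialised, so a launch that fails before this point never leaves the child holding a handle to it.`, would keep the Bug 1605867 rationale in the source. Separately, on the new `TransferVariable` failure path the duplicated handle already lives in the child's handle table and is only released when the child is terminated; that matches the pre-existing pattern rather than being a regression, but is worth knowing when reading the error paths. The enclosing function starts before the first nested hunk.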
@@ -5,3 +5,4 @@ consult_PermissionsService_for_file_access.patch allow_flash_temporary_files.patch arm64_set_LoaderThreads.patch change_to_DCHECK_in_CloseHandleWrapper.patch +move_shared_memory_duplication_after_initialization.patch diff --git a/security/sandbox/chromium-shim/patches/with_update/aarch64_control_flow_guard.patch b/security/sandbox/chromium-shim/patches/with_update/aarch64_control_flow_guard.patch index 6f4bf8bffe01..5a5c2f95de92 100644 --- a/security/sandbox/chromium-shim/patches/with_update/aarch64_control_flow_guard.patch +++ b/security/sandbox/chromium-shim/patches/with_update/aarch64_control_flow_guard.patch @@ -17,11 +17,11 @@ Differential Revision: https://phabricator.services.mozilla.com/D29474 diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc --- a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc +++ b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc -@@ -400,16 +400,21 @@ void ConvertProcessMitigationsToPolicy(M +@@ -431,16 +431,21 @@ void ConvertProcessMitigationsToPolicy(M // Mitigations >= Win8.1: //---------------------------------------------------------------------------- - if (version >= base::win::VERSION_WIN8_1) { + if (version >= base::win::Version::WIN8_1) { if (flags & MITIGATION_DYNAMIC_CODE_DISABLE) { *policy_value_1 |= PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON; @@ -35,14 +35,14 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc b/ // Mitigations >= Win10: //---------------------------------------------------------------------------- - if (version >= base::win::VERSION_WIN10) { + if (version >= base::win::Version::WIN10) { if (flags & MITIGATION_NONSYSTEM_FONT_DISABLE) { *policy_value_1 |= PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON; 
diff --git a/security/sandbox/chromium/sandbox/win/src/security_level.h b/security/sandbox/chromium/sandbox/win/src/security_level.h --- a/security/sandbox/chromium/sandbox/win/src/security_level.h +++ b/security/sandbox/chromium/sandbox/win/src/security_level.h -@@ -273,11 +273,20 @@ const MitigationFlags MITIGATION_IMAGE_L +@@ -282,11 +282,20 @@ const MitigationFlags MITIGATION_IMAGE_L const MitigationFlags MITIGATION_IMAGE_LOAD_PREFER_SYS32 = 0x00100000; // Prevents hyperthreads from interfering with indirect branch predictions. diff --git a/security/sandbox/chromium-shim/patches/with_update/add_option_to_not_use_restricting_sids.patch b/security/sandbox/chromium-shim/patches/with_update/add_option_to_not_use_restricting_sids.patch index fcadd97fdf03..fb1253468783 100644 --- a/security/sandbox/chromium-shim/patches/with_update/add_option_to_not_use_restricting_sids.patch +++ b/security/sandbox/chromium-shim/patches/with_update/add_option_to_not_use_restricting_sids.patch @@ -12,7 +12,7 @@ https://hg.mozilla.org/mozilla-central/rev/14374cd9497a diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc --- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc +++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc -@@ -51,16 +51,17 @@ +@@ -51,16 +51,17 @@ DWORD GetObjectSecurityDescriptor(HANDLE } // namespace @@ -28,9 +28,9 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc if (lockdown_default_dacl) restricted_token.SetLockdownDefaultDacl(); - std::vector privilege_exceptions; + std::vector privilege_exceptions; std::vector sid_exceptions; -@@ -68,19 +69,22 @@ DWORD CreateRestrictedToken(TokenLevel s +@@ -73,19 +74,22 @@ DWORD CreateRestrictedToken(HANDLE effec deny_sids = false; remove_privileges = false; break; @@ -56,7 +56,7 @@ 
diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc sid_exceptions.push_back(WinWorldSid); sid_exceptions.push_back(WinInteractiveSid); sid_exceptions.push_back(WinAuthenticatedUserSid); -@@ -93,49 +97,57 @@ DWORD CreateRestrictedToken(TokenLevel s +@@ -108,49 +112,57 @@ DWORD CreateRestrictedToken(HANDLE effec break; } case USER_INTERACTIVE: { @@ -133,7 +133,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h --- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h +++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h -@@ -33,16 +33,17 @@ enum TokenType { +@@ -33,16 +33,17 @@ enum TokenType { IMPERSONATION = 0, PRIM // If the function succeeds, the return value is ERROR_SUCCESS. If the // function fails, the return value is the win32 error code corresponding to // the error. @@ -154,7 +154,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h --- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h +++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h -@@ -95,16 +95,21 @@ class TargetPolicy { +@@ -101,16 +101,21 @@ class TargetPolicy { virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) = 0; // Returns the initial token level. @@ -179,7 +179,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h b/securi diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc --- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc 
+++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc -@@ -149,16 +149,20 @@ ResultCode PolicyBase::SetTokenLevel(Tok +@@ -152,16 +152,20 @@ ResultCode PolicyBase::SetTokenLevel(Tok TokenLevel PolicyBase::GetInitialTokenLevel() const { return initial_level_; } @@ -200,7 +200,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/ ui_exceptions_ = ui_exceptions; return SBOX_ALL_OK; } -@@ -402,17 +406,18 @@ ResultCode PolicyBase::MakeJobObject(bas +@@ -413,17 +417,18 @@ ResultCode PolicyBase::MakeJobObject(bas ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial, base::win::ScopedHandle* lockdown, @@ -213,14 +213,14 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/ + PRIMARY, lockdown_default_dacl_, + use_restricting_sids_, lockdown); if (ERROR_SUCCESS != result) - return SBOX_ERROR_GENERIC; + return SBOX_ERROR_CANNOT_CREATE_RESTRICTED_TOKEN; // If we're launching on the alternate desktop we need to make sure the // integrity label on the object is no higher than the sandboxed process's // integrity level. So, we lower the label on the desktop process if it's // not already low enough for our process. if (use_alternate_desktop_ && integrity_level_ != INTEGRITY_LEVEL_LAST) { -@@ -466,17 +471,18 @@ ResultCode PolicyBase::MakeTokens(base:: +@@ -482,17 +487,18 @@ ResultCode PolicyBase::MakeTokens(base:: } } @@ -233,7 +233,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/ + IMPERSONATION, lockdown_default_dacl_, + use_restricting_sids_, initial); if (ERROR_SUCCESS != result) - return SBOX_ERROR_GENERIC; + return SBOX_ERROR_CANNOT_CREATE_RESTRICTED_IMP_TOKEN; return SBOX_ALL_OK; } @@ -243,7 +243,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h 
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h +++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h -@@ -37,16 +37,17 @@ class PolicyBase final : public TargetPo +@@ -41,16 +41,17 @@ class PolicyBase final : public TargetPo PolicyBase(); // TargetPolicy: @@ -257,11 +257,11 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h b/s JobLevel GetJobLevel() const override; ResultCode SetJobMemoryLimit(size_t memory_limit) override; ResultCode SetAlternateDesktop(bool alternate_winstation) override; - base::string16 GetAlternateDesktop() const override; + std::wstring GetAlternateDesktop() const override; ResultCode CreateAlternateDesktop(bool alternate_winstation) override; void DestroyAlternateDesktop() override; ResultCode SetIntegrityLevel(IntegrityLevel integrity_level) override; -@@ -122,16 +123,17 @@ class PolicyBase final : public TargetPo +@@ -134,16 +135,17 @@ class PolicyBase final : public TargetPo // The policy takes ownership of them. typedef std::list TargetSet; TargetSet targets_; diff --git a/security/sandbox/chromium-shim/patches/with_update/add_support_for_random_restricted_SID.patch b/security/sandbox/chromium-shim/patches/with_update/add_support_for_random_restricted_SID.patch new file mode 100644 index 000000000000..39f6b2538d57 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/add_support_for_random_restricted_SID.patch 
@@ -0,0 +1,461 @@ +# HG changeset patch +# User Bob Owen +# Date 1584045580 0 +# Thu Mar 12 20:39:40 2020 +0000 +# Node ID c996dbc3e3663fb372feb8e171562e86b09583b6 +# Parent f96efa1d9f5c676c0ee8fd80044a494258eff3d3 +Bug 1557282 Part 1: Take chromium commit c1ce57ea5d31208af589b4839390a44ab20b0c8f. r=handyman,gcp + +This adds AddRestrictingRandomSid feature, which fixes our issues with +SetLockdownDefaultDacl, apart from when we are running from a network drive. + +Differential Revision: https://phabricator.services.mozilla.com/D66610 + +diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token.cc +--- a/security/sandbox/chromium/sandbox/win/src/restricted_token.cc ++++ b/security/sandbox/chromium/sandbox/win/src/restricted_token.cc +@@ -141,16 +141,24 @@ DWORD RestrictedToken::GetRestrictedToke + } else { + // Modify the default dacl on the token to contain Restricted. + if (!AddSidToDefaultDacl(new_token.Get(), WinRestrictedCodeSid, + GRANT_ACCESS, GENERIC_ALL)) { + return ::GetLastError(); + } + } + ++ for (const auto& default_dacl_sid : sids_for_default_dacl_) { ++ if (!AddSidToDefaultDacl(new_token.Get(), std::get<0>(default_dacl_sid), ++ std::get<1>(default_dacl_sid), ++ std::get<2>(default_dacl_sid))) { ++ return ::GetLastError(); ++ } ++ } ++ + // Add user to default dacl. 
+ if (!AddUserSidToDefaultDacl(new_token.Get(), GENERIC_ALL)) + return ::GetLastError(); + + DWORD error = SetTokenIntegrityLevel(new_token.Get(), integrity_level_); + if (ERROR_SUCCESS != error) + return error; + +@@ -405,9 +413,20 @@ DWORD RestrictedToken::SetIntegrityLevel + integrity_level_ = integrity_level; + return ERROR_SUCCESS; + } + + void RestrictedToken::SetLockdownDefaultDacl() { + lockdown_default_dacl_ = true; + } + ++DWORD RestrictedToken::AddDefaultDaclSid(const Sid& sid, ++ ACCESS_MODE access_mode, ++ ACCESS_MASK access) { ++ DCHECK(init_); ++ if (!init_) ++ return ERROR_NO_TOKEN; ++ ++ sids_for_default_dacl_.push_back(std::make_tuple(sid, access_mode, access)); ++ return ERROR_SUCCESS; ++} ++ + } // namespace sandbox +diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token.h b/security/sandbox/chromium/sandbox/win/src/restricted_token.h +--- a/security/sandbox/chromium/sandbox/win/src/restricted_token.h ++++ b/security/sandbox/chromium/sandbox/win/src/restricted_token.h +@@ -2,16 +2,17 @@ + // Use of this source code is governed by a BSD-style license that can be + // found in the LICENSE file. + + #ifndef SANDBOX_SRC_RESTRICTED_TOKEN_H_ + #define SANDBOX_SRC_RESTRICTED_TOKEN_H_ + + #include + ++#include + #include + + #include + + #include "base/macros.h" + #include "base/win/scoped_handle.h" + #include "sandbox/win/src/restricted_token_utils.h" + #include "sandbox/win/src/security_level.h" +@@ -169,23 +170,31 @@ class RestrictedToken { + // Sets the token integrity level. This is only valid on Vista. The integrity + // level cannot be higher than your current integrity level. + DWORD SetIntegrityLevel(IntegrityLevel integrity_level); + + // Set a flag which indicates the created token should have a locked down + // default DACL when created. + void SetLockdownDefaultDacl(); + ++ // Add a SID to the default DACL. These SIDs are added regardless of the ++ // SetLockdownDefaultDacl state. 
++ DWORD AddDefaultDaclSid(const Sid& sid, ++ ACCESS_MODE access_mode, ++ ACCESS_MASK access); ++ + private: + // The list of restricting sids in the restricted token. + std::vector sids_to_restrict_; + // The list of privileges to remove in the restricted token. + std::vector privileges_to_disable_; + // The list of sids to mark as Deny Only in the restricted token. + std::vector sids_for_deny_only_; ++ // The list of sids to add to the default DACL of the restricted token. ++ std::vector> sids_for_default_dacl_; + // The token to restrict. Can only be set in a constructor. + base::win::ScopedHandle effective_token_; + // The token integrity level. Only valid on Vista. + IntegrityLevel integrity_level_; + // Tells if the object is initialized or not (if Init() has been called) + bool init_; + // Lockdown the default DACL when creating new tokens. + bool lockdown_default_dacl_; +diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc +--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc ++++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc +@@ -51,22 +51,29 @@ DWORD GetObjectSecurityDescriptor(HANDLE + + } // namespace + + DWORD CreateRestrictedToken(HANDLE effective_token, + TokenLevel security_level, + IntegrityLevel integrity_level, + TokenType token_type, + bool lockdown_default_dacl, ++ PSID unique_restricted_sid, + bool use_restricting_sids, + base::win::ScopedHandle* token) { + RestrictedToken restricted_token; + restricted_token.Init(effective_token); + if (lockdown_default_dacl) + restricted_token.SetLockdownDefaultDacl(); ++ if (unique_restricted_sid) { ++ restricted_token.AddDefaultDaclSid(Sid(unique_restricted_sid), GRANT_ACCESS, ++ GENERIC_ALL); ++ restricted_token.AddDefaultDaclSid(Sid(WinCreatorOwnerRightsSid), ++ GRANT_ACCESS, READ_CONTROL); ++ } + + std::vector privilege_exceptions; + std::vector sid_exceptions; + 
+ bool deny_sids = true; + bool remove_privileges = true; + + switch (security_level) { +@@ -118,50 +125,60 @@ DWORD CreateRestrictedToken(HANDLE effec + sid_exceptions.push_back(WinAuthenticatedUserSid); + privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME); + if (use_restricting_sids) { + restricted_token.AddRestrictingSid(WinBuiltinUsersSid); + restricted_token.AddRestrictingSid(WinWorldSid); + restricted_token.AddRestrictingSid(WinRestrictedCodeSid); + restricted_token.AddRestrictingSidCurrentUser(); + restricted_token.AddRestrictingSidLogonSession(); ++ if (unique_restricted_sid) ++ restricted_token.AddRestrictingSid(Sid(unique_restricted_sid)); + } + break; + } + case USER_LIMITED: { + sid_exceptions.push_back(WinBuiltinUsersSid); + sid_exceptions.push_back(WinWorldSid); + sid_exceptions.push_back(WinInteractiveSid); + privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME); + if (use_restricting_sids) { + restricted_token.AddRestrictingSid(WinBuiltinUsersSid); + restricted_token.AddRestrictingSid(WinWorldSid); + restricted_token.AddRestrictingSid(WinRestrictedCodeSid); ++ if (unique_restricted_sid) ++ restricted_token.AddRestrictingSid(Sid(unique_restricted_sid)); + + // This token has to be able to create objects in BNO. + // Unfortunately, on Vista+, it needs the current logon sid + // in the token to achieve this. You should also set the process to be + // low integrity level so it can't access object created by other + // processes. 
+ restricted_token.AddRestrictingSidLogonSession(); ++ } else { ++ restricted_token.AddUserSidForDenyOnly(); + } + break; + } + case USER_RESTRICTED: { + privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME); + restricted_token.AddUserSidForDenyOnly(); + if (use_restricting_sids) { + restricted_token.AddRestrictingSid(WinRestrictedCodeSid); ++ if (unique_restricted_sid) ++ restricted_token.AddRestrictingSid(Sid(unique_restricted_sid)); + } + break; + } + case USER_LOCKDOWN: { + restricted_token.AddUserSidForDenyOnly(); + if (use_restricting_sids) { + restricted_token.AddRestrictingSid(WinNullSid); ++ if (unique_restricted_sid) ++ restricted_token.AddRestrictingSid(Sid(unique_restricted_sid)); + } + break; + } + default: { return ERROR_BAD_ARGUMENTS; } + } + + DWORD err_code = ERROR_SUCCESS; + if (deny_sids) { +diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h +--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h ++++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h +@@ -33,16 +33,17 @@ enum TokenType { IMPERSONATION = 0, PRIM + // If the function succeeds, the return value is ERROR_SUCCESS. If the + // function fails, the return value is the win32 error code corresponding to + // the error. + DWORD CreateRestrictedToken(HANDLE effective_token, + TokenLevel security_level, + IntegrityLevel integrity_level, + TokenType token_type, + bool lockdown_default_dacl, ++ PSID unique_restricted_sid, + bool use_restricting_sids, + base::win::ScopedHandle* token); + + // Sets the integrity label on a object handle. 
+ DWORD SetObjectIntegrityLabel(HANDLE handle, + SE_OBJECT_TYPE type, + const wchar_t* ace_access, + const wchar_t* integrity_level_sid); +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h +--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h +@@ -256,16 +256,20 @@ class TargetPolicy { + // ownership of the handle. + virtual void AddHandleToShare(HANDLE handle) = 0; + + // Locks down the default DACL of the created lockdown and initial tokens + // to restrict what other processes are allowed to access a process' kernel + // resources. + virtual void SetLockdownDefaultDacl() = 0; + ++ // Adds a restricting random SID to the restricted SIDs list as well as ++ // the default DACL. ++ virtual void AddRestrictingRandomSid() = 0; ++ + // Enable OPM API redirection when in Win32k lockdown. + virtual void SetEnableOPMRedirection() = 0; + // Enable OPM API emulation when in Win32k lockdown. + virtual bool GetEnableOPMRedirection() = 0; + + // Configure policy to use an AppContainer profile. |package_name| is the + // name of the profile to use. 
Specifying True for |create_profile| ensures + // the profile exists, if set to False process creation will fail if the +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc +--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc +@@ -105,16 +105,17 @@ PolicyBase::PolicyBase() + delayed_integrity_level_(INTEGRITY_LEVEL_LAST), + mitigations_(0), + delayed_mitigations_(0), + is_csrss_connected_(true), + policy_maker_(nullptr), + policy_(nullptr), + lowbox_sid_(nullptr), + lockdown_default_dacl_(false), ++ add_restricting_random_sid_(false), + enable_opm_redirection_(false), + effective_token_(nullptr) { + ::InitializeCriticalSection(&lock_); + dispatcher_.reset(new TopLevelDispatcher(this)); + } + + PolicyBase::~PolicyBase() { + TargetSet::iterator it; +@@ -389,16 +390,20 @@ void PolicyBase::AddHandleToShare(HANDLE + + handles_to_share_.push_back(handle); + } + + void PolicyBase::SetLockdownDefaultDacl() { + lockdown_default_dacl_ = true; + } + ++void PolicyBase::AddRestrictingRandomSid() { ++ add_restricting_random_sid_ = true; ++} ++ + const base::HandlesToInheritVector& PolicyBase::GetHandlesBeingShared() { + return handles_to_share_; + } + + ResultCode PolicyBase::MakeJobObject(base::win::ScopedHandle* job) { + if (job_level_ == JOB_NONE) { + job->Close(); + return SBOX_ALL_OK; +@@ -413,22 +418,26 @@ ResultCode PolicyBase::MakeJobObject(bas + + *job = job_obj.Take(); + return SBOX_ALL_OK; + } + + ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial, + base::win::ScopedHandle* lockdown, + base::win::ScopedHandle* lowbox) { ++ Sid random_sid = Sid::GenerateRandomSid(); ++ PSID random_sid_ptr = nullptr; ++ if (add_restricting_random_sid_) ++ random_sid_ptr = random_sid.GetPSID(); ++ + // Create the 'naked' token. 
This will be the permanent token associated + // with the process and therefore with any thread that is not impersonating. +- DWORD result = +- CreateRestrictedToken(effective_token_, lockdown_level_, integrity_level_, +- PRIMARY, lockdown_default_dacl_, +- use_restricting_sids_, lockdown); ++ DWORD result = CreateRestrictedToken( ++ effective_token_, lockdown_level_, integrity_level_, PRIMARY, ++ lockdown_default_dacl_, random_sid_ptr, use_restricting_sids_, lockdown); + if (ERROR_SUCCESS != result) + return SBOX_ERROR_CANNOT_CREATE_RESTRICTED_TOKEN; + + // If we're launching on the alternate desktop we need to make sure the + // integrity label on the object is no higher than the sandboxed process's + // integrity level. So, we lower the label on the desktop process if it's + // not already low enough for our process. + if (use_alternate_desktop_ && integrity_level_ != INTEGRITY_LEVEL_LAST) { +@@ -485,20 +494,19 @@ ResultCode PolicyBase::MakeTokens(base:: + TOKEN_ALL_ACCESS)) { + return SBOX_ERROR_CANNOT_MODIFY_LOWBOX_TOKEN_DACL; + } + } + + // Create the 'better' token. We use this token as the one that the main + // thread uses when booting up the process. 
It should contain most of + // what we need (before reaching main( )) +- result = +- CreateRestrictedToken(effective_token_, initial_level_, integrity_level_, +- IMPERSONATION, lockdown_default_dacl_, +- use_restricting_sids_, initial); ++ result = CreateRestrictedToken( ++ effective_token_, initial_level_, integrity_level_, IMPERSONATION, ++ lockdown_default_dacl_, random_sid_ptr, use_restricting_sids_, initial); + if (ERROR_SUCCESS != result) + return SBOX_ERROR_CANNOT_CREATE_RESTRICTED_IMP_TOKEN; + + return SBOX_ALL_OK; + } + + PSID PolicyBase::GetLowBoxSid() const { + return lowbox_sid_; +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h +--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h +@@ -69,16 +69,17 @@ class PolicyBase final : public TargetPo + ResultCode AddRule(SubSystem subsystem, + Semantics semantics, + const wchar_t* pattern) override; + ResultCode AddDllToUnload(const wchar_t* dll_name) override; + ResultCode AddKernelObjectToClose(const wchar_t* handle_type, + const wchar_t* handle_name) override; + void AddHandleToShare(HANDLE handle) override; + void SetLockdownDefaultDacl() override; ++ void AddRestrictingRandomSid() override; + void SetEnableOPMRedirection() override; + bool GetEnableOPMRedirection() override; + ResultCode AddAppContainerProfile(const wchar_t* package_name, + bool create_profile) override; + scoped_refptr GetAppContainerProfile() override; + void SetEffectiveToken(HANDLE token) override; + + // Get the AppContainer profile as its internal type. +@@ -165,16 +166,17 @@ class PolicyBase final : public TargetPo + // This is a map of handle-types to names that we need to close in the + // target process. A null set means we need to close all handles of the + // given type. 
+ HandleCloser handle_closer_; + PSID lowbox_sid_; + base::win::ScopedHandle lowbox_directory_; + std::unique_ptr dispatcher_; + bool lockdown_default_dacl_; ++ bool add_restricting_random_sid_; + + static HDESK alternate_desktop_handle_; + static HWINSTA alternate_winstation_handle_; + static HDESK alternate_desktop_local_winstation_handle_; + static IntegrityLevel alternate_desktop_integrity_level_label_; + static IntegrityLevel + alternate_desktop_local_winstation_integrity_level_label_; + +diff --git a/security/sandbox/chromium/sandbox/win/src/sid.cc b/security/sandbox/chromium/sandbox/win/src/sid.cc +--- a/security/sandbox/chromium/sandbox/win/src/sid.cc ++++ b/security/sandbox/chromium/sandbox/win/src/sid.cc +@@ -2,18 +2,20 @@ + // Use of this source code is governed by a BSD-style license that can be + // found in the LICENSE file. + + #include "sandbox/win/src/sid.h" + + #include + + #include ++#include + + #include "base/logging.h" ++#include "base/rand_util.h" + #include "base/win/windows_version.h" + #include "sandbox/win/src/win_utils.h" + + namespace sandbox { + + namespace { + + DWORD WellKnownCapabilityToRid(WellKnownCapabilities capability) { +@@ -127,16 +129,24 @@ Sid Sid::FromSubAuthorities(PSID_IDENTIF + + Sid Sid::AllRestrictedApplicationPackages() { + SID_IDENTIFIER_AUTHORITY package_authority = {SECURITY_APP_PACKAGE_AUTHORITY}; + DWORD sub_authorities[] = {SECURITY_APP_PACKAGE_BASE_RID, + SECURITY_BUILTIN_PACKAGE_ANY_RESTRICTED_PACKAGE}; + return FromSubAuthorities(&package_authority, 2, sub_authorities); + } + ++Sid Sid::GenerateRandomSid() { ++ SID_IDENTIFIER_AUTHORITY package_authority = {SECURITY_NULL_SID_AUTHORITY}; ++ DWORD sub_authorities[4] = {}; ++ base::RandBytes(&sub_authorities, sizeof(sub_authorities)); ++ return FromSubAuthorities(&package_authority, _countof(sub_authorities), ++ sub_authorities); ++} ++ + PSID Sid::GetPSID() const { + return const_cast(sid_); + } + + bool Sid::IsValid() const { + return 
!!::IsValidSid(GetPSID()); + } + +diff --git a/security/sandbox/chromium/sandbox/win/src/sid.h b/security/sandbox/chromium/sandbox/win/src/sid.h +--- a/security/sandbox/chromium/sandbox/win/src/sid.h ++++ b/security/sandbox/chromium/sandbox/win/src/sid.h +@@ -47,16 +47,18 @@ class Sid { + // Create a Sid from a SDDL format string, such as S-1-1-0. + static Sid FromSddlString(const wchar_t* sddl_sid); + // Create a Sid from a set of sub authorities. + static Sid FromSubAuthorities(PSID_IDENTIFIER_AUTHORITY identifier_authority, + BYTE sub_authority_count, + PDWORD sub_authorities); + // Create the restricted all application packages sid. + static Sid AllRestrictedApplicationPackages(); ++ // Generate a random SID value. ++ static Sid GenerateRandomSid(); + + // Returns sid_. + PSID GetPSID() const; + + // Gets whether the sid is valid. + bool IsValid() const; + + // Converts the SID to a SDDL format string. diff --git a/security/sandbox/chromium-shim/patches/with_update/allow_env_changes.patch b/security/sandbox/chromium-shim/patches/with_update/allow_env_changes.patch index 133056848bac..99fe5e99bc17 100644 --- a/security/sandbox/chromium-shim/patches/with_update/allow_env_changes.patch +++ b/security/sandbox/chromium-shim/patches/with_update/allow_env_changes.patch @@ -9,7 +9,7 @@ Bug 1297740. diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.cc b/security/sandbox/chromium/sandbox/win/src/broker_services.cc --- a/security/sandbox/chromium/sandbox/win/src/broker_services.cc +++ b/security/sandbox/chromium/sandbox/win/src/broker_services.cc -@@ -301,16 +301,17 @@ DWORD WINAPI BrokerServicesBase::TargetE +@@ -414,16 +414,17 @@ DWORD WINAPI BrokerServicesBase::TargetE NOTREACHED(); return 0; } @@ -27,7 +27,7 @@ 
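Review bot: In `CreateRestrictedToken` both new `restricted_token.AddDefaultDaclSid(...)` calls discard their `DWORD` result, although `AddDefaultDaclSid` returns `ERROR_NO_TOKEN` when `init_` is false; `Init` is called two lines earlier so it cannot fail today, but the rest of the function propagates Win32 errors, and the result should be handled the same way, e.g. `DWORD err = restricted_token.AddDefaultDaclSid(Sid(unique_restricted_sid), GRANT_ACCESS, GENERIC_ALL); if (err != ERROR_SUCCESS) return err;` for each call. The `USER_LIMITED` case also gains an `else { restricted_token.AddUserSidForDenyOnly(); }` arm on the `use_restricting_sids == false` path, a change to the token shape that the patch description ("adds AddRestrictingRandomSid feature") does not mention; if this is a local addition rather than part of the upstream commit it should be called out there, since it affects every non-restricting-SID USER_LIMITED token. `PolicyBase::MakeTokens` calls `Sid::GenerateRandomSid()` on every invocation even when `add_restricting_random_sid_` is false, which is harmless but obscures intent. The header comment `// Generate a random SID value.` could say what the value is built from and relied upon for, e.g. `// Generate a SID under the NULL authority from 128 bits of base::RandBytes; it is added both to the restricting-SID list and the default DACL, so it is presumably expected to be unguessable by other processes.`. `CreateRestrictedToken`'s switch and `PolicyBase::MakeTokens` both continue outside their hunks.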
diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.cc b/secu return SBOX_ERROR_BAD_PARAMS; if (!policy) -@@ -486,17 +487,17 @@ ResultCode BrokerServicesBase::SpawnTarg +@@ -609,17 +610,17 @@ ResultCode BrokerServicesBase::SpawnTarg // Brokerservices does not own the target object. It is owned by the Policy. base::win::ScopedProcessInformation process_info; TargetProcess* target = new TargetProcess( @@ -65,9 +65,9 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.h b/secur #include "sandbox/win/src/crosscall_server.h" #include "sandbox/win/src/job.h" #include "sandbox/win/src/sandbox.h" + #include "sandbox/win/src/sandbox_policy_base.h" #include "sandbox/win/src/sharedmem_ipc_server.h" - #include "sandbox/win/src/win2k_threadpool.h" -@@ -45,16 +46,17 @@ class BrokerServicesBase final : public +@@ -39,16 +40,17 @@ class BrokerServicesBase final : public ~BrokerServicesBase(); @@ -88,7 +88,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.h b/secur diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sandbox/chromium/sandbox/win/src/sandbox.h --- a/security/sandbox/chromium/sandbox/win/src/sandbox.h +++ b/security/sandbox/chromium/sandbox/win/src/sandbox.h -@@ -79,16 +79,17 @@ class BrokerServices { +@@ -84,16 +84,17 @@ class BrokerServices { // parameter will hold the last Win32 error value. // target: returns the resulting target process information such as process // handle and PID just as if CreateProcess() had been called. The caller is @@ -109,7 +109,25 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sand diff --git a/security/sandbox/chromium/sandbox/win/src/target_process.cc b/security/sandbox/chromium/sandbox/win/src/target_process.cc --- a/security/sandbox/chromium/sandbox/win/src/target_process.cc 
+++ b/security/sandbox/chromium/sandbox/win/src/target_process.cc -@@ -137,16 +137,17 @@ TargetProcess::~TargetProcess() { +@@ -9,16 +9,17 @@ + + #include + #include + #include + + #include "base/macros.h" + #include "base/memory/free_deleter.h" + #include "base/numerics/safe_conversions.h" ++#include "base/process/environment_internal.h" + #include "base/win/startup_information.h" + #include "base/win/windows_version.h" + #include "sandbox/win/src/crosscall_client.h" + #include "sandbox/win/src/crosscall_server.h" + #include "sandbox/win/src/policy_low_level.h" + #include "sandbox/win/src/restricted_token_utils.h" + #include "sandbox/win/src/sandbox_types.h" + #include "sandbox/win/src/security_capabilities.h" +@@ -137,16 +138,17 @@ TargetProcess::~TargetProcess() { // Creates the target (child) process suspended and assigns it to the job // object. ResultCode TargetProcess::Create( @@ -127,10 +145,10 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/target_process.cc b/secur // Start the target process suspended. DWORD flags = -@@ -156,22 +157,29 @@ ResultCode TargetProcess::Create( +@@ -156,22 +158,29 @@ ResultCode TargetProcess::Create( flags |= EXTENDED_STARTUPINFO_PRESENT; - if (job_ && base::win::GetVersion() < base::win::VERSION_WIN8) { + if (job_ && base::win::GetVersion() < base::win::Version::WIN8) { // Windows 8 implements nested jobs, but for older systems we need to // break out of any job we're in to enforce our restrictions. flags |= CREATE_BREAKAWAY_FROM_JOB; @@ -138,7 +156,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/target_process.cc b/secur + LPTCH original_environment = GetEnvironmentStrings(); + base::NativeEnvironmentString new_environment = -+ base::AlterEnvironment(original_environment, env_changes); ++ base::internal::AlterEnvironment(original_environment, env_changes); + // Ignore return value? What can we do? + FreeEnvironmentStrings(original_environment); + LPVOID new_env_ptr = (void*)new_environment.data(); 
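Review bot: The rebased `TargetProcess::Create` now depends on `base::internal::AlterEnvironment` and `#include "base/process/environment_internal.h"`, i.e. on a helper that base marks as internal rather than public API, so it can move or change signature on the next chromium update without any compile-time hint that this patch needs attention; a one-line note beside the include would save the next rebase some digging: `// base::internal::AlterEnvironment is not public base API; re-check on each chromium update.`. The surrounding `GetEnvironmentStrings` / `FreeEnvironmentStrings` handling and the `// Ignore return value? What can we do?` remark are unchanged context, and `TargetProcess::Create` continues past the hunk.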
diff --git a/security/sandbox/chromium-shim/patches/with_update/allow_read_only_all_paths_rule.patch b/security/sandbox/chromium-shim/patches/with_update/allow_read_only_all_paths_rule.patch index 55cec1fe8820..b147e5f9fee6 100644 --- a/security/sandbox/chromium-shim/patches/with_update/allow_read_only_all_paths_rule.patch +++ b/security/sandbox/chromium-shim/patches/with_update/allow_read_only_all_paths_rule.patch @@ -6,7 +6,9 @@ # Parent 96707276b26997ea2a8e9fd8fdacc0c863717e7b Allow a special all paths rule in the Windows process sandbox when using semantics FILES_ALLOW_READONLY. r=jimm -This also changes the read only related status checks in filesystem_interception.cc to include STATUS_NETWORK_OPEN_RESTRICTION (0xC0000201), which gets returned in some cases and fails because we never ask the broker. +This also changes the read only related status checks in filesystem_interception.cc +to include STATUS_NETWORK_OPEN_RESTRICTION (0xC0000201), which gets returned in +some cases and fails because we never ask the broker. diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc --- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc @@ -52,7 +54,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c do { if (!ValidParameter(file, sizeof(HANDLE), WRITE)) -@@ -106,17 +111,18 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre +@@ -106,17 +111,18 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF ACCESS_MASK desired_access, POBJECT_ATTRIBUTES object_attributes, PIO_STATUS_BLOCK io_status, @@ -92,7 +94,7 @@ 
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.c do { if (!ValidParameter(file_attributes, sizeof(FILE_BASIC_INFORMATION), WRITE)) -@@ -232,17 +239,18 @@ NTSTATUS WINAPI TargetNtQueryAttributesF +@@ -232,17 +239,18 @@ TargetNtQueryAttributesFile(NtQueryAttri NTSTATUS WINAPI TargetNtQueryFullAttributesFile( NtQueryFullAttributesFileFunction orig_QueryFullAttributes, @@ -119,7 +121,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc b/se bool FileSystemPolicy::GenerateRules(const wchar_t* name, TargetPolicy::Semantics semantics, LowLevelPolicy* policy) { - base::string16 mod_name(name); + std::wstring mod_name(name); if (mod_name.empty()) { return false; } diff --git a/security/sandbox/chromium-shim/patches/with_update/fix_incorrect_int_use_in_Kernel32BaseVersion.patch b/security/sandbox/chromium-shim/patches/with_update/fix_incorrect_int_use_in_Kernel32BaseVersion.patch deleted file mode 100644 index 07b2445d9146..000000000000 --- a/security/sandbox/chromium-shim/patches/with_update/fix_incorrect_int_use_in_Kernel32BaseVersion.patch +++ /dev/null 
@@ -1,40 +0,0 @@
-# HG changeset patch
-# User Bob Owen
-# Date 1549903491 0
-# Mon Feb 11 16:44:51 2019 +0000
-# Node ID 3bb3e5a6275db53530d50549b7b329cc1248d450
-# Parent fc9d5e40028058abeb06f8bdc2f75fc868fbe14b
-
-Fix incorrect int use in Kernel32BaseVersion in windows_version.cc. r=aklotz
-
-diff --git a/security/sandbox/chromium/base/win/windows_version.cc b/security/sandbox/chromium/base/win/windows_version.cc
---- a/security/sandbox/chromium/base/win/windows_version.cc
-+++ b/security/sandbox/chromium/base/win/windows_version.cc
-@@ -236,23 +236,23 @@ Version OSInfo::Kernel32Version() const
- // kernel32 will still be the "real" version.
- base::Version OSInfo::Kernel32BaseVersion() const {
- static const base::NoDestructor version([] {
- std::unique_ptr file_version_info(
- static_cast(
- FileVersionInfoWin::CreateFileVersionInfo(
- base::FilePath(FILE_PATH_LITERAL("kernel32.dll")))));
- DCHECK(file_version_info);
-- const int major =
-+ const uint32_t major =
- HIWORD(file_version_info->fixed_file_info()->dwFileVersionMS);
-- const int minor =
-+ const uint32_t minor =
- LOWORD(file_version_info->fixed_file_info()->dwFileVersionMS);
-- const int build =
-+ const uint32_t build =
- HIWORD(file_version_info->fixed_file_info()->dwFileVersionLS);
-- const int patch =
-+ const uint32_t patch =
- LOWORD(file_version_info->fixed_file_info()->dwFileVersionLS);
- return base::Version(std::vector{major, minor, build, patch});
- }());
- return *version;
- }
-
- std::string OSInfo::processor_model_name() {
- if (processor_model_name_.empty()) {
diff --git a/security/sandbox/chromium-shim/patches/with_update/ifdef_out_AppContainerProfileBase_testing_functions.patch b/security/sandbox/chromium-shim/patches/with_update/ifdef_out_AppContainerProfileBase_testing_functions.patch
index af9f30ffbace..325d23cc1926 100644
--- a/security/sandbox/chromium-shim/patches/with_update/ifdef_out_AppContainerProfileBase_testing_functions.patch
+++ b/security/sandbox/chromium-shim/patches/with_update/ifdef_out_AppContainerProfileBase_testing_functions.patch @@ -46,7 +46,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/app_container_profile_bas GetModuleHandle(L"userenv"), "GetAppContainerFolderPath")); if (!get_app_container_folder_path) return false; - base::string16 sddl_str; + std::wstring sddl_str; if (!package_sid_.ToSddlString(&sddl_str)) return false; base::win::ScopedCoMem path_str; @@ -62,7 +62,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/app_container_profile_bas +#if defined(MOZ_SANDBOX) + IMMEDIATE_CRASH(); +#else - base::string16 sddl_str; + std::wstring sddl_str; if (!package_sid_.ToSddlString(&sddl_str)) return false; *pipe_path = base::FilePath(base::StringPrintf(L"\\\\.\\pipe\\%ls\\%ls", diff --git a/security/sandbox/chromium-shim/patches/with_update/ifdef_out_ApplyMitigationsToCurrentThread.patch b/security/sandbox/chromium-shim/patches/with_update/ifdef_out_ApplyMitigationsToCurrentThread.patch deleted file mode 100644 index 872544a612dd..000000000000 --- a/security/sandbox/chromium-shim/patches/with_update/ifdef_out_ApplyMitigationsToCurrentThread.patch +++ /dev/null 
@@ -1,52 +0,0 @@
-# HG changeset patch
-# User Bob Owen
-# Date 1509027042 -3600
-# Thu Oct 26 15:10:42 2017 +0100
-# Node ID c4557696d42ef22c6eccfd178b3d739a265e2894
-# Parent ec58d9068a540487e67c0eac2c60c53dea31d3c3
-Don't compile sandbox::ApplyMitigationsToCurrentThread. r=aklotz
-
-This brings in new dependencies via FilePath and we don't currently use it.
-As far as I can tell Chromium doesn't use it either.
-
-diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
---- a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
-+++ b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
-@@ -230,16 +230,19 @@ bool ApplyProcessMitigationsToCurrentPro
- ERROR_ACCESS_DENIED != ::GetLastError()) {
- return false;
- }
- }
-
- return true;
- }
-
-+// This function isn't used yet and adds dependencies for FilePath and
-+// ScopedNativeLibrary.
-+#if !defined(MOZ_SANDBOX)
- bool ApplyMitigationsToCurrentThread(MitigationFlags flags) {
- if (!CanSetMitigationsPerThread(flags))
- return false;
-
- base::win::Version version = base::win::GetVersion();
-
- if (version < base::win::VERSION_WIN10_RS1)
- return true;
-@@ -263,16 +266,17 @@ bool ApplyMitigationsToCurrentThread(Mit
- if (!set_thread_info_function(::GetCurrentThread(), ThreadDynamicCodePolicy,
- &thread_policy, sizeof(thread_policy))) {
- return false;
- }
- }
-
- return true;
- }
-+#endif
-
- void ConvertProcessMitigationsToPolicy(MitigationFlags flags,
- DWORD64* policy_flags,
- size_t* size) {
- base::win::Version version = base::win::GetVersion();
-
- *policy_flags = 0;
- #if defined(_WIN64)
diff --git a/security/sandbox/chromium-shim/patches/with_update/ifdef_out_FromStringInternal.patch b/security/sandbox/chromium-shim/patches/with_update/ifdef_out_FromStringInternal.patch
index b668b50bdba1..411d8965707b 100644
--- a/security/sandbox/chromium-shim/patches/with_update/ifdef_out_FromStringInternal.patch +++ b/security/sandbox/chromium-shim/patches/with_update/ifdef_out_FromStringInternal.patch @@ -14,10 +14,10 @@ https://hg.mozilla.org/mozilla-central/rev/477b991bf6fa7b4511768649c9bf37c7275d3 diff --git a/security/sandbox/chromium/base/time/time.cc b/security/sandbox/chromium/base/time/time.cc --- a/security/sandbox/chromium/base/time/time.cc +++ b/security/sandbox/chromium/base/time/time.cc -@@ -241,16 +241,17 @@ Time Time::LocalMidnight() const { - Time out_time; - if (FromLocalExploded(exploded, &out_time)) - return out_time; +@@ -281,16 +281,17 @@ Time Time::Midnight(bool is_local) const + if (FromExploded(is_local, exploded, &out_time)) + return out_time; + } // This function must not fail. NOTREACHED(); return Time(); @@ -32,7 +32,7 @@ diff --git a/security/sandbox/chromium/base/time/time.cc b/security/sandbox/chro if (time_string[0] == '\0') return false; -@@ -261,16 +262,17 @@ bool Time::FromStringInternal(const char +@@ -301,16 +302,17 @@ bool Time::FromStringInternal(const char &result_time); if (PR_SUCCESS != result) return false; diff --git a/security/sandbox/chromium-shim/patches/with_update/lower_SDK_version_requirement.patch b/security/sandbox/chromium-shim/patches/with_update/lower_SDK_version_requirement.patch new file mode 100644 index 000000000000..185e128d837d --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/lower_SDK_version_requirement.patch 
@@ -0,0 +1,34 @@
+# HG changeset patch
+# User Toshihito Kikuchi
+# Date 1588735588 25200
+# Tue May 05 20:26:28 2020 -0700
+# Node ID 8214c0253f550d73b5e79dfd825b09f5c1a06fbd
+# Parent 2d5ee142bde533ba4f93afaae081a444eac0abe2
+Lower SDK version requirement from 19H1 to RS4. r=bobowen
+
+We still use 10.0.17134.0 SDK while Chromium requires 10.0.18362.0 or higher.
+
+diff --git a/security/sandbox/chromium/base/win/windows_version.cc b/security/sandbox/chromium/base/win/windows_version.cc
+--- a/security/sandbox/chromium/base/win/windows_version.cc
++++ b/security/sandbox/chromium/base/win/windows_version.cc
+@@ -17,18 +17,18 @@
+ #include "base/strings/string_util.h"
+ #include "base/strings/utf_string_conversions.h"
+ #include "base/win/registry.h"
+
+ #if !defined(__clang__) && _MSC_FULL_VER < 191125507
+ #error VS 2017 Update 3.2 or higher is required
+ #endif
+
+-#if !defined(NTDDI_WIN10_19H1)
+-#error Windows 10.0.18362.0 SDK or higher required.
++#if !defined(NTDDI_WIN10_RS4)
++#error Windows 10.0.17134.0 SDK or higher required.
+ #endif
+
+ namespace base {
+ namespace win {
+
+ namespace {
+
+ // The values under the CurrentVersion registry hive are mirrored under
diff --git a/security/sandbox/chromium-shim/patches/with_update/mingw_base_win_get_caller.patch b/security/sandbox/chromium-shim/patches/with_update/mingw_base_win_get_caller.patch
deleted file mode 100644
index 762b2054f0f4..000000000000
--- a/security/sandbox/chromium-shim/patches/with_update/mingw_base_win_get_caller.patch
+++ /dev/null
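Review bot: The new guard `#if !defined(NTDDI_WIN10_RS4)` in windows_version.cc lowers the SDK floor that upstream Chromium enforces, but the patch description only records that the tree still builds with the 10.0.17134.0 SDK, not whether anything in the imported base/win sources relies on 19H1-only SDK definitions or how that was checked. Since this `#error` is the only place a too-old SDK is caught, a 19H1-only symbol introduced by a later Chromium update would surface as an unrelated compile failure rather than this message. Consider extending the description with a sentence naming what was verified (for example, that the imported files use no declarations gated on NTDDI_WIN10_19H1), so the next sandbox update re-checks it instead of inheriting the lowered guard.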
@@ -1,37 +0,0 @@ -# HG changeset patch -# User Tom Ritter -# Date 1516824525 21600 -# Wed Jan 24 14:08:45 2018 -0600 -# Node ID b09622ad2731f02ed7f231295bc9421d76b083e6 -# Parent 2b890d81a1e3ebc4872958022c8d425d5689b31d -Bug 1432790 Remove a stray \ to fix the MinGW build. r?bobowen - -The GCC case includes a stray \ at the end of the line that gcc -complains about. - -For reference purposes, this commit is a combination of Bug 1431621 -and Bug 1432790 combined together so that it looks like I hadn't -screwed it up. - -diff --git a/security/sandbox/chromium/base/win/scoped_handle.h b/security/sandbox/chromium/base/win/scoped_handle.h ---- a/security/sandbox/chromium/base/win/scoped_handle.h -+++ b/security/sandbox/chromium/base/win/scoped_handle.h -@@ -13,17 +13,17 @@ - #include "base/logging.h" - #include "base/macros.h" - - // TODO(rvargas): remove this with the rest of the verifier. - #if defined(COMPILER_MSVC) - #include - #define BASE_WIN_GET_CALLER _ReturnAddress() - #elif defined(COMPILER_GCC) --#define BASE_WIN_GET_CALLER __builtin_extract_return_addr(\\ -+#define BASE_WIN_GET_CALLER __builtin_extract_return_addr(\ - __builtin_return_address(0)) - #endif - - namespace base { - namespace win { - - // Generic wrapper for raw handles that takes care of closing handles - // automatically. The class interface follows the style of diff --git a/security/sandbox/chromium-shim/patches/with_update/mingw_capitalization.patch b/security/sandbox/chromium-shim/patches/with_update/mingw_capitalization.patch index 0a6769f13dc6..0c2703230744 100644 --- a/security/sandbox/chromium-shim/patches/with_update/mingw_capitalization.patch +++ b/security/sandbox/chromium-shim/patches/with_update/mingw_capitalization.patch @@ -32,10 +32,10 @@ diff --git a/security/sandbox/chromium/base/win/pe_image.h b/security/sandbox/ch --- a/security/sandbox/chromium/base/win/pe_image.h +++ b/security/sandbox/chromium/base/win/pe_image.h 
@@ -14,17 +14,17 @@ - #include - #include + #include + #if defined(_WIN32_WINNT_WIN8) // The Windows 8 SDK defines FACILITY_VISUALCPP in winerror.h. #undef FACILITY_VISUALCPP diff --git a/security/sandbox/chromium-shim/patches/with_update/mingw_cast_getprocaddress.patch b/security/sandbox/chromium-shim/patches/with_update/mingw_cast_getprocaddress.patch index 5e7de50c77a1..1251be114fce 100644 --- a/security/sandbox/chromium-shim/patches/with_update/mingw_cast_getprocaddress.patch +++ b/security/sandbox/chromium-shim/patches/with_update/mingw_cast_getprocaddress.patch @@ -20,14 +20,14 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/target_process.cc b/secur #if SANDBOX_EXPORTS HMODULE module = ::LoadLibrary(exe_name_.get()); if (!module) - return SBOX_ERROR_GENERIC; + return SBOX_ERROR_CANNOT_LOADLIBRARY_EXECUTABLE; - child_var = ::GetProcAddress(module, name); + child_var = reinterpret_cast(::GetProcAddress(module, name)); ::FreeLibrary(module); if (!child_var) - return SBOX_ERROR_GENERIC; + return SBOX_ERROR_CANNOT_FIND_VARIABLE_ADDRESS; size_t offset = reinterpret_cast(child_var) - reinterpret_cast(module); diff --git a/security/sandbox/chromium-shim/patches/with_update/mingw_offsetof.patch b/security/sandbox/chromium-shim/patches/with_update/mingw_offsetof.patch index 761fbf47c329..89072da69b1a 100644 --- a/security/sandbox/chromium-shim/patches/with_update/mingw_offsetof.patch +++ b/security/sandbox/chromium-shim/patches/with_update/mingw_offsetof.patch @@ -11,7 +11,7 @@ MozReview-Commit-ID: D7REZiAIMpN diff --git a/security/sandbox/chromium/sandbox/win/src/crosscall_params.h b/security/sandbox/chromium/sandbox/win/src/crosscall_params.h --- a/security/sandbox/chromium/sandbox/win/src/crosscall_params.h +++ b/security/sandbox/chromium/sandbox/win/src/crosscall_params.h -@@ -61,16 +61,17 @@ union MultiType { +@@ -78,16 +78,17 @@ union MultiType { ULONG_PTR ulong_ptr; }; @@ -29,9 +29,9 @@ 
diff --git a/security/sandbox/chromium/sandbox/win/src/crosscall_params.h b/secu uint32_t offset_; uint32_t size_; }; -@@ -271,16 +272,18 @@ class ActualCallParams : public CrossCal +@@ -287,16 +288,18 @@ class ActualCallParams : public CrossCal protected: - ActualCallParams() : CrossCallParams(0, NUMBER_PARAMS) { } + ActualCallParams() : CrossCallParams(IpcTag::UNUSED, NUMBER_PARAMS) {} private: ParamInfo param_info_[NUMBER_PARAMS + 1]; @@ -167,7 +167,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/crosscall_server.cc b/sec // Avoid compiler optimizations across this point. Any value stored in // memory should be stored for real, and values previously read from memory // should be actually read. - base::subtle::MemoryBarrier(); + std::atomic_thread_fence(std::memory_order_seq_cst); - min_declared_size = - sizeof(CrossCallParams) + ((param_count + 1) * sizeof(ParamInfo)); diff --git a/security/sandbox/chromium-shim/patches/with_update/mingw_undefine_MemoryBarrier.patch b/security/sandbox/chromium-shim/patches/with_update/mingw_undefine_MemoryBarrier.patch deleted file mode 100644 index 9a8492ca0152..000000000000 --- a/security/sandbox/chromium-shim/patches/with_update/mingw_undefine_MemoryBarrier.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -# HG changeset patch -# User Bob Owen -# Date 1558340081 -3600 -# Mon May 20 09:14:41 2019 +0100 -# Node ID ba49022852e0cd13ddb6afa501b61c1f603d60b7 -# Parent 672e222dce87dd64c3e2a1381d16aec71b21aef6 -Bug 1552160: always undefine MemoryBarrier in Windows sandbox on MinGW. - -diff --git a/security/sandbox/chromium/base/atomicops.h b/security/sandbox/chromium/base/atomicops.h ---- a/security/sandbox/chromium/base/atomicops.h -+++ b/security/sandbox/chromium/base/atomicops.h -@@ -34,17 +34,17 @@ - // identify the STL implementation. - // - libc++: captures __config for _LIBCPP_VERSION - // - libstdc++: captures bits/c++config.h for __GLIBCXX__ - #include - - #include "base/base_export.h" - #include "build/build_config.h" - --#if defined(OS_WIN) && defined(ARCH_CPU_64_BITS) -+#if defined(OS_WIN) && (defined(ARCH_CPU_64_BITS) || defined(__MINGW32__)) - // windows.h #defines this (only on x64). This causes problems because the - // public API also uses MemoryBarrier at the public name for this fence. So, on - // X64, undef it, and call its documented - // (http://msdn.microsoft.com/en-us/library/windows/desktop/ms684208.aspx) - // implementation directly. - #undef MemoryBarrier - #endif - -diff --git a/security/sandbox/chromium/base/atomicops_internals_x86_msvc.h b/security/sandbox/chromium/base/atomicops_internals_x86_msvc.h ---- a/security/sandbox/chromium/base/atomicops_internals_x86_msvc.h -+++ b/security/sandbox/chromium/base/atomicops_internals_x86_msvc.h -@@ -9,17 +9,17 @@ - - #include "base/win/windows_types.h" - - #include - - #include "base/macros.h" - #include "build/build_config.h" - --#if defined(ARCH_CPU_64_BITS) -+#if defined(ARCH_CPU_64_BITS) || defined(__MINGW32__) - // windows.h #defines this (only on x64). This causes problems because the - // public API also uses MemoryBarrier at the public name for this fence. 
So, on - // X64, undef it, and call its documented - // (http://msdn.microsoft.com/en-us/library/windows/desktop/ms684208.aspx) - // implementation directly. - #undef MemoryBarrier - #endif - diff --git a/security/sandbox/chromium-shim/patches/with_update/more_chromium_linux_x86_x64_syscalls.patch b/security/sandbox/chromium-shim/patches/with_update/more_chromium_linux_x86_x64_syscalls.patch index a5601339231e..4b32171d0474 100644 --- a/security/sandbox/chromium-shim/patches/with_update/more_chromium_linux_x86_x64_syscalls.patch +++ b/security/sandbox/chromium-shim/patches/with_update/more_chromium_linux_x86_x64_syscalls.patch 
@@ -8,190 +8,37 @@ Bug 1591117 - Report ENOSYS on statx, but allow membarrier. r=jld Differential Revision: https://phabricator.services.mozilla.com/D50623 -diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h b/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h ---- a/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h -+++ b/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h -@@ -1485,10 +1485,230 @@ - #if !defined(__NR_recvmsg) - #define __NR_recvmsg 372 +diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h b/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h +--- a/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h ++++ b/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h +@@ -1,13 +1,17 @@ + // Copyright (c) 2012 The Chromium Authors. All rights reserved. + // Use of this source code is governed by a BSD-style license that can be + // found in the LICENSE file. + +-// Generated from the Linux kernel's syscall_64.tbl. ++/* Constructed by running a vim macro over ++ linux-kernel/arch/x86/entry/syscalls/syscall_64.tbl ++ version 39a38bcba4ab6e5285b07675b0e42c96eec35e67 ++ which is close to Linux 5.4. 
++*/ + #ifndef SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_ + #define SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_ + + #if !defined(__x86_64__) + #error "Including header on wrong architecture" #endif - #if !defined(__NR_shutdown) - #define __NR_shutdown 373 + #if !defined(__NR_read) +@@ -1345,10 +1349,57 @@ + #if !defined(__NR_io_pgetevents) + #define __NR_io_pgetevents 333 + #endif + + #if !defined(__NR_rseq) + #define __NR_rseq 334 #endif -+#if !defined(__NR_userfaultfd) -+#define __NR_userfaultfd 374 -+#endif -+ -+#if !defined(__NR_membarrier) -+#define __NR_membarrier 375 -+#endif -+ -+#if !defined(__NR_mlock2) -+#define __NR_mlock2 376 -+#endif -+ -+#if !defined(__NR_copy_file_range) -+#define __NR_copy_file_range 377 -+#endif -+ -+#if !defined(__NR_preadv2) -+#define __NR_preadv2 378 -+#endif -+ -+#if !defined(__NR_pwritev2) -+#define __NR_pwritev2 379 -+#endif -+ -+#if !defined(__NR_pkey_mprotect) -+#define __NR_pkey_mprotect 380 -+#endif -+ -+#if !defined(__NR_pkey_alloc) -+#define __NR_pkey_alloc 381 -+#endif -+ -+#if !defined(__NR_pkey_free) -+#define __NR_pkey_free 382 -+#endif -+ -+#if !defined(__NR_statx) -+#define __NR_statx 383 -+#endif -+ -+#if !defined(__NR_arch_prctl) -+#define __NR_arch_prctl 384 -+#endif -+ -+#if !defined(__NR_io_pgetevents) -+#define __NR_io_pgetevents 385 -+#endif -+ -+#if !defined(__NR_rseq) -+#define __NR_rseq 386 -+#endif -+ -+#if !defined(__NR_semget) -+#define __NR_semget 393 -+#endif -+ -+#if !defined(__NR_semctl) -+#define __NR_semctl 394 -+#endif -+ -+#if !defined(__NR_shmget) -+#define __NR_shmget 395 -+#endif -+ -+#if !defined(__NR_shmctl) -+#define __NR_shmctl 396 -+#endif -+ -+#if !defined(__NR_shmat) -+#define __NR_shmat 397 -+#endif -+ -+#if !defined(__NR_shmdt) -+#define __NR_shmdt 398 -+#endif -+ -+#if !defined(__NR_msgget) -+#define __NR_msgget 399 -+#endif -+ -+#if !defined(__NR_msgsnd) -+#define __NR_msgsnd 400 -+#endif -+ -+#if !defined(__NR_msgrcv) -+#define __NR_msgrcv 401 -+#endif -+ 
-+#if !defined(__NR_msgctl) -+#define __NR_msgctl 402 -+#endif -+ -+#if !defined(__NR_clock_gettime64) -+#define __NR_clock_gettime64 403 -+#endif -+ -+#if !defined(__NR_clock_settime64) -+#define __NR_clock_settime64 404 -+#endif -+ -+#if !defined(__NR_clock_adjtime64) -+#define __NR_clock_adjtime64 405 -+#endif -+ -+#if !defined(__NR_clock_getres_time64) -+#define __NR_clock_getres_time64 406 -+#endif -+ -+#if !defined(__NR_clock_nanosleep_time64) -+#define __NR_clock_nanosleep_time64 407 -+#endif -+ -+#if !defined(__NR_timer_gettime64) -+#define __NR_timer_gettime64 408 -+#endif -+ -+#if !defined(__NR_timer_settime64) -+#define __NR_timer_settime64 409 -+#endif -+ -+#if !defined(__NR_timerfd_gettime64) -+#define __NR_timerfd_gettime64 410 -+#endif -+ -+#if !defined(__NR_timerfd_settime64) -+#define __NR_timerfd_settime64 411 -+#endif -+ -+#if !defined(__NR_utimensat_time64) -+#define __NR_utimensat_time64 412 -+#endif -+ -+#if !defined(__NR_pselect6_time64) -+#define __NR_pselect6_time64 413 -+#endif -+ -+#if !defined(__NR_ppoll_time64) -+#define __NR_ppoll_time64 414 -+#endif -+ -+#if !defined(__NR_io_pgetevents_time64) -+#define __NR_io_pgetevents_time64 416 -+#endif -+ -+#if !defined(__NR_recvmmsg_time64) -+#define __NR_recvmmsg_time64 417 -+#endif -+ -+#if !defined(__NR_mq_timedsend_time64) -+#define __NR_mq_timedsend_time64 418 -+#endif -+ -+#if !defined(__NR_mq_timedreceive_time64) -+#define __NR_mq_timedreceive_time64 419 -+#endif -+ -+#if !defined(__NR_semtimedop_time64) -+#define __NR_semtimedop_time64 420 -+#endif -+ -+#if !defined(__NR_rt_sigtimedwait_time64) -+#define __NR_rt_sigtimedwait_time64 421 -+#endif -+ -+#if !defined(__NR_futex_time64) -+#define __NR_futex_time64 422 -+#endif -+ -+#if !defined(__NR_sched_rr_get_interval_time64) -+#define __NR_sched_rr_get_interval_time64 423 -+#endif -+ +#if !defined(__NR_pidfd_send_signal) +#define __NR_pidfd_send_signal 424 +#endif @@ -240,1737 +87,5 @@ 
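Review bot: The reworked patch drops every x86_32_linux_syscalls.h change (the old side removes the whole x86_32 section, __NR_userfaultfd 374 through __NR_sched_rr_get_interval_time64 423, and the new side keeps only x86_64_linux_syscalls.h hunks), but the patch summary kept at the top of the hunk, `Bug 1591117 - Report ENOSYS on statx, but allow membarrier`, gives no hint that 32-bit coverage now comes from elsewhere. Presumably the updated upstream x86_32 header already carries those definitions; if so, record it in the patch description, e.g. `x86_32 now gets these from upstream; only x86_64 still needs 424-435 added.`, so that any seccomp policy code keying on `__NR_statx`/`__NR_membarrier` being defined on x86_32 is re-checked on the next update rather than assumed. The retained x86_64 hunk starts after `__NR_rseq 334` and its additions continue in the next hunk (`@@ -240,1737 +87,5 @@`), which runs past the end of this view.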
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux +#define __NR_clone3 435 +#endif + - #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_32_LINUX_SYSCALLS_H_ - -diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h b/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h ---- a/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h -+++ b/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h -@@ -1,1294 +1,1405 @@ - // Copyright (c) 2012 The Chromium Authors. All rights reserved. - // Use of this source code is governed by a BSD-style license that can be - // found in the LICENSE file. - --// Generated from the Linux kernel's syscall_64.tbl. -+/* Constructed by running a vim macro over -+ linux-kernel/arch/x86/entry/syscalls/syscall_64.tbl -+ version 39a38bcba4ab6e5285b07675b0e42c96eec35e67 -+ which is close to Linux 5.4. -+*/ - #ifndef SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_ - #define SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_ - - #if !defined(__x86_64__) --#error "Including header on wrong architecture" -+# error "Including header on wrong architecture" - #endif - - #if !defined(__NR_read) --#define __NR_read 0 -+# define __NR_read 0 - #endif - - #if !defined(__NR_write) --#define __NR_write 1 -+# define __NR_write 1 - #endif - - #if !defined(__NR_open) --#define __NR_open 2 -+# define __NR_open 2 - #endif - - #if !defined(__NR_close) --#define __NR_close 3 -+# define __NR_close 3 - #endif - - #if !defined(__NR_stat) --#define __NR_stat 4 -+# define __NR_stat 4 - #endif - - #if !defined(__NR_fstat) --#define __NR_fstat 5 -+# define __NR_fstat 5 - #endif - - #if !defined(__NR_lstat) --#define __NR_lstat 6 -+# define __NR_lstat 6 - #endif - - #if !defined(__NR_poll) --#define __NR_poll 7 -+# define __NR_poll 7 - #endif - - #if !defined(__NR_lseek) --#define __NR_lseek 8 -+# define __NR_lseek 8 - #endif - - 
#if !defined(__NR_mmap) --#define __NR_mmap 9 -+# define __NR_mmap 9 - #endif - - #if !defined(__NR_mprotect) --#define __NR_mprotect 10 -+# define __NR_mprotect 10 - #endif - - #if !defined(__NR_munmap) --#define __NR_munmap 11 -+# define __NR_munmap 11 - #endif - - #if !defined(__NR_brk) --#define __NR_brk 12 -+# define __NR_brk 12 - #endif - - #if !defined(__NR_rt_sigaction) --#define __NR_rt_sigaction 13 -+# define __NR_rt_sigaction 13 - #endif - - #if !defined(__NR_rt_sigprocmask) --#define __NR_rt_sigprocmask 14 -+# define __NR_rt_sigprocmask 14 - #endif - - #if !defined(__NR_rt_sigreturn) --#define __NR_rt_sigreturn 15 -+# define __NR_rt_sigreturn 15 - #endif - - #if !defined(__NR_ioctl) --#define __NR_ioctl 16 -+# define __NR_ioctl 16 - #endif - - #if !defined(__NR_pread64) --#define __NR_pread64 17 -+# define __NR_pread64 17 - #endif - - #if !defined(__NR_pwrite64) --#define __NR_pwrite64 18 -+# define __NR_pwrite64 18 - #endif - - #if !defined(__NR_readv) --#define __NR_readv 19 -+# define __NR_readv 19 - #endif - - #if !defined(__NR_writev) --#define __NR_writev 20 -+# define __NR_writev 20 - #endif - - #if !defined(__NR_access) --#define __NR_access 21 -+# define __NR_access 21 - #endif - - #if !defined(__NR_pipe) --#define __NR_pipe 22 -+# define __NR_pipe 22 - #endif - - #if !defined(__NR_select) --#define __NR_select 23 -+# define __NR_select 23 - #endif - - #if !defined(__NR_sched_yield) --#define __NR_sched_yield 24 -+# define __NR_sched_yield 24 - #endif - - #if !defined(__NR_mremap) --#define __NR_mremap 25 -+# define __NR_mremap 25 - #endif - - #if !defined(__NR_msync) --#define __NR_msync 26 -+# define __NR_msync 26 - #endif - - #if !defined(__NR_mincore) --#define __NR_mincore 27 -+# define __NR_mincore 27 - #endif - - #if !defined(__NR_madvise) --#define __NR_madvise 28 -+# define __NR_madvise 28 - #endif - - #if !defined(__NR_shmget) --#define __NR_shmget 29 -+# define __NR_shmget 29 - #endif - - #if !defined(__NR_shmat) --#define __NR_shmat 
30 -+# define __NR_shmat 30 - #endif - - #if !defined(__NR_shmctl) --#define __NR_shmctl 31 -+# define __NR_shmctl 31 - #endif - - #if !defined(__NR_dup) --#define __NR_dup 32 -+# define __NR_dup 32 - #endif - - #if !defined(__NR_dup2) --#define __NR_dup2 33 -+# define __NR_dup2 33 - #endif - - #if !defined(__NR_pause) --#define __NR_pause 34 -+# define __NR_pause 34 - #endif - - #if !defined(__NR_nanosleep) --#define __NR_nanosleep 35 -+# define __NR_nanosleep 35 - #endif - - #if !defined(__NR_getitimer) --#define __NR_getitimer 36 -+# define __NR_getitimer 36 - #endif - - #if !defined(__NR_alarm) --#define __NR_alarm 37 -+# define __NR_alarm 37 - #endif - - #if !defined(__NR_setitimer) --#define __NR_setitimer 38 -+# define __NR_setitimer 38 - #endif - - #if !defined(__NR_getpid) --#define __NR_getpid 39 -+# define __NR_getpid 39 - #endif - - #if !defined(__NR_sendfile) --#define __NR_sendfile 40 -+# define __NR_sendfile 40 - #endif - - #if !defined(__NR_socket) --#define __NR_socket 41 -+# define __NR_socket 41 - #endif - - #if !defined(__NR_connect) --#define __NR_connect 42 -+# define __NR_connect 42 - #endif - - #if !defined(__NR_accept) --#define __NR_accept 43 -+# define __NR_accept 43 - #endif - - #if !defined(__NR_sendto) --#define __NR_sendto 44 -+# define __NR_sendto 44 - #endif - - #if !defined(__NR_recvfrom) --#define __NR_recvfrom 45 -+# define __NR_recvfrom 45 - #endif - - #if !defined(__NR_sendmsg) --#define __NR_sendmsg 46 -+# define __NR_sendmsg 46 - #endif - - #if !defined(__NR_recvmsg) --#define __NR_recvmsg 47 -+# define __NR_recvmsg 47 - #endif - - #if !defined(__NR_shutdown) --#define __NR_shutdown 48 -+# define __NR_shutdown 48 - #endif - - #if !defined(__NR_bind) --#define __NR_bind 49 -+# define __NR_bind 49 - #endif - - #if !defined(__NR_listen) --#define __NR_listen 50 -+# define __NR_listen 50 - #endif - - #if !defined(__NR_getsockname) --#define __NR_getsockname 51 -+# define __NR_getsockname 51 - #endif - - #if 
!defined(__NR_getpeername) --#define __NR_getpeername 52 -+# define __NR_getpeername 52 - #endif - - #if !defined(__NR_socketpair) --#define __NR_socketpair 53 -+# define __NR_socketpair 53 - #endif - - #if !defined(__NR_setsockopt) --#define __NR_setsockopt 54 -+# define __NR_setsockopt 54 - #endif - - #if !defined(__NR_getsockopt) --#define __NR_getsockopt 55 -+# define __NR_getsockopt 55 - #endif - - #if !defined(__NR_clone) --#define __NR_clone 56 -+# define __NR_clone 56 - #endif - - #if !defined(__NR_fork) --#define __NR_fork 57 -+# define __NR_fork 57 - #endif - - #if !defined(__NR_vfork) --#define __NR_vfork 58 -+# define __NR_vfork 58 - #endif - - #if !defined(__NR_execve) --#define __NR_execve 59 -+# define __NR_execve 59 - #endif - - #if !defined(__NR_exit) --#define __NR_exit 60 -+# define __NR_exit 60 - #endif - - #if !defined(__NR_wait4) --#define __NR_wait4 61 -+# define __NR_wait4 61 - #endif - - #if !defined(__NR_kill) --#define __NR_kill 62 -+# define __NR_kill 62 - #endif - - #if !defined(__NR_uname) --#define __NR_uname 63 -+# define __NR_uname 63 - #endif - - #if !defined(__NR_semget) --#define __NR_semget 64 -+# define __NR_semget 64 - #endif - - #if !defined(__NR_semop) --#define __NR_semop 65 -+# define __NR_semop 65 - #endif - - #if !defined(__NR_semctl) --#define __NR_semctl 66 -+# define __NR_semctl 66 - #endif - - #if !defined(__NR_shmdt) --#define __NR_shmdt 67 -+# define __NR_shmdt 67 - #endif - - #if !defined(__NR_msgget) --#define __NR_msgget 68 -+# define __NR_msgget 68 - #endif - - #if !defined(__NR_msgsnd) --#define __NR_msgsnd 69 -+# define __NR_msgsnd 69 - #endif - - #if !defined(__NR_msgrcv) --#define __NR_msgrcv 70 -+# define __NR_msgrcv 70 - #endif - - #if !defined(__NR_msgctl) --#define __NR_msgctl 71 -+# define __NR_msgctl 71 - #endif - - #if !defined(__NR_fcntl) --#define __NR_fcntl 72 -+# define __NR_fcntl 72 - #endif - - #if !defined(__NR_flock) --#define __NR_flock 73 -+# define __NR_flock 73 - #endif - - #if 
!defined(__NR_fsync) --#define __NR_fsync 74 -+# define __NR_fsync 74 - #endif - - #if !defined(__NR_fdatasync) --#define __NR_fdatasync 75 -+# define __NR_fdatasync 75 - #endif - - #if !defined(__NR_truncate) --#define __NR_truncate 76 -+# define __NR_truncate 76 - #endif - - #if !defined(__NR_ftruncate) --#define __NR_ftruncate 77 -+# define __NR_ftruncate 77 - #endif - - #if !defined(__NR_getdents) --#define __NR_getdents 78 -+# define __NR_getdents 78 - #endif - - #if !defined(__NR_getcwd) --#define __NR_getcwd 79 -+# define __NR_getcwd 79 - #endif - - #if !defined(__NR_chdir) --#define __NR_chdir 80 -+# define __NR_chdir 80 - #endif - - #if !defined(__NR_fchdir) --#define __NR_fchdir 81 -+# define __NR_fchdir 81 - #endif - - #if !defined(__NR_rename) --#define __NR_rename 82 -+# define __NR_rename 82 - #endif - - #if !defined(__NR_mkdir) --#define __NR_mkdir 83 -+# define __NR_mkdir 83 - #endif - - #if !defined(__NR_rmdir) --#define __NR_rmdir 84 -+# define __NR_rmdir 84 - #endif - - #if !defined(__NR_creat) --#define __NR_creat 85 -+# define __NR_creat 85 - #endif - - #if !defined(__NR_link) --#define __NR_link 86 -+# define __NR_link 86 - #endif - - #if !defined(__NR_unlink) --#define __NR_unlink 87 -+# define __NR_unlink 87 - #endif - - #if !defined(__NR_symlink) --#define __NR_symlink 88 -+# define __NR_symlink 88 - #endif - - #if !defined(__NR_readlink) --#define __NR_readlink 89 -+# define __NR_readlink 89 - #endif - - #if !defined(__NR_chmod) --#define __NR_chmod 90 -+# define __NR_chmod 90 - #endif - - #if !defined(__NR_fchmod) --#define __NR_fchmod 91 -+# define __NR_fchmod 91 - #endif - - #if !defined(__NR_chown) --#define __NR_chown 92 -+# define __NR_chown 92 - #endif - - #if !defined(__NR_fchown) --#define __NR_fchown 93 -+# define __NR_fchown 93 - #endif - - #if !defined(__NR_lchown) --#define __NR_lchown 94 -+# define __NR_lchown 94 - #endif - - #if !defined(__NR_umask) --#define __NR_umask 95 -+# define __NR_umask 95 - #endif - - #if 
!defined(__NR_gettimeofday) --#define __NR_gettimeofday 96 -+# define __NR_gettimeofday 96 - #endif - - #if !defined(__NR_getrlimit) --#define __NR_getrlimit 97 -+# define __NR_getrlimit 97 - #endif - - #if !defined(__NR_getrusage) --#define __NR_getrusage 98 -+# define __NR_getrusage 98 - #endif - - #if !defined(__NR_sysinfo) --#define __NR_sysinfo 99 -+# define __NR_sysinfo 99 - #endif - - #if !defined(__NR_times) --#define __NR_times 100 -+# define __NR_times 100 - #endif - - #if !defined(__NR_ptrace) --#define __NR_ptrace 101 -+# define __NR_ptrace 101 - #endif - - #if !defined(__NR_getuid) --#define __NR_getuid 102 -+# define __NR_getuid 102 - #endif - - #if !defined(__NR_syslog) --#define __NR_syslog 103 -+# define __NR_syslog 103 - #endif - - #if !defined(__NR_getgid) --#define __NR_getgid 104 -+# define __NR_getgid 104 - #endif - - #if !defined(__NR_setuid) --#define __NR_setuid 105 -+# define __NR_setuid 105 - #endif - - #if !defined(__NR_setgid) --#define __NR_setgid 106 -+# define __NR_setgid 106 - #endif - - #if !defined(__NR_geteuid) --#define __NR_geteuid 107 -+# define __NR_geteuid 107 - #endif - - #if !defined(__NR_getegid) --#define __NR_getegid 108 -+# define __NR_getegid 108 - #endif - - #if !defined(__NR_setpgid) --#define __NR_setpgid 109 -+# define __NR_setpgid 109 - #endif - - #if !defined(__NR_getppid) --#define __NR_getppid 110 -+# define __NR_getppid 110 - #endif - - #if !defined(__NR_getpgrp) --#define __NR_getpgrp 111 -+# define __NR_getpgrp 111 - #endif - - #if !defined(__NR_setsid) --#define __NR_setsid 112 -+# define __NR_setsid 112 - #endif - - #if !defined(__NR_setreuid) --#define __NR_setreuid 113 -+# define __NR_setreuid 113 - #endif - - #if !defined(__NR_setregid) --#define __NR_setregid 114 -+# define __NR_setregid 114 - #endif - - #if !defined(__NR_getgroups) --#define __NR_getgroups 115 -+# define __NR_getgroups 115 - #endif - - #if !defined(__NR_setgroups) --#define __NR_setgroups 116 -+# define __NR_setgroups 116 - #endif - 
- #if !defined(__NR_setresuid) --#define __NR_setresuid 117 -+# define __NR_setresuid 117 - #endif - - #if !defined(__NR_getresuid) --#define __NR_getresuid 118 -+# define __NR_getresuid 118 - #endif - - #if !defined(__NR_setresgid) --#define __NR_setresgid 119 -+# define __NR_setresgid 119 - #endif - - #if !defined(__NR_getresgid) --#define __NR_getresgid 120 -+# define __NR_getresgid 120 - #endif - - #if !defined(__NR_getpgid) --#define __NR_getpgid 121 -+# define __NR_getpgid 121 - #endif - - #if !defined(__NR_setfsuid) --#define __NR_setfsuid 122 -+# define __NR_setfsuid 122 - #endif - - #if !defined(__NR_setfsgid) --#define __NR_setfsgid 123 -+# define __NR_setfsgid 123 - #endif - - #if !defined(__NR_getsid) --#define __NR_getsid 124 -+# define __NR_getsid 124 - #endif - - #if !defined(__NR_capget) --#define __NR_capget 125 -+# define __NR_capget 125 - #endif - - #if !defined(__NR_capset) --#define __NR_capset 126 -+# define __NR_capset 126 - #endif - - #if !defined(__NR_rt_sigpending) --#define __NR_rt_sigpending 127 -+# define __NR_rt_sigpending 127 - #endif - - #if !defined(__NR_rt_sigtimedwait) --#define __NR_rt_sigtimedwait 128 -+# define __NR_rt_sigtimedwait 128 - #endif - - #if !defined(__NR_rt_sigqueueinfo) --#define __NR_rt_sigqueueinfo 129 -+# define __NR_rt_sigqueueinfo 129 - #endif - - #if !defined(__NR_rt_sigsuspend) --#define __NR_rt_sigsuspend 130 -+# define __NR_rt_sigsuspend 130 - #endif - - #if !defined(__NR_sigaltstack) --#define __NR_sigaltstack 131 -+# define __NR_sigaltstack 131 - #endif - - #if !defined(__NR_utime) --#define __NR_utime 132 -+# define __NR_utime 132 - #endif - - #if !defined(__NR_mknod) --#define __NR_mknod 133 -+# define __NR_mknod 133 - #endif - - #if !defined(__NR_uselib) --#define __NR_uselib 134 -+# define __NR_uselib 134 - #endif - - #if !defined(__NR_personality) --#define __NR_personality 135 -+# define __NR_personality 135 - #endif - - #if !defined(__NR_ustat) --#define __NR_ustat 136 -+# define __NR_ustat 136 - 
#endif - - #if !defined(__NR_statfs) --#define __NR_statfs 137 -+# define __NR_statfs 137 - #endif - - #if !defined(__NR_fstatfs) --#define __NR_fstatfs 138 -+# define __NR_fstatfs 138 - #endif - - #if !defined(__NR_sysfs) --#define __NR_sysfs 139 -+# define __NR_sysfs 139 - #endif - - #if !defined(__NR_getpriority) --#define __NR_getpriority 140 -+# define __NR_getpriority 140 - #endif - - #if !defined(__NR_setpriority) --#define __NR_setpriority 141 -+# define __NR_setpriority 141 - #endif - - #if !defined(__NR_sched_setparam) --#define __NR_sched_setparam 142 -+# define __NR_sched_setparam 142 - #endif - - #if !defined(__NR_sched_getparam) --#define __NR_sched_getparam 143 -+# define __NR_sched_getparam 143 - #endif - - #if !defined(__NR_sched_setscheduler) --#define __NR_sched_setscheduler 144 -+# define __NR_sched_setscheduler 144 - #endif - - #if !defined(__NR_sched_getscheduler) --#define __NR_sched_getscheduler 145 -+# define __NR_sched_getscheduler 145 - #endif - - #if !defined(__NR_sched_get_priority_max) --#define __NR_sched_get_priority_max 146 -+# define __NR_sched_get_priority_max 146 - #endif - - #if !defined(__NR_sched_get_priority_min) --#define __NR_sched_get_priority_min 147 -+# define __NR_sched_get_priority_min 147 - #endif - - #if !defined(__NR_sched_rr_get_interval) --#define __NR_sched_rr_get_interval 148 -+# define __NR_sched_rr_get_interval 148 - #endif - - #if !defined(__NR_mlock) --#define __NR_mlock 149 -+# define __NR_mlock 149 - #endif - - #if !defined(__NR_munlock) --#define __NR_munlock 150 -+# define __NR_munlock 150 - #endif - - #if !defined(__NR_mlockall) --#define __NR_mlockall 151 -+# define __NR_mlockall 151 - #endif - - #if !defined(__NR_munlockall) --#define __NR_munlockall 152 -+# define __NR_munlockall 152 - #endif - - #if !defined(__NR_vhangup) --#define __NR_vhangup 153 -+# define __NR_vhangup 153 - #endif - - #if !defined(__NR_modify_ldt) --#define __NR_modify_ldt 154 -+# define __NR_modify_ldt 154 - #endif - - #if 
!defined(__NR_pivot_root) --#define __NR_pivot_root 155 -+# define __NR_pivot_root 155 - #endif - - #if !defined(__NR__sysctl) --#define __NR__sysctl 156 -+# define __NR__sysctl 156 - #endif - - #if !defined(__NR_prctl) --#define __NR_prctl 157 -+# define __NR_prctl 157 - #endif - - #if !defined(__NR_arch_prctl) --#define __NR_arch_prctl 158 -+# define __NR_arch_prctl 158 - #endif - - #if !defined(__NR_adjtimex) --#define __NR_adjtimex 159 -+# define __NR_adjtimex 159 - #endif - - #if !defined(__NR_setrlimit) --#define __NR_setrlimit 160 -+# define __NR_setrlimit 160 - #endif - - #if !defined(__NR_chroot) --#define __NR_chroot 161 -+# define __NR_chroot 161 - #endif - - #if !defined(__NR_sync) --#define __NR_sync 162 -+# define __NR_sync 162 - #endif - - #if !defined(__NR_acct) --#define __NR_acct 163 -+# define __NR_acct 163 - #endif - - #if !defined(__NR_settimeofday) --#define __NR_settimeofday 164 -+# define __NR_settimeofday 164 - #endif - - #if !defined(__NR_mount) --#define __NR_mount 165 -+# define __NR_mount 165 - #endif - - #if !defined(__NR_umount2) --#define __NR_umount2 166 -+# define __NR_umount2 166 - #endif - - #if !defined(__NR_swapon) --#define __NR_swapon 167 -+# define __NR_swapon 167 - #endif - - #if !defined(__NR_swapoff) --#define __NR_swapoff 168 -+# define __NR_swapoff 168 - #endif - - #if !defined(__NR_reboot) --#define __NR_reboot 169 -+# define __NR_reboot 169 - #endif - - #if !defined(__NR_sethostname) --#define __NR_sethostname 170 -+# define __NR_sethostname 170 - #endif - - #if !defined(__NR_setdomainname) --#define __NR_setdomainname 171 -+# define __NR_setdomainname 171 - #endif - - #if !defined(__NR_iopl) --#define __NR_iopl 172 -+# define __NR_iopl 172 - #endif - - #if !defined(__NR_ioperm) --#define __NR_ioperm 173 -+# define __NR_ioperm 173 - #endif - - #if !defined(__NR_create_module) --#define __NR_create_module 174 -+# define __NR_create_module 174 - #endif - - #if !defined(__NR_init_module) --#define __NR_init_module 175 
-+# define __NR_init_module 175 - #endif - - #if !defined(__NR_delete_module) --#define __NR_delete_module 176 -+# define __NR_delete_module 176 - #endif - - #if !defined(__NR_get_kernel_syms) --#define __NR_get_kernel_syms 177 -+# define __NR_get_kernel_syms 177 - #endif - - #if !defined(__NR_query_module) --#define __NR_query_module 178 -+# define __NR_query_module 178 - #endif - - #if !defined(__NR_quotactl) --#define __NR_quotactl 179 -+# define __NR_quotactl 179 - #endif - - #if !defined(__NR_nfsservctl) --#define __NR_nfsservctl 180 -+# define __NR_nfsservctl 180 - #endif - - #if !defined(__NR_getpmsg) --#define __NR_getpmsg 181 -+# define __NR_getpmsg 181 - #endif - - #if !defined(__NR_putpmsg) --#define __NR_putpmsg 182 -+# define __NR_putpmsg 182 - #endif - - #if !defined(__NR_afs_syscall) --#define __NR_afs_syscall 183 -+# define __NR_afs_syscall 183 - #endif - - #if !defined(__NR_tuxcall) --#define __NR_tuxcall 184 -+# define __NR_tuxcall 184 - #endif - - #if !defined(__NR_security) --#define __NR_security 185 -+# define __NR_security 185 - #endif - - #if !defined(__NR_gettid) --#define __NR_gettid 186 -+# define __NR_gettid 186 - #endif - - #if !defined(__NR_readahead) --#define __NR_readahead 187 -+# define __NR_readahead 187 - #endif - - #if !defined(__NR_setxattr) --#define __NR_setxattr 188 -+# define __NR_setxattr 188 - #endif - - #if !defined(__NR_lsetxattr) --#define __NR_lsetxattr 189 -+# define __NR_lsetxattr 189 - #endif - - #if !defined(__NR_fsetxattr) --#define __NR_fsetxattr 190 -+# define __NR_fsetxattr 190 - #endif - - #if !defined(__NR_getxattr) --#define __NR_getxattr 191 -+# define __NR_getxattr 191 - #endif - - #if !defined(__NR_lgetxattr) --#define __NR_lgetxattr 192 -+# define __NR_lgetxattr 192 - #endif - - #if !defined(__NR_fgetxattr) --#define __NR_fgetxattr 193 -+# define __NR_fgetxattr 193 - #endif - - #if !defined(__NR_listxattr) --#define __NR_listxattr 194 -+# define __NR_listxattr 194 - #endif - - #if 
!defined(__NR_llistxattr) --#define __NR_llistxattr 195 -+# define __NR_llistxattr 195 - #endif - - #if !defined(__NR_flistxattr) --#define __NR_flistxattr 196 -+# define __NR_flistxattr 196 - #endif - - #if !defined(__NR_removexattr) --#define __NR_removexattr 197 -+# define __NR_removexattr 197 - #endif - - #if !defined(__NR_lremovexattr) --#define __NR_lremovexattr 198 -+# define __NR_lremovexattr 198 - #endif - - #if !defined(__NR_fremovexattr) --#define __NR_fremovexattr 199 -+# define __NR_fremovexattr 199 - #endif - - #if !defined(__NR_tkill) --#define __NR_tkill 200 -+# define __NR_tkill 200 - #endif - - #if !defined(__NR_time) --#define __NR_time 201 -+# define __NR_time 201 - #endif - - #if !defined(__NR_futex) --#define __NR_futex 202 -+# define __NR_futex 202 - #endif - - #if !defined(__NR_sched_setaffinity) --#define __NR_sched_setaffinity 203 -+# define __NR_sched_setaffinity 203 - #endif - - #if !defined(__NR_sched_getaffinity) --#define __NR_sched_getaffinity 204 -+# define __NR_sched_getaffinity 204 - #endif - - #if !defined(__NR_set_thread_area) --#define __NR_set_thread_area 205 -+# define __NR_set_thread_area 205 - #endif - - #if !defined(__NR_io_setup) --#define __NR_io_setup 206 -+# define __NR_io_setup 206 - #endif - - #if !defined(__NR_io_destroy) --#define __NR_io_destroy 207 -+# define __NR_io_destroy 207 - #endif - - #if !defined(__NR_io_getevents) --#define __NR_io_getevents 208 -+# define __NR_io_getevents 208 - #endif - - #if !defined(__NR_io_submit) --#define __NR_io_submit 209 -+# define __NR_io_submit 209 - #endif - - #if !defined(__NR_io_cancel) --#define __NR_io_cancel 210 -+# define __NR_io_cancel 210 - #endif - - #if !defined(__NR_get_thread_area) --#define __NR_get_thread_area 211 -+# define __NR_get_thread_area 211 - #endif - - #if !defined(__NR_lookup_dcookie) --#define __NR_lookup_dcookie 212 -+# define __NR_lookup_dcookie 212 - #endif - - #if !defined(__NR_epoll_create) --#define __NR_epoll_create 213 -+# define 
__NR_epoll_create 213 - #endif - - #if !defined(__NR_epoll_ctl_old) --#define __NR_epoll_ctl_old 214 -+# define __NR_epoll_ctl_old 214 - #endif - - #if !defined(__NR_epoll_wait_old) --#define __NR_epoll_wait_old 215 -+# define __NR_epoll_wait_old 215 - #endif - - #if !defined(__NR_remap_file_pages) --#define __NR_remap_file_pages 216 -+# define __NR_remap_file_pages 216 - #endif - - #if !defined(__NR_getdents64) --#define __NR_getdents64 217 -+# define __NR_getdents64 217 - #endif - - #if !defined(__NR_set_tid_address) --#define __NR_set_tid_address 218 -+# define __NR_set_tid_address 218 - #endif - - #if !defined(__NR_restart_syscall) --#define __NR_restart_syscall 219 -+# define __NR_restart_syscall 219 - #endif - - #if !defined(__NR_semtimedop) --#define __NR_semtimedop 220 -+# define __NR_semtimedop 220 - #endif - - #if !defined(__NR_fadvise64) --#define __NR_fadvise64 221 -+# define __NR_fadvise64 221 - #endif - - #if !defined(__NR_timer_create) --#define __NR_timer_create 222 -+# define __NR_timer_create 222 - #endif - - #if !defined(__NR_timer_settime) --#define __NR_timer_settime 223 -+# define __NR_timer_settime 223 - #endif - - #if !defined(__NR_timer_gettime) --#define __NR_timer_gettime 224 -+# define __NR_timer_gettime 224 - #endif - - #if !defined(__NR_timer_getoverrun) --#define __NR_timer_getoverrun 225 -+# define __NR_timer_getoverrun 225 - #endif - - #if !defined(__NR_timer_delete) --#define __NR_timer_delete 226 -+# define __NR_timer_delete 226 - #endif - - #if !defined(__NR_clock_settime) --#define __NR_clock_settime 227 -+# define __NR_clock_settime 227 - #endif - - #if !defined(__NR_clock_gettime) --#define __NR_clock_gettime 228 -+# define __NR_clock_gettime 228 - #endif - - #if !defined(__NR_clock_getres) --#define __NR_clock_getres 229 -+# define __NR_clock_getres 229 - #endif - - #if !defined(__NR_clock_nanosleep) --#define __NR_clock_nanosleep 230 -+# define __NR_clock_nanosleep 230 - #endif - - #if !defined(__NR_exit_group) --#define 
__NR_exit_group 231 -+# define __NR_exit_group 231 - #endif - - #if !defined(__NR_epoll_wait) --#define __NR_epoll_wait 232 -+# define __NR_epoll_wait 232 - #endif - - #if !defined(__NR_epoll_ctl) --#define __NR_epoll_ctl 233 -+# define __NR_epoll_ctl 233 - #endif - - #if !defined(__NR_tgkill) --#define __NR_tgkill 234 -+# define __NR_tgkill 234 - #endif - - #if !defined(__NR_utimes) --#define __NR_utimes 235 -+# define __NR_utimes 235 - #endif - - #if !defined(__NR_vserver) --#define __NR_vserver 236 -+# define __NR_vserver 236 - #endif - - #if !defined(__NR_mbind) --#define __NR_mbind 237 -+# define __NR_mbind 237 - #endif - - #if !defined(__NR_set_mempolicy) --#define __NR_set_mempolicy 238 -+# define __NR_set_mempolicy 238 - #endif - - #if !defined(__NR_get_mempolicy) --#define __NR_get_mempolicy 239 -+# define __NR_get_mempolicy 239 - #endif - - #if !defined(__NR_mq_open) --#define __NR_mq_open 240 -+# define __NR_mq_open 240 - #endif - - #if !defined(__NR_mq_unlink) --#define __NR_mq_unlink 241 -+# define __NR_mq_unlink 241 - #endif - - #if !defined(__NR_mq_timedsend) --#define __NR_mq_timedsend 242 -+# define __NR_mq_timedsend 242 - #endif - - #if !defined(__NR_mq_timedreceive) --#define __NR_mq_timedreceive 243 -+# define __NR_mq_timedreceive 243 - #endif - - #if !defined(__NR_mq_notify) --#define __NR_mq_notify 244 -+# define __NR_mq_notify 244 - #endif - - #if !defined(__NR_mq_getsetattr) --#define __NR_mq_getsetattr 245 -+# define __NR_mq_getsetattr 245 - #endif - - #if !defined(__NR_kexec_load) --#define __NR_kexec_load 246 -+# define __NR_kexec_load 246 - #endif - - #if !defined(__NR_waitid) --#define __NR_waitid 247 -+# define __NR_waitid 247 - #endif - - #if !defined(__NR_add_key) --#define __NR_add_key 248 -+# define __NR_add_key 248 - #endif - - #if !defined(__NR_request_key) --#define __NR_request_key 249 -+# define __NR_request_key 249 - #endif - - #if !defined(__NR_keyctl) --#define __NR_keyctl 250 -+# define __NR_keyctl 250 - #endif - - #if 
!defined(__NR_ioprio_set) --#define __NR_ioprio_set 251 -+# define __NR_ioprio_set 251 - #endif - - #if !defined(__NR_ioprio_get) --#define __NR_ioprio_get 252 -+# define __NR_ioprio_get 252 - #endif - - #if !defined(__NR_inotify_init) --#define __NR_inotify_init 253 -+# define __NR_inotify_init 253 - #endif - - #if !defined(__NR_inotify_add_watch) --#define __NR_inotify_add_watch 254 -+# define __NR_inotify_add_watch 254 - #endif - - #if !defined(__NR_inotify_rm_watch) --#define __NR_inotify_rm_watch 255 -+# define __NR_inotify_rm_watch 255 - #endif - - #if !defined(__NR_migrate_pages) --#define __NR_migrate_pages 256 -+# define __NR_migrate_pages 256 - #endif - - #if !defined(__NR_openat) --#define __NR_openat 257 -+# define __NR_openat 257 - #endif - - #if !defined(__NR_mkdirat) --#define __NR_mkdirat 258 -+# define __NR_mkdirat 258 - #endif - - #if !defined(__NR_mknodat) --#define __NR_mknodat 259 -+# define __NR_mknodat 259 - #endif - - #if !defined(__NR_fchownat) --#define __NR_fchownat 260 -+# define __NR_fchownat 260 - #endif - - #if !defined(__NR_futimesat) --#define __NR_futimesat 261 -+# define __NR_futimesat 261 - #endif - - #if !defined(__NR_newfstatat) --#define __NR_newfstatat 262 -+# define __NR_newfstatat 262 - #endif - - #if !defined(__NR_unlinkat) --#define __NR_unlinkat 263 -+# define __NR_unlinkat 263 - #endif - - #if !defined(__NR_renameat) --#define __NR_renameat 264 -+# define __NR_renameat 264 - #endif - - #if !defined(__NR_linkat) --#define __NR_linkat 265 -+# define __NR_linkat 265 - #endif - - #if !defined(__NR_symlinkat) --#define __NR_symlinkat 266 -+# define __NR_symlinkat 266 - #endif - - #if !defined(__NR_readlinkat) --#define __NR_readlinkat 267 -+# define __NR_readlinkat 267 - #endif - - #if !defined(__NR_fchmodat) --#define __NR_fchmodat 268 -+# define __NR_fchmodat 268 - #endif - - #if !defined(__NR_faccessat) --#define __NR_faccessat 269 -+# define __NR_faccessat 269 - #endif - - #if !defined(__NR_pselect6) --#define 
__NR_pselect6 270 -+# define __NR_pselect6 270 - #endif - - #if !defined(__NR_ppoll) --#define __NR_ppoll 271 -+# define __NR_ppoll 271 - #endif - - #if !defined(__NR_unshare) --#define __NR_unshare 272 -+# define __NR_unshare 272 - #endif - - #if !defined(__NR_set_robust_list) --#define __NR_set_robust_list 273 -+# define __NR_set_robust_list 273 - #endif - - #if !defined(__NR_get_robust_list) --#define __NR_get_robust_list 274 -+# define __NR_get_robust_list 274 - #endif - - #if !defined(__NR_splice) --#define __NR_splice 275 -+# define __NR_splice 275 - #endif - - #if !defined(__NR_tee) --#define __NR_tee 276 -+# define __NR_tee 276 - #endif - - #if !defined(__NR_sync_file_range) --#define __NR_sync_file_range 277 -+# define __NR_sync_file_range 277 - #endif - - #if !defined(__NR_vmsplice) --#define __NR_vmsplice 278 -+# define __NR_vmsplice 278 - #endif - - #if !defined(__NR_move_pages) --#define __NR_move_pages 279 -+# define __NR_move_pages 279 - #endif - - #if !defined(__NR_utimensat) --#define __NR_utimensat 280 -+# define __NR_utimensat 280 - #endif - - #if !defined(__NR_epoll_pwait) --#define __NR_epoll_pwait 281 -+# define __NR_epoll_pwait 281 - #endif - - #if !defined(__NR_signalfd) --#define __NR_signalfd 282 -+# define __NR_signalfd 282 - #endif - - #if !defined(__NR_timerfd_create) --#define __NR_timerfd_create 283 -+# define __NR_timerfd_create 283 - #endif - - #if !defined(__NR_eventfd) --#define __NR_eventfd 284 -+# define __NR_eventfd 284 - #endif - - #if !defined(__NR_fallocate) --#define __NR_fallocate 285 -+# define __NR_fallocate 285 - #endif - - #if !defined(__NR_timerfd_settime) --#define __NR_timerfd_settime 286 -+# define __NR_timerfd_settime 286 - #endif - - #if !defined(__NR_timerfd_gettime) --#define __NR_timerfd_gettime 287 -+# define __NR_timerfd_gettime 287 - #endif - - #if !defined(__NR_accept4) --#define __NR_accept4 288 -+# define __NR_accept4 288 - #endif - - #if !defined(__NR_signalfd4) --#define __NR_signalfd4 289 -+# define 
__NR_signalfd4 289 - #endif - - #if !defined(__NR_eventfd2) --#define __NR_eventfd2 290 -+# define __NR_eventfd2 290 - #endif - - #if !defined(__NR_epoll_create1) --#define __NR_epoll_create1 291 -+# define __NR_epoll_create1 291 - #endif - - #if !defined(__NR_dup3) --#define __NR_dup3 292 -+# define __NR_dup3 292 - #endif - - #if !defined(__NR_pipe2) --#define __NR_pipe2 293 -+# define __NR_pipe2 293 - #endif - - #if !defined(__NR_inotify_init1) --#define __NR_inotify_init1 294 -+# define __NR_inotify_init1 294 - #endif - - #if !defined(__NR_preadv) --#define __NR_preadv 295 -+# define __NR_preadv 295 - #endif - - #if !defined(__NR_pwritev) --#define __NR_pwritev 296 -+# define __NR_pwritev 296 - #endif - - #if !defined(__NR_rt_tgsigqueueinfo) --#define __NR_rt_tgsigqueueinfo 297 -+# define __NR_rt_tgsigqueueinfo 297 - #endif - - #if !defined(__NR_perf_event_open) --#define __NR_perf_event_open 298 -+# define __NR_perf_event_open 298 - #endif - - #if !defined(__NR_recvmmsg) --#define __NR_recvmmsg 299 -+# define __NR_recvmmsg 299 - #endif - - #if !defined(__NR_fanotify_init) --#define __NR_fanotify_init 300 -+# define __NR_fanotify_init 300 - #endif - - #if !defined(__NR_fanotify_mark) --#define __NR_fanotify_mark 301 -+# define __NR_fanotify_mark 301 - #endif - - #if !defined(__NR_prlimit64) --#define __NR_prlimit64 302 -+# define __NR_prlimit64 302 - #endif - - #if !defined(__NR_name_to_handle_at) --#define __NR_name_to_handle_at 303 -+# define __NR_name_to_handle_at 303 - #endif - - #if !defined(__NR_open_by_handle_at) --#define __NR_open_by_handle_at 304 -+# define __NR_open_by_handle_at 304 - #endif - - #if !defined(__NR_clock_adjtime) --#define __NR_clock_adjtime 305 -+# define __NR_clock_adjtime 305 - #endif - - #if !defined(__NR_syncfs) --#define __NR_syncfs 306 -+# define __NR_syncfs 306 - #endif - - #if !defined(__NR_sendmmsg) --#define __NR_sendmmsg 307 -+# define __NR_sendmmsg 307 - #endif - - #if !defined(__NR_setns) --#define __NR_setns 308 -+# 
define __NR_setns 308 - #endif - - #if !defined(__NR_getcpu) --#define __NR_getcpu 309 -+# define __NR_getcpu 309 - #endif - - #if !defined(__NR_process_vm_readv) --#define __NR_process_vm_readv 310 -+# define __NR_process_vm_readv 310 - #endif - - #if !defined(__NR_process_vm_writev) --#define __NR_process_vm_writev 311 -+# define __NR_process_vm_writev 311 - #endif - - #if !defined(__NR_kcmp) --#define __NR_kcmp 312 -+# define __NR_kcmp 312 - #endif - - #if !defined(__NR_finit_module) --#define __NR_finit_module 313 -+# define __NR_finit_module 313 - #endif - - #if !defined(__NR_sched_setattr) --#define __NR_sched_setattr 314 -+# define __NR_sched_setattr 314 - #endif - - #if !defined(__NR_sched_getattr) --#define __NR_sched_getattr 315 -+# define __NR_sched_getattr 315 - #endif - - #if !defined(__NR_renameat2) --#define __NR_renameat2 316 -+# define __NR_renameat2 316 - #endif - - #if !defined(__NR_seccomp) --#define __NR_seccomp 317 -+# define __NR_seccomp 317 - #endif - - #if !defined(__NR_getrandom) --#define __NR_getrandom 318 -+# define __NR_getrandom 318 - #endif - - #if !defined(__NR_memfd_create) --#define __NR_memfd_create 319 -+# define __NR_memfd_create 319 -+#endif -+ -+#if !defined(__NR_kexec_file_load) -+# define __NR_kexec_file_load 320 -+#endif -+ -+#if !defined(__NR_bpf) -+# define __NR_bpf 321 -+#endif -+ -+#if !defined(__NR_execveat) -+# define __NR_execveat 322 -+#endif -+ -+#if !defined(__NR_userfaultfd) -+# define __NR_userfaultfd 323 -+#endif -+ -+#if !defined(__NR_membarrier) -+# define __NR_membarrier 324 -+#endif -+ -+#if !defined(__NR_mlock2) -+# define __NR_mlock2 325 -+#endif -+ -+#if !defined(__NR_copy_file_range) -+# define __NR_copy_file_range 326 -+#endif -+ -+#if !defined(__NR_preadv2) -+# define __NR_preadv2 327 -+#endif -+ -+#if !defined(__NR_pwritev2) -+# define __NR_pwritev2 328 -+#endif -+ -+#if !defined(__NR_pkey_mprotect) -+# define __NR_pkey_mprotect 329 -+#endif -+ -+#if !defined(__NR_pkey_alloc) -+# define 
__NR_pkey_alloc 330
-+#endif
-+
-+#if !defined(__NR_pkey_free)
-+# define __NR_pkey_free 331
-+#endif
-+
-+#if !defined(__NR_statx)
-+# define __NR_statx 332
-+#endif
-+
-+#if !defined(__NR_io_pgetevents)
-+# define __NR_io_pgetevents 333
-+#endif
-+
-+#if !defined(__NR_rseq)
-+# define __NR_rseq 334
-+#endif
-+
-+#if !defined(__NR_pidfd_send_signal)
-+# define __NR_pidfd_send_signal 424
-+#endif
-+
-+#if !defined(__NR_io_uring_setup)
-+# define __NR_io_uring_setup 425
-+#endif
-+
-+#if !defined(__NR_io_uring_enter)
-+# define __NR_io_uring_enter 426
-+#endif
-+
-+#if !defined(__NR_io_uring_register)
-+# define __NR_io_uring_register 427
-+#endif
-+
-+#if !defined(__NR_open_tree)
-+# define __NR_open_tree 428
-+#endif
-+
-+#if !defined(__NR_move_mount)
-+# define __NR_move_mount 429
-+#endif
-+
-+#if !defined(__NR_fsopen)
-+# define __NR_fsopen 430
-+#endif
-+
-+#if !defined(__NR_fsconfig)
-+# define __NR_fsconfig 431
-+#endif
-+
-+#if !defined(__NR_fsmount)
-+# define __NR_fsmount 432
-+#endif
-+
-+#if !defined(__NR_fspick)
-+# define __NR_fspick 433
-+#endif
-+
-+#if !defined(__NR_pidfd_open)
-+# define __NR_pidfd_open 434
-+#endif
-+
-+#if !defined(__NR_clone3)
-+# define __NR_clone3 435
- #endif
- #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_
-
diff --git a/security/sandbox/chromium-shim/patches/with_update/patch_order.txt b/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
index 13541f19f857..6996465e58ce 100755
--- a/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
+++ b/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
@@ -1,28 +1,28 @@
-update_chromium_linux_x86_syscalls.patch
 revert_remove_AddTargetPeer.patch
 revert_remove_BrokerDuplicateHandle.patch
-ifdef_out_ApplyMitigationsToCurrentThread.patch
+replace_ScopedNativeLibrary_in_ApplyMitigationsToCurrentThread.patch
 ifdef_out_FromStringInternal.patch
 add_option_to_not_use_restricting_sids.patch
 ifdef_out_SequenceChecker_code.patch
 allow_read_only_all_paths_rule.patch
 revert_TargetNtSetInformationThread_change.patch
-mingw_base_win_get_caller.patch
 mingw_copy_s.patch
 mingw_operator_new.patch
 mingw_cast_getprocaddress.patch
 mingw_capitalization.patch
 mingw_disable_one_try.patch
 mingw_offsetof.patch
-fix_incorrect_int_use_in_Kernel32BaseVersion.patch
-revert_removal_of_AlterEnvironment_on_Windows.patch
 allow_env_changes.patch
 ifdef_out_AppContainerProfileBase_testing_functions.patch
 mingw_missing_windows_types_defines.patch
-mingw_undefine_MemoryBarrier.patch
 add_return_in_QueryCancellationTraitsForNonCancellables_to_satisfy_build.patch
 include_atomic_header_in_platform_thread.patch
 aarch64_control_flow_guard.patch
 revert_removal_of_app_dir_for_DLL_load.patch
 more_chromium_linux_x86_x64_syscalls.patch
-public_siginfo_fields.patch
+add_support_for_random_restricted_SID.patch
+revert_Token_serialization_and_deserialization.patch
+remove_unused_functions_from_StrtodTrimmed.patch
+remove_extraneous_backslash_introduced_by_clang_tidy.patch
+remove_include_delayimp_h_from_pe_image_cc.patch
+lower_SDK_version_requirement.patch
diff --git a/security/sandbox/chromium-shim/patches/with_update/public_siginfo_fields.patch b/security/sandbox/chromium-shim/patches/with_update/public_siginfo_fields.patch
deleted file mode 100644
index 02992a26d13c..000000000000
--- a/security/sandbox/chromium-shim/patches/with_update/public_siginfo_fields.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-# HG changeset patch
-# User Michael Forney
-# Date 1581009438 0
-# Thu Feb 06 17:17:18 2020 +0000
-# Node ID 3ec8c96f4d53916de5223b2eda5e8d66fb6ca227
-# Parent 362056ef41086e1faf6ee088c1daef9c73e01370
-Bug 1611565 - Cherry-pick upstream patch to use public siginfo_t fields r=gcp
-
-Upstream patch:
-https://chromium.googlesource.com/chromium/src.git/+/6bd491daaf28a8281136931133504c23a18f819f%5E%21/#F0
-
-_sifields is a glibc-internal field, and is not available on musl
-libc. Instead, use the public-facing fields si_call_addr, si_syscall,
-and si_arch, if they are available.
-
-Differential Revision: https://phabricator.services.mozilla.com/D61051
-
-diff --git a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc
---- a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc
-+++ b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc
-@@ -159,21 +159,28 @@ void Trap::SigSys(int nr, LinuxSigInfo*
- // See crbug.com/178166.
- // TODO(jln): add a DCHECK or move back to FATAL.
- RAW_LOG(ERROR, "Unexpected SIGSYS received.");
- errno = old_errno;
- return;
- }
-
-
-- // Obtain the siginfo information that is specific to SIGSYS. Unfortunately,
-- // most versions of glibc don't include this information in siginfo_t. So,
-- // we need to explicitly copy it into a arch_sigsys structure.
-+ // Obtain the siginfo information that is specific to SIGSYS.
- struct arch_sigsys sigsys;
-+#if defined(si_call_addr) && !defined(__native_client_nonsfi__)
-+ sigsys.ip = info->si_call_addr;
-+ sigsys.nr = info->si_syscall;
-+ sigsys.arch = info->si_arch;
-+#else
-+ // If the version of glibc doesn't include this information in
-+ // siginfo_t (older than 2.17), we need to explicitly copy it
-+ // into an arch_sigsys structure.
- memcpy(&sigsys, &info->_sifields, sizeof(sigsys));
-+#endif
-
- #if defined(__mips__)
- // When indirect syscall (syscall(__NR_foo, ...)) is made on Mips, the
- // number in register SECCOMP_SYSCALL(ctx) is always __NR_syscall and the
- // real number of a syscall (__NR_foo) is in SECCOMP_PARM1(ctx)
- bool sigsys_nr_is_bad = sigsys.nr != static_cast(SECCOMP_SYSCALL(ctx)) &&
- sigsys.nr != static_cast(SECCOMP_PARM1(ctx));
- #else
diff --git a/security/sandbox/chromium-shim/patches/with_update/remove_extraneous_backslash_introduced_by_clang_tidy.patch b/security/sandbox/chromium-shim/patches/with_update/remove_extraneous_backslash_introduced_by_clang_tidy.patch
new file mode 100644
index 000000000000..431a5e102c9a
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/with_update/remove_extraneous_backslash_introduced_by_clang_tidy.patch
@@ -0,0 +1,34 @@
+# HG changeset patch
+# User Toshihito Kikuchi
+# Date 1588867789 25200
+# Thu May 07 09:09:49 2020 -0700
+# Node ID 29fbfefe6f5f533fb5aa4339015cea4746ad6493
+# Parent 044c15e89ecca19afc1750c439f4e82879679462
+Remove Extraneous Backslash Introduced by clang-tidy in ScopedHandle. r=bobowen
+
+Need the following commit to compile with Mingw, which has not reached
+the stable channel yet.
+https://chromium.googlesource.com/chromium/src.git/+/1620fe70c299f1f18b2f2c652d16739f6e3c5f78
+
+diff --git a/security/sandbox/chromium/base/win/scoped_handle.h b/security/sandbox/chromium/base/win/scoped_handle.h
+--- a/security/sandbox/chromium/base/win/scoped_handle.h
++++ b/security/sandbox/chromium/base/win/scoped_handle.h
+@@ -15,17 +15,17 @@
+ #include "base/macros.h"
+
+ // TODO(rvargas): remove this with the rest of the verifier.
+ #if defined(COMPILER_MSVC)
+ #include
+ #define BASE_WIN_GET_CALLER _ReturnAddress()
+ #elif defined(COMPILER_GCC)
+ #define BASE_WIN_GET_CALLER \
+- __builtin_extract_return_addr(\ __builtin_return_address(0))
++ __builtin_extract_return_addr(__builtin_return_address(0))
+ #endif
+
+ namespace base {
+ namespace win {
+
+ // Generic wrapper for raw handles that takes care of closing handles
+ // automatically. The class interface follows the style of
+ // the ScopedFILE class with two additions:
diff --git a/security/sandbox/chromium-shim/patches/with_update/remove_include_delayimp_h_from_pe_image_cc.patch b/security/sandbox/chromium-shim/patches/with_update/remove_include_delayimp_h_from_pe_image_cc.patch
new file mode 100644
index 000000000000..4f08f57011f8
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/with_update/remove_include_delayimp_h_from_pe_image_cc.patch
@@ -0,0 +1,32 @@
+# HG changeset patch
+# User Toshihito Kikuchi
+# Date 1588871424 25200
+# Thu May 07 10:10:24 2020 -0700
+# Node ID 2d5ee142bde533ba4f93afaae081a444eac0abe2
+# Parent 29fbfefe6f5f533fb5aa4339015cea4746ad6493
+Don't include delayimp.h twice from //base/win/pe_image.cc to compile with Mingw. r=bobowen
+
+The second include was introduced by
+https://chromium.googlesource.com/chromium/src.git/+/5c23d46846111ea16aaf2a9b45355cca5ddbf6d8
+
+diff --git a/security/sandbox/chromium/base/win/pe_image.cc b/security/sandbox/chromium/base/win/pe_image.cc
+--- a/security/sandbox/chromium/base/win/pe_image.cc
++++ b/security/sandbox/chromium/base/win/pe_image.cc
+@@ -2,17 +2,16 @@
+ // Use of this source code is governed by a BSD-style license that can be
+ // found in the LICENSE file.
+
+ // This file implements PEImage, a generic class to manipulate PE files.
+ // This file was adapted from GreenBorder's Code.
+
+ #include "base/win/pe_image.h"
+
+-#include
+ #include
+ #include
+ #include
+
+ #include "base/no_destructor.h"
+ #include "base/win/current_module.h"
+
+ namespace base {
diff --git a/security/sandbox/chromium-shim/patches/with_update/remove_unused_functions_from_StrtodTrimmed.patch b/security/sandbox/chromium-shim/patches/with_update/remove_unused_functions_from_StrtodTrimmed.patch
new file mode 100644
index 000000000000..a097360ac595
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/with_update/remove_unused_functions_from_StrtodTrimmed.patch
@@ -0,0 +1,48 @@
+# HG changeset patch
+# User Toshihito Kikuchi
+# Date 1588733379 25200
+# Tue May 05 19:49:39 2020 -0700
+# Node ID 044c15e89ecca19afc1750c439f4e82879679462
+# Parent a18431660425e41c26c716413aac0294987c985a
+Remove unused functions from //base/third_party/double_conversion/double-conversion to compile. r=bobowen
+
+diff --git a/security/sandbox/chromium/base/third_party/double_conversion/double-conversion/strtod.cc b/security/sandbox/chromium/base/third_party/double_conversion/double-conversion/strtod.cc
+--- a/security/sandbox/chromium/base/third_party/double_conversion/double-conversion/strtod.cc
++++ b/security/sandbox/chromium/base/third_party/double_conversion/double-conversion/strtod.cc
+@@ -445,36 +445,18 @@ static bool ComputeGuess(Vector& buffer) {
+- for(int i = 0; i < buffer.length(); ++i) {
+- if(!IsDigit(buffer[i])) {
+- return false;
+- }
+- }
+- return (buffer.length() == 0) || (IsNonZeroDigit(buffer[0]) && IsNonZeroDigit(buffer[buffer.length()-1]));
+-}
+-
+ double StrtodTrimmed(Vector trimmed, int exponent) {
+ DOUBLE_CONVERSION_ASSERT(trimmed.length() <= kMaxSignificantDecimalDigits);
+- DOUBLE_CONVERSION_ASSERT(AssertTrimmedDigits(trimmed));
+ double guess;
+ const bool is_correct = ComputeGuess(trimmed, exponent, &guess);
+ if (is_correct) {
+ return guess;
+ }
+ DiyFp upper_boundary = Double(guess).UpperBoundary();
+ int comparison = CompareBufferWithDiyFp(trimmed, exponent, upper_boundary);
+ if (comparison < 0) {
diff --git a/security/sandbox/chromium-shim/patches/with_update/replace_ScopedNativeLibrary_in_ApplyMitigationsToCurrentThread.patch b/security/sandbox/chromium-shim/patches/with_update/replace_ScopedNativeLibrary_in_ApplyMitigationsToCurrentThread.patch
new file mode 100644
index 000000000000..47418009d603
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/with_update/replace_ScopedNativeLibrary_in_ApplyMitigationsToCurrentThread.patch
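Review bot: Removing `DOUBLE_CONVERSION_ASSERT(AssertTrimmedDigits(trimmed));` from StrtodTrimmed drops the only debug-time check that the buffer handed to ComputeGuess and CompareBufferWithDiyFp satisfies the "trimmed" contract the deleted helper encoded (every byte is a digit and, unless the buffer is empty, the first and last digits are non-zero); the helper's own body goes at the top of the hunk, where its signature line is garbled in this view. The commit message only says "to compile", so this is inferred, but if the problem is an unused-function diagnostic in a build where DOUBLE_CONVERSION_ASSERT expands to nothing, a smaller patch keeps the assertion and silences the warning with `[[maybe_unused]] static bool AssertTrimmedDigits(const Vector<const char>& buffer) {` or places the helper under the same condition the assert macro uses. That also keeps the vendored file closer to upstream double-conversion, which matters for the next import. The patch description should say why the assertion, not just the helper, had to go. StrtodTrimmed continues past the end of the hunk.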
@@ -0,0 +1,59 @@ +# HG changeset patch +# User Toshihito Kikuchi +# Date 1589672273 25200 +# Sat May 16 16:37:53 2020 -0700 +# Node ID c14ef8304c36fdc2570b77b63b36114cff2d070d +# Parent 90b5f63770f52fab163adaed1d5812b2887b335a +Use GetModuleHandle/GetProcAddress in ApplyMitigationsToCurrentThread. r=bobowen + +This patch removes the use of base::ScopedNativeLibrary from +sandbox::ApplyMitigationsToCurrentThread because to avoid +new dependencies. + +diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc +--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc ++++ b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc +@@ -5,18 +5,16 @@ + #include "sandbox/win/src/process_mitigations.h" + + #include + #include + #include + + #include + +-#include "base/files/file_path.h" +-#include "base/scoped_native_library.h" + #include "base/win/windows_version.h" + #include "build/build_config.h" + #include "sandbox/win/src/nt_internals.h" + #include "sandbox/win/src/restricted_token_utils.h" + #include "sandbox/win/src/sandbox_rand.h" + #include "sandbox/win/src/win_utils.h" + + namespace { +@@ -321,22 +319,19 @@ bool ApplyMitigationsToCurrentThread(Mit + return true; + + // Enable dynamic code per-thread policies. + if (flags & MITIGATION_DYNAMIC_CODE_OPT_OUT_THIS_THREAD) { + DWORD thread_policy = THREAD_DYNAMIC_CODE_ALLOW; + + // NOTE: SetThreadInformation API only exists on >= Win8. Dynamically + // get function handle. 
+- base::ScopedNativeLibrary dll(base::FilePath(L"kernel32.dll")); +- if (!dll.is_valid()) +- return false; + SetThreadInformationFunction set_thread_info_function = +- reinterpret_cast( +- dll.GetFunctionPointer("SetThreadInformation")); ++ reinterpret_cast(::GetProcAddress( ++ ::GetModuleHandleA("kernel32.dll"), "SetThreadInformation")); + if (!set_thread_info_function) + return false; + + // NOTE: Must use the pseudo-handle here, a thread HANDLE won't work. + if (!set_thread_info_function(::GetCurrentThread(), ThreadDynamicCodePolicy, + &thread_policy, sizeof(thread_policy))) { + return false; + } diff --git a/security/sandbox/chromium-shim/patches/with_update/revert_Token_serialization_and_deserialization.patch b/security/sandbox/chromium-shim/patches/with_update/revert_Token_serialization_and_deserialization.patch new file mode 100644 index 000000000000..c2d96dda7841 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/revert_Token_serialization_and_deserialization.patch 
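Review bot: The new `reinterpret_cast(::GetProcAddress(::GetModuleHandleA("kernel32.dll"), "SetThreadInformation"))` has no comment explaining why a null module handle needs no check of its own, and the only visible guard is the null test on the resulting function pointer. Since kernel32.dll is mapped into every Win32 process, GetModuleHandle is expected not to fail here and, unlike the removed ScopedNativeLibrary path, it takes no additional module reference and cannot load a different file; a comment stating that would help, e.g. `// kernel32.dll is always loaded, so GetModuleHandle needs no LoadLibrary and takes no reference; a null result falls through to the function-pointer check below.` The template argument of the reinterpret_cast has been stripped in this rendering of the patch, so the target type cannot be confirmed from here. ApplyMitigationsToCurrentThread starts and ends outside the nested hunk.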
@@ -0,0 +1,100 @@ +# HG changeset patch +# User Toshihito Kikuchi +# Date 1588530677 25200 +# Sun May 03 11:31:17 2020 -0700 +# Node ID a18431660425e41c26c716413aac0294987c985a +# Parent e149b1937231ccc3c1c07f45acf0e7e71117854f +Revert chromium's ffe1d0eb42d1d75f2b6a3b4145eff69f235a19ee. r=bobowen + +Undoing the following commit as it brings more dependency but unused in our code. +https://chromium.googlesource.com/chromium/src.git/+/ffe1d0eb42d1d75f2b6a3b4145eff69f235a19ee + +diff --git a/security/sandbox/chromium/base/token.cc b/security/sandbox/chromium/base/token.cc +--- a/security/sandbox/chromium/base/token.cc ++++ b/security/sandbox/chromium/base/token.cc +@@ -1,17 +1,16 @@ + // Copyright 2018 The Chromium Authors. All rights reserved. + // Use of this source code is governed by a BSD-style license that can be + // found in the LICENSE file. + + #include "base/token.h" + + #include + +-#include "base/pickle.h" + #include "base/rand_util.h" + #include "base/strings/stringprintf.h" + + namespace base { + + // static + Token Token::CreateRandom() { + Token token; +@@ -21,26 +20,9 @@ Token Token::CreateRandom() { + base::RandBytes(&token, sizeof(token)); + return token; + } + + std::string Token::ToString() const { + return base::StringPrintf("%016" PRIX64 "%016" PRIX64, high_, low_); + } + +-void WriteTokenToPickle(Pickle* pickle, const Token& token) { +- pickle->WriteUInt64(token.high()); +- pickle->WriteUInt64(token.low()); +-} +- +-Optional ReadTokenFromPickle(PickleIterator* pickle_iterator) { +- uint64_t high; +- if (!pickle_iterator->ReadUInt64(&high)) +- return nullopt; +- +- uint64_t low; +- if (!pickle_iterator->ReadUInt64(&low)) +- return nullopt; +- +- return Token(high, low); +-} +- + } // namespace base +diff --git a/security/sandbox/chromium/base/token.h b/security/sandbox/chromium/base/token.h +--- a/security/sandbox/chromium/base/token.h ++++ b/security/sandbox/chromium/base/token.h +@@ -7,17 +7,16 @@ + + #include + + #include + #include + + 
#include "base/base_export.h" + #include "base/hash/hash.h" +-#include "base/optional.h" + + namespace base { + + // A Token is a randomly chosen 128-bit integer. This class supports generation + // from a cryptographically strong random source, or constexpr construction over + // fixed values (e.g. to store a pre-generated constant value). Tokens are + // similar in spirit and purpose to UUIDs, without many of the constraints and + // expectations (such as byte layout and string representation) clasically +@@ -63,19 +62,11 @@ class BASE_EXPORT Token { + + // For use in std::unordered_map. + struct TokenHash { + size_t operator()(const base::Token& token) const { + return base::HashInts64(token.high(), token.low()); + } + }; + +-class Pickle; +-class PickleIterator; +- +-// For serializing and deserializing Token values. +-BASE_EXPORT void WriteTokenToPickle(Pickle* pickle, const Token& token); +-BASE_EXPORT Optional ReadTokenFromPickle( +- PickleIterator* pickle_iterator); +- + } // namespace base + + #endif // BASE_TOKEN_H_ diff --git a/security/sandbox/chromium-shim/patches/with_update/revert_removal_of_AlterEnvironment_on_Windows.patch b/security/sandbox/chromium-shim/patches/with_update/revert_removal_of_AlterEnvironment_on_Windows.patch deleted file mode 100644 index ce3b047434fe..000000000000 --- a/security/sandbox/chromium-shim/patches/with_update/revert_removal_of_AlterEnvironment_on_Windows.patch +++ /dev/null 
@@ -1,150 +0,0 @@ -# HG changeset patch -# User Bob Owen -# Date 1560256605 -3600 -# Tue Jun 11 13:36:45 2019 +0100 -# Node ID 686d4b711b65b7cd8692e92e9a7ae152a942b69e -# Parent 213d707af158b3d276c8cce56aba2e3c27abda82 -Bug 1552160: Revert removal of AlterEnvironment from chromium code on Windows. r=jld - -diff --git a/security/sandbox/chromium/base/environment.cc b/security/sandbox/chromium/base/environment.cc ---- a/security/sandbox/chromium/base/environment.cc -+++ b/security/sandbox/chromium/base/environment.cc -@@ -96,34 +96,32 @@ class EnvironmentImpl : public Environme - return !!SetEnvironmentVariable(UTF8ToWide(variable_name).c_str(), nullptr); - #elif defined(OS_POSIX) || defined(OS_FUCHSIA) - // On success, zero is returned. - return !unsetenv(variable_name.data()); - #endif - } - }; - --#if defined(OS_POSIX) || defined(OS_FUCHSIA) - // Parses a null-terminated input string of an environment block. The key is - // placed into the given string, and the total length of the line, including - // the terminating null, is returned. - size_t ParseEnvLine(const NativeEnvironmentString::value_type* input, - NativeEnvironmentString* key) { - // Skip to the equals or end of the string, this is the key. - size_t cur = 0; - while (input[cur] && input[cur] != '=') - cur++; - *key = NativeEnvironmentString(&input[0], cur); - - // Now just skip to the end of the string. - while (input[cur]) - cur++; - return cur + 1; - } --#endif - - } // namespace - - namespace env_vars { - - #if defined(OS_POSIX) || defined(OS_FUCHSIA) - // On Posix systems, this variable contains the location of the user's home - // directory. (e.g, /home/username/). 
-@@ -138,17 +136,57 @@ Environment::~Environment() = default; - std::unique_ptr Environment::Create() { - return std::make_unique(); - } - - bool Environment::HasVar(StringPiece variable_name) { - return GetVar(variable_name, nullptr); - } - --#if defined(OS_POSIX) || defined(OS_FUCHSIA) -+#if defined(OS_WIN) -+ -+string16 AlterEnvironment(const wchar_t* env, -+ const EnvironmentMap& changes) { -+ string16 result; -+ -+ // First copy all unmodified values to the output. -+ size_t cur_env = 0; -+ string16 key; -+ while (env[cur_env]) { -+ const wchar_t* line = &env[cur_env]; -+ size_t line_length = ParseEnvLine(line, &key); -+ -+ // Keep only values not specified in the change vector. -+ EnvironmentMap::const_iterator found_change = changes.find(key); -+ if (found_change == changes.end()) -+ result.append(line, line_length); -+ -+ cur_env += line_length; -+ } -+ -+ // Now append all modified and new values. -+ for (EnvironmentMap::const_iterator i = changes.begin(); -+ i != changes.end(); ++i) { -+ if (!i->second.empty()) { -+ result.append(i->first); -+ result.push_back('='); -+ result.append(i->second); -+ result.push_back(0); -+ } -+ } -+ -+ // An additional null marks the end of the list. We always need a double-null -+ // in case nothing was added above. -+ if (result.empty()) -+ result.push_back(0); -+ result.push_back(0); -+ return result; -+} -+ -+#elif defined(OS_POSIX) || defined(OS_FUCHSIA) - - std::unique_ptr AlterEnvironment(const char* const* const env, - const EnvironmentMap& changes) { - std::string value_storage; // Holds concatenated null-terminated strings. - std::vector result_indices; // Line indices into value_storage. - - // First build up all of the unchanged environment strings. These are - // null-terminated of the form "key=value". 
-diff --git a/security/sandbox/chromium/base/environment.h b/security/sandbox/chromium/base/environment.h ---- a/security/sandbox/chromium/base/environment.h -+++ b/security/sandbox/chromium/base/environment.h -@@ -48,27 +48,36 @@ class BASE_EXPORT Environment { - - - #if defined(OS_WIN) - - typedef string16 NativeEnvironmentString; - typedef std::map - EnvironmentMap; - -+// Returns a modified environment vector constructed from the given environment -+// and the list of changes given in |changes|. Each key in the environment is -+// matched against the first element of the pairs. In the event of a match, the -+// value is replaced by the second of the pair, unless the second is empty, in -+// which case the key-value is removed. -+// -+// This Windows version takes and returns a Windows-style environment block -+// which is a concatenated list of null-terminated 16-bit strings. The end is -+// marked by a double-null terminator. The size of the returned string will -+// include the terminators. -+BASE_EXPORT string16 AlterEnvironment(const wchar_t* env, -+ const EnvironmentMap& changes); -+ - #elif defined(OS_POSIX) || defined(OS_FUCHSIA) - - typedef std::string NativeEnvironmentString; - typedef std::map - EnvironmentMap; - --// Returns a modified environment vector constructed from the given environment --// and the list of changes given in |changes|. Each key in the environment is --// matched against the first element of the pairs. In the event of a match, the --// value is replaced by the second of the pair, unless the second is empty, in --// which case the key-value is removed. -+// See general comments for the Windows version above. - // - // This Posix version takes and returns a Posix-style environment block, which - // is a null-terminated list of pointers to null-terminated strings. 
The - // returned array will have appended to it the storage for the array itself so - // there is only one pointer to manage, but this means that you can't copy the - // array without keeping the original around. - BASE_EXPORT std::unique_ptr AlterEnvironment( - const char* const* env, diff --git a/security/sandbox/chromium-shim/patches/with_update/revert_remove_AddTargetPeer.patch b/security/sandbox/chromium-shim/patches/with_update/revert_remove_AddTargetPeer.patch index f1e9dda12ffb..04020b60b7bf 100644 --- a/security/sandbox/chromium-shim/patches/with_update/revert_remove_AddTargetPeer.patch +++ b/security/sandbox/chromium-shim/patches/with_update/revert_remove_AddTargetPeer.patch @@ -1,88 +1,53 @@ # HG changeset patch -# User Bob Owen -# Date 1485985799 0 -# Wed Feb 01 21:49:59 2017 +0000 -# Node ID 8faee368c603dab03076d8900f01acfd776caaeb -# Parent dba4611d335189b9a3314f5dc57935f554c8b945 -Reinstate sandbox::BrokerServices::AddTargetPeer r=aklotz +# User Toshihito Kikuchi +# Date 1589671259 25200 +# Sat May 16 16:20:59 2020 -0700 +# Node ID 0b5183a01df78cc85264f2eae2c4d8e407bb1112 +# Parent d093cd9ccfcf06f4a1f0d7f1a4bd0f143ef92b4b +Add BrokerServicesBase::IsSafeDuplicationTarget. r=bobowen -This is basically a revert of chromium commit 996b42db5296bd3d11b3d7fde1a4602bbcefed2c. +This patch adds BrokerServicesBase::IsSafeDuplicationTarget and +BrokerServicesBase::AddTargetPeer using the new ProcessTracker introduced by +https://chromium.googlesource.com/chromium/src.git/+/3d8382cf9dd44cf9c05e43e42c500f4825e1fed8 +We need these methods for HandlePolicy which is added as a different patch. + +Chromium used to have AddTargetPeer and IsActiveTarget, but removed by +the following commits because they were no longer used in Chromium. +https://chromium.googlesource.com/chromium/src.git/+/996b42db5296bd3d11b3d7fde1a4602bbcefed2c +https://chromium.googlesource.com/chromium/src.git/+/e615a1152ac6e10f1a91f0629fb8b5ca223ffbdc 
diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.cc b/security/sandbox/chromium/sandbox/win/src/broker_services.cc --- a/security/sandbox/chromium/sandbox/win/src/broker_services.cc 
+++ b/security/sandbox/chromium/sandbox/win/src/broker_services.cc -@@ -41,16 +41,17 @@ sandbox::ResultCode SpawnCleanup(sandbox - delete target; - return sandbox::SBOX_ERROR_GENERIC; - } - - // the different commands that you can send to the worker thread that - // executes TargetEventsThread(). - enum { - THREAD_CTRL_NONE, -+ THREAD_CTRL_REMOVE_PEER, - THREAD_CTRL_QUIT, - THREAD_CTRL_LAST, - }; - - // Helper structure that allows the Broker to associate a job notification - // with a job object and with a policy. - struct JobTracker { - JobTracker(base::win::ScopedHandle job, -@@ -77,16 +78,37 @@ void JobTracker::FreeResources() { - HANDLE stale_job_handle = job.Get(); - job.Close(); - - // In OnJobEmpty() we don't actually use the job handle directly. - policy->OnJobEmpty(stale_job_handle); - policy = nullptr; - } - } -+ -+// Helper structure that allows the broker to track peer processes -+struct PeerTracker { -+ PeerTracker(DWORD process_id, HANDLE broker_job_port) -+ : wait_object(NULL), id(process_id), job_port(broker_job_port) { -+ } -+ -+ HANDLE wait_object; -+ base::win::ScopedHandle process; -+ DWORD id; -+ HANDLE job_port; -+}; -+ -+void DeregisterPeerTracker(PeerTracker* peer) { -+ // Deregistration shouldn't fail, but we leak rather than crash if it does. -+ if (::UnregisterWaitEx(peer->wait_object, INVALID_HANDLE_VALUE)) { -+ delete peer; -+ } else { -+ NOTREACHED(); -+ } -+} - - } // namespace - - namespace sandbox { - +@@ -154,16 +154,18 @@ namespace sandbox { BrokerServicesBase::BrokerServicesBase() {} // The broker uses a dedicated worker thread that services the job completion -@@ -132,16 +154,22 @@ BrokerServicesBase::~BrokerServicesBase( + // port to perform policy notifications and associated cleanup tasks. 
+ ResultCode BrokerServicesBase::Init() { + if (job_port_.IsValid() || thread_pool_) + return SBOX_ERROR_UNEXPECTED_CALL; + ++ ::InitializeCriticalSection(&lock_); ++ + job_port_.Set(::CreateIoCompletionPort(INVALID_HANDLE_VALUE, nullptr, 0, 0)); + if (!job_port_.IsValid()) + return SBOX_ERROR_CANNOT_INIT_BROKERSERVICES; + + no_targets_.Set(::CreateEventW(nullptr, true, false, nullptr)); + + job_thread_.Set(::CreateThread(nullptr, 0, // Default security and stack. + TargetEventsThread, this, 0, nullptr)); +@@ -191,16 +193,17 @@ BrokerServicesBase::~BrokerServicesBase( + + if (job_thread_.IsValid() && + WAIT_TIMEOUT == ::WaitForSingleObject(job_thread_.Get(), 1000)) { // Cannot clean broker services. NOTREACHED(); return; } - - tracker_list_.clear(); thread_pool_.reset(); - -+ // Cancel the wait events and delete remaining peer trackers. -+ for (PeerTrackerMap::iterator it = peer_map_.begin(); -+ it != peer_map_.end(); ++it) { -+ DeregisterPeerTracker(it->second); -+ } -+ - ::DeleteCriticalSection(&lock_); ++ ::DeleteCriticalSection(&lock_); } scoped_refptr BrokerServicesBase::CreatePolicy() { @@ -90,45 +55,99 @@ 
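Review bot: `::InitializeCriticalSection(&lock_);` is added to Init() while the matching `::DeleteCriticalSection(&lock_);` is added to the destructor, so a BrokerServicesBase destroyed without Init() having run would delete an uninitialized CRITICAL_SECTION, and lock_ is also taken by IsSafeDuplicationTarget later in this patch. The constructor `BrokerServicesBase::BrokerServicesBase() {}` is visible as context just above; initializing there, `BrokerServicesBase::BrokerServicesBase() { ::InitializeCriticalSection(&lock_); }`, ties the lock's lifetime to the object rather than to Init(). This is presumably low risk in practice because the broker is obtained through GetInstance(), but the init/delete pairing is easier to reason about when both sit in the special members.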
diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.cc b/secu // change the downcast to it in SpawnTarget(). scoped_refptr policy(new PolicyBase); // PolicyBase starts with refcount 1. -@@ -247,16 +275,23 @@ DWORD WINAPI BrokerServicesBase::TargetE + policy->Release(); +@@ -283,16 +286,21 @@ DWORD WINAPI BrokerServicesBase::TargetE + if (1 == target_counter) { + ::ResetEvent(no_targets); + } break; } - default: { - NOTREACHED(); - break; - } + case JOB_OBJECT_MSG_EXIT_PROCESS: + case JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS: { ++ { ++ AutoLock lock(&broker->lock_); ++ broker->active_targets_.erase( ++ static_cast(reinterpret_cast(ovl))); ++ } + size_t erase_result = child_process_ids.erase( + static_cast(reinterpret_cast(ovl))); + if (erase_result != 1U) { + // The process was untracked e.g. a child process of the target. + --untracked_target_counter; + DCHECK(untracked_target_counter >= 0); + } + --target_counter; +@@ -348,27 +356,31 @@ DWORD WINAPI BrokerServicesBase::TargetE + tracker->wait_handle = INVALID_HANDLE_VALUE; } -+ } else if (THREAD_CTRL_REMOVE_PEER == key) { -+ // Remove a process from our list of peers. -+ AutoLock lock(&broker->lock_); -+ PeerTrackerMap::iterator it = broker->peer_map_.find( -+ static_cast(reinterpret_cast(ovl))); -+ DeregisterPeerTracker(it->second); -+ broker->peer_map_.erase(it); - } else if (THREAD_CTRL_QUIT == key) { - // The broker object is being destroyed so the thread needs to exit. - return 0; - } else { - // We have not implemented more commands. - NOTREACHED(); - } - } -@@ -460,25 +495,70 @@ ResultCode BrokerServicesBase::SpawnTarg - // TODO(wfh): Find a way to make this have the correct lifetime. - policy_base->AddRef(); + processes.push_back(std::move(tracker)); - // We have to signal the event once here because the completion port will - // never get a message that this target is being terminated thus we should - // not block WaitForAllTargets until we have at least one target with job. 
- if (child_process_ids_.empty()) - ::SetEvent(no_targets_.Get()); -+ // We can not track the life time of such processes and it is responsibility -+ // of the host application to make sure that spawned targets without jobs -+ // are terminated when the main application don't need them anymore. -+ // Sandbox policy engine needs to know that these processes are valid -+ // targets for e.g. BrokerDuplicateHandle so track them as peer processes. -+ AddTargetPeer(process_info.process_handle()); + } else if (THREAD_CTRL_PROCESS_SIGNALLED == key) { + ProcessTracker* tracker = + static_cast(reinterpret_cast(ovl)); + ++ { ++ AutoLock lock(&broker->lock_); ++ broker->active_targets_.erase(tracker->process_id); ++ } ++ + ::UnregisterWait(tracker->wait_handle); + tracker->wait_handle = INVALID_HANDLE_VALUE; + + // PID is unique until the process handle is closed in dtor. + processes.erase(std::remove_if(processes.begin(), processes.end(), + [&](auto&& p) -> bool { + return p->process_id == + tracker->process_id; + }), + processes.end()); +- + } else if (THREAD_CTRL_GET_POLICY_INFO == key) { + // Clone the policies for sandbox diagnostics. + std::unique_ptr receiver; + receiver.reset(static_cast( + reinterpret_cast(ovl))); + // The PollicyInfo ctor copies essential information from the trackers. + auto policy_list = std::make_unique(); + for (auto&& process_tracker : processes) { +@@ -637,47 +649,79 @@ ResultCode BrokerServicesBase::SpawnTarg + // the tracker. The worker thread takes ownership of these objects. + CHECK(::PostQueuedCompletionStatus( + job_port_.Get(), 0, THREAD_CTRL_NEW_JOB_TRACKER, + reinterpret_cast(tracker))); + // There is no obvious recovery after failure here. Previous version with + // SpawnCleanup() caused deletion of TargetProcess twice. 
crbug.com/480639 + CHECK( + AssociateCompletionPort(tracker->job.Get(), job_port_.Get(), tracker)); ++ ++ AutoLock lock(&lock_); ++ active_targets_.insert(process_info.process_id()); + } else { +- // Duplicate the process handle to give the tracking machinery +- // something valid to wait on in the tracking thread. +- HANDLE tmp_process_handle = INVALID_HANDLE_VALUE; +- if (!::DuplicateHandle(::GetCurrentProcess(), process_info.process_handle(), +- ::GetCurrentProcess(), &tmp_process_handle, +- SYNCHRONIZE, false, 0 /*no options*/)) { +- *last_error = ::GetLastError(); ++ result = AddTargetPeerInternal(process_info.process_handle(), ++ process_info.process_id(), ++ policy_base, last_error); ++ if (result != SBOX_ALL_OK) { + // This may fail in the same way as Job associated processes. + // crbug.com/480639. + SpawnCleanup(target); +- return SBOX_ERROR_CANNOT_DUPLICATE_PROCESS_HANDLE; ++ return result; + } +- base::win::ScopedHandle dup_process_handle(tmp_process_handle); +- ProcessTracker* tracker = new ProcessTracker( +- policy_base, process_info.process_id(), std::move(dup_process_handle)); +- // The tracker and policy will leak if this call fails. +- ::PostQueuedCompletionStatus(job_port_.Get(), 0, +- THREAD_CTRL_NEW_PROCESS_TRACKER, +- reinterpret_cast(tracker)); } *target_info = process_info.Take(); @@ -140,74 +159,75 @@ 
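Review bot: In SpawnTarget the new `active_targets_.insert(process_info.process_id());` runs after `AssociateCompletionPort`, and in AddTargetPeerInternal (next hunk) the insert runs after the tracker has been posted to the worker thread, while the worker thread's new `active_targets_.erase` calls run on exit and wait notifications; if such a notification is processed before the insert, the erase is a no-op and the PID stays in active_targets_ after the process is gone. Because Windows reuses PIDs, a stale entry would later make IsSafeDuplicationTarget() answer true for an unrelated process that received the same PID. For the spawned target this window is presumably narrow if the child is still suspended at that point, but a peer handed to AddTargetPeer is already running, so inserting into active_targets_ before handing the tracker to the worker thread (and erasing it again if the post fails) closes the window in both places. SpawnTarget starts and ends outside this hunk.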
diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.cc b/secu return SBOX_ALL_OK; } - bool BrokerServicesBase::IsActiveTarget(DWORD process_id) { - AutoLock lock(&lock_); -- return child_process_ids_.find(process_id) != child_process_ids_.end(); -+ return child_process_ids_.find(process_id) != child_process_ids_.end() || -+ peer_map_.find(process_id) != peer_map_.end(); ++bool BrokerServicesBase::IsSafeDuplicationTarget(DWORD process_id) { ++ AutoLock lock(&lock_); ++ return active_targets_.find(process_id) != active_targets_.end(); +} + -+VOID CALLBACK BrokerServicesBase::RemovePeer(PVOID parameter, BOOLEAN timeout) { -+ PeerTracker* peer = reinterpret_cast(parameter); -+ // Don't check the return code because we this may fail (safely) at shutdown. -+ ::PostQueuedCompletionStatus( -+ peer->job_port, 0, THREAD_CTRL_REMOVE_PEER, -+ reinterpret_cast(static_cast(peer->id))); ++ResultCode BrokerServicesBase::AddTargetPeerInternal( ++ HANDLE peer_process_handle, ++ DWORD peer_process_id, ++ scoped_refptr policy_base, ++ DWORD* last_error) { ++ // Duplicate the process handle to give the tracking machinery ++ // something valid to wait on in the tracking thread. ++ HANDLE tmp_process_handle = INVALID_HANDLE_VALUE; ++ if (!::DuplicateHandle(::GetCurrentProcess(), peer_process_handle, ++ ::GetCurrentProcess(), &tmp_process_handle, ++ SYNCHRONIZE, false, 0 /*no options*/)) { ++ *last_error = ::GetLastError(); ++ return SBOX_ERROR_CANNOT_DUPLICATE_PROCESS_HANDLE; ++ } ++ base::win::ScopedHandle dup_process_handle(tmp_process_handle); ++ ProcessTracker* tracker = new ProcessTracker( ++ policy_base, peer_process_id, std::move(dup_process_handle)); ++ // The tracker and policy will leak if this call fails. 
++ ::PostQueuedCompletionStatus(job_port_.Get(), 0, ++ THREAD_CTRL_NEW_PROCESS_TRACKER, ++ reinterpret_cast(tracker)); ++ ++ AutoLock lock(&lock_); ++ active_targets_.insert(peer_process_id); ++ ++ return SBOX_ALL_OK; +} + +ResultCode BrokerServicesBase::AddTargetPeer(HANDLE peer_process) { -+ std::unique_ptr peer( -+ new PeerTracker(::GetProcessId(peer_process), job_port_.Get())); -+ if (!peer->id) -+ return SBOX_ERROR_GENERIC; ++ DWORD last_error; ++ return AddTargetPeerInternal(peer_process, ::GetProcessId(peer_process), ++ nullptr, &last_error); ++} + -+ HANDLE process_handle; -+ if (!::DuplicateHandle(::GetCurrentProcess(), peer_process, -+ ::GetCurrentProcess(), &process_handle, -+ SYNCHRONIZE, FALSE, 0)) { -+ return SBOX_ERROR_GENERIC; -+ } -+ peer->process.Set(process_handle); -+ -+ AutoLock lock(&lock_); -+ if (!peer_map_.insert(std::make_pair(peer->id, peer.get())).second) -+ return SBOX_ERROR_BAD_PARAMS; -+ -+ if (!::RegisterWaitForSingleObject( -+ &peer->wait_object, peer->process.Get(), RemovePeer, peer.get(), -+ INFINITE, WT_EXECUTEONLYONCE | WT_EXECUTEINWAITTHREAD)) { -+ peer_map_.erase(peer->id); -+ return SBOX_ERROR_GENERIC; -+ } -+ -+ // Release the pointer since it will be cleaned up by the callback. -+ ignore_result(peer.release()); -+ return SBOX_ALL_OK; - } - - } // namespace sandbox + ResultCode BrokerServicesBase::GetPolicyDiagnostics( + std::unique_ptr receiver) { + CHECK(job_thread_.IsValid()); + // Post to the job thread. + if (!::PostQueuedCompletionStatus( + job_port_.Get(), 0, THREAD_CTRL_GET_POLICY_INFO, + reinterpret_cast(receiver.get()))) { + receiver->OnError(SBOX_ERROR_GENERIC); diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.h b/security/sandbox/chromium/sandbox/win/src/broker_services.h --- a/security/sandbox/chromium/sandbox/win/src/broker_services.h 
+++ b/security/sandbox/chromium/sandbox/win/src/broker_services.h -@@ -19,16 +19,17 @@ +@@ -13,16 +13,17 @@ + + #include "base/compiler_specific.h" + #include "base/macros.h" + #include "base/memory/scoped_refptr.h" + #include "base/win/scoped_handle.h" + #include "sandbox/win/src/crosscall_server.h" + #include "sandbox/win/src/job.h" #include "sandbox/win/src/sandbox.h" ++#include "sandbox/win/src/sandbox_policy_base.h" #include "sandbox/win/src/sharedmem_ipc_server.h" #include "sandbox/win/src/win2k_threadpool.h" #include "sandbox/win/src/win_utils.h" - namespace { - - struct JobTracker; -+struct PeerTracker; - - } // namespace - namespace sandbox { // BrokerServicesBase --------------------------------------------------------- // Broker implementation version 0 - // -@@ -48,28 +49,35 @@ class BrokerServicesBase final : public +@@ -43,16 +44,24 @@ class BrokerServicesBase final : public scoped_refptr CreatePolicy() override; ResultCode SpawnTarget(const wchar_t* exe_path, const wchar_t* command_line, @@ -217,58 +237,53 @@ 
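Review bot: AddTargetPeer passes `nullptr` as policy_base into AddTargetPeerInternal, so the ProcessTracker created for a peer carries no policy, and nothing in the hunk records that trackers may now be policy-less; the diagnostics loop on the worker thread (`for (auto&& process_tracker : processes)` in the previous hunk) builds PolicyInfo from every tracker and would need to tolerate that — I cannot confirm from here whether it does. A comment at the nullptr argument such as `// Peer processes are tracked without a policy; every consumer of ProcessTracker must handle a null policy.` would make the invariant explicit. Separately, `DWORD last_error = 0;` in AddTargetPeer avoids passing an indeterminate value through the out-parameter, even though it is only written on the failure path and never read here.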
diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.h b/secur PROCESS_INFORMATION* target) override; ResultCode WaitForAllTargets() override; + ResultCode AddTargetPeer(HANDLE peer_process) override; - - // Checks if the supplied process ID matches one of the broker's active - // target processes - // Returns: - // true if there is an active target process for this ID, otherwise false. - bool IsActiveTarget(DWORD process_id); ++ ++ // Checks if the supplied process ID matches one of the broker's active ++ // target processes. We use this method for the specific purpose of ++ // checking if we can safely duplicate a handle to the supplied process ++ // in DuplicateHandleProxyAction. ++ bool IsSafeDuplicationTarget(DWORD process_id); ++ + ResultCode GetPolicyDiagnostics( + std::unique_ptr receiver) override; private: -+ typedef std::list JobTrackerList; -+ typedef std::map PeerTrackerMap; -+ // The routine that the worker thread executes. It is in charge of // notifications and cleanup-related tasks. static DWORD WINAPI TargetEventsThread(PVOID param); -+ // Removes a target peer from the process list if it expires. -+ static VOID CALLBACK RemovePeer(PVOID parameter, BOOLEAN timeout); -+ - // The completion port used by the job objects to communicate events to - // the worker thread. - base::win::ScopedHandle job_port_; - - // Handle to a manual-reset event that is signaled when the total target - // process count reaches zero. +@@ -65,14 +74,27 @@ class BrokerServicesBase final : public base::win::ScopedHandle no_targets_; -@@ -81,16 +89,20 @@ class BrokerServicesBase final : public - CRITICAL_SECTION lock_; + // Handle to the worker thread that reacts to job notifications. + base::win::ScopedHandle job_thread_; // Provides a pool of threads that are used to wait on the IPC calls. std::unique_ptr thread_pool_; - // List of the trackers for closing and cleanup purposes. 
- std::list> tracker_list_; - -+ // Maps peer process IDs to the saved handle and wait event. -+ // Prevents peer callbacks from accessing the broker after destruction. -+ PeerTrackerMap peer_map_; ++ // The set representing the broker's active target processes including ++ // both sandboxed and unsandboxed peer processes. ++ std::set active_targets_; ++ ++ // Lock used to protect active_targets_ from being simultaneously accessed ++ // by multiple threads. ++ CRITICAL_SECTION lock_; ++ ++ ResultCode AddTargetPeerInternal(HANDLE peer_process_handle, ++ DWORD peer_process_id, ++ scoped_refptr policy_base, ++ DWORD* last_error); + - // Provides a fast lookup to identify sandboxed processes that belong to a - // job. Consult |jobless_process_handles_| for handles of processes without - // jobs. - std::set child_process_ids_; - DISALLOW_COPY_AND_ASSIGN(BrokerServicesBase); }; + } // namespace sandbox + + #endif // SANDBOX_WIN_SRC_BROKER_SERVICES_H_ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sandbox/chromium/sandbox/win/src/sandbox.h --- a/security/sandbox/chromium/sandbox/win/src/sandbox.h +++ b/security/sandbox/chromium/sandbox/win/src/sandbox.h -@@ -86,16 +86,24 @@ class BrokerServices { - PROCESS_INFORMATION* target) = 0; +@@ -96,16 +96,24 @@ class BrokerServices { // This call blocks (waits) for all the targets to terminate. // Returns: @@ -276,7 +291,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sand // If the return is ERROR_GENERIC, you can call ::GetLastError() to get // more information. virtual ResultCode WaitForAllTargets() = 0; -+ + + // Adds an unsandboxed process as a peer for policy decisions (e.g. + // HANDLES_DUP_ANY policy). + // Returns: @@ -284,11 +299,12 @@ 
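Review bot: The comment on `std::set active_targets_` says what the set holds but not the property the duplication check depends on: entries are process IDs, which the OS reuses once a process exits, so an entry must be erased as soon as the exit or wait notification arrives or IsSafeDuplicationTarget may vouch for an unrelated process. Suggest extending it with `// Keyed by PID, which Windows reuses after exit; entries must be erased promptly on the worker thread's exit notifications.` The private AddTargetPeerInternal declaration also sits between data members; placing it next to TargetEventsThread keeps methods and fields grouped as the rest of the class does. The set's element type has been stripped in this rendering, so I am assuming DWORD from the IsSafeDuplicationTarget signature.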
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sand + // If the return is ERROR_GENERIC, you can call ::GetLastError() to get + // more information. + virtual ResultCode AddTargetPeer(HANDLE peer_process) = 0; - - protected: - ~BrokerServices() {} - }; - - // TargetServices models the current process from the perspective - // of a target process. To obtain a pointer to it use - // Sandbox::GetTargetServices(). Note that this call returns a non-null ++ + // This call creates a snapshot of policies managed by the sandbox and + // returns them via a helper class. + // Parameters: + // receiver: The |PolicyDiagnosticsReceiver| implementation will be + // called to accept the results of the call. + // Returns: + // ALL_OK if the request was dispatched. All other return values + // imply failure, and the responder will not receive its completion diff --git a/security/sandbox/chromium-shim/patches/with_update/revert_remove_BrokerDuplicateHandle.patch b/security/sandbox/chromium-shim/patches/with_update/revert_remove_BrokerDuplicateHandle.patch index 630bc90d0c44..970c0d1db274 100644 --- a/security/sandbox/chromium-shim/patches/with_update/revert_remove_BrokerDuplicateHandle.patch +++ b/security/sandbox/chromium-shim/patches/with_update/revert_remove_BrokerDuplicateHandle.patch 
@@ -1,18 +1,22 @@ # HG changeset patch -# User Bob Owen -# Date 1485985575 0 -# Wed Feb 01 21:46:15 2017 +0000 -# Node ID 9328428e5f863472f3702057b01d472b46b7b6a2 -# Parent 4c1880ac25a66dec6455dc88ba693096d65df704 -Reinstate sandbox::TargetServices::BrokerDuplicateHandle. r=aklotz +# User Toshihito Kikuchi +# Date 1589671733 25200 +# Sat May 16 16:28:53 2020 -0700 +# Node ID 91bb5c3807cfe657cc24c9a3c217dd1f57db6d5c +# Parent 22eb0bf7180801edf775be44cf299a50e01eb7bf +Reinstate sandbox::TargetServices::BrokerDuplicateHandle. r=bobowen -This basically reverts chromium commit 569193665184525ca366e65d0735f5c851106e43. +This patch reverts the commit removing sandbox::TargetServices::BrokerDuplicateHandle +and applies the new IpcTag type. + +https://chromium.googlesource.com/chromium/src.git/+/569193665184525ca366e65d0735f5c851106e43 +https://chromium.googlesource.com/chromium/src.git/+/c8cff7f9663ce6d1ef35e5c717f43c867c3906eb diff --git a/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc new file mode 100644 --- /dev/null +++ b/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc -@@ -0,0 +1,92 @@ +@@ -0,0 +1,93 @@ +// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. @@ -37,7 +41,7 @@ new file mode 100644 +HandleDispatcher::HandleDispatcher(PolicyBase* policy_base) + : policy_base_(policy_base) { + static const IPCCall duplicate_handle_proxy = { -+ {IPC_DUPLICATEHANDLEPROXY_TAG, ++ {IpcTag::DUPLICATEHANDLEPROXY, + {VOIDPTR_TYPE, UINT32_TYPE, UINT32_TYPE, UINT32_TYPE}}, + reinterpret_cast( + &HandleDispatcher::DuplicateHandleProxy)}; 
@@ -46,14 +50,15 @@ new file mode 100644 +} + +bool HandleDispatcher::SetupService(InterceptionManager* manager, -+ int service) { ++ IpcTag service) { + // We perform no interceptions for handles right now. + switch (service) { -+ case IPC_DUPLICATEHANDLEPROXY_TAG: -+ return true; -+ } ++ case IpcTag::DUPLICATEHANDLEPROXY: ++ return true; + -+ return false; ++ default: ++ return false; ++ } +} + +bool HandleDispatcher::DuplicateHandleProxy(IPCInfo* ipc, @@ -93,7 +98,7 @@ new file mode 100644 + params[HandleTarget::NAME] = ParamPickerMake(type_info->Name.Buffer); + params[HandleTarget::TARGET] = ParamPickerMake(target_process_id); + -+ EvalResult eval = policy_base_->EvalPolicy(IPC_DUPLICATEHANDLEPROXY_TAG, ++ EvalResult eval = policy_base_->EvalPolicy(IpcTag::DUPLICATEHANDLEPROXY, + params.GetBase()); + ipc->return_info.win32_result = + HandlePolicy::DuplicateHandleProxyAction(eval, handle.Get(), @@ -132,7 +137,7 @@ new file mode 100644 + ~HandleDispatcher() override {} + + // Dispatcher interface. -+ bool SetupService(InterceptionManager* manager, int service) override; ++ bool SetupService(InterceptionManager* manager, IpcTag service) override; + + private: + // Processes IPC requests coming from calls to @@ -184,7 +189,7 @@ new file mode 100644 + + SharedMemIPCClient ipc(memory); + CrossCallReturn answer = {0}; -+ ResultCode code = CrossCall(ipc, IPC_DUPLICATEHANDLEPROXY_TAG, ++ ResultCode code = CrossCall(ipc, IpcTag::DUPLICATEHANDLEPROXY, + source_handle, target_process_id, + desired_access, options, &answer); + if (SBOX_ALL_OK != code) @@ -234,7 +239,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/handle_policy.cc b/securi new file mode 100644 --- /dev/null +++ b/security/sandbox/chromium/sandbox/win/src/handle_policy.cc -@@ -0,0 +1,92 @@ +@@ -0,0 +1,93 @@ +// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. 
@@ -282,7 +287,7 @@ new file mode 100644 + CASE_INSENSITIVE)) { + return false; + } -+ if (!policy->AddRule(IPC_DUPLICATEHANDLEPROXY_TAG, &duplicate_rule)) { ++ if (!policy->AddRule(IpcTag::DUPLICATEHANDLEPROXY, &duplicate_rule)) { + return false; + } + return true; @@ -302,7 +307,8 @@ new file mode 100644 + base::win::ScopedHandle remote_target_process; + if (target_process_id != ::GetCurrentProcessId()) { + // Sandboxed children are dynamic, so we check that manually. -+ if (!BrokerServicesBase::GetInstance()->IsActiveTarget(target_process_id)) { ++ if (!BrokerServicesBase::GetInstance()->IsSafeDuplicationTarget( ++ target_process_id)) { + return ERROR_ACCESS_DENIED; + } + @@ -493,29 +499,28 @@ new file mode 100644 diff --git a/security/sandbox/chromium/sandbox/win/src/ipc_tags.h b/security/sandbox/chromium/sandbox/win/src/ipc_tags.h --- a/security/sandbox/chromium/sandbox/win/src/ipc_tags.h +++ b/security/sandbox/chromium/sandbox/win/src/ipc_tags.h -@@ -23,16 +23,17 @@ enum { - IPC_NTOPENPROCESS_TAG, - IPC_NTOPENPROCESSTOKEN_TAG, - IPC_NTOPENPROCESSTOKENEX_TAG, - IPC_CREATEPROCESSW_TAG, - IPC_CREATEEVENT_TAG, - IPC_OPENEVENT_TAG, - IPC_NTCREATEKEY_TAG, - IPC_NTOPENKEY_TAG, -+ IPC_DUPLICATEHANDLEPROXY_TAG, - IPC_GDI_GDIDLLINITIALIZE_TAG, - IPC_GDI_GETSTOCKOBJECT_TAG, - IPC_USER_REGISTERCLASSW_TAG, - IPC_CREATETHREAD_TAG, - IPC_USER_ENUMDISPLAYMONITORS_TAG, - IPC_USER_ENUMDISPLAYDEVICES_TAG, - IPC_USER_GETMONITORINFO_TAG, - IPC_GDI_CREATEOPMPROTECTEDOUTPUTS_TAG, +@@ -23,16 +23,17 @@ enum class IpcTag { + NTOPENPROCESS, + NTOPENPROCESSTOKEN, + NTOPENPROCESSTOKENEX, + CREATEPROCESSW, + CREATEEVENT, + OPENEVENT, + NTCREATEKEY, + NTOPENKEY, ++ DUPLICATEHANDLEPROXY, + GDI_GDIDLLINITIALIZE, + GDI_GETSTOCKOBJECT, + USER_REGISTERCLASSW, + CREATETHREAD, + USER_ENUMDISPLAYMONITORS, + USER_ENUMDISPLAYDEVICES, + USER_GETMONITORINFO, + GDI_CREATEOPMPROTECTEDOUTPUTS, 
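Review bot: The predicate that gates which PID the broker will duplicate a handle into is switched here from `IsActiveTarget()` to `IsSafeDuplicationTarget()`, but neither the updated patch description (which mentions only the IpcTag adaptation) nor a comment records how the two differ, and the public doc for BrokerDuplicateHandle in sandbox.h elsewhere in this patch still promises that the target "must be an active sandbox child process". This check is what stops a compromised sandboxed process from having the broker inject handles into an arbitrary process, so the guarantee being relied on should be stated next to the call, e.g. extend the existing comment to `// Sandboxed children are dynamic, so we check that manually. IsSafeDuplicationTarget() replaced IsActiveTarget() upstream and must still reject any PID that is not a live sandbox child tracked by the broker; only the broker's own PID bypasses it (branch above).` I cannot see IsSafeDuplicationTarget's definition in this diff, so whether it is stricter, looser or equivalent (for instance whether it also accepts children already signalled as exited) should be confirmed against broker_services.cc before the sandbox.h wording is kept. The enclosing function (DuplicateHandleProxyAction, judging by the call site in handle_dispatcher.cc) continues outside the hunk.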
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sandbox/chromium/sandbox/win/src/sandbox.h --- a/security/sandbox/chromium/sandbox/win/src/sandbox.h +++ b/security/sandbox/chromium/sandbox/win/src/sandbox.h -@@ -136,16 +136,30 @@ class TargetServices { - // processing any untrusted data or running third-party code. If this call +@@ -161,16 +161,30 @@ class TargetServices { // fails the current process could be terminated immediately. virtual void LowerToken() = 0; @@ -523,7 +528,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sand // information about the current state of the process, such as whether // LowerToken has been called or not. virtual ProcessState* GetState() = 0; -+ + + // Requests the broker to duplicate the supplied handle into the target + // process. The target process must be an active sandbox child process + // and the source process must have a corresponding policy allowing @@ -537,28 +542,30 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sand + HANDLE* target_handle, + DWORD desired_access, + DWORD options) = 0; - ++ protected: ~TargetServices() {} }; - } // namespace sandbox - - + class PolicyInfo { + public: + // Returns a JSON representation of the policy snapshot. + // This pointer has the same lifetime as this PolicyInfo object. diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h --- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h 
+++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h -@@ -24,27 +24,31 @@ class TargetPolicy { +@@ -25,28 +25,32 @@ class TargetPolicy { // exactly like the CreateProcess API does. See the comment at the top of // process_thread_dispatcher.cc for more details. enum SubSystem { - SUBSYS_FILES, // Creation and opening of files and pipes. - SUBSYS_NAMED_PIPES, // Creation of named pipes. - SUBSYS_PROCESS, // Creation of child processes. - SUBSYS_REGISTRY, // Creation and opening of registry keys. - SUBSYS_SYNC, // Creation of named sync objects. -+ SUBSYS_HANDLES, // Duplication of handles to other processes. - SUBSYS_WIN32K_LOCKDOWN // Win32K Lockdown related policy. + SUBSYS_FILES, // Creation and opening of files and pipes. + SUBSYS_NAMED_PIPES, // Creation of named pipes. + SUBSYS_PROCESS, // Creation of child processes. + SUBSYS_REGISTRY, // Creation and opening of registry keys. + SUBSYS_SYNC, // Creation of named sync objects. ++ SUBSYS_HANDLES, // Duplication of handles to other processes. + SUBSYS_WIN32K_LOCKDOWN, // Win32K Lockdown related policy. + SUBSYS_SIGNED_BINARY // Signed binary policy. }; // Allowable semantics when a rule is matched. @@ -583,14 +590,14 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h b/securi diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc --- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc +++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc -@@ -10,16 +10,17 @@ - - #include "base/callback.h" +@@ -12,16 +12,17 @@ #include "base/logging.h" #include "base/macros.h" #include "base/stl_util.h" #include "base/strings/stringprintf.h" + #include "base/win/win_util.h" #include "base/win/windows_version.h" + #include "sandbox/win/src/acl.h" #include "sandbox/win/src/filesystem_policy.h" +#include "sandbox/win/src/handle_policy.h" #include "sandbox/win/src/interception.h" 
@@ -601,7 +608,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/ #include "sandbox/win/src/policy_low_level.h" #include "sandbox/win/src/process_mitigations.h" #include "sandbox/win/src/process_mitigations_win32k_policy.h" -@@ -733,16 +734,24 @@ ResultCode PolicyBase::AddRuleInternal(S +@@ -754,16 +755,24 @@ ResultCode PolicyBase::AddRuleInternal(S } case SUBSYS_REGISTRY: { if (!RegistryPolicy::GenerateRules(pattern, semantics, policy_maker_)) { @@ -619,13 +626,13 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/ + } + case SUBSYS_WIN32K_LOCKDOWN: { - if (!ProcessMitigationsWin32KLockdownPolicy::GenerateRules( - pattern, semantics, policy_maker_)) { - NOTREACHED(); - return SBOX_ERROR_BAD_PARAMS; - } - break; - } + // Win32k intercept rules only supported on Windows 8 and above. This must + // match the version checks in process_mitigations.cc for consistency. + if (base::win::GetVersion() >= base::win::Version::WIN8) { + DCHECK_EQ(MITIGATION_WIN32K_DISABLE, + mitigations_ & MITIGATION_WIN32K_DISABLE) + << "Enable MITIGATION_WIN32K_DISABLE before adding win32k policy " + "rules."; diff --git a/security/sandbox/chromium/sandbox/win/src/target_services.cc b/security/sandbox/chromium/sandbox/win/src/target_services.cc --- a/security/sandbox/chromium/sandbox/win/src/target_services.cc +++ b/security/sandbox/chromium/sandbox/win/src/target_services.cc @@ -647,9 +654,9 @@ 
diff --git a/security/sandbox/chromium/sandbox/win/src/target_services.cc b/secu #include "sandbox/win/src/sandbox_nt_util.h" #include "sandbox/win/src/sandbox_types.h" #include "sandbox/win/src/sharedmem_ipc_client.h" -@@ -259,9 +260,19 @@ void ProcessState::SetRevertedToSelf() { - if (process_state_ < 3) - process_state_ = 3; +@@ -239,9 +240,19 @@ void ProcessState::SetRevertedToSelf() { + if (process_state_ < ProcessStateInternal::REVERTED_TO_SELF) + process_state_ = ProcessStateInternal::REVERTED_TO_SELF; } void ProcessState::SetCsrssConnected(bool csrss_connected) { @@ -670,7 +677,7 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/target_services.cc b/secu diff --git a/security/sandbox/chromium/sandbox/win/src/target_services.h b/security/sandbox/chromium/sandbox/win/src/target_services.h --- a/security/sandbox/chromium/sandbox/win/src/target_services.h +++ b/security/sandbox/chromium/sandbox/win/src/target_services.h -@@ -41,16 +41,21 @@ class ProcessState { +@@ -40,16 +40,21 @@ class ProcessState { class TargetServicesBase : public TargetServices { public: TargetServicesBase(); @@ -713,24 +720,24 @@ 
diff --git a/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc b #include "sandbox/win/src/process_thread_dispatcher.h" #include "sandbox/win/src/registry_dispatcher.h" #include "sandbox/win/src/sandbox_policy_base.h" -@@ -53,16 +54,20 @@ TopLevelDispatcher::TopLevelDispatcher(P - ipc_targets_[IPC_OPENEVENT_TAG] = dispatcher; +@@ -55,16 +56,20 @@ TopLevelDispatcher::TopLevelDispatcher(P + ipc_targets_[static_cast(IpcTag::OPENEVENT)] = dispatcher; sync_dispatcher_.reset(dispatcher); dispatcher = new RegistryDispatcher(policy_); - ipc_targets_[IPC_NTCREATEKEY_TAG] = dispatcher; - ipc_targets_[IPC_NTOPENKEY_TAG] = dispatcher; + ipc_targets_[static_cast(IpcTag::NTCREATEKEY)] = dispatcher; + ipc_targets_[static_cast(IpcTag::NTOPENKEY)] = dispatcher; registry_dispatcher_.reset(dispatcher); + dispatcher = new HandleDispatcher(policy_); -+ ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG] = dispatcher; ++ ipc_targets_[static_cast(IpcTag::DUPLICATEHANDLEPROXY)] = dispatcher; + handle_dispatcher_.reset(dispatcher); + dispatcher = new ProcessMitigationsWin32KDispatcher(policy_); - ipc_targets_[IPC_GDI_GDIDLLINITIALIZE_TAG] = dispatcher; - ipc_targets_[IPC_GDI_GETSTOCKOBJECT_TAG] = dispatcher; - ipc_targets_[IPC_USER_REGISTERCLASSW_TAG] = dispatcher; - ipc_targets_[IPC_USER_ENUMDISPLAYMONITORS_TAG] = dispatcher; - ipc_targets_[IPC_USER_ENUMDISPLAYDEVICES_TAG] = dispatcher; - ipc_targets_[IPC_USER_GETMONITORINFO_TAG] = dispatcher; - ipc_targets_[IPC_GDI_CREATEOPMPROTECTEDOUTPUTS_TAG] = dispatcher; + ipc_targets_[static_cast(IpcTag::GDI_GDIDLLINITIALIZE)] = dispatcher; + ipc_targets_[static_cast(IpcTag::GDI_GETSTOCKOBJECT)] = dispatcher; + ipc_targets_[static_cast(IpcTag::USER_REGISTERCLASSW)] = dispatcher; + ipc_targets_[static_cast(IpcTag::USER_ENUMDISPLAYMONITORS)] = + dispatcher; + ipc_targets_[static_cast(IpcTag::USER_ENUMDISPLAYDEVICES)] = + dispatcher; 
diff --git a/security/sandbox/chromium-shim/patches/with_update/update_chromium_linux_x86_syscalls.patch b/security/sandbox/chromium-shim/patches/with_update/update_chromium_linux_x86_syscalls.patch
deleted file mode 100644
index 0c0331cafc01..000000000000
--- a/security/sandbox/chromium-shim/patches/with_update/update_chromium_linux_x86_syscalls.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-# HG changeset patch
-# User Gian-Carlo Pascutto
-# Date 1465410964 -7200
-# Wed Jun 08 20:36:04 2016 +0200
-# Node ID 37ac7119fe8df776c850624a9a95dd182ff469b0
-# Parent 5d0dab9cddb8410f891f22a1bead1c1975adb5bd
-Update chromium's list of linux-x86-32 syscalls. r=jld
-
-Originally landed as changset:
-https://hg.mozilla.org/mozilla-central/rev/adb1d2a92e0d
-
-diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h b/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
---- a/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
-+++ b/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
-@@ -1417,10 +1417,78 @@
- #if !defined(__NR_getrandom)
- #define __NR_getrandom 355
- #endif
-
- #if !defined(__NR_memfd_create)
- #define __NR_memfd_create 356
- #endif
-
-+#if !defined(__NR_bpf)
-+#define __NR_bpf 357
-+#endif
-+
-+#if !defined(__NR_execveat)
-+#define __NR_execveat 358
-+#endif
-+
-+#if !defined(__NR_socket)
-+#define __NR_socket 359
-+#endif
-+
-+#if !defined(__NR_socketpair)
-+#define __NR_socketpair 360
-+#endif
-+
-+#if !defined(__NR_bind)
-+#define __NR_bind 361
-+#endif
-+
-+#if !defined(__NR_connect)
-+#define __NR_connect 362
-+#endif
-+
-+#if !defined(__NR_listen)
-+#define __NR_listen 363
-+#endif
-+
-+#if !defined(__NR_accept4)
-+#define __NR_accept4 364
-+#endif
-+
-+#if !defined(__NR_getsockopt)
-+#define __NR_getsockopt 365
-+#endif
-+
-+#if !defined(__NR_setsockopt)
-+#define __NR_setsockopt 366
-+#endif
-+
-+#if !defined(__NR_getsockname)
-+#define __NR_getsockname 367
-+#endif
-+
-+#if !defined(__NR_getpeername)
-+#define __NR_getpeername 368
-+#endif
-+
-+#if !defined(__NR_sendto)
-+#define __NR_sendto 369
-+#endif
-+
-+#if !defined(__NR_sendmsg)
-+#define __NR_sendmsg 370
-+#endif
-+
-+#if !defined(__NR_recvfrom)
-+#define __NR_recvfrom 371
-+#endif
-+
-+#if !defined(__NR_recvmsg)
-+#define __NR_recvmsg 372
-+#endif
-+
-+#if !defined(__NR_shutdown)
-+#define __NR_shutdown 373
-+#endif
-+
- #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_32_LINUX_SYSCALLS_H_
-