Bug 1611290 - Windows sandbox for socket process. r=bobowen

Differential Revision: https://phabricator.services.mozilla.com/D62772

--HG--
extra : moz-landing-system : lando

ipc/glue/GeckoChildProcessHost.cpp

@@ -1439,7 +1439,12 @@ bool WindowsProcessLauncher::DoSetup() {
       }
       break;
     case GeckoProcessType_Socket:
-      // TODO - setup sandboxing for the socket process.
+      if (!PR_GetEnv("MOZ_DISABLE_SOCKET_PROCESS_SANDBOX")) {
+        if (!mResults.mSandboxBroker->SetSecurityLevelForSocketProcess()) {
+          return false;
+        }
+        mUseSandbox = true;
+      }
       break;
     case GeckoProcessType_RemoteSandboxBroker:
       // We don't sandbox the sandbox launcher...

modules/libpref/init/StaticPrefList.yaml

@@ -7823,6 +7823,13 @@
     type: RelaxedAtomicBool
     value: false
     mirror: always
+
+  # Whether win32k is disabled for socket processes.
+  # true means win32k system calls are not permitted.
+-   name: security.sandbox.socket.win32k-disable
+    type: RelaxedAtomicBool
+    value: true
+    mirror: always
 #endif
 
 # When comparing schemes, if this pref is set, view-source URIs are reachable

netwerk/ipc/SocketProcessImpl.cpp

@@ -12,6 +12,10 @@
 #include "mozilla/BackgroundHangMonitor.h"
 #include "mozilla/Preferences.h"
 
+#if defined(OS_WIN) && defined(MOZ_SANDBOX)
+#  include "mozilla/sandboxTarget.h"
+#endif
+
 using mozilla::ipc::IOThreadChild;
 
 namespace mozilla {
@@ -31,6 +35,12 @@ bool SocketProcessImpl::Init(int aArgc, char* aArgv[]) {
                   base::GetCurrentProcId());
     sleep(30);
   }
+#endif
+#if defined(MOZ_SANDBOX) && defined(OS_WIN)
+  LoadLibraryW(L"nss3.dll");
+  LoadLibraryW(L"softokn3.dll");
+  LoadLibraryW(L"freebl3.dll");
+  mozilla::SandboxTarget::Instance()->StartSandbox();
 #endif
   char* parentBuildID = nullptr;
   char* prefsHandle = nullptr;

security/sandbox/win/src/remotesandboxbroker/remoteSandboxBroker.cpp

@@ -145,6 +145,11 @@ bool RemoteSandboxBroker::SetSecurityLevelForRDDProcess() {
       "RemoteSandboxBroker::SetSecurityLevelForRDDProcess not Implemented");
 }
 
+bool RemoteSandboxBroker::SetSecurityLevelForSocketProcess() {
+  MOZ_CRASH(
+      "RemoteSandboxBroker::SetSecurityLevelForSocketProcess not Implemented");
+}
+
 bool RemoteSandboxBroker::SetSecurityLevelForPluginProcess(
     int32_t aSandboxLevel) {
   MOZ_CRASH(

security/sandbox/win/src/remotesandboxbroker/remoteSandboxBroker.h

@@ -37,6 +37,7 @@ class RemoteSandboxBroker : public AbstractSandboxBroker {
                                          bool aIsFileProcess) override;
   void SetSecurityLevelForGPUProcess(int32_t aSandboxLevel) override;
   bool SetSecurityLevelForRDDProcess() override;
+  bool SetSecurityLevelForSocketProcess() override;
   bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel) override;
   bool SetSecurityLevelForGMPlugin(SandboxLevel aLevel,
                                    bool aIsRemoteLaunch = false) override;

security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp

@@ -902,6 +902,100 @@ bool SandboxBroker::SetSecurityLevelForRDDProcess() {
   return true;
 }
 
+bool SandboxBroker::SetSecurityLevelForSocketProcess() {
+  if (!mPolicy) {
+    return false;
+  }
+
+  auto result =
+      SetJobLevel(mPolicy, sandbox::JOB_LOCKDOWN, 0 /* ui_exceptions */);
+  SANDBOX_ENSURE_SUCCESS(
+      result,
+      "SetJobLevel should never fail with these arguments, what happened?");
+
+  result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
+                                  sandbox::USER_LIMITED);
+  SANDBOX_ENSURE_SUCCESS(
+      result,
+      "SetTokenLevel should never fail with these arguments, what happened?");
+
+  result = mPolicy->SetAlternateDesktop(true);
+  if (NS_WARN_IF(result != sandbox::SBOX_ALL_OK)) {
+    LOG_W("SetAlternateDesktop failed, result: %i, last error: %x", result,
+          ::GetLastError());
+  }
+
+  result = mPolicy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
+  SANDBOX_ENSURE_SUCCESS(result,
+                         "SetIntegrityLevel should never fail with these "
+                         "arguments, what happened?");
+
+  result =
+      mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
+  SANDBOX_ENSURE_SUCCESS(result,
+                         "SetDelayedIntegrityLevel should never fail with "
+                         "these arguments, what happened?");
+
+  sandbox::MitigationFlags mitigations =
+      sandbox::MITIGATION_BOTTOM_UP_ASLR | sandbox::MITIGATION_HEAP_TERMINATE |
+      sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
+      sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP |
+      sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32;
+
+  // On Windows 7, where Win32k lockdown is not supported, the Chromium
+  // sandbox does something weird that breaks COM instantiation.
+  if (StaticPrefs::security_sandbox_socket_win32k_disable() &&
+      IsWin8OrLater()) {
+    mitigations |= sandbox::MITIGATION_WIN32K_DISABLE;
+    result =
+        mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN,
+                         sandbox::TargetPolicy::FAKE_USER_GDI_INIT, nullptr);
+    SANDBOX_ENSURE_SUCCESS(result, "Failed to set FAKE_USER_GDI_INIT policy.");
+  }
+
+  result = mPolicy->SetProcessMitigations(mitigations);
+  SANDBOX_ENSURE_SUCCESS(result, "Invalid flags for SetProcessMitigations.");
+
+  mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
+                sandbox::MITIGATION_DYNAMIC_CODE_DISABLE |
+                sandbox::MITIGATION_DLL_SEARCH_ORDER |
+                sandbox::MITIGATION_FORCE_MS_SIGNED_BINS;
+
+  result = mPolicy->SetDelayedProcessMitigations(mitigations);
+  SANDBOX_ENSURE_SUCCESS(result,
+                         "Invalid flags for SetDelayedProcessMitigations.");
+
+  // Add the policy for the client side of a pipe. It is just a file
+  // in the \pipe\ namespace. We restrict it to pipes that start with
+  // "chrome." so the sandboxed process cannot connect to system services.
+  result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+                            sandbox::TargetPolicy::FILES_ALLOW_ANY,
+                            L"\\??\\pipe\\chrome.*");
+  SANDBOX_ENSURE_SUCCESS(
+      result,
+      "With these static arguments AddRule should never fail, what happened?");
+
+  // Add the policy for the client side of the crash server pipe.
+  result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+                            sandbox::TargetPolicy::FILES_ALLOW_ANY,
+                            L"\\??\\pipe\\gecko-crash-server-pipe.*");
+  SANDBOX_ENSURE_SUCCESS(
+      result,
+      "With these static arguments AddRule should never fail, what happened?");
+
+  // This section is needed to avoid an assert during crash reporting code
+  // when running mochitests.  The assertion is here:
+  // toolkit/crashreporter/nsExceptionHandler.cpp:2041
+  result =
+      mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
+                       sandbox::TargetPolicy::HANDLES_DUP_BROKER, L"Section");
+  SANDBOX_ENSURE_SUCCESS(
+      result,
+      "With these static arguments AddRule should never fail, what happened?");
+
+  return true;
+}
+
 bool SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel) {
   if (!mPolicy) {
     return false;

security/sandbox/win/src/sandboxbroker/sandboxBroker.h

@@ -40,6 +40,7 @@ class AbstractSandboxBroker {
 
   virtual void SetSecurityLevelForGPUProcess(int32_t aSandboxLevel) = 0;
   virtual bool SetSecurityLevelForRDDProcess() = 0;
+  virtual bool SetSecurityLevelForSocketProcess() = 0;
 
   virtual bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel) = 0;
   enum SandboxLevel { LockDown, Restricted };
@@ -87,6 +88,7 @@ class SandboxBroker : public AbstractSandboxBroker {
 
   void SetSecurityLevelForGPUProcess(int32_t aSandboxLevel) override;
   bool SetSecurityLevelForRDDProcess() override;
+  bool SetSecurityLevelForSocketProcess() override;
 
   bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel) override;
   bool SetSecurityLevelForGMPlugin(SandboxLevel aLevel,