[Windows Sandbox] Turn on MITIGATION_EXTENSION_POINT_DISABLE for child processes.
This CL is part of a chain of CLs: 1) "MITIGATION_EXTENSION_POINT_DISABLE support for children" (https://codereview.chromium.org/1835003003) 2) "MITIGATION_EXTENSION_POINT_DISABLE emergency off finch" (https://codereview.chromium.org/1836523004/) 3) "New NT registry API" (https://codereview.chromium.org/1841573002) 4) "Early browser security support" (https://codereview.chromium.org/1656453002) 5) -> THIS 6) "Turn on MITIGATION_EXTENSION_POINT_DISABLE for browser process" (https://codereview.chromium.org/2223783003) This CL only turns on the new mitigation (in all child processes, not the browser process yet). BUG=557798 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win10_chromium_x64_rel_ng Committed: https://crrev.com/df585142df9fd58299ef02b64da3381d8b733cb8 Review-Url: https://codereview.chromium.org/1854323002 Cr-Original-Commit-Position: refs/heads/master@{#409264} Cr-Commit-Position: refs/heads/master@{#410508}
This commit is contained in:
chrome/browser/win
components/nacl/broker
content
@ -18,6 +18,7 @@
|
||||
#include "chrome_elf/dll_hash/dll_hash.h"
|
||||
#include "components/variations/variations_associated_data.h"
|
||||
#include "content/public/browser/browser_thread.h"
|
||||
#include "content/public/common/content_features.h"
|
||||
|
||||
const char kBrowserBlacklistTrialName[] = "BrowserBlacklist";
|
||||
const char kBrowserBlacklistTrialDisabledGroupName[] = "NoBlacklist";
|
||||
@ -109,6 +110,22 @@ void InitializeChromeElf() {
|
||||
FROM_HERE,
|
||||
base::Bind(&ReportSuccessfulBlocks),
|
||||
base::TimeDelta::FromSeconds(kBlacklistReportingDelaySec));
|
||||
|
||||
// Make sure the early finch emergency "off switch" for
|
||||
// sandbox::MITIGATION_EXTENSION_POINT_DISABLE is set properly in reg.
|
||||
// Note: the very existence of this key signals elf to not enable
|
||||
// this mitigation on browser next start.
|
||||
base::win::RegKey finch_security_registry_key(
|
||||
HKEY_CURRENT_USER, elf_sec::kRegSecurityFinchPath, KEY_READ);
|
||||
|
||||
if (base::FeatureList::IsEnabled(features::kWinSboxDisableExtensionPoints)) {
|
||||
if (finch_security_registry_key.Valid())
|
||||
finch_security_registry_key.DeleteKey(L"");
|
||||
} else {
|
||||
if (!finch_security_registry_key.Valid())
|
||||
finch_security_registry_key.Create(
|
||||
HKEY_CURRENT_USER, elf_sec::kRegSecurityFinchPath, KEY_WRITE);
|
||||
}
|
||||
}
|
||||
|
||||
void BrowserBlacklistBeaconSetup() {
|
||||
|
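Review bot: The status returned by `finch_security_registry_key.DeleteKey(L"")` and by `finch_security_registry_key.Create(...)` is discarded, so a failure to clear or to set the emergency off switch goes unnoticed: if the delete fails, chrome_elf keeps the mitigation disabled on every later start even though the feature is enabled, and if the create fails the kill switch never takes effect. Both calls report a LONG status in base::win::RegKey (presumed from the API; confirm), so at least check it and log or record it, e.g. `LONG rv = finch_security_registry_key.DeleteKey(L""); DLOG_IF(ERROR, rv != ERROR_SUCCESS) << "Failed to clear extension point kill switch: " << rv;`. It is also worth extending the `// Note:` comment to say that the key lives under HKEY_CURRENT_USER, so any code running as the user can create it to keep the mitigation off; that is presumably an accepted trade-off since such code could already load DLLs into the browser, but the reasoning should be stated next to the switch. InitializeChromeElf starts before this hunk.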
@ -108,6 +108,7 @@ if (current_cpu == "x86") {
|
||||
"//chrome:nacl64_exe_version",
|
||||
"//components/crash/content/app:app_breakpad_mac_win_to_be_deleted",
|
||||
"//components/nacl/loader:nacl_helper_win_64",
|
||||
"//content/public/common:static_features",
|
||||
"//content/public/common:static_switches",
|
||||
"//ppapi/proxy:ipc",
|
||||
"//sandbox",
|
||||
|
@ -19,6 +19,9 @@ void InitializeSandboxInfo(sandbox::SandboxInterfaceInfo* info) {
|
||||
sandbox::MITIGATION_DEP |
|
||||
sandbox::MITIGATION_DEP_NO_ATL_THUNK |
|
||||
sandbox::MITIGATION_HARDEN_TOKEN_IL_POLICY);
|
||||
// Note: these mitigations are "post-startup". Some mitigations that need
|
||||
// to be enabled sooner (e.g. MITIGATION_EXTENSION_POINT_DISABLE) are done
|
||||
// so in Chrome_ELF.
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -31,6 +31,7 @@
|
||||
#include "base/win/windows_version.h"
|
||||
#include "content/common/content_switches_internal.h"
|
||||
#include "content/public/common/content_client.h"
|
||||
#include "content/public/common/content_features.h"
|
||||
#include "content/public/common/content_switches.h"
|
||||
#include "content/public/common/sandbox_init.h"
|
||||
#include "content/public/common/sandboxed_process_launcher_delegate.h"
|
||||
@ -724,8 +725,10 @@ sandbox::ResultCode StartSandboxedProcess(
|
||||
sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
|
||||
sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL;
|
||||
|
||||
sandbox::ResultCode result = sandbox::SBOX_ERROR_GENERIC;
|
||||
if (base::FeatureList::IsEnabled(features::kWinSboxDisableExtensionPoints))
|
||||
mitigations |= sandbox::MITIGATION_EXTENSION_POINT_DISABLE;
|
||||
|
||||
sandbox::ResultCode result = sandbox::SBOX_ERROR_GENERIC;
|
||||
result = policy->SetProcessMitigations(mitigations);
|
||||
|
||||
if (result != sandbox::SBOX_ALL_OK)
|
||||
|
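Review bot: `sandbox::ResultCode result = sandbox::SBOX_ERROR_GENERIC;` followed immediately by `result = policy->SetProcessMitigations(mitigations);` leaves the initializer dead; since the declaration was moved in this change anyway, collapse the two lines to `sandbox::ResultCode result = policy->SetProcessMitigations(mitigations);`. On the security side, `MITIGATION_EXTENSION_POINT_DISABLE` is OR-ed in regardless of the Windows version; if SetProcessMitigations rejects flags the running OS cannot honour rather than masking them, enabling the feature on an older release would make every child launch fail at the `SBOX_ALL_OK` check below, so either confirm that the sandbox masks unsupported pre-startup mitigations or add a short comment here saying it does. StartSandboxedProcess starts before this hunk and continues after it.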
@ -68,6 +68,24 @@ source_set("static_switches") {
|
||||
public_configs = [ ":static_switches_defines" ]
|
||||
}
|
||||
|
||||
# This target allows you to use the content_features constants and statically
|
||||
# link to it, without depending on the rest of content. This is only for use
|
||||
# without content, or you will get multiply defined symbols.
|
||||
source_set("static_features") {
|
||||
public = [
|
||||
"content_features.h",
|
||||
]
|
||||
sources = [
|
||||
"//content/common/content_export.h",
|
||||
"content_features.cc",
|
||||
]
|
||||
public_deps = [
|
||||
"//base",
|
||||
]
|
||||
|
||||
public_configs = [ ":static_switches_defines" ]
|
||||
}
|
||||
|
||||
source_set("common_sources") {
|
||||
# External code should depend on via ":common" above.
|
||||
visibility = [ "//content/*" ]
|
||||
|
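Review bot: The comment on `static_features` warns that linking it alongside the rest of content yields multiply defined symbols, but nothing enforces that; add a `visibility` list naming the intended out-of-content users (in this CL, the NaCl broker), e.g. `visibility = [ "//components/nacl/broker:*" ]`, so a future in-content dependency fails at gn time rather than at link time. Reusing `:static_switches_defines` as the public config is presumably intentional because the export macro is shared with `static_switches`, but a one-line comment saying so would save the next reader a lookup.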