
[Windows Sandbox] Turn on MITIGATION_EXTENSION_POINT_DISABLE for child processes.

This CL is part of a chain of CLs:
1) "MITIGATION_EXTENSION_POINT_DISABLE support for children" (https://codereview.chromium.org/1835003003)
2) "MITIGATION_EXTENSION_POINT_DISABLE emergency off finch" (https://codereview.chromium.org/1836523004/)
3) "New NT registry API" (https://codereview.chromium.org/1841573002)
4) "Early browser security support" (https://codereview.chromium.org/1656453002)
5) -> THIS
6) "Turn on MITIGATION_EXTENSION_POINT_DISABLE for browser process" (https://codereview.chromium.org/2223783003)

This CL only turns on the new mitigation (in all child processes, not the browser process yet).

BUG=557798
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win10_chromium_x64_rel_ng

Committed: https://crrev.com/df585142df9fd58299ef02b64da3381d8b733cb8
Review-Url: https://codereview.chromium.org/1854323002
Cr-Original-Commit-Position: refs/heads/master@{#409264}
Cr-Commit-Position: refs/heads/master@{#410508}
pennymac
2016-08-08 17:13:33 -07:00
committed by Commit bot
parent b6be4d4a04
commit 3087cbe87c
5 changed files with 43 additions and 1 deletions

@ -18,6 +18,7 @@
#include "chrome_elf/dll_hash/dll_hash.h"
#include "components/variations/variations_associated_data.h"
#include "content/public/browser/browser_thread.h"
#include "content/public/common/content_features.h"
const char kBrowserBlacklistTrialName[] = "BrowserBlacklist";
const char kBrowserBlacklistTrialDisabledGroupName[] = "NoBlacklist";
@ -109,6 +110,22 @@ void InitializeChromeElf() {
FROM_HERE,
base::Bind(&ReportSuccessfulBlocks),
base::TimeDelta::FromSeconds(kBlacklistReportingDelaySec));
// Make sure the early finch emergency "off switch" for
// sandbox::MITIGATION_EXTENSION_POINT_DISABLE is set properly in reg.
// Note: the very existence of this key signals elf to not enable
// this mitigation on browser next start.
base::win::RegKey finch_security_registry_key(
HKEY_CURRENT_USER, elf_sec::kRegSecurityFinchPath, KEY_READ);
if (base::FeatureList::IsEnabled(features::kWinSboxDisableExtensionPoints)) {
if (finch_security_registry_key.Valid())
finch_security_registry_key.DeleteKey(L"");
} else {
if (!finch_security_registry_key.Valid())
finch_security_registry_key.Create(
HKEY_CURRENT_USER, elf_sec::kRegSecurityFinchPath, KEY_WRITE);
}
}
void BrowserBlacklistBeaconSetup() {
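Review bot: The return values of `finch_security_registry_key.DeleteKey(L"")` and `finch_security_registry_key.Create(...)` are discarded, so if the emergency off-switch key cannot be removed or written the browser silently carries the wrong mitigation state into its next start; at minimum report the failure, e.g. `if (finch_security_registry_key.Create(HKEY_CURRENT_USER, elf_sec::kRegSecurityFinchPath, KEY_WRITE) != ERROR_SUCCESS) DLOG(WARNING) << "Failed to create finch security key";` and likewise for the delete. Because the key's presence means "mitigation off", the branch shape (feature enabled → delete the key) reads inverted on first sight; a one-line comment such as `// Key present == mitigation OFF; feature enabled == remove the off switch.` above the `if` would prevent a future "fix" that flips it. The `Valid()` check followed by `Create` is a small check-then-act window, which appears harmless here since both branches converge on the same end state, but that reasoning is worth a comment too. InitializeChromeElf begins outside the hunk.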

@ -108,6 +108,7 @@ if (current_cpu == "x86") {
"//chrome:nacl64_exe_version",
"//components/crash/content/app:app_breakpad_mac_win_to_be_deleted",
"//components/nacl/loader:nacl_helper_win_64",
"//content/public/common:static_features",
"//content/public/common:static_switches",
"//ppapi/proxy:ipc",
"//sandbox",

@ -19,6 +19,9 @@ void InitializeSandboxInfo(sandbox::SandboxInterfaceInfo* info) {
sandbox::MITIGATION_DEP |
sandbox::MITIGATION_DEP_NO_ATL_THUNK |
sandbox::MITIGATION_HARDEN_TOKEN_IL_POLICY);
// Note: these mitigations are "post-startup". Some mitigations that need
// to be enabled sooner (e.g. MITIGATION_EXTENSION_POINT_DISABLE) are done
// so in Chrome_ELF.
}
}
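Review bot: The added comment states that early mitigations like MITIGATION_EXTENSION_POINT_DISABLE are "done so in Chrome_ELF", but per the CL description Chrome_ELF covers only the browser process (and not until a later CL), while for this child process the parent appears to apply that mitigation through the sandbox policy before launch, as the content/common hunk in this commit does. As written, a reader of nacl64 will look for the mitigation in the wrong place. Suggest: `// Note: these mitigations are "post-startup". Mitigations that must be in place before startup (e.g. MITIGATION_EXTENSION_POINT_DISABLE) are applied by the parent's sandbox policy for child processes, or by Chrome_ELF for the browser process.` InitializeSandboxInfo begins outside the hunk.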

@ -31,6 +31,7 @@
#include "base/win/windows_version.h"
#include "content/common/content_switches_internal.h"
#include "content/public/common/content_client.h"
#include "content/public/common/content_features.h"
#include "content/public/common/content_switches.h"
#include "content/public/common/sandbox_init.h"
#include "content/public/common/sandboxed_process_launcher_delegate.h"
@ -724,8 +725,10 @@ sandbox::ResultCode StartSandboxedProcess(
sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL;
sandbox::ResultCode result = sandbox::SBOX_ERROR_GENERIC;
if (base::FeatureList::IsEnabled(features::kWinSboxDisableExtensionPoints))
mitigations |= sandbox::MITIGATION_EXTENSION_POINT_DISABLE;
sandbox::ResultCode result = sandbox::SBOX_ERROR_GENERIC;
result = policy->SetProcessMitigations(mitigations);
if (result != sandbox::SBOX_ALL_OK)
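Review bot: Nothing in the hunk explains why MITIGATION_EXTENSION_POINT_DISABLE alone is gated on `features::kWinSboxDisableExtensionPoints` while the neighbouring mitigations are unconditional; a short comment above the `if` would spare the next reader a trip through the CL chain, e.g. `// Gated on a feature so this mitigation can be switched off remotely (emergency off switch) without a new build.`. The check also presumes `base::FeatureList` is initialised before the first sandboxed launch; if any child can be started earlier than that, `IsEnabled` will not reflect the trial state, which is worth confirming against the browser startup order. StartSandboxedProcess begins and ends outside the hunk.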

@ -68,6 +68,24 @@ source_set("static_switches") {
public_configs = [ ":static_switches_defines" ]
}
# This target allows you to use the content_features constants and statically
# link to it, without depending on the rest of content. This is only for use
# without content, or you will get multiply defined symbols.
source_set("static_features") {
public = [
"content_features.h",
]
sources = [
"//content/common/content_export.h",
"content_features.cc",
]
public_deps = [
"//base",
]
public_configs = [ ":static_switches_defines" ]
}
source_set("common_sources") {
# External code should depend on via ":common" above.
visibility = [ "//content/*" ]
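Review bot: The comment on `static_features` warns that linking it together with the rest of content produces multiply defined symbols, but nothing enforces that; consider a `visibility` list naming the intended standalone users (this file already restricts `common_sources` with `visibility = [ "//content/*" ]`) so an accidental in-content dependency fails at gn time rather than at link time. The target also reuses `:static_switches_defines` as its public config; if that config is really switches-specific, either rename it to something shared or add a one-line comment that the reuse is intentional.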