Add AC/LPAC documentation for Windows sandbox.
BUG=841001 Change-Id: I3ce92f4eedfd499726c1475ac2809e9295971744 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3319418 Reviewed-by: James Forshaw <forshaw@chromium.org> Commit-Queue: Will Harris <wfh@chromium.org> Cr-Commit-Position: refs/heads/main@{#949005}
This commit is contained in:

committed by
Chromium LUCI CQ

parent
cc6bd9bac3
commit
7dba881892
@ -328,23 +328,6 @@ policies on the target process for enforcing security characteristics.
|
|||||||
[here](https://docs.google.com/document/d/1gJDlk-9xkh6_8M_awrczWCaUuyr0Zd2TKjNBCiPO_G4)
|
[here](https://docs.google.com/document/d/1gJDlk-9xkh6_8M_awrczWCaUuyr0Zd2TKjNBCiPO_G4)
|
||||||
for more details.
|
for more details.
|
||||||
|
|
||||||
#### App Container (low box token):
|
|
||||||
|
|
||||||
* >= Win8
|
|
||||||
* In Windows this is implemented at the kernel level by a Low Box token which is
|
|
||||||
a stripped version of a normal token with limited privilege (normally just
|
|
||||||
`SeChangeNotifyPrivilege` and `SeIncreaseWorkingSetPrivilege`), running at Low
|
|
||||||
integrity level and an array of "Capabilities" which can be mapped to
|
|
||||||
allow/deny what the process is allowed to do (see
|
|
||||||
[MSDN](https://msdn.microsoft.com/en-us/library/windows/apps/hh464936.aspx)
|
|
||||||
for a high level description). The capability most interesting from a sandbox
|
|
||||||
perspective is denying is access to the network, as it turns out network
|
|
||||||
checks are enforced if the token is a Low Box token and the `INTERNET_CLIENT`
|
|
||||||
Capability is not present.
|
|
||||||
* The sandbox therefore takes the existing restricted token and adds the Low Box
|
|
||||||
attributes, without granting any Capabilities, so as to gain the additional
|
|
||||||
protection of no network access from the sandboxed process.
|
|
||||||
|
|
||||||
#### Disable Extension Points (legacy hooking):
|
#### Disable Extension Points (legacy hooking):
|
||||||
|
|
||||||
* >= Win8
|
* >= Win8
|
||||||
@ -406,6 +389,65 @@ policies on the target process for enforcing security characteristics.
|
|||||||
[ticket](https://bugs.chromium.org/p/project-zero/issues/detail?id=213&redir=1),
|
[ticket](https://bugs.chromium.org/p/project-zero/issues/detail?id=213&redir=1),
|
||||||
[Project Zero blog](http://googleprojectzero.blogspot.co.uk/2015/05/in-console-able.html).
|
[Project Zero blog](http://googleprojectzero.blogspot.co.uk/2015/05/in-console-able.html).
|
||||||
|
|
||||||
|
### App Container (low box token):
|
||||||
|
|
||||||
|
* In Windows this is implemented at the kernel level by a Low Box token which is
|
||||||
|
a stripped version of a normal token with limited privilege (normally just
|
||||||
|
`SeChangeNotifyPrivilege` and `SeIncreaseWorkingSetPrivilege`), running at Low
|
||||||
|
integrity level and an array of "Capabilities" which can be mapped to
|
||||||
|
allow/deny what the process is allowed to do (see
|
||||||
|
[MSDN](https://msdn.microsoft.com/en-us/library/windows/apps/hh464936.aspx)
|
||||||
|
for a high level description). The capability most interesting from a sandbox
|
||||||
|
perspective is denying is access to the network, as it turns out network
|
||||||
|
checks are enforced if the token is a Low Box token and the `INTERNET_CLIENT`
|
||||||
|
Capability is not present.
|
||||||
|
* The sandbox therefore takes the existing restricted token and adds the Low Box
|
||||||
|
attributes, without granting any Capabilities, so as to gain the additional
|
||||||
|
protection of no network access from the sandboxed process.
|
||||||
|
|
||||||
|
### Less Privileged App Container (LPAC)
|
||||||
|
|
||||||
|
* An extension of the App Container (see above) available on later versions of
|
||||||
|
Windows 10 (RS2 and greater), the Less Privileged App Container (LPAC) runs
|
||||||
|
at a lower privilege level than normal App Container, with access granted by
|
||||||
|
default to only those kernel, filesystem and registry objects marked with the
|
||||||
|
`ALL RESTRICTED APPLICATION PACKAGES` or a specific package SID. This is
|
||||||
|
opposed to App Container which uses `ALL APPLICATION PACKAGES`.
|
||||||
|
* A key characteristic of the LPAC is that specific named capabilities can be
|
||||||
|
added such as those based on well known SIDs (defined in
|
||||||
|
[`base/win/sid.h`](https://cs.chromium.org/chromium/src/base/win/sid.h)) or
|
||||||
|
via 'named capabilities' resolved through call to
|
||||||
|
[DeriveCapabilitySidsFromName](https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-derivecapabilitysidsfromname)
|
||||||
|
which are not really strictly defined anywhere but can be found in various
|
||||||
|
[places](https://social.technet.microsoft.com/Forums/scriptcenter/en-US/3e7d85e3-d0e1-4e79-8141-0bbf8faf3644/windows-10-anniversary-update-the-case-of-the-mysterious-account-sid-causing-the-flood-of-dcom?forum=win10itprosetup)
|
||||||
|
and include capabilities such as:
|
||||||
|
* `lpacCom`
|
||||||
|
* `registryRead`
|
||||||
|
* `lpacWebPlatform`
|
||||||
|
* `lpacClipboard`
|
||||||
|
* etc...
|
||||||
|
* Each LPAC process can have a process-specific SID created for it and this
|
||||||
|
can be used to protect files specific to that particular sandbox, and there
|
||||||
|
can be multiple different overlapping sets of access rights depending on
|
||||||
|
the interactions between services running in different sandboxes.
|
||||||
|
|
||||||
|
#### LPAC File System Permissions
|
||||||
|
* Importantly, all locations in the filesystem and registry that the LPAC
|
||||||
|
process will access during its lifetime need to have the right ACLs on
|
||||||
|
them. `registryRead` is important for registry read access, and Windows
|
||||||
|
system files have `ALL RESTRICTED APPLICATION PACKAGES` ACE on them already,
|
||||||
|
but other files that the sandbox process needs access to including the
|
||||||
|
binaries (e.g. chrome.exe, chrome.dll) and also any data files need ACLs to
|
||||||
|
be laid down. This is typically done by the installer, and also done
|
||||||
|
automatically for tests. However, if the LPAC sandbox is to be used in other
|
||||||
|
environments then these filesystem permissions need to be manually laid down
|
||||||
|
using `icacls`, the installer, or a similar tool. An example of a ACE that
|
||||||
|
could be used can be found in
|
||||||
|
[`testing/scripts/common.py`](https://cs.chromium.org/chromium/src/testing/scripts/common.py)
|
||||||
|
however in high security environments a more restrictive SID should be used
|
||||||
|
such as one from the
|
||||||
|
[installer](https://source.chromium.org/chromium/chromium/src/+/main:chrome/installer/setup/install_worker.cc;l=74).
|
||||||
|
|
||||||
### Other caveats
|
### Other caveats
|
||||||
|
|
||||||
The operating system might have bugs. Of interest are bugs in the Windows API
|
The operating system might have bugs. Of interest are bugs in the Windows API
|
||||||
|
Reference in New Issue
Block a user