diff options
author | Moonchild <mcwerewolf@gmail.com> | 2018-05-04 09:09:10 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-05-04 09:09:10 +0200 |
commit | 4a2aeb152e48c44efa57c140660e99792f4dd350 (patch) | |
tree | 7b786de2b175122814a53232268b1147a8bd0bfb /security/sandbox/win | |
parent | 20532e13937ab5fc8efcb2bfc4c0070dace40cd1 (diff) | |
parent | f265784e8cabaff17f4554cf2bd2c30217b6ec0f (diff) | |
download | UXP-4a2aeb152e48c44efa57c140660e99792f4dd350.tar UXP-4a2aeb152e48c44efa57c140660e99792f4dd350.tar.gz UXP-4a2aeb152e48c44efa57c140660e99792f4dd350.tar.lz UXP-4a2aeb152e48c44efa57c140660e99792f4dd350.tar.xz UXP-4a2aeb152e48c44efa57c140660e99792f4dd350.zip |
Merge pull request #323 from MoonchildProductions/nuke-sandbox
Nuke sandbox
Diffstat (limited to 'security/sandbox/win')
-rw-r--r-- | security/sandbox/win/SandboxInitialization.cpp | 81 | ||||
-rw-r--r-- | security/sandbox/win/SandboxInitialization.h | 47 | ||||
-rw-r--r-- | security/sandbox/win/src/sandboxbroker/moz.build | 33 | ||||
-rw-r--r-- | security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp | 595 | ||||
-rw-r--r-- | security/sandbox/win/src/sandboxbroker/sandboxBroker.h | 63 | ||||
-rw-r--r-- | security/sandbox/win/src/sandboxtarget/moz.build | 20 | ||||
-rw-r--r-- | security/sandbox/win/src/sandboxtarget/sandboxTarget.cpp | 21 | ||||
-rw-r--r-- | security/sandbox/win/src/sandboxtarget/sandboxTarget.h | 83 | ||||
-rw-r--r-- | security/sandbox/win/wow_helper/Makefile.in | 47 | ||||
-rw-r--r-- | security/sandbox/win/wow_helper/moz.build | 30 |
10 files changed, 0 insertions, 1020 deletions
diff --git a/security/sandbox/win/SandboxInitialization.cpp b/security/sandbox/win/SandboxInitialization.cpp deleted file mode 100644 index e587c2598..000000000 --- a/security/sandbox/win/SandboxInitialization.cpp +++ /dev/null @@ -1,81 +0,0 @@ -/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ -/* vim: set ts=2 et sw=2 tw=80: */ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "SandboxInitialization.h" - -#include "sandbox/win/src/sandbox_factory.h" - -namespace mozilla { -namespace sandboxing { - -static sandbox::TargetServices* -InitializeTargetServices() -{ - sandbox::TargetServices* targetServices = - sandbox::SandboxFactory::GetTargetServices(); - if (!targetServices) { - return nullptr; - } - - if (targetServices->Init() != sandbox::SBOX_ALL_OK) { - return nullptr; - } - - return targetServices; -} - -sandbox::TargetServices* -GetInitializedTargetServices() -{ - static sandbox::TargetServices* sInitializedTargetServices = - InitializeTargetServices(); - - return sInitializedTargetServices; -} - -void -LowerSandbox() -{ - GetInitializedTargetServices()->LowerToken(); -} - -static sandbox::BrokerServices* -InitializeBrokerServices() -{ - sandbox::BrokerServices* brokerServices = - sandbox::SandboxFactory::GetBrokerServices(); - if (!brokerServices) { - return nullptr; - } - - if (brokerServices->Init() != sandbox::SBOX_ALL_OK) { - return nullptr; - } - - // Comment below copied from Chromium code. - // Precreate the desktop and window station used by the renderers. - // IMPORTANT: This piece of code needs to run as early as possible in the - // process because it will initialize the sandbox broker, which requires - // the process to swap its window station. During this time all the UI - // will be broken. This has to run before threads and windows are created. - sandbox::TargetPolicy* policy = brokerServices->CreatePolicy(); - sandbox::ResultCode result = policy->CreateAlternateDesktop(true); - policy->Release(); - - return brokerServices; -} - -sandbox::BrokerServices* -GetInitializedBrokerServices() -{ - static sandbox::BrokerServices* sInitializedBrokerServices = - InitializeBrokerServices(); - - return sInitializedBrokerServices; -} - -} // sandboxing -} // mozilla diff --git a/security/sandbox/win/SandboxInitialization.h b/security/sandbox/win/SandboxInitialization.h deleted file mode 100644 index e5be08904..000000000 --- a/security/sandbox/win/SandboxInitialization.h +++ /dev/null @@ -1,47 +0,0 @@ -/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ -/* vim: set ts=2 et sw=2 tw=80: */ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#ifndef mozilla_sandboxing_SandboxInitialization_h -#define mozilla_sandboxing_SandboxInitialization_h - -namespace sandbox { -class BrokerServices; -class TargetServices; -} - -// Things that use this file will probably want access to the IsSandboxedProcess -// function defined in one of the Chromium sandbox cc files. -extern "C" bool IsSandboxedProcess(); - -namespace mozilla { -// Note the Chromium code just uses a bare sandbox namespace, which makes using -// sandbox for our namespace painful. -namespace sandboxing { - -/** - * Initializes (if required) and returns the Chromium sandbox TargetServices. - * - * @return the TargetServices or null if the creation or initialization failed. - */ -sandbox::TargetServices* GetInitializedTargetServices(); - -/** - * Lowers the permissions on the process sandbox. - * Provided because the GMP sandbox needs to be lowered from the executable. - */ -void LowerSandbox(); - -/** - * Initializes (if required) and returns the Chromium sandbox BrokerServices. - * - * @return the BrokerServices or null if the creation or initialization failed. - */ -sandbox::BrokerServices* GetInitializedBrokerServices(); - -} // sandboxing -} // mozilla - -#endif // mozilla_sandboxing_SandboxInitialization_h diff --git a/security/sandbox/win/src/sandboxbroker/moz.build b/security/sandbox/win/src/sandboxbroker/moz.build deleted file mode 100644 index 4a9d01cc5..000000000 --- a/security/sandbox/win/src/sandboxbroker/moz.build +++ /dev/null @@ -1,33 +0,0 @@ -# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- -# vim: set filetype=python: -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -SOURCES += [ - 'sandboxBroker.cpp', -] - -EXPORTS += [ - 'sandboxBroker.h', -] - -for var in ('UNICODE', '_UNICODE', 'SANDBOX_EXPORTS'): - DEFINES[var] = True - -LOCAL_INCLUDES += [ - '/security/sandbox/chromium', -] - -DISABLE_STL_WRAPPING = True - -OS_LIBS += [ - 'dbghelp', -] - -if CONFIG['_MSC_VER']: - CXXFLAGS += [ - '-wd4275', # non dll-interface class exception used as base for dll-interface class - ] - -FINAL_LIBRARY = 'xul' diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp deleted file mode 100644 index 10b796268..000000000 --- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp +++ /dev/null @@ -1,595 +0,0 @@ -/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ -/* vim: set ts=2 et sw=2 tw=80: */ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "sandboxBroker.h" - -#include "base/win/windows_version.h" -#include "mozilla/Assertions.h" -#include "mozilla/Logging.h" -#include "sandbox/win/src/sandbox.h" -#include "sandbox/win/src/security_level.h" - -namespace mozilla -{ - -sandbox::BrokerServices *SandboxBroker::sBrokerService = nullptr; - -static LazyLogModule sSandboxBrokerLog("SandboxBroker"); - -#define LOG_E(...) MOZ_LOG(sSandboxBrokerLog, LogLevel::Error, (__VA_ARGS__)) - -/* static */ -void -SandboxBroker::Initialize(sandbox::BrokerServices* aBrokerServices) -{ - sBrokerService = aBrokerServices; -} - -SandboxBroker::SandboxBroker() -{ - if (sBrokerService) { - mPolicy = sBrokerService->CreatePolicy(); - } else { - mPolicy = nullptr; - } -} - -bool -SandboxBroker::LaunchApp(const wchar_t *aPath, - const wchar_t *aArguments, - const bool aEnableLogging, - void **aProcessHandle) -{ - if (!sBrokerService || !mPolicy) { - return false; - } - - // Set stdout and stderr, to allow inheritance for logging. - mPolicy->SetStdoutHandle(::GetStdHandle(STD_OUTPUT_HANDLE)); - mPolicy->SetStderrHandle(::GetStdHandle(STD_ERROR_HANDLE)); - - // If logging enabled, set up the policy. - if (aEnableLogging) { - ApplyLoggingPolicy(); - } - -#if defined(DEBUG) - // Allow write access to TEMP directory in debug builds for logging purposes. - // The path from GetTempPathW can have a length up to MAX_PATH + 1, including - // the null, so we need MAX_PATH + 2, so we can add an * to the end. - wchar_t tempPath[MAX_PATH + 2]; - uint32_t pathLen = ::GetTempPathW(MAX_PATH + 1, tempPath); - if (pathLen > 0) { - // GetTempPath path ends with \ and returns the length without the null. - tempPath[pathLen] = L'*'; - tempPath[pathLen + 1] = L'\0'; - mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, - sandbox::TargetPolicy::FILES_ALLOW_ANY, tempPath); - } -#endif - - // Ceate the sandboxed process - PROCESS_INFORMATION targetInfo = {0}; - sandbox::ResultCode result; - result = sBrokerService->SpawnTarget(aPath, aArguments, mPolicy, &targetInfo); - if (sandbox::SBOX_ALL_OK != result) { - return false; - } - - // The sandboxed process is started in a suspended state, resume it now that - // we've set things up. - ResumeThread(targetInfo.hThread); - CloseHandle(targetInfo.hThread); - - // Return the process handle to the caller - *aProcessHandle = targetInfo.hProcess; - - return true; -} - -#if defined(MOZ_CONTENT_SANDBOX) -void -SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel) -{ - MOZ_RELEASE_ASSERT(mPolicy, "mPolicy must be set before this call."); - - sandbox::JobLevel jobLevel; - sandbox::TokenLevel accessTokenLevel; - sandbox::IntegrityLevel initialIntegrityLevel; - sandbox::IntegrityLevel delayedIntegrityLevel; - - // The setting of these levels is pretty arbitrary, but they are a useful (if - // crude) tool while we are tightening the policy. Gaps are left to try and - // avoid changing their meaning. - MOZ_RELEASE_ASSERT(aSandboxLevel >= 1, "Should not be called with aSandboxLevel < 1"); - if (aSandboxLevel >= 20) { - jobLevel = sandbox::JOB_LOCKDOWN; - accessTokenLevel = sandbox::USER_LOCKDOWN; - initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_UNTRUSTED; - } else if (aSandboxLevel >= 10) { - jobLevel = sandbox::JOB_RESTRICTED; - accessTokenLevel = sandbox::USER_LIMITED; - initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - } else if (aSandboxLevel >= 2) { - jobLevel = sandbox::JOB_INTERACTIVE; - accessTokenLevel = sandbox::USER_INTERACTIVE; - initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - } else if (aSandboxLevel == 1) { - jobLevel = sandbox::JOB_NONE; - accessTokenLevel = sandbox::USER_NON_ADMIN; - initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - } - - sandbox::ResultCode result = mPolicy->SetJobLevel(jobLevel, - 0 /* ui_exceptions */); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "Setting job level failed, have you set memory limit when jobLevel == JOB_NONE?"); - - // If the delayed access token is not restricted we don't want the initial one - // to be either, because it can interfere with running from a network drive. - sandbox::TokenLevel initialAccessTokenLevel = - (accessTokenLevel == sandbox::USER_UNPROTECTED || - accessTokenLevel == sandbox::USER_NON_ADMIN) - ? sandbox::USER_UNPROTECTED : sandbox::USER_RESTRICTED_SAME_ACCESS; - - result = mPolicy->SetTokenLevel(initialAccessTokenLevel, accessTokenLevel); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "Lockdown level cannot be USER_UNPROTECTED or USER_LAST if initial level was USER_RESTRICTED_SAME_ACCESS"); - - result = mPolicy->SetIntegrityLevel(initialIntegrityLevel); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "SetIntegrityLevel should never fail, what happened?"); - result = mPolicy->SetDelayedIntegrityLevel(delayedIntegrityLevel); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "SetDelayedIntegrityLevel should never fail, what happened?"); - - if (aSandboxLevel > 2) { - result = mPolicy->SetAlternateDesktop(true); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "Failed to create alternate desktop for sandbox."); - } - - sandbox::MitigationFlags mitigations = - sandbox::MITIGATION_BOTTOM_UP_ASLR | - sandbox::MITIGATION_HEAP_TERMINATE | - sandbox::MITIGATION_SEHOP | - sandbox::MITIGATION_DEP_NO_ATL_THUNK | - sandbox::MITIGATION_DEP; - - result = mPolicy->SetProcessMitigations(mitigations); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "Invalid flags for SetProcessMitigations."); - - mitigations = - sandbox::MITIGATION_STRICT_HANDLE_CHECKS | - sandbox::MITIGATION_DLL_SEARCH_ORDER; - - result = mPolicy->SetDelayedProcessMitigations(mitigations); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "Invalid flags for SetDelayedProcessMitigations."); - - // Add the policy for the client side of a pipe. It is just a file - // in the \pipe\ namespace. We restrict it to pipes that start with - // "chrome." so the sandboxed process cannot connect to system services. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, - sandbox::TargetPolicy::FILES_ALLOW_ANY, - L"\\??\\pipe\\chrome.*"); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "With these static arguments AddRule should never fail, what happened?"); - - // Add the policy for the client side of the crash server pipe. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, - sandbox::TargetPolicy::FILES_ALLOW_ANY, - L"\\??\\pipe\\gecko-crash-server-pipe.*"); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "With these static arguments AddRule should never fail, what happened?"); - - // The content process needs to be able to duplicate named pipes back to the - // broker process, which are File type handles. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, - sandbox::TargetPolicy::HANDLES_DUP_BROKER, - L"File"); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "With these static arguments AddRule should never fail, what happened?"); - - // The content process needs to be able to duplicate shared memory handles, - // which are Section handles, to the broker process and other child processes. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, - sandbox::TargetPolicy::HANDLES_DUP_BROKER, - L"Section"); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "With these static arguments AddRule should never fail, what happened?"); - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, - sandbox::TargetPolicy::HANDLES_DUP_ANY, - L"Section"); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "With these static arguments AddRule should never fail, what happened?"); -} -#endif - -#define SANDBOX_ENSURE_SUCCESS(result, message) \ - do { \ - MOZ_ASSERT(sandbox::SBOX_ALL_OK == result, message); \ - if (sandbox::SBOX_ALL_OK != result) \ - return false; \ - } while (0) - -bool -SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel) -{ - if (!mPolicy) { - return false; - } - - sandbox::JobLevel jobLevel; - sandbox::TokenLevel accessTokenLevel; - sandbox::IntegrityLevel initialIntegrityLevel; - sandbox::IntegrityLevel delayedIntegrityLevel; - - if (aSandboxLevel > 2) { - jobLevel = sandbox::JOB_UNPROTECTED; - accessTokenLevel = sandbox::USER_LIMITED; - initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - } else if (aSandboxLevel == 2) { - jobLevel = sandbox::JOB_UNPROTECTED; - accessTokenLevel = sandbox::USER_INTERACTIVE; - initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - } else { - jobLevel = sandbox::JOB_NONE; - accessTokenLevel = sandbox::USER_NON_ADMIN; - initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_MEDIUM; - delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_MEDIUM; - } - - sandbox::ResultCode result = mPolicy->SetJobLevel(jobLevel, - 0 /* ui_exceptions */); - SANDBOX_ENSURE_SUCCESS(result, - "Setting job level failed, have you set memory limit when jobLevel == JOB_NONE?"); - - result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS, - accessTokenLevel); - SANDBOX_ENSURE_SUCCESS(result, - "Lockdown level cannot be USER_UNPROTECTED or USER_LAST if initial level was USER_RESTRICTED_SAME_ACCESS"); - - result = mPolicy->SetIntegrityLevel(initialIntegrityLevel); - SANDBOX_ENSURE_SUCCESS(result, - "SetIntegrityLevel should never fail, what happened?"); - - result = mPolicy->SetDelayedIntegrityLevel(delayedIntegrityLevel); - SANDBOX_ENSURE_SUCCESS(result, - "SetDelayedIntegrityLevel should never fail, what happened?"); - - sandbox::MitigationFlags mitigations = - sandbox::MITIGATION_BOTTOM_UP_ASLR | - sandbox::MITIGATION_HEAP_TERMINATE | - sandbox::MITIGATION_SEHOP | - sandbox::MITIGATION_DEP_NO_ATL_THUNK | - sandbox::MITIGATION_DEP; - - result = mPolicy->SetProcessMitigations(mitigations); - SANDBOX_ENSURE_SUCCESS(result, - "Invalid flags for SetProcessMitigations."); - - // Add the policy for the client side of a pipe. It is just a file - // in the \pipe\ namespace. We restrict it to pipes that start with - // "chrome." so the sandboxed process cannot connect to system services. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, - sandbox::TargetPolicy::FILES_ALLOW_ANY, - L"\\??\\pipe\\chrome.*"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - - // Add the policy for the client side of the crash server pipe. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, - sandbox::TargetPolicy::FILES_ALLOW_ANY, - L"\\??\\pipe\\gecko-crash-server-pipe.*"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - - // The NPAPI process needs to be able to duplicate shared memory to the - // content process and broker process, which are Section type handles. - // Content and broker are for e10s and non-e10s cases. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, - sandbox::TargetPolicy::HANDLES_DUP_ANY, - L"Section"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, - sandbox::TargetPolicy::HANDLES_DUP_BROKER, - L"Section"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - - // The following is required for the Java plugin. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, - sandbox::TargetPolicy::FILES_ALLOW_ANY, - L"\\??\\pipe\\jpi2_pid*_pipe*"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - - // These register keys are used by the file-browser dialog box. They - // remember the most-recently-used folders. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, - sandbox::TargetPolicy::REG_ALLOW_ANY, - L"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSavePidlMRU\\*"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, - sandbox::TargetPolicy::REG_ALLOW_ANY, - L"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedPidlMRULegacy\\*"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - - return true; -} - -bool -SandboxBroker::SetSecurityLevelForGMPlugin(SandboxLevel aLevel) -{ - if (!mPolicy) { - return false; - } - - auto result = mPolicy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0); - SANDBOX_ENSURE_SUCCESS(result, - "SetJobLevel should never fail with these arguments, what happened?"); - auto level = (aLevel == Restricted) ? - sandbox::USER_RESTRICTED : sandbox::USER_LOCKDOWN; - result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS, level); - SANDBOX_ENSURE_SUCCESS(result, - "SetTokenLevel should never fail with these arguments, what happened?"); - - result = mPolicy->SetAlternateDesktop(true); - SANDBOX_ENSURE_SUCCESS(result, - "Failed to create alternate desktop for sandbox."); - - result = mPolicy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW); - MOZ_ASSERT(sandbox::SBOX_ALL_OK == result, - "SetIntegrityLevel should never fail with these arguments, what happened?"); - - result = - mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED); - SANDBOX_ENSURE_SUCCESS(result, - "SetIntegrityLevel should never fail with these arguments, what happened?"); - - sandbox::MitigationFlags mitigations = - sandbox::MITIGATION_BOTTOM_UP_ASLR | - sandbox::MITIGATION_HEAP_TERMINATE | - sandbox::MITIGATION_SEHOP | - sandbox::MITIGATION_DEP_NO_ATL_THUNK | - sandbox::MITIGATION_DEP; - - result = mPolicy->SetProcessMitigations(mitigations); - SANDBOX_ENSURE_SUCCESS(result, - "Invalid flags for SetProcessMitigations."); - - mitigations = - sandbox::MITIGATION_STRICT_HANDLE_CHECKS | - sandbox::MITIGATION_DLL_SEARCH_ORDER; - - result = mPolicy->SetDelayedProcessMitigations(mitigations); - SANDBOX_ENSURE_SUCCESS(result, - "Invalid flags for SetDelayedProcessMitigations."); - - // Add the policy for the client side of a pipe. It is just a file - // in the \pipe\ namespace. We restrict it to pipes that start with - // "chrome." so the sandboxed process cannot connect to system services. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, - sandbox::TargetPolicy::FILES_ALLOW_ANY, - L"\\??\\pipe\\chrome.*"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - - // Add the policy for the client side of the crash server pipe. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, - sandbox::TargetPolicy::FILES_ALLOW_ANY, - L"\\??\\pipe\\gecko-crash-server-pipe.*"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - -#ifdef DEBUG - // The plugin process can't create named events, but we'll - // make an exception for the events used in logging. Removing - // this will break EME in debug builds. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_SYNC, - sandbox::TargetPolicy::EVENTS_ALLOW_ANY, - L"ChromeIPCLog.*"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); -#endif - - // The following rules were added because, during analysis of an EME - // plugin during development, these registry keys were accessed when - // loading the plugin. Commenting out these policy exceptions caused - // plugin loading to fail, so they are necessary for proper functioning - // of at least one EME plugin. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, - sandbox::TargetPolicy::REG_ALLOW_READONLY, - L"HKEY_CURRENT_USER"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, - sandbox::TargetPolicy::REG_ALLOW_READONLY, - L"HKEY_CURRENT_USER\\Control Panel\\Desktop"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, - sandbox::TargetPolicy::REG_ALLOW_READONLY, - L"HKEY_CURRENT_USER\\Control Panel\\Desktop\\LanguageConfiguration"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, - sandbox::TargetPolicy::REG_ALLOW_READONLY, - L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - - - // The following rules were added because, during analysis of an EME - // plugin during development, these registry keys were accessed when - // loading the plugin. Commenting out these policy exceptions did not - // cause anything to break during initial testing, but might cause - // unforeseen issues down the road. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, - sandbox::TargetPolicy::REG_ALLOW_READONLY, - L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MUI\\Settings"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, - sandbox::TargetPolicy::REG_ALLOW_READONLY, - L"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Control Panel\\Desktop"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, - sandbox::TargetPolicy::REG_ALLOW_READONLY, - L"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, - sandbox::TargetPolicy::REG_ALLOW_READONLY, - L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - - // The following rules were added to allow a GMP to be loaded when any - // AppLocker DLL rules are specified. If the rules specifically block the DLL - // then it will not load. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, - sandbox::TargetPolicy::FILES_ALLOW_READONLY, - L"\\Device\\SrpDevice"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, - sandbox::TargetPolicy::REG_ALLOW_READONLY, - L"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Srp\\GP\\"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - // On certain Windows versions there is a double slash before GP in the path. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, - sandbox::TargetPolicy::REG_ALLOW_READONLY, - L"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Srp\\\\GP\\"); - SANDBOX_ENSURE_SUCCESS(result, - "With these static arguments AddRule should never fail, what happened?"); - - - return true; -} -#undef SANDBOX_ENSURE_SUCCESS - -bool -SandboxBroker::AllowReadFile(wchar_t const *file) -{ - if (!mPolicy) { - return false; - } - - auto result = - mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, - sandbox::TargetPolicy::FILES_ALLOW_READONLY, - file); - if (sandbox::SBOX_ALL_OK != result) { - LOG_E("Failed (ResultCode %d) to add read access to: %S", result, file); - return false; - } - - return true; -} - -bool -SandboxBroker::AllowReadWriteFile(wchar_t const *file) -{ - if (!mPolicy) { - return false; - } - - auto result = - mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, - sandbox::TargetPolicy::FILES_ALLOW_ANY, - file); - if (sandbox::SBOX_ALL_OK != result) { - LOG_E("Failed (ResultCode %d) to add read/write access to: %S", - result, file); - return false; - } - - return true; -} - -bool -SandboxBroker::AllowDirectory(wchar_t const *dir) -{ - if (!mPolicy) { - return false; - } - - auto result = - mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, - sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY, - dir); - if (sandbox::SBOX_ALL_OK != result) { - LOG_E("Failed (ResultCode %d) to add directory access to: %S", result, dir); - return false; - } - - return true; -} - -bool -SandboxBroker::AddTargetPeer(HANDLE aPeerProcess) -{ - if (!sBrokerService) { - return false; - } - - sandbox::ResultCode result = sBrokerService->AddTargetPeer(aPeerProcess); - return (sandbox::SBOX_ALL_OK == result); -} - -void -SandboxBroker::ApplyLoggingPolicy() -{ - MOZ_ASSERT(mPolicy); - - // Add dummy rules, so that we can log in the interception code. - // We already have a file interception set up for the client side of pipes. - // Also, passing just "dummy" for file system policy causes win_utils.cc - // IsReparsePoint() to loop. - mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES, - sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, L"dummy"); - mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_PROCESS, - sandbox::TargetPolicy::PROCESS_MIN_EXEC, L"dummy"); - mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, - sandbox::TargetPolicy::REG_ALLOW_READONLY, - L"HKEY_CURRENT_USER\\dummy"); - mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_SYNC, - sandbox::TargetPolicy::EVENTS_ALLOW_READONLY, L"dummy"); - mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, - sandbox::TargetPolicy::HANDLES_DUP_BROKER, L"dummy"); -} - -SandboxBroker::~SandboxBroker() -{ - if (mPolicy) { - mPolicy->Release(); - mPolicy = nullptr; - } -} - -} diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h deleted file mode 100644 index 3f73ec890..000000000 --- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h +++ /dev/null @@ -1,63 +0,0 @@ -/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ -/* vim: set ts=2 et sw=2 tw=80: */ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#ifndef __SECURITY_SANDBOX_SANDBOXBROKER_H__ -#define __SECURITY_SANDBOX_SANDBOXBROKER_H__ - -#include <stdint.h> -#include <windows.h> - -namespace sandbox { - class BrokerServices; - class TargetPolicy; -} - -namespace mozilla { - -class SandboxBroker -{ -public: - SandboxBroker(); - - static void Initialize(sandbox::BrokerServices* aBrokerServices); - - bool LaunchApp(const wchar_t *aPath, - const wchar_t *aArguments, - const bool aEnableLogging, - void **aProcessHandle); - virtual ~SandboxBroker(); - - // Security levels for different types of processes -#if defined(MOZ_CONTENT_SANDBOX) - void SetSecurityLevelForContentProcess(int32_t aSandboxLevel); -#endif - bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel); - enum SandboxLevel { - LockDown, - Restricted - }; - bool SetSecurityLevelForGMPlugin(SandboxLevel aLevel); - - // File system permissions - bool AllowReadFile(wchar_t const *file); - bool AllowReadWriteFile(wchar_t const *file); - bool AllowDirectory(wchar_t const *dir); - - // Exposes AddTargetPeer from broker services, so that none sandboxed - // processes can be added as handle duplication targets. - bool AddTargetPeer(HANDLE aPeerProcess); - - // Set up dummy interceptions via the broker, so we can log calls. - void ApplyLoggingPolicy(); - -private: - static sandbox::BrokerServices *sBrokerService; - sandbox::TargetPolicy *mPolicy; -}; - -} // mozilla - -#endif diff --git a/security/sandbox/win/src/sandboxtarget/moz.build b/security/sandbox/win/src/sandboxtarget/moz.build deleted file mode 100644 index 7315a34ed..000000000 --- a/security/sandbox/win/src/sandboxtarget/moz.build +++ /dev/null @@ -1,20 +0,0 @@ -# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- -# vim: set filetype=python: -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -EXPORTS.mozilla += [ - 'sandboxTarget.h', -] - -SOURCES += [ - 'sandboxTarget.cpp', -] - -LOCAL_INCLUDES += [ - '/security/sandbox/chromium', - '/security/sandbox/chromium-shim', -] - -FINAL_LIBRARY = 'xul' diff --git a/security/sandbox/win/src/sandboxtarget/sandboxTarget.cpp b/security/sandbox/win/src/sandboxtarget/sandboxTarget.cpp deleted file mode 100644 index a989b3625..000000000 --- a/security/sandbox/win/src/sandboxtarget/sandboxTarget.cpp +++ /dev/null @@ -1,21 +0,0 @@ -/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ -/* vim: set ts=8 sts=2 et sw=2 tw=80: */ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#define TARGET_SANDBOX_EXPORTS -#include "sandboxTarget.h" - -namespace mozilla { - -// We need to define this function out of line so that clang-cl doesn't inline -// it. -/* static */ SandboxTarget* -SandboxTarget::Instance() -{ - static SandboxTarget sb; - return &sb; -} - -} diff --git a/security/sandbox/win/src/sandboxtarget/sandboxTarget.h b/security/sandbox/win/src/sandboxtarget/sandboxTarget.h deleted file mode 100644 index f46a2ce70..000000000 --- a/security/sandbox/win/src/sandboxtarget/sandboxTarget.h +++ /dev/null @@ -1,83 +0,0 @@ -/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ -/* vim: set ts=8 sts=2 et sw=2 tw=80: */ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#ifndef __SECURITY_SANDBOX_SANDBOXTARGET_H__ -#define __SECURITY_SANDBOX_SANDBOXTARGET_H__ - -#include <windows.h> - -#include "mozilla/Assertions.h" -#include "base/MissingBasicTypes.h" -#include "sandbox/win/src/sandbox.h" - -namespace mozilla { - -class SandboxTarget -{ -public: - /** - * Obtains a pointer to the singleton instance - */ - static SandboxTarget* Instance(); - - /** - * Used by the application to pass in the target services that provide certain - * functions to the sandboxed code. - * The target services must already be initialized. - * - * @param aTargetServices The target services that will be used - */ - void SetTargetServices(sandbox::TargetServices* aTargetServices) - { - MOZ_ASSERT(aTargetServices); - MOZ_ASSERT(!mTargetServices, - "Sandbox TargetServices must only be set once."); - - mTargetServices = aTargetServices; - } - - /** - * Called by the library that wants to "start" the sandbox, i.e. change to the - * more secure delayed / lockdown policy. - */ - void StartSandbox() - { - if (mTargetServices) { - mTargetServices->LowerToken(); - } - } - - /** - * Used to duplicate handles via the broker process. The permission for the - * handle type and target process has to have been set on the sandbox policy. - */ - bool BrokerDuplicateHandle(HANDLE aSourceHandle, DWORD aTargetProcessId, - HANDLE* aTargetHandle, DWORD aDesiredAccess, - DWORD aOptions) - { - if (!mTargetServices) { - return false; - } - - sandbox::ResultCode result = - mTargetServices->DuplicateHandle(aSourceHandle, aTargetProcessId, - aTargetHandle, aDesiredAccess, aOptions); - return (sandbox::SBOX_ALL_OK == result); - } - -protected: - SandboxTarget() : - mTargetServices(nullptr) - { - } - - sandbox::TargetServices* mTargetServices; -}; - - -} // mozilla - -#endif diff --git a/security/sandbox/win/wow_helper/Makefile.in b/security/sandbox/win/wow_helper/Makefile.in deleted file mode 100644 index aee81f3fe..000000000 --- a/security/sandbox/win/wow_helper/Makefile.in +++ /dev/null @@ -1,47 +0,0 @@ -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -# We need to build a 64-bits binary during a 32-bits build. This requires -# a different compiler and different library paths. Until the build system -# supports this natively. - -# Some Make magic to avoid CXX and LIB being evaluated when nothing -# is built in this directory -lazy = $(if $(___$(1)),,$(eval ___$(1) := $(2)))$(___$(1)) - -# We could use the `which` python module, but it needs more code to handle -# the situation where CXX points to an absolute path. But using the shell -# which returns a msys path, while we need a windows path. So force msys -# to do the conversion for us by calling python with an environment variable -# with the result of the call to `which`. Then munge that path to add the -# x64 cross-compiler path. -ifdef MOZ_USING_COMPILER_WRAPPER -ORIG_CXX := cl -else -ORIG_CXX := $(CXX) -endif -CXX = $(call lazy,CXX,"$$(subst amd64_x86/x86_amd64/,amd64/,$$(shell CL=`which "$(ORIG_CXX)"` $(PYTHON) -c 'import os; print os.path.dirname(os.environ["CL"])')/x86_amd64/cl.exe)") - -MOZ_WINCONSOLE = 0 - -include $(topsrcdir)/config/config.mk - -# Munge the LIB variable to contain paths to the x64 CRT and system libraries. -# Unconveniently, none of the paths have the same convention, including the -# compiler path above. -LIB = $(call lazy,LIB,$$(shell python -c 'import os; print ";".join(s.lower().replace(os.sep, "/").replace("/vc/lib", "/vc/lib/amd64").replace("/um/x86", "/um/x64").replace("/ucrt/x86", "/ucrt/x64") for s in os.environ["LIB"].split(";"))')) - -CXXFLAGS := $(filter-out -arch:%,$(CXXFLAGS)) - -# OS_COMPILE_CXXFLAGS includes mozilla-config.h, which contains x86-specific -# defines breaking the build. -OS_COMPILE_CXXFLAGS := - -# LNK1246: '/SAFESEH' not compatible with 'x64' target machine -LDFLAGS := $(filter-out -SAFESEH,$(LDFLAGS)) - -# When targetting x64, we need to specify a subsystem of at least 5.02, because -# the 5.01 value we inherit from the x86 parts is silently ignored, making the -# linker default to 6.00 (Vista) as of VS2013. -WIN32_GUI_EXE_LDFLAGS=-SUBSYSTEM:WINDOWS,5.02 diff --git a/security/sandbox/win/wow_helper/moz.build b/security/sandbox/win/wow_helper/moz.build deleted file mode 100644 index d9c307def..000000000 --- a/security/sandbox/win/wow_helper/moz.build +++ /dev/null @@ -1,30 +0,0 @@ -# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- -# vim: set filetype=python: -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -Program('wow_helper') - -SOURCES += [ '../../chromium/sandbox/win/wow_helper/' + f for f in ( - 'service64_resolver.cc', - 'target_code.cc', - 'wow_helper.cc', -)] - -LOCAL_INCLUDES += [ - '../../', - '../../../', - '../../chromium/', -] - -DISABLE_STL_WRAPPING = True - -DEFINES['UNICODE'] = True - -USE_STATIC_LIBS = True - -# The rules in Makefile.in only force the use of the 64-bits compiler, not -# the 64-bits linker, and the 32-bits linker can't do 64-bits compilation for -# PGO, so disable PGO, which is not interesting for this small binary anyways. -NO_PGO = True |