Backed out 2 changesets (bug 1860062) for introducing a new crash and perf regressions.

Backed out changeset 4a6ed4317438 (bug 1860062)
Backed out changeset 5bf048ef92b7 (bug 1860062)
Cosmin Sabou 2023-11-21 18:29:05 +02:00
parent fc86bd50da
commit 6126aa6166
2 changed files with 76 additions and 47 deletions


@ -13653,7 +13653,7 @@
- name: security.sandbox.gpu.level
type: int32_t
#if defined(XP_WIN)
value: 2
value: 1
#else
value: 0
#endif
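Review bot: The Windows default of `security.sandbox.gpu.level` goes back to 1 with nothing next to the value recording what the levels select, and the meaning lives only in SandboxBroker::SetSecurityLevelForGPUProcess in the other file of this commit, where level 1 gives a USER_RESTRICTED_NON_ADMIN lockdown token and level 2 or higher gives USER_LIMITED, both at INTEGRITY_LEVEL_LOW. A one-line comment above the `#if defined(XP_WIN)` block would keep the pref and the broker in step, e.g. `# 1 = USER_RESTRICTED_NON_ADMIN lockdown token, >= 2 = USER_LIMITED (see SandboxBroker::SetSecurityLevelForGPUProcess)`. Because the backout weakens the GPU process token on Windows, it would also help to say in the pref comment or the commit message whether the level-2 default is expected to return once the crash and perf regressions are understood, so the lower value is not mistaken for the intended end state.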


@ -46,12 +46,6 @@
#include "sandbox/win/src/security_level.h"
#include "WinUtils.h"
#define SANDBOX_SUCCEED_OR_CRASH(x) \
do { \
sandbox::ResultCode result = (x); \
MOZ_RELEASE_ASSERT(result == sandbox::SBOX_ALL_OK, #x " failed"); \
} while (0)
namespace mozilla {
constexpr wchar_t kLpacFirefoxInstallFiles[] = L"lpacFirefoxInstallFiles";
@ -1079,61 +1073,92 @@ void SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
void SandboxBroker::SetSecurityLevelForGPUProcess(int32_t aSandboxLevel) {
MOZ_RELEASE_ASSERT(mPolicy, "mPolicy must be set before this call.");
MOZ_RELEASE_ASSERT(aSandboxLevel >= 1);
sandbox::TokenLevel initialTokenLevel = sandbox::USER_RESTRICTED_SAME_ACCESS;
sandbox::TokenLevel lockdownTokenLevel =
(aSandboxLevel >= 2) ? sandbox::USER_LIMITED
: sandbox::USER_RESTRICTED_NON_ADMIN;
sandbox::TokenLevel accessTokenLevel;
sandbox::IntegrityLevel initialIntegrityLevel;
sandbox::IntegrityLevel delayedIntegrityLevel;
sandbox::IntegrityLevel initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
sandbox::IntegrityLevel delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
// The setting of these levels is pretty arbitrary, but they are a useful (if
// crude) tool while we are tightening the policy. Gaps are left to try and
// avoid changing their meaning.
if (aSandboxLevel >= 2) {
accessTokenLevel = sandbox::USER_LIMITED;
initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
} else {
MOZ_RELEASE_ASSERT(aSandboxLevel >= 1,
"Should not be called with aSandboxLevel < 1");
accessTokenLevel = sandbox::USER_RESTRICTED_NON_ADMIN;
initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
}
sandbox::JobLevel jobLevel = sandbox::JOB_LIMITED_USER;
uint32_t uiExceptions =
// We use JOB_LIMITED_USER for the setting that limits the job to one active
// process, which prevents the creation of child processes. For the moment
// the other restrictions are added as excpetions until we can assess them.
sandbox::ResultCode result = mPolicy->SetJobLevel(
sandbox::JOB_LIMITED_USER,
JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS | JOB_OBJECT_UILIMIT_DESKTOP |
JOB_OBJECT_UILIMIT_EXITWINDOWS | JOB_OBJECT_UILIMIT_DISPLAYSETTINGS;
JOB_OBJECT_UILIMIT_EXITWINDOWS | JOB_OBJECT_UILIMIT_DISPLAYSETTINGS);
MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
"Setting job level failed, have you set memory limit when "
"jobLevel == JOB_NONE?");
sandbox::MitigationFlags initialMitigations =
result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
accessTokenLevel);
MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
"Lockdown level cannot be USER_UNPROTECTED or USER_LAST "
"if initial level was USER_RESTRICTED_SAME_ACCESS");
result = mPolicy->SetIntegrityLevel(initialIntegrityLevel);
MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
"SetIntegrityLevel should never fail, what happened?");
result = mPolicy->SetDelayedIntegrityLevel(delayedIntegrityLevel);
MOZ_RELEASE_ASSERT(
sandbox::SBOX_ALL_OK == result,
"SetDelayedIntegrityLevel should never fail, what happened?");
mPolicy->SetLockdownDefaultDacl();
mPolicy->AddRestrictingRandomSid();
sandbox::MitigationFlags mitigations =
sandbox::MITIGATION_BOTTOM_UP_ASLR | sandbox::MITIGATION_HEAP_TERMINATE |
sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_DEP_NO_ATL_THUNK |
sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | sandbox::MITIGATION_DEP;
if (StaticPrefs::security_sandbox_gpu_shadow_stack_enabled()) {
initialMitigations |= sandbox::MITIGATION_CET_COMPAT_MODE;
mitigations |= sandbox::MITIGATION_CET_COMPAT_MODE;
}
sandbox::MitigationFlags delayedMitigations =
sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
sandbox::MITIGATION_DLL_SEARCH_ORDER;
result = mPolicy->SetProcessMitigations(mitigations);
MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
"Invalid flags for SetProcessMitigations.");
SANDBOX_SUCCEED_OR_CRASH(mPolicy->SetJobLevel(jobLevel, uiExceptions));
SANDBOX_SUCCEED_OR_CRASH(
mPolicy->SetTokenLevel(initialTokenLevel, lockdownTokenLevel));
SANDBOX_SUCCEED_OR_CRASH(mPolicy->SetIntegrityLevel(initialIntegrityLevel));
SANDBOX_SUCCEED_OR_CRASH(
mPolicy->SetDelayedIntegrityLevel(delayedIntegrityLevel));
SANDBOX_SUCCEED_OR_CRASH(mPolicy->SetProcessMitigations(initialMitigations));
SANDBOX_SUCCEED_OR_CRASH(
mPolicy->SetDelayedProcessMitigations(delayedMitigations));
mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
sandbox::MITIGATION_DLL_SEARCH_ORDER;
mPolicy->SetLockdownDefaultDacl();
mPolicy->AddRestrictingRandomSid();
result = mPolicy->SetDelayedProcessMitigations(mitigations);
MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
"Invalid flags for SetDelayedProcessMitigations.");
// Add the policy for the client side of a pipe. It is just a file
// in the \pipe\ namespace. We restrict it to pipes that start with
// "chrome." so the sandboxed process cannot connect to system services.
SANDBOX_SUCCEED_OR_CRASH(mPolicy->AddRule(
sandbox::TargetPolicy::SUBSYS_FILES,
sandbox::TargetPolicy::FILES_ALLOW_ANY, L"\\??\\pipe\\chrome.*"));
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
sandbox::TargetPolicy::FILES_ALLOW_ANY,
L"\\??\\pipe\\chrome.*");
MOZ_RELEASE_ASSERT(
sandbox::SBOX_ALL_OK == result,
"With these static arguments AddRule should never fail, what happened?");
// Add the policy for the client side of the crash server pipe.
SANDBOX_SUCCEED_OR_CRASH(
mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
sandbox::TargetPolicy::FILES_ALLOW_ANY,
L"\\??\\pipe\\gecko-crash-server-pipe.*"));
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
sandbox::TargetPolicy::FILES_ALLOW_ANY,
L"\\??\\pipe\\gecko-crash-server-pipe.*");
MOZ_RELEASE_ASSERT(
sandbox::SBOX_ALL_OK == result,
"With these static arguments AddRule should never fail, what happened?");
// The GPU process needs to write to a shader cache for performance reasons
if (sProfileDir) {
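Review bot: In the restored body of SetSecurityLevelForGPUProcess, `accessTokenLevel`, `initialIntegrityLevel` and `delayedIntegrityLevel` are declared without initializers and only assigned inside the if/else, and both branches assign the same `INTEGRITY_LEVEL_LOW` to the two integrity levels, so the branch really only decides the token level while leaving three locals that a future third branch could read before writing. Initializing at the declaration, `sandbox::IntegrityLevel initialIntegrityLevel{sandbox::INTEGRITY_LEVEL_LOW};` and `sandbox::IntegrityLevel delayedIntegrityLevel{sandbox::INTEGRITY_LEVEL_LOW};`, and keeping the if/else for `accessTokenLevel` alone would make that explicit; the assertion message for SetJobLevel also mentions `jobLevel == JOB_NONE` although the level is hard-coded to JOB_LIMITED_USER here. I take it this is a straight backout of previously shipped code, so these are follow-up items rather than reasons to change the backout. The function starts in this hunk but continues past its last line.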
@ -1146,13 +1171,17 @@ void SandboxBroker::SetSecurityLevelForGPUProcess(int32_t aSandboxLevel) {
// The process needs to be able to duplicate shared memory handles,
// which are Section handles, to the broker process and other child processes.
SANDBOX_SUCCEED_OR_CRASH(
result =
mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
sandbox::TargetPolicy::HANDLES_DUP_BROKER, L"Section"));
SANDBOX_SUCCEED_OR_CRASH(
mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
sandbox::TargetPolicy::HANDLES_DUP_ANY, L"Section"));
sandbox::TargetPolicy::HANDLES_DUP_BROKER, L"Section");
MOZ_RELEASE_ASSERT(
sandbox::SBOX_ALL_OK == result,
"With these static arguments AddRule should never fail, what happened?");
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
sandbox::TargetPolicy::HANDLES_DUP_ANY, L"Section");
MOZ_RELEASE_ASSERT(
sandbox::SBOX_ALL_OK == result,
"With these static arguments AddRule should never fail, what happened?");
}
#define SANDBOX_ENSURE_SUCCESS(result, message) \