From 692f8a55324ddd6b06015dbe3058ea867fb18462 Mon Sep 17 00:00:00 2001
From: Bob Owen
Date: Wed, 7 Sep 2022 09:42:04 +0000
Subject: [PATCH] Bug 1689136: Apply MITIGATION_HARDEN_TOKEN_IL_POLICY to main and launcher processes. r=handyman
This also ensures that DEP without ATL thunk is enforced.
Differential Revision: https://phabricator.services.mozilla.com/D156069
---
browser/app/winlauncher/LauncherProcessWin.cpp | 9 +++++++++
security/sandbox/win/SandboxInitialization.cpp | 12 ++++++++++++
security/sandbox/win/SandboxInitialization.h | 5 +++++
3 files changed, 26 insertions(+)
diff --git a/browser/app/winlauncher/LauncherProcessWin.cpp b/browser/app/winlauncher/LauncherProcessWin.cpp
index 326ed6a0838e..16e8c466e00d 100644
--- a/browser/app/winlauncher/LauncherProcessWin.cpp
+++ b/browser/app/winlauncher/LauncherProcessWin.cpp
@@ -37,6 +37,10 @@
 # include "SameBinary.h"
 #endif // defined(MOZ_LAUNCHER_PROCESS)
+#if defined(MOZ_SANDBOX)
+# include "mozilla/sandboxing/SandboxInitialization.h"
+#endif
+
 namespace mozilla {
 // "const" because nothing in this process modifies it.
 // "volatile" because something in another process may.
@@ -320,6 +324,11 @@ Maybe LauncherMain(int& argc, wchar_t* argv[],
 }
 }
+#if defined(MOZ_SANDBOX)
+ // Ensure the relevant mitigations are enforced.
+ mozilla::sandboxing::ApplyParentProcessMitigations();
+#endif
+
 mozilla::UseParentConsole();
 if (!SetArgv0ToFullBinaryPath(argv)) {
diff --git a/security/sandbox/win/SandboxInitialization.cpp b/security/sandbox/win/SandboxInitialization.cpp
index 17c1ae4f696e..352bd45a950c 100644
--- a/security/sandbox/win/SandboxInitialization.cpp
+++ b/security/sandbox/win/SandboxInitialization.cpp
@@ -8,6 +8,7 @@
 #include "base/memory/ref_counted.h"
 #include "nsWindowsDllInterceptor.h"
+#include "sandbox/win/src/process_mitigations.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "mozilla/DebugOnly.h"
 #include "mozilla/sandboxing/permissionsService.h"
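Review bot: The comment on the new call in LauncherMain, `// Ensure the relevant mitigations are enforced.`, does not say which mitigations are meant or why the launcher process itself (not only the browser it goes on to start) needs them, and the identical comment is repeated at the InitializeBrokerServices call site in SandboxInitialization.cpp. Suggest `// Harden this launcher process's own token IL policy (and DEP without the ATL thunk); see ApplyParentProcessMitigations in SandboxInitialization.cpp.` here, with parallel wording at the other call site. LauncherMain starts and ends outside this hunk, so whether anything security-relevant has already run before this point cannot be checked from here.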
@@ -177,6 +178,9 @@ static sandbox::BrokerServices* InitializeBrokerServices() {
 scoped_refptr policy = brokerServices->CreatePolicy();
 policy->CreateAlternateDesktop(true);
+ // Ensure the relevant mitigations are enforced.
+ mozilla::sandboxing::ApplyParentProcessMitigations();
+
 return brokerServices;
 }
@@ -191,5 +195,13 @@ PermissionsService* GetPermissionsService() {
 return PermissionsService::GetInstance();
 }
+void ApplyParentProcessMitigations() {
+ // The main reason for this call is for the token hardening, but chromium code
+ // also ensures DEP without ATL thunk so we do the same.
+ sandbox::ApplyProcessMitigationsToCurrentProcess(
+ sandbox::MITIGATION_DEP | sandbox::MITIGATION_DEP_NO_ATL_THUNK |
+ sandbox::MITIGATION_HARDEN_TOKEN_IL_POLICY);
+}
+
 } // namespace sandboxing
 } // namespace mozilla
diff --git a/security/sandbox/win/SandboxInitialization.h b/security/sandbox/win/SandboxInitialization.h
index 7e255caf68ad..feab5ce6f564 100644
--- a/security/sandbox/win/SandboxInitialization.h
+++ b/security/sandbox/win/SandboxInitialization.h
@@ -45,6 +45,11 @@ sandbox::BrokerServices* GetInitializedBrokerServices();
 PermissionsService* GetPermissionsService();
+/**
+ * Apply mitigations for parent processes.
+ */
+void ApplyParentProcessMitigations();
+
 } // namespace sandboxing
 } // namespace mozilla
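Review bot: `ApplyParentProcessMitigations` discards the result of `sandbox::ApplyProcessMitigationsToCurrentProcess`, which in the chromium sandbox sources (not visible here) reports whether the requested mitigations took effect, so neither the InitializeBrokerServices call in the hunk above nor the LauncherMain call in LauncherProcessWin.cpp can notice that the token IL policy was not hardened and the process simply carries on without it. Suggest surfacing the result to the callers: `bool ApplyParentProcessMitigations() {` and `return sandbox::ApplyProcessMitigationsToCurrentProcess(`, with the declaration in SandboxInitialization.h changed to `bool ApplyParentProcessMitigations();`, so a call site can at least log or assert on `false`. The comment on the two DEP flags could also note that they presumably only matter for 32-bit builds, since 64-bit images already run with DEP enforced by the OS; worth confirming against the chromium implementation before stating it.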
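Review bot: The new header comment `Apply mitigations for parent processes.` leaves a reader of SandboxInitialization.h without the two facts that matter: that the call acts on the calling process (it wraps `sandbox::ApplyProcessMitigationsToCurrentProcess`) and which mitigations it applies. Suggest: `Apply process mitigations to the current process: MITIGATION_DEP, MITIGATION_DEP_NO_ATL_THUNK and MITIGATION_HARDEN_TOKEN_IL_POLICY. Used by the main (broker) process and by the launcher process.` The "Used by" sentence reflects the two call sites this patch adds; adjust it if other callers exist.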