Bug 928044 Part 3: Add logging changes back into the Chromium interception code. r=tabraldes

security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt

@@ -1,5 +1,5 @@
 Please add a link to the bugzilla bug and patch name that should be re-applied.
 Also, please update any existing links to their actual mozilla-central changeset.
 
-https://bugzilla.mozilla.org/show_bug.cgi?id=1041775 bug1041775part2.patch
 https://bugzilla.mozilla.org/show_bug.cgi?id=1041775 bug1041775part3.patch
+https://bugzilla.mozilla.org/show_bug.cgi?id=928044  bug928044part3.patch

security/sandbox/win/src/filesystem_interception.cc

@@ -12,6 +12,7 @@
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace sandbox {
 
@@ -31,6 +32,10 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCreateFileFunction orig_CreateFile,
   if (STATUS_ACCESS_DENIED != status)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtCreateFile",
+                                  object_attributes->ObjectName->Buffer,
+                                  object_attributes->ObjectName->Length);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
@@ -86,6 +91,9 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCreateFileFunction orig_CreateFile,
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
+    mozilla::sandboxing::LogAllowed("NtCreateFile",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   return status;
@@ -102,6 +110,10 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenFileFunction orig_OpenFile, PHANDLE file,
   if (STATUS_ACCESS_DENIED != status)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtOpenFile",
+                                  object_attributes->ObjectName->Buffer,
+                                  object_attributes->ObjectName->Length);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
@@ -154,6 +166,9 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenFileFunction orig_OpenFile, PHANDLE file,
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
+    mozilla::sandboxing::LogAllowed("NtOpenFile",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   return status;
@@ -168,6 +183,10 @@ NTSTATUS WINAPI TargetNtQueryAttributesFile(
   if (STATUS_ACCESS_DENIED != status)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtQueryAttributesFile",
+                                  object_attributes->ObjectName->Buffer,
+                                  object_attributes->ObjectName->Length);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
@@ -208,6 +227,9 @@ NTSTATUS WINAPI TargetNtQueryAttributesFile(
     if (SBOX_ALL_OK != code)
       break;
 
+    mozilla::sandboxing::LogAllowed("NtQueryAttributesFile",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
     return answer.nt_status;
 
   } while (false);
@@ -225,6 +247,10 @@ NTSTATUS WINAPI TargetNtQueryFullAttributesFile(
   if (STATUS_ACCESS_DENIED != status)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtQueryFullAttributesFile",
+                                  object_attributes->ObjectName->Buffer,
+                                  object_attributes->ObjectName->Length);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
@@ -266,6 +292,9 @@ NTSTATUS WINAPI TargetNtQueryFullAttributesFile(
     if (SBOX_ALL_OK != code)
       break;
 
+    mozilla::sandboxing::LogAllowed("NtQueryFullAttributesFile",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
     return answer.nt_status;
   } while (false);
 
@@ -282,6 +311,8 @@ NTSTATUS WINAPI TargetNtSetInformationFile(
   if (STATUS_ACCESS_DENIED != status)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtSetInformationFile");
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
@@ -343,6 +374,7 @@ NTSTATUS WINAPI TargetNtSetInformationFile(
       break;
 
     status = answer.nt_status;
+    mozilla::sandboxing::LogAllowed("NtSetInformationFile");
   } while (false);
 
   return status;

security/sandbox/win/src/handle_interception.cc

@@ -10,6 +10,7 @@
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace sandbox {
 
@@ -34,10 +35,12 @@ ResultCode DuplicateHandleProxy(HANDLE source_handle,
 
   if (answer.win32_result) {
     ::SetLastError(answer.win32_result);
+    mozilla::sandboxing::LogBlocked("DuplicateHandle");
     return SBOX_ERROR_GENERIC;
   }
 
   *target_handle = answer.handle;
+  mozilla::sandboxing::LogAllowed("DuplicateHandle");
   return SBOX_ALL_OK;
 }
 

security/sandbox/win/src/named_pipe_interception.cc

@@ -12,6 +12,7 @@
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace sandbox {
 
@@ -27,6 +28,8 @@ HANDLE WINAPI TargetCreateNamedPipeW(
   if (INVALID_HANDLE_VALUE != pipe)
     return pipe;
 
+  mozilla::sandboxing::LogBlocked("CreateNamedPipeW", pipe_name);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return INVALID_HANDLE_VALUE;
@@ -62,6 +65,7 @@ HANDLE WINAPI TargetCreateNamedPipeW(
     if (ERROR_SUCCESS != answer.win32_result)
       return INVALID_HANDLE_VALUE;
 
+    mozilla::sandboxing::LogAllowed("CreateNamedPipeW", pipe_name);
     return answer.handle;
   } while (false);
 

security/sandbox/win/src/process_thread_interception.cc

@@ -12,6 +12,7 @@
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace sandbox {
 
@@ -28,6 +29,7 @@ NTSTATUS WINAPI TargetNtOpenThread(NtOpenThreadFunction orig_OpenThread,
   if (NT_SUCCESS(status))
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtOpenThread");
   do {
     if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
       break;
@@ -93,6 +95,7 @@ NTSTATUS WINAPI TargetNtOpenThread(NtOpenThreadFunction orig_OpenThread,
       break;
     }
 
+    mozilla::sandboxing::LogAllowed("NtOpenThread");
     return answer.nt_status;
   } while (false);
 
@@ -177,6 +180,7 @@ NTSTATUS WINAPI TargetNtOpenProcessToken(
   if (NT_SUCCESS(status))
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtOpenProcessToken");
   do {
     if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
       break;
@@ -208,6 +212,7 @@ NTSTATUS WINAPI TargetNtOpenProcessToken(
       break;
     }
 
+    mozilla::sandboxing::LogAllowed("NtOpenProcessToken");
     return answer.nt_status;
   } while (false);
 
@@ -222,6 +227,7 @@ NTSTATUS WINAPI TargetNtOpenProcessTokenEx(
   if (NT_SUCCESS(status))
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtOpenProcessTokenEx");
   do {
     if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
       break;
@@ -253,6 +259,7 @@ NTSTATUS WINAPI TargetNtOpenProcessTokenEx(
       break;
     }
 
+    mozilla::sandboxing::LogAllowed("NtOpenProcessTokenEx");
     return answer.nt_status;
   } while (false);
 
@@ -274,6 +281,8 @@ BOOL WINAPI TargetCreateProcessW(CreateProcessWFunction orig_CreateProcessW,
     return TRUE;
   }
 
+  mozilla::sandboxing::LogBlocked("CreateProcessW", application_name);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return FALSE;
@@ -311,6 +320,7 @@ BOOL WINAPI TargetCreateProcessW(CreateProcessWFunction orig_CreateProcessW,
     if (ERROR_SUCCESS != answer.win32_result)
       return FALSE;
 
+    mozilla::sandboxing::LogAllowed("CreateProcessW", application_name);
     return TRUE;
   } while (false);
 
@@ -333,6 +343,8 @@ BOOL WINAPI TargetCreateProcessA(CreateProcessAFunction orig_CreateProcessA,
     return TRUE;
   }
 
+  mozilla::sandboxing::LogBlocked("CreateProcessA", application_name);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return FALSE;
@@ -393,6 +405,7 @@ BOOL WINAPI TargetCreateProcessA(CreateProcessAFunction orig_CreateProcessA,
     if (ERROR_SUCCESS != answer.win32_result)
       return FALSE;
 
+    mozilla::sandboxing::LogAllowed("CreateProcessA", application_name);
     return TRUE;
   } while (false);
 

security/sandbox/win/src/registry_interception.cc

@@ -10,6 +10,7 @@
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace sandbox {
 
@@ -25,6 +26,12 @@ NTSTATUS WINAPI TargetNtCreateKey(NtCreateKeyFunction orig_CreateKey,
   if (NT_SUCCESS(status))
     return status;
 
+  if (STATUS_OBJECT_NAME_NOT_FOUND != status) {
+    mozilla::sandboxing::LogBlocked("NtCreateKey",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
+  }
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
@@ -87,6 +94,9 @@ NTSTATUS WINAPI TargetNtCreateKey(NtCreateKeyFunction orig_CreateKey,
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
+    mozilla::sandboxing::LogAllowed("NtCreateKey",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   return status;
@@ -140,6 +150,9 @@ NTSTATUS WINAPI CommonNtOpenKey(NTSTATUS status, PHANDLE key,
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
+    mozilla::sandboxing::LogAllowed("NtOpenKey[Ex]",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   return status;
@@ -153,6 +166,12 @@ NTSTATUS WINAPI TargetNtOpenKey(NtOpenKeyFunction orig_OpenKey, PHANDLE key,
   if (NT_SUCCESS(status))
     return status;
 
+  if (STATUS_OBJECT_NAME_NOT_FOUND != status) {
+    mozilla::sandboxing::LogBlocked("NtOpenKey",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
+  }
+
   return CommonNtOpenKey(status, key, desired_access, object_attributes);
 }
 
@@ -170,6 +189,12 @@ NTSTATUS WINAPI TargetNtOpenKeyEx(NtOpenKeyExFunction orig_OpenKeyEx,
   if (NT_SUCCESS(status) || open_options != 0)
     return status;
 
+  if (STATUS_OBJECT_NAME_NOT_FOUND != status) {
+    mozilla::sandboxing::LogBlocked("NtOpenKeyEx",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
+  }
+
   return CommonNtOpenKey(status, key, desired_access, object_attributes);
 }
 

security/sandbox/win/src/sync_interception.cc

@@ -12,6 +12,7 @@
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace sandbox {
 
@@ -62,6 +63,10 @@ NTSTATUS WINAPI TargetNtCreateEvent(NtCreateEventFunction orig_CreateEvent,
   if (status != STATUS_ACCESS_DENIED || !object_attributes)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtCreatEvent",
+                                  object_attributes->ObjectName->Buffer,
+                                  object_attributes->ObjectName->Length);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
@@ -101,6 +106,9 @@ NTSTATUS WINAPI TargetNtCreateEvent(NtCreateEventFunction orig_CreateEvent,
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
+    mozilla::sandboxing::LogAllowed("NtCreateEvent",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   return status;
@@ -115,6 +123,10 @@ NTSTATUS WINAPI TargetNtOpenEvent(NtOpenEventFunction orig_OpenEvent,
   if (status != STATUS_ACCESS_DENIED || !object_attributes)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtOpenEvent",
+                                  object_attributes->ObjectName->Buffer,
+                                  object_attributes->ObjectName->Length);
+  //
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
@@ -153,6 +165,9 @@ NTSTATUS WINAPI TargetNtOpenEvent(NtOpenEventFunction orig_OpenEvent,
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
+    mozilla::sandboxing::LogAllowed("NtOpenEvent",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   return status;