author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2021-03-12 09:13:00 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2021-03-16 09:58:26 +0000 |
commit | 03561cae90f1d99b5c54b1ef3be69f10e882b25e (patch) | |
tree | cc5f0958e823c044e7ae51cc0117fe51432abe5e /chromium/sandbox | |
parent | fa98118a45f7e169f8846086dc2c22c49a8ba310 (diff) | |
download | qtwebengine-chromium-03561cae90f1d99b5c54b1ef3be69f10e882b25e.tar.gz |
BASELINE: Update Chromium to 88.0.4324.208
Change-Id: I3ae87d23e4eff4b4a469685658740a213600c667
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/sandbox')
43 files changed, 343 insertions, 120 deletions
diff --git a/chromium/sandbox/BUILD.gn b/chromium/sandbox/BUILD.gn index fff8f927aa3..5bfd4d5aef9 100644 --- a/chromium/sandbox/BUILD.gn +++ b/chromium/sandbox/BUILD.gn @@ -46,7 +46,6 @@ buildflag_header("sandbox_buildflags") { # Although the code is Windows-based, the fuzzer is designed to work on Linux, # so do not disable this fuzzer on non-Windows platforms. fuzzer_test("sandbox_ipc_fuzzer") { - set_sources_assignment_filter([]) sources = [ "win/fuzzer/fuzzer_types.h", "win/fuzzer/sandbox_ipc_fuzzer.cc", diff --git a/chromium/sandbox/DIR_METADATA b/chromium/sandbox/DIR_METADATA new file mode 100644 index 00000000000..12ec3393f96 --- /dev/null +++ b/chromium/sandbox/DIR_METADATA @@ -0,0 +1,12 @@ +# Metadata information for this directory. +# +# For more information on DIR_METADATA files, see: +# https://source.chromium.org/chromium/infra/infra/+/master:go/src/infra/tools/dirmd/README.md +# +# For the schema of this file, see Metadata message: +# https://source.chromium.org/chromium/infra/infra/+/master:go/src/infra/tools/dirmd/proto/dir_metadata.proto + +monorail { + component: "Internals>Sandbox" +} +team_email: "security-dev@chromium.org"
\ No newline at end of file diff --git a/chromium/sandbox/OWNERS b/chromium/sandbox/OWNERS index a52767f0e7f..f10fedc1c19 100644 --- a/chromium/sandbox/OWNERS +++ b/chromium/sandbox/OWNERS @@ -4,6 +4,3 @@ palmer@chromium.org rsesek@chromium.org tsepez@chromium.org wfh@chromium.org - -# TEAM: security-dev@chromium.org -# COMPONENT: Internals>Sandbox diff --git a/chromium/sandbox/linux/BUILD.gn b/chromium/sandbox/linux/BUILD.gn index 4fd639fd0fa..e9a94b46125 100644 --- a/chromium/sandbox/linux/BUILD.gn +++ b/chromium/sandbox/linux/BUILD.gn @@ -11,13 +11,6 @@ if (is_android) { import("//build/config/android/rules.gni") } -# This file depends on the legacy global sources assignment filter. It should -# be converted to check target platform before assigning source files to the -# sources variable. Remove this import and set_sources_assignment_filter call -# when the file has been converted. See https://crbug.com/1018739 for details. -import("//build/config/deprecated_default_sources_assignment_filter.gni") -set_sources_assignment_filter(deprecated_default_sources_assignment_filter) - declare_args() { compile_suid_client = is_linux || is_chromeos @@ -117,6 +110,7 @@ source_set("sandbox_linux_unittests_sources") { ":sandbox_linux_test_utils", "//base", "//base/third_party/dynamic_annotations", + "//build:chromeos_buildflags", "//testing/gtest", ] @@ -232,8 +226,6 @@ component("seccomp_bpf") { "bpf_dsl/trap_registry.h", "seccomp-bpf-helpers/baseline_policy.cc", "seccomp-bpf-helpers/baseline_policy.h", - "seccomp-bpf-helpers/baseline_policy_android.cc", - "seccomp-bpf-helpers/baseline_policy_android.h", "seccomp-bpf-helpers/sigsys_handlers.cc", "seccomp-bpf-helpers/sigsys_handlers.h", "seccomp-bpf-helpers/syscall_parameters_restrictions.cc", 
@@ -259,9 +251,17 @@ component("seccomp_bpf") { ":sandbox_services", "//base", "//base/third_party/dynamic_annotations", + "//build:chromeos_buildflags", "//sandbox:sandbox_buildflags", ] + if (is_android) { + sources += [ + "seccomp-bpf-helpers/baseline_policy_android.cc", + "seccomp-bpf-helpers/baseline_policy_android.h", + ] + } + if (is_nacl_nonsfi) { cflags = [ "-fgnu-inline-asm" ] sources -= [ @@ -434,6 +434,7 @@ source_set("sandbox_services_headers") { "system_headers/linux_filter.h", "system_headers/linux_futex.h", "system_headers/linux_prctl.h", + "system_headers/linux_ptrace.h", "system_headers/linux_seccomp.h", "system_headers/linux_signal.h", "system_headers/linux_syscalls.h", diff --git a/chromium/sandbox/linux/OWNERS b/chromium/sandbox/linux/OWNERS index e9a367b47e1..4f998b081a0 100644 --- a/chromium/sandbox/linux/OWNERS +++ b/chromium/sandbox/linux/OWNERS @@ -2,6 +2,3 @@ jorgelo@chromium.org mpdenton@chromium.org palmer@chromium.org rsesek@chromium.org - -# TEAM: security-dev@chromium.org -# COMPONENT: Internals>Sandbox diff --git a/chromium/sandbox/linux/integration_tests/bpf_dsl_seccomp_unittest.cc b/chromium/sandbox/linux/integration_tests/bpf_dsl_seccomp_unittest.cc index ad607c61c71..bc03be124b7 100644 --- a/chromium/sandbox/linux/integration_tests/bpf_dsl_seccomp_unittest.cc +++ b/chromium/sandbox/linux/integration_tests/bpf_dsl_seccomp_unittest.cc @@ -32,6 +32,7 @@ #include "base/system/sys_info.h" #include "base/threading/thread.h" #include "build/build_config.h" +#include "build/chromeos_buildflags.h" #include "sandbox/linux/bpf_dsl/bpf_dsl.h" #include "sandbox/linux/bpf_dsl/errorcode.h" #include "sandbox/linux/bpf_dsl/linux_syscall_ranges.h" 
@@ -2143,7 +2144,7 @@ SANDBOX_TEST(SandboxBPF, Tsync) { const bool supports_multi_threaded = SandboxBPF::SupportsSeccompSandbox( SandboxBPF::SeccompLevel::MULTI_THREADED); // On Chrome OS tsync is mandatory. -#if defined(OS_CHROMEOS) +#if BUILDFLAG(IS_CHROMEOS_ASH) if (base::SysInfo::IsRunningOnChromeOS()) { BPF_ASSERT_EQ(true, supports_multi_threaded); } diff --git a/chromium/sandbox/linux/integration_tests/seccomp_broker_process_unittest.cc b/chromium/sandbox/linux/integration_tests/seccomp_broker_process_unittest.cc index fd6cd00bc67..9da9c689114 100644 --- a/chromium/sandbox/linux/integration_tests/seccomp_broker_process_unittest.cc +++ b/chromium/sandbox/linux/integration_tests/seccomp_broker_process_unittest.cc @@ -21,7 +21,7 @@ #include "base/logging.h" #include "base/macros.h" #include "base/posix/eintr_wrapper.h" -#include "base/test/bind_test_util.h" +#include "base/test/bind.h" #include "build/build_config.h" #include "sandbox/linux/bpf_dsl/bpf_dsl.h" #include "sandbox/linux/bpf_dsl/policy.h" diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc index 64ec1ce0bd2..01c046dda28 100644 --- a/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc +++ b/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc @@ -30,6 +30,7 @@ #include "base/posix/eintr_wrapper.h" #include "base/threading/thread.h" #include "build/build_config.h" +#include "build/chromeos_buildflags.h" #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" #include "sandbox/linux/seccomp-bpf/bpf_tests.h" #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" 
@@ -307,7 +308,7 @@ TEST_BASELINE_SIGSYS(__NR_inotify_init) TEST_BASELINE_SIGSYS(__NR_vserver) #endif -#if defined(LIBC_GLIBC) && !defined(OS_CHROMEOS) +#if defined(LIBC_GLIBC) && !BUILDFLAG(IS_CHROMEOS_ASH) BPF_TEST_C(BaselinePolicy, FutexEINVAL, BaselinePolicy) { int ops[] = { FUTEX_CMP_REQUEUE_PI, FUTEX_CMP_REQUEUE_PI_PRIVATE, @@ -344,7 +345,7 @@ BPF_DEATH_TEST_C(BaselinePolicy, syscall(__NR_futex, nullptr, FUTEX_UNLOCK_PI_PRIVATE, 0, nullptr, nullptr, 0); _exit(1); } -#endif // defined(LIBC_GLIBC) && !defined(OS_CHROMEOS) +#endif // defined(LIBC_GLIBC) && !BUILDFLAG(IS_CHROMEOS_ASH) BPF_TEST_C(BaselinePolicy, PrctlDumpable, BaselinePolicy) { const int is_dumpable = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0); diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc index a1002483d78..2a97d3916c8 100644 --- a/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc +++ b/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc @@ -23,12 +23,14 @@ #include "base/notreached.h" #include "base/synchronization/synchronization_buildflags.h" #include "build/build_config.h" +#include "build/chromeos_buildflags.h" #include "sandbox/linux/bpf_dsl/bpf_dsl.h" #include "sandbox/linux/bpf_dsl/seccomp_macros.h" #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h" #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" #include "sandbox/linux/system_headers/linux_futex.h" #include "sandbox/linux/system_headers/linux_prctl.h" +#include "sandbox/linux/system_headers/linux_ptrace.h" #include "sandbox/linux/system_headers/linux_syscalls.h" #include "sandbox/linux/system_headers/linux_time.h" 
@@ -36,8 +38,9 @@
 #if !defined(OS_NACL_NONSFI)
 #include <sys/ioctl.h>
 #include <sys/ptrace.h>
-#if defined(OS_LINUX) && !defined(OS_CHROMEOS) && !defined(__arm__) && \
- !defined(__aarch64__) && !defined(PTRACE_GET_THREAD_AREA)
+#if (defined(OS_LINUX) || BUILDFLAG(IS_CHROMEOS_LACROS)) && \
+ !defined(__arm__) && !defined(__aarch64__) && \
+ !defined(PTRACE_GET_THREAD_AREA)
 // Also include asm/ptrace-abi.h since ptrace.h in older libc (for instance
 // the one in Ubuntu 16.04 LTS) is missing PTRACE_GET_THREAD_AREA.
 // asm/ptrace-abi.h doesn't exist on arm32 and PTRACE_GET_THREAD_AREA isn't
@@ -100,7 +103,7 @@ inline bool IsArchitectureMips() {
 // to allow those futex(2) calls to fail with EINVAL, instead of crashing the
 // process. See crbug.com/598471.
 inline bool IsBuggyGlibcSemPost() {
-#if defined(LIBC_GLIBC) && !defined(OS_CHROMEOS)
+#if defined(LIBC_GLIBC) && !BUILDFLAG(IS_CHROMEOS_ASH)
 return true;
 #else
 return false;
@@ -405,20 +408,26 @@ ResultExpr RestrictPrlimitToGetrlimit(pid_t target_pid) {
 #if !defined(OS_NACL_NONSFI)
 ResultExpr RestrictPtrace() {
 const Arg<int> request(0);
- return Switch(request).CASES((
+#if defined(__aarch64__)
+ const Arg<uintptr_t> addr(2);
+#endif
+ return Switch(request)
+ .CASES((
 #if !defined(__aarch64__)
- PTRACE_GETREGS,
- PTRACE_GETFPREGS,
- PTRACE_GET_THREAD_AREA,
+ PTRACE_GETREGS, PTRACE_GETFPREGS, PTRACE_GET_THREAD_AREA,
+ PTRACE_GETREGSET,
 #endif
 #if defined(__arm__)
- PTRACE_GETVFPREGS,
+ PTRACE_GETVFPREGS,
+#endif
+ PTRACE_PEEKDATA, PTRACE_ATTACH, PTRACE_DETACH),
+ Allow())
+#if defined(__aarch64__)
+ .Case(
+ PTRACE_GETREGSET,
+ If(AllOf(addr != NT_ARM_PACA_KEYS, addr != NT_ARM_PACG_KEYS), Allow())
+ .Else(CrashSIGSYSPtrace()))
 #endif
- PTRACE_GETREGSET,
- PTRACE_PEEKDATA,
- PTRACE_ATTACH,
- PTRACE_DETACH),
- Allow())
 .Default(CrashSIGSYSPtrace());
 }
 #endif // defined(OS_NACL_NONSFI)
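Review bot: The aarch64 branch of RestrictPtrace() rejects PTRACE_GETREGSET for NT_ARM_PACA_KEYS and NT_ARM_PACG_KEYS without a word on why, and the `addr` argument being compared is ptrace's regset-type slot rather than a memory address, which the name invites a later reader to misread. A comment above the `.Case(PTRACE_GETREGSET, ...)` would keep the intent with the code: `// For PTRACE_GETREGSET argument 2 is the NT_* regset type, not an address. The PAC key regsets are refused because (presumably) a process that can read a ptrace-able peer's pointer-authentication keys could forge PAC-signed pointers for it; every other regset keeps the previous Allow().` The non-aarch64 list still allows PTRACE_GETREGSET unconditionally, which is consistent with PAC being arm64-only, but a one-line note there would stop the asymmetry from looking accidental. RestrictPtrace() is fully visible in this hunk.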
diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc index b6c8c637746..4bbfc7e53b6 100644 --- a/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc +++ b/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc @@ -32,6 +32,7 @@ #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" #include "sandbox/linux/seccomp-bpf/syscall.h" #include "sandbox/linux/services/syscall_wrappers.h" +#include "sandbox/linux/system_headers/linux_ptrace.h" #include "sandbox/linux/system_headers/linux_syscalls.h" #include "sandbox/linux/system_headers/linux_time.h" #include "sandbox/linux/tests/unit_tests.h" @@ -341,6 +342,36 @@ BPF_DEATH_TEST_C( &iov); } +#if defined(__aarch64__) +BPF_DEATH_TEST_C( + ParameterRestrictions, + ptrace_getregs_nt_arm_paca_keys_blocked, + DEATH_SEGV_MESSAGE(sandbox::GetPtraceErrorMessageContentForTests()), + RestrictPtracePolicy) { + user_regs_struct regs{}; + iovec iov; + iov.iov_base = ®s; + iov.iov_len = sizeof(regs); + errno = 0; + ptrace(PTRACE_GETREGSET, getpid(), reinterpret_cast<void*>(NT_ARM_PACA_KEYS), + &iov); +} + +BPF_DEATH_TEST_C( + ParameterRestrictions, + ptrace_getregs_nt_arm_pacg_keys_blocked, + DEATH_SEGV_MESSAGE(sandbox::GetPtraceErrorMessageContentForTests()), + RestrictPtracePolicy) { + user_regs_struct regs{}; + iovec iov; + iov.iov_base = ®s; + iov.iov_len = sizeof(regs); + errno = 0; + ptrace(PTRACE_GETREGSET, getpid(), reinterpret_cast<void*>(NT_ARM_PACG_KEYS), + &iov); +} +#endif + } // namespace } // namespace sandbox diff --git a/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc b/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc index 3d7bc172f79..85bbe65748a 100644 --- a/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc +++ b/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc 
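Review bot: Both new death tests cover only the blocked regsets; nothing in this hunk checks that PTRACE_GETREGSET with an ordinary regset such as NT_PRSTATUS is still allowed on aarch64 after the policy change, so a mistake in the AllOf condition that crashed on every regset would pass these tests (unless a test above the hunk, outside the visible lines, already exercises the allowed path). A companion `BPF_TEST_C(ParameterRestrictions, ptrace_getregset_nt_prstatus_allowed, RestrictPtracePolicy)` issuing the same call with NT_PRSTATUS and asserting that it returns -1 with an ordinary errno instead of raising SIGSYS would pin both halves of the rule. The `®s` on the `iov.iov_base` lines reads as an HTML-entity artifact of `&regs` in this rendering rather than a defect in the patch.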
@@ -145,7 +145,7 @@ bool SandboxBPF::SupportsSeccompSandbox(SeccompLevel level) {
 return false;
 }
-bool SandboxBPF::StartSandbox(SeccompLevel seccomp_level) {
+bool SandboxBPF::StartSandbox(SeccompLevel seccomp_level, bool enable_ibpb) {
 DCHECK(policy_);
 CHECK(seccomp_level == SeccompLevel::SINGLE_THREADED ||
 seccomp_level == SeccompLevel::MULTI_THREADED);
@@ -183,7 +183,7 @@ bool SandboxBPF::StartSandbox(SeccompLevel seccomp_level) {
 }
 // Install the filters.
- InstallFilter(seccomp_level == SeccompLevel::MULTI_THREADED);
+ InstallFilter(seccomp_level == SeccompLevel::MULTI_THREADED, enable_ibpb);
 return true;
 }
@@ -222,7 +222,7 @@ CodeGen::Program SandboxBPF::AssembleFilter() {
 return compiler.Compile();
 }
-void SandboxBPF::InstallFilter(bool must_sync_threads) {
+void SandboxBPF::InstallFilter(bool must_sync_threads, bool enable_ibpb) {
 // We want to be very careful in not imposing any requirements on the
 // policies that are set with SetSandboxPolicy(). This means, as soon as
 // the sandbox is active, we shouldn't be relying on libraries that could
@@ -267,7 +267,9 @@ void SandboxBPF::InstallFilter(bool must_sync_threads) {
 // opt-out SSBD when process is single-threaded and tsync is not necessary.
 } else if (KernelSupportSeccompSpecAllow()) {
 seccomp_filter_flags |= SECCOMP_FILTER_FLAG_SPEC_ALLOW;
- DisableIBSpec();
+ if (enable_ibpb) {
+ DisableIBSpec();
+ }
 #endif
 } else {
 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
diff --git a/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.h b/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.h
index eb64d978859..f62e37fdcbe 100644
--- a/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.h
+++ b/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.h
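Review bot: In InstallFilter() the new `if (enable_ibpb)` guard skips DisableIBSpec(), but `SECCOMP_FILTER_FLAG_SPEC_ALLOW` is still OR'd into seccomp_filter_flags on the line above, and the comment above that branch says it deliberately opts the process out of SSBD; so with enable_ibpb == false there is no speculation mitigation left for this process at all, which the parameter name does not convey. A comment at the guard would make the consequence explicit: `// SPEC_ALLOW already opted this process out of the kernel's own mitigations; DisableIBSpec() is the only one left, so skipping it leaves the process without any.` Consider also recording the skipped case once (a VLOG or a histogram) so devices that disable the mitigation are distinguishable in the field. InstallFilter() starts and ends outside these hunks.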
@@ -62,7 +62,11 @@ class SANDBOX_EXPORT SandboxBPF {
 // disallowed.
 // Finally, stacking does add more kernel overhead than having a single
 // combined policy. So, it should only be used if there are no alternatives.
- bool StartSandbox(SeccompLevel level) WARN_UNUSED_RESULT;
+ //
+ // |enable_ibpb| controls if the sandbox will forcibly enable indirect branch
+ // prediction barrier through prctl(2) to mitigate Spectre variant 2.
+ bool StartSandbox(SeccompLevel level,
+ bool enable_ibpb = true) WARN_UNUSED_RESULT;
 // The sandbox needs to be able to access files in "/proc/self/". If
 // this directory is not accessible when "StartSandbox()" gets called, the
@@ -100,7 +104,7 @@ class SANDBOX_EXPORT SandboxBPF {
 // Assembles and installs a filter based on the policy that has previously
 // been configured with SetSandboxPolicy().
- void InstallFilter(bool must_sync_threads);
+ void InstallFilter(bool must_sync_threads, bool enable_ibpb);
 // Disable indirect branch speculation by prctl. This will be done by
 // seccomp if SECCOMP_FILTER_FLAG_SPEC_ALLOW is not set. Seccomp will
diff --git a/chromium/sandbox/linux/services/scoped_process_unittest.cc b/chromium/sandbox/linux/services/scoped_process_unittest.cc
index 2498bd3682f..6e2df5fdceb 100644
--- a/chromium/sandbox/linux/services/scoped_process_unittest.cc
+++ b/chromium/sandbox/linux/services/scoped_process_unittest.cc
@@ -12,8 +12,8 @@
 #include <unistd.h>
 #include "base/bind.h"
-#include "base/bind_helpers.h"
 #include "base/callback.h"
+#include "base/callback_helpers.h"
 #include "base/check.h"
 #include "base/files/file_util.h"
 #include "base/files/scoped_file.h"
diff --git a/chromium/sandbox/linux/services/yama_unittests.cc b/chromium/sandbox/linux/services/yama_unittests.cc
index e693917c417..9f576abe2c1 100644
--- a/chromium/sandbox/linux/services/yama_unittests.cc
+++ b/chromium/sandbox/linux/services/yama_unittests.cc
@@ -10,7 +10,7 @@ #include <unistd.h> #include "base/bind.h" -#include "base/bind_helpers.h" +#include "base/callback_helpers.h" #include "base/compiler_specific.h" #include "base/posix/eintr_wrapper.h" #include "base/strings/string_util.h" diff --git a/chromium/sandbox/linux/syscall_broker/broker_simple_message_unittest.cc b/chromium/sandbox/linux/syscall_broker/broker_simple_message_unittest.cc index 721617db22c..43359fb2ab9 100644 --- a/chromium/sandbox/linux/syscall_broker/broker_simple_message_unittest.cc +++ b/chromium/sandbox/linux/syscall_broker/broker_simple_message_unittest.cc @@ -8,15 +8,15 @@ #include <unistd.h> #include "base/bind.h" -#include "base/bind_helpers.h" #include "base/callback_forward.h" +#include "base/callback_helpers.h" #include "base/files/scoped_file.h" #include "base/logging.h" #include "base/macros.h" #include "base/run_loop.h" #include "base/synchronization/waitable_event.h" #include "base/task/thread_pool.h" -#include "base/test/bind_test_util.h" +#include "base/test/bind.h" #include "base/test/task_environment.h" #include "base/test/test_timeouts.h" #include "base/threading/thread.h" diff --git a/chromium/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc b/chromium/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc index c452d1d02d6..4c22bc44b3c 100644 --- a/chromium/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc +++ b/chromium/sandbox/linux/syscall_broker/remote_syscall_arg_handler_unittest.cc @@ -10,13 +10,13 @@ #include <cstring> #include "base/bind.h" -#include "base/bind_helpers.h" #include "base/callback_forward.h" +#include "base/callback_helpers.h" #include "base/files/scoped_file.h" #include "base/macros.h" #include "base/posix/unix_domain_socket.h" #include "base/process/process_metrics.h" -#include "base/test/bind_test_util.h" +#include "base/test/bind.h" #include "sandbox/linux/tests/unit_tests.h" #include "testing/gtest/include/gtest/gtest.h" 
diff --git a/chromium/sandbox/linux/system_headers/linux_ptrace.h b/chromium/sandbox/linux/system_headers/linux_ptrace.h
new file mode 100644
index 00000000000..c7f47ac8fe6
--- /dev/null
+++ b/chromium/sandbox/linux/system_headers/linux_ptrace.h
@@ -0,0 +1,13 @@
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_PTRACE_H_
+#define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_PTRACE_H_
+
+#if !defined(NT_ARM_PACA_KEYS)
+#define NT_ARM_PACA_KEYS 0x407 /* Arm pointer authentication address keys */
+#define NT_ARM_PACG_KEYS 0x408 /* Arm pointer authentication generic key */
+#endif
+
+#endif // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_PTRACE_H_
diff --git a/chromium/sandbox/mac/OWNERS b/chromium/sandbox/mac/OWNERS
index 636437fd110..7a7568b080f 100644
--- a/chromium/sandbox/mac/OWNERS
+++ b/chromium/sandbox/mac/OWNERS
@@ -1,6 +1,3 @@
 kerrnel@chromium.org
 mark@chromium.org
 rsesek@chromium.org
-
-# TEAM: security-dev@chromium.org
-# COMPONENT: Internals>Sandbox
diff --git a/chromium/sandbox/mac/sandbox_mac_compiler_unittest.mm b/chromium/sandbox/mac/sandbox_mac_compiler_unittest.mm
index 87249e054e3..54866ab977c 100644
--- a/chromium/sandbox/mac/sandbox_mac_compiler_unittest.mm
+++ b/chromium/sandbox/mac/sandbox_mac_compiler_unittest.mm
@@ -7,7 +7,12 @@
 #include <sys/stat.h>
 #include <unistd.h>
+#include "base/files/file.h"
+#include "base/files/scoped_temp_dir.h"
+#include "base/mac/mac_util.h"
+#include "base/posix/eintr_wrapper.h"
 #include "base/process/kill.h"
+#include "base/strings/string_number_conversions.h"
 #include "base/test/multiprocess_test.h"
 #include "base/test/test_timeouts.h"
 #include "sandbox/mac/sandbox_compiler.h"
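Review bot: linux_ptrace.h puts both fallback definitions behind a single `#if !defined(NT_ARM_PACA_KEYS)`, so a toolchain whose elf headers define NT_ARM_PACA_KEYS but not NT_ARM_PACG_KEYS would leave the second name undefined and break the aarch64 branch of RestrictPtrace(), while a header that defines both with other values would silently take precedence over the constants the policy was written against. Guard each constant on its own and pin the values with a static_assert, since they are mirrored from the kernel's elf.h and the seccomp filter compares ptrace's regset argument against them, so any drift would turn a blocked regset into an allowed one. The rewrite below replaces the `#if !defined(NT_ARM_PACA_KEYS)` ... `#endif` group inside the include guard.
```cpp
#if !defined(NT_ARM_PACA_KEYS)
#define NT_ARM_PACA_KEYS 0x407 /* Arm pointer authentication address keys */
#endif
#if !defined(NT_ARM_PACG_KEYS)
#define NT_ARM_PACG_KEYS 0x408 /* Arm pointer authentication generic key */
#endif
// The seccomp ptrace policy compares the PTRACE_GETREGSET regset argument
// against these; keep them tied to the kernel ABI values.
static_assert(NT_ARM_PACA_KEYS == 0x407, "NT_ARM_PACA_KEYS must match the kernel ABI");
static_assert(NT_ARM_PACG_KEYS == 0x408, "NT_ARM_PACG_KEYS must match the kernel ABI");
```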
@@ -183,4 +188,67 @@ TEST_F(SandboxMacCompilerTest, SandboxCheckTest) { EXPECT_EQ(exit_code, 0); } +MULTIPROCESS_TEST_MAIN(Ftruncate) { + std::string profile = "(version 1)" + "(deny default (with no-log))"; + SandboxCompiler compiler(profile); + std::string error; + CHECK(compiler.CompileAndApplyProfile(&error)) << error; + + std::unique_ptr<base::Environment> env = base::Environment::Create(); + + std::string fd_string; + CHECK(env->GetVar("FD_TO_TRUNCATE", &fd_string)); + + int fd; + CHECK(base::StringToInt(fd_string, &fd)); + + const char kTestBuf[] = "hello"; + CHECK_EQ(static_cast<ssize_t>(strlen(kTestBuf)), + HANDLE_EINTR(write(fd, kTestBuf, strlen(kTestBuf)))); + + return ftruncate(fd, 0) == 0 ? 0 : 15; +} + +// Tests ftruncate() behavior on an inherited, open, writable FD. Prior to +// macOS 10.15, the sandbox did not permit ftruncate (but it did permit regular +// writing) on such FDs. This verifies the behavior before, on, and after macOS +// 10.15. See https://crbug.com/1084565 for details. 
+TEST_F(SandboxMacCompilerTest, Ftruncate) { + base::ScopedTempDir temp_dir; + ASSERT_TRUE(temp_dir.CreateUniqueTempDir()); + + base::File file( + temp_dir.GetPath().Append("file.txt"), + base::File::FLAG_CREATE | base::File::FLAG_READ | base::File::FLAG_WRITE); + ASSERT_TRUE(file.IsValid()); + + const std::string contents = + "Wouldn't it be nice to be able to use ftruncate?\n"; + EXPECT_EQ(static_cast<int>(contents.length()), + file.WriteAtCurrentPos(contents.data(), contents.length())); + EXPECT_EQ(static_cast<int64_t>(contents.length()), file.GetLength()); + + base::PlatformFile fd = file.GetPlatformFile(); + + base::LaunchOptions options; + options.fds_to_remap.emplace_back(fd, fd); + options.environment["FD_TO_TRUNCATE"] = base::NumberToString(fd); + + base::Process process = SpawnChildWithOptions("Ftruncate", options); + ASSERT_TRUE(process.IsValid()); + + int exit_code = 42; + EXPECT_TRUE(process.WaitForExitWithTimeout(TestTimeouts::action_max_timeout(), + &exit_code)); + + if (base::mac::IsAtLeastOS10_15()) { + EXPECT_EQ(0, exit_code); + EXPECT_EQ(0, file.GetLength()); + } else { + EXPECT_EQ(15, exit_code); + EXPECT_GT(file.GetLength(), static_cast<int64_t>(contents.length())); + } +} + } // namespace sandbox diff --git a/chromium/sandbox/policy/BUILD.gn b/chromium/sandbox/policy/BUILD.gn index ccb1bd1fd8d..ce756af562b 100644 --- a/chromium/sandbox/policy/BUILD.gn +++ b/chromium/sandbox/policy/BUILD.gn @@ -4,6 +4,7 @@ import("//build/buildflag_header.gni") import("//build/config/chromecast_build.gni") +import("//build/config/chromeos/ui_mode.gni") import("//build/config/sanitizers/sanitizers.gni") import("//testing/test.gni") @@ -24,6 +25,7 @@ component("policy") { deps = [ ":sanitizer_buildflags", "//base", + "//build:chromeos_buildflags", "//sandbox:common", ] public_deps = [] 
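Review bot: The pre-10.15 branch of the Ftruncate test asserts only `EXPECT_GT(file.GetLength(), contents.length())`, although the child wrote exactly `kTestBuf` ("hello", 5 bytes) through the shared file position, so the length is fully determined and `EXPECT_EQ(static_cast<int64_t>(contents.length() + strlen("hello")), file.GetLength());` would also catch a child that wrote more than expected or truncated to a non-zero size. The child uses `base::Environment::Create()` but the includes hunk for this file does not add `base/environment.h`; it may arrive transitively through an existing include, so this is worth a quick check rather than a blocker. The 15 and 42 exit-code sentinels are fine but deserve a short comment naming which outcome each encodes.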
@@ -76,7 +78,7 @@ component("policy") { "//sandbox/linux:suid_sandbox_client", ] } - if (is_chromeos) { + if (is_chromeos_ash) { sources += [ "linux/bpf_ime_policy_linux.cc", "linux/bpf_ime_policy_linux.h", @@ -126,6 +128,7 @@ component("policy") { "//third_party/fuchsia-sdk/sdk/fidl/fuchsia.intl", "//third_party/fuchsia-sdk/sdk/fidl/fuchsia.logger", "//third_party/fuchsia-sdk/sdk/fidl/fuchsia.mediacodec", + "//third_party/fuchsia-sdk/sdk/fidl/fuchsia.memorypressure", "//third_party/fuchsia-sdk/sdk/fidl/fuchsia.net", "//third_party/fuchsia-sdk/sdk/fidl/fuchsia.netstack", "//third_party/fuchsia-sdk/sdk/fidl/fuchsia.sysmem", diff --git a/chromium/sandbox/policy/OWNERS b/chromium/sandbox/policy/OWNERS index e02183bdf41..70554b270ab 100644 --- a/chromium/sandbox/policy/OWNERS +++ b/chromium/sandbox/policy/OWNERS @@ -1,4 +1,2 @@ set noparent file://sandbox/OWNERS -# COMPONENT: Internals>Sandbox -# TEAM: security-dev@chromium.org diff --git a/chromium/sandbox/policy/features.cc b/chromium/sandbox/policy/features.cc index bbb78b3b23d..3badc333834 100644 --- a/chromium/sandbox/policy/features.cc +++ b/chromium/sandbox/policy/features.cc @@ -5,6 +5,7 @@ #include "sandbox/policy/features.h" #include "build/build_config.h" +#include "build/chromeos_buildflags.h" namespace sandbox { namespace policy { 
@@ -36,6 +37,20 @@ const base::Feature kGpuLPAC{"GpuLPAC", base::FEATURE_ENABLED_BY_DEFAULT}; const base::Feature kXRSandbox{"XRSandbox", base::FEATURE_ENABLED_BY_DEFAULT}; #endif // !defined(OS_ANDROID) +#if BUILDFLAG(IS_CHROMEOS_ASH) +// Controls whether the Spectre variant 2 mitigation is enabled. We use a USE +// flag on some Chrome OS boards to disable the mitigation by disabling this +// feature in exchange for system performance. +const base::Feature kSpectreVariant2Mitigation{ + "SpectreVariant2Mitigation", base::FEATURE_ENABLED_BY_DEFAULT}; + +// An override for the Spectre variant 2 default behavior. Security sensitive +// users can enable this feature to ensure that the mitigation is always +// enabled. +const base::Feature kForceSpectreVariant2Mitigation{ + "ForceSpectreVariant2Mitigation", base::FEATURE_DISABLED_BY_DEFAULT}; +#endif // BUILDFLAG(IS_CHROMEOS_ASH) + } // namespace features } // namespace policy } // namespace sandbox diff --git a/chromium/sandbox/policy/features.h b/chromium/sandbox/policy/features.h index cc9b5e68162..979f003b46e 100644 --- a/chromium/sandbox/policy/features.h +++ b/chromium/sandbox/policy/features.h @@ -10,6 +10,7 @@ #include "base/feature_list.h" #include "build/build_config.h" +#include "build/chromeos_buildflags.h" #include "sandbox/policy/export.h" namespace sandbox { @@ -30,6 +31,12 @@ SANDBOX_POLICY_EXPORT extern const base::Feature kGpuLPAC; SANDBOX_POLICY_EXPORT extern const base::Feature kXRSandbox; #endif // !defined(OS_ANDROID) +#if BUILDFLAG(IS_CHROMEOS_ASH) +SANDBOX_POLICY_EXPORT extern const base::Feature kSpectreVariant2Mitigation; +SANDBOX_POLICY_EXPORT extern const base::Feature + kForceSpectreVariant2Mitigation; +#endif // BUILDFLAG(IS_CHROMEOS_ASH) + } // namespace features } // namespace policy } // namespace sandbox diff --git a/chromium/sandbox/policy/fuchsia/sandbox_policy_fuchsia.cc b/chromium/sandbox/policy/fuchsia/sandbox_policy_fuchsia.cc index d3d3949bcba..68f413bd206 100644 
--- a/chromium/sandbox/policy/fuchsia/sandbox_policy_fuchsia.cc +++ b/chromium/sandbox/policy/fuchsia/sandbox_policy_fuchsia.cc @@ -14,6 +14,7 @@ #include <fuchsia/intl/cpp/fidl.h> #include <fuchsia/logger/cpp/fidl.h> #include <fuchsia/mediacodec/cpp/fidl.h> +#include <fuchsia/memorypressure/cpp/fidl.h> #include <fuchsia/net/cpp/fidl.h> #include <fuchsia/netstack/cpp/fidl.h> #include <fuchsia/sysmem/cpp/fidl.h> @@ -100,6 +101,7 @@ constexpr SandboxConfig kRendererConfig = { base::make_span((const char* const[]){ fuchsia::fonts::Provider::Name_, fuchsia::mediacodec::CodecFactory::Name_, + fuchsia::memorypressure::Provider::Name_, fuchsia::sysmem::Allocator::Name_, }), kAmbientMarkVmoAsExecutable, diff --git a/chromium/sandbox/policy/linux/bpf_cros_amd_gpu_policy_linux.cc b/chromium/sandbox/policy/linux/bpf_cros_amd_gpu_policy_linux.cc index 0506ef37d6b..4887d2779af 100644 --- a/chromium/sandbox/policy/linux/bpf_cros_amd_gpu_policy_linux.cc +++ b/chromium/sandbox/policy/linux/bpf_cros_amd_gpu_policy_linux.cc @@ -35,6 +35,7 @@ CrosAmdGpuProcessPolicy::~CrosAmdGpuProcessPolicy() {} ResultExpr CrosAmdGpuProcessPolicy::EvaluateSyscall(int sysno) const { switch (sysno) { case __NR_fstatfs: + case __NR_sched_setaffinity: case __NR_sched_setscheduler: case __NR_sysinfo: case __NR_uname: diff --git a/chromium/sandbox/policy/linux/bpf_gpu_policy_linux.cc b/chromium/sandbox/policy/linux/bpf_gpu_policy_linux.cc index 24081195c4a..829efee8bef 100644 --- a/chromium/sandbox/policy/linux/bpf_gpu_policy_linux.cc +++ b/chromium/sandbox/policy/linux/bpf_gpu_policy_linux.cc @@ -13,6 +13,7 @@ #include "base/compiler_specific.h" #include "base/macros.h" #include "build/build_config.h" +#include "build/chromeos_buildflags.h" #include "sandbox/linux/bpf_dsl/bpf_dsl.h" #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h" #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h" 
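Review bot: In bpf_cros_amd_gpu_policy_linux.cc `__NR_sched_setaffinity` is added to the case group that, judging by the neighbouring cases and the `return` that presumably follows outside the hunk, is allowed without argument checks; its first argument is a target pid, so the AMD GPU process could change the CPU affinity of any same-uid process rather than only its own threads. The TTS policy in this same commit routes sched_setscheduler through `RestrictSchedTarget(GetPolicyPid(), sysno)`, and if that helper also handles sched_setaffinity, `case __NR_sched_setaffinity: return RestrictSchedTarget(GetPolicyPid(), sysno);` would confine the call to pid 0 or the sandboxed process. If the driver genuinely needs to set affinity on other pids, a comment saying which ones and why would keep the next reviewer from tightening it. EvaluateSyscall() continues outside the hunk.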
@@ -41,10 +42,10 @@ ResultExpr GpuProcessPolicy::EvaluateSyscall(int sysno) const { switch (sysno) { case __NR_kcmp: return Error(ENOSYS); -#if !defined(OS_CHROMEOS) +#if !BUILDFLAG(IS_CHROMEOS_ASH) case __NR_fallocate: return Allow(); -#endif // defined(OS_CHROMEOS) +#endif // BUILDFLAG(IS_CHROMEOS_ASH) case __NR_fcntl: { // The Nvidia driver uses flags not in the baseline policy // fcntl(fd, F_ADD_SEALS, F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW) @@ -95,7 +96,7 @@ ResultExpr GpuProcessPolicy::EvaluateSyscall(int sysno) const { if (SyscallSets::IsEventFd(sysno)) return Allow(); -#if defined(OS_LINUX) && !defined(OS_CHROMEOS) && defined(USE_X11) +#if (defined(OS_LINUX) || BUILDFLAG(IS_CHROMEOS_LACROS)) && defined(USE_X11) if (SyscallSets::IsSystemVSharedMemory(sysno)) return Allow(); #endif diff --git a/chromium/sandbox/policy/linux/bpf_tts_policy_linux.cc b/chromium/sandbox/policy/linux/bpf_tts_policy_linux.cc index 07a80f18ad0..ccb495e53a2 100644 --- a/chromium/sandbox/policy/linux/bpf_tts_policy_linux.cc +++ b/chromium/sandbox/policy/linux/bpf_tts_policy_linux.cc @@ -26,6 +26,8 @@ TtsProcessPolicy::~TtsProcessPolicy() {} ResultExpr TtsProcessPolicy::EvaluateSyscall(int sysno) const { switch (sysno) { + case __NR_sysinfo: + return Allow(); case __NR_sched_setscheduler: return RestrictSchedTarget(GetPolicyPid(), sysno); default: diff --git a/chromium/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc b/chromium/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc index cf9bd192105..16a436b926f 100644 --- a/chromium/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc +++ b/chromium/sandbox/policy/linux/sandbox_seccomp_bpf_linux.cc @@ -18,6 +18,7 @@ #include "base/macros.h" #include "base/notreached.h" #include "build/build_config.h" +#include "build/chromeos_buildflags.h" #include "sandbox/linux/bpf_dsl/bpf_dsl.h" #include "sandbox/linux/bpf_dsl/trap_registry.h" #include "sandbox/policy/sandbox_type.h" 
@@ -52,10 +53,11 @@ #include "sandbox/policy/chromecast_sandbox_allowlist_buildflags.h" #endif // !defined(OS_NACL_NONSFI) -#if defined(OS_CHROMEOS) +#if BUILDFLAG(IS_CHROMEOS_ASH) +#include "sandbox/policy/features.h" #include "sandbox/policy/linux/bpf_ime_policy_linux.h" #include "sandbox/policy/linux/bpf_tts_policy_linux.h" -#endif // defined(OS_CHROMEOS) +#endif // BUILDFLAG(IS_CHROMEOS_ASH) using sandbox::bpf_dsl::Allow; using sandbox::bpf_dsl::ResultExpr; @@ -82,7 +84,7 @@ namespace { // in its dependencies. Make sure to not link things that are not needed. #if !defined(IN_NACL_HELPER) inline bool IsChromeOS() { -#if defined(OS_CHROMEOS) +#if BUILDFLAG(IS_CHROMEOS_ASH) return true; #else return false; @@ -181,12 +183,12 @@ std::unique_ptr<BPFBasePolicy> SandboxSeccompBPF::PolicyForSandboxType( return std::make_unique<SharingServiceProcessPolicy>(); case SandboxType::kSpeechRecognition: return std::make_unique<SpeechRecognitionProcessPolicy>(); -#if defined(OS_CHROMEOS) +#if BUILDFLAG(IS_CHROMEOS_ASH) case SandboxType::kIme: return std::make_unique<ImeProcessPolicy>(); case SandboxType::kTts: return std::make_unique<TtsProcessPolicy>(); -#endif // defined(OS_CHROMEOS) +#endif // BUILDFLAG(IS_CHROMEOS_ASH) case SandboxType::kZygoteIntermediateSandbox: case SandboxType::kNoSandbox: case SandboxType::kVideoCapture: @@ -227,10 +229,10 @@ void SandboxSeccompBPF::RunSandboxSanityChecks( CHECK_EQ(EPERM, errno); #endif // !defined(NDEBUG) } break; -#if defined(OS_CHROMEOS) +#if BUILDFLAG(IS_CHROMEOS_ASH) case SandboxType::kIme: case SandboxType::kTts: -#endif // defined(OS_CHROMEOS) +#endif // BUILDFLAG(IS_CHROMEOS_ASH) case SandboxType::kAudio: case SandboxType::kSharingService: case SandboxType::kSpeechRecognition: 
@@ -259,7 +261,14 @@ bool SandboxSeccompBPF::StartSandboxWithExternalPolicy( // doing so does not stop the sandbox. SandboxBPF sandbox(std::move(policy)); sandbox.SetProcFd(std::move(proc_fd)); - CHECK(sandbox.StartSandbox(seccomp_level)); + bool enable_ibpb = true; +#if BUILDFLAG(IS_CHROMEOS_ASH) + enable_ibpb = + base::FeatureList::IsEnabled( + features::kForceSpectreVariant2Mitigation) || + base::FeatureList::IsEnabled(features::kSpectreVariant2Mitigation); +#endif // BUILDFLAG(IS_CHROMEOS_ASH) + CHECK(sandbox.StartSandbox(seccomp_level, enable_ibpb)); return true; } #endif // BUILDFLAG(USE_SECCOMP_BPF) diff --git a/chromium/sandbox/policy/linux/sandbox_seccomp_bpf_linux.h b/chromium/sandbox/policy/linux/sandbox_seccomp_bpf_linux.h index 46a985e7fae..870d5c45cdb 100644 --- a/chromium/sandbox/policy/linux/sandbox_seccomp_bpf_linux.h +++ b/chromium/sandbox/policy/linux/sandbox_seccomp_bpf_linux.h @@ -26,8 +26,9 @@ namespace policy { class SANDBOX_POLICY_EXPORT SandboxSeccompBPF { public: struct Options { - bool use_amd_specific_policies = false; // For ChromiumOS. - bool use_intel_specific_policies = false; // For ChromiumOS. + bool use_amd_specific_policies = false; // For ChromiumOS. + bool use_intel_specific_policies = false; // For ChromiumOS. + bool use_nvidia_specific_policies = false; // For Linux. // Options for GPU's PreSandboxHook. bool accelerated_video_decode_enabled = false; diff --git a/chromium/sandbox/policy/mac/BUILD.gn b/chromium/sandbox/policy/mac/BUILD.gn index 373b7e0f7b0..bded685feec 100644 --- a/chromium/sandbox/policy/mac/BUILD.gn +++ b/chromium/sandbox/policy/mac/BUILD.gn @@ -2,7 +2,10 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. -action_foreach("package_sb_files") { +import("//build/config/python.gni") + +# TODO(crbug.com/1112471): Get this to run cleanly under Python 3. +python2_action_foreach("package_sb_files") { script = "package_sb_file.py" sources = [ "audio.sb", 
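Review bot: `enable_ibpb` is computed without a comment on what the flag changes inside `StartSandbox(seccomp_level, enable_ibpb)` or why Ash alone may turn it off; relaxing a Spectre v2 mitigation on a sandboxed process is a security-relevant downgrade, and a reader of this call site cannot tell whether `false` means the filter is installed without the kernel's IBPB side effect. Add, above `bool enable_ibpb = true;`, something like `// When false the seccomp filter is installed without forcing the kernel's Spectre v2 (IBPB) mitigation on this process; non-Ash builds always keep it on, Ash gates it on the two features below — confirm against SandboxBPF::StartSandbox.` It is also worth stating that because the two features are OR-ed, the mitigation is only dropped when both kForceSpectreVariant2Mitigation and kSpectreVariant2Mitigation are disabled. StartSandboxWithExternalPolicy begins outside the hunk.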
diff --git a/chromium/sandbox/policy/mac/gpu_v2.sb b/chromium/sandbox/policy/mac/gpu_v2.sb
index 4d7222c548d..1bb5edc34b0 100644
--- a/chromium/sandbox/policy/mac/gpu_v2.sb
+++ b/chromium/sandbox/policy/mac/gpu_v2.sb
@@ -4,6 +4,9 @@
 ; --- The contents of common.sb implicitly included here. ---
+(deny default (with partial-symbolication))
+(debug deny)
+
 ; Allow cf prefs to work.
 (allow user-preference-read)
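Review bot: `(debug deny)` and `(deny default (with partial-symbolication))` are added unconditionally at the top of the profile, yet they only serve the crash-on-unknown-denials investigation that the following hunk marks as temporary (crbug.com/1126350); `debug deny` makes every denial in the GPU process get logged, with symbolication, on all user machines regardless of the kill switch. Either move both lines under the `crash-on-unknown-denials` guard or tag them with the same TODO so they are removed together, e.g. `; TODO(https://crbug.com/1126350): Remove once the unknown-denial investigation is done.` Since common.sb is implicitly included first, confirm it does not already set `(deny default)`; if it does, this line only re-declares it to attach the symbolication modifier and the comment should say so.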
@@ -11,6 +14,44 @@
 (allow ipc-posix-shm)
+; TODO(https://crbug.com/1126350): Remove this after debugging. These blocks
+; enumerate known denials, while turning unknown denials into fatal crashes.
+(define crash-on-unknown-denials #f) ; Single-line kill switch.
+(if crash-on-unknown-denials
+ (begin
+ (deny mach-lookup (with no-report)
+ (global-name "com.apple.GameController.gamecontrollerd")
+ (global-name "com.apple.UsageTrackingAgent")
+ (global-name "com.apple.analyticsd")
+ (global-name "com.apple.diagnosticd")
+ (global-name "com.apple.pasteboard.1") ; For tests only.
+ (global-name "com.apple.systemstats.analysis") ; https://crbug.com/1135413
+ (global-name "com.apple.tccd.system")
+ )
+ (deny mach-lookup (with send-signal SIGABRT))
+ (deny iokit-open (with send-signal SIGTRAP))
+ ; Added in 10.14, but only needed on 10.15+. Partial compatibility
+ ; definition.
+ (unless (defined? 'path-ancestors) (define (path-ancestors x) (path x)))
+ (deny file-read* (with no-report)
+ (path (param "PARENT_DIR"))
+ (path (param "PWD"))
+ (path-ancestors (param "PARENT_DIR")) ; libxpc.dylib`_xpc_bundle_resolve_sync walks the dir tree.
+ (subpath "/Library/Apple")
+ (subpath "/Library/Application Support/CrashReporter")
+ (subpath "/usr/share/locale")
+ (subpath (user-homedir-path "/Library/Containers"))
+ )
+ (deny file-read* (with send-signal SIGFPE))
+ (deny file-write-data (with no-report)
+ ; CoreServicesInternal`prepareValuesForBitmap() calls getattrlist(), which
+ ; results for some reason in a file-write-data evaluation in the kernel.
+ (subpath (param bundle-path))
+ )
+ (deny file-write* (with send-signal SIGSYS))
+ )
+)
+
 ; Allow communication between the GPU process and the UI server.
 (allow mach-lookup (global-name "com.apple.bsd.dirhelper")
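Review bot: Once `crash-on-unknown-denials` is `#t`, every unlisted mach-lookup, iokit-open, file-read or file-write denial kills the GPU process with SIGABRT/SIGTRAP/SIGFPE/SIGSYS, so one missing allow rule on a new macOS build becomes a crash for every user, and because the switch is a constant inside the profile it cannot be limited to Canary/Dev or a feature. Consider feeding it from the browser like the other parameters in this block, e.g. `(define crash-on-unknown-denials (string=? (param "CRASH_ON_UNKNOWN_DENIALS") "TRUE"))`, assuming the profile compiler supplies that param the same way it does PARENT_DIR and PWD, so the crash mode can be enabled per channel. The pasteboard entry marked `; For tests only.` and the `~/Library/Containers` no-report exemption ship in the production profile; a sentence above the block stating that these entries only suppress reports and never grant access would stop readers from misreading them as allowances. The `path-ancestors` fallback to `path` on pre-10.14 also means ancestor-directory reads still hit the SIGFPE rule there, which the "Partial compatibility" comment should spell out.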
@@ -39,7 +80,10 @@ ; Needed for VideoToolbox H.264 SW and VP9 decoding - https://crbug.com/1113936 (if (>= os-version 1016) - (allow mach-lookup (global-name "com.apple.trustd.agent")) + (begin + (allow mach-lookup (global-name "com.apple.trustd.agent")) + (allow file-read* (path "/Library/Preferences/com.apple.security.plist")) + ) ) ; Needed for WebGL - https://crbug.com/75343 @@ -82,6 +126,7 @@ )) (allow sysctl-read + (sysctl-name "hw.busfrequency_max") (sysctl-name "hw.cachelinesize") (sysctl-name "hw.logicalcpu_max") (sysctl-name "hw.memsize") @@ -91,10 +136,14 @@ (allow file-read-data (path "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree") + (path "/System/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree") + (regex (user-homedir-path #"/Library/Preferences/(.*/)?com\.apple\.driver\..*\.plist")) (regex (user-homedir-path #"/Library/Preferences/ByHost/com.apple.AppleGVA.*")) ) (allow file-read* + (path (user-homedir-path "/Library/Preferences")) ; List contents of preference directories https://crbug.com/1126350#c14. + (path (user-homedir-path "/Library/Preferences/ByHost")) (subpath "/Library/GPUBundles") (subpath "/Library/Video/Plug-Ins") (subpath "/System/Library/ColorSync/Profiles") diff --git a/chromium/sandbox/policy/sandbox_type.cc b/chromium/sandbox/policy/sandbox_type.cc index c96b8713198..709aba87cf8 100644 --- a/chromium/sandbox/policy/sandbox_type.cc +++ b/chromium/sandbox/policy/sandbox_type.cc @@ -10,6 +10,7 @@ #include "base/feature_list.h" #include "base/logging.h" #include "base/notreached.h" +#include "build/chromeos_buildflags.h" #include "sandbox/policy/features.h" #include "sandbox/policy/switches.h" @@ -57,7 +58,7 @@ bool IsUnsandboxedSandboxType(SandboxType sandbox_type) { #if defined(OS_MAC) case SandboxType::kNaClLoader: #endif -#if defined(OS_CHROMEOS) +#if BUILDFLAG(IS_CHROMEOS_ASH) case SandboxType::kIme: case SandboxType::kTts: #endif 
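Review bot: `(allow file-read* (path (user-homedir-path "/Library/Preferences")) ...)` and the ByHost sibling let the GPU process enumerate the user's preference directories, whose file names reveal every installed application — a fingerprinting vector for a process that runs web-supplied GPU work — and the comment only says listing is needed for crbug.com/1126350#c14. If directory listing is all that is required, narrow these two entries from `file-read*` to `file-read-data` plus `file-read-metadata` (confirm from the denial log that no xattr read is involved) and name the component that does the listing in the comment. The new regex `#"/Library/Preferences/(.*/)?com\.apple\.driver\..*\.plist"` has no end anchor, so if the sandbox matcher is unanchored, as is usual, `\.plist$` would be the tighter form. The enclosing `(allow file-read* ...)` form continues outside the hunk.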
@@ -122,10 +123,10 @@ void SetCommandLineFlagsForSandboxType(base::CommandLine* command_line, case SandboxType::kIconReader: case SandboxType::kMediaFoundationCdm: #endif // defined(OS_WIN) -#if defined(OS_CHROMEOS) +#if BUILDFLAG(IS_CHROMEOS_ASH) case SandboxType::kIme: case SandboxType::kTts: -#endif // defined(OS_CHROMEOS) +#endif // BUILDFLAG(IS_CHROMEOS_ASH) #if !defined(OS_MAC) case SandboxType::kSharingService: #endif @@ -178,8 +179,6 @@ SandboxType SandboxTypeFromCommandLine(const base::CommandLine& command_line) { return SandboxType::kNoSandbox; return SandboxType::kGpu; } - if (process_type == switches::kPpapiBrokerProcess) - return SandboxType::kNoSandbox; if (process_type == switches::kPpapiPluginProcess) return SandboxType::kPpapi; @@ -248,12 +247,12 @@ std::string StringFromUtilitySandboxType(SandboxType sandbox_type) { case SandboxType::kMediaFoundationCdm: return switches::kMediaFoundationCdmSandbox; #endif // defined(OS_WIN) -#if defined(OS_CHROMEOS) +#if BUILDFLAG(IS_CHROMEOS_ASH) case SandboxType::kIme: return switches::kImeSandbox; case SandboxType::kTts: return switches::kTtsSandbox; -#endif // defined(OS_CHROMEOS) +#endif // BUILDFLAG(IS_CHROMEOS_ASH) // The following are not utility processes so should not occur. case SandboxType::kRenderer: case SandboxType::kGpu: @@ -310,12 +309,12 @@ SandboxType UtilitySandboxTypeFromString(const std::string& sandbox_string) { return SandboxType::kSpeechRecognition; if (sandbox_string == switches::kVideoCaptureSandbox) return SandboxType::kVideoCapture; -#if defined(OS_CHROMEOS) +#if BUILDFLAG(IS_CHROMEOS_ASH) if (sandbox_string == switches::kImeSandbox) return SandboxType::kIme; if (sandbox_string == switches::kTtsSandbox) return SandboxType::kTts; -#endif // defined(OS_CHROMEOS) +#endif // BUILDFLAG(IS_CHROMEOS_ASH) return SandboxType::kUtility; } diff --git a/chromium/sandbox/policy/sandbox_type.h b/chromium/sandbox/policy/sandbox_type.h index 00e23062366..abf1b013494 100644 
--- a/chromium/sandbox/policy/sandbox_type.h +++ b/chromium/sandbox/policy/sandbox_type.h @@ -9,6 +9,7 @@ #include "base/command_line.h" #include "build/build_config.h" +#include "build/chromeos_buildflags.h" #include "sandbox/policy/export.h" namespace sandbox { @@ -74,11 +75,11 @@ enum class SandboxType { // The audio service process. kAudio, -#if defined(OS_CHROMEOS) +#if BUILDFLAG(IS_CHROMEOS_ASH) kIme, // Text-to-speech. kTts, -#endif // defined(OS_CHROMEOS) +#endif // BUILDFLAG(IS_CHROMEOS_ASH) #if defined(OS_LINUX) || defined(OS_CHROMEOS) // Indicates that a process is a zygote and will get a real sandbox later. diff --git a/chromium/sandbox/policy/sandbox_type_unittest.cc b/chromium/sandbox/policy/sandbox_type_unittest.cc index 363475740df..e6860da3694 100644 --- a/chromium/sandbox/policy/sandbox_type_unittest.cc +++ b/chromium/sandbox/policy/sandbox_type_unittest.cc @@ -134,19 +134,6 @@ TEST(SandboxTypeTest, GPU) { EXPECT_EQ(SandboxType::kNoSandbox, SandboxTypeFromCommandLine(command_line)); } -TEST(SandboxTypeTest, PPAPIBroker) { - base::CommandLine command_line(base::CommandLine::NO_PROGRAM); - command_line.AppendSwitchASCII(switches::kProcessType, - switches::kPpapiBrokerProcess); - EXPECT_EQ(SandboxType::kNoSandbox, SandboxTypeFromCommandLine(command_line)); - - command_line.AppendSwitchASCII(switches::kServiceSandboxType, "network"); - EXPECT_EQ(SandboxType::kNoSandbox, SandboxTypeFromCommandLine(command_line)); - - command_line.AppendSwitch(switches::kNoSandbox); - EXPECT_EQ(SandboxType::kNoSandbox, SandboxTypeFromCommandLine(command_line)); -} - TEST(SandboxTypeTest, PPAPIPlugin) { base::CommandLine command_line(base::CommandLine::NO_PROGRAM); command_line.AppendSwitchASCII(switches::kProcessType, diff --git a/chromium/sandbox/policy/switches.cc b/chromium/sandbox/policy/switches.cc index 3afb8768843..7530befede3 100644 --- a/chromium/sandbox/policy/switches.cc +++ b/chromium/sandbox/policy/switches.cc 
@@ -5,6 +5,7 @@ #include "sandbox/policy/switches.h" #include "build/build_config.h" +#include "build/chromeos_buildflags.h" #if defined(OS_WIN) #include "base/command_line.h" @@ -41,10 +42,10 @@ const char kIconReaderSandbox[] = "icon_reader"; const char kMediaFoundationCdmSandbox[] = "mf_cdm"; #endif // OS_WIN -#if defined(OS_CHROMEOS) +#if BUILDFLAG(IS_CHROMEOS_ASH) const char kImeSandbox[] = "ime"; const char kTtsSandbox[] = "tts"; -#endif // OS_CHROMEOS +#endif // BUILDFLAG(IS_CHROMEOS_ASH) // Flags owned by the service manager sandbox. @@ -114,7 +115,6 @@ const char kProcessType[] = "type"; const char kGpuProcess[] = "gpu-process"; const char kNaClBrokerProcess[] = "nacl-broker"; const char kNaClLoaderProcess[] = "nacl-loader"; -const char kPpapiBrokerProcess[] = "ppapi-broker"; const char kPpapiPluginProcess[] = "ppapi"; const char kRendererProcess[] = "renderer"; const char kUtilityProcess[] = "utility"; diff --git a/chromium/sandbox/policy/switches.h b/chromium/sandbox/policy/switches.h index e096e96308a..f5d88277ca1 100644 --- a/chromium/sandbox/policy/switches.h +++ b/chromium/sandbox/policy/switches.h @@ -6,6 +6,7 @@ #define SANDBOX_POLICY_SWITCHES_H_ #include "build/build_config.h" +#include "build/chromeos_buildflags.h" #include "sandbox/policy/export.h" namespace sandbox { @@ -38,10 +39,10 @@ SANDBOX_POLICY_EXPORT extern const char kIconReaderSandbox[]; SANDBOX_POLICY_EXPORT extern const char kMediaFoundationCdmSandbox[]; #endif // OS_WIN -#if defined(OS_CHROMEOS) +#if BUILDFLAG(IS_CHROMEOS_ASH) SANDBOX_POLICY_EXPORT extern const char kImeSandbox[]; SANDBOX_POLICY_EXPORT extern const char kTtsSandbox[]; -#endif // OS_CHROMEOS +#endif // BUILDFLAG(IS_CHROMEOS_ASH) // Flags owned by the service manager sandbox. SANDBOX_POLICY_EXPORT extern const char kAllowNoSandboxJob[]; 
@@ -71,7 +72,6 @@ SANDBOX_POLICY_EXPORT extern const char kProcessType[]; SANDBOX_POLICY_EXPORT extern const char kGpuProcess[]; SANDBOX_POLICY_EXPORT extern const char kNaClBrokerProcess[]; SANDBOX_POLICY_EXPORT extern const char kNaClLoaderProcess[]; -SANDBOX_POLICY_EXPORT extern const char kPpapiBrokerProcess[]; SANDBOX_POLICY_EXPORT extern const char kPpapiPluginProcess[]; SANDBOX_POLICY_EXPORT extern const char kRendererProcess[]; SANDBOX_POLICY_EXPORT extern const char kUtilityProcess[]; diff --git a/chromium/sandbox/policy/win/sandbox_win.cc b/chromium/sandbox/policy/win/sandbox_win.cc index 8c1e3aa58b6..eef1a60d348 100644 --- a/chromium/sandbox/policy/win/sandbox_win.cc +++ b/chromium/sandbox/policy/win/sandbox_win.cc @@ -577,8 +577,10 @@ bool IsAppContainerEnabled() { if (base::win::GetVersion() < base::win::Version::WIN8) return false; - return base::FeatureList::IsEnabled( - {"RendererAppContainer", base::FEATURE_DISABLED_BY_DEFAULT}); + static const base::Feature kRendererAppContainer{ + "RendererAppContainer", base::FEATURE_DISABLED_BY_DEFAULT}; + + return base::FeatureList::IsEnabled(kRendererAppContainer); } ResultCode SetJobMemoryLimit(const base::CommandLine& cmd_line, @@ -697,7 +699,7 @@ ResultCode SetupAppContainerProfile(AppContainerProfile* profile, !profile->AddCapability(L"lpacServicesManagement") || !profile->AddCapability(L"lpacSessionManagement") || !profile->AddCapability(L"lpacAppExperience") || - !profile->AddCapability(L"lpacAppServices") || + !profile->AddCapability(L"lpacInstrumentation") || !profile->AddCapability(L"lpacCryptoServices") || !profile->AddCapability(L"lpacEnterprisePolicyChangeNotifications")) { DLOG(ERROR) diff --git a/chromium/sandbox/win/BUILD.gn b/chromium/sandbox/win/BUILD.gn index 7ae9c8b6cc4..93322374fb7 100644 --- a/chromium/sandbox/win/BUILD.gn +++ b/chromium/sandbox/win/BUILD.gn 
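Review bot: The capability swap in SetupAppContainerProfile replaces `lpacAppServices` with `lpacInstrumentation` without a comment on what the renderer's LPAC profile needs it for; every capability here widens what a compromised renderer can open, and the list carries no per-item rationale. Add a why-comment on the changed line, e.g. `!profile->AddCapability(L"lpacInstrumentation") ||  // TODO confirm: which ETW/tracing consumer in the renderer needs this?` and, where known, on the others. The `static const base::Feature kRendererAppContainer` change is a real fix (constructing a temporary Feature on each call registers a duplicate-named feature), and a one-line comment saying so would stop someone from reverting it to the inline form. SetupAppContainerProfile's body starts outside the hunk.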
@@ -239,8 +239,6 @@ test("sbox_integration_tests") { ":sbox_integration_test_win_proc", ] - # Overrides the globals set in testing/test.gni that disable CFG. - win_test_enable_cfi_linker = true libs = [ "dxva2.lib" ] } @@ -367,10 +365,9 @@ shared_library("pocdll") { defines = [ "POCDLL_EXPORTS" ] } -# This fuzzer will only work on Windows, add fuzz targets which could run on Linux -# to //sandbox/ directly. +# This fuzzer will only work on Windows, add fuzz targets which could run on +# Linux to //sandbox/ directly. fuzzer_test("sandbox_policy_rule_fuzzer") { - set_sources_assignment_filter([]) sources = [ "fuzzer/fuzzer_types.h", "fuzzer/sandbox_policy_rule_fuzzer.cc", diff --git a/chromium/sandbox/win/OWNERS b/chromium/sandbox/win/OWNERS index ac5f8853410..2fb3e5b1ffb 100644 --- a/chromium/sandbox/win/OWNERS +++ b/chromium/sandbox/win/OWNERS @@ -2,6 +2,3 @@ ajgo@chromium.org forshaw@chromium.org jschuh@chromium.org wfh@chromium.org - -# TEAM: security-dev@chromium.org -# COMPONENT: Internals>Sandbox diff --git a/chromium/sandbox/win/sandbox_poc/main_ui_window.cc b/chromium/sandbox/win/sandbox_poc/main_ui_window.cc index bd6a2b78a47..b5ebe760057 100644 --- a/chromium/sandbox/win/sandbox_poc/main_ui_window.cc +++ b/chromium/sandbox/win/sandbox_poc/main_ui_window.cc @@ -29,12 +29,11 @@ const wchar_t MainUIWindow::kDefaultEntryPoint_[] = L"Run"; const wchar_t MainUIWindow::kDefaultLogFile_[] = L""; MainUIWindow::MainUIWindow() - : broker_(NULL), + : broker_(nullptr), spawn_target_(L""), instance_handle_(NULL), dll_path_(L""), - entry_point_(L"") { -} + entry_point_(L"") {} MainUIWindow::~MainUIWindow() { } diff --git a/chromium/sandbox/win/sandbox_poc/pocdll/utils.h b/chromium/sandbox/win/sandbox_poc/pocdll/utils.h index 8ce228b01d8..d8fd31f7fe0 100644 --- a/chromium/sandbox/win/sandbox_poc/pocdll/utils.h +++ b/chromium/sandbox/win/sandbox_poc/pocdll/utils.h 
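Review bot: Removing `win_test_enable_cfi_linker = true` from sbox_integration_tests leaves the target with whatever testing/test.gni chooses for CFG, which the deleted comment describes as "disable CFG"; if that default is unchanged in this baseline, any sandbox integration test that depends on Control Flow Guard being linked silently stops exercising it. Either keep the override or record why dropping it is safe, e.g. `# CFG is now enabled by default for test() targets; see testing/test.gni.` — confirm against testing/test.gni in this snapshot before landing the comment.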
@@ -14,9 +14,7 @@ // object goes out of scope class HandleToFile { public: - HandleToFile() { - file_ = NULL; - } + HandleToFile() { file_ = nullptr; } // Note: c_file_handle_ does not need to be closed because fclose does it. ~HandleToFile() { diff --git a/chromium/sandbox/win/src/sandbox_nt_util.cc b/chromium/sandbox/win/src/sandbox_nt_util.cc index d7f6f032eab..8ba59ff7bf9 100644 --- a/chromium/sandbox/win/src/sandbox_nt_util.cc +++ b/chromium/sandbox/win/src/sandbox_nt_util.cc @@ -404,6 +404,21 @@ bool IsValidImageSection(HANDLE section, if (!(basic_info.Attributes & SEC_IMAGE)) return false; + // Windows 10 2009+ may open PEs as SEC_IMAGE_NO_EXECUTE in non-dll-loading + // paths which looks identical to dll-loading unless we check if the section + // handle has execute rights. + // Avoid memset inserted by -ftrivial-auto-var-init=pattern. + STACK_UNINITIALIZED OBJECT_BASIC_INFORMATION obj_info; + ULONG obj_size_returned; + ret = g_nt.QueryObject(section, ObjectBasicInformation, &obj_info, + sizeof(obj_info), &obj_size_returned); + + if (!NT_SUCCESS(ret) || sizeof(obj_info) != obj_size_returned) + return false; + + if (!(obj_info.GrantedAccess & SECTION_MAP_EXECUTE)) + return false; + return true; } diff --git a/chromium/sandbox/win/src/sync_policy.cc b/chromium/sandbox/win/src/sync_policy.cc index cdc34dd2418..fb1777cc960 100644 --- a/chromium/sandbox/win/src/sync_policy.cc +++ b/chromium/sandbox/win/src/sync_policy.cc 
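Review bot: On a failed `g_nt.QueryObject` or a size mismatch the new code returns false, the same answer it gives for a section that is not an executable image, so if callers treat false as "not a DLL load, pass the mapping through" a transient query failure bypasses whatever check this helper gates — fail-open for the blocklist-style use IsValidImageSection appears to serve. If the caller semantics are as described, make the query failure distinct from "valid non-executable image", for example by returning a tri-state or by keeping the pre-existing behaviour (treat the SEC_IMAGE section as an image) when QueryObject fails. The comment "Avoid memset inserted by -ftrivial-auto-var-init=pattern" should also state that every field read below is written by a successful QueryObject of exactly `sizeof(obj_info)` bytes, which is what the size-equality check guarantees. IsValidImageSection begins outside the hunk.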
@@ -64,21 +64,26 @@ NTSTATUS ResolveSymbolicLink(const std::wstring& directory_name,
 return status;
 UNICODE_STRING target_path = {};
- unsigned long target_length = 0;
+ unsigned long target_bytes = 0;
 status =
- NtQuerySymbolicLinkObject(symbolic_link, &target_path, &target_length);
+ NtQuerySymbolicLinkObject(symbolic_link, &target_path, &target_bytes);
 if (status != STATUS_BUFFER_TOO_SMALL) {
 CHECK(NT_SUCCESS(NtClose(symbolic_link)));
 return status;
 }
+ // NtQuerySymbolicLinkObject length and UNICODE_STRING lengths are bytes
+ // not characters.
+ size_t target_wchars = target_bytes / sizeof(wchar_t);
 target_path.Length = 0;
- target_path.MaximumLength = static_cast<USHORT>(target_length);
- target_path.Buffer = new wchar_t[target_path.MaximumLength + 1];
+ target_path.MaximumLength = static_cast<USHORT>(target_bytes);
+ target_path.Buffer = new wchar_t[target_wchars + 1];
 status =
- NtQuerySymbolicLinkObject(symbolic_link, &target_path, &target_length);
- if (NT_SUCCESS(status))
- target->assign(target_path.Buffer, target_length);
+ NtQuerySymbolicLinkObject(symbolic_link, &target_path, &target_bytes);
+ if (NT_SUCCESS(status)) {
+ DCHECK_EQ(target_bytes, sizeof(wchar_t) * target_wchars);
+ target->assign(target_path.Buffer, target_wchars);
+ }
 CHECK(NT_SUCCESS(NtClose(symbolic_link)));
 delete[] target_path.Buffer;
 |
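Review bot: `target->assign(target_path.Buffer, target_wchars)` copies the character count obtained from the first NtQuerySymbolicLinkObject call rather than the length the second call actually wrote; `target_path.Buffer` comes from `new wchar_t[target_wchars + 1]` and is never initialised, so if the link target shrinks between the two calls the tail of `*target` is uninitialised heap data, and the `DCHECK_EQ` that would catch it only exists in debug builds. Use the result length instead, `target->assign(target_path.Buffer, target_path.Length / sizeof(wchar_t));`, which is correct whether or not the two lengths agree, and keep the DCHECK as a sanity check. The `static_cast<USHORT>(target_bytes)` cannot overflow the buffer because a truncated MaximumLength makes the second call fail with STATUS_BUFFER_TOO_SMALL, but a short comment saying so would spare the next reader the same analysis. ResolveSymbolicLink's prologue is outside the hunk.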