Issue 504006 Add New Process Mitigation Policies for Win10+
Starred by 6 users Project Member Reported by forshaw@chromium.org, Jun 24 2015 Back to list
Status: Fixed
Owner:
Closed: Feb 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug

Blocked on:
issue 584389

Blocking:
issue 586291

This is a placeholder for disabling non-system fonts on Windows 10 for all processes using the new ProcessFontDisablePolicy mitigation policy. Some initial testing indicates it does what it says it does (namely blocking file based or memory based fonts being loaded into GDI) and has no obvious impact on rendering of Web Fonts, Flash with custom fonts or PDF with custom fonts, however more extensive testing will be necessary.


 
Initial implementation at https://codereview.chromium.org/1208833003/
Labels: Hotlist-Recharge
This issue likely requires triage.  The current issue owner may be inactive (i.e. hasn't fixed an issue in the last 30 days).  Thanks for helping out!

-Anthony
Labels: Cr-Internals-PlatformIntegration
Cc: jsc...@chromium.org
Summary: Add New Process Mitigation Policies for Win10+ (was: Implement The Disable Non-System Fonts Process Policy on Win10)
Changing this to be more generic as Windows 10 TH2 added a few more policies which we might want to implement:

PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON - Prevents mapping image sections from remote file systems (probably mainly to prevent current-directory DLL loads off UNC paths from document readers etc.)
PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_ON - Prevents mapping image sections from a low IL file.

PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY - Restricts creation of child processes, works without a job object enforcing thing. Seems to block the condrv job breakout trick.
Cc: penny...@chromium.org
I guess I forgot this bug existed. pennymac@ was looking at doing this, now that the Win10 SDK has finally landed.
Welcome to let someone else worry about this, although with the SDK in place the changes should be minimal.
Cc: -penny...@chromium.org forshaw@chromium.org
Labels: M-49
Owner: penny...@chromium.org
Status: Started
I've started to add in

PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON
PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON
PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_ON
and
PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY -> PROCESS_CREATION_CHILD_PROCESS_RESTRICTED

Win10 SDK version 10586 (TH2) should be hitting trunk in the win_toolchain soon. 
https://codereview.chromium.org/1626623003/

Awaiting reviews and VS2015 (10586) to land as default on trunk.
Woohoo.  Bruce has landed the depot_tools hash change required for SDK 10586 with Visual Studio 2013.  No longer blocked on VS2015.

https://codereview.chromium.org/1616553002/

Thanks Bruce.

Project Member Comment 10 by bugdroid1@chromium.org, Feb 3 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/441d852dbcb7b9b31328393c7e31562b1e268399

commit 441d852dbcb7b9b31328393c7e31562b1e268399
Author: Penny MacNeil <pennymac@chromium.org>
Date: Wed Feb 03 17:33:31 2016

[Win10 sandbox mitigations]  Four new Win10 mitigations added.

1. Disable non-system font loading on >= WIN10 (MITIGATION_NONSYSTEM_FONT_DISABLE).
2. Disable image loads from remote devices on >= WIN10_TH2 (MITIGATION_IMAGE_LOAD_NO_REMOTE).
3. Disable loading images that are labelled low integrity mandatory on >= WIN10_TH2 (MITIGATION_IMAGE_LOAD_NO_LOW_LABEL).
4. Extra disabling of child process creation on >= WIN10_TH2.  In BrokerServicesBase::SpawnTarget(), if JobLevel <= JOB_LIMITED_USER, set PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY to PROCESS_CREATION_CHILD_PROCESS_RESTRICTED via UpdateProcThreadAttribute().

This CL enables all four mitigations on every Chrome process except for
browser.  sbox_integration_tests have also been updated appropriately.

base::win::VERSION_WIN10_TH2 has been added to identify
Threshold 2/1511/10586.

BUG= 504006 
R=jschuh@chromium.org, wfh@chromium.org

Review URL: https://codereview.chromium.org/1626623003 .

Cr-Commit-Position: refs/heads/master@{#373265}

[modify] http://crrev.com/441d852dbcb7b9b31328393c7e31562b1e268399/base/win/windows_version.cc
[modify] http://crrev.com/441d852dbcb7b9b31328393c7e31562b1e268399/base/win/windows_version.h
[modify] http://crrev.com/441d852dbcb7b9b31328393c7e31562b1e268399/content/common/sandbox_win.cc
[modify] http://crrev.com/441d852dbcb7b9b31328393c7e31562b1e268399/sandbox/win/src/broker_services.cc
[modify] http://crrev.com/441d852dbcb7b9b31328393c7e31562b1e268399/sandbox/win/src/process_mitigations.cc
[modify] http://crrev.com/441d852dbcb7b9b31328393c7e31562b1e268399/sandbox/win/src/process_mitigations.h
[modify] http://crrev.com/441d852dbcb7b9b31328393c7e31562b1e268399/sandbox/win/src/process_mitigations_test.cc
[modify] http://crrev.com/441d852dbcb7b9b31328393c7e31562b1e268399/sandbox/win/src/sandbox_policy.h
[modify] http://crrev.com/441d852dbcb7b9b31328393c7e31562b1e268399/sandbox/win/src/sandbox_policy_base.cc
[modify] http://crrev.com/441d852dbcb7b9b31328393c7e31562b1e268399/sandbox/win/src/sandbox_policy_base.h
[modify] http://crrev.com/441d852dbcb7b9b31328393c7e31562b1e268399/sandbox/win/src/security_level.h
[modify] http://crrev.com/441d852dbcb7b9b31328393c7e31562b1e268399/sandbox/win/tests/common/controller.cc
[modify] http://crrev.com/441d852dbcb7b9b31328393c7e31562b1e268399/sandbox/win/tests/common/controller.h

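The comment above listing the TH2 policies and the commit message in comment 10 describe the same mechanism: a 64-bit PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY mask plus a separate PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY attribute, both applied with UpdateProcThreadAttribute() before CreateProcess. The following is an added example and not Chromium's code: it builds the mask for the three policies, decides the child-process policy the way the commit message describes (restricted when the job level is at or below limited user), launches a suspended child with those attributes, and reads the effective policies back with GetProcessMitigationPolicy() to confirm they took. The numeric constants are reproduced from the Windows 10 SDK 10586 winbase.h (bit 48, 52 and 56 shifts, child restriction 0x01) so the mask logic also builds on a non-Windows host; the JobLevel enum only mirrors the ordering in sandbox/win/src/security_level.h and, like the function names, is an assumption of this example. The use_directwrite switch anticipates the later adjustment in this bug, where font disabling is only enabled when Direct Write rather than GDI renders text.

```cpp
// Added example, not Chromium code: apply the Win10/TH2 creation-time
// mitigations from this bug to a child process and verify them.
#include <cstdint>
#include <cstdio>
#include <vector>

typedef uint64_t Mask64;

// PROCESS_CREATION_MITIGATION_POLICY_*_ALWAYS_ON values as defined in the
// 10586 SDK winbase.h (assumption: verify against your SDK header).
const Mask64 kFontDisableAlwaysOn         = (Mask64)1 << 48;
const Mask64 kImageLoadNoRemoteAlwaysOn   = (Mask64)1 << 52;
const Mask64 kImageLoadNoLowLabelAlwaysOn = (Mask64)1 << 56;
// PROCESS_CREATION_CHILD_PROCESS_RESTRICTED (winbase.h, 10586 SDK).
const uint32_t kChildProcessRestricted = 0x01;

// Mirrors the ordering of Chromium's JobLevel (most restrictive first);
// this enum is an assumption of the example, not a copy of the header.
enum JobLevel { JOB_LOCKDOWN = 0, JOB_RESTRICTED, JOB_LIMITED_USER,
                JOB_INTERACTIVE, JOB_UNPROTECTED, JOB_NONE };

// The mask comment 10 enables for every non-browser process. Non-system
// font disabling is only added when Direct Write renders text, because
// GDI-rendered web fonts break under it (bug 586291).
Mask64 BuildWin10MitigationMask(bool use_directwrite) {
  Mask64 mask = kImageLoadNoRemoteAlwaysOn | kImageLoadNoLowLabelAlwaysOn;
  if (use_directwrite) mask |= kFontDisableAlwaysOn;
  return mask;
}

// "if JobLevel <= JOB_LIMITED_USER, set ... CHILD_PROCESS_RESTRICTED":
// returns the attribute value, or 0 meaning the attribute is not set.
uint32_t ChildProcessPolicyFor(JobLevel level) {
  return level <= JOB_LIMITED_USER ? kChildProcessRestricted : 0;
}

#ifdef _WIN32
#include <windows.h>

// Creates |cmdline| suspended with the mitigation attributes, then queries
// the new process for its effective font and image-load policies. Returns
// true only if creation succeeded and the requested bits are reported on.
bool LaunchWithMitigations(wchar_t* cmdline, JobLevel level,
                           bool use_directwrite) {
  DWORD64 mask = BuildWin10MitigationMask(use_directwrite);
  DWORD child_policy = ChildProcessPolicyFor(level);

  SIZE_T size = 0;
  InitializeProcThreadAttributeList(nullptr, 2, 0, &size);
  std::vector<BYTE> buf(size);
  LPPROC_THREAD_ATTRIBUTE_LIST attrs =
      reinterpret_cast<LPPROC_THREAD_ATTRIBUTE_LIST>(buf.data());
  if (!InitializeProcThreadAttributeList(attrs, 2, 0, &size)) return false;

  bool ok = UpdateProcThreadAttribute(attrs, 0,
                PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &mask, sizeof(mask),
                nullptr, nullptr) != 0;
  if (ok && child_policy)  // TH2+: blocks CreateProcess without a job object.
    ok = UpdateProcThreadAttribute(attrs, 0,
             PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY, &child_policy,
             sizeof(child_policy), nullptr, nullptr) != 0;

  STARTUPINFOEXW si = {};
  si.StartupInfo.cb = sizeof(si);
  si.lpAttributeList = attrs;
  PROCESS_INFORMATION pi = {};
  if (ok)
    ok = CreateProcessW(nullptr, cmdline, nullptr, nullptr, FALSE,
                        EXTENDED_STARTUPINFO_PRESENT | CREATE_SUSPENDED,
                        nullptr, nullptr, &si.StartupInfo, &pi) != 0;
  DeleteProcThreadAttributeList(attrs);
  if (!ok) return false;

  // Read back what the kernel actually applied before letting it run.
  PROCESS_MITIGATION_FONT_DISABLE_POLICY font = {};
  PROCESS_MITIGATION_IMAGE_LOAD_POLICY image = {};
  ok = GetProcessMitigationPolicy(pi.hProcess, ProcessFontDisablePolicy,
                                  &font, sizeof(font)) &&
       GetProcessMitigationPolicy(pi.hProcess, ProcessImageLoadPolicy,
                                  &image, sizeof(image));
  if (ok)
    ok = image.NoRemoteImages && image.NoLowMandatoryLabelImages &&
         (!use_directwrite || font.DisableNonSystemFonts);
  ResumeThread(pi.hThread);
  CloseHandle(pi.hThread);
  CloseHandle(pi.hProcess);
  return ok;
}
#endif

int main() {
  std::printf("mask (DirectWrite on): 0x%016llx\n",
              (unsigned long long)BuildWin10MitigationMask(true));
#ifdef _WIN32
  wchar_t cmd[] = L"notepad.exe";  // any child will do for the check
  std::printf("mitigations applied: %s\n",
              LaunchWithMitigations(cmd, JOB_LIMITED_USER, true) ? "yes" : "no");
#endif
  return 0;
}
```

On a pre-TH2 build (10240) the child-process attribute is rejected by UpdateProcThreadAttribute, which is why the sandbox gates it on the VERSION_WIN10_TH2 check added in the same CL; the font and image-load bits are likewise ignored rather than honoured on older kernels, so the read-back, not the creation return value, is the signal to trust.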
Project Member Comment 11 by bugdroid1@chromium.org, Feb 3 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/57b8827f887030911545998cf25a4a23fb21b49b

commit 57b8827f887030911545998cf25a4a23fb21b49b
Author: Nico Weber <thakis@chromium.org>
Date: Wed Feb 03 21:00:17 2016

clang/win: Fix -Wmissing-braces warning.

No behavior change.

BUG=82385, 504006 
TBR=pennymac

Review URL: https://codereview.chromium.org/1660103005 .

Cr-Commit-Position: refs/heads/master@{#373336}

[modify] http://crrev.com/57b8827f887030911545998cf25a4a23fb21b49b/sandbox/win/src/process_mitigations.cc

Project Member Comment 12 by bugdroid1@chromium.org, Feb 3 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4ce19b8ce692bf6c1b885a5e07e7737c485bf591

commit 4ce19b8ce692bf6c1b885a5e07e7737c485bf591
Author: pennymac <pennymac@chromium.org>
Date: Wed Feb 03 21:44:08 2016

[Win10 sandbox mitigations] Enable the 3 new mitigations.

Turning on 3 new mitigations for all child processes (pre-startup).
This CL follows https://codereview.chromium.org/1626623003/.

R=wfh@chromium.org
BUG= 504006 

Review URL: https://codereview.chromium.org/1666753002

Cr-Commit-Position: refs/heads/master@{#373346}

[modify] http://crrev.com/4ce19b8ce692bf6c1b885a5e07e7737c485bf591/content/common/sandbox_win.cc

Blockedon: chromium:584389
Labels: -Hotlist-Recharge -M-49 M-50
First started hitting canary with 50.0.2640.0.
A few win10 users reported web fonts are not working in recent canaries ( Bug 586291 ).
Also UMA timeline indicates a significant increase of web font load error since February 4: https://goo.gl/TfAYtn
Could this be caused by this mitigation changes?

I talked to pennymac. We probably want to switch MITIGATION_NONSYSTEM_FONT_DISABLE based on the directwrite flag status until all the fallback issues are resolved and we can drop GDI.
Blocking: 586291
Thanks for the heads up ksakamoto@!

I've got a patch under review: https://codereview.chromium.org/1720643002/.  It will definitely be in before M50 branches to beta (hopefully in the next couple days).


Project Member Comment 19 by bugdroid1@chromium.org, Feb 23 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/247218e258a2491967b63d5dddb63a1e90b9dc42

commit 247218e258a2491967b63d5dddb63a1e90b9dc42
Author: pennymac <pennymac@chromium.org>
Date: Tue Feb 23 23:15:51 2016

[Win10 sandbox mitigations] MITIGATION_NONSYSTEM_FONT_DISABLE adjustment.

Enable MITIGATION_NONSYSTEM_FONT_DISABLE mitigation
in child processes only when Direct Write is enabled (not for GDI).
This CL follows https://codereview.chromium.org/1666753002.

R=wfh@chromium.org,jschuh@chromium.org
BUG= 504006 , 586291 

Review URL: https://codereview.chromium.org/1720643002

Cr-Commit-Position: refs/heads/master@{#377110}

[modify] https://crrev.com/247218e258a2491967b63d5dddb63a1e90b9dc42/content/common/sandbox_win.cc

Status: Fixed
Small fix for GDI fonts started going out in 50.0.2658.0 canary (see bug 586291).

Note that this fix was in for the M50 branch, so no merge needed.

Tentatively setting this ticket to fixed for now.