Issue 523278 Implement Win32k Lockdown for PPAPI
Starred by 6 users Project Member Reported by forshaw@chromium.org, Aug 21 2015
Status: Fixed
Owner:
Closed: Jan 26
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug

Blocked on:
issue 615154
This is a tracking bug for implementing Win32k lockdown for PDFIUM PPAPI processes.
 
Summary: Implement Win32k Lockdown for PPAPI (was: Implement Win32k Lockdown for PDFIUM)
Project Member Comment 2 by bugdroid1@chromium.org, Sep 15 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/98e2c9d0ab8df5447042c4884dad40910d1c8aa2

commit 98e2c9d0ab8df5447042c4884dad40910d1c8aa2
Author: forshaw <forshaw@chromium.org>
Date: Tue Sep 15 00:05:40 2015

Moved render_font to a common location to share with other content.
This patch moves the render_font_warmup_win files into a common
location so that other content processes, especially PPAPI can
share the code. This is needed as a warmup to pushing win32k lockdown
to other content processes.

BUG= 523278 

Review URL: https://codereview.chromium.org/1326623002

Cr-Commit-Position: refs/heads/master@{#348779}

[modify] http://crrev.com/98e2c9d0ab8df5447042c4884dad40910d1c8aa2/content/common/DEPS
[modify] http://crrev.com/98e2c9d0ab8df5447042c4884dad40910d1c8aa2/content/common/OWNERS
[rename] http://crrev.com/98e2c9d0ab8df5447042c4884dad40910d1c8aa2/content/common/font_warmup_win.cc
[rename] http://crrev.com/98e2c9d0ab8df5447042c4884dad40910d1c8aa2/content/common/font_warmup_win.h
[modify] http://crrev.com/98e2c9d0ab8df5447042c4884dad40910d1c8aa2/content/content_common.gypi
[modify] http://crrev.com/98e2c9d0ab8df5447042c4884dad40910d1c8aa2/content/content_renderer.gypi
[modify] http://crrev.com/98e2c9d0ab8df5447042c4884dad40910d1c8aa2/content/renderer/OWNERS
[modify] http://crrev.com/98e2c9d0ab8df5447042c4884dad40910d1c8aa2/content/renderer/renderer_main_platform_delegate_win.cc
[modify] http://crrev.com/98e2c9d0ab8df5447042c4884dad40910d1c8aa2/content/test/layouttest_support.cc

Project Member Comment 3 by bugdroid1@chromium.org, Sep 16 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/47161b3bd2e3291c3ee969efb21ab9ad74ca404b

commit 47161b3bd2e3291c3ee969efb21ab9ad74ca404b
Author: forshaw <forshaw@chromium.org>
Date: Wed Sep 16 21:31:30 2015

Added common check for USER32 and GDI32 API availability.
This CL adds a check function to base to allow code to check if the USER32
and GDI32 API calls are available. Windows 8 and above allow an application
to disable these API calls for security reasons and fallback when calling
the API isn't consistent (such as returning error codes instead of handles).
This can lead to undefined behaviour if code calls into these APIs while they
are disabled. This check can be used to guard calls to these APIs and fall back
if appropriate.

BUG= 523278 

Review URL: https://codereview.chromium.org/1351513002

Cr-Commit-Position: refs/heads/master@{#349237}

[modify] http://crrev.com/47161b3bd2e3291c3ee969efb21ab9ad74ca404b/base/win/win_util.cc
[modify] http://crrev.com/47161b3bd2e3291c3ee969efb21ab9ad74ca404b/base/win/win_util.h

Project Member Comment 4 by bugdroid1@chromium.org, Sep 18 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d35dca1768aa8bf44af0e3318664f224fd88acf4

commit d35dca1768aa8bf44af0e3318664f224fd88acf4
Author: forshaw <forshaw@chromium.org>
Date: Fri Sep 18 01:13:33 2015

Add command line option to enable PPAPI win32k lockdown.
This patch adds a command line option (enable-win32k-lockdown-mimetypes)
to selectively enable win32k lockdown on specific types of PPAPI content.
This will not currently allow any PPAPI process to work under lockdown
as further changes are necessary to remove usage of GDI.

BUG= 523278 

Review URL: https://codereview.chromium.org/1306243012

Cr-Commit-Position: refs/heads/master@{#349568}

[modify] http://crrev.com/d35dca1768aa8bf44af0e3318664f224fd88acf4/content/browser/ppapi_plugin_process_host.cc
[modify] http://crrev.com/d35dca1768aa8bf44af0e3318664f224fd88acf4/content/common/content_switches_internal.cc
[modify] http://crrev.com/d35dca1768aa8bf44af0e3318664f224fd88acf4/content/common/content_switches_internal.h
[modify] http://crrev.com/d35dca1768aa8bf44af0e3318664f224fd88acf4/content/common/sandbox_win.cc
[modify] http://crrev.com/d35dca1768aa8bf44af0e3318664f224fd88acf4/content/common/sandbox_win.h
[modify] http://crrev.com/d35dca1768aa8bf44af0e3318664f224fd88acf4/content/public/common/content_switches.cc
[modify] http://crrev.com/d35dca1768aa8bf44af0e3318664f224fd88acf4/content/public/common/content_switches.h

Project Member Comment 5 by bugdroid1@chromium.org, Sep 22 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/30ce0db09000893a6a44e9ade4912bbd3d45eccc

commit 30ce0db09000893a6a44e9ade4912bbd3d45eccc
Author: forshaw <forshaw@chromium.org>
Date: Tue Sep 22 18:08:56 2015

Added directwrite warmup for PPAPI processes.
This patch warms up the directwrite skia font code when running a PPAPI
process under win32k lockdown. This allows users of Skia (such as the
PPAPI itself) to bypass GDI calls when dealing with fonts.

BUG= 523278 

Review URL: https://codereview.chromium.org/1325843002

Cr-Commit-Position: refs/heads/master@{#350191}

[modify] http://crrev.com/30ce0db09000893a6a44e9ade4912bbd3d45eccc/content/browser/ppapi_plugin_process_host.cc
[modify] http://crrev.com/30ce0db09000893a6a44e9ade4912bbd3d45eccc/content/common/font_warmup_win.cc
[modify] http://crrev.com/30ce0db09000893a6a44e9ade4912bbd3d45eccc/content/common/font_warmup_win.h
[modify] http://crrev.com/30ce0db09000893a6a44e9ade4912bbd3d45eccc/content/common/sandbox_win.cc
[modify] http://crrev.com/30ce0db09000893a6a44e9ade4912bbd3d45eccc/content/ppapi_plugin/ppapi_plugin_main.cc
[modify] http://crrev.com/30ce0db09000893a6a44e9ade4912bbd3d45eccc/content/renderer/renderer_main_platform_delegate_win.cc

Project Member Comment 7 by bugdroid1@chromium.org, Sep 23 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a02265b4756ed4a7c70c8a595a4846740ed43306

commit a02265b4756ed4a7c70c8a595a4846740ed43306
Author: Nico Weber <thakis@chromium.org>
Date: Wed Sep 23 03:01:00 2015

Fix clang analysis errors.

BUG= 523278 
R=thakis@chromium.org
TBR=jochen

Review URL: https://codereview.chromium.org/1361903002 .

Cr-Commit-Position: refs/heads/master@{#350290}

[modify] http://crrev.com/a02265b4756ed4a7c70c8a595a4846740ed43306/content/common/font_warmup_win.cc

Project Member Comment 8 by bugdroid1@chromium.org, Sep 23 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/731e0ce568c52716b6040ad3317699f382f344a5

commit 731e0ce568c52716b6040ad3317699f382f344a5
Author: Nico Weber <thakis@chromium.org>
Date: Wed Sep 23 03:24:18 2015

Fix more clang/win plugin warnings after GDI font emulation CL.

BUG= 523278 
TBR=forshaw@chromium.org

Review URL: https://codereview.chromium.org/1363643003 .

Cr-Commit-Position: refs/heads/master@{#350293}

[modify] http://crrev.com/731e0ce568c52716b6040ad3317699f382f344a5/content/common/font_warmup_win_unittest.cc

Labels: Hotlist-Recharge
This issue likely requires triage.  The current issue owner may be inactive (i.e. hasn't fixed an issue in the last 30 days).  Thanks for helping out!

-Anthony
Labels: -Hotlist-Recharge
Status: Started
Project Member Comment 16 by bugdroid1@chromium.org, Sep 25 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e201ebab608f5ff0a12b3e1de96585bcafb28517

commit e201ebab608f5ff0a12b3e1de96585bcafb28517
Author: forshaw <forshaw@chromium.org>
Date: Fri Sep 25 15:09:27 2015

Modified platform bitmap to support win32k lockdown.
This patch detects if the current process is under win32k lockdown
and instead of using the GDI route it maps the shared section directly.
This is done for supporting the introduction of win32k lockdown for
PPAPI processes. To minimize the chances of disruption when not under
win32k lockdown the code path is kept the same.

BUG= 523278 

Review URL: https://codereview.chromium.org/1321913002

Cr-Commit-Position: refs/heads/master@{#350828}

[modify] http://crrev.com/e201ebab608f5ff0a12b3e1de96585bcafb28517/skia/ext/bitmap_platform_device_win.cc

Project Member Comment 17 by bugdroid1@chromium.org, Sep 30 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9745511be6490f393f829aa8acb85e66aba26cb9

commit 9745511be6490f393f829aa8acb85e66aba26cb9
Author: forshaw <forshaw@chromium.org>
Date: Wed Sep 30 13:28:59 2015

Added PPAPI win32k lockdown options to chrome://flags.
This patch adds the PPAPI win32k lockdown command line to the flags
page along with necessary changes to ensure tests work correctly.

BUG= 523278 

Review URL: https://codereview.chromium.org/1373843004

Cr-Commit-Position: refs/heads/master@{#351542}

[modify] http://crrev.com/9745511be6490f393f829aa8acb85e66aba26cb9/chrome/app/generated_resources.grd
[modify] http://crrev.com/9745511be6490f393f829aa8acb85e66aba26cb9/chrome/browser/about_flags.cc
[modify] http://crrev.com/9745511be6490f393f829aa8acb85e66aba26cb9/content/common/content_switches_internal.cc
[modify] http://crrev.com/9745511be6490f393f829aa8acb85e66aba26cb9/tools/metrics/histograms/histograms.xml

Project Member Comment 18 by bugdroid1@chromium.org, Oct 6 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/70e55ac52701b7d43eb8c3a560ff546385e44e51

commit 70e55ac52701b7d43eb8c3a560ff546385e44e51
Author: thestig <thestig@chromium.org>
Date: Tue Oct 06 07:28:30 2015

Roll PDFium eda27bd..35902e7

https://pdfium.googlesource.com/pdfium.git/+log/eda27bd..35902e7

BUG= 539749 , 523278 
TBR=tsepez@chromium.org

Review URL: https://codereview.chromium.org/1390433003

Cr-Commit-Position: refs/heads/master@{#352557}

[modify] http://crrev.com/70e55ac52701b7d43eb8c3a560ff546385e44e51/DEPS

Project Member Comment 19 by bugdroid1@chromium.org, Nov 2 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/eca2b40dd6ffacdf9e1772e5d18c3623d71b2946

commit eca2b40dd6ffacdf9e1772e5d18c3623d71b2946
Author: xzhang <xzhang@adobe.com>
Date: Mon Nov 02 22:42:54 2015

Enable pp::flash::FontFile support on Windows

Part 1:
Added Windows implementation using Skia for PepperFlashFontFileHost.
This patch adds a simple Windows implementation of PepperFlashFontFileHost
using Skia to access the font data. By implementing this PepperFlash can
remove some use cases of GDI to support Win32k lockdown.

AUTHOR=forshaw@google.com

Part 2:
To support win32k lockdown, Pepper flash needs to switch Win GDI font calls
to pp::flash::FontFile PPAPI. This API was only supported on Linux, and it
is supported on Windows starting from M48.

Considering backward compatibility, we still need to fallback to GDI calls
for Chrome versions where Win32k lockdown is not available yet. We add a new
version of PPB_Flash_FontFile interface: PPB_FLASH_FONTFILE_INTERFACE_0_2

This new version does not change any API; its availability shows that
pp::flash::FontFile is supported for Windows, and Pepper flash can use
it to decide whether it should call the pp::flash::FontFile API or fall back
to Win GDI calls.

AUTHOR=xzhang@adobe.com

BUG= 523278 
R=bbudge@chromium.org, raymes@chromium.org, forshaw@google.com

Review URL: https://codereview.chromium.org/1416643002

Cr-Commit-Position: refs/heads/master@{#357457}

[modify] http://crrev.com/eca2b40dd6ffacdf9e1772e5d18c3623d71b2946/chrome/renderer/pepper/pepper_flash_font_file_host.cc
[modify] http://crrev.com/eca2b40dd6ffacdf9e1772e5d18c3623d71b2946/chrome/renderer/pepper/pepper_flash_font_file_host.h
[modify] http://crrev.com/eca2b40dd6ffacdf9e1772e5d18c3623d71b2946/ppapi/api/private/ppb_flash_font_file.idl
[modify] http://crrev.com/eca2b40dd6ffacdf9e1772e5d18c3623d71b2946/ppapi/c/private/ppb_flash_font_file.h
[modify] http://crrev.com/eca2b40dd6ffacdf9e1772e5d18c3623d71b2946/ppapi/cpp/private/flash_font_file.cc
[modify] http://crrev.com/eca2b40dd6ffacdf9e1772e5d18c3623d71b2946/ppapi/cpp/private/flash_font_file.h
[modify] http://crrev.com/eca2b40dd6ffacdf9e1772e5d18c3623d71b2946/ppapi/thunk/interfaces_ppb_private_flash.h
[modify] http://crrev.com/eca2b40dd6ffacdf9e1772e5d18c3623d71b2946/ppapi/thunk/ppb_flash_font_file_thunk.cc

Comment 20 by wfh@chromium.org, Jan 19 2016
Blocking: chromium:579223
Comment 22 by wfh@chromium.org, Jan 28 2016
Cc: forshaw@chromium.org
Labels: Merge-Request-49 Cr-Internals-Sandbox Cr-Internals-Plugins
Owner: wfh@chromium.org
Status: Assigned
Hello, I'd like to merge c91e967e98ace8db59aa9c29b0949603caa51050 to M-49. This would allow us to run the win32k lockdown study on a larger population. The functional part of the code has landed, this is just the ability for us to finch it. Thanks.
Comment 23 by tin...@google.com, Jan 28 2016
Labels: -Merge-Request-49 Merge-Review-49 Hotlist-Merge-Review
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
Labels: -Merge-Review-49 -Hotlist-Merge-Review Merge-Approved-49 Hotlist-Merge-Approved
Merge approved for M49 (branch 2623)
Please merge your change to M49 (branch: 2623) before 5:00 PM PST Tuesday [02/02/16] if you would like to make it to next week's M49 Beta push on Wednesday [02/03/16].
Project Member Comment 26 by bugdroid1@chromium.org, Jan 28 2016
Labels: -Merge-Approved-49 merge-merged-2623
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/796f6dab549a5c883977bfa2f4fa38a7cd5858e9

commit 796f6dab549a5c883977bfa2f4fa38a7cd5858e9
Author: Will Harris <wfh@chromium.org>
Date: Thu Jan 28 23:10:26 2016

Merge M49: Change Win32k PPAPI lockdown to use finch params for mime type.

BUG= 523278 

Review URL: https://codereview.chromium.org/1609133002

Cr-Commit-Position: refs/heads/master@{#371651}
(cherry picked from commit c91e967e98ace8db59aa9c29b0949603caa51050)

Review URL: https://codereview.chromium.org/1645143003 .

Cr-Commit-Position: refs/branch-heads/2623@{#179}
Cr-Branched-From: 92d77538a86529ca35f9220bd3cd512cbea1f086-refs/heads/master@{#369907}

[modify] http://crrev.com/796f6dab549a5c883977bfa2f4fa38a7cd5858e9/chrome/browser/chrome_content_browser_client.cc
[modify] http://crrev.com/796f6dab549a5c883977bfa2f4fa38a7cd5858e9/chrome/browser/chrome_content_browser_client.h
[modify] http://crrev.com/796f6dab549a5c883977bfa2f4fa38a7cd5858e9/content/browser/ppapi_plugin_process_host.cc
[modify] http://crrev.com/796f6dab549a5c883977bfa2f4fa38a7cd5858e9/content/common/content_switches_internal.cc
[modify] http://crrev.com/796f6dab549a5c883977bfa2f4fa38a7cd5858e9/content/common/content_switches_internal.h
[modify] http://crrev.com/796f6dab549a5c883977bfa2f4fa38a7cd5858e9/content/public/browser/content_browser_client.cc
[modify] http://crrev.com/796f6dab549a5c883977bfa2f4fa38a7cd5858e9/content/public/browser/content_browser_client.h

Project Member Comment 27 by bugdroid1@chromium.org, Jan 29 2016
The following revision refers to this bug:
  https://chrome-internal.googlesource.com/bling/chromium.git/+/796f6dab549a5c883977bfa2f4fa38a7cd5858e9

commit 796f6dab549a5c883977bfa2f4fa38a7cd5858e9
Author: Will Harris <wfh@chromium.org>
Date: Thu Jan 28 23:10:26 2016

Blockedon: chromium:583037
Blockedon: chromium:583038
Comment 30 by wfh@chromium.org, Mar 18 2016
Labels: -merge-merged-2623 proj-win32k Merge-Merged-2623
To support DRM/HDCP this is my design document for changes to the sandbox. https://docs.google.com/document/d/1cn8lpZiu0DQLovkbJSMmRlPyM0ETtjdsgvOOfR6jwJM/edit?usp=sharing
Project Member Comment 33 by bugdroid1@chromium.org, Apr 27 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5ef755bb1a9e77e296b46a08e4cb61078e769609

commit 5ef755bb1a9e77e296b46a08e4cb61078e769609
Author: forshaw <forshaw@chromium.org>
Date: Wed Apr 27 12:34:13 2016

Implement sandbox hooks to forward OPM related GDI system calls.
This patch adds hooks to the Windows sandbox to forward Output Protection
Manager system calls to the browser process when running under Win32k
lockdown. This allows a locked down process to enable output protection when
playing back media.

Design Doc: https://docs.google.com/document/d/1cn8lpZiu0DQLovkbJSMmRlPyM0ETtjdsgvOOfR6jwJM/edit?usp=sharing

BUG= 523278 
CQ_INCLUDE_TRYBOTS=tryserver.chromium.win:win10_chromium_x64_rel_ng

Review URL: https://codereview.chromium.org/1856993003

Cr-Commit-Position: refs/heads/master@{#390051}

[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/BUILD.gn
[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/sandbox_win.gypi
[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/src/interceptors.h
[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/src/interceptors_64.cc
[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/src/interceptors_64.h
[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/src/ipc_tags.h
[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/src/nt_internals.h
[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/src/policy_low_level.h
[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/src/process_mitigations_test.cc
[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/src/process_mitigations_win32k_dispatcher.cc
[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/src/process_mitigations_win32k_dispatcher.h
[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/src/process_mitigations_win32k_interception.cc
[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/src/process_mitigations_win32k_interception.h
[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/src/process_mitigations_win32k_policy.cc
[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/src/process_mitigations_win32k_policy.h
[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/src/sandbox_policy.h
[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/src/sandbox_policy_base.cc
[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/src/sandbox_policy_base.h
[modify] https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609/sandbox/win/src/top_level_dispatcher.cc

Project Member Comment 34 by bugdroid1@chromium.org, Apr 27 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/24820e27b518d0deee6d75a803baa8a35880ff4d

commit 24820e27b518d0deee6d75a803baa8a35880ff4d
Author: forshaw <forshaw@chromium.org>
Date: Wed Apr 27 18:05:17 2016

Enabled OPM redirection policy for PPAPI processes.
This patch enables the OPM redirection policy for PPAPI processes to
support output protection when running in win32k lockdown mode.

BUG= 523278 

Review-Url: https://codereview.chromium.org/1924723002
Cr-Commit-Position: refs/heads/master@{#390124}

[modify] https://crrev.com/24820e27b518d0deee6d75a803baa8a35880ff4d/content/browser/ppapi_plugin_process_host.cc
[modify] https://crrev.com/24820e27b518d0deee6d75a803baa8a35880ff4d/content/common/sandbox_win.cc
[modify] https://crrev.com/24820e27b518d0deee6d75a803baa8a35880ff4d/content/common/sandbox_win.h

Comment 35 by cpu@chromium.org, May 18 2016
Cc: cpu@chromium.org
Comment 36 by wfh@chromium.org, May 26 2016
Blockedon: 615154
I'm finding the behavior/logic with the command line flags for this to be
backwards and potentially dangerous considering the security implications of
using this option.

What I'm referring to is the interaction of field trials combined with the
command line flag to enable this option.  I'm not sure why but what's specified
in field trials seems to override the command line flag (set from the command
line or through chrome://flags since they're both the same thing essentially).
So what you wind up with when you enable it through chrome://flags or on the
command line with the following:
--enable-win32k-lockdown-mimetypes=*
Is that it's not actually doing anything which says to me that the logic behind
this flag is broken.  If I'm specifying it on the command line I actually expect
it to override any random field trials and actually enable the option which is
the ONLY way to reduce the kernel attack surface on Windows.

Instead to actually enable it you need something like this:
--force-fieldtrials="EnableWin32kLockDownMimeTypes/Default" ^
--enable-win32k-lockdown-mimetypes=*

For me the field trial defaulted to being enabled and the option was set to
something with Flash in the name but it still wasn't actually enabled for Flash
so I'm not sure what it was doing in that case.

I just find this logic to be backwards and I'm sort of thinking this may
actually be a bug in how the logic is being handled.  I wonder if this[1] commit
had anything to do with it or if the logic was broken even before that.

[1] https://chromium.googlesource.com/chromium/src.git/+/c91e967e98ace8db59aa9c29b0949603caa51050
Comment 38 by wfh@chromium.org, May 29 2016
Win32k lockdown for ppapi plugin is an experimental feature, this is why it's behind a flag. Once it's ready for prime time then it will be gradually enabled across all channels for all users.

Having the field trial control the parameters of lockdown allows us to measure accurately the stability of the feature, and this was a deliberate design decision.
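The precedence described in comments 36 and 38, written up here as an added example that is not Chromium's code: when the EnableWin32kLockDownMimeTypes field trial supplies a mime-type list, that list governs lockdown, and --enable-win32k-lockdown-mimetypes is consulted only when the trial does not (which is what forcing the parameter-less "Default" group achieves). The parameter name "mime_types", the struct type, and the exact-match semantics are assumptions of this example.

```cpp
// Added example, not Chromium code: a model of the precedence that comments 36
// and 38 describe for --enable-win32k-lockdown-mimetypes. When the
// EnableWin32kLockDownMimeTypes field trial supplies a mime-type list, that
// list is used; the command-line switch is consulted only when the trial does not.
#include <algorithm>
#include <cctype>
#include <map>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Stand-in for the two inputs the browser consults (constructed, not Chromium types).
struct LockdownConfig {
  // Value of --enable-win32k-lockdown-mimetypes when the switch is present.
  std::optional<std::string> command_line_mime_types;
  // Parameters of the client's EnableWin32kLockDownMimeTypes trial group. The
  // "Default" group forced via --force-fieldtrials carries no parameters.
  std::map<std::string, std::string> field_trial_params;
};

// The parameter name is an assumption; the thread names the trial, not the key.
constexpr const char kMimeTypesParam[] = "mime_types";

std::string ToLower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return std::tolower(c); });
  return s;
}

// Splits "a, b,c" into lower-cased tokens, dropping whitespace and empty items.
std::vector<std::string> SplitMimeTypes(const std::string& list) {
  std::vector<std::string> out;
  std::stringstream ss(list);
  std::string item;
  while (std::getline(ss, item, ',')) {
    item.erase(std::remove_if(item.begin(), item.end(),
                              [](unsigned char c) { return std::isspace(c); }),
               item.end());
    if (!item.empty()) out.push_back(ToLower(item));
  }
  return out;
}

// Returns the list that governs lockdown, or nullopt when lockdown is off.
// The field trial takes precedence whenever it supplies the parameter.
std::optional<std::vector<std::string>> EffectiveMimeTypes(const LockdownConfig& c) {
  auto it = c.field_trial_params.find(kMimeTypesParam);
  if (it != c.field_trial_params.end()) return SplitMimeTypes(it->second);
  if (c.command_line_mime_types) return SplitMimeTypes(*c.command_line_mime_types);
  return std::nullopt;
}

// "*" matches every plugin; otherwise the mime type must match an entry exactly
// (case-insensitively here), which is why a near-miss in the trial parameter
// leaves a plugin running without lockdown even though the flag looks enabled.
bool IsWin32kLockdownEnabledForMimeType(const LockdownConfig& c,
                                        const std::string& mime_type) {
  auto types = EffectiveMimeTypes(c);
  if (!types) return false;
  const std::string wanted = ToLower(mime_type);
  return std::any_of(types->begin(), types->end(),
                     [&](const std::string& t) { return t == "*" || t == wanted; });
}
```

The second scenario in the checks below is the one comment 36 hit: the switch says `*`, but a trial parameter naming a different mime type wins, so the PDF plugin is not locked down.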
Project Member Comment 39 by bugdroid1@chromium.org, Jun 29 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a6fc996adfc9a973536804fb1dcd28c24da84a80

commit a6fc996adfc9a973536804fb1dcd28c24da84a80
Author: forshaw <forshaw@chromium.org>
Date: Wed Jun 29 18:21:03 2016

Restrict PPAPI Win32k lockdown to Win10 and above.
This patch restricts enabling Win32k lockdown for PPAPI processes to
Windows 10 and above. It includes a change to the flag text to indicate
it only works on Windows 10.

BUG= 523278 

Review-Url: https://codereview.chromium.org/2103153003
Cr-Commit-Position: refs/heads/master@{#402872}

[modify] https://crrev.com/a6fc996adfc9a973536804fb1dcd28c24da84a80/chrome/app/generated_resources.grd
[modify] https://crrev.com/a6fc996adfc9a973536804fb1dcd28c24da84a80/chrome/browser/chrome_content_browser_client.cc

> Having the field trial control the parameters of lockdown allows us to measure accurately the stability of the feature, and this was a deliberate design decision.

Ok well I still think it's counterintuitive since there's a "Default" setting but I accept.

> Restrict PPAPI Win32k lockdown to Win10 and above.

It would be helpful if someone somewhere explained why (like in the commit message).

> This patch restricts enabling Win32k lockdown for PPAPI processes to Windows 10 and above.

This is just saying the same thing twice.  IMO it should instead tell me why that choice was made (e.g. doesn't work, security considerations, etc).
Cc: -cpu@chromium.org
Status: Fixed
Marking as fixed as M56 no longer provides a separate option to disable PPAPI Win32k lockdown.