Security: Block GPU Process Opening Renderer Processes
Issue description
This is a tracking bug to block the route from GPU to privileged renderer being used in a chain to escape the Chrome sandbox. It's similar to 390785 but, as my implementation won't block normal low-IL processes, I felt it was better to create a new issue. I'm aiming to at least block the GPU process (or any process with a restricted token without the user's SID) from accessing renderer processes. It would be possible to generically block all processes from accessing Chrome processes but that would likely cause significant
Mar 22 2016
Comment 1 by forshaw@chromium.org, Mar 22 2016
Description of the problem: The GPU process is created with the USER_LIMITED token level. This has the RESTRICTED SID as one of its restricted SIDs. In GetRestrictedToken this RESTRICTED SID is also added to the default DACL of the new token, which is the DACL used when creating the process and the initial thread. This means that, as the User SID matches a full-access ACE and so does a restricted SID, it gives the GPU process full access to the process, even if it's a privileged renderer. In theory starting with Medium IL fixes the problem for the initial process and thread, but once the IL is dropped all subsequent threads have Untrusted IL, which means the GPU process can open them. It's not as nice as having process access but it would be exploitable. The fix I'm proposing is we remove the RESTRICTED SID addition to the default DACL for renderers. We also want to remove the Logon SID which is there by default as, while that only gives read access, that might be enough to leak something important like cookies which the GPU process might be able to abuse. We don't need to worry about the default OWNER rights (WRITE_DAC/READ_CONTROL) as that's also checked against the DACL.
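The access-check reasoning in comment 1, worked through as an added example (not code from the Chromium tree): a simplified Python model of how Windows evaluates a restricted token against a DACL, run against a renderer default DACL built the old way (user, RESTRICTED SID and logon SID) and against one built after the fix. The SID values, the "read" mask and the use of a single restricting SID are constructed assumptions; the real kernel check also involves integrity levels, owner rights and generic-right mapping.

```python
from dataclasses import dataclass

# Real Win32 process access bits; READ_ACCESS is a constructed "read-only" subset.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_ALL_ACCESS = 0x1FFFFF
READ_ACCESS = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION

RESTRICTED_SID = "S-1-5-12"                # well-known NT AUTHORITY\RESTRICTED
USER_SID = "S-1-5-21-1000-2000-3000-1001"  # constructed logged-on user SID
LOGON_SID = "S-1-5-5-0-424242"             # constructed logon-session SID

@dataclass(frozen=True)
class Ace:
    sid: str
    mask: int
    allow: bool = True

def dacl_grants(sids, dacl, desired):
    """One DACL walk: deny ACEs match on first hit, allow ACEs accumulate."""
    granted = 0
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if ace.allow:
            granted |= ace.mask & desired
            if granted == desired:
                return True
        elif ace.mask & desired & ~granted:
            return False
    return granted == desired

def restricted_token_grants(user, groups, restricting, dacl, desired):
    """A restricted token passes only if the normal check (user + groups)
    AND a second check using just the restricting SIDs both succeed."""
    return (dacl_grants({user, *groups}, dacl, desired)
            and dacl_grants(set(restricting), dacl, desired))

# Renderer default DACL as GetRestrictedToken built it (comment 1): user full,
# RESTRICTED SID full, logon SID read.  After the fix only the user remains.
RENDERER_DACL_BEFORE = [Ace(USER_SID, PROCESS_ALL_ACCESS),
                        Ace(RESTRICTED_SID, PROCESS_ALL_ACCESS),
                        Ace(LOGON_SID, READ_ACCESS)]
RENDERER_DACL_AFTER = [Ace(USER_SID, PROCESS_ALL_ACCESS)]

def gpu_can_open_renderer(renderer_dacl, desired=PROCESS_ALL_ACCESS):
    """GPU token (assumed): same user, logon SID in groups, RESTRICTED as restricting SID."""
    return restricted_token_grants(USER_SID, [LOGON_SID], [RESTRICTED_SID],
                                   renderer_dacl, desired)
```

With the old DACL both passes succeed because the user SID and the RESTRICTED SID each match a full-access ACE; with the locked-down DACL the restricting-SID pass finds no matching ACE and access is denied.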
Apr 1 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/cfcbe0af3076ba9c23d65bbc92d63e74c7188759

commit cfcbe0af3076ba9c23d65bbc92d63e74c7188759
Author: forshaw <forshaw@chromium.org>
Date: Fri Apr 01 08:45:18 2016

Added a policy option to restrict the default DACL for tokens.

This patch modified the way the default DACL is calculated for new restricted tokens to remove certain rights. This blocks processes from being able to open other processes at the same or lower security level.

BUG=596862
Review URL: https://codereview.chromium.org/1821193002
Cr-Commit-Position: refs/heads/master@{#384522}

[modify] https://crrev.com/cfcbe0af3076ba9c23d65bbc92d63e74c7188759/sandbox/win/BUILD.gn
[modify] https://crrev.com/cfcbe0af3076ba9c23d65bbc92d63e74c7188759/sandbox/win/sandbox_win.gypi
[modify] https://crrev.com/cfcbe0af3076ba9c23d65bbc92d63e74c7188759/sandbox/win/src/acl.cc
[modify] https://crrev.com/cfcbe0af3076ba9c23d65bbc92d63e74c7188759/sandbox/win/src/acl.h
[modify] https://crrev.com/cfcbe0af3076ba9c23d65bbc92d63e74c7188759/sandbox/win/src/restricted_token.cc
[modify] https://crrev.com/cfcbe0af3076ba9c23d65bbc92d63e74c7188759/sandbox/win/src/restricted_token.h
[add] https://crrev.com/cfcbe0af3076ba9c23d65bbc92d63e74c7188759/sandbox/win/src/restricted_token_test.cc
[modify] https://crrev.com/cfcbe0af3076ba9c23d65bbc92d63e74c7188759/sandbox/win/src/restricted_token_unittest.cc
[modify] https://crrev.com/cfcbe0af3076ba9c23d65bbc92d63e74c7188759/sandbox/win/src/restricted_token_utils.cc
[modify] https://crrev.com/cfcbe0af3076ba9c23d65bbc92d63e74c7188759/sandbox/win/src/restricted_token_utils.h
[modify] https://crrev.com/cfcbe0af3076ba9c23d65bbc92d63e74c7188759/sandbox/win/src/sandbox_policy.h
[modify] https://crrev.com/cfcbe0af3076ba9c23d65bbc92d63e74c7188759/sandbox/win/src/sandbox_policy_base.cc
[modify] https://crrev.com/cfcbe0af3076ba9c23d65bbc92d63e74c7188759/sandbox/win/src/sandbox_policy_base.h
Apr 1 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/329ab2d697eb8b8968a5451728a75a8e1d85532a

commit 329ab2d697eb8b8968a5451728a75a8e1d85532a
Author: forshaw <forshaw@chromium.org>
Date: Fri Apr 01 18:14:17 2016

Enable default DACL lockdown for sandboxed processes.

This patch enables the default DACL lockdown when creating sandboxed processes.

BUG=596862
Review URL: https://codereview.chromium.org/1846813003
Cr-Commit-Position: refs/heads/master@{#384631}

[modify] https://crrev.com/329ab2d697eb8b8968a5451728a75a8e1d85532a/content/common/sandbox_win.cc
Apr 1 2016
Apr 1 2016
Apr 18 2016
Issue 390785 has been merged into this issue.
Jul 9 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016