Use of RELOCATE_IMAGE, RELOCATE_IMAGE_REQUIRED and WIN32K_DISABLE mitigations are unclear |
||
Issue descriptionSome of the mitigations described in sandbox_policy.h and security_level.h have extra constraints that aren't listed there, so if they're applied blindly then sandbox setup may fail. The extra steps needed should be documented: (1) MITIGATION_RELOCATE_IMAGE and MITIGATION_RELOCATE_IMAGE_REQUIRED don't work in debug builds. (If they are both set, SpawnTarget returns SBOX_ERROR_GENERIC. I haven't tried setting just one of the two.) process_mitigations_test.cc contains comments implying they shouldn't work in debug builds at all: #if defined(NDEBUG) // ASLR cannot be forced in debug builds. mitigations |= MITIGATION_RELOCATE_IMAGE | MITIGATION_RELOCATE_IMAGE_REQUIRED; #endif But in my testing, there are no errors setting them with SetDelayedProcessMitigations in a debug build. To summarize: Release build: SetProcessMitigations: SpawnTarget succeeds SetProcessDelayedMitigations: SpawnTarget succeeds Debug build: SetProcessMitigations: SpawnTarget returns SBOX_ERROR_GENERIC SetProcessDelayedMitigations: SpawnTarget succeeds CanSetProcessMitigationsPostStartup lists RELOCATE_IMAGE and RELOCATE_IMAGE_REQUIRED as mitigations that can be applied post-startup, so it seems like adding it with SetDelayedProcessMitigations should work. But the comment in the test implies that in a debug build it shouldn't work at all, so I'm not sure if it's actually doing anything in this case. Also, wfh notes: "FWIW we don't seem to use either MITIGATION_RELOCATE_IMAGE or MITIGATION_RELOCATE_IMAGE_REQUIRED in the content sandbox right now. I'd have to dig in the history to work out why but my guess would be that they have been superceded by other mitigations we use instead, for example high entropy ASLR." So, we should do one or both of: (a) find out whether these two mitigations will actually work in a debug build if applied with SetProcessDelayedMitigations, and if so, add test this in the ProcessMitigationsTest.CheckWin8 unit test; or (b) decide that these two mitigations are deprecated and what should be used instead. And whatever is decided, document it in the header. (2) IF MITIGATION_WIN32K_DISABLE is used on a target process linked to user32.dll or gdi32.dll, ResumeThread will fail with an error message: "The application was unable to start correctly (0xc0000142)." The root cause and workaround are described in http://docs/document/u/1/d/1gJDlk-9xkh6_8M_awrczWCaUuyr0Zd2TKjNBCiPO_G4/mobilebasic#h.ac29fdlvzgvf: policy->AddRule(sandbox::SUBSYS_WIN32K_LOCKDOWN, sandbox::FAKE_USER_GDI_INIT, nullptr); This should be documented in the header.
,
Sep 28 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/861e256723897757ff2023c0755524d0b7bbfb3e commit 861e256723897757ff2023c0755524d0b7bbfb3e Author: joenotcharles <joenotcharles@chromium.org> Date: Wed Sep 28 01:12:20 2016 Add header comments documenting extra constraints for some sandbox mitigations: MITIGATION_RELOCATE_IMAGE and MITIGATION_RELOCATE_IMAGE_REQUIRED don't work in Debug builds, and MITIGATION_WIN32K_DISABLE often requires the FAKE_USER_GDI_INIT rule as well. BUG= 649827 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win10_chromium_x64_rel_ng Review-Url: https://codereview.chromium.org/2369563002 Cr-Commit-Position: refs/heads/master@{#421410} [modify] https://crrev.com/861e256723897757ff2023c0755524d0b7bbfb3e/sandbox/win/src/process_mitigations_test.cc [modify] https://crrev.com/861e256723897757ff2023c0755524d0b7bbfb3e/sandbox/win/src/security_level.h
,
Apr 19 2018
Hey Joe, is this ticket done? I'm going to close it down. Feel free to reopen or new ticket. |
||
►
Sign in to add a comment |
||
Comment 1 by penny...@chromium.org
, Sep 23 2016