Status: Assigned
OS: Windows
Pri: 2
Type: Feature

[Windows Sandbox] Enable new process mitigations
Project Member Reported by penny...@chromium.org, Jul 31
New ticket to track a chunk of mitigation updates.  I'll keep this description updated.

1) MITIGATION_FORCE_MS_SIGNED_BINS post-startup.
 
Project Member Comment 1 by bugdroid1@chromium.org, Aug 8
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9e9ae5c744fa28bd50a3e7bb18d4f51016e560a2

commit 9e9ae5c744fa28bd50a3e7bb18d4f51016e560a2
Author: Penny MacNeil <pennymac@chromium.org>
Date: Tue Aug 08 01:35:38 2017

[Windows Sandbox] MS-signed binaries only, post-startup.

Enable MITIGATION_FORCE_MS_SIGNED_BINS post-startup (after warmup) on
all sandboxed child processes.  Any third-party modules must be loaded
at process startup.

Also includes a temporary emergency off switch. "WinSboxForceMsSigned" can be used on the command line to disable the block.

(Aside: this CL also removes the old emergency off switch around MITIGATION_EXTENSION_POINT_DISABLE - for child processes.)

TEST= sbox_integration_tests.exe, ProcessMitigationsTest.*
BUG=750886

Change-Id: I638aebade28ff42743b07d885dff8230a1e25c49
Reviewed-on: https://chromium-review.googlesource.com/596677
Commit-Queue: Penny MacNeil <pennymac@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#492495}
[modify] https://crrev.com/9e9ae5c744fa28bd50a3e7bb18d4f51016e560a2/content/common/sandbox_win.cc
[modify] https://crrev.com/9e9ae5c744fa28bd50a3e7bb18d4f51016e560a2/content/public/common/content_features.cc
[modify] https://crrev.com/9e9ae5c744fa28bd50a3e7bb18d4f51016e560a2/content/public/common/content_features.h

First hit canary in M62, branch 3180, 08 Aug 2017. (62.0.3180.x)
Here are the steps I used on Chrome Dev channel 62 since Beta was still on release 61. 

Start ZoomText 11.5.110.410 (64-bit) - I used Zoom Level 2.25
Start Google Chrome 62.0.3202.9 (Official Build) dev (64-bit) (cohort: Dev)
Fonts appear to be smooth, no anomalies seen. 
Note the following messages appeared. I didn't follow any of the instructions except opening ZoomText first for this specific test. 

https://screenshot.googleplex.com/DpyYfTXMJqd.png
https://screenshot.googleplex.com/ZQ66oHGEqKh.png