Closed Bug 1511438 Opened 6 years ago Closed 5 years ago

add win32k lockdown to Win RDD sandbox

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

Product:
Core
Component:
Security: Process Sandboxing
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla67
Tracking Flags:
Tracking Status
firefox67 --- fixed

People

(Reporter: mjf, Assigned: bobowen)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

Part 1: Replace ProcessTypeRequiresWinEventHook with XRE_Win32kCallsAllowed
3.58 KB, patch
froydnj
: review+
Details | Diff | Splinter Review
Part 2: Enable win32k lockdown on RDD process
8.53 KB, patch
jimm
: review+
Details | Diff | Splinter Review 
From comment 20 from Bug 1498624 [1]:
SUBSYS_WIN32K_LOCKDOWN (similar to GMP's sandbox) should be added to the Win RDD sandbox.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1498624#c20
Priority: -- → P3

First thing that strikes me is that using the child UI loop (same as GPU) is the first problem.

Assignee: nobody → bobowencode
Status: NEW → ASSIGNED
Priority: P3 → P1

Try push with just debug failures for broken COM initialization, that I don't think we need:
https://treeherder.mozilla.org/#/jobs?repo=try&selectedJob=223579188&revision=f154121a3af0123f9c0db03e6ce61768c457d880

Another media test one with that COM initialization removed:
https://treeherder.mozilla.org/#/jobs?repo=try&selectedJob=223579188&revision=1fde80cb5da233a6552e6628b26bc5133911c6db

ProcessTypeRequiresWinEventHook was added when attempting to turn on win32k
lockdown for GMP processes. Having a less specific, but globally accessible,
function will make it more useful while applying win32k lockdown to other
process types.
Attachment #9039102 - Flags: review?(nfroyd)
This stops the use of some win32k calls during start-up that will fail and in some cases cause a crash.

It also moves the MITIGATION_DYNAMIC_CODE_DISABLE to be enabled after start-up.
This is required because the hooks to fake the user32 and gdi32 initialization
are applied as the DLLs load and the dynamic code disable blocks that.
Attachment #9039103 - Flags: review?(jyavenard)
Attachment #9039103 - Flags: review?(jmathies)
Attachment #9039102 - Flags: review?(nfroyd) → review+
Attachment #9039103 - Flags: review?(jmathies) → review+
Comment on attachment 9039103 [details] [diff] [review]
Part 2: Enable win32k lockdown on RDD process

Review of attachment 9039103 [details] [diff] [review]:
-----------------------------------------------------------------

Don't know enough about this code to review it
Attachment #9039103 - Flags: review?(jyavenard)

(In reply to Jean-Yves Avenard [:jya] from comment #5)

Comment on attachment 9039103 [details] [diff] [review]
Part 2: Enable win32k lockdown on RDD process

Review of attachment 9039103 [details] [diff] [review]:

Don't know enough about this code to review it

Sorry, that's why I added in jimm as well to cover the Windows widget stuff.

I should have made it clear, basically I'm asking if you are OK for me to land this on Fx67 after the merge?

Flags: needinfo?(jyavenard)

Sure, as it doesn't impact usage and working of the RDD

Flags: needinfo?(jyavenard)
Pushed by bobowencode@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3a9c07fcc2eb
Part 1: Replace ProcessTypeRequiresWinEventHook with XRE_Win32kCallsAllowed. r=froydnj
https://hg.mozilla.org/integration/mozilla-inbound/rev/55a7c08b3b67
Part 2: Enable win32k lockdown on RDD process. r=jimm
Blocks: AV1

https://hg.mozilla.org/mozilla-central/rev/3a9c07fcc2eb
https://hg.mozilla.org/mozilla-central/rev/55a7c08b3b67

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox67: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: