Enable CIG (= Code Integrity Guard) in RDD process before process creation
Categories
(Firefox :: Launcher Process, enhancement, P3)
Tracking
()
People
(Reporter: toshi, Assigned: toshi)
References
(Blocks 1 open bug)
Details
Attachments
(1 file, 1 obsolete file)
Currently we enable CIG in RDD (and Socket) process after process creation. This bug is to track a project to enable CIG before process creation.
|
Assignee | |
Comment 1•4 years ago
|
||
On top of Automatic CIG bypassing and Automatic entrypoint redirection (Bug 1659438),
we can enable CIG in the RDD process without breaking process launch.
This patch also excludes modules in the directory containing the executable
from CIG as the process needs to load our modules such as mozglue.dll.
Depends on D88359
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 2•4 years ago
|
||
This patch enables pre-spawn CIG in the RDD process.
If CIG prevents a module in the executable's Import Directory Table, Windows totally
fails to launch a process. So we add a policy rule of SUBSYS_SIGNED_BINARY for
all files under the directory containing the executable such as mozglue.dll, and
modules injected via Import Directory Table. The latter ones will be blocked by our
blocklist with REDIRECT_TO_NOOP_ENTRYPOINT.
Pushed by cbrindusan@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9df12e4b7a00 Enable pre-spawn CIG in RDD. r=bobowen
|
||
Comment 4•4 years ago
|
||
| bugherder | ||
|
||
Comment 5•3 years ago
|
||
This was backed out from Beta85 in bug 1682834. It remains enabled for 86+ at this time.
https://hg.mozilla.org/releases/mozilla-beta/rev/7de611ce368d
Description
•