Open Bug 1783669 Opened 2 years ago Updated 1 year ago

Use Less Privileged App Container (LPAC) for sandboxing

Categories: Core :: Security: Process Sandboxing, enhancement, P3
Platform: Unspecified, Windows


People: Reporter: gcp, Unassigned


From the Chromium docs:
"An extension of the App Container (see above) available on later versions of Windows 10 (RS2 and greater), the Less Privileged App Container (LPAC) runs at a lower privilege level than normal App Container, with access granted by default to only those kernel, filesystem and registry objects marked with the ALL RESTRICTED APPLICATION PACKAGES or a specific package SID. This is opposed to App Container which uses ALL APPLICATION PACKAGES."

See Also: → 1782336
Severity: -- → S3
Priority: -- → P3

I think Firefox could also use LPAC on content processes, the same as Edge and IE with Enhanced Protected Mode.

Depends on: 1793966

> I think Firefox could also use LPAC on content processes

This is probably possible, but less of a priority compared to other hardening work. LPAC was more valuable for processes that couldn't tolerate the strictest sandbox (which is already used on content processes).

> the same as Edge and IE with Enhanced Protected Mode.

IE "enhanced protected mode" predates LPAC, AFAIK, so that can't be it? And AFAIK, Edge "Enhanced Security Mode" is about disabling JIT (and then enabling everything like CFG/ACG that doesn't work with a JIT). Do you have a source that they're using LPAC for content in Edge right now?

(In reply to Gian-Carlo Pascutto [:gcp] from comment #2)

> the same as Edge and IE with Enhanced Protected Mode.

> IE "enhanced protected mode" predates LPAC, AFAIK, so that can't be it? And AFAIK, Edge "Enhanced Security Mode" is about disabling JIT (and then enabling everything like CFG/ACG that doesn't work with a JIT). Do you have a source that they're using LPAC for content in Edge right now?

On my computer (Windows 10 Enterprise LTSC 2021 x64), when IE has Protected Mode disabled, content processes have "Medium" integrity; when it is enabled, content processes have "AppContainer" integrity. And yes, Edge "Enhanced Security Mode" is not relevant to LPAC, and content processes always have "AppContainer" integrity.
In Process Explorer (by Sysinternals), enable the "Integrity Level" column to see what integrity level each process has.

> content processes have "Medium" integrity; when it is enabled, content processes have "AppContainer" integrity

We've been at "Low" integrity (which is a stricter sandbox) since bug 928062. That's why I said in comment 2 that this wasn't a priority for those processes, and more useful for those that don't tolerate "Low" (apparently IE did not get that working).

(In reply to Tom25519 from comment #3)
> ...

> On my computer (Windows 10 Enterprise LTSC 2021 x64), when IE has Protected Mode disabled, content processes have "Medium" integrity; when it is enabled, content processes have "AppContainer" integrity. And yes, Edge "Enhanced Security Mode" is not relevant to LPAC, and content processes always have "AppContainer" integrity.
> In Process Explorer (by Sysinternals), enable the "Integrity Level" column to see what integrity level each process has.

At the moment Edge appears to be using LowBox tokens for their renderer processes; this uses the older configuration in the Chromium sandbox code, which I think was present before the AppContainer configuration (used by the other processes that are using LPAC) was added.
So I don't think it is using an LPAC.
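An added example, not code from Firefox, Chromium, Edge or this bug, that does from a script what comment 3 does with Process Explorer's "Integrity Level" column and what comment 5 does by inspecting the token type: for every process with a given image name it prints the mandatory integrity level, whether the token is an AppContainer (LowBox) token, and whether the token carries the WIN://NOALLAPPPKG security attribute, which is assumed here to be the marker that distinguishes a Less Privileged AppContainer from a plain one. The TokenProbe and TokenInfo classes, the $Image parameter and its default are this example's own.

```powershell
# Added example; not code from Firefox, Chromium, Edge or this bug.
# Prints integrity level, AppContainer (LowBox) status and the assumed LPAC marker
# attribute WIN://NOALLAPPPKG for every process with the given image name.
# Run from an elevated PowerShell so the browser's sandboxed processes can be opened.
param([string]$Image = 'firefox')   # image name without .exe; hypothetical default

Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public class TokenInfo
{
    public int Pid;
    public string Integrity;   // Untrusted / Low / Medium / High / System, from the label SID RID
    public bool AppContainer;  // TokenIsAppContainer: true for any LowBox (AppContainer) token
    public bool Lpac;          // token carries WIN://NOALLAPPPKG (assumed LPAC marker)
}

public static class TokenProbe
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);

    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint TOKEN_QUERY = 0x0008;
    // TOKEN_INFORMATION_CLASS values
    const int TokenIntegrityLevel = 25, TokenIsAppContainer = 29, TokenSecurityAttributes = 39;

    // Two-call query: the first call sizes the buffer, the second fills it. Caller frees it.
    static IntPtr Query(IntPtr token, int cls)
    {
        int len;
        GetTokenInformation(token, cls, IntPtr.Zero, 0, out len);
        IntPtr buf = Marshal.AllocHGlobal(len);
        if (!GetTokenInformation(token, cls, buf, len, out len)) { Marshal.FreeHGlobal(buf); throw new Win32Exception(); }
        return buf;
    }

    // Mandatory label RIDs: 0x0000 Untrusted, 0x1000 Low, 0x2000 Medium, 0x3000 High, 0x4000 System.
    public static string IntegrityName(int rid)
    {
        if (rid < 0x1000) return "Untrusted";
        if (rid < 0x2000) return "Low";
        if (rid < 0x3000) return "Medium";
        if (rid < 0x4000) return "High";
        return "System";
    }

    // Walk the CLAIM_SECURITY_ATTRIBUTES_INFORMATION for TokenSecurityAttributes looking for a name.
    // Offsets follow the V1 layout for the current pointer size; an unqueryable token reports false.
    static bool HasAttribute(IntPtr token, string name)
    {
        IntPtr info;
        try { info = Query(token, TokenSecurityAttributes); } catch (Win32Exception) { return false; }
        try
        {
            int p = IntPtr.Size;
            int count = Marshal.ReadInt32(info, 4);       // AttributeCount, after Version + Reserved
            IntPtr attr = Marshal.ReadIntPtr(info, 8);    // pAttributeV1
            int valuesOff = ((p + 12) + p - 1) / p * p;   // Name, ValueType, Reserved, Flags, ValueCount, then aligned Values
            int stride = valuesOff + p;                   // sizeof(CLAIM_SECURITY_ATTRIBUTE_V1)
            for (int i = 0; i < count; i++)
                if (Marshal.PtrToStringUni(Marshal.ReadIntPtr(attr, i * stride)) == name) return true;
            return false;
        }
        finally { Marshal.FreeHGlobal(info); }
    }

    public static TokenInfo Describe(int pid)
    {
        IntPtr proc = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (proc == IntPtr.Zero) throw new Win32Exception();
        IntPtr token = IntPtr.Zero;
        try
        {
            if (!OpenProcessToken(proc, TOKEN_QUERY, out token)) throw new Win32Exception();
            // TOKEN_MANDATORY_LABEL starts with SID_AND_ATTRIBUTES, whose first field is the SID pointer.
            IntPtr label = Query(token, TokenIntegrityLevel);
            string sid = new SecurityIdentifier(Marshal.ReadIntPtr(label)).Value;   // e.g. S-1-16-4096
            Marshal.FreeHGlobal(label);
            int rid = int.Parse(sid.Substring(sid.LastIndexOf('-') + 1));
            IntPtr ac = Query(token, TokenIsAppContainer);   // DWORD, non-zero for an AppContainer token
            bool isAc = Marshal.ReadInt32(ac) != 0;
            Marshal.FreeHGlobal(ac);
            return new TokenInfo { Pid = pid, Integrity = IntegrityName(rid), AppContainer = isAc,
                                   Lpac = isAc && HasAttribute(token, "WIN://NOALLAPPPKG") };
        }
        finally { if (token != IntPtr.Zero) CloseHandle(token); CloseHandle(proc); }
    }
}
'@

Get-Process -Name $Image -ErrorAction Stop | ForEach-Object {
    $p = $_
    try { [TokenProbe]::Describe($p.Id) } catch { Write-Warning ("pid {0}: {1}" -f $p.Id, $_.Exception.Message) }
} | Format-Table Pid, Integrity, AppContainer, Lpac -AutoSize
```

Process Explorer displays "AppContainer" in its Integrity Level column for a LowBox token even though the token's label SID is the Low one (S-1-16-4096), so the table keeps the two apart: a plain AppContainer token of the kind comment 5 describes for Edge's renderers shows Low with AppContainer true and Lpac false, and a process created with the LPAC opt-out would add true in the last column. TokenIsAppContainer alone cannot separate the two, which is why the attribute check is needed.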
