Update TargetNtSetInformationThread to match chromium and hook NtImpersonateAnonymousToken to block before LowerToken
Categories
(Core :: Security: Process Sandboxing, enhancement, P1)
| | Tracking | Status |
|---|---|---|
| firefox117 | --- | fixed |
People
(Reporter: bobowen, Assigned: bobowen)
Attachments (2 files)
We have an older version of the chromium process sandbox code for the NtSetInformationThread hook TargetNtSetInformationThread.
There is some suspicion that this older version might be causing us to have an incorrect impersonation token in some circumstances, which might be causing bug 1825290.
We have this older version because we use non-restricted tokens when we are running from a network drive, because they automatically block access and our DLLs fail to load.
This means that during CoInitializeSecurity a call to NtImpersonateAnonymousToken is not blocked like it is for restricted tokens, and without the older TargetNtSetInformationThread code we block the call that sets our impersonation token back on the main thread.
This is all a bit fortunate, because the RevertToSelf call that is supposed to revert the anonymous logon token in CoInitializeSecurity fails and it is only because there is a later call to resume the impersonation further up the stack that saves us.
A better solution should be to block NtImpersonateAnonymousToken before LowerToken is called in the same way that it is with a restricted token.
We can then have the latest version of TargetNtSetInformationThread, which blocks all impersonation token sets.
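The ordering argument in the description, as an added example that is not Firefox or Chromium code: a Windows-free model of the two interceptions, with a constructed thread state and a constructed CoInitializeSecurity-style sequence (impersonate anonymous, then RevertToSelf). The middle policy, where only the token sets are swallowed, is there to show why NtImpersonateAnonymousToken has to be blocked before the newer TargetNtSetInformationThread can be used; the status codes and the ThreadImpersonationToken class value are the NT definitions.

```c
/* Added example, not code from Firefox or Chromium: a host-independent model of
 * the two sandbox interceptions discussed in the bug. Status codes and the
 * ThreadImpersonationToken class value are the NT definitions; the thread
 * state, the policies and the call sequence are constructed for illustration. */
#include <stdint.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022)
#define ThreadImpersonationToken 5   /* THREADINFOCLASS value */

/* Impersonation token currently on the thread; TOKEN_NONE means the thread is
 * not impersonating and runs as the process token ("self"). */
enum token { TOKEN_NONE = 0, TOKEN_ANONYMOUS };
enum policy {
  POLICY_NONE,       /* no hooks: what a non-restricted token gets from the kernel */
  POLICY_SETS_ONLY,  /* newer TargetNtSetInformationThread alone: every set swallowed */
  POLICY_FULL        /* anonymous impersonation denied AND every token set swallowed */
};
static enum token g_thread_token;
static enum policy g_policy;

/* Hook for NtImpersonateAnonymousToken: deny it before the kernel sees it,
 * which is what a restricted token already gets without a hook. */
static NTSTATUS hooked_impersonate_anonymous(void) {
  if (g_policy == POLICY_FULL) return STATUS_ACCESS_DENIED;
  g_thread_token = TOKEN_ANONYMOUS;                  /* original syscall */
  return STATUS_SUCCESS;
}

/* Hook for NtSetInformationThread: for ThreadImpersonationToken report success
 * without touching the thread, as the newer hook does for all token sets. */
static NTSTATUS hooked_set_information_thread(int info_class, enum token tok) {
  if (g_policy != POLICY_NONE && info_class == ThreadImpersonationToken)
    return STATUS_SUCCESS;
  if (info_class == ThreadImpersonationToken) g_thread_token = tok; /* original */
  return STATUS_SUCCESS;
}

/* Constructed CoInitializeSecurity-style sequence: impersonate the anonymous
 * logon, then RevertToSelf (a ThreadImpersonationToken set of NULL).
 * Returns the token the thread is left holding afterwards. */
enum token run_coinit_sequence(enum policy p) {
  g_policy = p;
  g_thread_token = TOKEN_NONE;
  (void)hooked_impersonate_anonymous();              /* result ignored, as in the bug */
  (void)hooked_set_information_thread(ThreadImpersonationToken, TOKEN_NONE);
  return g_thread_token;
}
```

With only the newer set-swallowing hook in place, the thread is left holding the anonymous token after the revert; blocking the anonymous impersonation first keeps the thread on its own token throughout.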
Comment 1•2 years ago (Assignee)
This also reverts the change to TargetNtSetInformationThread.
Comment 2•2 years ago (Assignee)
Depends on D181611
Comment 3•2 years ago (Assignee)
Comment 5•2 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/429ad02d111c
https://hg.mozilla.org/mozilla-central/rev/3afcc1296ba1