1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
|
// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "sandbox/policy/features.h"
#include "base/feature_list.h"
#include "build/build_config.h"
#include "sandbox/features.h"
#if BUILDFLAG(IS_WIN)
#include "base/win/windows_version.h"
#endif
namespace sandbox::policy::features {
#if !BUILDFLAG(IS_MAC) && !BUILDFLAG(IS_FUCHSIA)
// Enables network service sandbox.
// (Only causes an effect when feature kNetworkServiceInProcess is disabled.)
BASE_FEATURE(kNetworkServiceSandbox,
"NetworkServiceSandbox",
base::FEATURE_DISABLED_BY_DEFAULT);
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
// Enables a fine-grained seccomp-BPF syscall filter for the network service.
// Only has an effect if IsNetworkSandboxEnabled() returns true.
// If the network service sandbox is enabled and |kNetworkServiceSyscallFilter|
// is disabled, a seccomp-BPF filter will still be applied but it will not
// disallow any syscalls.
BASE_FEATURE(kNetworkServiceSyscallFilter,
"NetworkServiceSyscallFilter",
base::FEATURE_ENABLED_BY_DEFAULT);
// Enables a fine-grained file path allowlist for the network service.
// Only has an effect if IsNetworkSandboxEnabled() returns true.
// If the network service sandbox is enabled and |kNetworkServiceFileAllowlist|
// is disabled, a file path allowlist will still be applied, but the policy will
// allow everything.
BASE_FEATURE(kNetworkServiceFileAllowlist,
"NetworkServiceFileAllowlist",
base::FEATURE_ENABLED_BY_DEFAULT);
#endif // BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
#endif // !BUILDFLAG(IS_MAC) && !BUILDFLAG(IS_FUCHSIA)
#if BUILDFLAG(IS_WIN)
// Experiment for Windows sandbox security mitigation,
// sandbox::MITIGATION_EXTENSION_POINT_DISABLE.
BASE_FEATURE(kWinSboxDisableExtensionPoints,
"WinSboxDisableExtensionPoint",
base::FEATURE_DISABLED_BY_DEFAULT);
// Enables Print Compositor Low Privilege AppContainer. Note, this might be
// overridden and disabled by policy.
BASE_FEATURE(kPrintCompositorLPAC,
"PrintCompositorLPAC",
base::FEATURE_DISABLED_BY_DEFAULT);
// Enables Renderer AppContainer
BASE_FEATURE(kRendererAppContainer,
"RendererAppContainer",
base::FEATURE_DISABLED_BY_DEFAULT);
// If enabled, launch the network service within an LPAC sandbox. If disabled,
// the network service will run inside an App Container.
BASE_FEATURE(kWinSboxNetworkServiceSandboxIsLPAC,
"WinSboxNetworkServiceSandboxIsLPAC",
base::FEATURE_DISABLED_BY_DEFAULT);
// If enabled, always launch the renderer process with Code Integrity Guard
// enabled, regardless of the local policy configuration. If disabled, then
// policy is respected. This acts as an emergency "off switch" for the
// deprecation of the RendererCodeIntegrityEnabled policy.
BASE_FEATURE(kWinSboxForceRendererCodeIntegrity,
"WinSboxForceRendererCodeIntegrity",
base::FEATURE_ENABLED_BY_DEFAULT);
// If enabled, modifies the child's PEB to stop further application of
// appcompat in the child. Does not affect the browser or unsandboxed
// processes. The feature has no effect for WOW (32bit on 64bit) installs.
BASE_FEATURE(kWinSboxZeroAppShim,
"WinSboxZeroAppShim",
base::FEATURE_ENABLED_BY_DEFAULT);
// Enables pre-launch Code Integrity Guard (CIG) for Chrome network service
// process, when running on Windows 10 1511 and above. This has no effect if
// NetworkServiceSandbox feature is disabled, or if using a component or ASAN
// build. See https://blogs.windows.com/blog/tag/code-integrity-guard/.
BASE_FEATURE(kNetworkServiceCodeIntegrity,
"NetworkServiceCodeIntegrity",
base::FEATURE_DISABLED_BY_DEFAULT);
// Run win32k lockdown without applying the interceptions to fake out the
// dllmain of gdi32 and user32. With this feature enabled, processes with
// win32k lockdown policy will fail to load gdi32.dll and user32.dll.
// TODO(crbug.com/326277735) this feature is under development and not
// completely supported in every process type, may cause delayload failures.
BASE_FEATURE(kWinSboxNoFakeGdiInit,
"WinSboxNoFakeGdiInit",
base::FEATURE_DISABLED_BY_DEFAULT);
// Enables Restrict Core Sharing mitigation for the renderer process, when
// running Windows 11 Build 26100 (24H2) and above. See param definition of
// RestrictCoreSharing in
// https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-
// process_mitigation_side_channel_isolation_policy
BASE_FEATURE(kWinSboxRestrictCoreSharingOnRenderer,
"WinSboxRestrictCoreSharingOnRenderer",
base::FEATURE_DISABLED_BY_DEFAULT);
// Enables parallel process launching using the thread pool. Flag retained
// as a kill-switch.
BASE_FEATURE(kWinSboxParallelProcessLaunch,
"WinSboxParallelProcessLaunch",
base::FEATURE_ENABLED_BY_DEFAULT);
// Enables Csrss lockdown in supported processes by closing all ALPC
// ports before sandbox lockdown. See crbug.com/40408399 for details.
BASE_FEATURE(kEnableCsrssLockdown,
"EnableCsrssLockdown",
base::FEATURE_DISABLED_BY_DEFAULT);
// Filters most environment variables out for kService and kServiceWithJit
// sandboxed processes. Flag retained as a kill-switch.
BASE_FEATURE(kWinSboxFilterServiceEnvironment,
"WinSboxFilterServiceEnvironment",
base::FEATURE_ENABLED_BY_DEFAULT);
#endif // BUILDFLAG(IS_WIN)
#if BUILDFLAG(IS_CHROMEOS)
// Controls whether the Spectre variant 2 mitigation is enabled. We use a USE
// flag on some Chrome OS boards to disable the mitigation by disabling this
// feature in exchange for system performance.
BASE_FEATURE(kSpectreVariant2Mitigation,
"SpectreVariant2Mitigation",
base::FEATURE_ENABLED_BY_DEFAULT);
#endif // BUILDFLAG(IS_CHROMEOS)
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
// Increase the renderer sandbox memory limit. As of 2023, there are no limits
// on macOS, and a 1TiB limit on Windows. There are reports of users bumping
// into the limit. This increases the limit by 2x compared to the default
// state. We are not increasing it all the way as on Windows as Linux systems
// typically ship with overcommit, so there is no "commit limit" to save us
// from egregious cases as on Windows.
BASE_FEATURE(kHigherRendererMemoryLimit,
"HigherRendererMemoryLimit",
base::FEATURE_DISABLED_BY_DEFAULT);
#endif // BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
#if BUILDFLAG(IS_MAC)
// Enables caching compiled sandbox profiles. Only some profiles support this,
// as controlled by CanCacheSandboxPolicy().
BASE_FEATURE(kCacheMacSandboxProfiles,
"CacheMacSandboxProfiles",
base::FEATURE_ENABLED_BY_DEFAULT);
#endif // BUILDFLAG(IS_MAC)
#if BUILDFLAG(IS_ANDROID)
// Enables the experimental Android GPU sandbox using Landlock.
BASE_FEATURE(kAndroidGpuSandbox,
"AndroidGpuSandbox",
base::FEATURE_DISABLED_BY_DEFAULT);
// Enables the renderer on Android to use a separate seccomp policy.
BASE_FEATURE(kUseRendererProcessPolicy,
"UseRendererProcessPolicy",
base::FEATURE_ENABLED_BY_DEFAULT);
// When enabled, this features restricts a set of syscalls in
// BaselinePolicyAndroid that are used by RendererProcessPolicy.
BASE_FEATURE(kRestrictRendererPoliciesInBaseline,
"RestrictRendererPoliciesInBaseline",
base::FEATURE_ENABLED_BY_DEFAULT);
// When enabled, restrict clone to just flags used by fork and pthread_create on
// android.
BASE_FEATURE(kRestrictCloneParameters,
"RestrictCloneParameters",
base::FEATURE_ENABLED_BY_DEFAULT);
#endif // BUILDFLAG(IS_ANDROID)
#if BUILDFLAG(IS_WIN)
bool IsNetworkSandboxSupported() {
// Temporary fix to avoid using network sandbox on ARM64 until root cause for
// https://crbug.com/40223285 is diagnosed.
if (base::win::OSInfo::GetInstance()->GetArchitecture() ==
base::win::OSInfo::ARM64_ARCHITECTURE ||
base::win::OSInfo::GetInstance()->IsWowX86OnARM64() ||
base::win::OSInfo::GetInstance()->IsWowAMD64OnARM64()) {
return false;
}
// Network service sandbox uses GetNetworkConnectivityHint which is only
// supported on Windows 10 Build 19041 (20H1) so versions before that wouldn't
// have a working network change notifier when running in the sandbox.
// TODO(crbug.com/40915451): Move this to an API that works earlier than 20H1
// and also works in the LPAC sandbox.
static const bool supported =
base::win::GetVersion() >= base::win::Version::WIN10_20H1;
if (!supported) {
return false;
}
// App container must be already supported on 20H1, but double check it here.
CHECK(sandbox::features::IsAppContainerSandboxSupported());
return true;
}
#endif // BUILDFLAG(IS_WIN)
bool IsNetworkSandboxEnabled() {
#if BUILDFLAG(IS_MAC) || BUILDFLAG(IS_FUCHSIA)
return true;
#else
#if BUILDFLAG(IS_WIN)
if (!IsNetworkSandboxSupported()) {
return false;
}
#endif // BUILDFLAG(IS_WIN)
// Check feature status.
return base::FeatureList::IsEnabled(kNetworkServiceSandbox);
#endif // BUILDFLAG(IS_MAC) || BUILDFLAG(IS_FUCHSIA)
}
#if BUILDFLAG(IS_WIN)
bool IsParallelLaunchEnabled() {
return base::FeatureList::IsEnabled(kWinSboxParallelProcessLaunch);
}
#endif // BUILDFLAG(IS_WIN)
} // namespace sandbox::policy::features
|
