1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "SandboxInitialization.h"
#include "base/memory/ref_counted.h"
#include "nsWindowsDllInterceptor.h"
#include "sandbox/win/src/process_mitigations.h"
#include "sandbox/win/src/sandbox_factory.h"
#include "mozilla/DebugOnly.h"
#include "mozilla/WindowsProcessMitigations.h"
namespace mozilla {
namespace sandboxing {
typedef BOOL(WINAPI* CloseHandle_func)(HANDLE hObject);
static WindowsDllInterceptor::FuncHookType<CloseHandle_func> stub_CloseHandle;
typedef BOOL(WINAPI* DuplicateHandle_func)(
HANDLE hSourceProcessHandle, HANDLE hSourceHandle,
HANDLE hTargetProcessHandle, LPHANDLE lpTargetHandle, DWORD dwDesiredAccess,
BOOL bInheritHandle, DWORD dwOptions);
static WindowsDllInterceptor::FuncHookType<DuplicateHandle_func>
stub_DuplicateHandle;
static BOOL WINAPI patched_CloseHandle(HANDLE hObject) {
// Check all handles being closed against the sandbox's tracked handles.
base::win::OnHandleBeingClosed(hObject,
base::win::HandleOperation::kCloseHandleHook);
return stub_CloseHandle(hObject);
}
static BOOL WINAPI patched_DuplicateHandle(
HANDLE hSourceProcessHandle, HANDLE hSourceHandle,
HANDLE hTargetProcessHandle, LPHANDLE lpTargetHandle, DWORD dwDesiredAccess,
BOOL bInheritHandle, DWORD dwOptions) {
// If closing a source handle from our process check it against the sandbox's
// tracked handles.
if ((dwOptions & DUPLICATE_CLOSE_SOURCE) &&
(GetProcessId(hSourceProcessHandle) == ::GetCurrentProcessId())) {
base::win::OnHandleBeingClosed(
hSourceHandle, base::win::HandleOperation::kDuplicateHandleHook);
}
return stub_DuplicateHandle(hSourceProcessHandle, hSourceHandle,
hTargetProcessHandle, lpTargetHandle,
dwDesiredAccess, bInheritHandle, dwOptions);
}
typedef BOOL(WINAPI* ApiSetQueryApiSetPresence_func)(PCUNICODE_STRING,
PBOOLEAN);
static WindowsDllInterceptor::FuncHookType<ApiSetQueryApiSetPresence_func>
stub_ApiSetQueryApiSetPresence;
static const WCHAR gApiSetNtUserWindowStation[] =
L"ext-ms-win-ntuser-windowstation-l1-1-0";
static BOOL WINAPI patched_ApiSetQueryApiSetPresence(
PCUNICODE_STRING aNamespace, PBOOLEAN aPresent) {
if (aNamespace && aPresent &&
!wcsncmp(aNamespace->Buffer, gApiSetNtUserWindowStation,
aNamespace->Length / sizeof(WCHAR))) {
*aPresent = FALSE;
return TRUE;
}
return stub_ApiSetQueryApiSetPresence(aNamespace, aPresent);
}
MOZ_RUNINIT static WindowsDllInterceptor Kernel32Intercept;
MOZ_RUNINIT static WindowsDllInterceptor gApiQueryIntercept;
static bool EnableHandleCloseMonitoring() {
Kernel32Intercept.Init("kernel32.dll");
bool hooked = stub_CloseHandle.Set(Kernel32Intercept, "CloseHandle",
&patched_CloseHandle);
if (!hooked) {
return false;
}
hooked = stub_DuplicateHandle.Set(Kernel32Intercept, "DuplicateHandle",
&patched_DuplicateHandle);
if (!hooked) {
return false;
}
return true;
}
/**
* There is a bug in COM that causes its initialization to fail when user32.dll
* is loaded but Win32k lockdown is enabled. COM uses ApiSetQueryApiSetPresence
* to make this check. When we are under Win32k lockdown, we hook
* ApiSetQueryApiSetPresence and force it to tell the caller that the DLL of
* interest is not present.
*/
static void EnableApiQueryInterception() {
if (!IsWin32kLockedDown()) {
return;
}
gApiQueryIntercept.Init(L"Api-ms-win-core-apiquery-l1-1-0.dll");
DebugOnly<bool> hookSetOk = stub_ApiSetQueryApiSetPresence.Set(
gApiQueryIntercept, "ApiSetQueryApiSetPresence",
&patched_ApiSetQueryApiSetPresence);
MOZ_ASSERT(hookSetOk);
}
static bool ShouldDisableHandleVerifier() {
#if defined(_X86_) && (defined(EARLY_BETA_OR_EARLIER) || defined(DEBUG))
// Chromium only has the verifier enabled for 32-bit and our close monitoring
// hooks cause debug assertions for 64-bit anyway.
// For x86 keep the verifier enabled by default only for Nightly or debug.
// The handle verifier uses thread local storage, which at least one gtest
// manipulates causing it to crash, so we have to disable.
return !!getenv("MOZ_RUN_GTEST");
#else
return !getenv("MOZ_ENABLE_HANDLE_VERIFIER");
#endif
}
static void InitializeHandleVerifier() {
// Disable the handle verifier if we don't want it or can't enable the close
// monitoring hooks.
if (ShouldDisableHandleVerifier() || !EnableHandleCloseMonitoring()) {
base::win::DisableHandleVerifier();
}
}
static sandbox::TargetServices* InitializeTargetServices() {
// This might disable the verifier, so we want to do it before it is used.
InitializeHandleVerifier();
EnableApiQueryInterception();
sandbox::TargetServices* targetServices =
sandbox::SandboxFactory::GetTargetServices();
if (!targetServices) {
return nullptr;
}
if (targetServices->Init() != sandbox::SBOX_ALL_OK) {
return nullptr;
}
return targetServices;
}
sandbox::TargetServices* GetInitializedTargetServices() {
static sandbox::TargetServices* sInitializedTargetServices =
InitializeTargetServices();
return sInitializedTargetServices;
}
void LowerSandbox() { GetInitializedTargetServices()->LowerToken(); }
static sandbox::BrokerServices* InitializeBrokerServices() {
// This might disable the verifier, so we want to do it before it is used.
InitializeHandleVerifier();
sandbox::BrokerServices* brokerServices =
sandbox::SandboxFactory::GetBrokerServices();
if (!brokerServices) {
return nullptr;
}
if (brokerServices->Init() != sandbox::SBOX_ALL_OK) {
return nullptr;
}
// Comment below copied from Chromium code.
// Precreate the desktop and window station used by the renderers.
// IMPORTANT: This piece of code needs to run as early as possible in the
// process because it will initialize the sandbox broker, which requires
// the process to swap its window station. During this time all the UI
// will be broken. This has to run before threads and windows are created.
(void)brokerServices->CreateAlternateDesktop(
sandbox::Desktop::kAlternateWinstation);
// Ensure the relevant mitigations are enforced.
mozilla::sandboxing::ApplyParentProcessMitigations();
return brokerServices;
}
sandbox::BrokerServices* GetInitializedBrokerServices() {
static sandbox::BrokerServices* sInitializedBrokerServices =
InitializeBrokerServices();
return sInitializedBrokerServices;
}
void ApplyParentProcessMitigations() {
// The main reason for this call is for the token hardening, but chromium code
// also ensures DEP without ATL thunk so we do the same.
sandbox::RatchetDownSecurityMitigations(
sandbox::MITIGATION_DEP | sandbox::MITIGATION_DEP_NO_ATL_THUNK |
sandbox::MITIGATION_HARDEN_TOKEN_IL_POLICY);
}
} // namespace sandboxing
} // namespace mozilla
|
