Google Git
Sign in
chromium / chromium / src / sandbox / f3f872ac512e813655692dfad3a43eab17867b50
commitf3f872ac512e813655692dfad3a43eab17867b50[log] [tgz]
authorStefan Smolen <ssmole@microsoft.com>Wed Nov 03 22:39:39 2021
committerCopybara-Service <copybara-worker@google.com>Wed Nov 03 22:51:30 2021
treea74d924936f0cf8969b484ccded7c5fa0da8d280
parent896ad8cca627e913e5469c3d2463c1fa97bcd157 [diff]
Add null DACL test on desktop security descriptor when creating alt desktop

My investigation uncovered that the reason our utility processes fail to
load user32.dll (and crash) is because loading user32.dll requires
access to the desktop that the process is started on, and the sandbox
desktop's SD (security descriptor) does not allow access to anything.
The SD is based on the SD of the desktop the browser process is running
on, which can be a desktop created by third party software. If this
desktop's SD has a null DACL, it will have access to everything, but when
we create the sandbox desktop based it we combine the existing DACL with
the sandbox restrictions, which nets a DACL that only has restrictions
and doesn't allow access to anything.

This change detects the case where we are basing the sandbox desktop SD
on a null DACL, and adds an ACE that allows Everyone (WinWorldSid) and
all AppContainers (WinBuiltinAnyPackageSid) access to anything
(GENERIC_ALL) before the sandbox restrictions are applied.

Bug: 1252987
Change-Id: Id3409f3d1ddee8e4409f60d27fe3317ee499e97e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3258421
Commit-Queue: Stefan Smolen <ssmole@microsoft.com>
Reviewed-by: James Forshaw <forshaw@chromium.org>
Cr-Commit-Position: refs/heads/main@{#938045}
NOKEYCHECK=True
GitOrigin-RevId: b8cd461e6b01bb9fd813019efdf0ddc8a0356aff
2 files changed
tree: a74d924936f0cf8969b484ccded7c5fa0da8d280
  1. linux/
  2. mac/
  3. policy/
  4. win/
  5. BUILD.gn
  6. COMMON_METADATA
  7. constants.h
  8. DEPS
  9. DIR_METADATA
  10. features.gni
  11. ipc.dict
  12. OWNERS
  13. README.md
  14. sandbox_export.h
README.md

Sandbox Library

This directory contains platform-specific sandboxing libraries. Sandboxing is a technique that can improve the security of an application by separating untrustworthy code (or code that handles untrustworthy data) and restricting its privileges and capabilities.

Each platform relies on the operating system's process primitive to isolate code into distinct security principals, and platform-specific technologies are used to implement the privilege reduction. At a high-level:

  • mac/ uses the Seatbelt sandbox. See the detailed design for more.
  • linux/ uses namespaces and Seccomp-BPF. See the detailed design for more.
  • win/ uses a combination of restricted tokens, distinct job objects, alternate desktops, and integrity levels. See the detailed design for more.

Built on top of the low-level sandboxing library is the //sandbox/policy component, which provides concrete policies and helper utilities for sandboxing specific Chromium processes and services. The core sandbox library cannot depend on the policy component.