From 6bf0a5cb5034a7e684dcc3500e841785237ce2dd Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 19:32:43 +0200 Subject: Adding upstream version 1:115.7.0. 
Signed-off-by: Daniel Baumann --- .../chromium-shim/base/allocator/buildflags.h | 20 + .../allocator/partition_allocator/page_allocator.h | 21 + .../chromium-shim/base/debug/activity_tracker.h | 61 + .../chromium-shim/base/debug/crash_logging.cpp | 22 + .../base/debug/debugging_buildflags.h | 21 + .../sandbox/chromium-shim/base/debug/stack_trace.h | 30 + security/sandbox/chromium-shim/base/feature_list.h | 52 + .../chromium-shim/base/file_version_info_win.cpp | 90 + .../chromium-shim/base/file_version_info_win.h | 54 + .../sandbox/chromium-shim/base/files/file_path.cpp | 217 + .../sandbox/chromium-shim/base/files/file_util.h | 11 + .../sandbox/chromium-shim/base/gtest_prod_util.h | 22 + security/sandbox/chromium-shim/base/logging.cpp | 160 + .../chromium-shim/base/logging_buildflags.h | 20 + .../base/memory/shared_memory_tracker.h | 40 + .../base/metrics/histogram_functions.h | 20 + .../chromium-shim/base/metrics/histogram_macros.h | 16 + .../sandbox/chromium-shim/base/observer_list.h | 12 + .../sandbox/chromium-shim/base/process/launch.h | 25 + .../chromium-shim/base/process/memory_win.cpp | 17 + .../chromium-shim/base/scoped_native_library.h | 31 + .../synchronization/synchronization_buildflags.h | 17 + .../chromium-shim/base/third_party/nspr/prtime.h | 8 + .../chromium-shim/base/third_party/nspr/prtypes.h | 8 + .../base/threading/platform_thread_linux.cpp | 69 + .../base/threading/scoped_blocking_call.h | 47 + .../heap_profiler_allocation_context_tracker.h | 32 + .../sandbox/chromium-shim/base/tracked_objects.h | 23 + .../chromium-shim/base/win/base_win_buildflags.h | 17 + security/sandbox/chromium-shim/base/win/registry.h | 48 + security/sandbox/chromium-shim/base/win/sdkdecls.h | 368 ++ .../sandbox/chromium-shim/base/win/win_util.cpp | 42 + security/sandbox/chromium-shim/base/win/win_util.h | 26 + ...OW64_flags_to_allowed_registry_read_flags.patch | 34 + .../after_update/add_interception_logging.patch | 810 ++++ 
...llow_ntpath_in_SignedPolicy_GenerateRules.patch | 82 + ...es_for_network_drive_and_non_file_devices.patch | 190 + .../after_update/arm64_set_LoaderThreads.patch | 99 + .../change_to_DCHECK_in_CloseHandleWrapper.patch | 38 + .../after_update/linux_32bit_arg_fixup.patch | 84 + ...d_memory_duplication_after_initialization.patch | 94 + .../patches/after_update/patch_order.txt | 8 + .../with_update/aarch64_control_flow_guard.patch | 65 + .../patches/with_update/add_CET_STRICT_MODE.patch | 94 + .../add_option_to_not_use_restricting_sids.patch | 281 ++ ...TraitsForNonCancellables_to_satisfy_build.patch | 29 + .../add_support_for_random_restricted_SID.patch | 461 ++ .../patches/with_update/allow_env_changes.patch | 217 + .../allow_read_only_all_paths_rule.patch | 142 + .../patches/with_update/allow_reparse_points.patch | 186 + .../with_update/broker_complex_line_breaks.patch | 502 ++ .../patches/with_update/derive_sid_from_name.patch | 74 + ...AppContainerProfileBase_testing_functions.patch | 79 + .../with_update/ifdef_out_FromStringInternal.patch | 52 + .../ifdef_out_SequenceChecker_code.patch | 36 + .../include_atomic_header_in_platform_thread.patch | 27 + .../lower_SDK_version_requirement.patch | 34 + .../patches/with_update/mingw_capitalization.patch | 74 + .../with_update/mingw_cast_getprocaddress.patch | 34 + .../patches/with_update/mingw_copy_s.patch | 34 + .../with_update/mingw_disable_one_try.patch | 51 + .../mingw_missing_windows_types_defines.patch | 37 + .../patches/with_update/mingw_offsetof.patch | 182 + .../patches/with_update/mingw_operator_new.patch | 58 + .../more_chromium_linux_x86_x64_syscalls.patch | 91 + .../patches/with_update/patch_order.txt | 32 + ...aneous_backslash_introduced_by_clang_tidy.patch | 34 + ...emove_include_delayimp_h_from_pe_image_cc.patch | 32 + ...emove_unused_functions_from_StrtodTrimmed.patch | 48 + ...ibrary_in_ApplyMitigationsToCurrentThread.patch | 59 + ...evert_TargetNtSetInformationThread_change.patch | 39 + 
...t_Token_serialization_and_deserialization.patch | 100 + .../revert_removal_of_app_dir_for_DLL_load.patch | 74 + .../with_update/revert_remove_AddTargetPeer.patch | 310 ++ .../revert_remove_BrokerDuplicateHandle.patch | 743 +++ .../chromium-shim/sandbox/win/loggingCallbacks.h | 101 + .../chromium-shim/sandbox/win/loggingTypes.h | 27 + .../chromium-shim/sandbox/win/sandboxLogging.cpp | 89 + .../chromium-shim/sandbox/win/sandboxLogging.h | 50 + .../sandbox/win/src/line_break_common.h | 31 + .../sandbox/win/src/line_break_dispatcher.cc | 58 + .../sandbox/win/src/line_break_dispatcher.h | 38 + .../sandbox/win/src/line_break_interception.cc | 108 + .../sandbox/win/src/line_break_interception.h | 19 + .../sandbox/win/src/line_break_policy.cc | 66 + .../sandbox/win/src/line_break_policy.h | 35 + .../sandbox/win/src/sandbox_policy_diagnostic.h | 31 + .../sandbox/win/src/sidestep_resolver.h | 58 + security/sandbox/chromium/LICENSE | 27 + security/sandbox/chromium/base/at_exit.cc | 114 + security/sandbox/chromium/base/at_exit.h | 87 + security/sandbox/chromium/base/atomic_ref_count.h | 69 + .../sandbox/chromium/base/atomic_sequence_num.h | 33 + security/sandbox/chromium/base/atomicops.h | 150 + .../chromium/base/atomicops_internals_portable.h | 219 + .../chromium/base/atomicops_internals_x86_msvc.h | 179 + security/sandbox/chromium/base/base_export.h | 29 + security/sandbox/chromium/base/base_paths.h | 55 + security/sandbox/chromium/base/base_paths_win.h | 53 + security/sandbox/chromium/base/base_switches.cc | 149 + security/sandbox/chromium/base/base_switches.h | 60 + security/sandbox/chromium/base/bind.h | 470 ++ security/sandbox/chromium/base/bind_helpers.h | 69 + security/sandbox/chromium/base/bind_internal.h | 1050 +++++ security/sandbox/chromium/base/bit_cast.h | 77 + security/sandbox/chromium/base/bits.h | 209 + security/sandbox/chromium/base/callback.h | 149 + security/sandbox/chromium/base/callback_forward.h | 28 + .../sandbox/chromium/base/callback_internal.cc | 
101 + security/sandbox/chromium/base/callback_internal.h | 194 + security/sandbox/chromium/base/compiler_specific.h | 298 ++ .../sandbox/chromium/base/containers/adapters.h | 55 + .../chromium/base/containers/buffer_iterator.h | 145 + .../chromium/base/containers/checked_iterators.h | 205 + .../chromium/base/containers/circular_deque.h | 1112 +++++ security/sandbox/chromium/base/containers/span.h | 530 +++ security/sandbox/chromium/base/containers/stack.h | 23 + security/sandbox/chromium/base/containers/util.h | 21 + .../chromium/base/containers/vector_buffer.h | 188 + security/sandbox/chromium/base/cpu.cc | 312 ++ security/sandbox/chromium/base/cpu.h | 104 + security/sandbox/chromium/base/debug/alias.cc | 16 + security/sandbox/chromium/base/debug/alias.h | 44 + .../sandbox/chromium/base/debug/crash_logging.h | 104 + security/sandbox/chromium/base/debug/debugger.h | 50 + .../sandbox/chromium/base/debug/leak_annotations.h | 46 + security/sandbox/chromium/base/debug/profiler.cc | 180 + security/sandbox/chromium/base/debug/profiler.h | 76 + security/sandbox/chromium/base/environment.cc | 123 + security/sandbox/chromium/base/environment.h | 61 + .../sandbox/chromium/base/file_descriptor_posix.h | 61 + security/sandbox/chromium/base/files/file_path.h | 484 ++ .../chromium/base/files/file_path_constants.cc | 25 + security/sandbox/chromium/base/format_macros.h | 97 + security/sandbox/chromium/base/guid.h | 46 + security/sandbox/chromium/base/hash/hash.cc | 167 + security/sandbox/chromium/base/hash/hash.h | 86 + security/sandbox/chromium/base/immediate_crash.h | 168 + security/sandbox/chromium/base/lazy_instance.h | 210 + .../sandbox/chromium/base/lazy_instance_helpers.cc | 64 + .../sandbox/chromium/base/lazy_instance_helpers.h | 101 + security/sandbox/chromium/base/location.cc | 96 + security/sandbox/chromium/base/location.h | 142 + security/sandbox/chromium/base/logging.h | 1077 +++++ security/sandbox/chromium/base/macros.h | 48 + 
.../sandbox/chromium/base/memory/aligned_memory.h | 60 + .../sandbox/chromium/base/memory/free_deleter.h | 25 + .../base/memory/platform_shared_memory_region.cc | 62 + .../base/memory/platform_shared_memory_region.h | 301 ++ .../memory/platform_shared_memory_region_win.cc | 343 ++ security/sandbox/chromium/base/memory/ptr_util.h | 23 + .../memory/raw_scoped_refptr_mismatch_checker.h | 52 + .../sandbox/chromium/base/memory/ref_counted.cc | 105 + .../sandbox/chromium/base/memory/ref_counted.h | 463 ++ .../sandbox/chromium/base/memory/scoped_refptr.h | 375 ++ .../chromium/base/memory/shared_memory_mapping.cc | 115 + .../chromium/base/memory/shared_memory_mapping.h | 252 + security/sandbox/chromium/base/memory/singleton.h | 279 ++ .../base/memory/unsafe_shared_memory_region.cc | 80 + .../base/memory/unsafe_shared_memory_region.h | 127 + security/sandbox/chromium/base/memory/weak_ptr.h | 395 ++ security/sandbox/chromium/base/no_destructor.h | 98 + .../sandbox/chromium/base/numerics/checked_math.h | 393 ++ .../chromium/base/numerics/checked_math_impl.h | 567 +++ .../sandbox/chromium/base/numerics/clamped_math.h | 264 ++ .../chromium/base/numerics/clamped_math_impl.h | 341 ++ .../chromium/base/numerics/safe_conversions.h | 358 ++ .../base/numerics/safe_conversions_arm_impl.h | 51 + .../chromium/base/numerics/safe_conversions_impl.h | 851 ++++ .../sandbox/chromium/base/numerics/safe_math.h | 12 + .../chromium/base/numerics/safe_math_arm_impl.h | 122 + .../base/numerics/safe_math_clang_gcc_impl.h | 157 + .../chromium/base/numerics/safe_math_shared_impl.h | 240 + security/sandbox/chromium/base/optional.h | 937 ++++ security/sandbox/chromium/base/os_compat_android.h | 21 + security/sandbox/chromium/base/path_service.h | 94 + .../chromium/base/posix/can_lower_nice_to.cc | 60 + .../chromium/base/posix/can_lower_nice_to.h | 19 + .../sandbox/chromium/base/posix/eintr_wrapper.h | 68 + .../sandbox/chromium/base/posix/safe_strerror.cc | 128 + 
.../sandbox/chromium/base/posix/safe_strerror.h | 44 + .../chromium/base/process/environment_internal.cc | 128 + .../chromium/base/process/environment_internal.h | 52 + security/sandbox/chromium/base/process/kill.h | 162 + security/sandbox/chromium/base/process/memory.h | 89 + security/sandbox/chromium/base/process/process.h | 223 + .../sandbox/chromium/base/process/process_handle.h | 142 + .../chromium/base/process/process_handle_win.cc | 52 + security/sandbox/chromium/base/rand_util.h | 78 + security/sandbox/chromium/base/rand_util_win.cc | 38 + .../chromium/base/scoped_clear_last_error.h | 58 + .../chromium/base/scoped_clear_last_error_win.cc | 22 + security/sandbox/chromium/base/sequence_checker.h | 143 + .../sandbox/chromium/base/sequence_checker_impl.h | 63 + security/sandbox/chromium/base/sequence_token.h | 115 + .../sandbox/chromium/base/sequenced_task_runner.h | 201 + .../chromium/base/sequenced_task_runner_helpers.h | 42 + .../chromium/base/single_thread_task_runner.h | 36 + security/sandbox/chromium/base/stl_util.h | 681 +++ .../sandbox/chromium/base/strings/char_traits.h | 92 + .../chromium/base/strings/nullable_string16.cc | 33 + .../chromium/base/strings/nullable_string16.h | 55 + .../sandbox/chromium/base/strings/safe_sprintf.cc | 682 +++ .../sandbox/chromium/base/strings/safe_sprintf.h | 246 + .../chromium/base/strings/safe_sprintf_unittest.cc | 765 ++++ security/sandbox/chromium/base/strings/string16.cc | 87 + security/sandbox/chromium/base/strings/string16.h | 229 + .../base/strings/string_number_conversions.cc | 545 +++ .../base/strings/string_number_conversions.h | 157 + .../sandbox/chromium/base/strings/string_piece.cc | 426 ++ .../sandbox/chromium/base/strings/string_piece.h | 513 +++ .../chromium/base/strings/string_piece_forward.h | 24 + .../sandbox/chromium/base/strings/string_split.cc | 254 ++ .../sandbox/chromium/base/strings/string_split.h | 169 + .../sandbox/chromium/base/strings/string_util.cc | 1157 +++++ 
.../sandbox/chromium/base/strings/string_util.h | 568 +++ .../chromium/base/strings/string_util_constants.cc | 54 + .../chromium/base/strings/string_util_posix.h | 37 + .../chromium/base/strings/string_util_win.h | 44 + .../sandbox/chromium/base/strings/stringprintf.cc | 225 + .../sandbox/chromium/base/strings/stringprintf.h | 74 + .../base/strings/utf_string_conversion_utils.cc | 155 + .../base/strings/utf_string_conversion_utils.h | 103 + .../base/strings/utf_string_conversions.cc | 342 ++ .../chromium/base/strings/utf_string_conversions.h | 54 + .../chromium/base/synchronization/atomic_flag.h | 50 + .../base/synchronization/condition_variable.h | 135 + .../synchronization/condition_variable_posix.cc | 149 + .../sandbox/chromium/base/synchronization/lock.cc | 38 + .../sandbox/chromium/base/synchronization/lock.h | 133 + .../chromium/base/synchronization/lock_impl.h | 175 + .../base/synchronization/lock_impl_posix.cc | 133 + .../chromium/base/synchronization/lock_impl_win.cc | 40 + .../chromium/base/synchronization/waitable_event.h | 291 ++ .../base/synchronization/waitable_event_posix.cc | 445 ++ security/sandbox/chromium/base/task_runner.h | 136 + security/sandbox/chromium/base/template_util.h | 188 + .../chromium/base/third_party/cityhash/COPYING | 19 + .../chromium/base/third_party/cityhash/city.cc | 532 +++ .../chromium/base/third_party/cityhash/city.h | 129 + .../base/third_party/double_conversion/LICENSE | 26 + .../double-conversion/bignum-dtoa.cc | 641 +++ .../double-conversion/bignum-dtoa.h | 84 + .../double_conversion/double-conversion/bignum.cc | 796 ++++ .../double_conversion/double-conversion/bignum.h | 152 + .../double-conversion/cached-powers.cc | 175 + .../double-conversion/cached-powers.h | 64 + .../double_conversion/double-conversion/diy-fp.h | 137 + .../double-conversion/double-conversion.h | 34 + .../double-conversion/double-to-string.cc | 428 ++ .../double-conversion/double-to-string.h | 396 ++ .../double-conversion/fast-dtoa.cc | 665 +++ 
.../double-conversion/fast-dtoa.h | 88 + .../double-conversion/fixed-dtoa.cc | 405 ++ .../double-conversion/fixed-dtoa.h | 56 + .../double_conversion/double-conversion/ieee.h | 402 ++ .../double-conversion/string-to-double.cc | 764 ++++ .../double-conversion/string-to-double.h | 226 + .../double_conversion/double-conversion/strtod.cc | 588 +++ .../double_conversion/double-conversion/strtod.h | 50 + .../double_conversion/double-conversion/utils.h | 364 ++ .../base/third_party/dynamic_annotations/LICENSE | 28 + .../dynamic_annotations/dynamic_annotations.h | 595 +++ .../sandbox/chromium/base/third_party/icu/LICENSE | 76 + .../chromium/base/third_party/icu/icu_utf.cc | 131 + .../chromium/base/third_party/icu/icu_utf.h | 442 ++ .../base/third_party/superfasthash/LICENSE | 27 + .../base/third_party/superfasthash/README.chromium | 29 + .../base/third_party/superfasthash/superfasthash.c | 84 + .../chromium/base/third_party/valgrind/LICENSE | 39 + .../chromium/base/third_party/valgrind/valgrind.h | 4792 ++++++++++++++++++++ .../sandbox/chromium/base/thread_annotations.h | 264 ++ .../chromium/base/threading/platform_thread.cc | 51 + .../chromium/base/threading/platform_thread.h | 259 ++ .../threading/platform_thread_internal_posix.cc | 39 + .../threading/platform_thread_internal_posix.h | 62 + .../base/threading/platform_thread_posix.cc | 361 ++ .../chromium/base/threading/platform_thread_win.cc | 463 ++ .../chromium/base/threading/platform_thread_win.h | 23 + .../chromium/base/threading/thread_checker_impl.h | 74 + .../base/threading/thread_collision_warner.cc | 64 + .../base/threading/thread_collision_warner.h | 252 + .../base/threading/thread_id_name_manager.cc | 147 + .../base/threading/thread_id_name_manager.h | 94 + .../sandbox/chromium/base/threading/thread_local.h | 136 + .../base/threading/thread_local_internal.h | 80 + .../base/threading/thread_local_storage.cc | 461 ++ .../chromium/base/threading/thread_local_storage.h | 175 + 
.../base/threading/thread_local_storage_posix.cc | 30 + .../base/threading/thread_local_storage_win.cc | 107 + .../chromium/base/threading/thread_restrictions.cc | 258 ++ .../chromium/base/threading/thread_restrictions.h | 680 +++ security/sandbox/chromium/base/time/time.cc | 433 ++ security/sandbox/chromium/base/time/time.h | 1077 +++++ .../chromium/base/time/time_exploded_posix.cc | 287 ++ .../sandbox/chromium/base/time/time_now_posix.cc | 122 + .../sandbox/chromium/base/time/time_override.h | 74 + security/sandbox/chromium/base/time/time_win.cc | 810 ++++ .../chromium/base/time/time_win_features.cc | 14 + .../sandbox/chromium/base/time/time_win_features.h | 20 + security/sandbox/chromium/base/token.cc | 28 + security/sandbox/chromium/base/token.h | 72 + security/sandbox/chromium/base/tuple.h | 112 + .../sandbox/chromium/base/unguessable_token.cc | 39 + security/sandbox/chromium/base/unguessable_token.h | 120 + security/sandbox/chromium/base/version.cc | 194 + security/sandbox/chromium/base/version.h | 77 + .../sandbox/chromium/base/win/current_module.h | 17 + security/sandbox/chromium/base/win/pe_image.cc | 652 +++ security/sandbox/chromium/base/win/pe_image.h | 308 ++ .../sandbox/chromium/base/win/scoped_handle.cc | 44 + security/sandbox/chromium/base/win/scoped_handle.h | 184 + .../chromium/base/win/scoped_handle_verifier.cc | 238 + .../chromium/base/win/scoped_handle_verifier.h | 88 + .../base/win/scoped_process_information.cc | 107 + .../chromium/base/win/scoped_process_information.h | 75 + .../chromium/base/win/startup_information.cc | 59 + .../chromium/base/win/startup_information.h | 53 + .../sandbox/chromium/base/win/static_constants.cc | 13 + .../sandbox/chromium/base/win/static_constants.h | 21 + security/sandbox/chromium/base/win/windows_types.h | 278 ++ .../sandbox/chromium/base/win/windows_version.cc | 313 ++ .../sandbox/chromium/base/win/windows_version.h | 187 + security/sandbox/chromium/build/build_config.h | 205 + 
security/sandbox/chromium/build/buildflag.h | 47 + .../chromium/sandbox/linux/bpf_dsl/bpf_dsl.cc | 343 ++ .../chromium/sandbox/linux/bpf_dsl/bpf_dsl.h | 338 ++ .../sandbox/linux/bpf_dsl/bpf_dsl_forward.h | 37 + .../chromium/sandbox/linux/bpf_dsl/bpf_dsl_impl.h | 67 + .../chromium/sandbox/linux/bpf_dsl/codegen.cc | 147 + .../chromium/sandbox/linux/bpf_dsl/codegen.h | 119 + .../sandbox/chromium/sandbox/linux/bpf_dsl/cons.h | 137 + .../chromium/sandbox/linux/bpf_dsl/dump_bpf.cc | 159 + .../chromium/sandbox/linux/bpf_dsl/dump_bpf.h | 29 + .../chromium/sandbox/linux/bpf_dsl/errorcode.h | 37 + .../sandbox/linux/bpf_dsl/linux_syscall_ranges.h | 63 + .../chromium/sandbox/linux/bpf_dsl/policy.cc | 19 + .../chromium/sandbox/linux/bpf_dsl/policy.h | 37 + .../sandbox/linux/bpf_dsl/policy_compiler.cc | 481 ++ .../sandbox/linux/bpf_dsl/policy_compiler.h | 155 + .../sandbox/linux/bpf_dsl/seccomp_macros.h | 354 ++ .../chromium/sandbox/linux/bpf_dsl/syscall_set.cc | 150 + .../chromium/sandbox/linux/bpf_dsl/syscall_set.h | 103 + .../chromium/sandbox/linux/bpf_dsl/trap_registry.h | 73 + .../bpf_tester_compatibility_delegate.h | 56 + .../chromium/sandbox/linux/seccomp-bpf/bpf_tests.h | 124 + .../linux/seccomp-bpf/bpf_tests_unittest.cc | 155 + .../chromium/sandbox/linux/seccomp-bpf/die.cc | 93 + .../chromium/sandbox/linux/seccomp-bpf/die.h | 68 + .../sandbox/linux/seccomp-bpf/sandbox_bpf.cc | 259 ++ .../sandbox/linux/seccomp-bpf/sandbox_bpf.h | 113 + .../linux/seccomp-bpf/sandbox_bpf_test_runner.cc | 66 + .../linux/seccomp-bpf/sandbox_bpf_test_runner.h | 62 + .../chromium/sandbox/linux/seccomp-bpf/syscall.cc | 481 ++ .../chromium/sandbox/linux/seccomp-bpf/syscall.h | 166 + .../sandbox/linux/seccomp-bpf/syscall_unittest.cc | 249 + .../chromium/sandbox/linux/seccomp-bpf/trap.cc | 394 ++ .../chromium/sandbox/linux/seccomp-bpf/trap.h | 86 + .../sandbox/linux/services/syscall_wrappers.cc | 264 ++ .../sandbox/linux/services/syscall_wrappers.h | 89 + 
.../linux/system_headers/arm64_linux_syscalls.h | 1197 +++++ .../linux/system_headers/arm_linux_syscalls.h | 1623 +++++++ .../linux/system_headers/arm_linux_ucontext.h | 60 + .../sandbox/linux/system_headers/capability.h | 42 + .../linux/system_headers/i386_linux_ucontext.h | 85 + .../sandbox/linux/system_headers/linux_filter.h | 140 + .../sandbox/linux/system_headers/linux_futex.h | 84 + .../sandbox/linux/system_headers/linux_seccomp.h | 110 + .../sandbox/linux/system_headers/linux_signal.h | 150 + .../sandbox/linux/system_headers/linux_syscalls.h | 39 + .../sandbox/linux/system_headers/linux_ucontext.h | 22 + .../linux/system_headers/x86_32_linux_syscalls.h | 1731 +++++++ .../linux/system_headers/x86_64_linux_syscalls.h | 1418 ++++++ security/sandbox/chromium/sandbox/sandbox_export.h | 26 + security/sandbox/chromium/sandbox/win/src/acl.cc | 171 + security/sandbox/chromium/sandbox/win/src/acl.h | 64 + .../sandbox/win/src/app_container_profile.h | 74 + .../sandbox/win/src/app_container_profile_base.cc | 337 ++ .../sandbox/win/src/app_container_profile_base.h | 94 + .../chromium/sandbox/win/src/app_container_test.cc | 342 ++ .../chromium/sandbox/win/src/broker_services.cc | 745 +++ .../chromium/sandbox/win/src/broker_services.h | 105 + .../chromium/sandbox/win/src/crosscall_client.h | 509 +++ .../chromium/sandbox/win/src/crosscall_params.h | 315 ++ .../chromium/sandbox/win/src/crosscall_server.cc | 345 ++ .../chromium/sandbox/win/src/crosscall_server.h | 261 ++ .../chromium/sandbox/win/src/eat_resolver.cc | 88 + .../chromium/sandbox/win/src/eat_resolver.h | 49 + .../chromium/sandbox/win/src/file_policy_test.cc | 705 +++ .../sandbox/win/src/filesystem_dispatcher.cc | 302 ++ .../sandbox/win/src/filesystem_dispatcher.h | 76 + .../sandbox/win/src/filesystem_interception.cc | 412 ++ .../sandbox/win/src/filesystem_interception.h | 67 + .../chromium/sandbox/win/src/filesystem_policy.cc | 443 ++ .../chromium/sandbox/win/src/filesystem_policy.h | 112 + 
.../chromium/sandbox/win/src/handle_closer.cc | 185 + .../chromium/sandbox/win/src/handle_closer.h | 76 + .../sandbox/win/src/handle_closer_agent.cc | 239 + .../chromium/sandbox/win/src/handle_closer_agent.h | 46 + .../chromium/sandbox/win/src/handle_closer_test.cc | 297 ++ .../chromium/sandbox/win/src/handle_dispatcher.cc | 93 + .../chromium/sandbox/win/src/handle_dispatcher.h | 41 + .../sandbox/win/src/handle_inheritance_test.cc | 49 + .../sandbox/win/src/handle_interception.cc | 48 + .../chromium/sandbox/win/src/handle_interception.h | 24 + .../chromium/sandbox/win/src/handle_policy.cc | 93 + .../chromium/sandbox/win/src/handle_policy.h | 39 + .../chromium/sandbox/win/src/handle_policy_test.cc | 114 + .../chromium/sandbox/win/src/heap_helper.cc | 124 + .../sandbox/chromium/sandbox/win/src/heap_helper.h | 26 + .../sandbox/win/src/integrity_level_test.cc | 118 + .../chromium/sandbox/win/src/interception.cc | 512 +++ .../chromium/sandbox/win/src/interception.h | 290 ++ .../chromium/sandbox/win/src/interception_agent.cc | 234 + .../chromium/sandbox/win/src/interception_agent.h | 87 + .../sandbox/win/src/interception_internal.h | 77 + .../sandbox/win/src/interception_unittest.cc | 263 ++ .../chromium/sandbox/win/src/interceptors.h | 73 + .../chromium/sandbox/win/src/interceptors_64.cc | 531 +++ .../chromium/sandbox/win/src/interceptors_64.h | 330 ++ .../chromium/sandbox/win/src/internal_types.h | 68 + .../sandbox/chromium/sandbox/win/src/ipc_args.cc | 96 + .../sandbox/chromium/sandbox/win/src/ipc_args.h | 24 + .../chromium/sandbox/win/src/ipc_ping_test.cc | 58 + .../sandbox/chromium/sandbox/win/src/ipc_tags.h | 59 + .../chromium/sandbox/win/src/ipc_unittest.cc | 632 +++ security/sandbox/chromium/sandbox/win/src/job.cc | 117 + security/sandbox/chromium/sandbox/win/src/job.h | 66 + .../chromium/sandbox/win/src/job_unittest.cc | 197 + .../sandbox/win/src/named_pipe_dispatcher.cc | 95 + .../sandbox/win/src/named_pipe_dispatcher.h | 46 + 
.../sandbox/win/src/named_pipe_interception.cc | 80 + .../sandbox/win/src/named_pipe_interception.h | 41 + .../chromium/sandbox/win/src/named_pipe_policy.cc | 89 + .../chromium/sandbox/win/src/named_pipe_policy.h | 43 + .../sandbox/win/src/named_pipe_policy_test.cc | 121 + .../chromium/sandbox/win/src/nt_internals.h | 983 ++++ .../chromium/sandbox/win/src/policy_broker.cc | 123 + .../chromium/sandbox/win/src/policy_broker.h | 27 + .../sandbox/win/src/policy_engine_opcodes.cc | 450 ++ .../sandbox/win/src/policy_engine_opcodes.h | 379 ++ .../sandbox/win/src/policy_engine_params.h | 190 + .../sandbox/win/src/policy_engine_processor.cc | 103 + .../sandbox/win/src/policy_engine_processor.h | 143 + .../sandbox/win/src/policy_engine_unittest.cc | 103 + .../chromium/sandbox/win/src/policy_low_level.cc | 355 ++ .../chromium/sandbox/win/src/policy_low_level.h | 189 + .../sandbox/win/src/policy_low_level_unittest.cc | 684 +++ .../sandbox/win/src/policy_opcodes_unittest.cc | 364 ++ .../chromium/sandbox/win/src/policy_params.h | 70 + .../chromium/sandbox/win/src/policy_target.cc | 138 + .../chromium/sandbox/win/src/policy_target.h | 46 + .../chromium/sandbox/win/src/policy_target_test.cc | 486 ++ .../sandbox/win/src/process_mitigations.cc | 622 +++ .../chromium/sandbox/win/src/process_mitigations.h | 56 + .../src/process_mitigations_win32k_dispatcher.cc | 592 +++ .../src/process_mitigations_win32k_dispatcher.h | 89 + .../src/process_mitigations_win32k_interception.cc | 523 +++ .../src/process_mitigations_win32k_interception.h | 151 + .../win/src/process_mitigations_win32k_policy.cc | 410 ++ .../win/src/process_mitigations_win32k_policy.h | 91 + .../sandbox/win/src/process_policy_test.cc | 548 +++ .../sandbox/win/src/process_thread_dispatcher.cc | 275 ++ .../sandbox/win/src/process_thread_dispatcher.h | 69 + .../sandbox/win/src/process_thread_interception.cc | 520 +++ .../sandbox/win/src/process_thread_interception.h | 101 + .../sandbox/win/src/process_thread_policy.cc | 269 ++ 
.../sandbox/win/src/process_thread_policy.h | 91 + .../sandbox/win/src/registry_dispatcher.cc | 167 + .../chromium/sandbox/win/src/registry_dispatcher.h | 51 + .../sandbox/win/src/registry_interception.cc | 261 ++ .../sandbox/win/src/registry_interception.h | 38 + .../chromium/sandbox/win/src/registry_policy.cc | 230 + .../chromium/sandbox/win/src/registry_policy.h | 56 + .../sandbox/win/src/registry_policy_test.cc | 322 ++ .../sandbox/chromium/sandbox/win/src/resolver.cc | 63 + .../sandbox/chromium/sandbox/win/src/resolver.h | 107 + .../chromium/sandbox/win/src/resolver_32.cc | 95 + .../chromium/sandbox/win/src/resolver_64.cc | 95 + .../chromium/sandbox/win/src/restricted_token.cc | 432 ++ .../chromium/sandbox/win/src/restricted_token.h | 207 + .../sandbox/win/src/restricted_token_unittest.cc | 829 ++++ .../sandbox/win/src/restricted_token_utils.cc | 480 ++ .../sandbox/win/src/restricted_token_utils.h | 105 + .../sandbox/chromium/sandbox/win/src/sandbox.cc | 47 + .../sandbox/chromium/sandbox/win/src/sandbox.h | 228 + .../chromium/sandbox/win/src/sandbox.vcproj | 648 +++ .../chromium/sandbox/win/src/sandbox_factory.h | 52 + .../chromium/sandbox/win/src/sandbox_globals.cc | 18 + .../chromium/sandbox/win/src/sandbox_nt_types.h | 47 + .../chromium/sandbox/win/src/sandbox_nt_util.cc | 755 +++ .../chromium/sandbox/win/src/sandbox_nt_util.h | 220 + .../chromium/sandbox/win/src/sandbox_policy.h | 296 ++ .../sandbox/win/src/sandbox_policy_base.cc | 832 ++++ .../chromium/sandbox/win/src/sandbox_policy_base.h | 198 + .../chromium/sandbox/win/src/sandbox_rand.cc | 22 + .../chromium/sandbox/win/src/sandbox_rand.h | 15 + .../chromium/sandbox/win/src/sandbox_types.h | 199 + .../chromium/sandbox/win/src/sandbox_utils.cc | 32 + .../chromium/sandbox/win/src/sandbox_utils.h | 24 + .../sandbox/win/src/security_capabilities.cc | 33 + .../sandbox/win/src/security_capabilities.h | 34 + .../chromium/sandbox/win/src/security_level.h | 300 ++ 
.../chromium/sandbox/win/src/service_resolver.cc | 47 + .../chromium/sandbox/win/src/service_resolver.h | 158 + .../sandbox/win/src/service_resolver_32.cc | 476 ++ .../sandbox/win/src/service_resolver_64.cc | 290 ++ .../sandbox/win/src/service_resolver_unittest.cc | 278 ++ .../sandbox/win/src/sharedmem_ipc_client.cc | 193 + .../sandbox/win/src/sharedmem_ipc_client.h | 140 + .../sandbox/win/src/sharedmem_ipc_server.cc | 346 ++ .../sandbox/win/src/sharedmem_ipc_server.h | 137 + security/sandbox/chromium/sandbox/win/src/sid.cc | 163 + security/sandbox/chromium/sandbox/win/src/sid.h | 74 + .../chromium/sandbox/win/src/sid_unittest.cc | 182 + .../chromium/sandbox/win/src/signed_dispatcher.cc | 68 + .../chromium/sandbox/win/src/signed_dispatcher.h | 37 + .../sandbox/win/src/signed_interception.cc | 97 + .../chromium/sandbox/win/src/signed_interception.h | 30 + .../chromium/sandbox/win/src/signed_policy.cc | 102 + .../chromium/sandbox/win/src/signed_policy.h | 39 + .../chromium/sandbox/win/src/sync_dispatcher.cc | 82 + .../chromium/sandbox/win/src/sync_dispatcher.h | 44 + .../chromium/sandbox/win/src/sync_interception.cc | 177 + .../chromium/sandbox/win/src/sync_interception.h | 46 + .../chromium/sandbox/win/src/sync_policy.cc | 243 + .../sandbox/chromium/sandbox/win/src/sync_policy.h | 49 + .../chromium/sandbox/win/src/sync_policy_test.cc | 145 + .../chromium/sandbox/win/src/sync_policy_test.h | 18 + .../sandbox/win/src/target_interceptions.cc | 136 + .../sandbox/win/src/target_interceptions.h | 43 + .../chromium/sandbox/win/src/target_process.cc | 393 ++ .../chromium/sandbox/win/src/target_process.h | 143 + .../chromium/sandbox/win/src/target_services.cc | 264 ++ .../chromium/sandbox/win/src/target_services.h | 73 + .../sandbox/win/src/threadpool_unittest.cc | 97 + .../sandbox/win/src/top_level_dispatcher.cc | 178 + .../sandbox/win/src/top_level_dispatcher.h | 54 + .../chromium/sandbox/win/src/unload_dll_test.cc | 100 + .../chromium/sandbox/win/src/win2k_threadpool.cc | 
67 + .../chromium/sandbox/win/src/win2k_threadpool.h | 61 + .../sandbox/chromium/sandbox/win/src/win_utils.cc | 619 +++ .../sandbox/chromium/sandbox/win/src/win_utils.h | 156 + .../chromium/sandbox/win/src/win_utils_unittest.cc | 258 ++ .../sandbox/chromium/sandbox/win/src/window.cc | 147 + security/sandbox/chromium/sandbox/win/src/window.h | 37 + security/sandbox/common/SandboxSettings.cpp | 229 + security/sandbox/common/SandboxSettings.h | 47 + security/sandbox/common/components.conf | 23 + security/sandbox/common/moz.build | 54 + security/sandbox/common/mozISandboxSettings.idl | 32 + security/sandbox/common/test/PSandboxTesting.ipdl | 20 + security/sandbox/common/test/SandboxTest.cpp | 362 ++ security/sandbox/common/test/SandboxTest.h | 45 + .../sandbox/common/test/SandboxTestingChild.cpp | 194 + security/sandbox/common/test/SandboxTestingChild.h | 86 + .../sandbox/common/test/SandboxTestingChildTests.h | 876 ++++ .../sandbox/common/test/SandboxTestingParent.cpp | 125 + .../sandbox/common/test/SandboxTestingParent.h | 53 + .../sandbox/common/test/SandboxTestingThread.h | 53 + security/sandbox/common/test/mozISandboxTest.idl | 28 + security/sandbox/linux/LinuxSched.h | 35 + security/sandbox/linux/Sandbox.cpp | 771 ++++ security/sandbox/linux/Sandbox.h | 76 + security/sandbox/linux/SandboxBrokerClient.cpp | 274 ++ security/sandbox/linux/SandboxBrokerClient.h | 57 + security/sandbox/linux/SandboxChrootProto.h | 24 + security/sandbox/linux/SandboxFilter.cpp | 2101 +++++++++ security/sandbox/linux/SandboxFilter.h | 46 + security/sandbox/linux/SandboxFilterUtil.cpp | 142 + security/sandbox/linux/SandboxFilterUtil.h | 248 + security/sandbox/linux/SandboxHooks.cpp | 110 + security/sandbox/linux/SandboxInfo.cpp | 201 + security/sandbox/linux/SandboxInfo.h | 70 + security/sandbox/linux/SandboxInternal.h | 28 + security/sandbox/linux/SandboxLogging.cpp | 141 + security/sandbox/linux/SandboxLogging.h | 81 + security/sandbox/linux/SandboxOpenedFiles.cpp | 77 + 
security/sandbox/linux/SandboxOpenedFiles.h | 97 + security/sandbox/linux/SandboxReporterClient.cpp | 88 + security/sandbox/linux/SandboxReporterClient.h | 47 + security/sandbox/linux/broker/SandboxBroker.cpp | 1097 +++++ security/sandbox/linux/broker/SandboxBroker.h | 180 + .../sandbox/linux/broker/SandboxBrokerCommon.cpp | 155 + .../sandbox/linux/broker/SandboxBrokerCommon.h | 77 + .../linux/broker/SandboxBrokerPolicyFactory.cpp | 1017 +++++ .../linux/broker/SandboxBrokerPolicyFactory.h | 36 + .../sandbox/linux/broker/SandboxBrokerRealpath.cpp | 277 ++ security/sandbox/linux/broker/SandboxBrokerUtils.h | 32 + security/sandbox/linux/broker/moz.build | 37 + security/sandbox/linux/glue/SandboxCrash.cpp | 118 + security/sandbox/linux/glue/SandboxPrefBridge.cpp | 50 + security/sandbox/linux/glue/moz.build | 35 + security/sandbox/linux/gtest/TestBroker.cpp | 689 +++ security/sandbox/linux/gtest/TestBrokerPolicy.cpp | 95 + security/sandbox/linux/gtest/TestLogging.cpp | 56 + security/sandbox/linux/gtest/moz.build | 26 + security/sandbox/linux/interfaces/moz.build | 11 + .../linux/interfaces/mozISandboxReporter.idl | 65 + .../sandbox/linux/launch/LinuxCapabilities.cpp | 26 + security/sandbox/linux/launch/LinuxCapabilities.h | 122 + security/sandbox/linux/launch/SandboxLaunch.cpp | 715 +++ security/sandbox/linux/launch/SandboxLaunch.h | 29 + security/sandbox/linux/launch/moz.build | 33 + security/sandbox/linux/moz.build | 146 + .../sandbox/linux/reporter/SandboxReporter.cpp | 299 ++ security/sandbox/linux/reporter/SandboxReporter.h | 86 + .../sandbox/linux/reporter/SandboxReporterCommon.h | 66 + .../linux/reporter/SandboxReporterWrappers.cpp | 199 + security/sandbox/linux/reporter/components.conf | 13 + security/sandbox/linux/reporter/moz.build | 34 + security/sandbox/mac/Sandbox.h | 90 + security/sandbox/mac/Sandbox.mm | 802 ++++ security/sandbox/mac/SandboxPolicyContent.h | 399 ++ security/sandbox/mac/SandboxPolicyGMP.h | 101 + security/sandbox/mac/SandboxPolicyRDD.h | 
199 + security/sandbox/mac/SandboxPolicySocket.h | 150 + security/sandbox/mac/SandboxPolicyUtility.h | 83 + security/sandbox/mac/moz.build | 19 + security/sandbox/moz.build | 215 + security/sandbox/test/browser.ini | 26 + security/sandbox/test/browser_bug1393259.js | 200 + .../test/browser_bug1717599_XDG-CONFIG-DIRS.ini | 9 + .../test/browser_bug1717599_XDG-CONFIG-HOME.ini | 9 + ...r_content_sandbox_bug1717599_XDG-CONFIG-DIRS.js | 11 + ...r_content_sandbox_bug1717599_XDG-CONFIG-HOME.js | 11 + .../sandbox/test/browser_content_sandbox_fs.js | 56 + .../test/browser_content_sandbox_fs_snap.js | 31 + .../test/browser_content_sandbox_fs_tests.js | 698 +++ .../sandbox/test/browser_content_sandbox_fs_xdg.js | 31 + .../test/browser_content_sandbox_syscalls.js | 436 ++ .../sandbox/test/browser_content_sandbox_utils.js | 464 ++ security/sandbox/test/browser_sandbox_test.js | 59 + security/sandbox/test/browser_snap.ini | 14 + security/sandbox/test/browser_xdg.ini | 14 + security/sandbox/test/bug1393259.html | 19 + security/sandbox/test/mac_register_font.py | 85 + security/sandbox/win/SandboxInitialization.cpp | 202 + security/sandbox/win/SandboxInitialization.h | 52 + .../remotesandboxbroker/PRemoteSandboxBroker.ipdl | 36 + .../RemoteSandboxBrokerChild.cpp | 97 + .../remotesandboxbroker/RemoteSandboxBrokerChild.h | 35 + .../RemoteSandboxBrokerParent.cpp | 83 + .../RemoteSandboxBrokerParent.h | 48 + .../RemoteSandboxBrokerProcessChild.cpp | 27 + .../RemoteSandboxBrokerProcessChild.h | 33 + .../RemoteSandboxBrokerProcessParent.cpp | 35 + .../RemoteSandboxBrokerProcessParent.h | 41 + .../sandbox/win/src/remotesandboxbroker/moz.build | 30 + .../remotesandboxbroker/remoteSandboxBroker.cpp | 170 + .../src/remotesandboxbroker/remoteSandboxBroker.h | 75 + security/sandbox/win/src/sandboxbroker/moz.build | 21 + .../win/src/sandboxbroker/sandboxBroker.cpp | 2029 +++++++++ .../sandbox/win/src/sandboxbroker/sandboxBroker.h | 137 + security/sandbox/win/src/sandboxtarget/moz.build | 22 + 
.../win/src/sandboxtarget/sandboxTarget.cpp | 64 + .../sandbox/win/src/sandboxtarget/sandboxTarget.h | 80 + 657 files changed, 128718 insertions(+) create mode 100644 security/sandbox/chromium-shim/base/allocator/buildflags.h create mode 100644 security/sandbox/chromium-shim/base/allocator/partition_allocator/page_allocator.h create mode 100644 security/sandbox/chromium-shim/base/debug/activity_tracker.h create mode 100644 security/sandbox/chromium-shim/base/debug/crash_logging.cpp create mode 100644 security/sandbox/chromium-shim/base/debug/debugging_buildflags.h create mode 100644 security/sandbox/chromium-shim/base/debug/stack_trace.h create mode 100644 security/sandbox/chromium-shim/base/feature_list.h create mode 100644 security/sandbox/chromium-shim/base/file_version_info_win.cpp create mode 100644 security/sandbox/chromium-shim/base/file_version_info_win.h create mode 100644 security/sandbox/chromium-shim/base/files/file_path.cpp create mode 100644 security/sandbox/chromium-shim/base/files/file_util.h create mode 100644 security/sandbox/chromium-shim/base/gtest_prod_util.h create mode 100644 security/sandbox/chromium-shim/base/logging.cpp create mode 100644 security/sandbox/chromium-shim/base/logging_buildflags.h create mode 100644 security/sandbox/chromium-shim/base/memory/shared_memory_tracker.h create mode 100644 security/sandbox/chromium-shim/base/metrics/histogram_functions.h create mode 100644 security/sandbox/chromium-shim/base/metrics/histogram_macros.h create mode 100644 security/sandbox/chromium-shim/base/observer_list.h create mode 100644 security/sandbox/chromium-shim/base/process/launch.h create mode 100644 security/sandbox/chromium-shim/base/process/memory_win.cpp create mode 100644 security/sandbox/chromium-shim/base/scoped_native_library.h create mode 100644 security/sandbox/chromium-shim/base/synchronization/synchronization_buildflags.h create mode 100644 security/sandbox/chromium-shim/base/third_party/nspr/prtime.h create mode 100644 
security/sandbox/chromium-shim/base/third_party/nspr/prtypes.h create mode 100644 security/sandbox/chromium-shim/base/threading/platform_thread_linux.cpp create mode 100644 security/sandbox/chromium-shim/base/threading/scoped_blocking_call.h create mode 100644 security/sandbox/chromium-shim/base/trace_event/heap_profiler_allocation_context_tracker.h create mode 100644 security/sandbox/chromium-shim/base/tracked_objects.h create mode 100644 security/sandbox/chromium-shim/base/win/base_win_buildflags.h create mode 100644 security/sandbox/chromium-shim/base/win/registry.h create mode 100644 security/sandbox/chromium-shim/base/win/sdkdecls.h create mode 100644 security/sandbox/chromium-shim/base/win/win_util.cpp create mode 100644 security/sandbox/chromium-shim/base/win/win_util.h create mode 100644 security/sandbox/chromium-shim/patches/after_update/add_WOW64_flags_to_allowed_registry_read_flags.patch create mode 100644 security/sandbox/chromium-shim/patches/after_update/add_interception_logging.patch create mode 100644 security/sandbox/chromium-shim/patches/after_update/allow_ntpath_in_SignedPolicy_GenerateRules.patch create mode 100644 security/sandbox/chromium-shim/patches/after_update/allow_rules_for_network_drive_and_non_file_devices.patch create mode 100644 security/sandbox/chromium-shim/patches/after_update/arm64_set_LoaderThreads.patch create mode 100644 security/sandbox/chromium-shim/patches/after_update/change_to_DCHECK_in_CloseHandleWrapper.patch create mode 100644 security/sandbox/chromium-shim/patches/after_update/linux_32bit_arg_fixup.patch create mode 100644 security/sandbox/chromium-shim/patches/after_update/move_shared_memory_duplication_after_initialization.patch create mode 100644 security/sandbox/chromium-shim/patches/after_update/patch_order.txt create mode 100644 security/sandbox/chromium-shim/patches/with_update/aarch64_control_flow_guard.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/add_CET_STRICT_MODE.patch create 
mode 100644 security/sandbox/chromium-shim/patches/with_update/add_option_to_not_use_restricting_sids.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/add_return_in_QueryCancellationTraitsForNonCancellables_to_satisfy_build.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/add_support_for_random_restricted_SID.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/allow_env_changes.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/allow_read_only_all_paths_rule.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/allow_reparse_points.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/broker_complex_line_breaks.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/derive_sid_from_name.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/ifdef_out_AppContainerProfileBase_testing_functions.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/ifdef_out_FromStringInternal.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/ifdef_out_SequenceChecker_code.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/include_atomic_header_in_platform_thread.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/lower_SDK_version_requirement.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/mingw_capitalization.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/mingw_cast_getprocaddress.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/mingw_copy_s.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/mingw_disable_one_try.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/mingw_missing_windows_types_defines.patch create mode 100644 
security/sandbox/chromium-shim/patches/with_update/mingw_offsetof.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/mingw_operator_new.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/more_chromium_linux_x86_x64_syscalls.patch create mode 100755 security/sandbox/chromium-shim/patches/with_update/patch_order.txt create mode 100644 security/sandbox/chromium-shim/patches/with_update/remove_extraneous_backslash_introduced_by_clang_tidy.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/remove_include_delayimp_h_from_pe_image_cc.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/remove_unused_functions_from_StrtodTrimmed.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/replace_ScopedNativeLibrary_in_ApplyMitigationsToCurrentThread.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/revert_TargetNtSetInformationThread_change.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/revert_Token_serialization_and_deserialization.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/revert_removal_of_app_dir_for_DLL_load.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/revert_remove_AddTargetPeer.patch create mode 100644 security/sandbox/chromium-shim/patches/with_update/revert_remove_BrokerDuplicateHandle.patch create mode 100644 security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h create mode 100644 security/sandbox/chromium-shim/sandbox/win/loggingTypes.h create mode 100644 security/sandbox/chromium-shim/sandbox/win/sandboxLogging.cpp create mode 100644 security/sandbox/chromium-shim/sandbox/win/sandboxLogging.h create mode 100644 security/sandbox/chromium-shim/sandbox/win/src/line_break_common.h create mode 100644 security/sandbox/chromium-shim/sandbox/win/src/line_break_dispatcher.cc create mode 100644 
security/sandbox/chromium-shim/sandbox/win/src/line_break_dispatcher.h create mode 100644 security/sandbox/chromium-shim/sandbox/win/src/line_break_interception.cc create mode 100644 security/sandbox/chromium-shim/sandbox/win/src/line_break_interception.h create mode 100644 security/sandbox/chromium-shim/sandbox/win/src/line_break_policy.cc create mode 100644 security/sandbox/chromium-shim/sandbox/win/src/line_break_policy.h create mode 100644 security/sandbox/chromium-shim/sandbox/win/src/sandbox_policy_diagnostic.h create mode 100644 security/sandbox/chromium-shim/sandbox/win/src/sidestep_resolver.h create mode 100644 security/sandbox/chromium/LICENSE create mode 100644 security/sandbox/chromium/base/at_exit.cc create mode 100644 security/sandbox/chromium/base/at_exit.h create mode 100644 security/sandbox/chromium/base/atomic_ref_count.h create mode 100644 security/sandbox/chromium/base/atomic_sequence_num.h create mode 100644 security/sandbox/chromium/base/atomicops.h create mode 100644 security/sandbox/chromium/base/atomicops_internals_portable.h create mode 100644 security/sandbox/chromium/base/atomicops_internals_x86_msvc.h create mode 100644 security/sandbox/chromium/base/base_export.h create mode 100644 security/sandbox/chromium/base/base_paths.h create mode 100644 security/sandbox/chromium/base/base_paths_win.h create mode 100644 security/sandbox/chromium/base/base_switches.cc create mode 100644 security/sandbox/chromium/base/base_switches.h create mode 100644 security/sandbox/chromium/base/bind.h create mode 100644 security/sandbox/chromium/base/bind_helpers.h create mode 100644 security/sandbox/chromium/base/bind_internal.h create mode 100644 security/sandbox/chromium/base/bit_cast.h create mode 100644 security/sandbox/chromium/base/bits.h create mode 100644 security/sandbox/chromium/base/callback.h create mode 100644 security/sandbox/chromium/base/callback_forward.h create mode 100644 security/sandbox/chromium/base/callback_internal.cc create mode 
100644 security/sandbox/chromium/base/callback_internal.h create mode 100644 security/sandbox/chromium/base/compiler_specific.h create mode 100644 security/sandbox/chromium/base/containers/adapters.h create mode 100644 security/sandbox/chromium/base/containers/buffer_iterator.h create mode 100644 security/sandbox/chromium/base/containers/checked_iterators.h create mode 100644 security/sandbox/chromium/base/containers/circular_deque.h create mode 100644 security/sandbox/chromium/base/containers/span.h create mode 100644 security/sandbox/chromium/base/containers/stack.h create mode 100644 security/sandbox/chromium/base/containers/util.h create mode 100644 security/sandbox/chromium/base/containers/vector_buffer.h create mode 100644 security/sandbox/chromium/base/cpu.cc create mode 100644 security/sandbox/chromium/base/cpu.h create mode 100644 security/sandbox/chromium/base/debug/alias.cc create mode 100644 security/sandbox/chromium/base/debug/alias.h create mode 100644 security/sandbox/chromium/base/debug/crash_logging.h create mode 100644 security/sandbox/chromium/base/debug/debugger.h create mode 100644 security/sandbox/chromium/base/debug/leak_annotations.h create mode 100644 security/sandbox/chromium/base/debug/profiler.cc create mode 100644 security/sandbox/chromium/base/debug/profiler.h create mode 100644 security/sandbox/chromium/base/environment.cc create mode 100644 security/sandbox/chromium/base/environment.h create mode 100644 security/sandbox/chromium/base/file_descriptor_posix.h create mode 100644 security/sandbox/chromium/base/files/file_path.h create mode 100644 security/sandbox/chromium/base/files/file_path_constants.cc create mode 100644 security/sandbox/chromium/base/format_macros.h create mode 100644 security/sandbox/chromium/base/guid.h create mode 100644 security/sandbox/chromium/base/hash/hash.cc create mode 100644 security/sandbox/chromium/base/hash/hash.h create mode 100644 security/sandbox/chromium/base/immediate_crash.h create mode 100644 
security/sandbox/chromium/base/lazy_instance.h create mode 100644 security/sandbox/chromium/base/lazy_instance_helpers.cc create mode 100644 security/sandbox/chromium/base/lazy_instance_helpers.h create mode 100644 security/sandbox/chromium/base/location.cc create mode 100644 security/sandbox/chromium/base/location.h create mode 100644 security/sandbox/chromium/base/logging.h create mode 100644 security/sandbox/chromium/base/macros.h create mode 100644 security/sandbox/chromium/base/memory/aligned_memory.h create mode 100644 security/sandbox/chromium/base/memory/free_deleter.h create mode 100644 security/sandbox/chromium/base/memory/platform_shared_memory_region.cc create mode 100644 security/sandbox/chromium/base/memory/platform_shared_memory_region.h create mode 100644 security/sandbox/chromium/base/memory/platform_shared_memory_region_win.cc create mode 100644 security/sandbox/chromium/base/memory/ptr_util.h create mode 100644 security/sandbox/chromium/base/memory/raw_scoped_refptr_mismatch_checker.h create mode 100644 security/sandbox/chromium/base/memory/ref_counted.cc create mode 100644 security/sandbox/chromium/base/memory/ref_counted.h create mode 100644 security/sandbox/chromium/base/memory/scoped_refptr.h create mode 100644 security/sandbox/chromium/base/memory/shared_memory_mapping.cc create mode 100644 security/sandbox/chromium/base/memory/shared_memory_mapping.h create mode 100644 security/sandbox/chromium/base/memory/singleton.h create mode 100644 security/sandbox/chromium/base/memory/unsafe_shared_memory_region.cc create mode 100644 security/sandbox/chromium/base/memory/unsafe_shared_memory_region.h create mode 100644 security/sandbox/chromium/base/memory/weak_ptr.h create mode 100644 security/sandbox/chromium/base/no_destructor.h create mode 100644 security/sandbox/chromium/base/numerics/checked_math.h create mode 100644 security/sandbox/chromium/base/numerics/checked_math_impl.h create mode 100644 
security/sandbox/chromium/base/numerics/clamped_math.h create mode 100644 security/sandbox/chromium/base/numerics/clamped_math_impl.h create mode 100644 security/sandbox/chromium/base/numerics/safe_conversions.h create mode 100644 security/sandbox/chromium/base/numerics/safe_conversions_arm_impl.h create mode 100644 security/sandbox/chromium/base/numerics/safe_conversions_impl.h create mode 100644 security/sandbox/chromium/base/numerics/safe_math.h create mode 100644 security/sandbox/chromium/base/numerics/safe_math_arm_impl.h create mode 100644 security/sandbox/chromium/base/numerics/safe_math_clang_gcc_impl.h create mode 100644 security/sandbox/chromium/base/numerics/safe_math_shared_impl.h create mode 100644 security/sandbox/chromium/base/optional.h create mode 100644 security/sandbox/chromium/base/os_compat_android.h create mode 100644 security/sandbox/chromium/base/path_service.h create mode 100644 security/sandbox/chromium/base/posix/can_lower_nice_to.cc create mode 100644 security/sandbox/chromium/base/posix/can_lower_nice_to.h create mode 100644 security/sandbox/chromium/base/posix/eintr_wrapper.h create mode 100644 security/sandbox/chromium/base/posix/safe_strerror.cc create mode 100644 security/sandbox/chromium/base/posix/safe_strerror.h create mode 100644 security/sandbox/chromium/base/process/environment_internal.cc create mode 100644 security/sandbox/chromium/base/process/environment_internal.h create mode 100644 security/sandbox/chromium/base/process/kill.h create mode 100644 security/sandbox/chromium/base/process/memory.h create mode 100644 security/sandbox/chromium/base/process/process.h create mode 100644 security/sandbox/chromium/base/process/process_handle.h create mode 100644 security/sandbox/chromium/base/process/process_handle_win.cc create mode 100644 security/sandbox/chromium/base/rand_util.h create mode 100644 security/sandbox/chromium/base/rand_util_win.cc create mode 100644 security/sandbox/chromium/base/scoped_clear_last_error.h create 
mode 100644 security/sandbox/chromium/base/scoped_clear_last_error_win.cc create mode 100644 security/sandbox/chromium/base/sequence_checker.h create mode 100644 security/sandbox/chromium/base/sequence_checker_impl.h create mode 100644 security/sandbox/chromium/base/sequence_token.h create mode 100644 security/sandbox/chromium/base/sequenced_task_runner.h create mode 100644 security/sandbox/chromium/base/sequenced_task_runner_helpers.h create mode 100644 security/sandbox/chromium/base/single_thread_task_runner.h create mode 100644 security/sandbox/chromium/base/stl_util.h create mode 100644 security/sandbox/chromium/base/strings/char_traits.h create mode 100644 security/sandbox/chromium/base/strings/nullable_string16.cc create mode 100644 security/sandbox/chromium/base/strings/nullable_string16.h create mode 100644 security/sandbox/chromium/base/strings/safe_sprintf.cc create mode 100644 security/sandbox/chromium/base/strings/safe_sprintf.h create mode 100644 security/sandbox/chromium/base/strings/safe_sprintf_unittest.cc create mode 100644 security/sandbox/chromium/base/strings/string16.cc create mode 100644 security/sandbox/chromium/base/strings/string16.h create mode 100644 security/sandbox/chromium/base/strings/string_number_conversions.cc create mode 100644 security/sandbox/chromium/base/strings/string_number_conversions.h create mode 100644 security/sandbox/chromium/base/strings/string_piece.cc create mode 100644 security/sandbox/chromium/base/strings/string_piece.h create mode 100644 security/sandbox/chromium/base/strings/string_piece_forward.h create mode 100644 security/sandbox/chromium/base/strings/string_split.cc create mode 100644 security/sandbox/chromium/base/strings/string_split.h create mode 100644 security/sandbox/chromium/base/strings/string_util.cc create mode 100644 security/sandbox/chromium/base/strings/string_util.h create mode 100644 security/sandbox/chromium/base/strings/string_util_constants.cc create mode 100644 
security/sandbox/chromium/base/strings/string_util_posix.h create mode 100644 security/sandbox/chromium/base/strings/string_util_win.h create mode 100644 security/sandbox/chromium/base/strings/stringprintf.cc create mode 100644 security/sandbox/chromium/base/strings/stringprintf.h create mode 100644 security/sandbox/chromium/base/strings/utf_string_conversion_utils.cc create mode 100644 security/sandbox/chromium/base/strings/utf_string_conversion_utils.h create mode 100644 security/sandbox/chromium/base/strings/utf_string_conversions.cc create mode 100644 security/sandbox/chromium/base/strings/utf_string_conversions.h create mode 100644 security/sandbox/chromium/base/synchronization/atomic_flag.h create mode 100644 security/sandbox/chromium/base/synchronization/condition_variable.h create mode 100644 security/sandbox/chromium/base/synchronization/condition_variable_posix.cc create mode 100644 security/sandbox/chromium/base/synchronization/lock.cc create mode 100644 security/sandbox/chromium/base/synchronization/lock.h create mode 100644 security/sandbox/chromium/base/synchronization/lock_impl.h create mode 100644 security/sandbox/chromium/base/synchronization/lock_impl_posix.cc create mode 100644 security/sandbox/chromium/base/synchronization/lock_impl_win.cc create mode 100644 security/sandbox/chromium/base/synchronization/waitable_event.h create mode 100644 security/sandbox/chromium/base/synchronization/waitable_event_posix.cc create mode 100644 security/sandbox/chromium/base/task_runner.h create mode 100644 security/sandbox/chromium/base/template_util.h create mode 100644 security/sandbox/chromium/base/third_party/cityhash/COPYING create mode 100644 security/sandbox/chromium/base/third_party/cityhash/city.cc create mode 100644 security/sandbox/chromium/base/third_party/cityhash/city.h create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/LICENSE create mode 100644 
security/sandbox/chromium/base/third_party/double_conversion/double-conversion/bignum-dtoa.cc create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/double-conversion/bignum-dtoa.h create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/double-conversion/bignum.cc create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/double-conversion/bignum.h create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/double-conversion/cached-powers.cc create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/double-conversion/cached-powers.h create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/double-conversion/diy-fp.h create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/double-conversion/double-conversion.h create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/double-conversion/double-to-string.cc create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/double-conversion/double-to-string.h create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/double-conversion/fast-dtoa.cc create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/double-conversion/fast-dtoa.h create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/double-conversion/fixed-dtoa.cc create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/double-conversion/fixed-dtoa.h create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/double-conversion/ieee.h create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/double-conversion/string-to-double.cc create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/double-conversion/string-to-double.h create mode 100644 
security/sandbox/chromium/base/third_party/double_conversion/double-conversion/strtod.cc create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/double-conversion/strtod.h create mode 100644 security/sandbox/chromium/base/third_party/double_conversion/double-conversion/utils.h create mode 100644 security/sandbox/chromium/base/third_party/dynamic_annotations/LICENSE create mode 100644 security/sandbox/chromium/base/third_party/dynamic_annotations/dynamic_annotations.h create mode 100644 security/sandbox/chromium/base/third_party/icu/LICENSE create mode 100644 security/sandbox/chromium/base/third_party/icu/icu_utf.cc create mode 100644 security/sandbox/chromium/base/third_party/icu/icu_utf.h create mode 100644 security/sandbox/chromium/base/third_party/superfasthash/LICENSE create mode 100644 security/sandbox/chromium/base/third_party/superfasthash/README.chromium create mode 100644 security/sandbox/chromium/base/third_party/superfasthash/superfasthash.c create mode 100644 security/sandbox/chromium/base/third_party/valgrind/LICENSE create mode 100644 security/sandbox/chromium/base/third_party/valgrind/valgrind.h create mode 100644 security/sandbox/chromium/base/thread_annotations.h create mode 100644 security/sandbox/chromium/base/threading/platform_thread.cc create mode 100644 security/sandbox/chromium/base/threading/platform_thread.h create mode 100644 security/sandbox/chromium/base/threading/platform_thread_internal_posix.cc create mode 100644 security/sandbox/chromium/base/threading/platform_thread_internal_posix.h create mode 100644 security/sandbox/chromium/base/threading/platform_thread_posix.cc create mode 100644 security/sandbox/chromium/base/threading/platform_thread_win.cc create mode 100644 security/sandbox/chromium/base/threading/platform_thread_win.h create mode 100644 security/sandbox/chromium/base/threading/thread_checker_impl.h create mode 100644 security/sandbox/chromium/base/threading/thread_collision_warner.cc create mode 
100644 security/sandbox/chromium/base/threading/thread_collision_warner.h create mode 100644 security/sandbox/chromium/base/threading/thread_id_name_manager.cc create mode 100644 security/sandbox/chromium/base/threading/thread_id_name_manager.h create mode 100644 security/sandbox/chromium/base/threading/thread_local.h create mode 100644 security/sandbox/chromium/base/threading/thread_local_internal.h create mode 100644 security/sandbox/chromium/base/threading/thread_local_storage.cc create mode 100644 security/sandbox/chromium/base/threading/thread_local_storage.h create mode 100644 security/sandbox/chromium/base/threading/thread_local_storage_posix.cc create mode 100644 security/sandbox/chromium/base/threading/thread_local_storage_win.cc create mode 100644 security/sandbox/chromium/base/threading/thread_restrictions.cc create mode 100644 security/sandbox/chromium/base/threading/thread_restrictions.h create mode 100644 security/sandbox/chromium/base/time/time.cc create mode 100644 security/sandbox/chromium/base/time/time.h create mode 100644 security/sandbox/chromium/base/time/time_exploded_posix.cc create mode 100644 security/sandbox/chromium/base/time/time_now_posix.cc create mode 100644 security/sandbox/chromium/base/time/time_override.h create mode 100644 security/sandbox/chromium/base/time/time_win.cc create mode 100644 security/sandbox/chromium/base/time/time_win_features.cc create mode 100644 security/sandbox/chromium/base/time/time_win_features.h create mode 100644 security/sandbox/chromium/base/token.cc create mode 100644 security/sandbox/chromium/base/token.h create mode 100644 security/sandbox/chromium/base/tuple.h create mode 100644 security/sandbox/chromium/base/unguessable_token.cc create mode 100644 security/sandbox/chromium/base/unguessable_token.h create mode 100644 security/sandbox/chromium/base/version.cc create mode 100644 security/sandbox/chromium/base/version.h create mode 100644 security/sandbox/chromium/base/win/current_module.h create mode 
100644 security/sandbox/chromium/base/win/pe_image.cc create mode 100644 security/sandbox/chromium/base/win/pe_image.h create mode 100644 security/sandbox/chromium/base/win/scoped_handle.cc create mode 100644 security/sandbox/chromium/base/win/scoped_handle.h create mode 100644 security/sandbox/chromium/base/win/scoped_handle_verifier.cc create mode 100644 security/sandbox/chromium/base/win/scoped_handle_verifier.h create mode 100644 security/sandbox/chromium/base/win/scoped_process_information.cc create mode 100644 security/sandbox/chromium/base/win/scoped_process_information.h create mode 100644 security/sandbox/chromium/base/win/startup_information.cc create mode 100644 security/sandbox/chromium/base/win/startup_information.h create mode 100644 security/sandbox/chromium/base/win/static_constants.cc create mode 100644 security/sandbox/chromium/base/win/static_constants.h create mode 100644 security/sandbox/chromium/base/win/windows_types.h create mode 100644 security/sandbox/chromium/base/win/windows_version.cc create mode 100644 security/sandbox/chromium/base/win/windows_version.h create mode 100644 security/sandbox/chromium/build/build_config.h create mode 100644 security/sandbox/chromium/build/buildflag.h create mode 100644 security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl.cc create mode 100644 security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl.h create mode 100644 security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl_forward.h create mode 100644 security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl_impl.h create mode 100644 security/sandbox/chromium/sandbox/linux/bpf_dsl/codegen.cc create mode 100644 security/sandbox/chromium/sandbox/linux/bpf_dsl/codegen.h create mode 100644 security/sandbox/chromium/sandbox/linux/bpf_dsl/cons.h create mode 100644 security/sandbox/chromium/sandbox/linux/bpf_dsl/dump_bpf.cc create mode 100644 security/sandbox/chromium/sandbox/linux/bpf_dsl/dump_bpf.h create mode 100644 
security/sandbox/chromium/sandbox/linux/bpf_dsl/errorcode.h create mode 100644 security/sandbox/chromium/sandbox/linux/bpf_dsl/linux_syscall_ranges.h create mode 100644 security/sandbox/chromium/sandbox/linux/bpf_dsl/policy.cc create mode 100644 security/sandbox/chromium/sandbox/linux/bpf_dsl/policy.h create mode 100644 security/sandbox/chromium/sandbox/linux/bpf_dsl/policy_compiler.cc create mode 100644 security/sandbox/chromium/sandbox/linux/bpf_dsl/policy_compiler.h create mode 100644 security/sandbox/chromium/sandbox/linux/bpf_dsl/seccomp_macros.h create mode 100644 security/sandbox/chromium/sandbox/linux/bpf_dsl/syscall_set.cc create mode 100644 security/sandbox/chromium/sandbox/linux/bpf_dsl/syscall_set.h create mode 100644 security/sandbox/chromium/sandbox/linux/bpf_dsl/trap_registry.h create mode 100644 security/sandbox/chromium/sandbox/linux/seccomp-bpf/bpf_tester_compatibility_delegate.h create mode 100644 security/sandbox/chromium/sandbox/linux/seccomp-bpf/bpf_tests.h create mode 100644 security/sandbox/chromium/sandbox/linux/seccomp-bpf/bpf_tests_unittest.cc create mode 100644 security/sandbox/chromium/sandbox/linux/seccomp-bpf/die.cc create mode 100644 security/sandbox/chromium/sandbox/linux/seccomp-bpf/die.h create mode 100644 security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc create mode 100644 security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.h create mode 100644 security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf_test_runner.cc create mode 100644 security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf_test_runner.h create mode 100644 security/sandbox/chromium/sandbox/linux/seccomp-bpf/syscall.cc create mode 100644 security/sandbox/chromium/sandbox/linux/seccomp-bpf/syscall.h create mode 100644 security/sandbox/chromium/sandbox/linux/seccomp-bpf/syscall_unittest.cc create mode 100644 security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc create mode 100644 
security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.h create mode 100644 security/sandbox/chromium/sandbox/linux/services/syscall_wrappers.cc create mode 100644 security/sandbox/chromium/sandbox/linux/services/syscall_wrappers.h create mode 100644 security/sandbox/chromium/sandbox/linux/system_headers/arm64_linux_syscalls.h create mode 100644 security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h create mode 100644 security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_ucontext.h create mode 100644 security/sandbox/chromium/sandbox/linux/system_headers/capability.h create mode 100644 security/sandbox/chromium/sandbox/linux/system_headers/i386_linux_ucontext.h create mode 100644 security/sandbox/chromium/sandbox/linux/system_headers/linux_filter.h create mode 100644 security/sandbox/chromium/sandbox/linux/system_headers/linux_futex.h create mode 100644 security/sandbox/chromium/sandbox/linux/system_headers/linux_seccomp.h create mode 100644 security/sandbox/chromium/sandbox/linux/system_headers/linux_signal.h create mode 100644 security/sandbox/chromium/sandbox/linux/system_headers/linux_syscalls.h create mode 100644 security/sandbox/chromium/sandbox/linux/system_headers/linux_ucontext.h create mode 100644 security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h create mode 100644 security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h create mode 100644 security/sandbox/chromium/sandbox/sandbox_export.h create mode 100644 security/sandbox/chromium/sandbox/win/src/acl.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/acl.h create mode 100644 security/sandbox/chromium/sandbox/win/src/app_container_profile.h create mode 100644 security/sandbox/chromium/sandbox/win/src/app_container_profile_base.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/app_container_profile_base.h create mode 100644 security/sandbox/chromium/sandbox/win/src/app_container_test.cc create 
mode 100644 security/sandbox/chromium/sandbox/win/src/broker_services.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/broker_services.h create mode 100644 security/sandbox/chromium/sandbox/win/src/crosscall_client.h create mode 100644 security/sandbox/chromium/sandbox/win/src/crosscall_params.h create mode 100644 security/sandbox/chromium/sandbox/win/src/crosscall_server.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/crosscall_server.h create mode 100644 security/sandbox/chromium/sandbox/win/src/eat_resolver.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/eat_resolver.h create mode 100644 security/sandbox/chromium/sandbox/win/src/file_policy_test.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.h create mode 100644 security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/filesystem_interception.h create mode 100644 security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/filesystem_policy.h create mode 100644 security/sandbox/chromium/sandbox/win/src/handle_closer.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/handle_closer.h create mode 100644 security/sandbox/chromium/sandbox/win/src/handle_closer_agent.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/handle_closer_agent.h create mode 100644 security/sandbox/chromium/sandbox/win/src/handle_closer_test.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/handle_dispatcher.h create mode 100644 security/sandbox/chromium/sandbox/win/src/handle_inheritance_test.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/handle_interception.cc create mode 100644 
security/sandbox/chromium/sandbox/win/src/handle_interception.h create mode 100644 security/sandbox/chromium/sandbox/win/src/handle_policy.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/handle_policy.h create mode 100644 security/sandbox/chromium/sandbox/win/src/handle_policy_test.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/heap_helper.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/heap_helper.h create mode 100644 security/sandbox/chromium/sandbox/win/src/integrity_level_test.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/interception.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/interception.h create mode 100644 security/sandbox/chromium/sandbox/win/src/interception_agent.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/interception_agent.h create mode 100644 security/sandbox/chromium/sandbox/win/src/interception_internal.h create mode 100644 security/sandbox/chromium/sandbox/win/src/interception_unittest.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/interceptors.h create mode 100644 security/sandbox/chromium/sandbox/win/src/interceptors_64.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/interceptors_64.h create mode 100644 security/sandbox/chromium/sandbox/win/src/internal_types.h create mode 100644 security/sandbox/chromium/sandbox/win/src/ipc_args.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/ipc_args.h create mode 100644 security/sandbox/chromium/sandbox/win/src/ipc_ping_test.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/ipc_tags.h create mode 100644 security/sandbox/chromium/sandbox/win/src/ipc_unittest.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/job.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/job.h create mode 100644 security/sandbox/chromium/sandbox/win/src/job_unittest.cc create mode 100644 
security/sandbox/chromium/sandbox/win/src/named_pipe_dispatcher.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/named_pipe_dispatcher.h create mode 100644 security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/named_pipe_interception.h create mode 100644 security/sandbox/chromium/sandbox/win/src/named_pipe_policy.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/named_pipe_policy.h create mode 100644 security/sandbox/chromium/sandbox/win/src/named_pipe_policy_test.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/nt_internals.h create mode 100644 security/sandbox/chromium/sandbox/win/src/policy_broker.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/policy_broker.h create mode 100644 security/sandbox/chromium/sandbox/win/src/policy_engine_opcodes.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/policy_engine_opcodes.h create mode 100644 security/sandbox/chromium/sandbox/win/src/policy_engine_params.h create mode 100644 security/sandbox/chromium/sandbox/win/src/policy_engine_processor.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/policy_engine_processor.h create mode 100644 security/sandbox/chromium/sandbox/win/src/policy_engine_unittest.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/policy_low_level.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/policy_low_level.h create mode 100644 security/sandbox/chromium/sandbox/win/src/policy_low_level_unittest.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/policy_opcodes_unittest.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/policy_params.h create mode 100644 security/sandbox/chromium/sandbox/win/src/policy_target.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/policy_target.h create mode 100644 security/sandbox/chromium/sandbox/win/src/policy_target_test.cc create mode 100644 
security/sandbox/chromium/sandbox/win/src/process_mitigations.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/process_mitigations.h create mode 100644 security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_dispatcher.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_dispatcher.h create mode 100644 security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_interception.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_interception.h create mode 100644 security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_policy.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_policy.h create mode 100644 security/sandbox/chromium/sandbox/win/src/process_policy_test.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/process_thread_dispatcher.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/process_thread_dispatcher.h create mode 100644 security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/process_thread_interception.h create mode 100644 security/sandbox/chromium/sandbox/win/src/process_thread_policy.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/process_thread_policy.h create mode 100644 security/sandbox/chromium/sandbox/win/src/registry_dispatcher.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/registry_dispatcher.h create mode 100644 security/sandbox/chromium/sandbox/win/src/registry_interception.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/registry_interception.h create mode 100644 security/sandbox/chromium/sandbox/win/src/registry_policy.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/registry_policy.h create mode 100644 security/sandbox/chromium/sandbox/win/src/registry_policy_test.cc create mode 100644 
security/sandbox/chromium/sandbox/win/src/resolver.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/resolver.h create mode 100644 security/sandbox/chromium/sandbox/win/src/resolver_32.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/resolver_64.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/restricted_token.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/restricted_token.h create mode 100644 security/sandbox/chromium/sandbox/win/src/restricted_token_unittest.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h create mode 100644 security/sandbox/chromium/sandbox/win/src/sandbox.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/sandbox.h create mode 100644 security/sandbox/chromium/sandbox/win/src/sandbox.vcproj create mode 100644 security/sandbox/chromium/sandbox/win/src/sandbox_factory.h create mode 100644 security/sandbox/chromium/sandbox/win/src/sandbox_globals.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/sandbox_nt_types.h create mode 100644 security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.h create mode 100644 security/sandbox/chromium/sandbox/win/src/sandbox_policy.h create mode 100644 security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h create mode 100644 security/sandbox/chromium/sandbox/win/src/sandbox_rand.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/sandbox_rand.h create mode 100644 security/sandbox/chromium/sandbox/win/src/sandbox_types.h create mode 100644 security/sandbox/chromium/sandbox/win/src/sandbox_utils.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/sandbox_utils.h create mode 100644 
security/sandbox/chromium/sandbox/win/src/security_capabilities.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/security_capabilities.h create mode 100644 security/sandbox/chromium/sandbox/win/src/security_level.h create mode 100644 security/sandbox/chromium/sandbox/win/src/service_resolver.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/service_resolver.h create mode 100644 security/sandbox/chromium/sandbox/win/src/service_resolver_32.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/service_resolver_64.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/service_resolver_unittest.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_client.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_client.h create mode 100644 security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_server.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_server.h create mode 100644 security/sandbox/chromium/sandbox/win/src/sid.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/sid.h create mode 100644 security/sandbox/chromium/sandbox/win/src/sid_unittest.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/signed_dispatcher.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/signed_dispatcher.h create mode 100644 security/sandbox/chromium/sandbox/win/src/signed_interception.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/signed_interception.h create mode 100644 security/sandbox/chromium/sandbox/win/src/signed_policy.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/signed_policy.h create mode 100644 security/sandbox/chromium/sandbox/win/src/sync_dispatcher.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/sync_dispatcher.h create mode 100644 security/sandbox/chromium/sandbox/win/src/sync_interception.cc create mode 100644 
security/sandbox/chromium/sandbox/win/src/sync_interception.h create mode 100644 security/sandbox/chromium/sandbox/win/src/sync_policy.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/sync_policy.h create mode 100644 security/sandbox/chromium/sandbox/win/src/sync_policy_test.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/sync_policy_test.h create mode 100644 security/sandbox/chromium/sandbox/win/src/target_interceptions.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/target_interceptions.h create mode 100644 security/sandbox/chromium/sandbox/win/src/target_process.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/target_process.h create mode 100644 security/sandbox/chromium/sandbox/win/src/target_services.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/target_services.h create mode 100644 security/sandbox/chromium/sandbox/win/src/threadpool_unittest.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.h create mode 100644 security/sandbox/chromium/sandbox/win/src/unload_dll_test.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/win2k_threadpool.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/win2k_threadpool.h create mode 100644 security/sandbox/chromium/sandbox/win/src/win_utils.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/win_utils.h create mode 100644 security/sandbox/chromium/sandbox/win/src/win_utils_unittest.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/window.cc create mode 100644 security/sandbox/chromium/sandbox/win/src/window.h create mode 100644 security/sandbox/common/SandboxSettings.cpp create mode 100644 security/sandbox/common/SandboxSettings.h create mode 100644 security/sandbox/common/components.conf create mode 100644 security/sandbox/common/moz.build create mode 100644 
security/sandbox/common/mozISandboxSettings.idl create mode 100644 security/sandbox/common/test/PSandboxTesting.ipdl create mode 100644 security/sandbox/common/test/SandboxTest.cpp create mode 100644 security/sandbox/common/test/SandboxTest.h create mode 100644 security/sandbox/common/test/SandboxTestingChild.cpp create mode 100644 security/sandbox/common/test/SandboxTestingChild.h create mode 100644 security/sandbox/common/test/SandboxTestingChildTests.h create mode 100644 security/sandbox/common/test/SandboxTestingParent.cpp create mode 100644 security/sandbox/common/test/SandboxTestingParent.h create mode 100644 security/sandbox/common/test/SandboxTestingThread.h create mode 100644 security/sandbox/common/test/mozISandboxTest.idl create mode 100644 security/sandbox/linux/LinuxSched.h create mode 100644 security/sandbox/linux/Sandbox.cpp create mode 100644 security/sandbox/linux/Sandbox.h create mode 100644 security/sandbox/linux/SandboxBrokerClient.cpp create mode 100644 security/sandbox/linux/SandboxBrokerClient.h create mode 100644 security/sandbox/linux/SandboxChrootProto.h create mode 100644 security/sandbox/linux/SandboxFilter.cpp create mode 100644 security/sandbox/linux/SandboxFilter.h create mode 100644 security/sandbox/linux/SandboxFilterUtil.cpp create mode 100644 security/sandbox/linux/SandboxFilterUtil.h create mode 100644 security/sandbox/linux/SandboxHooks.cpp create mode 100644 security/sandbox/linux/SandboxInfo.cpp create mode 100644 security/sandbox/linux/SandboxInfo.h create mode 100644 security/sandbox/linux/SandboxInternal.h create mode 100644 security/sandbox/linux/SandboxLogging.cpp create mode 100644 security/sandbox/linux/SandboxLogging.h create mode 100644 security/sandbox/linux/SandboxOpenedFiles.cpp create mode 100644 security/sandbox/linux/SandboxOpenedFiles.h create mode 100644 security/sandbox/linux/SandboxReporterClient.cpp create mode 100644 security/sandbox/linux/SandboxReporterClient.h create mode 100644 
security/sandbox/linux/broker/SandboxBroker.cpp create mode 100644 security/sandbox/linux/broker/SandboxBroker.h create mode 100644 security/sandbox/linux/broker/SandboxBrokerCommon.cpp create mode 100644 security/sandbox/linux/broker/SandboxBrokerCommon.h create mode 100644 security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp create mode 100644 security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h create mode 100644 security/sandbox/linux/broker/SandboxBrokerRealpath.cpp create mode 100644 security/sandbox/linux/broker/SandboxBrokerUtils.h create mode 100644 security/sandbox/linux/broker/moz.build create mode 100644 security/sandbox/linux/glue/SandboxCrash.cpp create mode 100644 security/sandbox/linux/glue/SandboxPrefBridge.cpp create mode 100644 security/sandbox/linux/glue/moz.build create mode 100644 security/sandbox/linux/gtest/TestBroker.cpp create mode 100644 security/sandbox/linux/gtest/TestBrokerPolicy.cpp create mode 100644 security/sandbox/linux/gtest/TestLogging.cpp create mode 100644 security/sandbox/linux/gtest/moz.build create mode 100644 security/sandbox/linux/interfaces/moz.build create mode 100644 security/sandbox/linux/interfaces/mozISandboxReporter.idl create mode 100644 security/sandbox/linux/launch/LinuxCapabilities.cpp create mode 100644 security/sandbox/linux/launch/LinuxCapabilities.h create mode 100644 security/sandbox/linux/launch/SandboxLaunch.cpp create mode 100644 security/sandbox/linux/launch/SandboxLaunch.h create mode 100644 security/sandbox/linux/launch/moz.build create mode 100644 security/sandbox/linux/moz.build create mode 100644 security/sandbox/linux/reporter/SandboxReporter.cpp create mode 100644 security/sandbox/linux/reporter/SandboxReporter.h create mode 100644 security/sandbox/linux/reporter/SandboxReporterCommon.h create mode 100644 security/sandbox/linux/reporter/SandboxReporterWrappers.cpp create mode 100644 security/sandbox/linux/reporter/components.conf create mode 100644 
security/sandbox/linux/reporter/moz.build create mode 100644 security/sandbox/mac/Sandbox.h create mode 100644 security/sandbox/mac/Sandbox.mm create mode 100644 security/sandbox/mac/SandboxPolicyContent.h create mode 100644 security/sandbox/mac/SandboxPolicyGMP.h create mode 100644 security/sandbox/mac/SandboxPolicyRDD.h create mode 100644 security/sandbox/mac/SandboxPolicySocket.h create mode 100644 security/sandbox/mac/SandboxPolicyUtility.h create mode 100644 security/sandbox/mac/moz.build create mode 100644 security/sandbox/moz.build create mode 100644 security/sandbox/test/browser.ini create mode 100644 security/sandbox/test/browser_bug1393259.js create mode 100644 security/sandbox/test/browser_bug1717599_XDG-CONFIG-DIRS.ini create mode 100644 security/sandbox/test/browser_bug1717599_XDG-CONFIG-HOME.ini create mode 100644 security/sandbox/test/browser_content_sandbox_bug1717599_XDG-CONFIG-DIRS.js create mode 100644 security/sandbox/test/browser_content_sandbox_bug1717599_XDG-CONFIG-HOME.js create mode 100644 security/sandbox/test/browser_content_sandbox_fs.js create mode 100644 security/sandbox/test/browser_content_sandbox_fs_snap.js create mode 100644 security/sandbox/test/browser_content_sandbox_fs_tests.js create mode 100644 security/sandbox/test/browser_content_sandbox_fs_xdg.js create mode 100644 security/sandbox/test/browser_content_sandbox_syscalls.js create mode 100644 security/sandbox/test/browser_content_sandbox_utils.js create mode 100644 security/sandbox/test/browser_sandbox_test.js create mode 100644 security/sandbox/test/browser_snap.ini create mode 100644 security/sandbox/test/browser_xdg.ini create mode 100644 security/sandbox/test/bug1393259.html create mode 100755 security/sandbox/test/mac_register_font.py create mode 100644 security/sandbox/win/SandboxInitialization.cpp create mode 100644 security/sandbox/win/SandboxInitialization.h create mode 100644 security/sandbox/win/src/remotesandboxbroker/PRemoteSandboxBroker.ipdl create mode 100644 
security/sandbox/win/src/remotesandboxbroker/RemoteSandboxBrokerChild.cpp create mode 100644 security/sandbox/win/src/remotesandboxbroker/RemoteSandboxBrokerChild.h create mode 100644 security/sandbox/win/src/remotesandboxbroker/RemoteSandboxBrokerParent.cpp create mode 100644 security/sandbox/win/src/remotesandboxbroker/RemoteSandboxBrokerParent.h create mode 100644 security/sandbox/win/src/remotesandboxbroker/RemoteSandboxBrokerProcessChild.cpp create mode 100644 security/sandbox/win/src/remotesandboxbroker/RemoteSandboxBrokerProcessChild.h create mode 100644 security/sandbox/win/src/remotesandboxbroker/RemoteSandboxBrokerProcessParent.cpp create mode 100644 security/sandbox/win/src/remotesandboxbroker/RemoteSandboxBrokerProcessParent.h create mode 100644 security/sandbox/win/src/remotesandboxbroker/moz.build create mode 100644 security/sandbox/win/src/remotesandboxbroker/remoteSandboxBroker.cpp create mode 100644 security/sandbox/win/src/remotesandboxbroker/remoteSandboxBroker.h create mode 100644 security/sandbox/win/src/sandboxbroker/moz.build create mode 100644 security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp create mode 100644 security/sandbox/win/src/sandboxbroker/sandboxBroker.h create mode 100644 security/sandbox/win/src/sandboxtarget/moz.build create mode 100644 security/sandbox/win/src/sandboxtarget/sandboxTarget.cpp create mode 100644 security/sandbox/win/src/sandboxtarget/sandboxTarget.h (limited to 'security/sandbox')
diff --git a/security/sandbox/chromium-shim/base/allocator/buildflags.h b/security/sandbox/chromium-shim/base/allocator/buildflags.h
new file mode 100644
index 0000000000..1799e64067
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/allocator/buildflags.h
@@ -0,0 +1,20 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a copy of a file that is generated by the chromium build, with
+// only the build flags we require.
+
+// Generated by build/write_buildflag_header.py
+// From "//base/allocator:buildflags"
+
+#ifndef BASE_ALLOCATOR_BUILDFLAGS_H_
+#define BASE_ALLOCATOR_BUILDFLAGS_H_
+
+#include "build/buildflag.h"
+
+#define BUILDFLAG_INTERNAL_USE_TCMALLOC() (0)
+
+#endif // BASE_ALLOCATOR_BUILDFLAGS_H_
diff --git a/security/sandbox/chromium-shim/base/allocator/partition_allocator/page_allocator.h b/security/sandbox/chromium-shim/base/allocator/partition_allocator/page_allocator.h
new file mode 100644
index 0000000000..e3bb27d897
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/allocator/partition_allocator/page_allocator.h
@@ -0,0 +1,21 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a dummy version of Chromium source file
+// base/allocator/partition_allocator/page_allocator.h.
+// To provide to an empty ReleaseReservation function, because we never call
+// ReserveAddressSpace.
+
+#ifndef BASE_ALLOCATOR_PARTITION_ALLOCATOR_PAGE_ALLOCATOR_H_
+#define BASE_ALLOCATOR_PARTITION_ALLOCATOR_PAGE_ALLOCATOR_H_
+
+namespace base {
+
+BASE_EXPORT void ReleaseReservation() {}
+
+} // namespace base
+
+#endif // BASE_ALLOCATOR_PARTITION_ALLOCATOR_PAGE_ALLOCATOR_H_
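Review bot: `BASE_EXPORT void ReleaseReservation() {}` in page_allocator.h is a non-inline function definition in a header, so every translation unit that includes it emits its own definition and the link fails with a duplicate symbol as soon as a second includer appears; `inline void ReleaseReservation() {}` keeps the no-op and removes that hazard. The header also uses `BASE_EXPORT` without including base/base_export.h, unlike activity_tracker.h in this same commit, so it only compiles when an earlier include happens to provide the macro. The buildflags.h hunk sharing this line is a generated-flag copy and needs no change.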
diff --git a/security/sandbox/chromium-shim/base/debug/activity_tracker.h b/security/sandbox/chromium-shim/base/debug/activity_tracker.h
new file mode 100644
index 0000000000..b59cd12cc0
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/debug/activity_tracker.h
@@ -0,0 +1,61 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a dummy version of Chromium source file base/debug/activity_tracker.h.
+// To provide a class required in base/synchronization/lock_impl_win.cc
+// ScopedLockAcquireActivity. We don't use activity tracking.
+
+#ifndef BASE_DEBUG_ACTIVITY_TRACKER_H_
+#define BASE_DEBUG_ACTIVITY_TRACKER_H_
+
+#include "base/base_export.h"
+#include "base/compiler_specific.h"
+#include "base/macros.h"
+
+namespace base {
+class PlatformThreadHandle;
+class WaitableEvent;
+
+namespace internal {
+class LockImpl;
+}
+
+namespace debug {
+
+class BASE_EXPORT GlobalActivityTracker {
+ public:
+ static bool IsEnabled() { return false; }
+ DISALLOW_COPY_AND_ASSIGN(GlobalActivityTracker);
+};
+
+class BASE_EXPORT ScopedLockAcquireActivity
+{
+ public:
+ ALWAYS_INLINE
+ explicit ScopedLockAcquireActivity(const base::internal::LockImpl* lock) {}
+ DISALLOW_COPY_AND_ASSIGN(ScopedLockAcquireActivity);
+};
+
+class BASE_EXPORT ScopedEventWaitActivity
+{
+ public:
+ ALWAYS_INLINE
+ explicit ScopedEventWaitActivity(const base::WaitableEvent* event) {}
+ DISALLOW_COPY_AND_ASSIGN(ScopedEventWaitActivity);
+};
+
+class BASE_EXPORT ScopedThreadJoinActivity
+{
+ public:
+ ALWAYS_INLINE
+ explicit ScopedThreadJoinActivity(const base::PlatformThreadHandle* thread) {}
+ DISALLOW_COPY_AND_ASSIGN(ScopedThreadJoinActivity);
+};
+
+} // namespace debug
+} // namespace base
+
+#endif // BASE_DEBUG_ACTIVITY_TRACKER_H_
diff --git a/security/sandbox/chromium-shim/base/debug/crash_logging.cpp b/security/sandbox/chromium-shim/base/debug/crash_logging.cpp
new file mode 100644
index 0000000000..b2c3f7afa2
--- /dev/null
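Review bot: The three no-op constructors name parameters they never read (`lock`, `event`, `thread`), which trips -Wunused-parameter wherever that warning is enabled; leaving them unnamed, e.g. `explicit ScopedLockAcquireActivity(const base::internal::LockImpl*) {}`, states the intent directly. The `ALWAYS_INLINE` on each constructor adds nothing for a body already defined inside the class, and the opening brace on its own line differs from the `GlobalActivityTracker` declaration a few lines above in the same file.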
+++ b/security/sandbox/chromium-shim/base/debug/crash_logging.cpp
@@ -0,0 +1,22 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a dummy version of base/debug/crash_logging.cc
+
+#include "base/debug/crash_logging.h"
+
+namespace base {
+namespace debug {
+
+CrashKeyString* AllocateCrashKeyString(const char name[],
+ CrashKeySize value_length) {
+ return nullptr;
+}
+
+void SetCrashKeyString(CrashKeyString* crash_key, base::StringPiece value) {}
+
+} // namespace debug
+} // namespace base
diff --git a/security/sandbox/chromium-shim/base/debug/debugging_buildflags.h b/security/sandbox/chromium-shim/base/debug/debugging_buildflags.h
new file mode 100644
index 0000000000..a2b89849a5
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/debug/debugging_buildflags.h
@@ -0,0 +1,21 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a copy of a file that is generated by the chromium build, with
+// only the build flags we require.
+
+// Generated by build/write_buildflag_header.py
+// From "//base:debugging_buildflags"
+
+#ifndef BASE_DEBUG_DEBUGGING_BUILDFLAGS_H_
+#define BASE_DEBUG_DEBUGGING_BUILDFLAGS_H_
+
+#include "build/buildflag.h"
+
+#define BUILDFLAG_INTERNAL_ENABLE_LOCATION_SOURCE() (1)
+#define BUILDFLAG_INTERNAL_ENABLE_PROFILING() (0)
+
+#endif // BASE_DEBUG_DEBUGGING_BUILDFLAGS_H_
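Review bot: The crash_logging.cpp stub silently discards every crash key — `AllocateCrashKeyString` returns `nullptr` and `SetCrashKeyString` ignores both arguments — but nothing in the file says so, and a reader of sandbox code that annotates failures will expect those values to be recorded somewhere. A comment above `AllocateCrashKeyString` such as `// Crash keys are not recorded by this shim: allocation always yields nullptr and SetCrashKeyString is a no-op, so callers must tolerate a null CrashKeyString*.` makes that contract explicit. The parameter names `name`, `value_length`, `crash_key` and `value` are unused and can be dropped for the same reason. The debugging_buildflags.h hunk sharing this line is a generated-flag copy and needs nothing.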
diff --git a/security/sandbox/chromium-shim/base/debug/stack_trace.h b/security/sandbox/chromium-shim/base/debug/stack_trace.h
new file mode 100644
index 0000000000..2ab1485204
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/debug/stack_trace.h
@@ -0,0 +1,30 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a dummy version of Chromium source file base/debug/stack_trace.h
+// to provide a dummy class StackTrace.
+
+#ifndef BASE_DEBUG_STACK_TRACE_H_
+#define BASE_DEBUG_STACK_TRACE_H_
+
+#include
+
+namespace base {
+namespace debug {
+
+class BASE_EXPORT StackTrace {
+ public:
+ StackTrace() {};
+
+#if !defined(__UCLIBC__) & !defined(_AIX)
+ void OutputToStream(std::ostream*) const {}
+#endif
+};
+
+} // namespace debug
+} // namespace base
+
+#endif // BASE_DEBUG_STACK_TRACE_H_
diff --git a/security/sandbox/chromium-shim/base/feature_list.h b/security/sandbox/chromium-shim/base/feature_list.h
new file mode 100644
index 0000000000..ada5c22f24
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/feature_list.h
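Review bot: `#if !defined(__UCLIBC__) & !defined(_AIX)` joins the two conditions with bitwise `&`; it happens to evaluate correctly because both operands are 0 or 1, but it reads as a typo and should be `#if !defined(__UCLIBC__) && !defined(_AIX)`. `StackTrace() {};` carries a stray semicolon after the constructor body. The `#include` line shows no header name in this rendering; since `OutputToStream` takes a `std::ostream*`, the header needs at least `<iosfwd>` in scope, and that should be confirmed against the actual file.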
@@ -0,0 +1,52 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a cut down version of base/feature_list.h.
+// This just returns the default state for a feature.
+
+#ifndef BASE_FEATURE_LIST_H_
+#define BASE_FEATURE_LIST_H_
+
+#include "base/macros.h"
+
+namespace base {
+
+// Specifies whether a given feature is enabled or disabled by default.
+enum FeatureState {
+ FEATURE_DISABLED_BY_DEFAULT,
+ FEATURE_ENABLED_BY_DEFAULT,
+};
+
+// The Feature struct is used to define the default state for a feature. See
+// comment below for more details. There must only ever be one struct instance
+// for a given feature name - generally defined as a constant global variable or
+// file static. It should never be used as a constexpr as it breaks
+// pointer-based identity lookup.
+struct BASE_EXPORT Feature {
+ // The name of the feature. This should be unique to each feature and is used
+ // for enabling/disabling features via command line flags and experiments.
+ // It is strongly recommended to use CamelCase style for feature names, e.g.
+ // "MyGreatFeature".
+ const char* const name;
+
+ // The default state (i.e. enabled or disabled) for this feature.
+ const FeatureState default_state;
+};
+
+class BASE_EXPORT FeatureList {
+ public:
+ static bool IsEnabled(const Feature& feature) {
+ return feature.default_state == FEATURE_ENABLED_BY_DEFAULT;
+ }
+
+ static FeatureList* GetInstance() { return nullptr; }
+
+ DISALLOW_COPY_AND_ASSIGN(FeatureList);
+};
+
+} // namespace base
+
+#endif // BASE_FEATURE_LIST_H_
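Review bot: `GetInstance()` always returns `nullptr`, so any caller that dereferences the result crashes, and nothing on the class says that only the static `IsEnabled` is usable; a comment on the method such as `// This shim has no FeatureList instance and always returns nullptr; use the static IsEnabled() instead.` would make that explicit. The comment on `Feature::name` still describes enabling features via command line flags and experiments, which this cut-down `IsEnabled` cannot do — it reports `default_state` only — so every feature-gated sandbox behaviour here is fixed at compile time, and the field comment should say that rather than repeat the upstream wording.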
diff --git a/security/sandbox/chromium-shim/base/file_version_info_win.cpp b/security/sandbox/chromium-shim/base/file_version_info_win.cpp
new file mode 100644
index 0000000000..bc4d6a4fe0
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/file_version_info_win.cpp
@@ -0,0 +1,90 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a partial implementation of Chromium's source file
+// base/file_version_info_win.cc
+
+#include "base/file_version_info_win.h"
+
+#include "base/files/file_path.h"
+#include "base/memory/ptr_util.h"
+#include "base/threading/scoped_blocking_call.h"
+
+#include "mozilla/Unused.h"
+
+namespace {
+
+struct LanguageAndCodePage {
+ WORD language;
+ WORD code_page;
+};
+
+// Returns the \VarFileInfo\Translation value extracted from the
+// VS_VERSION_INFO resource in |data|.
+LanguageAndCodePage* GetTranslate(const void* data) {
+ static constexpr wchar_t kTranslation[] = L"\\VarFileInfo\\Translation";
+ LPVOID translate = nullptr;
+ UINT dummy_size;
+ if (::VerQueryValue(data, kTranslation, &translate, &dummy_size))
+ return static_cast(translate);
+ return nullptr;
+}
+
+const VS_FIXEDFILEINFO& GetVsFixedFileInfo(const void* data) {
+ static constexpr wchar_t kRoot[] = L"\\";
+ LPVOID fixed_file_info = nullptr;
+ UINT dummy_size;
+ CHECK(::VerQueryValue(data, kRoot, &fixed_file_info, &dummy_size));
+ return *static_cast(fixed_file_info);
+}
+
+} // namespace
+
+// static
+std::unique_ptr
+FileVersionInfoWin::CreateFileVersionInfoWin(const base::FilePath& file_path) {
+ base::ScopedBlockingCall scoped_blocking_call(FROM_HERE,
+ base::BlockingType::MAY_BLOCK);
+
+ DWORD dummy;
+ const wchar_t* path = file_path.value().c_str();
+ const DWORD length = ::GetFileVersionInfoSize(path, &dummy);
+ if (length == 0)
+ return nullptr;
+
+ std::vector data(length, 0);
+
+ if (!::GetFileVersionInfo(path, dummy, length, data.data()))
+ return nullptr;
+
+ const LanguageAndCodePage* translate = GetTranslate(data.data());
+ if (!translate)
+ return nullptr;
+
+ return base::WrapUnique(new FileVersionInfoWin(
+ std::move(data), translate->language, translate->code_page));
+}
+
+base::Version FileVersionInfoWin::GetFileVersion() const {
+ return base::Version({HIWORD(fixed_file_info_.dwFileVersionMS),
+ LOWORD(fixed_file_info_.dwFileVersionMS),
+ HIWORD(fixed_file_info_.dwFileVersionLS),
+ LOWORD(fixed_file_info_.dwFileVersionLS)});
+}
+
+FileVersionInfoWin::FileVersionInfoWin(std::vector&& data,
+ WORD language,
+ WORD code_page)
+ : owned_data_(std::move(data)),
+ data_(owned_data_.data()),
+ language_(language),
+ code_page_(code_page),
+ fixed_file_info_(GetVsFixedFileInfo(data_)) {
+ DCHECK(!owned_data_.empty());
+
+ mozilla::Unused << language_;
+ mozilla::Unused << code_page_;
+}
diff --git a/security/sandbox/chromium-shim/base/file_version_info_win.h b/security/sandbox/chromium-shim/base/file_version_info_win.h
new file mode 100644
index 0000000000..9f41901864
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/file_version_info_win.h
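Review bot: `GetTranslate` hands back the `\VarFileInfo\Translation` block without looking at the size that `VerQueryValue` reports in `dummy_size`, and `CreateFileVersionInfoWin` then reads `translate->language` and `translate->code_page` from it. The version resource is parsed out of whatever file `file_path` names, so for a truncated or malformed resource that read can run past the returned block; checking the reported size first, `if (::VerQueryValue(data, kTranslation, &translate, &dummy_size) && dummy_size >= sizeof(LanguageAndCodePage))`, keeps the existing nullptr return path for that case. Relatedly, `GetVsFixedFileInfo` uses `CHECK`, so a resource with no root block aborts the process from inside the constructor instead of producing the nullptr that every other failure path in the factory returns; if that is intended, a comment on the constructor saying so would save the next reader from treating it as an oversight.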
@@ -0,0 +1,54 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a partial implementation of Chromium's source file
+// base/file_version_info_win.h.
+
+#ifndef BASE_FILE_VERSION_INFO_WIN_H_
+#define BASE_FILE_VERSION_INFO_WIN_H_
+
+#include
+#include
+
+#include "base/macros.h"
+#include "base/version.h"
+
+#include "mozilla/Assertions.h"
+
+struct tagVS_FIXEDFILEINFO;
+typedef tagVS_FIXEDFILEINFO VS_FIXEDFILEINFO;
+
+namespace base {
+class FilePath;
+}
+
+class FileVersionInfoWin {
+ public:
+ static std::unique_ptr CreateFileVersionInfoWin(
+ const base::FilePath& file_path);
+
+ // Get file version number in dotted version format.
+ base::Version GetFileVersion() const;
+
+ private:
+ // |data| is a VS_VERSION_INFO resource. |language| and |code_page| are
+ // extracted from the \VarFileInfo\Translation value of |data|.
+ FileVersionInfoWin(std::vector&& data,
+ WORD language,
+ WORD code_page);
+
+ const std::vector owned_data_;
+ const void* const data_;
+ const WORD language_;
+ const WORD code_page_;
+
+ // This is a reference for a portion of |data_|.
+ const VS_FIXEDFILEINFO& fixed_file_info_;
+
+ DISALLOW_COPY_AND_ASSIGN(FileVersionInfoWin);
+};
+
+#endif // BASE_FILE_VERSION_INFO_WIN_H_
diff --git a/security/sandbox/chromium-shim/base/files/file_path.cpp b/security/sandbox/chromium-shim/base/files/file_path.cpp
new file mode 100644
index 0000000000..bcbfecab99
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/files/file_path.cpp
@@ -0,0 +1,217 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// This is a partial implementation of Chromium's source file
+// base/file/file_path.cc.
+
+#include "base/files/file_path.h"
+
+namespace base {
+
+using StringType = FilePath::StringType;
+using StringPieceType = FilePath::StringPieceType;
+
+namespace {
+
+const FilePath::CharType kStringTerminator = FILE_PATH_LITERAL('\0');
+
+// If this FilePath contains a drive letter specification, returns the
+// position of the last character of the drive letter specification,
+// otherwise returns npos. This can only be true on Windows, when a pathname
+// begins with a letter followed by a colon. On other platforms, this always
+// returns npos.
+StringPieceType::size_type FindDriveLetter(StringPieceType path) {
+#if defined(FILE_PATH_USES_DRIVE_LETTERS)
+ // This is dependent on an ASCII-based character set, but that's a
+ // reasonable assumption. iswalpha can be too inclusive here.
+ if (path.length() >= 2 && path[1] == L':' &&
+ ((path[0] >= L'A' && path[0] <= L'Z') ||
+ (path[0] >= L'a' && path[0] <= L'z'))) {
+ return 1;
+ }
+#endif // FILE_PATH_USES_DRIVE_LETTERS
+ return StringType::npos;
+}
+
+bool IsPathAbsolute(StringPieceType path) {
+#if defined(FILE_PATH_USES_DRIVE_LETTERS)
+ StringType::size_type letter = FindDriveLetter(path);
+ if (letter != StringType::npos) {
+ // Look for a separator right after the drive specification.
+ return path.length() > letter + 1 &&
+ FilePath::IsSeparator(path[letter + 1]);
+ }
+ // Look for a pair of leading separators.
+ return path.length() > 1 &&
+ FilePath::IsSeparator(path[0]) && FilePath::IsSeparator(path[1]);
+#else // FILE_PATH_USES_DRIVE_LETTERS
+ // Look for a separator in the first position.
+ return path.length() > 0 && FilePath::IsSeparator(path[0]);
+#endif // FILE_PATH_USES_DRIVE_LETTERS
+}
+
+} // namespace
+
+FilePath::FilePath() = default;
+
+FilePath::FilePath(const FilePath& that) = default;
+FilePath::FilePath(FilePath&& that) noexcept = default;
+
+FilePath::FilePath(StringPieceType path) : path_(path) {
+ StringType::size_type nul_pos = path_.find(kStringTerminator);
+ if (nul_pos != StringType::npos)
+ path_.erase(nul_pos, StringType::npos);
+}
+
+FilePath::~FilePath() = default;
+
+FilePath& FilePath::operator=(const FilePath& that) = default;
+
+FilePath& FilePath::operator=(FilePath&& that) = default;
+
+// static
+bool FilePath::IsSeparator(CharType character) {
+ for (size_t i = 0; i < kSeparatorsLength - 1; ++i) {
+ if (character == kSeparators[i]) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+// libgen's dirname and basename aren't guaranteed to be thread-safe and aren't
+// guaranteed to not modify their input strings, and in fact are implemented
+// differently in this regard on different platforms. Don't use them, but
+// adhere to their behavior.
+FilePath FilePath::DirName() const {
+ FilePath new_path(path_);
+ new_path.StripTrailingSeparatorsInternal();
+
+ // The drive letter, if any, always needs to remain in the output. If there
+ // is no drive letter, as will always be the case on platforms which do not
+ // support drive letters, letter will be npos, or -1, so the comparisons and
+ // resizes below using letter will still be valid.
+ StringType::size_type letter = FindDriveLetter(new_path.path_);
+
+ StringType::size_type last_separator =
+ new_path.path_.find_last_of(kSeparators, StringType::npos,
+ kSeparatorsLength - 1);
+ if (last_separator == StringType::npos) {
+ // path_ is in the current directory.
+ new_path.path_.resize(letter + 1);
+ } else if (last_separator == letter + 1) {
+ // path_ is in the root directory.
+ new_path.path_.resize(letter + 2);
+ } else if (last_separator == letter + 2 &&
+ IsSeparator(new_path.path_[letter + 1])) {
+ // path_ is in "//" (possibly with a drive letter); leave the double
+ // separator intact indicating alternate root.
+ new_path.path_.resize(letter + 3);
+ } else if (last_separator != 0) {
+ // path_ is somewhere else, trim the basename.
+ new_path.path_.resize(last_separator);
+ }
+
+ new_path.StripTrailingSeparatorsInternal();
+ if (!new_path.path_.length())
+ new_path.path_ = kCurrentDirectory;
+
+ return new_path;
+}
+
+FilePath FilePath::BaseName() const {
+ FilePath new_path(path_);
+ new_path.StripTrailingSeparatorsInternal();
+
+ // The drive letter, if any, is always stripped.
+ StringType::size_type letter = FindDriveLetter(new_path.path_);
+ if (letter != StringType::npos) {
+ new_path.path_.erase(0, letter + 1);
+ }
+
+ // Keep everything after the final separator, but if the pathname is only
+ // one character and it's a separator, leave it alone.
+ StringType::size_type last_separator =
+ new_path.path_.find_last_of(kSeparators, StringType::npos,
+ kSeparatorsLength - 1);
+ if (last_separator != StringType::npos &&
+ last_separator < new_path.path_.length() - 1) {
+ new_path.path_.erase(0, last_separator + 1);
+ }
+
+ return new_path;
+}
+
+FilePath FilePath::Append(StringPieceType component) const {
+ StringPieceType appended = component;
+ StringType without_nuls;
+
+ StringType::size_type nul_pos = component.find(kStringTerminator);
+ if (nul_pos != StringPieceType::npos) {
+ without_nuls = StringType(component.substr(0, nul_pos));
+ appended = StringPieceType(without_nuls);
+ }
+
+ DCHECK(!IsPathAbsolute(appended));
+
+ if (path_.compare(kCurrentDirectory) == 0 && !appended.empty()) {
+ // Append normally doesn't do any normalization, but as a special case,
+ // when appending to kCurrentDirectory, just return a new path for the
+ // component argument. Appending component to kCurrentDirectory would
+ // serve no purpose other than needlessly lengthening the path, and
+ // it's likely in practice to wind up with FilePath objects containing
+ // only kCurrentDirectory when calling DirName on a single relative path
+ // component.
+ return FilePath(appended);
+ }
+
+ FilePath new_path(path_);
+ new_path.StripTrailingSeparatorsInternal();
+
+ // Don't append a separator if the path is empty (indicating the current
+ // directory) or if the path component is empty (indicating nothing to
+ // append).
+ if (!appended.empty() && !new_path.path_.empty()) {
+ // Don't append a separator if the path still ends with a trailing
+ // separator after stripping (indicating the root directory).
+ if (!IsSeparator(new_path.path_.back())) {
+ // Don't append a separator if the path is just a drive letter.
+ if (FindDriveLetter(new_path.path_) + 1 != new_path.path_.length()) {
+ new_path.path_.append(1, kSeparators[0]);
+ }
+ }
+ }
+
+ new_path.path_.append(appended.data(), appended.size());
+ return new_path;
+}
+
+FilePath FilePath::Append(const FilePath& component) const {
+ return Append(component.value());
+}
+
+void FilePath::StripTrailingSeparatorsInternal() {
+ // If there is no drive letter, start will be 1, which will prevent stripping
+ // the leading separator if there is only one separator. If there is a drive
+ // letter, start will be set appropriately to prevent stripping the first
+ // separator following the drive letter, if a separator immediately follows
+ // the drive letter.
+ StringType::size_type start = FindDriveLetter(path_) + 2;
+
+ StringType::size_type last_stripped = StringType::npos;
+ for (StringType::size_type pos = path_.length();
+ pos > start && IsSeparator(path_[pos - 1]);
+ --pos) {
+ // If the string only has two separators and they're at the beginning,
+ // don't strip them, unless the string began with more than two separators.
+ if (pos != start + 1 || last_stripped == start + 2 ||
+ !IsSeparator(path_[start - 1])) {
+ path_.resize(pos - 1);
+ last_stripped = pos;
+ }
+ }
+}
+
+} // namespace base
diff --git a/security/sandbox/chromium-shim/base/files/file_util.h b/security/sandbox/chromium-shim/base/files/file_util.h
new file mode 100644
index 0000000000..bd6ce0c0a8
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/files/file_util.h
@@ -0,0 +1,11 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a cut down version of Chromium source file base/files/file_util.h
+// This is included in base/memory/shared_memory.h, but it only actually
+// requires the include for base/files/file_path.h.
+
+#include "base/files/file_path.h"
diff --git a/security/sandbox/chromium-shim/base/gtest_prod_util.h b/security/sandbox/chromium-shim/base/gtest_prod_util.h
new file mode 100644
index 0000000000..b45a1586b0
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/gtest_prod_util.h
@@ -0,0 +1,22 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef BASE_GTEST_PROD_UTIL_H_
+#define BASE_GTEST_PROD_UTIL_H_
+
+#ifndef FRIEND_TEST
+#define FRIEND_TEST(A, B)
+#endif
+
+#ifndef FRIEND_TEST_ALL_PREFIXES
+#define FRIEND_TEST_ALL_PREFIXES(test_case_name, test_name)
+#endif
+
+#ifndef FORWARD_DECLARE_TEST
+#define FORWARD_DECLARE_TEST(test_case_name, test_name)
+#endif
+
+#endif // BASE_GTEST_PROD_UTIL_H_
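Review bot: `FilePath::Append` only guards against an absolute `component` with `DCHECK(!IsPathAbsolute(appended))`, so in a non-debug build an absolute component is joined onto `path_` behind a separator and the result is silently wrong rather than rejected. This shim exists for the sandbox, so paths built here may end up in policy rules; if the upstream behaviour is to be kept as-is, the precondition at least deserves a comment on the method, e.g. `// component must be relative; absolute components are a caller bug and are not rejected in release builds.` The embedded-NUL handling just above the DCHECK, which silently truncates at the first `'\0'`, is the same kind of quiet normalization and is worth a sentence in the same comment. The same note applies to the `FilePath(StringPieceType)` constructor earlier in the hunk, which truncates at a NUL the same way.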
diff --git a/security/sandbox/chromium-shim/base/logging.cpp b/security/sandbox/chromium-shim/base/logging.cpp
new file mode 100644
index 0000000000..9ac163c0ea
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/logging.cpp
@@ -0,0 +1,160 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a stripped down version of the Chromium source file base/logging.cc
+// This prevents dependency on the Chromium logging and dependency creep in
+// general.
+// At some point we should find a way to hook this into our own logging see
+// bug 1013988.
+// The formatting in this file matches the original Chromium file to aid future
+// merging.
+
+#include "base/logging.h"
+
+#if defined(OS_WIN)
+#include
+#endif
+
+#if defined(OS_POSIX)
+#include
+#endif
+
+#if defined(OS_WIN)
+#include "base/strings/utf_string_conversions.h"
+#endif
+
+#include
+
+#include "mozilla/Assertions.h"
+#include "mozilla/Unused.h"
+
+namespace logging {
+
+namespace {
+
+int g_min_log_level = 0;
+
+LoggingDestination g_logging_destination = LOG_DEFAULT;
+
+// For LOG_ERROR and above, always print to stderr.
+const int kAlwaysPrintErrorLevel = LOG_ERROR;
+
+// A log message handler that gets notified of every log message we process.
+LogMessageHandlerFunction log_message_handler = nullptr;
+
+} // namespace
+
+// This is never instantiated, it's just used for EAT_STREAM_PARAMETERS to have
+// an object of the correct type on the LHS of the unused part of the ternary
+// operator.
+std::ostream* g_swallow_stream;
+
+void SetMinLogLevel(int level) {
+ g_min_log_level = std::min(LOG_FATAL, level);
+}
+
+int GetMinLogLevel() {
+ return g_min_log_level;
+}
+
+bool ShouldCreateLogMessage(int severity) {
+ if (severity < g_min_log_level)
+ return false;
+
+ // Return true here unless we know ~LogMessage won't do anything. Note that
+ // ~LogMessage writes to stderr if severity_ >= kAlwaysPrintErrorLevel, even
+ // when g_logging_destination is LOG_NONE.
+ return g_logging_destination != LOG_NONE || log_message_handler ||
+ severity >= kAlwaysPrintErrorLevel;
+}
+
+int GetVlogLevelHelper(const char* file, size_t N) {
+ return 0;
+}
+
+// Explicit instantiations for commonly used comparisons.
+template std::string* MakeCheckOpString(
+ const int&, const int&, const char* names);
+template std::string* MakeCheckOpString(
+ const unsigned long&, const unsigned long&, const char* names);
+template std::string* MakeCheckOpString(
+ const unsigned long&, const unsigned int&, const char* names);
+template std::string* MakeCheckOpString(
+ const unsigned int&, const unsigned long&, const char* names);
+template std::string* MakeCheckOpString(
+ const std::string&, const std::string&, const char* name);
+
+LogMessage::LogMessage(const char* file, int line, LogSeverity severity)
+ : severity_(severity), file_(file), line_(line) {
+}
+
+LogMessage::LogMessage(const char* file, int line, const char* condition)
+ : severity_(LOG_FATAL), file_(file), line_(line) {
+}
+
+LogMessage::LogMessage(const char* file, int line, std::string* result)
+ : severity_(LOG_FATAL), file_(file), line_(line) {
+ delete result;
+}
+
+LogMessage::LogMessage(const char* file, int line, LogSeverity severity,
+ std::string* result)
+ : severity_(severity), file_(file), line_(line) {
+ delete result;
+}
+
+LogMessage::~LogMessage() {
+ if (severity_ == LOG_FATAL) {
+ MOZ_CRASH("Hit fatal chromium sandbox condition.");
+ }
+}
+
+SystemErrorCode GetLastSystemErrorCode() {
+#if defined(OS_WIN)
+ return ::GetLastError();
+#elif defined(OS_POSIX)
+ return errno;
+#else
+#error Not implemented
+#endif
+}
+
+#if defined(OS_WIN)
+Win32ErrorLogMessage::Win32ErrorLogMessage(const char* file,
+ int line,
+ LogSeverity severity,
+ SystemErrorCode err)
+ : err_(err),
+ log_message_(file, line, severity) {
+ mozilla::Unused << err_;
+}
+
+Win32ErrorLogMessage::~Win32ErrorLogMessage() {
+}
+#elif defined(OS_POSIX)
+ErrnoLogMessage::ErrnoLogMessage(const char* file,
+ int line,
+ LogSeverity severity,
+ SystemErrorCode err)
+ : err_(err),
+ log_message_(file, line, severity) {
+ mozilla::Unused << err_;
+}
+
+ErrnoLogMessage::~ErrnoLogMessage() {
+}
+#endif // OS_WIN
+
+void RawLog(int level, const char* message) {
+}
+
+} // namespace logging
+
+#if defined(OS_WIN)
+std::ostream& std::operator<<(std::ostream& out, const wchar_t* wstr) {
+ return out << base::WideToUTF8(std::wstring(wstr));
+}
+#endif
diff --git a/security/sandbox/chromium-shim/base/logging_buildflags.h b/security/sandbox/chromium-shim/base/logging_buildflags.h
new file mode 100644
index 0000000000..4c7b5451a3
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/logging_buildflags.h
@@ -0,0 +1,20 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a copy of a file that is generated by the chromium build, with
+// only the build flags we require.
+
+// Generated by build/write_buildflag_header.py
+// From "//base:logging_buildflags"
+
+#ifndef BASE_LOGGING_BUILDFLAGS_H_
+#define BASE_LOGGING_BUILDFLAGS_H_
+
+#include "build/buildflag.h"
+
+#define BUILDFLAG_INTERNAL_ENABLE_LOG_ERROR_NOT_REACHED() (0)
+
+#endif // BASE_LOGGING_BUILDFLAGS_H_
diff --git a/security/sandbox/chromium-shim/base/memory/shared_memory_tracker.h b/security/sandbox/chromium-shim/base/memory/shared_memory_tracker.h
new file mode 100644
index 0000000000..0439410ebb
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/memory/shared_memory_tracker.h
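Review bot: The two `LogMessage` constructors that take a `std::string* result` delete the string immediately, and `~LogMessage` then calls `MOZ_CRASH("Hit fatal chromium sandbox condition.")` with a fixed message, so the comparison text built by `MakeCheckOpString` — and `file_`/`line_`, which are stored but never reported — never reaches the crash report. When a sandbox CHECK fires in the field, that text is most of what distinguishes one failure from another, so keeping at least the file and line in the crash reason would be a real improvement; if the constant message is deliberate to keep formatting out of the crash path, a comment on the destructor saying so would stop the next reader from "fixing" it. `GetVlogLevelHelper` and `RawLog` are intentional no-ops but carry no comment either; a one-liner on each, e.g. `// Stubbed: the shim never routes vlog or raw logging anywhere.`, would make that explicit.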
@@ -0,0 +1,40 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this
+* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a dummy version of Chromium source file base/memory/shared_memory_tracker.h.
+// To provide a class required in base/memory/shared_memory_win.cc.
+// The class is used for memory tracking and dumping, which we don't use and
+// has significant dependencies.
+
+#ifndef BASE_MEMORY_SHARED_MEMORY_TRACKER_H_
+#define BASE_MEMORY_SHARED_MEMORY_TRACKER_H_
+
+namespace base {
+
+// SharedMemoryTracker tracks shared memory usage.
+class BASE_EXPORT SharedMemoryTracker {
+ public:
+ // Returns a singleton instance.
+ static SharedMemoryTracker* GetInstance()
+ {
+ static SharedMemoryTracker* instance = new SharedMemoryTracker;
+ return instance;
+ }
+
+ void IncrementMemoryUsage(const SharedMemoryMapping& mapping) {};
+
+ void DecrementMemoryUsage(const SharedMemoryMapping& mapping) {};
+
+ private:
+ SharedMemoryTracker() {};
+ ~SharedMemoryTracker() = default;
+
+ DISALLOW_COPY_AND_ASSIGN(SharedMemoryTracker);
+};
+
+} // namespace base
+
+#endif // BASE_MEMORY_SHARED_MEMORY_TRACKER_H_
diff --git a/security/sandbox/chromium-shim/base/metrics/histogram_functions.h b/security/sandbox/chromium-shim/base/metrics/histogram_functions.h
new file mode 100644
index 0000000000..408e51b408
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/metrics/histogram_functions.h
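Review bot: The header uses `BASE_EXPORT`, `SharedMemoryMapping` and `DISALLOW_COPY_AND_ASSIGN` without including anything, so it only compiles when the includer has already pulled in base/macros.h and the mapping type; either the includes themselves or a comment stating that ordering requirement would make the dependency visible. On style, `IncrementMemoryUsage`, `DecrementMemoryUsage` and the private constructor end in `{};` — the semicolons after the function bodies are redundant and should be dropped. `GetInstance` also heap-allocates a stateless object that is never freed; a function-local `static SharedMemoryTracker instance; return &instance;` gives the same singleton without the `new`.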
@@ -0,0 +1,20 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a dummy version of Chromium source file base/metrics/histogram_functions.h.
+// To provide to empty histogram functions required for compilation.
+// We don't require Chromiums histogram collection code.
+
+#ifndef BASE_METRICS_HISTOGRAM_FUNCTIONS_H_
+#define BASE_METRICS_HISTOGRAM_FUNCTIONS_H_
+
+namespace base {
+
+BASE_EXPORT void UmaHistogramSparse(const std::string& name, int sample) {}
+
+} // namespace base
+
+#endif // BASE_METRICS_HISTOGRAM_FUNCTIONS_H_
diff --git a/security/sandbox/chromium-shim/base/metrics/histogram_macros.h b/security/sandbox/chromium-shim/base/metrics/histogram_macros.h
new file mode 100644
index 0000000000..725d7f8076
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/metrics/histogram_macros.h
@@ -0,0 +1,16 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a dummy version of Chromium source file base/metrics/histogram_macros.h.
+// To provide empty histogram macros required for compilation.
+// We don't require Chromiums histogram collection code.
+
+#ifndef BASE_METRICS_HISTOGRAM_MACROS_H_
+#define BASE_METRICS_HISTOGRAM_MACROS_H_
+
+#define UMA_HISTOGRAM_ENUMERATION(name, sample) do { } while (0)
+
+#endif // BASE_METRICS_HISTOGRAM_MACROS_H_
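Review bot: `UmaHistogramSparse` is a non-inline function defined with a body in a header, so if more than one translation unit includes this file each emits its own definition and the link violates the one-definition rule; marking it `inline` (or moving the body to a .cpp) avoids that, e.g. `inline void UmaHistogramSparse(const std::string& name, int sample) {}`. The header also relies on `std::string` and `BASE_EXPORT` without including `<string>` or base/macros.h, so it only compiles behind an includer that already has them. The histogram_macros.h hunk on the same line is a plain no-op macro and needs nothing.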
diff --git a/security/sandbox/chromium-shim/base/observer_list.h b/security/sandbox/chromium-shim/base/observer_list.h
new file mode 100644
index 0000000000..1d539dacb9
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/observer_list.h
@@ -0,0 +1,12 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a cut down version of //base/observer_list.h
+
+#ifndef BASE_OBSERVER_LIST_H_
+#define BASE_OBSERVER_LIST_H_
+
+#endif // BASE_OBSERVER_LIST_H_
diff --git a/security/sandbox/chromium-shim/base/process/launch.h b/security/sandbox/chromium-shim/base/process/launch.h
new file mode 100644
index 0000000000..5ead4b40e9
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/process/launch.h
@@ -0,0 +1,25 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a reduced version of Chromium's //base/process/launch.h
+// to satisfy compiler.
+
+#ifndef BASE_PROCESS_LAUNCH_H_
+#define BASE_PROCESS_LAUNCH_H_
+
+#include
+
+#include "base/environment.h"
+
+namespace base {
+
+#if defined(OS_WIN)
+typedef std::vector HandlesToInheritVector;
+#endif
+
+} // namespace base
+
+#endif // BASE_PROCESS_LAUNCH_H_
diff --git a/security/sandbox/chromium-shim/base/process/memory_win.cpp b/security/sandbox/chromium-shim/base/process/memory_win.cpp
new file mode 100644
index 0000000000..26987fc410
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/process/memory_win.cpp
@@ -0,0 +1,17 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "base/process/memory.h"
+
+#include "mozilla/Assertions.h"
+
+namespace base {
+
+void TerminateBecauseOutOfMemory(size_t size) {
+ MOZ_CRASH("Hit base::TerminateBecauseOutOfMemory");
+}
+
+} // namespace base
diff --git a/security/sandbox/chromium-shim/base/scoped_native_library.h b/security/sandbox/chromium-shim/base/scoped_native_library.h
new file mode 100644
index 0000000000..d6fdf478ec
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/scoped_native_library.h
@@ -0,0 +1,31 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a cut down version of Chromium source file base/scoped_native_library.h
+// The chromium sandbox only requires ScopedNativeLibrary class to automatically
+// unload the library, which we can achieve with UniquePtr.
+
+#ifndef BASE_SCOPED_NATIVE_LIBRARY_H_
+#define BASE_SCOPED_NATIVE_LIBRARY_H_
+
+#include "mozilla/UniquePtr.h"
+
+namespace base {
+
+struct HModuleFreePolicy
+{
+ typedef HMODULE pointer;
+ void operator()(pointer hModule)
+ {
+ ::FreeLibrary(hModule);
+ }
+};
+
+typedef mozilla::UniquePtr ScopedNativeLibrary;
+
+} // namespace base
+
+#endif // BASE_SCOPED_NATIVE_LIBRARY_H_
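Review bot: `TerminateBecauseOutOfMemory` discards its `size` argument and crashes with a fixed reason, so a crash report from this path does not say how large the failed allocation was, which is usually the first thing needed to tell a genuine OOM from a corrupted-size bug. If the crash macro in use here cannot take a formatted reason, a comment on the function noting that `size` is intentionally not reported, and why, would be the minimum; otherwise folding the value into the reason string is a small change. The scoped_native_library.h hunk on the same line is fine, though a comment on `HModuleFreePolicy` that the deleter assumes `<windows.h>` has already been included by the user would help, since the header includes nothing that declares `HMODULE` or `FreeLibrary`.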
diff --git a/security/sandbox/chromium-shim/base/synchronization/synchronization_buildflags.h b/security/sandbox/chromium-shim/base/synchronization/synchronization_buildflags.h
new file mode 100644
index 0000000000..4b79551541
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/synchronization/synchronization_buildflags.h
@@ -0,0 +1,17 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a dummy version of a file that is generated by the chromium build
+// from base/BUILD.gn.
+
+#ifndef BASE_SYNCHRONIZATION_SYNCHRONIZATION_BUILDFLAGS_H_
+#define BASE_SYNCHRONIZATION_SYNCHRONIZATION_BUILDFLAGS_H_
+
+#include "build/buildflag.h"
+
+#define BUILDFLAG_INTERNAL_ENABLE_MUTEX_PRIORITY_INHERITANCE() (0)
+
+#endif // BASE_SYNCHRONIZATION_SYNCHRONIZATION_BUILDFLAGS_H_
diff --git a/security/sandbox/chromium-shim/base/third_party/nspr/prtime.h b/security/sandbox/chromium-shim/base/third_party/nspr/prtime.h
new file mode 100644
index 0000000000..9a18a36376
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/third_party/nspr/prtime.h
@@ -0,0 +1,8 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// Grab the copy from in our tree
+#include "pr/include/prtime.h"
diff --git a/security/sandbox/chromium-shim/base/third_party/nspr/prtypes.h b/security/sandbox/chromium-shim/base/third_party/nspr/prtypes.h
new file mode 100644
index 0000000000..6aec5e08fb
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/third_party/nspr/prtypes.h
@@ -0,0 +1,8 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// Grab the copy from in our tree
+#include "pr/include/prtypes.h"
diff --git a/security/sandbox/chromium-shim/base/threading/platform_thread_linux.cpp b/security/sandbox/chromium-shim/base/threading/platform_thread_linux.cpp
new file mode 100644
index 0000000000..aed65a06bd
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/threading/platform_thread_linux.cpp
@@ -0,0 +1,69 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a cut down version of Chromium source file base/threading/platform_thread_linux.h
+// with only the functions required. It also has a dummy implementation of
+// SetCurrentThreadPriorityForPlatform, which should not be called.
+
+#include "base/threading/platform_thread.h"
+
+#include "base/threading/platform_thread_internal_posix.h"
+
+#include "mozilla/Assertions.h"
+
+namespace base {
+namespace internal {
+
+namespace {
+const struct sched_param kRealTimePrio = {8};
+} // namespace
+
+const ThreadPriorityToNiceValuePair kThreadPriorityToNiceValueMap[4] = {
+ {ThreadPriority::BACKGROUND, 10},
+ {ThreadPriority::NORMAL, 0},
+ {ThreadPriority::DISPLAY, -8},
+ {ThreadPriority::REALTIME_AUDIO, -10},
+};
+
+
+Optional CanIncreaseCurrentThreadPriorityForPlatform(
+ ThreadPriority priority) {
+ MOZ_CRASH();
+}
+
+bool SetCurrentThreadPriorityForPlatform(ThreadPriority priority) {
+ MOZ_CRASH();
+}
+
+Optional GetCurrentThreadPriorityForPlatform() {
+ int maybe_sched_rr = 0;
+ struct sched_param maybe_realtime_prio = {0};
+ if (pthread_getschedparam(pthread_self(), &maybe_sched_rr,
+ &maybe_realtime_prio) == 0 &&
+ maybe_sched_rr == SCHED_RR &&
+ maybe_realtime_prio.sched_priority == kRealTimePrio.sched_priority) {
+ return base::make_optional(ThreadPriority::REALTIME_AUDIO);
+ }
+ return base::nullopt;
+}
+
+} // namespace internal
+
+void InitThreading() {}
+
+void TerminateOnThread() {}
+
+size_t GetDefaultThreadStackSize(const pthread_attr_t& attributes) {
+#if !defined(THREAD_SANITIZER)
+ return 0;
+#else
+ // ThreadSanitizer bloats the stack heavily. Evidence has been that the
+ // default stack size isn't enough for some browser tests.
+ return 2 * (1 << 23); // 2 times 8192K (the default stack size on Linux).
+#endif
+}
+
+} // namespace base
diff --git a/security/sandbox/chromium-shim/base/threading/scoped_blocking_call.h b/security/sandbox/chromium-shim/base/threading/scoped_blocking_call.h
new file mode 100644
index 0000000000..519850d34a
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/threading/scoped_blocking_call.h
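Review bot: The file-level comment on the new side points at the wrong source: it names `base/threading/platform_thread_linux.h`, but what is defined here (`kThreadPriorityToNiceValueMap`, `GetCurrentThreadPriorityForPlatform`, `GetDefaultThreadStackSize`) are implementations, so the file being cut down is presumably Chromium's `platform_thread_linux.cc`. It also says only `SetCurrentThreadPriorityForPlatform` is a dummy, while `CanIncreaseCurrentThreadPriorityForPlatform` is an identical `MOZ_CRASH()` stub. Suggest `// This is a cut down version of Chromium source file base/threading/platform_thread_linux.cc` followed by `// with only the functions required. It also has dummy implementations of CanIncreaseCurrentThreadPriorityForPlatform` / `// and SetCurrentThreadPriorityForPlatform, which should not be called.`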
@@ -0,0 +1,47 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a dummy version of Chromium source file
+// base/threading/scoped_blocking_call.h
+// To provide to a dummy ScopedBlockingCall class. This prevents dependency
+// creep and we don't use the rest of the blocking call checking.
+
+#ifndef BASE_THREADING_SCOPED_BLOCKING_CALL_H
+#define BASE_THREADING_SCOPED_BLOCKING_CALL_H
+
+#include "base/base_export.h"
+#include "base/location.h"
+
+namespace base {
+
+enum class BlockingType {
+ // The call might block (e.g. file I/O that might hit in memory cache).
+ MAY_BLOCK,
+ // The call will definitely block (e.g. cache already checked and now pinging
+ // server synchronously).
+ WILL_BLOCK
+};
+
+class BASE_EXPORT ScopedBlockingCall {
+ public:
+ ScopedBlockingCall(const Location& from_here, BlockingType blocking_type) {};
+ ~ScopedBlockingCall() {};
+};
+
+namespace internal {
+
+class BASE_EXPORT ScopedBlockingCallWithBaseSyncPrimitives {
+ public:
+ ScopedBlockingCallWithBaseSyncPrimitives(const Location& from_here,
+ BlockingType blocking_type) {}
+ ~ScopedBlockingCallWithBaseSyncPrimitives() {};
+};
+
+} // namespace internal
+
+} // namespace base
+
+#endif // BASE_THREADING_SCOPED_BLOCKING_CALL_H
diff --git a/security/sandbox/chromium-shim/base/trace_event/heap_profiler_allocation_context_tracker.h b/security/sandbox/chromium-shim/base/trace_event/heap_profiler_allocation_context_tracker.h
new file mode 100644
index 0000000000..bb2cca0ec4
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/trace_event/heap_profiler_allocation_context_tracker.h
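Review bot: The empty bodies of `ScopedBlockingCall`'s constructor and destructor and of `~ScopedBlockingCallWithBaseSyncPrimitives` end in `{};`, leaving a stray semicolon after each member function body; it is legal inside a class but fires `-Wextra-semi`, and the sibling `ScopedBlockingCallWithBaseSyncPrimitives` constructor already uses plain `{}`. The named-but-unused parameters also draw unused-parameter warnings in strict builds. Suggest `ScopedBlockingCall(const Location&, BlockingType) {}` and `~ScopedBlockingCall() {}`, with the same treatment for the internal class.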
@@ -0,0 +1,32 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a dummy version of Chromium source file base/trace_event/heap_profiler_allocation_context_tracker.h.
+// To provide a function required in base/threading/thread_id_name_manager.cc
+// SetCurrentThreadName. We don't use the heap profiler.
+
+#ifndef BASE_TRACE_EVENT_HEAP_PROFILER_ALLOCATION_CONTEXT_TRACKER_H_
+#define BASE_TRACE_EVENT_HEAP_PROFILER_ALLOCATION_CONTEXT_TRACKER_H_
+
+namespace base {
+namespace trace_event {
+
+// The allocation context tracker keeps track of thread-local context for heap
+// profiling. It includes a pseudo stack of trace events. On every allocation
+// the tracker provides a snapshot of its context in the form of an
+// |AllocationContext| that is to be stored together with the allocation
+// details.
+class BASE_EXPORT AllocationContextTracker {
+ public:
+ static void SetCurrentThreadName(const char* name) {}
+
+ DISALLOW_COPY_AND_ASSIGN(AllocationContextTracker);
+};
+
+} // namespace trace_event
+} // namespace base
+
+#endif // BASE_TRACE_EVENT_HEAP_PROFILER_ALLOCATION_CONTEXT_TRACKER_H_
diff --git a/security/sandbox/chromium-shim/base/tracked_objects.h b/security/sandbox/chromium-shim/base/tracked_objects.h
new file mode 100644
index 0000000000..092c9533f6
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/tracked_objects.h
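Review bot: The header is not self-contained: it uses `BASE_EXPORT` and `DISALLOW_COPY_AND_ASSIGN` without including anything, so it only compiles when the including file has already pulled in `base/base_export.h` and the header that defines `DISALLOW_COPY_AND_ASSIGN` (`base/macros.h` in Chromium). The sibling `scoped_blocking_call.h` in this commit includes `base/base_export.h` for the same macro. Suggest adding `#include "base/base_export.h"` and `#include "base/macros.h"` after the include guard, and dropping the name of the unused `name` parameter in `SetCurrentThreadName`.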
@@ -0,0 +1,23 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _SECURITY_SANDBOX_TRACKED_OBJECTS_H_
+#define _SECURITY_SANDBOX_TRACKED_OBJECTS_H_
+
+#include "mozilla/Assertions.h"
+
+namespace tracked_objects
+{
+ class ThreadData
+ {
+ public:
+ static void InitializeThreadContext(const std::string& name)
+ {
+ MOZ_CRASH();
+ }
+ };
+}
+#endif
diff --git a/security/sandbox/chromium-shim/base/win/base_win_buildflags.h b/security/sandbox/chromium-shim/base/win/base_win_buildflags.h
new file mode 100644
index 0000000000..93d3e11a45
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/win/base_win_buildflags.h
@@ -0,0 +1,17 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a dummy version of a file that is generated by the chromium build
+// from base/win/BUILD.gn.
+
+#ifndef BASE_WIN_BASE_WIN_BUILDFLAGS_H_
+#define BASE_WIN_BASE_WIN_BUILDFLAGS_H_
+
+#include "build/buildflag.h"
+
+#define BUILDFLAG_INTERNAL_SINGLE_MODULE_MODE_HANDLE_VERIFIER() (0)
+
+#endif // BASE_WIN_BASE_WIN_BUILDFLAGS_H_
diff --git a/security/sandbox/chromium-shim/base/win/registry.h b/security/sandbox/chromium-shim/base/win/registry.h
new file mode 100644
index 0000000000..e5d0f26ed2
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/win/registry.h
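Review bot: `InitializeThreadContext` takes a `const std::string&` but the header includes only `mozilla/Assertions.h`, so it relies on whoever includes it having already included `<string>`; add `#include <string>`. The include guard `_SECURITY_SANDBOX_TRACKED_OBJECTS_H_` (and `_SECURITY_SANDBOX_BASE_SHIM_SDKDECLS_H_` in the sdkdecls.h hunk further down) begins with an underscore followed by an uppercase letter, which is reserved to the implementation; `SECURITY_SANDBOX_TRACKED_OBJECTS_H_` avoids that. The Allman brace layout and the bare `#endif` also differ from every other header in this commit; a trailing `// SECURITY_SANDBOX_TRACKED_OBJECTS_H_` comment on the `#endif` would match them.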
@@ -0,0 +1,48 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a stripped down version of Chromium source file base/win/registry.h
+// Within our copy of Chromium files this is only used in base/win/windows_version.cc
+// in OSInfo::processor_model_name, which we don't use.
+// It is also used in GetUBR, which is used as the VersionNumber.patch, which
+// again is not needed by the sandbox.
+
+#ifndef BASE_WIN_REGISTRY_H_
+#define BASE_WIN_REGISTRY_H_
+
+#include
+
+namespace base {
+namespace win {
+
+class BASE_EXPORT RegKey {
+ public:
+ RegKey() {};
+ RegKey(HKEY rootkey, const wchar_t* subkey, REGSAM access) {}
+ ~RegKey() {}
+
+ LONG Open(HKEY rootkey, const wchar_t* subkey, REGSAM access) {
+ return ERROR_CANTOPEN;
+ }
+
+ LONG ReadValueDW(const wchar_t* name, DWORD* out_value) const
+ {
+ return ERROR_CANTREAD;
+ }
+
+ LONG ReadValue(const wchar_t* name, std::wstring* out_value) const
+ {
+ return ERROR_CANTREAD;
+ }
+
+ private:
+ DISALLOW_COPY_AND_ASSIGN(RegKey);
+};
+
+} // namespace win
+} // namespace base
+
+#endif // BASE_WIN_REGISTRY_H_
diff --git a/security/sandbox/chromium-shim/base/win/sdkdecls.h b/security/sandbox/chromium-shim/base/win/sdkdecls.h
new file mode 100644
index 0000000000..b7aa855e62
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/win/sdkdecls.h
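Review bot: Every operation on the stub `RegKey` reports failure (`Open` returns `ERROR_CANTOPEN`, both `ReadValue*` return `ERROR_CANTREAD`), which is the right fail-closed choice for a sandbox shim, but the class comment only says that the callers are unused; a one-line comment on the class such as `// Stub: never opens a key; every call reports failure so callers take their error path.` would make the intent explicit. Stylistically, `RegKey() {};` carries a stray semicolon, and `Open` puts its brace K&R-style while `ReadValueDW`/`ReadValue` put it on its own line; pick one. The unused parameter names on the stub methods could also be dropped to keep unused-parameter warnings quiet.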
@@ -0,0 +1,368 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef _SECURITY_SANDBOX_BASE_SHIM_SDKDECLS_H_ +#define _SECURITY_SANDBOX_BASE_SHIM_SDKDECLS_H_ + +#include + +// This file contains definitions required for things dynamically loaded +// while building or targetting lower platform versions or lower SDKs. + +#if (_WIN32_WINNT < 0x0602) +#define ProcThreadAttributeSecurityCapabilities 9 +#define PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES \ + ProcThreadAttributeValue (ProcThreadAttributeSecurityCapabilities, FALSE, TRUE, FALSE) + +#define PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_MASK (0x00000003 << 8) +#define PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_DEFER (0x00000000 << 8) +#define PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000001 << 8) +#define PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_OFF (0x00000002 << 8) +#define PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS (0x00000003 << 8) +#define PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_MASK (0x00000003 << 12) +#define PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_DEFER (0x00000000 << 12) +#define PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON (0x00000001 << 12) +#define PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_OFF (0x00000002 << 12) +#define PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_RESERVED (0x00000003 << 12) +#define PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_MASK (0x00000003 << 16) +#define PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_DEFER (0x00000000 << 16) +#define PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00000001 << 16) +#define 
PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00000002 << 16) +#define PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_RESERVED (0x00000003 << 16) +#define PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_MASK (0x00000003 << 20) +#define PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_DEFER (0x00000000 << 20) +#define PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON (0x00000001 << 20) +#define PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_OFF (0x00000002 << 20) +#define PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_RESERVED (0x00000003 << 20) +#define PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_MASK (0x00000003 << 24) +#define PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_DEFER (0x00000000 << 24) +#define PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON (0x00000001 << 24) +#define PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_OFF (0x00000002 << 24) +#define PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_RESERVED (0x00000003 << 24) +#define PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_MASK (0x00000003 << 28) +#define PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_DEFER (0x00000000 << 28) +#define PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON (0x00000001 << 28) +#define PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_OFF (0x00000002 << 28) +#define PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_RESERVED (0x00000003 << 28) +#define PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_MASK (0x00000003uLL << 32) +#define PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_DEFER (0x00000000uLL << 32) +#define PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON (0x00000001uLL << 32) +#define PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_OFF (0x00000002uLL << 32) +#define 
PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_RESERVED (0x00000003uLL << 32) + +typedef struct _MEMORY_PRIORITY_INFORMATION { + ULONG MemoryPriority; +} MEMORY_PRIORITY_INFORMATION, *PMEMORY_PRIORITY_INFORMATION; + +WINBASEAPI +BOOL +WINAPI +GetThreadInformation( + _In_ HANDLE hThread, + _In_ THREAD_INFORMATION_CLASS ThreadInformationClass, + _Out_writes_bytes_(ThreadInformationSize) LPVOID ThreadInformation, + _In_ DWORD ThreadInformationSize + ); + +WINBASEAPI +BOOL +WINAPI +SetThreadInformation( + _In_ HANDLE hThread, + _In_ THREAD_INFORMATION_CLASS ThreadInformationClass, + _In_reads_bytes_(ThreadInformationSize) LPVOID ThreadInformation, + _In_ DWORD ThreadInformationSize +); + +// Check if we're including >= win8 winnt.h +#ifndef NTDDI_WIN8 + +typedef struct _SECURITY_CAPABILITIES { + PSID AppContainerSid; + PSID_AND_ATTRIBUTES Capabilities; + DWORD CapabilityCount; + DWORD Reserved; +} SECURITY_CAPABILITIES, *PSECURITY_CAPABILITIES, *LPSECURITY_CAPABILITIES; + +typedef enum _PROCESS_MITIGATION_POLICY { + ProcessDEPPolicy, + ProcessASLRPolicy, + ProcessReserved1MitigationPolicy, + ProcessStrictHandleCheckPolicy, + ProcessSystemCallDisablePolicy, + ProcessMitigationOptionsMask, + ProcessExtensionPointDisablePolicy, + MaxProcessMitigationPolicy +} PROCESS_MITIGATION_POLICY, *PPROCESS_MITIGATION_POLICY; + +#define LOAD_LIBRARY_SEARCH_DEFAULT_DIRS 0x00001000 + +typedef struct _PROCESS_MITIGATION_ASLR_POLICY { + union { + DWORD Flags; + struct { + DWORD EnableBottomUpRandomization : 1; + DWORD EnableForceRelocateImages : 1; + DWORD EnableHighEntropy : 1; + DWORD DisallowStrippedImages : 1; + DWORD ReservedFlags : 28; + }; + }; +} PROCESS_MITIGATION_ASLR_POLICY, *PPROCESS_MITIGATION_ASLR_POLICY; + +typedef struct _PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY { + union { + DWORD Flags; + struct { + DWORD RaiseExceptionOnInvalidHandleReference : 1; + DWORD HandleExceptionsPermanentlyEnabled : 1; + DWORD ReservedFlags : 30; + }; + }; +} 
PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY, *PPROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY; + +typedef struct _PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY { + union { + DWORD Flags; + struct { + DWORD DisallowWin32kSystemCalls : 1; + DWORD ReservedFlags : 31; + }; + }; +} PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY, *PPROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY; + +typedef struct _PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY { + union { + DWORD Flags; + struct { + DWORD DisableExtensionPoints : 1; + DWORD ReservedFlags : 31; + }; + }; +} PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY, *PPROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY; + +#endif // NTDDI_WIN8 + +WINBASEAPI +BOOL +WINAPI +GetProcessMitigationPolicy( + _In_ HANDLE hProcess, + _In_ PROCESS_MITIGATION_POLICY MitigationPolicy, + _Out_writes_bytes_(dwLength) PVOID lpBuffer, + _In_ SIZE_T dwLength + ); + +WINBASEAPI +BOOL +WINAPI +SetProcessMitigationPolicy( + _In_ PROCESS_MITIGATION_POLICY MitigationPolicy, + _In_reads_bytes_(dwLength) PVOID lpBuffer, + _In_ SIZE_T dwLength + ); + +#if !defined(_USERENV_) +#define USERENVAPI DECLSPEC_IMPORT +#else +#define USERENVAPI +#endif + +USERENVAPI +HRESULT +WINAPI +CreateAppContainerProfile(_In_ PCWSTR pszAppContainerName, + _In_ PCWSTR pszDisplayName, + _In_ PCWSTR pszDescription, + _In_reads_opt_(dwCapabilityCount) + PSID_AND_ATTRIBUTES pCapabilities, + _In_ DWORD dwCapabilityCount, + _Outptr_ PSID* ppSidAppContainerSid); + +USERENVAPI +HRESULT +WINAPI +DeleteAppContainerProfile( + _In_ PCWSTR pszAppContainerName); + +USERENVAPI +HRESULT +WINAPI +GetAppContainerRegistryLocation( + _In_ REGSAM desiredAccess, + _Outptr_ PHKEY phAppContainerKey); + +USERENVAPI +HRESULT +WINAPI +GetAppContainerFolderPath( + _In_ PCWSTR pszAppContainerSid, + _Outptr_ PWSTR *ppszPath); + +USERENVAPI +HRESULT +WINAPI +DeriveAppContainerSidFromAppContainerName( + _In_ PCWSTR pszAppContainerName, + _Outptr_ PSID *ppsidAppContainerSid); + +#endif // (_WIN32_WINNT < 
0x0602) + +#if (_WIN32_WINNT < 0x0603) +// +// Define dynamic code options. +// + +#define PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_MASK (0x00000003uLL << 36) +#define PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_DEFER (0x00000000uLL << 36) +#define PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON (0x00000001uLL << 36) +#define PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_OFF (0x00000002uLL << 36) +#define PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON_ALLOW_OPT_OUT (0x00000003uLL << 36) + +// +// Define Control Flow Guard (CFG) mitigation policy options. Control Flow +// Guard allows indirect control transfers to be checked at runtime. +// + +#define PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_MASK (0x00000003uLL << 40) +#define PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_DEFER (0x00000000uLL << 40) +#define PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_ON (0x00000001uLL << 40) +#define PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF (0x00000002uLL << 40) +#define PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_EXPORT_SUPPRESSION (0x00000003uLL << 40) + +// +// Define module signature options. When enabled, this option will +// block mapping of non-microsoft binaries. +// + +#define PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_MASK (0x00000003uLL << 44) +#define PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_DEFER (0x00000000uLL << 44) +#define PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON (0x00000001uLL << 44) +#define PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_OFF (0x00000002uLL << 44) +#define PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_RESERVED (0x00000003uLL << 44) +#endif + +#if (_WIN32_WINNT < 0x0A00) +// +// Define Font Disable Policy. When enabled, this option will +// block loading Non System Fonts. 
+// + +#define PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_MASK (0x00000003uLL << 48) +#define PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_DEFER (0x00000000uLL << 48) +#define PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON (0x00000001uLL << 48) +#define PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_OFF (0x00000002uLL << 48) +#define PROCESS_CREATION_MITIGATION_POLICY_AUDIT_NONSYSTEM_FONTS (0x00000003uLL << 48) + +// +// Define remote image load options. When enabled, this option will +// block mapping of images from remote devices. +// + +#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_MASK (0x00000003uLL << 52) +#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_DEFER (0x00000000uLL << 52) +#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON (0x00000001uLL << 52) +#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_OFF (0x00000002uLL << 52) +#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_RESERVED (0x00000003uLL << 52) + +// +// Define low IL image load options. When enabled, this option will +// block mapping of images that have the low mandatory label. +// + +#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_MASK (0x00000003uLL << 56) +#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_DEFER (0x00000000uLL << 56) +#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_ON (0x00000001uLL << 56) +#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_OFF (0x00000002uLL << 56) +#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_RESERVED (0x00000003uLL << 56) + +// +// Define image load options to prefer System32 images compared to +// the same images in application directory. When enabled, this option +// will prefer loading images from system32 folder. 
+// + +#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_MASK (0x00000003uLL << 60) +#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_DEFER (0x00000000uLL << 60) +#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON (0x00000001uLL << 60) +#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_OFF (0x00000002uLL << 60) +#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_RESERVED (0x00000003uLL << 60) + +// +// Define the restricted indirect branch prediction mitigation policy options. +// + +#define PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_MASK (0x00000003ui64 << 16) +#define PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_DEFER (0x00000000ui64 << 16) +#define PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON (0x00000001ui64 << 16) +#define PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_OFF (0x00000002ui64 << 16) +#define PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_RESERVED (0x00000003ui64 << 16) + +// +// Define the user-mode shadow stack mitigation policy options. 
+// + +#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_MASK (0x00000003ui64 << 28) +#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_DEFER (0x00000000ui64 << 28) +#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_ALWAYS_ON (0x00000001ui64 << 28) +#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_ALWAYS_OFF (0x00000002ui64 << 28) +#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_RESERVED (0x00000003ui64 << 28) +#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_STRICT_MODE (0x00000003ui64 << 28) + +// +// Define Attribute to disable creation of child process +// + +#define PROCESS_CREATION_CHILD_PROCESS_RESTRICTED 0x01 +#define PROCESS_CREATION_CHILD_PROCESS_OVERRIDE 0x02 + +// +// Define Attribute for Desktop Appx Overide. +// + +#define PROCESS_CREATION_DESKTOP_APPX_OVERRIDE 0x04 + +#define ProcThreadAttributeChildProcessPolicy 14 + +#define PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY \ + ProcThreadAttributeValue (ProcThreadAttributeChildProcessPolicy, FALSE, TRUE, FALSE) + +// +// Define Attribute to opt out of matching All Application Packages +// + +#define PROCESS_CREATION_ALL_APPLICATION_PACKAGES_OPT_OUT 0x01 + +#define ProcThreadAttributeAllApplicationPackagesPolicy 15 + +#define PROC_THREAD_ATTRIBUTE_ALL_APPLICATION_PACKAGES_POLICY \ + ProcThreadAttributeValue (ProcThreadAttributeAllApplicationPackagesPolicy, FALSE, TRUE, FALSE) + +// +// Define functions declared only when _WIN32_WINNT >= 0x0A00 +// + +WINBASEAPI +BOOL +WINAPI +IsWow64Process2( + _In_ HANDLE hProcess, + _Out_ USHORT* pProcessMachine, + _Out_opt_ USHORT* pNativeMachine + ); + +WINBASEAPI +BOOL +WINAPI +IsUserCetAvailableInEnvironment( + _In_ DWORD UserCetEnvironment + ); + +#define USER_CET_ENVIRONMENT_WIN32_PROCESS 0x00000000 + +#endif // (_WIN32_WINNT < 0x0A00) + +#endif // _SECURITY_SANDBOX_BASE_SHIM_SDKDECLS_H_ 
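Review bot: The literal suffixes are inconsistent within one block of flags: the `PROCESS_CREATION_MITIGATION_POLICY_*` entries use `uLL` while the `PROCESS_CREATION_MITIGATION_POLICY2_*` entries use `ui64`, an MSVC-specific suffix that other compilers accept only with Microsoft extensions enabled. Since the rest of the file already uses the standard suffix, `(0x00000003uLL << 16)` (and likewise for the other POLICY2 lines) keeps the header portable across the toolchains that build this shim. The trailing `);` of `GetThreadInformation`, `GetProcessMitigationPolicy` and `SetProcessMitigationPolicy` is indented while `SetThreadInformation`'s is not; minor, but worth aligning in a file that is mostly copied SDK text.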
diff --git a/security/sandbox/chromium-shim/base/win/win_util.cpp b/security/sandbox/chromium-shim/base/win/win_util.cpp
new file mode 100644
index 0000000000..3ea789675d
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/win/win_util.cpp
@@ -0,0 +1,42 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a partial implementation of Chromium's source file
+// base/win/win_util.cc
+
+#include "base/win/win_util.h"
+
+#include "base/logging.h"
+#include "base/strings/string_util.h"
+
+namespace base {
+namespace win {
+
+std::wstring GetWindowObjectName(HANDLE handle) {
+ // Get the size of the name.
+ std::wstring object_name;
+
+ DWORD size = 0;
+ ::GetUserObjectInformation(handle, UOI_NAME, nullptr, 0, &size);
+ if (!size) {
+ DPCHECK(false);
+ return object_name;
+ }
+
+ LOG_ASSERT(size % sizeof(wchar_t) == 0u);
+
+ // Query the name of the object.
+ if (!::GetUserObjectInformation(
+ handle, UOI_NAME, WriteInto(&object_name, size / sizeof(wchar_t)),
+ size, &size)) {
+ DPCHECK(false);
+ }
+
+ return object_name;
+}
+
+} // namespace win
+} // namespace base
diff --git a/security/sandbox/chromium-shim/base/win/win_util.h b/security/sandbox/chromium-shim/base/win/win_util.h
new file mode 100644
index 0000000000..3e91e63d59
--- /dev/null
+++ b/security/sandbox/chromium-shim/base/win/win_util.h
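Review bot: If the second `::GetUserObjectInformation` call fails, the function falls through to `return object_name` after `WriteInto` has already grown the string to `size / sizeof(wchar_t)` characters (assuming `WriteInto` resizes before the write, as Chromium's does), so in release builds, where `DPCHECK` is a no-op, the caller receives a non-empty string of unspecified content instead of the empty string the size-query failure path returns. Any caller that compares the returned name against an expected desktop or window station name cannot tell that case apart from a real name. Suggest adding `object_name.clear();` after the `DPCHECK(false);` in that branch so both failure paths agree.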
@@ -0,0 +1,26 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a partial implementation of Chromium's source file
+// base/win/win_util.h
+
+#ifndef BASE_WIN_WIN_UTIL_H_
+#define BASE_WIN_WIN_UTIL_H_
+
+#include
+
+#include "base/base_export.h"
+
+namespace base {
+namespace win {
+
+// Returns the name of a desktop or a window station.
+BASE_EXPORT std::wstring GetWindowObjectName(HANDLE handle);
+
+} // namespace win
+} // namespace base
+
+#endif // BASE_WIN_WIN_UTIL_H_
diff --git a/security/sandbox/chromium-shim/patches/after_update/add_WOW64_flags_to_allowed_registry_read_flags.patch b/security/sandbox/chromium-shim/patches/after_update/add_WOW64_flags_to_allowed_registry_read_flags.patch
new file mode 100644
index 0000000000..7eb643719e
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/after_update/add_WOW64_flags_to_allowed_registry_read_flags.patch
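Review bot: The declaration's comment says only `// Returns the name of a desktop or a window station.`; the implementation added in this commit returns an empty string when the name size cannot be queried, and callers have no other way to detect that. Suggest `// Returns the name of a desktop or a window station, or an empty string if` / `// the name could not be queried.`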
@@ -0,0 +1,34 @@
+# HG changeset patch
+# User Bob Owen
+# Date 1482405067 0
+# Thu Dec 22 11:11:07 2016 +0000
+# Node ID 43d0efc18f586e1ed90b95c4a52235c4648e96a9
+# Parent 266ef86795979f2ef9b6650d1bb35fb27d11ad86
+Add KEY_WOW64_64Key and KEY_WOW64_32KEY to the Chromium sandbox allowed registry read flags. r=aklotz
+
+Originally landed as changeset:
+https://hg.mozilla.org/mozilla-central/rev/d24db55deb85
+
+diff --git a/security/sandbox/chromium/sandbox/win/src/registry_policy.cc b/security/sandbox/chromium/sandbox/win/src/registry_policy.cc
+--- a/security/sandbox/chromium/sandbox/win/src/registry_policy.cc
++++ b/security/sandbox/chromium/sandbox/win/src/registry_policy.cc
+@@ -15,17 +15,18 @@
+ #include "sandbox/win/src/sandbox_types.h"
+ #include "sandbox/win/src/sandbox_utils.h"
+ #include "sandbox/win/src/win_utils.h"
+
+ namespace {
+
+ static const uint32_t kAllowedRegFlags =
+ KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY | KEY_READ |
+- GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL;
++ GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL | KEY_WOW64_64KEY |
++ KEY_WOW64_32KEY;
+
+ // Opens the key referenced by |obj_attributes| with |access| and
+ // checks what permission was given. Remove the WRITE flags and update
+ // |access| with the new value.
+ NTSTATUS TranslateMaximumAllowed(OBJECT_ATTRIBUTES* obj_attributes,
+ DWORD* access) {
+ NtOpenKeyFunction NtOpenKey = nullptr;
+ ResolveNTFunctionPtr("NtOpenKey", &NtOpenKey);
diff --git a/security/sandbox/chromium-shim/patches/after_update/add_interception_logging.patch b/security/sandbox/chromium-shim/patches/after_update/add_interception_logging.patch
new file mode 100644
index 0000000000..344fd569d7
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/after_update/add_interception_logging.patch
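Review bot: The two flags added to `kAllowedRegFlags`, `KEY_WOW64_64KEY` and `KEY_WOW64_32KEY`, select the 64-bit or 32-bit registry view rather than granting an access right, so they do not widen what an opened key can be used for; nothing in the patch records that next to a constant whose purpose is to bound the access mask a sandboxed process may request. A comment in the patched hunk, e.g. `// KEY_WOW64_* only select the registry view; they grant no extra access.`, would let a future reader verify the allow-list without re-deriving it. The patch's description line also spells the first flag `KEY_WOW64_64Key` while the code uses `KEY_WOW64_64KEY`.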
@@ -0,0 +1,810 @@ +# HG changeset patch +# User Bob Owen +# Date 1417281138 0 +# Sat Nov 29 17:12:18 2014 +0000 +# Node ID 4ea2e332affe4b74bd37fbf2fee8da0b1c94e115 +# Parent 5eec91873c96c2cbfc856ba86335fa068c89d6ce +Re-apply - Logging changes to the Chromium interception code. r=tabraldes + +Originally landed as changset: +https://hg.mozilla.org/mozilla-central/rev/0f763c186855 + +diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc +--- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc ++++ b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc +@@ -10,16 +10,17 @@ + #include "sandbox/win/src/filesystem_policy.h" + #include "sandbox/win/src/ipc_tags.h" + #include "sandbox/win/src/policy_params.h" + #include "sandbox/win/src/policy_target.h" + #include "sandbox/win/src/sandbox_factory.h" + #include "sandbox/win/src/sandbox_nt_util.h" + #include "sandbox/win/src/sharedmem_ipc_client.h" + #include "sandbox/win/src/target_services.h" ++#include "mozilla/sandboxing/sandboxLogging.h" + + // This status occurs when trying to access a network share on the machine from + // which it is shared. + #define STATUS_NETWORK_OPEN_RESTRICTION ((NTSTATUS)0xC0000201L) + + namespace sandbox { + + NTSTATUS WINAPI TargetNtCreateFile(NtCreateFileFunction orig_CreateFile, +@@ -37,16 +38,20 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre + // Check if the process can open it first. + NTSTATUS status = orig_CreateFile( + file, desired_access, object_attributes, io_status, allocation_size, + file_attributes, sharing, disposition, options, ea_buffer, ea_length); + if (STATUS_ACCESS_DENIED != status && + STATUS_NETWORK_OPEN_RESTRICTION != status) + return status; + ++ mozilla::sandboxing::LogBlocked("NtCreateFile", ++ object_attributes->ObjectName->Buffer, ++ object_attributes->ObjectName->Length); ++ + // We don't trust that the IPC can work this early. 
+ if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return status; + + do { + if (!ValidParameter(file, sizeof(HANDLE), WRITE)) + break; + if (!ValidParameter(io_status, sizeof(IO_STATUS_BLOCK), WRITE)) +@@ -96,16 +101,19 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre + + __try { + *file = answer.handle; + io_status->Status = answer.nt_status; + io_status->Information = answer.extended[0].ulong_ptr; + } __except (EXCEPTION_EXECUTE_HANDLER) { + break; + } ++ mozilla::sandboxing::LogAllowed("NtCreateFile", ++ object_attributes->ObjectName->Buffer, ++ object_attributes->ObjectName->Length); + } while (false); + + return status; + } + + NTSTATUS WINAPI TargetNtOpenFile(NtOpenFileFunction orig_OpenFile, + PHANDLE file, + ACCESS_MASK desired_access, +@@ -115,16 +123,20 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF + ULONG options) { + // Check if the process can open it first. + NTSTATUS status = orig_OpenFile(file, desired_access, object_attributes, + io_status, sharing, options); + if (STATUS_ACCESS_DENIED != status && + STATUS_NETWORK_OPEN_RESTRICTION != status) + return status; + ++ mozilla::sandboxing::LogBlocked("NtOpenFile", ++ object_attributes->ObjectName->Buffer, ++ object_attributes->ObjectName->Length); ++ + // We don't trust that the IPC can work this early. 
+ if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return status; + + do { + if (!ValidParameter(file, sizeof(HANDLE), WRITE)) + break; + if (!ValidParameter(io_status, sizeof(IO_STATUS_BLOCK), WRITE)) +@@ -171,31 +183,38 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF + + __try { + *file = answer.handle; + io_status->Status = answer.nt_status; + io_status->Information = answer.extended[0].ulong_ptr; + } __except (EXCEPTION_EXECUTE_HANDLER) { + break; + } ++ mozilla::sandboxing::LogAllowed("NtOpenFile", ++ object_attributes->ObjectName->Buffer, ++ object_attributes->ObjectName->Length); + } while (false); + + return status; + } + + NTSTATUS WINAPI + TargetNtQueryAttributesFile(NtQueryAttributesFileFunction orig_QueryAttributes, + POBJECT_ATTRIBUTES object_attributes, + PFILE_BASIC_INFORMATION file_attributes) { + // Check if the process can query it first. + NTSTATUS status = orig_QueryAttributes(object_attributes, file_attributes); + if (STATUS_ACCESS_DENIED != status && + STATUS_NETWORK_OPEN_RESTRICTION != status) + return status; + ++ mozilla::sandboxing::LogBlocked("NtQueryAttributesFile", ++ object_attributes->ObjectName->Buffer, ++ object_attributes->ObjectName->Length); ++ + // We don't trust that the IPC can work this early. 
+ if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return status; + + do { + if (!ValidParameter(file_attributes, sizeof(FILE_BASIC_INFORMATION), WRITE)) + break; + +@@ -227,32 +246,39 @@ TargetNtQueryAttributesFile(NtQueryAttri + ResultCode code = CrossCall(ipc, IpcTag::NTQUERYATTRIBUTESFILE, name.get(), + attributes, file_info, &answer); + + if (SBOX_ALL_OK != code) + break; + + status = answer.nt_status; + ++ mozilla::sandboxing::LogAllowed("NtQueryAttributesFile", ++ object_attributes->ObjectName->Buffer, ++ object_attributes->ObjectName->Length); + } while (false); + + return status; + } + + NTSTATUS WINAPI TargetNtQueryFullAttributesFile( + NtQueryFullAttributesFileFunction orig_QueryFullAttributes, + POBJECT_ATTRIBUTES object_attributes, + PFILE_NETWORK_OPEN_INFORMATION file_attributes) { + // Check if the process can query it first. + NTSTATUS status = + orig_QueryFullAttributes(object_attributes, file_attributes); + if (STATUS_ACCESS_DENIED != status && + STATUS_NETWORK_OPEN_RESTRICTION != status) + return status; + ++ mozilla::sandboxing::LogBlocked("NtQueryFullAttributesFile", ++ object_attributes->ObjectName->Buffer, ++ object_attributes->ObjectName->Length); ++ + // We don't trust that the IPC can work this early. 
+ if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return status; + + do { + if (!ValidParameter(file_attributes, sizeof(FILE_NETWORK_OPEN_INFORMATION), + WRITE)) + break; +@@ -284,16 +310,20 @@ NTSTATUS WINAPI TargetNtQueryFullAttribu + CrossCallReturn answer = {0}; + ResultCode code = CrossCall(ipc, IpcTag::NTQUERYFULLATTRIBUTESFILE, + name.get(), attributes, file_info, &answer); + + if (SBOX_ALL_OK != code) + break; + + status = answer.nt_status; ++ ++ mozilla::sandboxing::LogAllowed("NtQueryFullAttributesFile", ++ object_attributes->ObjectName->Buffer, ++ object_attributes->ObjectName->Length); + } while (false); + + return status; + } + + NTSTATUS WINAPI + TargetNtSetInformationFile(NtSetInformationFileFunction orig_SetInformationFile, + HANDLE file, +@@ -302,16 +332,18 @@ TargetNtSetInformationFile(NtSetInformat + ULONG length, + FILE_INFORMATION_CLASS file_info_class) { + // Check if the process can open it first. + NTSTATUS status = orig_SetInformationFile(file, io_status, file_info, length, + file_info_class); + if (STATUS_ACCESS_DENIED != status) + return status; + ++ mozilla::sandboxing::LogBlocked("NtSetInformationFile"); ++ + // We don't trust that the IPC can work this early. 
+ if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return status; + + do { + void* memory = GetGlobalIPCMemory(); + if (!memory) + break; +@@ -366,14 +398,15 @@ TargetNtSetInformationFile(NtSetInformat + ResultCode code = + CrossCall(ipc, IpcTag::NTSETINFO_RENAME, file, io_status_buffer, + file_info_buffer, length, file_info_class, &answer); + + if (SBOX_ALL_OK != code) + break; + + status = answer.nt_status; ++ mozilla::sandboxing::LogAllowed("NtSetInformationFile"); + } while (false); + + return status; + } + + } // namespace sandbox +diff --git a/security/sandbox/chromium/sandbox/win/src/handle_interception.cc b/security/sandbox/chromium/sandbox/win/src/handle_interception.cc +--- a/security/sandbox/chromium/sandbox/win/src/handle_interception.cc ++++ b/security/sandbox/chromium/sandbox/win/src/handle_interception.cc +@@ -5,16 +5,17 @@ + #include "sandbox/win/src/handle_interception.h" + + #include "sandbox/win/src/crosscall_client.h" + #include "sandbox/win/src/ipc_tags.h" + #include "sandbox/win/src/sandbox_factory.h" + #include "sandbox/win/src/sandbox_nt_util.h" + #include "sandbox/win/src/sharedmem_ipc_client.h" + #include "sandbox/win/src/target_services.h" ++#include "mozilla/sandboxing/sandboxLogging.h" + + namespace sandbox { + + ResultCode DuplicateHandleProxy(HANDLE source_handle, + DWORD target_process_id, + HANDLE* target_handle, + DWORD desired_access, + DWORD options) { +@@ -29,17 +30,19 @@ ResultCode DuplicateHandleProxy(HANDLE s + ResultCode code = CrossCall(ipc, IpcTag::DUPLICATEHANDLEPROXY, + source_handle, target_process_id, + desired_access, options, &answer); + if (SBOX_ALL_OK != code) + return code; + + if (answer.win32_result) { + ::SetLastError(answer.win32_result); ++ mozilla::sandboxing::LogBlocked("DuplicateHandle"); + return SBOX_ERROR_GENERIC; + } + + *target_handle = answer.handle; ++ mozilla::sandboxing::LogAllowed("DuplicateHandle"); + return SBOX_ALL_OK; + } + + } // namespace sandbox + +diff --git 
a/security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc b/security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc +--- a/security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc ++++ b/security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc +@@ -7,16 +7,17 @@ + #include "sandbox/win/src/crosscall_client.h" + #include "sandbox/win/src/ipc_tags.h" + #include "sandbox/win/src/policy_params.h" + #include "sandbox/win/src/policy_target.h" + #include "sandbox/win/src/sandbox_factory.h" + #include "sandbox/win/src/sandbox_nt_util.h" + #include "sandbox/win/src/sharedmem_ipc_client.h" + #include "sandbox/win/src/target_services.h" ++#include "mozilla/sandboxing/sandboxLogging.h" + + namespace sandbox { + + HANDLE WINAPI + TargetCreateNamedPipeW(CreateNamedPipeWFunction orig_CreateNamedPipeW, + LPCWSTR pipe_name, + DWORD open_mode, + DWORD pipe_mode, +@@ -26,16 +27,18 @@ TargetCreateNamedPipeW(CreateNamedPipeWF + DWORD default_timeout, + LPSECURITY_ATTRIBUTES security_attributes) { + HANDLE pipe = orig_CreateNamedPipeW( + pipe_name, open_mode, pipe_mode, max_instance, out_buffer_size, + in_buffer_size, default_timeout, security_attributes); + if (INVALID_HANDLE_VALUE != pipe) + return pipe; + ++ mozilla::sandboxing::LogBlocked("CreateNamedPipeW", pipe_name); ++ + // We don't trust that the IPC can work this early. + if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return INVALID_HANDLE_VALUE; + + DWORD original_error = ::GetLastError(); + + // We don't support specific Security Attributes. 
+ if (security_attributes) +@@ -61,16 +64,17 @@ TargetCreateNamedPipeW(CreateNamedPipeWF + if (SBOX_ALL_OK != code) + break; + + ::SetLastError(answer.win32_result); + + if (ERROR_SUCCESS != answer.win32_result) + return INVALID_HANDLE_VALUE; + ++ mozilla::sandboxing::LogAllowed("CreateNamedPipeW", pipe_name); + return answer.handle; + } while (false); + + ::SetLastError(original_error); + return INVALID_HANDLE_VALUE; + } + + } // namespace sandbox +diff --git a/security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc b/security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc +--- a/security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc ++++ b/security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc +@@ -10,16 +10,17 @@ + #include "sandbox/win/src/crosscall_client.h" + #include "sandbox/win/src/ipc_tags.h" + #include "sandbox/win/src/policy_params.h" + #include "sandbox/win/src/policy_target.h" + #include "sandbox/win/src/sandbox_factory.h" + #include "sandbox/win/src/sandbox_nt_util.h" + #include "sandbox/win/src/sharedmem_ipc_client.h" + #include "sandbox/win/src/target_services.h" ++#include "mozilla/sandboxing/sandboxLogging.h" + + namespace sandbox { + + SANDBOX_INTERCEPT NtExports g_nt; + + // Hooks NtOpenThread and proxy the call to the broker if it's trying to + // open a thread in the same process. 
+ NTSTATUS WINAPI TargetNtOpenThread(NtOpenThreadFunction orig_OpenThread, +@@ -27,16 +28,17 @@ NTSTATUS WINAPI TargetNtOpenThread(NtOpe + ACCESS_MASK desired_access, + POBJECT_ATTRIBUTES object_attributes, + PCLIENT_ID client_id) { + NTSTATUS status = + orig_OpenThread(thread, desired_access, object_attributes, client_id); + if (NT_SUCCESS(status)) + return status; + ++ mozilla::sandboxing::LogBlocked("NtOpenThread"); + do { + if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + break; + if (!client_id) + break; + + uint32_t thread_id = 0; + bool should_break = false; +@@ -91,16 +93,17 @@ NTSTATUS WINAPI TargetNtOpenThread(NtOpe + + __try { + // Write the output parameters. + *thread = answer.handle; + } __except (EXCEPTION_EXECUTE_HANDLER) { + break; + } + ++ mozilla::sandboxing::LogAllowed("NtOpenThread"); + return answer.nt_status; + } while (false); + + return status; + } + + // Hooks NtOpenProcess and proxy the call to the broker if it's trying to + // open the current process. +@@ -176,16 +179,17 @@ NTSTATUS WINAPI + TargetNtOpenProcessToken(NtOpenProcessTokenFunction orig_OpenProcessToken, + HANDLE process, + ACCESS_MASK desired_access, + PHANDLE token) { + NTSTATUS status = orig_OpenProcessToken(process, desired_access, token); + if (NT_SUCCESS(status)) + return status; + ++ mozilla::sandboxing::LogBlocked("NtOpenProcessToken"); + do { + if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + break; + + if (CURRENT_PROCESS != process) + break; + + if (!ValidParameter(token, sizeof(HANDLE), WRITE)) +@@ -207,16 +211,17 @@ TargetNtOpenProcessToken(NtOpenProcessTo + + __try { + // Write the output parameters. 
+ *token = answer.handle; + } __except (EXCEPTION_EXECUTE_HANDLER) { + break; + } + ++ mozilla::sandboxing::LogAllowed("NtOpenProcessToken"); + return answer.nt_status; + } while (false); + + return status; + } + + NTSTATUS WINAPI + TargetNtOpenProcessTokenEx(NtOpenProcessTokenExFunction orig_OpenProcessTokenEx, +@@ -224,16 +229,17 @@ TargetNtOpenProcessTokenEx(NtOpenProcess + ACCESS_MASK desired_access, + ULONG handle_attributes, + PHANDLE token) { + NTSTATUS status = orig_OpenProcessTokenEx(process, desired_access, + handle_attributes, token); + if (NT_SUCCESS(status)) + return status; + ++ mozilla::sandboxing::LogBlocked("NtOpenProcessTokenEx"); + do { + if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + break; + + if (CURRENT_PROCESS != process) + break; + + if (!ValidParameter(token, sizeof(HANDLE), WRITE)) +@@ -255,16 +261,17 @@ TargetNtOpenProcessTokenEx(NtOpenProcess + + __try { + // Write the output parameters. + *token = answer.handle; + } __except (EXCEPTION_EXECUTE_HANDLER) { + break; + } + ++ mozilla::sandboxing::LogAllowed("NtOpenProcessTokenEx"); + return answer.nt_status; + } while (false); + + return status; + } + + BOOL WINAPI TargetCreateProcessW(CreateProcessWFunction orig_CreateProcessW, + LPCWSTR application_name, +@@ -280,16 +287,18 @@ BOOL WINAPI TargetCreateProcessW(CreateP + if (SandboxFactory::GetTargetServices()->GetState()->IsCsrssConnected() && + orig_CreateProcessW(application_name, command_line, process_attributes, + thread_attributes, inherit_handles, flags, + environment, current_directory, startup_info, + process_information)) { + return true; + } + ++ mozilla::sandboxing::LogBlocked("CreateProcessW", application_name); ++ + // We don't trust that the IPC can work this early. + if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return false; + + // Don't call GetLastError before InitCalled() succeeds because kernel32 may + // not be mapped yet. 
+ DWORD original_error = ::GetLastError(); + +@@ -320,16 +329,17 @@ BOOL WINAPI TargetCreateProcessW(CreateP + cur_dir, current_directory, proc_info, &answer); + if (SBOX_ALL_OK != code) + break; + + ::SetLastError(answer.win32_result); + if (ERROR_SUCCESS != answer.win32_result) + return false; + ++ mozilla::sandboxing::LogAllowed("CreateProcessW", application_name); + return true; + } while (false); + + ::SetLastError(original_error); + return false; + } + + BOOL WINAPI TargetCreateProcessA(CreateProcessAFunction orig_CreateProcessA, +@@ -346,16 +356,18 @@ BOOL WINAPI TargetCreateProcessA(CreateP + if (SandboxFactory::GetTargetServices()->GetState()->IsCsrssConnected() && + orig_CreateProcessA(application_name, command_line, process_attributes, + thread_attributes, inherit_handles, flags, + environment, current_directory, startup_info, + process_information)) { + return true; + } + ++ mozilla::sandboxing::LogBlocked("CreateProcessA", application_name); ++ + // We don't trust that the IPC can work this early. + if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return false; + + // Don't call GetLastError before InitCalled() succeeds because kernel32 may + // not be mapped yet. 
+ DWORD original_error = ::GetLastError(); + +@@ -420,16 +432,17 @@ BOOL WINAPI TargetCreateProcessA(CreateP + + if (SBOX_ALL_OK != code) + break; + + ::SetLastError(answer.win32_result); + if (ERROR_SUCCESS != answer.win32_result) + return false; + ++ mozilla::sandboxing::LogAllowed("CreateProcessA", application_name); + return true; + } while (false); + + ::SetLastError(original_error); + return false; + } + + HANDLE WINAPI TargetCreateThread(CreateThreadFunction orig_CreateThread, +diff --git a/security/sandbox/chromium/sandbox/win/src/registry_interception.cc b/security/sandbox/chromium/sandbox/win/src/registry_interception.cc +--- a/security/sandbox/chromium/sandbox/win/src/registry_interception.cc ++++ b/security/sandbox/chromium/sandbox/win/src/registry_interception.cc +@@ -9,16 +9,17 @@ + #include "sandbox/win/src/crosscall_client.h" + #include "sandbox/win/src/ipc_tags.h" + #include "sandbox/win/src/policy_params.h" + #include "sandbox/win/src/policy_target.h" + #include "sandbox/win/src/sandbox_factory.h" + #include "sandbox/win/src/sandbox_nt_util.h" + #include "sandbox/win/src/sharedmem_ipc_client.h" + #include "sandbox/win/src/target_services.h" ++#include "mozilla/sandboxing/sandboxLogging.h" + + namespace sandbox { + + NTSTATUS WINAPI TargetNtCreateKey(NtCreateKeyFunction orig_CreateKey, + PHANDLE key, + ACCESS_MASK desired_access, + POBJECT_ATTRIBUTES object_attributes, + ULONG title_index, +@@ -27,16 +28,22 @@ NTSTATUS WINAPI TargetNtCreateKey(NtCrea + PULONG disposition) { + // Check if the process can create it first. + NTSTATUS status = + orig_CreateKey(key, desired_access, object_attributes, title_index, + class_name, create_options, disposition); + if (NT_SUCCESS(status)) + return status; + ++ if (STATUS_OBJECT_NAME_NOT_FOUND != status) { ++ mozilla::sandboxing::LogBlocked("NtCreateKey", ++ object_attributes->ObjectName->Buffer, ++ object_attributes->ObjectName->Length); ++ } ++ + // We don't trust that the IPC can work this early. 
+ if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return status; + + do { + if (!ValidParameter(key, sizeof(HANDLE), WRITE)) + break; + +@@ -114,16 +121,19 @@ NTSTATUS WINAPI TargetNtCreateKey(NtCrea + + if (disposition) + *disposition = answer.extended[0].unsigned_int; + + status = answer.nt_status; + } __except (EXCEPTION_EXECUTE_HANDLER) { + break; + } ++ mozilla::sandboxing::LogAllowed("NtCreateKey", ++ object_attributes->ObjectName->Buffer, ++ object_attributes->ObjectName->Length); + } while (false); + + return status; + } + + NTSTATUS WINAPI CommonNtOpenKey(NTSTATUS status, + PHANDLE key, + ACCESS_MASK desired_access, +@@ -193,30 +203,39 @@ NTSTATUS WINAPI CommonNtOpenKey(NTSTATUS + break; + + __try { + *key = answer.handle; + status = answer.nt_status; + } __except (EXCEPTION_EXECUTE_HANDLER) { + break; + } ++ mozilla::sandboxing::LogAllowed("NtOpenKey[Ex]", ++ object_attributes->ObjectName->Buffer, ++ object_attributes->ObjectName->Length); + } while (false); + + return status; + } + + NTSTATUS WINAPI TargetNtOpenKey(NtOpenKeyFunction orig_OpenKey, + PHANDLE key, + ACCESS_MASK desired_access, + POBJECT_ATTRIBUTES object_attributes) { + // Check if the process can open it first. + NTSTATUS status = orig_OpenKey(key, desired_access, object_attributes); + if (NT_SUCCESS(status)) + return status; + ++ if (STATUS_OBJECT_NAME_NOT_FOUND != status) { ++ mozilla::sandboxing::LogBlocked("NtOpenKey", ++ object_attributes->ObjectName->Buffer, ++ object_attributes->ObjectName->Length); ++ } ++ + return CommonNtOpenKey(status, key, desired_access, object_attributes); + } + + NTSTATUS WINAPI TargetNtOpenKeyEx(NtOpenKeyExFunction orig_OpenKeyEx, + PHANDLE key, + ACCESS_MASK desired_access, + POBJECT_ATTRIBUTES object_attributes, + ULONG open_options) { +@@ -225,12 +244,18 @@ NTSTATUS WINAPI TargetNtOpenKeyEx(NtOpen + orig_OpenKeyEx(key, desired_access, object_attributes, open_options); + + // We do not support open_options at this time. 
The 2 current known values + // are REG_OPTION_CREATE_LINK, to open a symbolic link, and + // REG_OPTION_BACKUP_RESTORE to open the key with special privileges. + if (NT_SUCCESS(status) || open_options != 0) + return status; + ++ if (STATUS_OBJECT_NAME_NOT_FOUND != status) { ++ mozilla::sandboxing::LogBlocked("NtOpenKeyEx", ++ object_attributes->ObjectName->Buffer, ++ object_attributes->ObjectName->Length); ++ } ++ + return CommonNtOpenKey(status, key, desired_access, object_attributes); + } + + } // namespace sandbox +diff --git a/security/sandbox/chromium/sandbox/win/src/signed_interception.cc b/security/sandbox/chromium/sandbox/win/src/signed_interception.cc +--- a/security/sandbox/chromium/sandbox/win/src/signed_interception.cc ++++ b/security/sandbox/chromium/sandbox/win/src/signed_interception.cc +@@ -9,16 +9,17 @@ + #include "sandbox/win/src/crosscall_client.h" + #include "sandbox/win/src/ipc_tags.h" + #include "sandbox/win/src/policy_params.h" + #include "sandbox/win/src/policy_target.h" + #include "sandbox/win/src/sandbox_factory.h" + #include "sandbox/win/src/sandbox_nt_util.h" + #include "sandbox/win/src/sharedmem_ipc_client.h" + #include "sandbox/win/src/target_services.h" ++#include "mozilla/sandboxing/sandboxLogging.h" + + namespace sandbox { + + NTSTATUS WINAPI + TargetNtCreateSection(NtCreateSectionFunction orig_CreateSection, + PHANDLE section_handle, + ACCESS_MASK desired_access, + POBJECT_ATTRIBUTES object_attributes, +@@ -37,16 +38,18 @@ TargetNtCreateSection(NtCreateSectionFun + break; + if (maximum_size) + break; + if (section_page_protection != PAGE_EXECUTE) + break; + if (allocation_attributes != SEC_IMAGE) + break; + ++ mozilla::sandboxing::LogBlocked("NtCreateSection"); ++ + // IPC must be fully started. 
+ void* memory = GetGlobalIPCMemory(); + if (!memory) + break; + + std::unique_ptr path; + + if (!NtGetPathFromHandle(file_handle, &path)) +@@ -73,16 +76,17 @@ TargetNtCreateSection(NtCreateSectionFun + if (code != SBOX_ALL_OK) + break; + + if (!NT_SUCCESS(answer.nt_status)) + break; + + __try { + *section_handle = answer.handle; ++ mozilla::sandboxing::LogAllowed("NtCreateSection"); + return answer.nt_status; + } __except (EXCEPTION_EXECUTE_HANDLER) { + break; + } + } while (false); + + // Fall back to the original API in all failure cases. + return orig_CreateSection(section_handle, desired_access, object_attributes, +diff --git a/security/sandbox/chromium/sandbox/win/src/sync_interception.cc b/security/sandbox/chromium/sandbox/win/src/sync_interception.cc +--- a/security/sandbox/chromium/sandbox/win/src/sync_interception.cc ++++ b/security/sandbox/chromium/sandbox/win/src/sync_interception.cc +@@ -9,16 +9,17 @@ + #include "sandbox/win/src/crosscall_client.h" + #include "sandbox/win/src/ipc_tags.h" + #include "sandbox/win/src/policy_params.h" + #include "sandbox/win/src/policy_target.h" + #include "sandbox/win/src/sandbox_factory.h" + #include "sandbox/win/src/sandbox_nt_util.h" + #include "sandbox/win/src/sharedmem_ipc_client.h" + #include "sandbox/win/src/target_services.h" ++#include "mozilla/sandboxing/sandboxLogging.h" + + namespace sandbox { + + ResultCode ProxyCreateEvent(LPCWSTR name, + uint32_t initial_state, + EVENT_TYPE event_type, + void* ipc_memory, + CrossCallReturn* answer) { +@@ -59,16 +60,20 @@ NTSTATUS WINAPI TargetNtCreateEvent(NtCr + EVENT_TYPE event_type, + BOOLEAN initial_state) { + NTSTATUS status = + orig_CreateEvent(event_handle, desired_access, object_attributes, + event_type, initial_state); + if (status != STATUS_ACCESS_DENIED || !object_attributes) + return status; + ++ mozilla::sandboxing::LogBlocked("NtCreatEvent", ++ object_attributes->ObjectName->Buffer, ++ object_attributes->ObjectName->Length); ++ + // We don't trust that the 
IPC can work this early. + if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return status; + + do { + if (!ValidParameter(event_handle, sizeof(HANDLE), WRITE)) + break; + +@@ -97,30 +102,37 @@ NTSTATUS WINAPI TargetNtCreateEvent(NtCr + break; + } + __try { + *event_handle = answer.handle; + status = STATUS_SUCCESS; + } __except (EXCEPTION_EXECUTE_HANDLER) { + break; + } ++ mozilla::sandboxing::LogAllowed("NtCreateEvent", ++ object_attributes->ObjectName->Buffer, ++ object_attributes->ObjectName->Length); + } while (false); + + return status; + } + + NTSTATUS WINAPI TargetNtOpenEvent(NtOpenEventFunction orig_OpenEvent, + PHANDLE event_handle, + ACCESS_MASK desired_access, + POBJECT_ATTRIBUTES object_attributes) { + NTSTATUS status = + orig_OpenEvent(event_handle, desired_access, object_attributes); + if (status != STATUS_ACCESS_DENIED || !object_attributes) + return status; + ++ mozilla::sandboxing::LogBlocked("NtOpenEvent", ++ object_attributes->ObjectName->Buffer, ++ object_attributes->ObjectName->Length); ++ + // We don't trust that the IPC can work this early. + if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return status; + + do { + if (!ValidParameter(event_handle, sizeof(HANDLE), WRITE)) + break; + +@@ -149,14 +161,17 @@ NTSTATUS WINAPI TargetNtOpenEvent(NtOpen + break; + } + __try { + *event_handle = answer.handle; + status = STATUS_SUCCESS; + } __except (EXCEPTION_EXECUTE_HANDLER) { + break; + } ++ mozilla::sandboxing::LogAllowed("NtOpenEvent", ++ object_attributes->ObjectName->Buffer, ++ object_attributes->ObjectName->Length); + } while (false); + + return status; + } + + } // namespace sandbox diff --git a/security/sandbox/chromium-shim/patches/after_update/allow_ntpath_in_SignedPolicy_GenerateRules.patch b/security/sandbox/chromium-shim/patches/after_update/allow_ntpath_in_SignedPolicy_GenerateRules.patch new file mode 100644 index 0000000000..8e6a951467 --- /dev/null 
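Review bot: The blocked-side log in TargetNtCreateEvent names the call `NtCreatEvent` while the allowed-side log in the same function says `NtCreateEvent`, so anyone pairing blocked and allowed entries by name will miss it; change it to `mozilla::sandboxing::LogBlocked("NtCreateEvent", ...)`. In TargetNtQueryAttributesFile, TargetNtQueryFullAttributesFile and TargetNtSetInformationFile the LogAllowed call follows `status = answer.nt_status;` unconditionally, so a denial returned by the broker is recorded as Allowed; guard each with `if (NT_SUCCESS(status))`, which is what TargetNtCreateSection already achieves by breaking on `!NT_SUCCESS(answer.nt_status)` before its LogAllowed. The new LogBlocked calls read `object_attributes->ObjectName->Buffer` and `->Length` with no check on either pointer: the event hooks test `!object_attributes` before logging, but the file hooks and TargetNtCreateKey/TargetNtOpenKey(Ex) do not, and the key hooks log on any failure other than STATUS_OBJECT_NAME_NOT_FOUND, which presumably includes parameter errors where those pointers were never valid, while the same functions wrap their own pointer writes in `__try`. Every inner hunk here cuts through its function, so the surrounding validation is only partly visible.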
+++ b/security/sandbox/chromium-shim/patches/after_update/allow_ntpath_in_SignedPolicy_GenerateRules.patch 
@@ -0,0 +1,82 @@
+# HG changeset patch
+# User Toshihito Kikuchi
+# Date 1605814807 28800
+# Thu Nov 19 11:40:07 2020 -0800
+# Node ID 29b049665db1f28ffdfce319ad48912d4a024e23
+# Parent 94435953fb89c1fe147c6b76a9ecb61f59625d30
+Bug 1620114 - Allow an NT path string to be passed to SignedPolicy::GenerateRules. r=bobowen
+so that our SandboxBroker can add a policy rule with an NT path directly.
+
+diff --git a/security/sandbox/chromium/sandbox/win/src/signed_policy.cc b/security/sandbox/chromium/sandbox/win/src/signed_policy.cc
+--- a/security/sandbox/chromium/sandbox/win/src/signed_policy.cc
++++ b/security/sandbox/chromium/sandbox/win/src/signed_policy.cc
+@@ -7,39 +7,63 @@
+ #include 
+ 
+ #include 
+ 
+ #include "sandbox/win/src/ipc_tags.h"
+ #include "sandbox/win/src/policy_engine_opcodes.h"
+ #include "sandbox/win/src/policy_params.h"
+ #include "sandbox/win/src/sandbox_policy.h"
++#include "sandbox/win/src/sandbox_utils.h"
+ #include "sandbox/win/src/win_utils.h"
+ 
++namespace {
++
++bool IsValidNtPath(const base::FilePath& name) {
++ UNICODE_STRING uni_name;
++ OBJECT_ATTRIBUTES obj_attr;
++ sandbox::InitObjectAttribs(name.value(), OBJ_CASE_INSENSITIVE, nullptr,
++ &obj_attr, &uni_name, nullptr);
++
++ NtQueryAttributesFileFunction NtQueryAttributesFile = nullptr;
++ ResolveNTFunctionPtr("NtQueryAttributesFile", &NtQueryAttributesFile);
++ FILE_BASIC_INFORMATION file_info;
++ return NtQueryAttributesFile &&
++ NT_SUCCESS(NtQueryAttributesFile(&obj_attr, &file_info));
++}
++
++} // namespace
++
+ namespace sandbox {
+ 
+ bool SignedPolicy::GenerateRules(const wchar_t* name,
+ TargetPolicy::Semantics semantics,
+ LowLevelPolicy* policy) {
+ // Only support one semantic.
+ if (TargetPolicy::SIGNED_ALLOW_LOAD != semantics) {
+ return false;
+ }
+ 
+ base::FilePath file_path(name);
++ base::FilePath nt_filename;
+ std::wstring nt_path_name;
+- if (!GetNtPathFromWin32Path(file_path.DirName().value().c_str(),
+- &nt_path_name))
++ if (GetNtPathFromWin32Path(file_path.DirName().value().c_str(),
++ &nt_path_name)) {
++ base::FilePath nt_path(nt_path_name);
++ nt_filename = nt_path.Append(file_path.BaseName());
++ } else if (IsValidNtPath(file_path)) {
++ nt_filename = std::move(file_path);
++ } else {
+ return false;
+- base::FilePath nt_path(nt_path_name);
+- std::wstring nt_filename = nt_path.Append(file_path.BaseName()).value();
++ }
++
+ // Create a rule to ASK_BROKER if name matches.
+ PolicyRule signed_policy(ASK_BROKER);
+- if (!signed_policy.AddStringMatch(IF, NameBased::NAME, nt_filename.c_str(),
+- CASE_INSENSITIVE)) {
++ if (!signed_policy.AddStringMatch(
++ IF, NameBased::NAME, nt_filename.value().c_str(), CASE_INSENSITIVE)) {
+ return false;
+ }
+ if (!policy->AddRule(IpcTag::NTCREATESECTION, &signed_policy)) {
+ return false;
+ }
+ 
+ return true;
+ }
diff --git a/security/sandbox/chromium-shim/patches/after_update/allow_rules_for_network_drive_and_non_file_devices.patch b/security/sandbox/chromium-shim/patches/after_update/allow_rules_for_network_drive_and_non_file_devices.patch
new file mode 100644
index 0000000000..8d497e1ff9
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/after_update/allow_rules_for_network_drive_and_non_file_devices.patch
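Review bot: IsValidNtPath accepts any NT-format name that NtQueryAttributesFile can resolve, including the `\??\C:\...` symbolic-link form, but the rule it feeds is a plain string match, and the name the broker will later compare against comes from the NtCreateSection interception's NtGetPathFromHandle (visible in the interception patch earlier in this series), which presumably yields the `\Device\...` form; a `\??\` rule would then pass validation and silently never match, a policy no-op rather than a hard failure. Either document that callers must pass the `\Device\` form or reject names that do not start with it before taking the fallback branch. IsValidNtPath itself carries no comment; add `// Returns true if |name| is an NT-format path that resolves to an existing file. Only used as a fallback when |name| could not be converted from a Win32 path.` above it, and note in GenerateRules that the two branches differ in what must exist, since the Win32 branch only converts the directory.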
@@ -0,0 +1,190 @@ +# HG changeset patch +# User Bob Owen +# Date 1454317140 0 +# Mon Feb 01 08:59:00 2016 +0000 +# Node ID 9870a92ea5f352ab5a841003a30ab52c8deb589e +# Parent d62b6a3a0c58528a8bf864bb5ab6bb9faada972b +Change to allow network drives in sandbox rules with non-file device fix. r=aklotz + +Originally landed in changeset: +https://hg.mozilla.org/mozilla-central/rev/c70d06fa5302 + +diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/sandbox/chromium/sandbox/win/src/win_utils.cc +--- a/security/sandbox/chromium/sandbox/win/src/win_utils.cc ++++ b/security/sandbox/chromium/sandbox/win/src/win_utils.cc +@@ -194,61 +194,66 @@ bool ResolveRegistryName(std::wstring na + + return false; + } + + // |full_path| can have any of the following forms: + // \??\c:\some\foo\bar + // \Device\HarddiskVolume0\some\foo\bar + // \??\HarddiskVolume0\some\foo\bar ++// \??\UNC\SERVER\Share\some\foo\bar + DWORD IsReparsePoint(const std::wstring& full_path) { + // Check if it's a pipe. We can't query the attributes of a pipe. + if (IsPipe(full_path)) + return ERROR_NOT_A_REPARSE_POINT; + + std::wstring path; + bool nt_path = IsNTPath(full_path, &path); + bool has_drive = StartsWithDriveLetter(path); + bool is_device_path = IsDevicePath(path, &path); + + if (!has_drive && !is_device_path && !nt_path) + return ERROR_INVALID_NAME; + +- bool added_implied_device = false; + if (!has_drive) { +- path = std::wstring(kNTDotPrefix) + path; +- added_implied_device = true; ++ // Add Win32 device namespace prefix, required for some Windows APIs. ++ path.insert(0, kNTDotPrefix); + } + +- std::wstring::size_type last_pos = std::wstring::npos; +- bool passed_once = false; ++ // Ensure that volume path matches start of path. ++ wchar_t vol_path[MAX_PATH]; ++ if (!::GetVolumePathNameW(path.c_str(), vol_path, MAX_PATH)) { ++ // This will fail if this is a device that isn't volume related, which can't ++ // then be a reparse point. ++ return is_device_path ? 
ERROR_NOT_A_REPARSE_POINT : ERROR_INVALID_NAME; ++ } ++ ++ // vol_path includes a trailing slash, so reduce size for path and loop check. ++ size_t vol_path_len = wcslen(vol_path) - 1; ++ if (!EqualPath(path, vol_path, vol_path_len)) { ++ return ERROR_INVALID_NAME; ++ } + + do { +- path = path.substr(0, last_pos); +- + DWORD attributes = ::GetFileAttributes(path.c_str()); + if (INVALID_FILE_ATTRIBUTES == attributes) { + DWORD error = ::GetLastError(); + if (error != ERROR_FILE_NOT_FOUND && error != ERROR_PATH_NOT_FOUND && ++ error != ERROR_INVALID_FUNCTION && + error != ERROR_INVALID_NAME) { + // Unexpected error. +- if (passed_once && added_implied_device && +- (path.rfind(L'\\') == kNTDotPrefixLen - 1)) { +- break; +- } + return error; + } + } else if (FILE_ATTRIBUTE_REPARSE_POINT & attributes) { + // This is a reparse point. + return ERROR_SUCCESS; + } + +- passed_once = true; +- last_pos = path.rfind(L'\\'); +- } while (last_pos > 2); // Skip root dir. ++ path.resize(path.rfind(L'\\')); ++ } while (path.size() > vol_path_len); // Skip root dir. + + return ERROR_NOT_A_REPARSE_POINT; + } + + // We get a |full_path| of the forms accepted by IsReparsePoint(), and the name + // we'll get from |handle| will be \device\harddiskvolume1\some\foo\bar. + bool SameObject(HANDLE handle, const wchar_t* full_path) { + // Check if it's a pipe. +@@ -258,63 +263,67 @@ bool SameObject(HANDLE handle, const wch + std::wstring actual_path; + if (!GetPathFromHandle(handle, &actual_path)) + return false; + + std::wstring path(full_path); + DCHECK_NT(!path.empty()); + + // This may end with a backslash. +- const wchar_t kBackslash = '\\'; +- if (path.back() == kBackslash) +- path = path.substr(0, path.length() - 1); ++ if (path.back() == L'\\') { ++ path.pop_back(); ++ } + +- // Perfect match (case-insesitive check). ++ // Perfect match (case-insensitive check). 
+ if (EqualPath(actual_path, path)) + return true; + + bool nt_path = IsNTPath(path, &path); + bool has_drive = StartsWithDriveLetter(path); + + if (!has_drive && nt_path) { + std::wstring simple_actual_path; +- if (!IsDevicePath(actual_path, &simple_actual_path)) +- return false; +- +- // Perfect match (case-insesitive check). +- return (EqualPath(simple_actual_path, path)); ++ if (IsDevicePath(path, &path)) { ++ if (IsDevicePath(actual_path, &simple_actual_path)) { ++ // Perfect match (case-insensitive check). ++ return (EqualPath(simple_actual_path, path)); ++ } else { ++ return false; ++ } ++ } else { ++ // Add Win32 device namespace for GetVolumePathName. ++ path.insert(0, kNTDotPrefix); ++ } + } + +- if (!has_drive) ++ // Get the volume path in the same format as actual_path. ++ wchar_t vol_path[MAX_PATH]; ++ if (!::GetVolumePathName(path.c_str(), vol_path, MAX_PATH)) { + return false; +- +- // We only need 3 chars, but let's alloc a buffer for four. +- wchar_t drive[4] = {0}; +- wchar_t vol_name[MAX_PATH]; +- memcpy(drive, &path[0], 2 * sizeof(*drive)); +- +- // We'll get a double null terminated string. +- DWORD vol_length = ::QueryDosDeviceW(drive, vol_name, MAX_PATH); +- if (vol_length < 2 || vol_length == MAX_PATH) ++ } ++ size_t vol_path_len = wcslen(vol_path); ++ base::string16 nt_vol; ++ if (!GetNtPathFromWin32Path(vol_path, &nt_vol)) { + return false; +- +- // Ignore the nulls at the end. +- vol_length = static_cast(wcslen(vol_name)); ++ } + + // The two paths should be the same length. +- if (vol_length + path.size() - 2 != actual_path.size()) ++ if (nt_vol.size() + path.size() - vol_path_len != actual_path.size()) { + return false; ++ } + +- // Check up to the drive letter. +- if (!EqualPath(actual_path, vol_name, vol_length)) ++ // Check the volume matches. ++ if (!EqualPath(actual_path, nt_vol.c_str(), nt_vol.size())) { + return false; ++ } + +- // Check the path after the drive letter. 
+- if (!EqualPath(actual_path, vol_length, path, 2)) ++ // Check the path after the volume matches. ++ if (!EqualPath(actual_path, nt_vol.size(), path, vol_path_len)) { + return false; ++ } + + return true; + } + + // Just make a best effort here. There are lots of corner cases that we're + // not expecting - and will fail to make long. + bool ConvertToLongPath(std::wstring* native_path, + const std::wstring* drive_letter) { diff --git a/security/sandbox/chromium-shim/patches/after_update/arm64_set_LoaderThreads.patch b/security/sandbox/chromium-shim/patches/after_update/arm64_set_LoaderThreads.patch new file mode 100644 index 0000000000..4d1817db17 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/after_update/arm64_set_LoaderThreads.patch 
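Review bot: The rewritten loop in `IsReparsePoint` does `path.resize(path.rfind(L'\\'))` without checking for `npos`; the old `last_pos > 2` loop tolerated a missing separator, whereas `resize(npos)` throws `std::length_error`. Whether a separator-free `path` can reach the loop depends on `StartsWithDriveLetter`, which is outside this hunk — a drive-relative `C:foo` would pass `GetVolumePathNameW` and the `EqualPath` prefix test with `vol_path_len == 2` and then contain no backslash — so guard it: `size_t sep = path.rfind(L'\\'); if (sep == std::wstring::npos) break; path.resize(sep);`. Separately, `SameObject` declares `base::string16 nt_vol` while every other string in these two functions is `std::wstring`; use `std::wstring` there for consistency with the rest of win_utils.cc.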
@@ -0,0 +1,99 @@ +# HG changeset patch +# User Bob Owen +# Date 1549645620 0 +# Fri Feb 08 17:07:00 2019 +0000 +# Node ID fb5e7c1090a7ddfde22fd2fb5f8a957ccc61fa64 +# Parent 5ef34aa8c8918649528048dd60907862a4355e29 +Bug 1515088 Part 2: Set LoaderThreads to 1 in the RTL_USER_PROCESS_PARAMETERS structure on child process start-up. r=aklotz + +diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/sandbox/chromium/sandbox/win/src/win_utils.cc +--- a/security/sandbox/chromium/sandbox/win/src/win_utils.cc ++++ b/security/sandbox/chromium/sandbox/win/src/win_utils.cc +@@ -456,20 +456,21 @@ bool GetNtPathFromWin32Path(const std::w + bool rv = GetPathFromHandle(file, nt_path); + ::CloseHandle(file); + return rv; + } + + bool WriteProtectedChildMemory(HANDLE child_process, + void* address, + const void* buffer, +- size_t length) { ++ size_t length, ++ DWORD writeProtection) { + // First, remove the protections. + DWORD old_protection; +- if (!::VirtualProtectEx(child_process, address, length, PAGE_WRITECOPY, ++ if (!::VirtualProtectEx(child_process, address, length, writeProtection, + &old_protection)) + return false; + + SIZE_T written; + bool ok = + ::WriteProcessMemory(child_process, address, buffer, length, &written) && + (length == written); + +@@ -544,16 +545,40 @@ void* GetProcessBaseAddress(HANDLE proce + &bytes_read) || + (sizeof(magic) != bytes_read)) { + return nullptr; + } + + if (magic[0] != 'M' || magic[1] != 'Z') + return nullptr; + ++#if defined(_M_ARM64) ++ // Windows 10 on ARM64 has multi-threaded DLL loading that does not work with ++ // the sandbox. (On x86 this gets disabled by hook detection code that was not ++ // ported to ARM64). This overwrites the LoaderThreads value in the process ++ // parameters part of the PEB, if it is set to the default of 0 (which ++ // actually means it defaults to 4 loading threads). 
This is an undocumented ++ // field so there is a, probably small, risk that it might change or move in ++ // the future. In order to slightly guard against that we only update if the ++ // value is currently 0. ++ auto processParameters = reinterpret_cast(peb.ProcessParameters); ++ const uint32_t loaderThreadsOffset = 0x40c; ++ uint32_t maxLoaderThreads = 0; ++ BOOL memoryRead = ::ReadProcessMemory( ++ process, processParameters + loaderThreadsOffset, &maxLoaderThreads, ++ sizeof(maxLoaderThreads), &bytes_read); ++ if (memoryRead && (sizeof(maxLoaderThreads) == bytes_read) && ++ (maxLoaderThreads == 0)) { ++ maxLoaderThreads = 1; ++ WriteProtectedChildMemory(process, processParameters + loaderThreadsOffset, ++ &maxLoaderThreads, sizeof(maxLoaderThreads), ++ PAGE_READWRITE); ++ } ++#endif ++ + return base_address; + } + + DWORD GetTokenInformation(HANDLE token, + TOKEN_INFORMATION_CLASS info_class, + std::unique_ptr* buffer) { + // Get the required buffer size. + DWORD size = 0; +diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.h b/security/sandbox/chromium/sandbox/win/src/win_utils.h +--- a/security/sandbox/chromium/sandbox/win/src/win_utils.h ++++ b/security/sandbox/chromium/sandbox/win/src/win_utils.h +@@ -111,17 +111,18 @@ HKEY GetReservedKeyFromName(const std::w + bool ResolveRegistryName(std::wstring name, std::wstring* resolved_name); + + // Writes |length| bytes from the provided |buffer| into the address space of + // |child_process|, at the specified |address|, preserving the original write + // protection attributes. Returns true on success. + bool WriteProtectedChildMemory(HANDLE child_process, + void* address, + const void* buffer, +- size_t length); ++ size_t length, ++ DWORD writeProtection = PAGE_WRITECOPY); + + // Allocates |buffer_bytes| in child (PAGE_READWRITE) and copies data + // from |local_buffer| in this process into |child|. |remote_buffer| + // contains the address in the chile. 
If a zero byte copy is + // requested |true| is returned and no allocation or copying is + // attempted. Returns false if allocation or copying fails. If + // copying fails, the allocation will be reversed. + bool CopyToChildMemory(HANDLE child, diff --git a/security/sandbox/chromium-shim/patches/after_update/change_to_DCHECK_in_CloseHandleWrapper.patch b/security/sandbox/chromium-shim/patches/after_update/change_to_DCHECK_in_CloseHandleWrapper.patch new file mode 100644 index 0000000000..3d6bfaa54f --- /dev/null +++ b/security/sandbox/chromium-shim/patches/after_update/change_to_DCHECK_in_CloseHandleWrapper.patch 
@@ -0,0 +1,38 @@
+# HG changeset patch
+# User Bob Owen
+# Date 1563194469 -3600
+# Mon Jul 15 13:41:09 2019 +0100
+# Node ID 6d4e1a08b36e4191bd5ba7a338965f42f09162a6
+# Parent 7d9b5d8c9b9b36b135237292785537fc13f40226
+Bug 1564899: Make CloseHandleWrapper CHECK a DCHECK on non-Nightly builds. r=handyman!
+
+This is because we are hitting it frequently during PolicyBase::OnJobEmpty and
+currently we can't work out how this can happen.
+
+diff --git a/security/sandbox/chromium/base/win/scoped_handle_verifier.cc b/security/sandbox/chromium/base/win/scoped_handle_verifier.cc
+--- a/security/sandbox/chromium/base/win/scoped_handle_verifier.cc
++++ b/security/sandbox/chromium/base/win/scoped_handle_verifier.cc
+@@ -65,17 +65,23 @@ ScopedHandleVerifier* ScopedHandleVerifi
+ if (!g_active_verifier)
+ ScopedHandleVerifier::InstallVerifier();
+
+ return g_active_verifier;
+ }
+
+ bool CloseHandleWrapper(HANDLE handle) {
+ if (!::CloseHandle(handle))
++ // Making this DCHECK on non-Nighly as we are hitting this frequently,
++ // looks like we are closing handles twice somehow. See bug 1564899.
++#if defined(NIGHTLY_BUILD)
+ CHECK(false); // CloseHandle failed.
++#else
++ DCHECK(false); // CloseHandle failed.
++#endif
+ return true;
+ }
+
+ // Assigns the g_active_verifier global within the GetLock() lock.
+ // If |existing_verifier| is non-null then |enabled| is ignored.
+ void ThreadSafeAssignOrCreateScopedHandleVerifier(
+ ScopedHandleVerifier* existing_verifier,
+ bool enabled) {
diff --git a/security/sandbox/chromium-shim/patches/after_update/linux_32bit_arg_fixup.patch b/security/sandbox/chromium-shim/patches/after_update/linux_32bit_arg_fixup.patch
new file mode 100644
index 0000000000..5cc66ad09b
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/after_update/linux_32bit_arg_fixup.patch
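Review bot: The `#if defined(NIGHTLY_BUILD)` block is spliced between an unbraced `if (!::CloseHandle(handle))` and its only statement, so the function's control flow now depends on what `DCHECK(false)` expands to in a non-Nightly release build: if the shim's `DCHECK` were ever an empty expansion, `return true;` would become the body of the `if` and the function would fall off its end on the success path. Brace the conditional — `if (!::CloseHandle(handle)) {` before the comment and `}` after `#endif` — so the preprocessor block sits inside a braced body regardless of the macro. The comment should also spell out the consequence of the change: on non-Nightly builds a failed `CloseHandle`, including a double close that lands on a recycled handle value now owned by something else, is silently ignored and reported as success, which is why the reference to bug 1564899 must stay (and "Nighly" is a typo).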
@@ -0,0 +1,84 @@ +commit e0a00891b67ec162a17aa241a83b171b313de9fe +Author: Jed Davis +Date: Mon Apr 18 18:00:10 2022 -0600 + + Make the sandbox fix up non-extended 32-bit types. + +diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy_compiler.cc b/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy_compiler.cc +index 347304889eae4..b909fc37f6174 100644 +--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy_compiler.cc ++++ b/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy_compiler.cc +@@ -19,6 +19,7 @@ + #include "sandbox/linux/bpf_dsl/policy.h" + #include "sandbox/linux/bpf_dsl/seccomp_macros.h" + #include "sandbox/linux/bpf_dsl/syscall_set.h" ++#include "sandbox/linux/seccomp-bpf/syscall.h" + #include "sandbox/linux/system_headers/linux_filter.h" + #include "sandbox/linux/system_headers/linux_seccomp.h" + #include "sandbox/linux/system_headers/linux_syscalls.h" +@@ -318,8 +319,7 @@ CodeGen::Node PolicyCompiler::MaskedEqualHalf(int argno, + // Special logic for sanity checking the upper 32-bits of 32-bit system + // call arguments. + +- // TODO(mdempsky): Compile Unexpected64bitArgument() just per program. +- CodeGen::Node invalid_64bit = Unexpected64bitArgument(); ++ CodeGen::Node invalid_64bit = Unexpected64bitArgument(argno); + + const uint32_t upper = SECCOMP_ARG_MSB_IDX(argno); + const uint32_t lower = SECCOMP_ARG_LSB_IDX(argno); +@@ -335,8 +335,13 @@ CodeGen::Node PolicyCompiler::MaskedEqualHalf(int argno, + BPF_JMP + BPF_JEQ + BPF_K, 0, passed, invalid_64bit)); + } + +- // On 64-bit platforms, the upper 32-bits may be 0 or ~0; but we only allow +- // ~0 if the sign bit of the lower 32-bits is set too: ++ // On 64-bit platforms, the ABI (at least on x86_64) allows any value ++ // for the upper half, but to avoid potential vulnerabilties if an ++ // argument is incorrectly tested as a 32-bit type, we require it to be ++ // either zero-extended or sign-extended. 
That is, the upper 32-bits ++ // may be 0 or ~0; but we only allow ~0 if the sign bit of the lower ++ // 32-bits is set too: ++ // + // LDW [upper] + // JEQ 0, passed, (next) + // JEQ ~0, (next), invalid +@@ -424,8 +429,18 @@ CodeGen::Node PolicyCompiler::MaskedEqualHalf(int argno, + BPF_JMP + BPF_JEQ + BPF_K, value, passed, failed))); + } + +-CodeGen::Node PolicyCompiler::Unexpected64bitArgument() { +- return CompileResult(panic_func_("Unexpected 64bit argument detected")); ++CodeGen::Node PolicyCompiler::Unexpected64bitArgument(int argno) { ++ // This situation is unlikely, but possible. Return to userspace, ++ // zero-extend the problematic argument, and re-issue the syscall. ++ return CompileResult(bpf_dsl::Trap( ++ [](const arch_seccomp_data& args_ref, void* aux) -> intptr_t { ++ arch_seccomp_data args = args_ref; ++ int argno = (int)(intptr_t)aux; ++ args.args[argno] &= 0xFFFFFFFF; ++ return Syscall::Call(args.nr, args.args[0], args.args[1], args.args[2], ++ args.args[3], args.args[4], args.args[5]); ++ }, ++ (void*)(intptr_t)argno)); + } + + CodeGen::Node PolicyCompiler::Return(uint32_t ret) { +diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy_compiler.h b/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy_compiler.h +index 48b1d780d956f..2acf878474a7d 100644 +--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy_compiler.h ++++ b/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy_compiler.h +@@ -132,9 +132,11 @@ class SANDBOX_EXPORT PolicyCompiler { + CodeGen::Node passed, + CodeGen::Node failed); + +- // Returns the fatal CodeGen::Node that is used to indicate that somebody +- // attempted to pass a 64bit value in a 32bit system call argument. 
+- CodeGen::Node Unexpected64bitArgument(); ++ // Returns the CodeGen::Node that is used to handle the case where a ++ // system call argument was expected to be a 32-bit type, but the ++ // value in the 64-bit register doesn't correspond to a ++ // zero-extended or sign-extended 32-bit value. ++ CodeGen::Node Unexpected64bitArgument(int argno); + + const Policy* policy_; + TrapRegistry* registry_; diff --git a/security/sandbox/chromium-shim/patches/after_update/move_shared_memory_duplication_after_initialization.patch b/security/sandbox/chromium-shim/patches/after_update/move_shared_memory_duplication_after_initialization.patch new file mode 100644 index 0000000000..f8250b788d --- /dev/null +++ b/security/sandbox/chromium-shim/patches/after_update/move_shared_memory_duplication_after_initialization.patch 
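Review bot: The new trap handler in `Unexpected64bitArgument` lacks a comment giving the security argument for retrying instead of panicking, which is the one thing a later reader needs: after `args.args[argno] &= 0xFFFFFFFF` the re-issued call presumably passes through the same filter again with a properly zero-extended value, so the kernel sees exactly the value the policy evaluates even if the argument was misclassified as 32-bit; add `// Zero-extend rather than pass through: the retried call is filtered again, so the kernel can only ever see the value the policy compared.` The C-style casts `(int)(intptr_t)aux` and `(void*)(intptr_t)argno` should be `static_cast<int>(reinterpret_cast<intptr_t>(aux))` and `reinterpret_cast<void*>(static_cast<intptr_t>(argno))` to match the surrounding Chromium style. Dropping the `TODO(mdempsky)` about compiling the node once per program is only free if `TrapRegistry` de-duplicates on the (function, aux) pair; if it does not, every 32-bit comparison registers a trap of its own, which deserves a sentence in the header comment the hunk rewrites.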
@@ -0,0 +1,94 @@ +# HG changeset patch +# User Bob Owen +# Date 1577387989 0 +# Thu Dec 26 19:19:49 2019 +0000 +# Node ID 32adf437117bdca54be4959813acbb604f65137f +# Parent 214214029beb6cca606e11ba519d11cc7dbb37af +Bug 1605867: Don't duplicate IPC shared memory when we might fail to launch the process correctly. r=handyman + +Differential Revision: https://phabricator.services.mozilla.com/D58271 + +diff --git a/security/sandbox/chromium/sandbox/win/src/target_process.cc b/security/sandbox/chromium/sandbox/win/src/target_process.cc +--- a/security/sandbox/chromium/sandbox/win/src/target_process.cc ++++ b/security/sandbox/chromium/sandbox/win/src/target_process.cc +@@ -286,45 +286,28 @@ ResultCode TargetProcess::Init(Dispatche + shared_section_.Set(::CreateFileMappingW(INVALID_HANDLE_VALUE, nullptr, + PAGE_READWRITE | SEC_COMMIT, 0, + shared_mem_size, nullptr)); + if (!shared_section_.IsValid()) { + *win_error = ::GetLastError(); + return SBOX_ERROR_CREATE_FILE_MAPPING; + } + +- DWORD access = FILE_MAP_READ | FILE_MAP_WRITE | SECTION_QUERY; +- HANDLE target_shared_section; +- if (!::DuplicateHandle(::GetCurrentProcess(), shared_section_.Get(), +- sandbox_process_info_.process_handle(), +- &target_shared_section, access, false, 0)) { +- *win_error = ::GetLastError(); +- return SBOX_ERROR_DUPLICATE_SHARED_SECTION; +- } +- + void* shared_memory = ::MapViewOfFile( + shared_section_.Get(), FILE_MAP_WRITE | FILE_MAP_READ, 0, 0, 0); + if (!shared_memory) { + *win_error = ::GetLastError(); + return SBOX_ERROR_MAP_VIEW_OF_SHARED_SECTION; + } + + CopyPolicyToTarget(policy, shared_policy_size, + reinterpret_cast(shared_memory) + shared_IPC_size); + + ResultCode ret; + // Set the global variables in the target. These are not used on the broker. 
+- g_shared_section = target_shared_section; +- ret = TransferVariable("g_shared_section", &g_shared_section, +- sizeof(g_shared_section)); +- g_shared_section = nullptr; +- if (SBOX_ALL_OK != ret) { +- *win_error = ::GetLastError(); +- return ret; +- } + g_shared_IPC_size = shared_IPC_size; + ret = TransferVariable("g_shared_IPC_size", &g_shared_IPC_size, + sizeof(g_shared_IPC_size)); + g_shared_IPC_size = 0; + if (SBOX_ALL_OK != ret) { + *win_error = ::GetLastError(); + return ret; + } +@@ -339,16 +322,34 @@ ResultCode TargetProcess::Init(Dispatche + + ipc_server_.reset(new SharedMemIPCServer( + sandbox_process_info_.process_handle(), + sandbox_process_info_.process_id(), thread_pool_, ipc_dispatcher)); + + if (!ipc_server_->Init(shared_memory, shared_IPC_size, kIPCChannelSize)) + return SBOX_ERROR_NO_SPACE; + ++ DWORD access = FILE_MAP_READ | FILE_MAP_WRITE | SECTION_QUERY; ++ HANDLE target_shared_section; ++ if (!::DuplicateHandle(::GetCurrentProcess(), shared_section_.Get(), ++ sandbox_process_info_.process_handle(), ++ &target_shared_section, access, false, 0)) { ++ *win_error = ::GetLastError(); ++ return SBOX_ERROR_DUPLICATE_SHARED_SECTION; ++ } ++ ++ g_shared_section = target_shared_section; ++ ret = TransferVariable("g_shared_section", &g_shared_section, ++ sizeof(g_shared_section)); ++ g_shared_section = nullptr; ++ if (SBOX_ALL_OK != ret) { ++ *win_error = ::GetLastError(); ++ return ret; ++ } ++ + // After this point we cannot use this handle anymore. + ::CloseHandle(sandbox_process_info_.TakeThreadHandle()); + + return SBOX_ALL_OK; + } + + void TargetProcess::Terminate() { + if (!sandbox_process_info_.IsValid()) diff --git a/security/sandbox/chromium-shim/patches/after_update/patch_order.txt b/security/sandbox/chromium-shim/patches/after_update/patch_order.txt new file mode 100644 index 0000000000..4266bee9c0 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/after_update/patch_order.txt 
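Review bot: The relocated `DuplicateHandle` block carries no comment saying why it has to follow `ipc_server_->Init`, so the next tidy-up can move it back; add above it `// Duplicate the section into the target only once every earlier step that can fail has succeeded; otherwise a failed launch leaves the target holding a handle to our IPC memory (bug 1605867).` One window remains on the new side: if `TransferVariable("g_shared_section", ...)` fails after the duplicate, the handle already exists in the target and nothing here reclaims it, which is presumably acceptable because the caller terminates the process on any non-`SBOX_ALL_OK` return — but say so in that comment rather than leave it implicit. `TargetProcess::Init` begins outside the hunk.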
@@ -0,0 +1,8 @@
+add_interception_logging.patch
+allow_rules_for_network_drive_and_non_file_devices.patch
+add_WOW64_flags_to_allowed_registry_read_flags.patch
+arm64_set_LoaderThreads.patch
+change_to_DCHECK_in_CloseHandleWrapper.patch
+move_shared_memory_duplication_after_initialization.patch
+allow_ntpath_in_SignedPolicy_GenerateRules.patch
+linux_32bit_arg_fixup.patch
diff --git a/security/sandbox/chromium-shim/patches/with_update/aarch64_control_flow_guard.patch b/security/sandbox/chromium-shim/patches/with_update/aarch64_control_flow_guard.patch
new file mode 100644
index 0000000000..5a5c2f95de
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/with_update/aarch64_control_flow_guard.patch
@@ -0,0 +1,65 @@ +# HG changeset patch +# User David Major +# Date 1560264749 -3600 +# Tue Jun 11 15:52:29 2019 +0100 +# Node ID 6acdba6bd34e773d5e2d6a8461e3679a33340f77 +# Parent a0adb2e7f668ed430948ae1ffaa42ec011ffde50 +Bug 1523526: Don't allow CFG on old releases of Windows for arm64 + +There's a bug in ole32.dll on arm64 versions of Windows prior to 1809, that crashes our content processes if we enable CFG. We've reported the issue, but even if it gets fixed, we can't assume users will have the update. + +This patch uses process mitigation policy flags to disable CFG on arm64 before 1809. Based on testing, we only need to do this in the sandbox for child processes, and it's not strictly necessary for the launcher stub to set the flag on the main process. But I've included that anyway as a guard against some yet-undiscovered scenario that might hit the issue and make the browser unusable. + +The effects of this patch won't be visible until we actually enable CFG in a subsequent landing. 
+ +Differential Revision: https://phabricator.services.mozilla.com/D29474 + +diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc +--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc ++++ b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc +@@ -431,16 +431,21 @@ void ConvertProcessMitigationsToPolicy(M + + // Mitigations >= Win8.1: + //---------------------------------------------------------------------------- + if (version >= base::win::Version::WIN8_1) { + if (flags & MITIGATION_DYNAMIC_CODE_DISABLE) { + *policy_value_1 |= + PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON; + } ++ ++ if (flags & MITIGATION_CONTROL_FLOW_GUARD_DISABLE) { ++ *policy_value_1 |= ++ PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF; ++ } + } + + // Mitigations >= Win10: + //---------------------------------------------------------------------------- + if (version >= base::win::Version::WIN10) { + if (flags & MITIGATION_NONSYSTEM_FONT_DISABLE) { + *policy_value_1 |= + PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON; +diff --git a/security/sandbox/chromium/sandbox/win/src/security_level.h b/security/sandbox/chromium/sandbox/win/src/security_level.h +--- a/security/sandbox/chromium/sandbox/win/src/security_level.h ++++ b/security/sandbox/chromium/sandbox/win/src/security_level.h +@@ -282,11 +282,20 @@ const MitigationFlags MITIGATION_IMAGE_L + const MitigationFlags MITIGATION_IMAGE_LOAD_PREFER_SYS32 = 0x00100000; + + // Prevents hyperthreads from interfering with indirect branch predictions. + // (SPECTRE Variant 2 mitigation.) Corresponds to + // PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON. + const MitigationFlags MITIGATION_RESTRICT_INDIRECT_BRANCH_PREDICTION = + 0x00200000; + ++// Begin Mozilla-added flags. 
++// Working down from the high bit to avoid conflict with new upstream flags. ++ ++// Disable Control Flow Guard. This may seem more like an anti-mitigation, but ++// this flag allows code to make targeted changes to CFG to avoid bugs, while ++// leaving it enabled in the common case. Corresponds to ++// PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_ON. ++const MitigationFlags MITIGATION_CONTROL_FLOW_GUARD_DISABLE = 0x80000000; ++ + } // namespace sandbox + + #endif // SANDBOX_SRC_SECURITY_LEVEL_H_ diff --git a/security/sandbox/chromium-shim/patches/with_update/add_CET_STRICT_MODE.patch b/security/sandbox/chromium-shim/patches/with_update/add_CET_STRICT_MODE.patch new file mode 100644 index 0000000000..fc0dee5f36 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/add_CET_STRICT_MODE.patch 
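Review bot: The comment on the new `MITIGATION_CONTROL_FLOW_GUARD_DISABLE` in security_level.h says it "Corresponds to PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_ON", but the code in process_mitigations.cc maps it to `PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF`; fix the comment to `// PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF.` Since this flag weakens a mitigation, the comment should also record the intended scope from the commit message — arm64 Windows before 1809 — so a future caller does not set it more broadly: `// Intended only for arm64 Windows < 1809 (ole32.dll bug, bug 1523526); do not set elsewhere.` Nothing in the sandbox code itself enforces that restriction; the gating lives with the caller, outside this patch.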
@@ -0,0 +1,94 @@ +# HG changeset patch +# User Bob Owen +# Date 1611849321 0 +# Thu Jan 28 15:55:21 2021 +0000 +# Node ID c9195d88e6c67ef2c23c12e307bc16b94d696f50 +# Parent 37557864a6845bb8068904e44e8a7dd16746d211 +Bug 1716024 p1: Add MITIGATION_CET_COMPAT_MODE to chromium sandbox code. r=handyman! + +diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc +--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc ++++ b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc +@@ -80,16 +80,37 @@ bool IsRunning32bitEmulatedOnArm64() { + if (!retval) + return false; + if (native_machine == IMAGE_FILE_MACHINE_ARM64) + return true; + #endif // defined(ARCH_CPU_X86) + return false; + } + ++// Returns true if user-mode Hardware-enforced Stack Protection is available for ++// the Win32 environment. ++bool IsUserCetWin32Available() { ++ static bool cetAvailable = []() -> bool { ++ using IsUserCetAvailableInEnvironmentFunction = ++ decltype(&IsUserCetAvailableInEnvironment); ++ ++ IsUserCetAvailableInEnvironmentFunction is_user_cet_available = ++ reinterpret_cast( ++ ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), ++ "IsUserCetAvailableInEnvironment")); ++ if (!is_user_cet_available) { ++ return false; ++ } ++ ++ return is_user_cet_available(USER_CET_ENVIRONMENT_WIN32_PROCESS); ++ }(); ++ ++ return cetAvailable; ++} ++ + } // namespace + + namespace sandbox { + + bool ApplyProcessMitigationsToCurrentProcess(MitigationFlags flags) { + if (!CanSetProcessMitigationsPostStartup(flags)) + return false; + +@@ -487,16 +508,25 @@ void ConvertProcessMitigationsToPolicy(M + // the underlying hardware does not support the implementation. + // Windows just does its best under the hood for the given hardware. 
+ if (flags & MITIGATION_RESTRICT_INDIRECT_BRANCH_PREDICTION) { + *policy_value_2 |= + PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON; + } + } + ++ // Mitigations >= Win10 20H1 ++ //---------------------------------------------------------------------------- ++ if (version >= base::win::Version::WIN10_20H1) { ++ if (flags & MITIGATION_CET_COMPAT_MODE && IsUserCetWin32Available()) { ++ *policy_value_2 |= ++ PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_ALWAYS_ON; ++ } ++ } ++ + // When done setting policy flags, sanity check supported policies on this + // machine, and then update |size|. + + const ULONG64* supported = GetSupportedMitigations(); + + *policy_value_1 = *policy_value_1 & supported[0]; + *policy_value_2 = *policy_value_2 & supported[1]; + +diff --git a/security/sandbox/chromium/sandbox/win/src/security_level.h b/security/sandbox/chromium/sandbox/win/src/security_level.h +--- a/security/sandbox/chromium/sandbox/win/src/security_level.h ++++ b/security/sandbox/chromium/sandbox/win/src/security_level.h +@@ -286,11 +286,15 @@ const MitigationFlags MITIGATION_RESTRIC + // Working down from the high bit to avoid conflict with new upstream flags. + + // Disable Control Flow Guard. This may seem more like an anti-mitigation, but + // this flag allows code to make targeted changes to CFG to avoid bugs, while + // leaving it enabled in the common case. Corresponds to + // PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_ON. + const MitigationFlags MITIGATION_CONTROL_FLOW_GUARD_DISABLE = 0x80000000; + ++// This enables CET User Shadow Stack for compatible modules and corresponds to ++// PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_ALWAYS_ON. ++const MitigationFlags MITIGATION_CET_COMPAT_MODE = 0x40000000; ++ + } // namespace sandbox + + #endif // SANDBOX_SRC_SECURITY_LEVEL_H_ 
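Review bot: `if (flags & MITIGATION_CET_COMPAT_MODE && IsUserCetWin32Available())` relies on `&` binding tighter than `&&`; it is correct but reads as a precedence bug, so write `if ((flags & MITIGATION_CET_COMPAT_MODE) && IsUserCetWin32Available()) {`. The comment on the new flag in security_level.h should state what "compat mode" buys: with `..._CET_USER_SHADOW_STACKS_ALWAYS_ON` alone and no strict-mode bit, Windows — per its documented mitigation-policy semantics, to be verified against the SDK docs — drops shadow stacks for the process once a module without CET compatibility marking loads, so this is best-effort rather than an enforced mitigation; `// Non-strict: shadow stacks are disabled again if an incompatible module loads; the STRICT_MODE policy bit is needed for an enforced guarantee.` The explicit `IsUserCetWin32Available()` probe also overlaps with the `*policy_value_2 & supported[1]` mask applied just below; if the probe exists because `GetSupportedMitigations` can report CET where the Win32 environment cannot honour it, say so in a comment, otherwise one of the two checks is redundant.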
diff --git a/security/sandbox/chromium-shim/patches/with_update/add_option_to_not_use_restricting_sids.patch b/security/sandbox/chromium-shim/patches/with_update/add_option_to_not_use_restricting_sids.patch
new file mode 100644
index 0000000000..fb12534687
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/with_update/add_option_to_not_use_restricting_sids.patch
@@ -0,0 +1,281 @@ +# HG changeset patch +# User Bob Owen +# Date 1499762660 -3600 +# Tue Jul 11 09:44:20 2017 +0100 +# Node ID 4fb5bb81a2626a6262813bb556e2e059c2323562 +# Parent 45f3ef4037e040c820c0dd8eec6cff9d0745ae41 +Bug 1366701 - Add option to Windows chromium sandbox policy to not use restricting SIDs. r=jimm + +This originally landed in changeset: +https://hg.mozilla.org/mozilla-central/rev/14374cd9497a + +diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc +--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc ++++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc +@@ -51,16 +51,17 @@ DWORD GetObjectSecurityDescriptor(HANDLE + + } // namespace + + DWORD CreateRestrictedToken(HANDLE effective_token, + TokenLevel security_level, + IntegrityLevel integrity_level, + TokenType token_type, + bool lockdown_default_dacl, ++ bool use_restricting_sids, + base::win::ScopedHandle* token) { + RestrictedToken restricted_token; + restricted_token.Init(effective_token); + if (lockdown_default_dacl) + restricted_token.SetLockdownDefaultDacl(); + + std::vector privilege_exceptions; + std::vector sid_exceptions; +@@ -73,19 +74,22 @@ DWORD CreateRestrictedToken(HANDLE effec + deny_sids = false; + remove_privileges = false; + break; + } + case USER_RESTRICTED_SAME_ACCESS: { + deny_sids = false; + remove_privileges = false; + +- unsigned err_code = restricted_token.AddRestrictingSidAllSids(); +- if (ERROR_SUCCESS != err_code) +- return err_code; ++ if (use_restricting_sids) { ++ unsigned err_code = restricted_token.AddRestrictingSidAllSids(); ++ if (ERROR_SUCCESS != err_code) { ++ return err_code; ++ } ++ } + + break; + } + case USER_NON_ADMIN: { + sid_exceptions.push_back(WinBuiltinUsersSid); + sid_exceptions.push_back(WinWorldSid); + sid_exceptions.push_back(WinInteractiveSid); + sid_exceptions.push_back(WinAuthenticatedUserSid); +@@ -108,49 
+112,57 @@ DWORD CreateRestrictedToken(HANDLE effec + break; + } + case USER_INTERACTIVE: { + sid_exceptions.push_back(WinBuiltinUsersSid); + sid_exceptions.push_back(WinWorldSid); + sid_exceptions.push_back(WinInteractiveSid); + sid_exceptions.push_back(WinAuthenticatedUserSid); + privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME); +- restricted_token.AddRestrictingSid(WinBuiltinUsersSid); +- restricted_token.AddRestrictingSid(WinWorldSid); +- restricted_token.AddRestrictingSid(WinRestrictedCodeSid); +- restricted_token.AddRestrictingSidCurrentUser(); +- restricted_token.AddRestrictingSidLogonSession(); ++ if (use_restricting_sids) { ++ restricted_token.AddRestrictingSid(WinBuiltinUsersSid); ++ restricted_token.AddRestrictingSid(WinWorldSid); ++ restricted_token.AddRestrictingSid(WinRestrictedCodeSid); ++ restricted_token.AddRestrictingSidCurrentUser(); ++ restricted_token.AddRestrictingSidLogonSession(); ++ } + break; + } + case USER_LIMITED: { + sid_exceptions.push_back(WinBuiltinUsersSid); + sid_exceptions.push_back(WinWorldSid); + sid_exceptions.push_back(WinInteractiveSid); + privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME); +- restricted_token.AddRestrictingSid(WinBuiltinUsersSid); +- restricted_token.AddRestrictingSid(WinWorldSid); +- restricted_token.AddRestrictingSid(WinRestrictedCodeSid); ++ if (use_restricting_sids) { ++ restricted_token.AddRestrictingSid(WinBuiltinUsersSid); ++ restricted_token.AddRestrictingSid(WinWorldSid); ++ restricted_token.AddRestrictingSid(WinRestrictedCodeSid); + +- // This token has to be able to create objects in BNO. +- // Unfortunately, on Vista+, it needs the current logon sid +- // in the token to achieve this. You should also set the process to be +- // low integrity level so it can't access object created by other +- // processes. +- restricted_token.AddRestrictingSidLogonSession(); ++ // This token has to be able to create objects in BNO. 
++ // Unfortunately, on Vista+, it needs the current logon sid ++ // in the token to achieve this. You should also set the process to be ++ // low integrity level so it can't access object created by other ++ // processes. ++ restricted_token.AddRestrictingSidLogonSession(); ++ } + break; + } + case USER_RESTRICTED: { + privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME); + restricted_token.AddUserSidForDenyOnly(); +- restricted_token.AddRestrictingSid(WinRestrictedCodeSid); ++ if (use_restricting_sids) { ++ restricted_token.AddRestrictingSid(WinRestrictedCodeSid); ++ } + break; + } + case USER_LOCKDOWN: { + restricted_token.AddUserSidForDenyOnly(); +- restricted_token.AddRestrictingSid(WinNullSid); ++ if (use_restricting_sids) { ++ restricted_token.AddRestrictingSid(WinNullSid); ++ } + break; + } + default: { return ERROR_BAD_ARGUMENTS; } + } + + DWORD err_code = ERROR_SUCCESS; + if (deny_sids) { + err_code = restricted_token.AddAllSidsForDenyOnly(&sid_exceptions); +diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h +--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h ++++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h +@@ -33,16 +33,17 @@ enum TokenType { IMPERSONATION = 0, PRIM + // If the function succeeds, the return value is ERROR_SUCCESS. If the + // function fails, the return value is the win32 error code corresponding to + // the error. + DWORD CreateRestrictedToken(HANDLE effective_token, + TokenLevel security_level, + IntegrityLevel integrity_level, + TokenType token_type, + bool lockdown_default_dacl, ++ bool use_restricting_sids, + base::win::ScopedHandle* token); + + // Sets the integrity label on a object handle. 
+ DWORD SetObjectIntegrityLabel(HANDLE handle, + SE_OBJECT_TYPE type, + const wchar_t* ace_access, + const wchar_t* integrity_level_sid); + +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h +--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h +@@ -101,16 +101,21 @@ class TargetPolicy { + virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) = 0; + + // Returns the initial token level. + virtual TokenLevel GetInitialTokenLevel() const = 0; + + // Returns the lockdown token level. + virtual TokenLevel GetLockdownTokenLevel() const = 0; + ++ // Sets that we should not use restricting SIDs in the access tokens. We need ++ // to do this in some circumstances even though it weakens the sandbox. ++ // The default is to use them. ++ virtual void SetDoNotUseRestrictingSIDs() = 0; ++ + // Sets the security level of the Job Object to which the target process will + // belong. This setting is permanent and cannot be changed once the target + // process is spawned. The job controls the global security settings which + // can not be specified in the token security profile. + // job_level: the security level for the job. See the explanation of each + // level in the JobLevel definition. + // ui_exceptions: specify what specific rights that are disabled in the + // chosen job_level that need to be granted. 
Use this parameter to avoid +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc +--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc +@@ -152,16 +152,20 @@ ResultCode PolicyBase::SetTokenLevel(Tok + TokenLevel PolicyBase::GetInitialTokenLevel() const { + return initial_level_; + } + + TokenLevel PolicyBase::GetLockdownTokenLevel() const { + return lockdown_level_; + } + ++void PolicyBase::SetDoNotUseRestrictingSIDs() { ++ use_restricting_sids_ = false; ++} ++ + ResultCode PolicyBase::SetJobLevel(JobLevel job_level, uint32_t ui_exceptions) { + if (memory_limit_ && job_level == JOB_NONE) { + return SBOX_ERROR_BAD_PARAMS; + } + job_level_ = job_level; + ui_exceptions_ = ui_exceptions; + return SBOX_ALL_OK; + } +@@ -413,17 +417,18 @@ ResultCode PolicyBase::MakeJobObject(bas + + ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial, + base::win::ScopedHandle* lockdown, + base::win::ScopedHandle* lowbox) { + // Create the 'naked' token. This will be the permanent token associated + // with the process and therefore with any thread that is not impersonating. + DWORD result = + CreateRestrictedToken(effective_token_, lockdown_level_, integrity_level_, +- PRIMARY, lockdown_default_dacl_, lockdown); ++ PRIMARY, lockdown_default_dacl_, ++ use_restricting_sids_, lockdown); + if (ERROR_SUCCESS != result) + return SBOX_ERROR_CANNOT_CREATE_RESTRICTED_TOKEN; + + // If we're launching on the alternate desktop we need to make sure the + // integrity label on the object is no higher than the sandboxed process's + // integrity level. So, we lower the label on the desktop process if it's + // not already low enough for our process. 
+ if (use_alternate_desktop_ && integrity_level_ != INTEGRITY_LEVEL_LAST) { +@@ -482,17 +487,18 @@ ResultCode PolicyBase::MakeTokens(base:: + } + } + + // Create the 'better' token. We use this token as the one that the main + // thread uses when booting up the process. It should contain most of + // what we need (before reaching main( )) + result = + CreateRestrictedToken(effective_token_, initial_level_, integrity_level_, +- IMPERSONATION, lockdown_default_dacl_, initial); ++ IMPERSONATION, lockdown_default_dacl_, ++ use_restricting_sids_, initial); + if (ERROR_SUCCESS != result) + return SBOX_ERROR_CANNOT_CREATE_RESTRICTED_IMP_TOKEN; + + return SBOX_ALL_OK; + } + + PSID PolicyBase::GetLowBoxSid() const { + return lowbox_sid_; +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h +--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h +@@ -41,16 +41,17 @@ class PolicyBase final : public TargetPo + PolicyBase(); + + // TargetPolicy: + void AddRef() override; + void Release() override; + ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) override; + TokenLevel GetInitialTokenLevel() const override; + TokenLevel GetLockdownTokenLevel() const override; ++ void SetDoNotUseRestrictingSIDs() final; + ResultCode SetJobLevel(JobLevel job_level, uint32_t ui_exceptions) override; + JobLevel GetJobLevel() const override; + ResultCode SetJobMemoryLimit(size_t memory_limit) override; + ResultCode SetAlternateDesktop(bool alternate_winstation) override; + std::wstring GetAlternateDesktop() const override; + ResultCode CreateAlternateDesktop(bool alternate_winstation) override; + void DestroyAlternateDesktop() override; + ResultCode SetIntegrityLevel(IntegrityLevel integrity_level) override; +@@ -134,16 +135,17 @@ class PolicyBase final : public TargetPo + // The policy takes ownership of 
them. + typedef std::list TargetSet; + TargetSet targets_; + // Standard object-lifetime reference counter. + volatile LONG ref_count; + // The user-defined global policy settings. + TokenLevel lockdown_level_; + TokenLevel initial_level_; ++ bool use_restricting_sids_ = true; + JobLevel job_level_; + uint32_t ui_exceptions_; + size_t memory_limit_; + bool use_alternate_desktop_; + bool use_alternate_winstation_; + // Helps the file system policy initialization. + bool file_system_init_; + bool relaxed_interceptions_; diff --git a/security/sandbox/chromium-shim/patches/with_update/add_return_in_QueryCancellationTraitsForNonCancellables_to_satisfy_build.patch b/security/sandbox/chromium-shim/patches/with_update/add_return_in_QueryCancellationTraitsForNonCancellables_to_satisfy_build.patch new file mode 100644 index 0000000000..c5ee583b01 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/add_return_in_QueryCancellationTraitsForNonCancellables_to_satisfy_build.patch @@ -0,0 +1,29 @@ +# HG changeset patch +# User Bob Owen +# Date 1560260462 -3600 +# Tue Jun 11 14:41:02 2019 +0100 +# Node ID cb6cbf2c60077e833f472c82c1f437a794ac5266 +# Parent 71ac3df6aadbce233034b169646b66160c5944dc +Bug 1552160: Add return after NOTREACHED() in QueryCancellationTraitsForNonCancellables to prevent build error. r=jld + +diff --git a/security/sandbox/chromium/base/callback_internal.cc b/security/sandbox/chromium/base/callback_internal.cc +--- a/security/sandbox/chromium/base/callback_internal.cc ++++ b/security/sandbox/chromium/base/callback_internal.cc +@@ -16,16 +16,17 @@ bool QueryCancellationTraitsForNonCancel + BindStateBase::CancellationQueryMode mode) { + switch (mode) { + case BindStateBase::IS_CANCELLED: + return false; + case BindStateBase::MAYBE_VALID: + return true; + } + NOTREACHED(); ++ return false; + } + + } // namespace + + void BindStateBaseRefCountTraits::Destruct(const BindStateBase* bind_state) { + bind_state->destructor_(bind_state); + } + 
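Review bot: The new `use_restricting_sids` parameter added to `CreateRestrictedToken` in restricted_token_utils.h is not described in the function's comment block, which documents the return value but none of the new behaviour; I would add `// use_restricting_sids: when false, every AddRestrictingSid* call is skipped for the chosen security_level, so the resulting token carries no restricting SIDs.` above the declaration. In sandbox_policy_base.h the declaration `void SetDoNotUseRestrictingSIDs() final;` uses `final` where every neighbouring TargetPolicy member in the same hunk uses `override`; since `PolicyBase` is itself declared `final`, `override` is sufficient and consistent. The TargetPolicy comment could also state that the setting is one-way, as no method visible here re-enables `use_restricting_sids_` once it has been cleared.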
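Review bot: The `return false;` added after `NOTREACHED()` in `QueryCancellationTraitsForNonCancellables` makes an unhandled `CancellationQueryMode` report the same answer as `IS_CANCELLED`, and nothing marks it as a fallback that only satisfies the compiler rather than a chosen default. I would add `// Unreachable when the switch above covers every CancellationQueryMode; this return only satisfies the missing-return diagnostic.` on the line before it. Keeping the switch without a `default:` case is preferable, so that a new enumerator still produces a warning at the switch rather than silently falling through to this return.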
diff --git a/security/sandbox/chromium-shim/patches/with_update/add_support_for_random_restricted_SID.patch b/security/sandbox/chromium-shim/patches/with_update/add_support_for_random_restricted_SID.patch new file mode 100644 index 0000000000..39f6b2538d --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/add_support_for_random_restricted_SID.patch 
@@ -0,0 +1,461 @@ +# HG changeset patch +# User Bob Owen +# Date 1584045580 0 +# Thu Mar 12 20:39:40 2020 +0000 +# Node ID c996dbc3e3663fb372feb8e171562e86b09583b6 +# Parent f96efa1d9f5c676c0ee8fd80044a494258eff3d3 +Bug 1557282 Part 1: Take chromium commit c1ce57ea5d31208af589b4839390a44ab20b0c8f. r=handyman,gcp + +This adds AddRestrictingRandomSid feature, which fixes our issues with +SetLockdownDefaultDacl, apart from when we are running from a network drive. + +Differential Revision: https://phabricator.services.mozilla.com/D66610 + +diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token.cc +--- a/security/sandbox/chromium/sandbox/win/src/restricted_token.cc ++++ b/security/sandbox/chromium/sandbox/win/src/restricted_token.cc +@@ -141,16 +141,24 @@ DWORD RestrictedToken::GetRestrictedToke + } else { + // Modify the default dacl on the token to contain Restricted. + if (!AddSidToDefaultDacl(new_token.Get(), WinRestrictedCodeSid, + GRANT_ACCESS, GENERIC_ALL)) { + return ::GetLastError(); + } + } + ++ for (const auto& default_dacl_sid : sids_for_default_dacl_) { ++ if (!AddSidToDefaultDacl(new_token.Get(), std::get<0>(default_dacl_sid), ++ std::get<1>(default_dacl_sid), ++ std::get<2>(default_dacl_sid))) { ++ return ::GetLastError(); ++ } ++ } ++ + // Add user to default dacl. 
+ if (!AddUserSidToDefaultDacl(new_token.Get(), GENERIC_ALL)) + return ::GetLastError(); + + DWORD error = SetTokenIntegrityLevel(new_token.Get(), integrity_level_); + if (ERROR_SUCCESS != error) + return error; + +@@ -405,9 +413,20 @@ DWORD RestrictedToken::SetIntegrityLevel + integrity_level_ = integrity_level; + return ERROR_SUCCESS; + } + + void RestrictedToken::SetLockdownDefaultDacl() { + lockdown_default_dacl_ = true; + } + ++DWORD RestrictedToken::AddDefaultDaclSid(const Sid& sid, ++ ACCESS_MODE access_mode, ++ ACCESS_MASK access) { ++ DCHECK(init_); ++ if (!init_) ++ return ERROR_NO_TOKEN; ++ ++ sids_for_default_dacl_.push_back(std::make_tuple(sid, access_mode, access)); ++ return ERROR_SUCCESS; ++} ++ + } // namespace sandbox +diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token.h b/security/sandbox/chromium/sandbox/win/src/restricted_token.h +--- a/security/sandbox/chromium/sandbox/win/src/restricted_token.h ++++ b/security/sandbox/chromium/sandbox/win/src/restricted_token.h +@@ -2,16 +2,17 @@ + // Use of this source code is governed by a BSD-style license that can be + // found in the LICENSE file. + + #ifndef SANDBOX_SRC_RESTRICTED_TOKEN_H_ + #define SANDBOX_SRC_RESTRICTED_TOKEN_H_ + + #include + ++#include + #include + + #include + + #include "base/macros.h" + #include "base/win/scoped_handle.h" + #include "sandbox/win/src/restricted_token_utils.h" + #include "sandbox/win/src/security_level.h" +@@ -169,23 +170,31 @@ class RestrictedToken { + // Sets the token integrity level. This is only valid on Vista. The integrity + // level cannot be higher than your current integrity level. + DWORD SetIntegrityLevel(IntegrityLevel integrity_level); + + // Set a flag which indicates the created token should have a locked down + // default DACL when created. + void SetLockdownDefaultDacl(); + ++ // Add a SID to the default DACL. These SIDs are added regardless of the ++ // SetLockdownDefaultDacl state. 
++ DWORD AddDefaultDaclSid(const Sid& sid, ++ ACCESS_MODE access_mode, ++ ACCESS_MASK access); ++ + private: + // The list of restricting sids in the restricted token. + std::vector sids_to_restrict_; + // The list of privileges to remove in the restricted token. + std::vector privileges_to_disable_; + // The list of sids to mark as Deny Only in the restricted token. + std::vector sids_for_deny_only_; ++ // The list of sids to add to the default DACL of the restricted token. ++ std::vector> sids_for_default_dacl_; + // The token to restrict. Can only be set in a constructor. + base::win::ScopedHandle effective_token_; + // The token integrity level. Only valid on Vista. + IntegrityLevel integrity_level_; + // Tells if the object is initialized or not (if Init() has been called) + bool init_; + // Lockdown the default DACL when creating new tokens. + bool lockdown_default_dacl_; +diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc +--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc ++++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc +@@ -51,22 +51,29 @@ DWORD GetObjectSecurityDescriptor(HANDLE + + } // namespace + + DWORD CreateRestrictedToken(HANDLE effective_token, + TokenLevel security_level, + IntegrityLevel integrity_level, + TokenType token_type, + bool lockdown_default_dacl, ++ PSID unique_restricted_sid, + bool use_restricting_sids, + base::win::ScopedHandle* token) { + RestrictedToken restricted_token; + restricted_token.Init(effective_token); + if (lockdown_default_dacl) + restricted_token.SetLockdownDefaultDacl(); ++ if (unique_restricted_sid) { ++ restricted_token.AddDefaultDaclSid(Sid(unique_restricted_sid), GRANT_ACCESS, ++ GENERIC_ALL); ++ restricted_token.AddDefaultDaclSid(Sid(WinCreatorOwnerRightsSid), ++ GRANT_ACCESS, READ_CONTROL); ++ } + + std::vector privilege_exceptions; + std::vector sid_exceptions; + 
+ bool deny_sids = true; + bool remove_privileges = true; + + switch (security_level) { +@@ -118,50 +125,60 @@ DWORD CreateRestrictedToken(HANDLE effec + sid_exceptions.push_back(WinAuthenticatedUserSid); + privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME); + if (use_restricting_sids) { + restricted_token.AddRestrictingSid(WinBuiltinUsersSid); + restricted_token.AddRestrictingSid(WinWorldSid); + restricted_token.AddRestrictingSid(WinRestrictedCodeSid); + restricted_token.AddRestrictingSidCurrentUser(); + restricted_token.AddRestrictingSidLogonSession(); ++ if (unique_restricted_sid) ++ restricted_token.AddRestrictingSid(Sid(unique_restricted_sid)); + } + break; + } + case USER_LIMITED: { + sid_exceptions.push_back(WinBuiltinUsersSid); + sid_exceptions.push_back(WinWorldSid); + sid_exceptions.push_back(WinInteractiveSid); + privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME); + if (use_restricting_sids) { + restricted_token.AddRestrictingSid(WinBuiltinUsersSid); + restricted_token.AddRestrictingSid(WinWorldSid); + restricted_token.AddRestrictingSid(WinRestrictedCodeSid); ++ if (unique_restricted_sid) ++ restricted_token.AddRestrictingSid(Sid(unique_restricted_sid)); + + // This token has to be able to create objects in BNO. + // Unfortunately, on Vista+, it needs the current logon sid + // in the token to achieve this. You should also set the process to be + // low integrity level so it can't access object created by other + // processes. 
+ restricted_token.AddRestrictingSidLogonSession(); ++ } else { ++ restricted_token.AddUserSidForDenyOnly(); + } + break; + } + case USER_RESTRICTED: { + privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME); + restricted_token.AddUserSidForDenyOnly(); + if (use_restricting_sids) { + restricted_token.AddRestrictingSid(WinRestrictedCodeSid); ++ if (unique_restricted_sid) ++ restricted_token.AddRestrictingSid(Sid(unique_restricted_sid)); + } + break; + } + case USER_LOCKDOWN: { + restricted_token.AddUserSidForDenyOnly(); + if (use_restricting_sids) { + restricted_token.AddRestrictingSid(WinNullSid); ++ if (unique_restricted_sid) ++ restricted_token.AddRestrictingSid(Sid(unique_restricted_sid)); + } + break; + } + default: { return ERROR_BAD_ARGUMENTS; } + } + + DWORD err_code = ERROR_SUCCESS; + if (deny_sids) { +diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h +--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h ++++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h +@@ -33,16 +33,17 @@ enum TokenType { IMPERSONATION = 0, PRIM + // If the function succeeds, the return value is ERROR_SUCCESS. If the + // function fails, the return value is the win32 error code corresponding to + // the error. + DWORD CreateRestrictedToken(HANDLE effective_token, + TokenLevel security_level, + IntegrityLevel integrity_level, + TokenType token_type, + bool lockdown_default_dacl, ++ PSID unique_restricted_sid, + bool use_restricting_sids, + base::win::ScopedHandle* token); + + // Sets the integrity label on a object handle. 
+ DWORD SetObjectIntegrityLabel(HANDLE handle, + SE_OBJECT_TYPE type, + const wchar_t* ace_access, + const wchar_t* integrity_level_sid); +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h +--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h +@@ -256,16 +256,20 @@ class TargetPolicy { + // ownership of the handle. + virtual void AddHandleToShare(HANDLE handle) = 0; + + // Locks down the default DACL of the created lockdown and initial tokens + // to restrict what other processes are allowed to access a process' kernel + // resources. + virtual void SetLockdownDefaultDacl() = 0; + ++ // Adds a restricting random SID to the restricted SIDs list as well as ++ // the default DACL. ++ virtual void AddRestrictingRandomSid() = 0; ++ + // Enable OPM API redirection when in Win32k lockdown. + virtual void SetEnableOPMRedirection() = 0; + // Enable OPM API emulation when in Win32k lockdown. + virtual bool GetEnableOPMRedirection() = 0; + + // Configure policy to use an AppContainer profile. |package_name| is the + // name of the profile to use. 
Specifying True for |create_profile| ensures + // the profile exists, if set to False process creation will fail if the +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc +--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc +@@ -105,16 +105,17 @@ PolicyBase::PolicyBase() + delayed_integrity_level_(INTEGRITY_LEVEL_LAST), + mitigations_(0), + delayed_mitigations_(0), + is_csrss_connected_(true), + policy_maker_(nullptr), + policy_(nullptr), + lowbox_sid_(nullptr), + lockdown_default_dacl_(false), ++ add_restricting_random_sid_(false), + enable_opm_redirection_(false), + effective_token_(nullptr) { + ::InitializeCriticalSection(&lock_); + dispatcher_.reset(new TopLevelDispatcher(this)); + } + + PolicyBase::~PolicyBase() { + TargetSet::iterator it; +@@ -389,16 +390,20 @@ void PolicyBase::AddHandleToShare(HANDLE + + handles_to_share_.push_back(handle); + } + + void PolicyBase::SetLockdownDefaultDacl() { + lockdown_default_dacl_ = true; + } + ++void PolicyBase::AddRestrictingRandomSid() { ++ add_restricting_random_sid_ = true; ++} ++ + const base::HandlesToInheritVector& PolicyBase::GetHandlesBeingShared() { + return handles_to_share_; + } + + ResultCode PolicyBase::MakeJobObject(base::win::ScopedHandle* job) { + if (job_level_ == JOB_NONE) { + job->Close(); + return SBOX_ALL_OK; +@@ -413,22 +418,26 @@ ResultCode PolicyBase::MakeJobObject(bas + + *job = job_obj.Take(); + return SBOX_ALL_OK; + } + + ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial, + base::win::ScopedHandle* lockdown, + base::win::ScopedHandle* lowbox) { ++ Sid random_sid = Sid::GenerateRandomSid(); ++ PSID random_sid_ptr = nullptr; ++ if (add_restricting_random_sid_) ++ random_sid_ptr = random_sid.GetPSID(); ++ + // Create the 'naked' token. 
This will be the permanent token associated + // with the process and therefore with any thread that is not impersonating. +- DWORD result = +- CreateRestrictedToken(effective_token_, lockdown_level_, integrity_level_, +- PRIMARY, lockdown_default_dacl_, +- use_restricting_sids_, lockdown); ++ DWORD result = CreateRestrictedToken( ++ effective_token_, lockdown_level_, integrity_level_, PRIMARY, ++ lockdown_default_dacl_, random_sid_ptr, use_restricting_sids_, lockdown); + if (ERROR_SUCCESS != result) + return SBOX_ERROR_CANNOT_CREATE_RESTRICTED_TOKEN; + + // If we're launching on the alternate desktop we need to make sure the + // integrity label on the object is no higher than the sandboxed process's + // integrity level. So, we lower the label on the desktop process if it's + // not already low enough for our process. + if (use_alternate_desktop_ && integrity_level_ != INTEGRITY_LEVEL_LAST) { +@@ -485,20 +494,19 @@ ResultCode PolicyBase::MakeTokens(base:: + TOKEN_ALL_ACCESS)) { + return SBOX_ERROR_CANNOT_MODIFY_LOWBOX_TOKEN_DACL; + } + } + + // Create the 'better' token. We use this token as the one that the main + // thread uses when booting up the process. 
It should contain most of + // what we need (before reaching main( )) +- result = +- CreateRestrictedToken(effective_token_, initial_level_, integrity_level_, +- IMPERSONATION, lockdown_default_dacl_, +- use_restricting_sids_, initial); ++ result = CreateRestrictedToken( ++ effective_token_, initial_level_, integrity_level_, IMPERSONATION, ++ lockdown_default_dacl_, random_sid_ptr, use_restricting_sids_, initial); + if (ERROR_SUCCESS != result) + return SBOX_ERROR_CANNOT_CREATE_RESTRICTED_IMP_TOKEN; + + return SBOX_ALL_OK; + } + + PSID PolicyBase::GetLowBoxSid() const { + return lowbox_sid_; +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h +--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h +@@ -69,16 +69,17 @@ class PolicyBase final : public TargetPo + ResultCode AddRule(SubSystem subsystem, + Semantics semantics, + const wchar_t* pattern) override; + ResultCode AddDllToUnload(const wchar_t* dll_name) override; + ResultCode AddKernelObjectToClose(const wchar_t* handle_type, + const wchar_t* handle_name) override; + void AddHandleToShare(HANDLE handle) override; + void SetLockdownDefaultDacl() override; ++ void AddRestrictingRandomSid() override; + void SetEnableOPMRedirection() override; + bool GetEnableOPMRedirection() override; + ResultCode AddAppContainerProfile(const wchar_t* package_name, + bool create_profile) override; + scoped_refptr GetAppContainerProfile() override; + void SetEffectiveToken(HANDLE token) override; + + // Get the AppContainer profile as its internal type. +@@ -165,16 +166,17 @@ class PolicyBase final : public TargetPo + // This is a map of handle-types to names that we need to close in the + // target process. A null set means we need to close all handles of the + // given type. 
+ HandleCloser handle_closer_; + PSID lowbox_sid_; + base::win::ScopedHandle lowbox_directory_; + std::unique_ptr dispatcher_; + bool lockdown_default_dacl_; ++ bool add_restricting_random_sid_; + + static HDESK alternate_desktop_handle_; + static HWINSTA alternate_winstation_handle_; + static HDESK alternate_desktop_local_winstation_handle_; + static IntegrityLevel alternate_desktop_integrity_level_label_; + static IntegrityLevel + alternate_desktop_local_winstation_integrity_level_label_; + +diff --git a/security/sandbox/chromium/sandbox/win/src/sid.cc b/security/sandbox/chromium/sandbox/win/src/sid.cc +--- a/security/sandbox/chromium/sandbox/win/src/sid.cc ++++ b/security/sandbox/chromium/sandbox/win/src/sid.cc +@@ -2,18 +2,20 @@ + // Use of this source code is governed by a BSD-style license that can be + // found in the LICENSE file. + + #include "sandbox/win/src/sid.h" + + #include + + #include ++#include + + #include "base/logging.h" ++#include "base/rand_util.h" + #include "base/win/windows_version.h" + #include "sandbox/win/src/win_utils.h" + + namespace sandbox { + + namespace { + + DWORD WellKnownCapabilityToRid(WellKnownCapabilities capability) { +@@ -127,16 +129,24 @@ Sid Sid::FromSubAuthorities(PSID_IDENTIF + + Sid Sid::AllRestrictedApplicationPackages() { + SID_IDENTIFIER_AUTHORITY package_authority = {SECURITY_APP_PACKAGE_AUTHORITY}; + DWORD sub_authorities[] = {SECURITY_APP_PACKAGE_BASE_RID, + SECURITY_BUILTIN_PACKAGE_ANY_RESTRICTED_PACKAGE}; + return FromSubAuthorities(&package_authority, 2, sub_authorities); + } + ++Sid Sid::GenerateRandomSid() { ++ SID_IDENTIFIER_AUTHORITY package_authority = {SECURITY_NULL_SID_AUTHORITY}; ++ DWORD sub_authorities[4] = {}; ++ base::RandBytes(&sub_authorities, sizeof(sub_authorities)); ++ return FromSubAuthorities(&package_authority, _countof(sub_authorities), ++ sub_authorities); ++} ++ + PSID Sid::GetPSID() const { + return const_cast(sid_); + } + + bool Sid::IsValid() const { + return 
!!::IsValidSid(GetPSID()); + } + +diff --git a/security/sandbox/chromium/sandbox/win/src/sid.h b/security/sandbox/chromium/sandbox/win/src/sid.h +--- a/security/sandbox/chromium/sandbox/win/src/sid.h ++++ b/security/sandbox/chromium/sandbox/win/src/sid.h +@@ -47,16 +47,18 @@ class Sid { + // Create a Sid from a SDDL format string, such as S-1-1-0. + static Sid FromSddlString(const wchar_t* sddl_sid); + // Create a Sid from a set of sub authorities. + static Sid FromSubAuthorities(PSID_IDENTIFIER_AUTHORITY identifier_authority, + BYTE sub_authority_count, + PDWORD sub_authorities); + // Create the restricted all application packages sid. + static Sid AllRestrictedApplicationPackages(); ++ // Generate a random SID value. ++ static Sid GenerateRandomSid(); + + // Returns sid_. + PSID GetPSID() const; + + // Gets whether the sid is valid. + bool IsValid() const; + + // Converts the SID to a SDDL format string. diff --git a/security/sandbox/chromium-shim/patches/with_update/allow_env_changes.patch b/security/sandbox/chromium-shim/patches/with_update/allow_env_changes.patch new file mode 100644 index 0000000000..99fe5e99bc --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/allow_env_changes.patch 
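Review bot: The two `AddDefaultDaclSid` calls added to `CreateRestrictedToken` in restricted_token_utils.cc discard the DWORD the method returns, even though the method itself reports `ERROR_NO_TOKEN` when `init_` is false and the nearby `AddRestrictingSidAllSids` call in the same function does propagate its error code. `restricted_token.Init(effective_token)` runs just before, so the check presumably cannot fail today, but the result should still be returned: `DWORD dacl_err = restricted_token.AddDefaultDaclSid(Sid(unique_restricted_sid), GRANT_ACCESS, GENERIC_ALL); if (ERROR_SUCCESS != dacl_err) return dacl_err;` and likewise for the `WinCreatorOwnerRightsSid` call. In `PolicyBase::MakeTokens`, `Sid::GenerateRandomSid()` draws random bytes on every call even when `add_restricting_random_sid_` is false; the draw could live inside the `if` instead, provided `Sid` can be default-constructed, which is not visible here. The sid.h comment `// Generate a random SID value.` would be more useful as `// Generate a SID under SECURITY_NULL_SID_AUTHORITY with four random sub-authorities.`, which is what the sid.cc implementation does.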
@@ -0,0 +1,217 @@ +# HG changeset patch +# User Gian-Carlo Pascutto +# Date 1515402436 -3600 +# Mon Jan 08 10:07:16 2018 +0100 +# Node ID 205e7ae2a6bc5ed1cdd1a982a12d99f52ce33258 +# Parent a89071894b4904a0130139a03147d4a6cb5c3bfc +Bug 1297740. + +diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.cc b/security/sandbox/chromium/sandbox/win/src/broker_services.cc +--- a/security/sandbox/chromium/sandbox/win/src/broker_services.cc ++++ b/security/sandbox/chromium/sandbox/win/src/broker_services.cc +@@ -414,16 +414,17 @@ DWORD WINAPI BrokerServicesBase::TargetE + NOTREACHED(); + return 0; + } + + // SpawnTarget does all the interesting sandbox setup and creates the target + // process inside the sandbox. + ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path, + const wchar_t* command_line, ++ base::EnvironmentMap& env_map, + scoped_refptr policy, + ResultCode* last_warning, + DWORD* last_error, + PROCESS_INFORMATION* target_info) { + if (!exe_path) + return SBOX_ERROR_BAD_PARAMS; + + if (!policy) +@@ -609,17 +610,17 @@ ResultCode BrokerServicesBase::SpawnTarg + // Brokerservices does not own the target object. It is owned by the Policy. + base::win::ScopedProcessInformation process_info; + TargetProcess* target = new TargetProcess( + std::move(initial_token), std::move(lockdown_token), job.Get(), + thread_pool_.get(), + profile ? 
profile->GetImpersonationCapabilities() : std::vector()); + + result = target->Create(exe_path, command_line, inherit_handles, startup_info, +- &process_info, last_error); ++ &process_info, env_map, last_error); + + if (result != SBOX_ALL_OK) { + SpawnCleanup(target); + return result; + } + + if (lowbox_token.IsValid()) { + *last_warning = target->AssignLowBoxToken(lowbox_token); +diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.h b/security/sandbox/chromium/sandbox/win/src/broker_services.h +--- a/security/sandbox/chromium/sandbox/win/src/broker_services.h ++++ b/security/sandbox/chromium/sandbox/win/src/broker_services.h +@@ -7,16 +7,17 @@ + + #include + #include + #include + #include + #include + + #include "base/compiler_specific.h" ++#include "base/environment.h" + #include "base/macros.h" + #include "base/memory/scoped_refptr.h" + #include "base/win/scoped_handle.h" + #include "sandbox/win/src/crosscall_server.h" + #include "sandbox/win/src/job.h" + #include "sandbox/win/src/sandbox.h" + #include "sandbox/win/src/sandbox_policy_base.h" + #include "sandbox/win/src/sharedmem_ipc_server.h" +@@ -39,16 +40,17 @@ class BrokerServicesBase final : public + + ~BrokerServicesBase(); + + // BrokerServices interface. 
+ ResultCode Init() override; + scoped_refptr CreatePolicy() override; + ResultCode SpawnTarget(const wchar_t* exe_path, + const wchar_t* command_line, ++ base::EnvironmentMap& env_map, + scoped_refptr policy, + ResultCode* last_warning, + DWORD* last_error, + PROCESS_INFORMATION* target) override; + ResultCode WaitForAllTargets() override; + ResultCode AddTargetPeer(HANDLE peer_process) override; + + // Checks if the supplied process ID matches one of the broker's active +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sandbox/chromium/sandbox/win/src/sandbox.h +--- a/security/sandbox/chromium/sandbox/win/src/sandbox.h ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox.h +@@ -84,16 +84,17 @@ class BrokerServices { + // parameter will hold the last Win32 error value. + // target: returns the resulting target process information such as process + // handle and PID just as if CreateProcess() had been called. The caller is + // responsible for closing the handles returned in this structure. + // Returns: + // ALL_OK if successful. All other return values imply failure. + virtual ResultCode SpawnTarget(const wchar_t* exe_path, + const wchar_t* command_line, ++ base::EnvironmentMap& env_map, + scoped_refptr policy, + ResultCode* last_warning, + DWORD* last_error, + PROCESS_INFORMATION* target) = 0; + + // This call blocks (waits) for all the targets to terminate. + // Returns: + // ALL_OK if successful. All other return values imply failure. 
+diff --git a/security/sandbox/chromium/sandbox/win/src/target_process.cc b/security/sandbox/chromium/sandbox/win/src/target_process.cc +--- a/security/sandbox/chromium/sandbox/win/src/target_process.cc ++++ b/security/sandbox/chromium/sandbox/win/src/target_process.cc +@@ -9,16 +9,17 @@ + + #include + #include + #include + + #include "base/macros.h" + #include "base/memory/free_deleter.h" + #include "base/numerics/safe_conversions.h" ++#include "base/process/environment_internal.h" + #include "base/win/startup_information.h" + #include "base/win/windows_version.h" + #include "sandbox/win/src/crosscall_client.h" + #include "sandbox/win/src/crosscall_server.h" + #include "sandbox/win/src/policy_low_level.h" + #include "sandbox/win/src/restricted_token_utils.h" + #include "sandbox/win/src/sandbox_types.h" + #include "sandbox/win/src/security_capabilities.h" +@@ -137,16 +138,17 @@ TargetProcess::~TargetProcess() { + // Creates the target (child) process suspended and assigns it to the job + // object. + ResultCode TargetProcess::Create( + const wchar_t* exe_path, + const wchar_t* command_line, + bool inherit_handles, + const base::win::StartupInformation& startup_info, + base::win::ScopedProcessInformation* target_info, ++ base::EnvironmentMap& env_changes, + DWORD* win_error) { + exe_name_.reset(_wcsdup(exe_path)); + + // the command line needs to be writable by CreateProcess(). + std::unique_ptr cmd_line(_wcsdup(command_line)); + + // Start the target process suspended. + DWORD flags = +@@ -156,22 +158,29 @@ ResultCode TargetProcess::Create( + flags |= EXTENDED_STARTUPINFO_PRESENT; + + if (job_ && base::win::GetVersion() < base::win::Version::WIN8) { + // Windows 8 implements nested jobs, but for older systems we need to + // break out of any job we're in to enforce our restrictions. 
+ flags |= CREATE_BREAKAWAY_FROM_JOB; + } + ++ LPTCH original_environment = GetEnvironmentStrings(); ++ base::NativeEnvironmentString new_environment = ++ base::internal::AlterEnvironment(original_environment, env_changes); ++ // Ignore return value? What can we do? ++ FreeEnvironmentStrings(original_environment); ++ LPVOID new_env_ptr = (void*)new_environment.data(); ++ + PROCESS_INFORMATION temp_process_info = {}; + if (!::CreateProcessAsUserW(lockdown_token_.Get(), exe_path, cmd_line.get(), + nullptr, // No security attribute. + nullptr, // No thread attribute. + inherit_handles, flags, +- nullptr, // Use the environment of the caller. ++ new_env_ptr, + nullptr, // Use current directory of the caller. + startup_info.startup_info(), + &temp_process_info)) { + *win_error = ::GetLastError(); + return SBOX_ERROR_CREATE_PROCESS; + } + base::win::ScopedProcessInformation process_info(temp_process_info); + +diff --git a/security/sandbox/chromium/sandbox/win/src/target_process.h b/security/sandbox/chromium/sandbox/win/src/target_process.h +--- a/security/sandbox/chromium/sandbox/win/src/target_process.h ++++ b/security/sandbox/chromium/sandbox/win/src/target_process.h +@@ -9,16 +9,17 @@ + + #include + #include + + #include + #include + + #include "base/macros.h" ++#include "base/environment.h" + #include "base/memory/free_deleter.h" + #include "base/win/scoped_handle.h" + #include "base/win/scoped_process_information.h" + #include "sandbox/win/src/crosscall_server.h" + #include "sandbox/win/src/sandbox_types.h" + + namespace base { + namespace win { +@@ -54,16 +55,17 @@ class TargetProcess { + void Release() {} + + // Creates the new target process. The process is created suspended. 
+ ResultCode Create(const wchar_t* exe_path, + const wchar_t* command_line, + bool inherit_handles, + const base::win::StartupInformation& startup_info, + base::win::ScopedProcessInformation* target_info, ++ base::EnvironmentMap& env_map, + DWORD* win_error); + + // Assign a new lowbox token to the process post creation. The process + // must still be in its initial suspended state, however this still + // might fail in the presence of third-party software. + ResultCode AssignLowBoxToken(const base::win::ScopedHandle& token); + + // Destroys the target process. diff --git a/security/sandbox/chromium-shim/patches/with_update/allow_read_only_all_paths_rule.patch b/security/sandbox/chromium-shim/patches/with_update/allow_read_only_all_paths_rule.patch new file mode 100644 index 0000000000..b147e5f9fe --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/allow_read_only_all_paths_rule.patch 
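Review bot: In TargetProcess::Create the result of `GetEnvironmentStrings()` is passed straight to `base::internal::AlterEnvironment` with no null check, so a failure there dereferences a null pointer inside the broker; add `if (!original_environment) { *win_error = ::GetLastError(); return SBOX_ERROR_CREATE_PROCESS; }` before the call. A wide-character block handed to `CreateProcessAsUserW` also needs `CREATE_UNICODE_ENVIRONMENT` in `flags`; the flags initializer sits between the two hunks and is not visible here, so confirm it is already set. The placeholder `// Ignore return value? What can we do?` should record the decision, e.g. `// A FreeEnvironmentStrings failure is not actionable; new_environment already holds the copy.`, and the C-style `(void*)new_environment.data()` should become `const_cast<wchar_t*>(new_environment.data())`. `env_map` is only read on this path, so the new parameter added to SpawnTarget and Create in the other hunks could be `const base::EnvironmentMap&`, which is what `AlterEnvironment` appears to require.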
@@ -0,0 +1,142 @@ +# HG changeset patch +# User Bob Owen +# Date 1490686576 -3600 +# Tue Mar 28 08:36:16 2017 +0100 +# Node ID 698d43688097e19ac64db71a094905035cac4891 +# Parent 96707276b26997ea2a8e9fd8fdacc0c863717e7b +Allow a special all paths rule in the Windows process sandbox when using semantics FILES_ALLOW_READONLY. r=jimm + +This also changes the read only related status checks in filesystem_interception.cc +to include STATUS_NETWORK_OPEN_RESTRICTION (0xC0000201), which gets returned in +some cases and fails because we never ask the broker. + +diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc +--- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc ++++ b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc +@@ -11,16 +11,20 @@ + #include "sandbox/win/src/ipc_tags.h" + #include "sandbox/win/src/policy_params.h" + #include "sandbox/win/src/policy_target.h" + #include "sandbox/win/src/sandbox_factory.h" + #include "sandbox/win/src/sandbox_nt_util.h" + #include "sandbox/win/src/sharedmem_ipc_client.h" + #include "sandbox/win/src/target_services.h" + ++// This status occurs when trying to access a network share on the machine from ++// which it is shared. ++#define STATUS_NETWORK_OPEN_RESTRICTION ((NTSTATUS)0xC0000201L) ++ + namespace sandbox { + + NTSTATUS WINAPI TargetNtCreateFile(NtCreateFileFunction orig_CreateFile, + PHANDLE file, + ACCESS_MASK desired_access, + POBJECT_ATTRIBUTES object_attributes, + PIO_STATUS_BLOCK io_status, + PLARGE_INTEGER allocation_size, +@@ -29,17 +33,18 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre + ULONG disposition, + ULONG options, + PVOID ea_buffer, + ULONG ea_length) { + // Check if the process can open it first. 
+ NTSTATUS status = orig_CreateFile( + file, desired_access, object_attributes, io_status, allocation_size, + file_attributes, sharing, disposition, options, ea_buffer, ea_length); +- if (STATUS_ACCESS_DENIED != status) ++ if (STATUS_ACCESS_DENIED != status && ++ STATUS_NETWORK_OPEN_RESTRICTION != status) + return status; + + // We don't trust that the IPC can work this early. + if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return status; + + do { + if (!ValidParameter(file, sizeof(HANDLE), WRITE)) +@@ -106,17 +111,18 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF + ACCESS_MASK desired_access, + POBJECT_ATTRIBUTES object_attributes, + PIO_STATUS_BLOCK io_status, + ULONG sharing, + ULONG options) { + // Check if the process can open it first. + NTSTATUS status = orig_OpenFile(file, desired_access, object_attributes, + io_status, sharing, options); +- if (STATUS_ACCESS_DENIED != status) ++ if (STATUS_ACCESS_DENIED != status && ++ STATUS_NETWORK_OPEN_RESTRICTION != status) + return status; + + // We don't trust that the IPC can work this early. + if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return status; + + do { + if (!ValidParameter(file, sizeof(HANDLE), WRITE)) +@@ -176,17 +182,18 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF + } + + NTSTATUS WINAPI + TargetNtQueryAttributesFile(NtQueryAttributesFileFunction orig_QueryAttributes, + POBJECT_ATTRIBUTES object_attributes, + PFILE_BASIC_INFORMATION file_attributes) { + // Check if the process can query it first. + NTSTATUS status = orig_QueryAttributes(object_attributes, file_attributes); +- if (STATUS_ACCESS_DENIED != status) ++ if (STATUS_ACCESS_DENIED != status && ++ STATUS_NETWORK_OPEN_RESTRICTION != status) + return status; + + // We don't trust that the IPC can work this early. 
+ if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return status; + + do { + if (!ValidParameter(file_attributes, sizeof(FILE_BASIC_INFORMATION), WRITE)) +@@ -232,17 +239,18 @@ TargetNtQueryAttributesFile(NtQueryAttri + + NTSTATUS WINAPI TargetNtQueryFullAttributesFile( + NtQueryFullAttributesFileFunction orig_QueryFullAttributes, + POBJECT_ATTRIBUTES object_attributes, + PFILE_NETWORK_OPEN_INFORMATION file_attributes) { + // Check if the process can query it first. + NTSTATUS status = + orig_QueryFullAttributes(object_attributes, file_attributes); +- if (STATUS_ACCESS_DENIED != status) ++ if (STATUS_ACCESS_DENIED != status && ++ STATUS_NETWORK_OPEN_RESTRICTION != status) + return status; + + // We don't trust that the IPC can work this early. + if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return status; + + do { + if (!ValidParameter(file_attributes, sizeof(FILE_NETWORK_OPEN_INFORMATION), +diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc +--- a/security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc ++++ b/security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc +@@ -77,17 +77,21 @@ namespace sandbox { + bool FileSystemPolicy::GenerateRules(const wchar_t* name, + TargetPolicy::Semantics semantics, + LowLevelPolicy* policy) { + std::wstring mod_name(name); + if (mod_name.empty()) { + return false; + } + +- if (!PreProcessName(&mod_name)) { ++ // Don't pre-process the path name and check for reparse points if it is the ++ // special case of allowing read access to all paths. ++ if (!(semantics == TargetPolicy::FILES_ALLOW_READONLY ++ && mod_name.compare(L"*") == 0) ++ && !PreProcessName(&mod_name)) { + // The path to be added might contain a reparse point. + NOTREACHED(); + return false; + } + + // TODO(cpu) bug 32224: This prefix add is a hack because we don't have the + // infrastructure to normalize names. 
In any case we need to escape the + // question marks. diff --git a/security/sandbox/chromium-shim/patches/with_update/allow_reparse_points.patch b/security/sandbox/chromium-shim/patches/with_update/allow_reparse_points.patch new file mode 100644 index 0000000000..e3645d2cd7 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/allow_reparse_points.patch 
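Review bot: The new `#define STATUS_NETWORK_OPEN_RESTRICTION ((NTSTATUS)0xC0000201L)` in filesystem_interception.cc is unconditional, so on a toolchain whose headers already define the symbol it triggers a macro redefinition; wrap it in `#ifndef STATUS_NETWORK_OPEN_RESTRICTION` / `#endif`. In FileSystemPolicy::GenerateRules the `*` special case skips PreProcessName, which means this is the one rule added without the reparse-point check; the comment says that the skip happens but not why it is safe, so extend it with something like `// A read-only rule covering every path has no specific path to normalise, and a reparse point cannot widen what it already allows.`. Chromium style also keeps `&&` at the end of the preceding line rather than starting the continuation line with it.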
@@ -0,0 +1,186 @@ +# HG changeset patch +# User Bob Owen +# Date 1631294898 -3600 +# Fri Sep 10 18:28:18 2021 +0100 +# Node ID adbc9b3051ab7f3c9360f65fe0fc26bd9d9dd499 +# Parent 004b5bea4e78db7ecd665173ce4cf6aa0a1af199 +Bug 1695556 p1: Allow reparse points in chromium sandbox code. + +Differential Revision: https://phabricator.services.mozilla.com/D135692 + +diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc +--- a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc ++++ b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc +@@ -87,17 +87,16 @@ bool FilesystemDispatcher::NtCreateFile( + std::wstring* name, + uint32_t attributes, + uint32_t desired_access, + uint32_t file_attributes, + uint32_t share_access, + uint32_t create_disposition, + uint32_t create_options) { + if (!PreProcessName(name)) { +- // The path requested might contain a reparse point. + ipc->return_info.nt_status = STATUS_ACCESS_DENIED; + return true; + } + + const wchar_t* filename = name->c_str(); + + uint32_t broker = BROKER_TRUE; + CountedParameterSet params; +@@ -141,17 +140,16 @@ bool FilesystemDispatcher::NtCreateFile( + + bool FilesystemDispatcher::NtOpenFile(IPCInfo* ipc, + std::wstring* name, + uint32_t attributes, + uint32_t desired_access, + uint32_t share_access, + uint32_t open_options) { + if (!PreProcessName(name)) { +- // The path requested might contain a reparse point. 
+ ipc->return_info.nt_status = STATUS_ACCESS_DENIED; + return true; + } + + const wchar_t* filename = name->c_str(); + + uint32_t broker = BROKER_TRUE; + uint32_t create_disposition = FILE_OPEN; +@@ -196,17 +194,16 @@ bool FilesystemDispatcher::NtOpenFile(IP + bool FilesystemDispatcher::NtQueryAttributesFile(IPCInfo* ipc, + std::wstring* name, + uint32_t attributes, + CountedBuffer* info) { + if (sizeof(FILE_BASIC_INFORMATION) != info->Size()) + return false; + + if (!PreProcessName(name)) { +- // The path requested might contain a reparse point. + ipc->return_info.nt_status = STATUS_ACCESS_DENIED; + return true; + } + + uint32_t broker = BROKER_TRUE; + const wchar_t* filename = name->c_str(); + CountedParameterSet params; + params[FileName::NAME] = ParamPickerMake(filename); +@@ -245,17 +242,16 @@ bool FilesystemDispatcher::NtQueryAttrib + bool FilesystemDispatcher::NtQueryFullAttributesFile(IPCInfo* ipc, + std::wstring* name, + uint32_t attributes, + CountedBuffer* info) { + if (sizeof(FILE_NETWORK_OPEN_INFORMATION) != info->Size()) + return false; + + if (!PreProcessName(name)) { +- // The path requested might contain a reparse point. + ipc->return_info.nt_status = STATUS_ACCESS_DENIED; + return true; + } + + uint32_t broker = BROKER_TRUE; + const wchar_t* filename = name->c_str(); + CountedParameterSet params; + params[FileName::NAME] = ParamPickerMake(filename); +@@ -307,17 +303,16 @@ bool FilesystemDispatcher::NtSetInformat + + if (!IsSupportedRenameCall(rename_info, length, info_class)) + return false; + + std::wstring name; + name.assign(rename_info->FileName, + rename_info->FileNameLength / sizeof(rename_info->FileName[0])); + if (!PreProcessName(&name)) { +- // The path requested might contain a reparse point. 
+ ipc->return_info.nt_status = STATUS_ACCESS_DENIED; + return true; + } + + uint32_t broker = BROKER_TRUE; + const wchar_t* filename = name.c_str(); + CountedParameterSet params; + params[FileName::NAME] = ParamPickerMake(filename); +diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc +--- a/security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc ++++ b/security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc +@@ -1,16 +1,17 @@ + // Copyright (c) 2011 The Chromium Authors. All rights reserved. + // Use of this source code is governed by a BSD-style license that can be + // found in the LICENSE file. + + #include "sandbox/win/src/filesystem_policy.h" + + #include + ++#include + #include + + #include "base/logging.h" + #include "base/stl_util.h" + #include "base/win/scoped_handle.h" + #include "base/win/windows_version.h" + #include "sandbox/win/src/ipc_tags.h" + #include "sandbox/win/src/policy_engine_opcodes.h" +@@ -39,22 +40,16 @@ NTSTATUS NtCreateFileInTarget(HANDLE* ta + NTSTATUS status = + NtCreateFile(&local_handle, desired_access, obj_attributes, + io_status_block, nullptr, file_attributes, share_access, + create_disposition, create_options, ea_buffer, ea_length); + if (!NT_SUCCESS(status)) { + return status; + } + +- if (!sandbox::SameObject(local_handle, obj_attributes->ObjectName->Buffer)) { +- // The handle points somewhere else. Fail the operation. 
+- ::CloseHandle(local_handle); +- return STATUS_ACCESS_DENIED; +- } +- + if (!::DuplicateHandle(::GetCurrentProcess(), local_handle, target_process, + target_file_handle, 0, false, + DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) { + return STATUS_ACCESS_DENIED; + } + return STATUS_SUCCESS; + } + +@@ -400,23 +395,32 @@ bool FileSystemPolicy::SetInformationFil + static_cast(info_class); + *nt_status = NtSetInformationFile(local_handle, io_block, file_info, length, + file_info_class); + + return true; + } + + bool PreProcessName(std::wstring* path) { +- ConvertToLongPath(path); ++ // We now allow symbolic links to be opened via the broker, so we can no ++ // longer rely on the same object check where we checked the path of the ++ // opened file against the original. We don't specify a root when creating ++ // OBJECT_ATTRIBUTES from file names for brokering so they must be fully ++ // qualified and we can just check for the parent directory double dot between ++ // two backslashes. NtCreateFile doesn't seem to allow it anyway, but this is ++ // just an extra precaution. It also doesn't seem to allow the forward slash, ++ // but this is also used for checking policy rules, so we just replace forward ++ // slashes with backslashes. ++ std::replace(path->begin(), path->end(), L'/', L'\\'); ++ if (path->find(L"\\..\\") != std::wstring::npos) { ++ return false; ++ } + +- if (ERROR_NOT_A_REPARSE_POINT == IsReparsePoint(*path)) +- return true; +- +- // We can't process a reparsed file. +- return false; ++ ConvertToLongPath(path); ++ return true; + } + + std::wstring FixNTPrefixForMatch(const std::wstring& name) { + std::wstring mod_name = name; + + // NT prefix escaped for rule matcher + const wchar_t kNTPrefixEscaped[] = L"\\/?/?\\"; + const int kNTPrefixEscapedLen = base::size(kNTPrefixEscaped) - 1; 
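Review bot: The parent-directory check added to PreProcessName only matches `\..\` in the interior of the path; a path whose final component is `\..` with no trailing separator passes the test and is then handed to ConvertToLongPath and the rule matcher. Cover the last component as well, e.g. `if (path->find(L"\\..\\") != std::wstring::npos || (path->size() >= 3 && path->compare(path->size() - 3, 3, L"\\..") == 0)) return false;`. With the SameObject check removed from NtCreateFileInTarget in the same file, the long comment inside PreProcessName is now the only place stating that a brokered open may resolve through a reparse point to a location the rule did not name; that contract belongs on the function's declaration in filesystem_policy.h where callers read it. The five dispatcher sites that lost their `// The path requested might contain a reparse point.` line now fail with a bare STATUS_ACCESS_DENIED; a replacement such as `// Path failed normalisation or contains a parent-directory component.` keeps the reason visible.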
diff --git a/security/sandbox/chromium-shim/patches/with_update/broker_complex_line_breaks.patch b/security/sandbox/chromium-shim/patches/with_update/broker_complex_line_breaks.patch new file mode 100644 index 0000000000..4d350fa8bc --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/broker_complex_line_breaks.patch 
@@ -0,0 +1,502 @@ +# HG changeset patch +# User Bob Owen +# Date 1632737723 -3600 +# Mon Sep 27 11:15:23 2021 +0100 +# Node ID 096696bc1648dbacdfab881c4ed8fe770ebe58b1 +# Parent 254b1fc8768f67d208af199135276abae9aabc0c +Bug 1713973 p2: Add Uniscribe Line Breaking via chromium-sandbox IPC. r=toshi!,r=jfkthame! + +This adds a new cross call using the chromium shared memory IPC to proxy use of +the Uniscribe line breaker, because it cannot be used in the content process +with win32k lockdown enabled. + +If the text being processed is too long to fit into the IPC params then it is +processed in chunks. + +This change implements an INPTR_TYPE in the sandbox, which appears to have +been removed at some point. +It also fixes a bug in OpcodeFactory::MakeOpAction, so that a null param is +passed and we can use an empty parameter set. + +New files are in chromium-shim as these are most likely to require changes and +this means we will not have to update the main chromium patch. + +diff --git a/security/sandbox/chromium/sandbox/win/src/crosscall_client.h b/security/sandbox/chromium/sandbox/win/src/crosscall_client.h +--- a/security/sandbox/chromium/sandbox/win/src/crosscall_client.h ++++ b/security/sandbox/chromium/sandbox/win/src/crosscall_client.h +@@ -39,20 +39,16 @@ + // interpretation of the answer is private to client and server. + // + // The return value is ALL_OK if the IPC was delivered to the server, other + // return codes indicate that the IPC transport failed to deliver it. + namespace sandbox { + + enum class IpcTag; + +-// this is the assumed channel size. This can be overridden in a given +-// IPC implementation. +-const uint32_t kIPCChannelSize = 1024; +- + // The copy helper uses templates to deduce the appropriate copy function to + // copy the input parameters in the buffer that is going to be send across the + // IPC. These template facility can be made more sophisticated as need arises. + + // The default copy helper. 
It catches the general case where no other + // specialized template matches better. We set the type to UINT32_TYPE, so this + // only works with objects whose size is 32 bits. + template +@@ -207,16 +203,42 @@ class CopyHelper : pub + // parameters. + class InOutCountedBuffer : public CountedBuffer { + public: + InOutCountedBuffer(void* buffer, uint32_t size) + : CountedBuffer(buffer, size) {} + }; + + // This copy helper template specialization catches the cases where the ++// parameter is a an input buffer. ++template <> ++class CopyHelper { ++ public: ++ CopyHelper(const CountedBuffer t) : t_(t) {} ++ ++ // Returns the pointer to the start of the string. ++ const void* GetStart() const { return t_.Buffer(); } ++ ++ // Update not required so just return true; ++ bool Update(void* buffer) { return true; } ++ ++ // Returns the size of the string in bytes. We define a nullptr string to ++ // be of zero length. ++ uint32_t GetSize() const { return t_.Size(); } ++ ++ // Returns true if the current type is used as an In or InOut parameter. ++ bool IsInOut() { return false; } ++ ++ ArgType GetType() { return INPTR_TYPE; } ++ ++ private: ++ const CountedBuffer t_; ++}; ++ ++// This copy helper template specialization catches the cases where the + // parameter is a an input/output buffer. + template <> + class CopyHelper { + public: + CopyHelper(const InOutCountedBuffer t) : t_(t) {} + + // Returns the pointer to the start of the string. + const void* GetStart() const { return t_.Buffer(); } +diff --git a/security/sandbox/chromium/sandbox/win/src/crosscall_params.h b/security/sandbox/chromium/sandbox/win/src/crosscall_params.h +--- a/security/sandbox/chromium/sandbox/win/src/crosscall_params.h ++++ b/security/sandbox/chromium/sandbox/win/src/crosscall_params.h +@@ -41,16 +41,20 @@ + // them are not supported. + // + // Another limitation of CrossCall is that the return value and output + // parameters can only be uint32_t integers. 
Returning complex structures or + // strings is not supported. + + namespace sandbox { + ++// this is the assumed channel size. This can be overridden in a given ++// IPC implementation. ++const uint32_t kIPCChannelSize = 1024; ++ + // This is the list of all imported symbols from ntdll.dll. + SANDBOX_INTERCEPT NtExports g_nt; + + namespace { + + // Increases |value| until there is no need for padding given an int64_t + // alignment. Returns the increased value. + inline uint32_t Align(uint32_t value) { +@@ -216,16 +220,21 @@ class ActualCallParams : public CrossCal + // Testing-only constructor. Allows setting the |number_params| to a + // wrong value. + ActualCallParams(IpcTag tag, uint32_t number_params) + : CrossCallParams(tag, number_params) { + param_info_[0].offset_ = + static_cast(parameters_ - reinterpret_cast(this)); + } + ++ static constexpr size_t MaxParamsSize() { ++ return sizeof( ++ ActualCallParams::parameters_); ++ } ++ + // Testing-only method. Allows setting the apparent size to a wrong value. + // returns the previous size. 
+ uint32_t OverrideSize(uint32_t new_size) { + uint32_t previous_size = param_info_[NUMBER_PARAMS].offset_; + param_info_[NUMBER_PARAMS].offset_ = new_size; + return previous_size; + } + +diff --git a/security/sandbox/chromium/sandbox/win/src/crosscall_server.cc b/security/sandbox/chromium/sandbox/win/src/crosscall_server.cc +--- a/security/sandbox/chromium/sandbox/win/src/crosscall_server.cc ++++ b/security/sandbox/chromium/sandbox/win/src/crosscall_server.cc +@@ -301,17 +301,17 @@ bool CrossCallParamsEx::GetParameterStr( + + bool CrossCallParamsEx::GetParameterPtr(uint32_t index, + uint32_t expected_size, + void** pointer) { + uint32_t size = 0; + ArgType type; + void* start = GetRawParameter(index, &size, &type); + +- if ((size != expected_size) || (INOUTPTR_TYPE != type)) ++ if ((size != expected_size) || (INOUTPTR_TYPE != type && INPTR_TYPE != type)) + return false; + + if (!start) + return false; + + *pointer = start; + return true; + } +diff --git a/security/sandbox/chromium/sandbox/win/src/ipc_args.cc b/security/sandbox/chromium/sandbox/win/src/ipc_args.cc +--- a/security/sandbox/chromium/sandbox/win/src/ipc_args.cc ++++ b/security/sandbox/chromium/sandbox/win/src/ipc_args.cc +@@ -15,16 +15,17 @@ namespace sandbox { + void ReleaseArgs(const IPCParams* ipc_params, void* args[kMaxIpcParams]) { + for (size_t i = 0; i < kMaxIpcParams; i++) { + switch (ipc_params->args[i]) { + case WCHAR_TYPE: { + delete reinterpret_cast(args[i]); + args[i] = nullptr; + break; + } ++ case INPTR_TYPE: + case INOUTPTR_TYPE: { + delete reinterpret_cast(args[i]); + args[i] = nullptr; + break; + } + default: + break; + } +@@ -69,16 +70,17 @@ bool GetArgs(CrossCallParamsEx* params, + void* data; + if (!params->GetParameterVoidPtr(i, &data)) { + ReleaseArgs(ipc_params, args); + return false; + } + args[i] = data; + break; + } ++ case INPTR_TYPE: + case INOUTPTR_TYPE: { + if (!args[i]) { + ReleaseArgs(ipc_params, args); + return false; + } + CountedBuffer* buffer = new 
CountedBuffer(args[i], size); + args[i] = buffer; + break; +diff --git a/security/sandbox/chromium/sandbox/win/src/ipc_tags.h b/security/sandbox/chromium/sandbox/win/src/ipc_tags.h +--- a/security/sandbox/chromium/sandbox/win/src/ipc_tags.h ++++ b/security/sandbox/chromium/sandbox/win/src/ipc_tags.h +@@ -41,16 +41,17 @@ enum class IpcTag { + GDI_GETCERTIFICATESIZE, + GDI_DESTROYOPMPROTECTEDOUTPUT, + GDI_CONFIGUREOPMPROTECTEDOUTPUT, + GDI_GETOPMINFORMATION, + GDI_GETOPMRANDOMNUMBER, + GDI_GETSUGGESTEDOPMPROTECTEDOUTPUTARRAYSIZE, + GDI_SETOPMSIGNINGKEYANDSEQUENCENUMBERS, + NTCREATESECTION, ++ GETCOMPLEXLINEBREAKS, + LAST + }; + + constexpr size_t kMaxServiceCount = 64; + constexpr size_t kMaxIpcTag = static_cast(IpcTag::LAST); + static_assert(kMaxIpcTag <= kMaxServiceCount, "kMaxServiceCount is too low"); + + } // namespace sandbox +diff --git a/security/sandbox/chromium/sandbox/win/src/policy_engine_opcodes.cc b/security/sandbox/chromium/sandbox/win/src/policy_engine_opcodes.cc +--- a/security/sandbox/chromium/sandbox/win/src/policy_engine_opcodes.cc ++++ b/security/sandbox/chromium/sandbox/win/src/policy_engine_opcodes.cc +@@ -78,17 +78,17 @@ EvalResult OpcodeEval(Po + } + + ////////////////////////////////////////////////////////////////////////////// + // Opcode OpAction: + // Does not require input parameter. + // Argument 0 contains the actual action to return. 
+ + PolicyOpcode* OpcodeFactory::MakeOpAction(EvalResult action, uint32_t options) { +- PolicyOpcode* opcode = MakeBase(OP_ACTION, options, 0); ++ PolicyOpcode* opcode = MakeBase(OP_ACTION, options, -1); + if (!opcode) + return nullptr; + opcode->SetArgument(0, action); + return opcode; + } + + template <> + EvalResult OpcodeEval(PolicyOpcode* opcode, +diff --git a/security/sandbox/chromium/sandbox/win/src/policy_params.h b/security/sandbox/chromium/sandbox/win/src/policy_params.h +--- a/security/sandbox/chromium/sandbox/win/src/policy_params.h ++++ b/security/sandbox/chromium/sandbox/win/src/policy_params.h +@@ -56,11 +56,15 @@ POLPARAMS_BEGIN(OpenKey) + POLPARAMS_END(OpenKey) + + // Policy parameter for name-based policies. + POLPARAMS_BEGIN(HandleTarget) + POLPARAM(NAME) + POLPARAM(TARGET) + POLPARAMS_END(HandleTarget) + ++// Policy parameters where no parameter based checks are done. ++POLPARAMS_BEGIN(EmptyParams) ++POLPARAMS_END(EmptyParams) ++ + } // namespace sandbox + + #endif // SANDBOX_SRC_POLICY_PARAMS_H__ +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sandbox/chromium/sandbox/win/src/sandbox.h +--- a/security/sandbox/chromium/sandbox/win/src/sandbox.h ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox.h +@@ -176,16 +176,19 @@ class TargetServices { + // If the return is ERROR_GENERIC, you can call ::GetLastError() to get + // more information. + virtual ResultCode DuplicateHandle(HANDLE source_handle, + DWORD target_process_id, + HANDLE* target_handle, + DWORD desired_access, + DWORD options) = 0; + ++ virtual ResultCode GetComplexLineBreaks(const WCHAR* text, uint32_t length, ++ uint8_t* break_before) = 0; ++ + protected: + ~TargetServices() {} + }; + + class PolicyInfo { + public: + // Returns a JSON representation of the policy snapshot. + // This pointer has the same lifetime as this PolicyInfo object. 
+diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h +--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h +@@ -27,17 +27,18 @@ class TargetPolicy { + enum SubSystem { + SUBSYS_FILES, // Creation and opening of files and pipes. + SUBSYS_NAMED_PIPES, // Creation of named pipes. + SUBSYS_PROCESS, // Creation of child processes. + SUBSYS_REGISTRY, // Creation and opening of registry keys. + SUBSYS_SYNC, // Creation of named sync objects. + SUBSYS_HANDLES, // Duplication of handles to other processes. + SUBSYS_WIN32K_LOCKDOWN, // Win32K Lockdown related policy. +- SUBSYS_SIGNED_BINARY // Signed binary policy. ++ SUBSYS_SIGNED_BINARY, // Signed binary policy. ++ SUBSYS_LINE_BREAK // Complex line break policy. + }; + + // Allowable semantics when a rule is matched. + enum Semantics { + FILES_ALLOW_ANY, // Allows open or create for any kind of access that + // the file system supports. + FILES_ALLOW_READONLY, // Allows open or create with read access only. + FILES_ALLOW_QUERY, // Allows access to query the attributes of a file. +@@ -60,17 +61,18 @@ class TargetPolicy { + REG_ALLOW_READONLY, // Allows readonly access to a registry key. + REG_ALLOW_ANY, // Allows read and write access to a registry key. + FAKE_USER_GDI_INIT, // Fakes user32 and gdi32 initialization. This can + // be used to allow the DLLs to load and initialize + // even if the process cannot access that subsystem. + IMPLEMENT_OPM_APIS, // Implements FAKE_USER_GDI_INIT and also exposes + // IPC calls to handle Output Protection Manager + // APIs. +- SIGNED_ALLOW_LOAD // Allows loading the module when CIG is enabled. ++ SIGNED_ALLOW_LOAD, // Allows loading the module when CIG is enabled. ++ LINE_BREAK_ALLOW // Allow complex line break brokering. + }; + + // Increments the reference count of this object. 
The reference count must + // be incremented if this interface is given to another component. + virtual void AddRef() = 0; + + // Decrements the reference count of this object. When the reference count + // is zero the object is automatically destroyed. +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc +--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc +@@ -15,16 +15,17 @@ + #include "base/strings/stringprintf.h" + #include "base/win/win_util.h" + #include "base/win/windows_version.h" + #include "sandbox/win/src/acl.h" + #include "sandbox/win/src/filesystem_policy.h" + #include "sandbox/win/src/handle_policy.h" + #include "sandbox/win/src/interception.h" + #include "sandbox/win/src/job.h" ++#include "sandbox/win/src/line_break_policy.h" + #include "sandbox/win/src/named_pipe_policy.h" + #include "sandbox/win/src/policy_broker.h" + #include "sandbox/win/src/policy_engine_processor.h" + #include "sandbox/win/src/policy_low_level.h" + #include "sandbox/win/src/process_mitigations.h" + #include "sandbox/win/src/process_mitigations_win32k_policy.h" + #include "sandbox/win/src/process_thread_policy.h" + #include "sandbox/win/src/registry_policy.h" +@@ -809,16 +810,23 @@ ResultCode PolicyBase::AddRuleInternal(S + "policy rules."; + if (!SignedPolicy::GenerateRules(pattern, semantics, policy_maker_)) { + NOTREACHED(); + return SBOX_ERROR_BAD_PARAMS; + } + } + break; + } ++ case SUBSYS_LINE_BREAK: { ++ if (!LineBreakPolicy::GenerateRules(pattern, semantics, policy_maker_)) { ++ NOTREACHED(); ++ return SBOX_ERROR_BAD_PARAMS; ++ } ++ break; ++ } + + default: { return SBOX_ERROR_UNSUPPORTED; } + } + + return SBOX_ALL_OK; + } + + } // namespace sandbox +diff --git a/security/sandbox/chromium/sandbox/win/src/target_services.cc b/security/sandbox/chromium/sandbox/win/src/target_services.cc +--- 
a/security/sandbox/chromium/sandbox/win/src/target_services.cc ++++ b/security/sandbox/chromium/sandbox/win/src/target_services.cc +@@ -9,16 +9,17 @@ + #include + #include + + #include "base/win/windows_version.h" + #include "sandbox/win/src/crosscall_client.h" + #include "sandbox/win/src/handle_closer_agent.h" + #include "sandbox/win/src/handle_interception.h" + #include "sandbox/win/src/heap_helper.h" ++#include "sandbox/win/src/line_break_interception.h" + #include "sandbox/win/src/ipc_tags.h" + #include "sandbox/win/src/process_mitigations.h" + #include "sandbox/win/src/restricted_token_utils.h" + #include "sandbox/win/src/sandbox.h" + #include "sandbox/win/src/sandbox_nt_util.h" + #include "sandbox/win/src/sandbox_types.h" + #include "sandbox/win/src/sharedmem_ipc_client.h" + +@@ -240,19 +241,24 @@ void ProcessState::SetRevertedToSelf() { + if (process_state_ < ProcessStateInternal::REVERTED_TO_SELF) + process_state_ = ProcessStateInternal::REVERTED_TO_SELF; + } + + void ProcessState::SetCsrssConnected(bool csrss_connected) { + csrss_connected_ = csrss_connected; + } + +- + ResultCode TargetServicesBase::DuplicateHandle(HANDLE source_handle, + DWORD target_process_id, + HANDLE* target_handle, + DWORD desired_access, + DWORD options) { + return sandbox::DuplicateHandleProxy(source_handle, target_process_id, + target_handle, desired_access, options); + } + ++ResultCode TargetServicesBase::GetComplexLineBreaks(const WCHAR* text, ++ uint32_t length, ++ uint8_t* break_before) { ++ return sandbox::GetComplexLineBreaksProxy(text, length, break_before); ++} ++ + } // namespace sandbox +diff --git a/security/sandbox/chromium/sandbox/win/src/target_services.h b/security/sandbox/chromium/sandbox/win/src/target_services.h +--- a/security/sandbox/chromium/sandbox/win/src/target_services.h ++++ b/security/sandbox/chromium/sandbox/win/src/target_services.h +@@ -45,16 +45,18 @@ class TargetServicesBase : public Target + ResultCode Init() override; + void LowerToken() 
override; + ProcessState* GetState() override; + ResultCode DuplicateHandle(HANDLE source_handle, + DWORD target_process_id, + HANDLE* target_handle, + DWORD desired_access, + DWORD options) override; ++ ResultCode GetComplexLineBreaks(const WCHAR* text, uint32_t length, ++ uint8_t* break_before) final; + + // Factory method. + static TargetServicesBase* GetInstance(); + + // Sends a simple IPC Message that has a well-known answer. Returns true + // if the IPC was successful and false otherwise. There are 2 versions of + // this test: 1 and 2. The first one send a simple message while the + // second one send a message with an in/out param. +diff --git a/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc +--- a/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc ++++ b/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc +@@ -9,16 +9,17 @@ + + #include "base/logging.h" + #include "sandbox/win/src/crosscall_server.h" + #include "sandbox/win/src/filesystem_dispatcher.h" + #include "sandbox/win/src/handle_dispatcher.h" + #include "sandbox/win/src/interception.h" + #include "sandbox/win/src/internal_types.h" + #include "sandbox/win/src/ipc_tags.h" ++#include "sandbox/win/src/line_break_dispatcher.h" + #include "sandbox/win/src/named_pipe_dispatcher.h" + #include "sandbox/win/src/process_mitigations_win32k_dispatcher.h" + #include "sandbox/win/src/process_thread_dispatcher.h" + #include "sandbox/win/src/registry_dispatcher.h" + #include "sandbox/win/src/sandbox_policy_base.h" + #include "sandbox/win/src/signed_dispatcher.h" + #include "sandbox/win/src/sync_dispatcher.h" + +@@ -90,16 +91,20 @@ TopLevelDispatcher::TopLevelDispatcher(P + IpcTag::GDI_GETSUGGESTEDOPMPROTECTEDOUTPUTARRAYSIZE)] = dispatcher; + ipc_targets_[static_cast( + IpcTag::GDI_SETOPMSIGNINGKEYANDSEQUENCENUMBERS)] = dispatcher; + process_mitigations_win32k_dispatcher_.reset(dispatcher); + + 
dispatcher = new SignedDispatcher(policy_); + ipc_targets_[static_cast(IpcTag::NTCREATESECTION)] = dispatcher; + signed_dispatcher_.reset(dispatcher); ++ ++ dispatcher = new LineBreakDispatcher(policy_); ++ ipc_targets_[static_cast(IpcTag::GETCOMPLEXLINEBREAKS)] = dispatcher; ++ line_break_dispatcher_.reset(dispatcher); + } + + TopLevelDispatcher::~TopLevelDispatcher() {} + + // When an IPC is ready in any of the targets we get called. We manage an array + // of IPC dispatchers which are keyed on the IPC tag so we normally delegate + // to the appropriate dispatcher unless we can handle the IPC call ourselves. + Dispatcher* TopLevelDispatcher::OnMessageReady(IPCParams* ipc, +diff --git a/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.h b/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.h +--- a/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.h ++++ b/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.h +@@ -38,16 +38,17 @@ class TopLevelDispatcher : public Dispat + std::unique_ptr filesystem_dispatcher_; + std::unique_ptr named_pipe_dispatcher_; + std::unique_ptr thread_process_dispatcher_; + std::unique_ptr sync_dispatcher_; + std::unique_ptr registry_dispatcher_; + std::unique_ptr handle_dispatcher_; + std::unique_ptr process_mitigations_win32k_dispatcher_; + std::unique_ptr signed_dispatcher_; ++ std::unique_ptr line_break_dispatcher_; + Dispatcher* ipc_targets_[kMaxIpcTag]; + + DISALLOW_COPY_AND_ASSIGN(TopLevelDispatcher); + }; + + } // namespace sandbox + + #endif // SANDBOX_SRC_TOP_LEVEL_DISPATCHER_H__ diff --git a/security/sandbox/chromium-shim/patches/with_update/derive_sid_from_name.patch b/security/sandbox/chromium-shim/patches/with_update/derive_sid_from_name.patch new file mode 100644 index 0000000000..e798262861 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/derive_sid_from_name.patch 
@@ -0,0 +1,74 @@ +# HG changeset patch +# User Bob Owen +# Date 1677499923 0 +# Mon Feb 27 12:12:03 2023 +0000 +Expose Sid::FromNamedCapability through broker services. + +diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.cc b/security/sandbox/chromium/sandbox/win/src/broker_services.cc +--- a/security/sandbox/chromium/sandbox/win/src/broker_services.cc ++++ b/security/sandbox/chromium/sandbox/win/src/broker_services.cc +@@ -730,9 +730,16 @@ ResultCode BrokerServicesBase::GetPolicy + return SBOX_ERROR_GENERIC; + } + + // Ownership has passed to tracker thread. + receiver.release(); + return SBOX_ALL_OK; + } + ++bool BrokerServicesBase::DeriveCapabilitySidFromName(const wchar_t* name, ++ PSID derived_sid, ++ DWORD sid_buffer_length) { ++ return ::CopySid(sid_buffer_length, derived_sid, ++ Sid::FromNamedCapability(name).GetPSID()); ++} ++ + } // namespace sandbox +diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.h b/security/sandbox/chromium/sandbox/win/src/broker_services.h +--- a/security/sandbox/chromium/sandbox/win/src/broker_services.h ++++ b/security/sandbox/chromium/sandbox/win/src/broker_services.h +@@ -57,16 +57,19 @@ class BrokerServicesBase final : public + // target processes. We use this method for the specific purpose of + // checking if we can safely duplicate a handle to the supplied process + // in DuplicateHandleProxyAction. + bool IsSafeDuplicationTarget(DWORD process_id); + + ResultCode GetPolicyDiagnostics( + std::unique_ptr receiver) override; + ++ bool DeriveCapabilitySidFromName(const wchar_t* name, PSID derived_sid, ++ DWORD sid_buffer_length) override; ++ + private: + // The routine that the worker thread executes. It is in charge of + // notifications and cleanup-related tasks. + static DWORD WINAPI TargetEventsThread(PVOID param); + + // The completion port used by the job objects to communicate events to + // the worker thread. 
+ base::win::ScopedHandle job_port_; +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sandbox/chromium/sandbox/win/src/sandbox.h +--- a/security/sandbox/chromium/sandbox/win/src/sandbox.h ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox.h +@@ -117,16 +117,21 @@ class BrokerServices { + // called to accept the results of the call. + // Returns: + // ALL_OK if the request was dispatched. All other return values + // imply failure, and the responder will not receive its completion + // callback. + virtual ResultCode GetPolicyDiagnostics( + std::unique_ptr receiver) = 0; + ++ // Derive a capability PSID from the given string. ++ virtual bool DeriveCapabilitySidFromName(const wchar_t* name, ++ PSID derived_sid, ++ DWORD sid_buffer_length) = 0; ++ + protected: + ~BrokerServices() {} + }; + + // TargetServices models the current process from the perspective + // of a target process. To obtain a pointer to it use + // Sandbox::GetTargetServices(). Note that this call returns a non-null + // pointer only if this process is in fact a target. A process is a target diff --git a/security/sandbox/chromium-shim/patches/with_update/ifdef_out_AppContainerProfileBase_testing_functions.patch b/security/sandbox/chromium-shim/patches/with_update/ifdef_out_AppContainerProfileBase_testing_functions.patch new file mode 100644 index 0000000000..325d23cc19 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/ifdef_out_AppContainerProfileBase_testing_functions.patch 
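Review bot: `DeriveCapabilitySidFromName` in broker_services.cc hands `sid_buffer_length` straight to `::CopySid`, so it is a byte count and the function returns false when the caller's buffer is smaller than the derived SID, yet neither the implementation nor the new `BrokerServices` declaration in sandbox.h says so. The one-line comment `// Derive a capability PSID from the given string.` should spell out the contract, e.g. `// Copies the capability SID derived from |name| into |derived_sid|, a caller-owned buffer of |sid_buffer_length| bytes (SECURITY_MAX_SID_SIZE always suffices); returns false if the buffer is too small.` What `Sid::FromNamedCapability` yields for an unrecognised name, and what `CopySid` then does with it, is not visible in this hunk and deserves a sentence in the same comment once confirmed.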
@@ -0,0 +1,79 @@ +# HG changeset patch +# User Bob Owen +# Date 1560259052 -3600 +# Tue Jun 11 14:17:32 2019 +0100 +# Node ID ca1bafe49015cb6625648274f32959e4160a6ce9 +# Parent 3ec022faaf83642e3c1894d83ff99926bada990c +Hash if out testing functions that cause dependency creep. r=aklotz + +diff --git a/security/sandbox/chromium/sandbox/win/src/app_container_profile_base.cc b/security/sandbox/chromium/sandbox/win/src/app_container_profile_base.cc +--- a/security/sandbox/chromium/sandbox/win/src/app_container_profile_base.cc ++++ b/security/sandbox/chromium/sandbox/win/src/app_container_profile_base.cc +@@ -3,17 +3,19 @@ + // found in the LICENSE file. + + #include + + #include + #include + + #include "base/strings/stringprintf.h" ++#if !defined(MOZ_SANDBOX) + #include "base/win/scoped_co_mem.h" ++#endif + #include "base/win/scoped_handle.h" + #include "sandbox/win/src/app_container_profile_base.h" + #include "sandbox/win/src/restricted_token_utils.h" + #include "sandbox/win/src/win_utils.h" + + namespace sandbox { + + namespace { +@@ -167,39 +169,47 @@ bool AppContainerProfileBase::GetRegistr + HKEY key_handle; + if (FAILED(get_app_container_registry_location(desired_access, &key_handle))) + return false; + key->Set(key_handle); + return true; + } + + bool AppContainerProfileBase::GetFolderPath(base::FilePath* file_path) { ++#if defined(MOZ_SANDBOX) ++ IMMEDIATE_CRASH(); ++#else + static GetAppContainerFolderPathFunc* get_app_container_folder_path = + reinterpret_cast(GetProcAddress( + GetModuleHandle(L"userenv"), "GetAppContainerFolderPath")); + if (!get_app_container_folder_path) + return false; + std::wstring sddl_str; + if (!package_sid_.ToSddlString(&sddl_str)) + return false; + base::win::ScopedCoMem path_str; + if (FAILED(get_app_container_folder_path(sddl_str.c_str(), &path_str))) + return false; + *file_path = base::FilePath(path_str.get()); + return true; ++#endif + } + + bool AppContainerProfileBase::GetPipePath(const wchar_t* pipe_name, + base::FilePath* 
pipe_path) { ++#if defined(MOZ_SANDBOX) ++ IMMEDIATE_CRASH(); ++#else + std::wstring sddl_str; + if (!package_sid_.ToSddlString(&sddl_str)) + return false; + *pipe_path = base::FilePath(base::StringPrintf(L"\\\\.\\pipe\\%ls\\%ls", + sddl_str.c_str(), pipe_name)); + return true; ++#endif + } + + bool AppContainerProfileBase::AccessCheck(const wchar_t* object_name, + SE_OBJECT_TYPE object_type, + DWORD desired_access, + DWORD* granted_access, + BOOL* access_status) { + GENERIC_MAPPING generic_mapping; diff --git a/security/sandbox/chromium-shim/patches/with_update/ifdef_out_FromStringInternal.patch b/security/sandbox/chromium-shim/patches/with_update/ifdef_out_FromStringInternal.patch new file mode 100644 index 0000000000..411d896570 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/ifdef_out_FromStringInternal.patch 
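Review bot: The `#if defined(MOZ_SANDBOX)` branches added to `GetFolderPath` and `GetPipePath` leave each function without a `return` after `IMMEDIATE_CRASH()`, which is only well-formed if that macro is treated as noreturn by every toolchain this series targets (MinGW included); that is not visible here and worth confirming. The stubs also carry no comment saying why they crash instead of returning false, so a later reader may take them for unfinished code. A one-line comment before each `IMMEDIATE_CRASH()`, `// Not reachable in the Mozilla sandbox; stubbed out to avoid the userenv/ScopedCoMem dependency.`, states the intent. The first function in the hunk (`GetRegistr...`) starts before the hunk begins.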
@@ -0,0 +1,52 @@ +# HG changeset patch +# User Bob Owen +# Date 1509027042 -3600 +# Thu Oct 26 15:10:42 2017 +0100 +# Node ID 34b1e1189bcbb3b8ecbfc4c9decc1c6dfc46c1e6 +# Parent c3dc5b64a97fe0526ab8826bdcb47740592472b7 +Don't compile base::Time::FromStringInternal. r=aklotz + +This has a dependency on nspr, which causes issues. + +Originally landed in changeset: +https://hg.mozilla.org/mozilla-central/rev/477b991bf6fa7b4511768649c9bf37c7275d30d9 + +diff --git a/security/sandbox/chromium/base/time/time.cc b/security/sandbox/chromium/base/time/time.cc +--- a/security/sandbox/chromium/base/time/time.cc ++++ b/security/sandbox/chromium/base/time/time.cc +@@ -281,16 +281,17 @@ Time Time::Midnight(bool is_local) const + if (FromExploded(is_local, exploded, &out_time)) + return out_time; + } + // This function must not fail. + NOTREACHED(); + return Time(); + } + ++#if !defined(MOZ_SANDBOX) + // static + bool Time::FromStringInternal(const char* time_string, + bool is_local, + Time* parsed_time) { + DCHECK((time_string != nullptr) && (parsed_time != nullptr)); + + if (time_string[0] == '\0') + return false; +@@ -301,16 +302,17 @@ bool Time::FromStringInternal(const char + &result_time); + if (PR_SUCCESS != result) + return false; + + result_time += kTimeTToMicrosecondsOffset; + *parsed_time = Time(result_time); + return true; + } ++#endif + + // static + bool Time::ExplodedMostlyEquals(const Exploded& lhs, const Exploded& rhs) { + return lhs.year == rhs.year && lhs.month == rhs.month && + lhs.day_of_month == rhs.day_of_month && lhs.hour == rhs.hour && + lhs.minute == rhs.minute && lhs.second == rhs.second && + lhs.millisecond == rhs.millisecond; + } diff --git a/security/sandbox/chromium-shim/patches/with_update/ifdef_out_SequenceChecker_code.patch b/security/sandbox/chromium-shim/patches/with_update/ifdef_out_SequenceChecker_code.patch new file mode 100644 index 0000000000..62216e9af7 --- /dev/null 
+++ b/security/sandbox/chromium-shim/patches/with_update/ifdef_out_SequenceChecker_code.patch @@ -0,0 +1,36 @@ +# HG changeset patch +# User Bob Owen +# Date 1509027043 -3600 +# Thu Oct 26 15:10:43 2017 +0100 +# Node ID cbe274e5b95c1c207597a0fbb4a80905d6d4dacc +# Parent bbbba04e693f3819bcb6dd70ea27d3cab194e4cb +This removes sequence checking on RefCountedBase in DEBUG builds. r=aklotz + +We don't currently make use of it and it brings in many dependencies. + +diff --git a/security/sandbox/chromium/base/memory/ref_counted.cc b/security/sandbox/chromium/base/memory/ref_counted.cc +--- a/security/sandbox/chromium/base/memory/ref_counted.cc ++++ b/security/sandbox/chromium/base/memory/ref_counted.cc +@@ -53,18 +53,22 @@ bool RefCountedThreadSafeBase::Release() + } + void RefCountedThreadSafeBase::AddRefWithCheck() const { + AddRefWithCheckImpl(); + } + #endif + + #if DCHECK_IS_ON() + bool RefCountedBase::CalledOnValidSequence() const { ++#if defined(MOZ_SANDBOX) ++ return true; ++#else + return sequence_checker_.CalledOnValidSequence() || + g_cross_thread_ref_count_access_allow_count.load() != 0; ++#endif + } + #endif + + } // namespace subtle + + #if DCHECK_IS_ON() + ScopedAllowCrossThreadRefCountAccess::ScopedAllowCrossThreadRefCountAccess() { + ++g_cross_thread_ref_count_access_allow_count; diff --git a/security/sandbox/chromium-shim/patches/with_update/include_atomic_header_in_platform_thread.patch b/security/sandbox/chromium-shim/patches/with_update/include_atomic_header_in_platform_thread.patch new file mode 100644 index 0000000000..e088e99680 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/include_atomic_header_in_platform_thread.patch 
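Review bot: The `return true;` inserted into `RefCountedBase::CalledOnValidSequence` turns off the only DCHECK-time detection of a non-thread-safe `RefCountedBase` object being touched from more than one thread, and nothing in ref_counted.cc records that. A reader who later sees a sequence checker that never fails will not know the check was deliberately compiled out; suggest `// MOZ_SANDBOX: sequence checking is compiled out to avoid its dependencies, so cross-thread use of RefCountedBase is NOT detected in DEBUG builds; use RefCountedThreadSafe where that matters.` above the `return true;`. The commit message says the check is currently unused, so the note is about keeping that assumption visible rather than about present code.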
@@ -0,0 +1,27 @@ +# HG changeset patch +# User Bob Owen +# Date 1560260570 -3600 +# Tue Jun 11 14:42:50 2019 +0100 +# Node ID 7baa38185938e45ab128ec3975ae139753c8ad67 +# Parent cb568f9b29f8c2c84c72c49b7a565d8081929f04 +Bug 1552160: Fix missing atomic include in chromium platform_thread.cc. r=jld + +diff --git a/security/sandbox/chromium/base/threading/platform_thread.cc b/security/sandbox/chromium/base/threading/platform_thread.cc +--- a/security/sandbox/chromium/base/threading/platform_thread.cc ++++ b/security/sandbox/chromium/base/threading/platform_thread.cc +@@ -1,14 +1,15 @@ + // Copyright 2018 The Chromium Authors. All rights reserved. + // Use of this source code is governed by a BSD-style license that can be + // found in the LICENSE file. + + #include "base/threading/platform_thread.h" + ++#include + #include + + #include "base/feature_list.h" + + namespace base { + + namespace { + diff --git a/security/sandbox/chromium-shim/patches/with_update/lower_SDK_version_requirement.patch b/security/sandbox/chromium-shim/patches/with_update/lower_SDK_version_requirement.patch new file mode 100644 index 0000000000..185e128d83 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/lower_SDK_version_requirement.patch 
@@ -0,0 +1,34 @@ +# HG changeset patch +# User Toshihito Kikuchi +# Date 1588735588 25200 +# Tue May 05 20:26:28 2020 -0700 +# Node ID 8214c0253f550d73b5e79dfd825b09f5c1a06fbd +# Parent 2d5ee142bde533ba4f93afaae081a444eac0abe2 +Lower SDK version requirement from 19H1 to RS4. r=bobowen + +We still use 10.0.17134.0 SDK while Chromium requires 10.0.18362.0 or higher. + +diff --git a/security/sandbox/chromium/base/win/windows_version.cc b/security/sandbox/chromium/base/win/windows_version.cc +--- a/security/sandbox/chromium/base/win/windows_version.cc ++++ b/security/sandbox/chromium/base/win/windows_version.cc +@@ -17,18 +17,18 @@ + #include "base/strings/string_util.h" + #include "base/strings/utf_string_conversions.h" + #include "base/win/registry.h" + + #if !defined(__clang__) && _MSC_FULL_VER < 191125507 + #error VS 2017 Update 3.2 or higher is required + #endif + +-#if !defined(NTDDI_WIN10_19H1) +-#error Windows 10.0.18362.0 SDK or higher required. ++#if !defined(NTDDI_WIN10_RS4) ++#error Windows 10.0.17134.0 SDK or higher required. + #endif + + namespace base { + namespace win { + + namespace { + + // The values under the CurrentVersion registry hive are mirrored under diff --git a/security/sandbox/chromium-shim/patches/with_update/mingw_capitalization.patch b/security/sandbox/chromium-shim/patches/with_update/mingw_capitalization.patch new file mode 100644 index 0000000000..0c27032307 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/mingw_capitalization.patch 
@@ -0,0 +1,74 @@ +# HG changeset patch +# User Tom Ritter +# Date 1516825559 21600 +# Wed Jan 24 14:25:59 2018 -0600 +# Node ID 9ce534c9f572dfb5abd3e409d9cfec069ccee0cd +# Parent 6413cb580dccd986c61e6dbdc72fc370765b8f10 +Bug 1431797 Correct the capitalization of headers inside the chromium code so MinGW can compile + +diff --git a/security/sandbox/chromium/base/rand_util_win.cc b/security/sandbox/chromium/base/rand_util_win.cc +--- a/security/sandbox/chromium/base/rand_util_win.cc ++++ b/security/sandbox/chromium/base/rand_util_win.cc +@@ -7,17 +7,17 @@ + #include + #include + #include + + // #define needed to link in RtlGenRandom(), a.k.a. SystemFunction036. See the + // "Community Additions" comment on MSDN here: + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa387694.aspx + #define SystemFunction036 NTAPI SystemFunction036 +-#include ++#include + #undef SystemFunction036 + + #include + #include + + #include "base/logging.h" + + namespace base { +diff --git a/security/sandbox/chromium/base/win/pe_image.h b/security/sandbox/chromium/base/win/pe_image.h +--- a/security/sandbox/chromium/base/win/pe_image.h ++++ b/security/sandbox/chromium/base/win/pe_image.h +@@ -14,17 +14,17 @@ + #include + + #include + + #if defined(_WIN32_WINNT_WIN8) + // The Windows 8 SDK defines FACILITY_VISUALCPP in winerror.h. + #undef FACILITY_VISUALCPP + #endif +-#include ++#include + + namespace base { + namespace win { + + // This class is a wrapper for the Portable Executable File Format (PE). + // Its main purpose is to provide an easy way to work with imports and exports + // from a file, mapped in memory as image. 
+ class PEImage { +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_rand.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_rand.cc +--- a/security/sandbox/chromium/sandbox/win/src/sandbox_rand.cc ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox_rand.cc +@@ -5,17 +5,17 @@ + #include "sandbox/win/src/sandbox_rand.h" + + #include + + // #define needed to link in RtlGenRandom(), a.k.a. SystemFunction036. See the + // "Community Additions" comment on MSDN here: + // http://msdn.microsoft.com/en-us/library/windows/desktop/aa387694.aspx + #define SystemFunction036 NTAPI SystemFunction036 +-#include ++#include + #undef SystemFunction036 + + namespace sandbox { + + bool GetRandom(unsigned int* random_value) { + return RtlGenRandom(random_value, sizeof(unsigned int)) != false; + } + diff --git a/security/sandbox/chromium-shim/patches/with_update/mingw_cast_getprocaddress.patch b/security/sandbox/chromium-shim/patches/with_update/mingw_cast_getprocaddress.patch new file mode 100644 index 0000000000..1251be114f --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/mingw_cast_getprocaddress.patch 
@@ -0,0 +1,34 @@ +# HG changeset patch +# User Tom Ritter +# Date 1516720544 21600 +# Tue Jan 23 09:15:44 2018 -0600 +# Node ID 2b4556cb7407c196522e52cfd286ee88c3bb6e72 +# Parent 60aa47b111918d4e30f7e363359d1dcc3a3f277d +Bug 1432295 Cast GetProcAddress to (void*) r?bobowen + +error: invalid conversion from 'FARPROC {aka int (__attribute__((__stdcall__)) *)()}' to 'void*' [-fpermissive] + +According to http://stackoverflow.com/questions/13958081/, msvc does the fixup + +diff --git a/security/sandbox/chromium/sandbox/win/src/target_process.cc b/security/sandbox/chromium/sandbox/win/src/target_process.cc +--- a/security/sandbox/chromium/sandbox/win/src/target_process.cc ++++ b/security/sandbox/chromium/sandbox/win/src/target_process.cc +@@ -231,17 +231,17 @@ ResultCode TargetProcess::TransferVariab + + void* child_var = address; + + #if SANDBOX_EXPORTS + HMODULE module = ::LoadLibrary(exe_name_.get()); + if (!module) + return SBOX_ERROR_CANNOT_LOADLIBRARY_EXECUTABLE; + +- child_var = ::GetProcAddress(module, name); ++ child_var = reinterpret_cast(::GetProcAddress(module, name)); + ::FreeLibrary(module); + + if (!child_var) + return SBOX_ERROR_CANNOT_FIND_VARIABLE_ADDRESS; + + size_t offset = + reinterpret_cast(child_var) - reinterpret_cast(module); + child_var = reinterpret_cast(MainModule()) + offset; diff --git a/security/sandbox/chromium-shim/patches/with_update/mingw_copy_s.patch b/security/sandbox/chromium-shim/patches/with_update/mingw_copy_s.patch new file mode 100644 index 0000000000..12e62e8b15 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/mingw_copy_s.patch 
@@ -0,0 +1,34 @@ +# HG changeset patch +# User Tom Ritter +# Date 1516394893 21600 +# Fri Jan 19 14:48:13 2018 -0600 +# Node ID bd0817bb5b0c5681c4c49817363e6ddd6efac82c +# Parent c64ea5b2e26b203eff2f0b9d85fef99ae3a094f9 +Bug 1431825 Map _Copy_s to copy for basic_string compatibility on MinGW r?bobowen + +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_types.h b/security/sandbox/chromium/sandbox/win/src/sandbox_types.h +--- a/security/sandbox/chromium/sandbox/win/src/sandbox_types.h ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox_types.h +@@ -5,16 +5,22 @@ + #ifndef SANDBOX_WIN_SRC_SANDBOX_TYPES_H_ + #define SANDBOX_WIN_SRC_SANDBOX_TYPES_H_ + + #include "base/process/kill.h" + #include "base/process/launch.h" + + namespace sandbox { + ++#ifdef __MINGW32__ ++// Map Microsoft's proprietary more-safe version of copy() back to ++// the std::basic_string method ++#define _Copy_s copy ++#endif ++ + // Operation result codes returned by the sandbox API. + // + // Note: These codes are listed in a histogram and any new codes should be added + // at the end. If the underlying type is changed then the forward declaration in + // sandbox_init.h must be updated. + // + enum ResultCode : int { + SBOX_ALL_OK = 0, diff --git a/security/sandbox/chromium-shim/patches/with_update/mingw_disable_one_try.patch b/security/sandbox/chromium-shim/patches/with_update/mingw_disable_one_try.patch new file mode 100644 index 0000000000..d5b700ea8f --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/mingw_disable_one_try.patch 
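Review bot: `#define _Copy_s copy` in sandbox_types.h substitutes the method name only, but the two methods do not take the same arguments: MSVC's `basic_string::_Copy_s(dest, dest_size, count, pos = 0)` has a destination-size argument that `basic_string::copy(dest, count, pos = 0)` lacks. A call of the form `s._Copy_s(buf, buf_size, n)` therefore compiles on MinGW as `s.copy(buf, buf_size, n)`, copying `buf_size` characters starting at offset `n`, and the bounds check `_Copy_s` provided is silently lost rather than replaced; a four-argument call would fail to compile instead. Because this header is widely included, every `_Copy_s` call site it reaches should be audited; if all of them use the three-argument form, a function-like macro such as `#define _Copy_s(dest, dest_size, count) copy((dest), (count))` keeps the original meaning (still without the size check), and the comment above it should say which form it supports.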
@@ -0,0 +1,51 @@ +# HG changeset patch +# User Tom Ritter +# Date 1516389982 21600 +# Fri Jan 19 13:26:22 2018 -0600 +# Node ID 3ca7306d73ebc1ce47ccdc62ee8cbb69a9bfbb2c +# Parent 6aa6c7d894609140ccde2e9e50eba8c25a9caeb5 +Bug 1431803 Disable a specific __try block on MinGW r?bobowen + +This function is a technique to name a thread for debugging purposes, +and it always throws an exception (and then continues). On MinGW +we don't want it to throw an exception, so we do nothing. + +This means on MinGW we won't get nice thread naming during debugging, +but we'll limp along. + +MozReview-Commit-ID: JRKY4wp7sdu + +diff --git a/security/sandbox/chromium/base/threading/platform_thread_win.cc b/security/sandbox/chromium/base/threading/platform_thread_win.cc +--- a/security/sandbox/chromium/base/threading/platform_thread_win.cc ++++ b/security/sandbox/chromium/base/threading/platform_thread_win.cc +@@ -32,27 +32,30 @@ typedef struct tagTHREADNAME_INFO { + } THREADNAME_INFO; + + // The SetThreadDescription API was brought in version 1607 of Windows 10. + typedef HRESULT(WINAPI* SetThreadDescription)(HANDLE hThread, + PCWSTR lpThreadDescription); + + // This function has try handling, so it is separated out of its caller. + void SetNameInternal(PlatformThreadId thread_id, const char* name) { ++ //This function is only used for debugging purposes, as you can find by its caller ++#ifndef __MINGW32__ + THREADNAME_INFO info; + info.dwType = 0x1000; + info.szName = name; + info.dwThreadID = thread_id; + info.dwFlags = 0; + + __try { + RaiseException(kVCThreadNameException, 0, sizeof(info)/sizeof(DWORD), + reinterpret_cast(&info)); + } __except(EXCEPTION_CONTINUE_EXECUTION) { + } ++#endif + } + + struct ThreadParams { + PlatformThread::Delegate* delegate; + bool joinable; + ThreadPriority priority; + }; + 
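Review bot: With the whole body of `SetNameInternal` compiled out under `__MINGW32__`, `thread_id` and `name` become unused parameters, which `-Wunused-parameter` will flag on exactly the MinGW build this patch exists for; `(void)thread_id; (void)name;` in an `#else` branch keeps that build clean. The added comment also needs a space after `//` and reads better as a statement of why the block is disabled, e.g. `// Debug-only thread naming via the VC++ naming exception; disabled on MinGW, which must not raise this exception (bug 1431803).`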
diff --git a/security/sandbox/chromium-shim/patches/with_update/mingw_missing_windows_types_defines.patch b/security/sandbox/chromium-shim/patches/with_update/mingw_missing_windows_types_defines.patch new file mode 100644 index 0000000000..30220a0660 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/mingw_missing_windows_types_defines.patch @@ -0,0 +1,37 @@ +# HG changeset patch +# User Bob Owen +# Date 1558294860 -3600 +# Sun May 19 20:41:00 2019 +0100 +# Node ID 331daa6926b2d495959a0aebbf034958a9bc1e2a +# Parent e71e4e7a914c2d2515bf84be6ad045febabb6dfc +Bug 1552160: Add missing defines from concurrencysal.h and specstrings.h in windows_type.h on MinGW. + +diff --git a/security/sandbox/chromium/base/win/windows_types.h b/security/sandbox/chromium/base/win/windows_types.h +--- a/security/sandbox/chromium/base/win/windows_types.h ++++ b/security/sandbox/chromium/base/win/windows_types.h +@@ -4,17 +4,25 @@ + + // This file contains defines and typedefs that allow popular Windows types to + // be used without the overhead of including windows.h. + + #ifndef BASE_WIN_WINDOWS_TYPES_H + #define BASE_WIN_WINDOWS_TYPES_H + + // Needed for function prototypes. ++#if defined(__MINGW32__) ++// MinGW doesn't have this file yet, but we only need this define. ++// Bug 1552706 tracks removing this and the one below. ++#define _Releases_exclusive_lock_(lock) ++// MinGW doesn't appear to have this in specstrings.h either. ++#define _Post_equals_last_error_ ++#else + #include ++#endif + #include + #include + + #ifdef __cplusplus + extern "C" { + #endif + + // typedef and define the most commonly used Windows integer types. diff --git a/security/sandbox/chromium-shim/patches/with_update/mingw_offsetof.patch b/security/sandbox/chromium-shim/patches/with_update/mingw_offsetof.patch new file mode 100644 index 0000000000..89072da69b --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/mingw_offsetof.patch 
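Review bot: The two `#define`s added to windows_types.h under `__MINGW32__` are unconditional, so once a MinGW release ships concurrencysal.h/specstrings.h with these SAL annotations (the situation bug 1552706 is waiting for) and such a header is included before this one, the macros get redefined with a different body, which GCC reports as a warning and `-Werror` turns into an error. Wrapping each in `#ifndef _Releases_exclusive_lock_` / `#ifndef _Post_equals_last_error_` lets the shim drop out automatically when the toolchain provides them, with no follow-up patch needed.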
@@ -0,0 +1,182 @@ +# HG changeset patch +# User Tom Ritter +# Date 1528394907 18000 +# Thu Jun 07 13:08:27 2018 -0500 +# Node ID ffb6c5c06905538fb887464e9553e7b47cdf7575 +# Parent 1987e062f1e5bf2998bb8e9d96353c5ccb0cc281 +Bug 1461421 Use OffsetOf to calculate the location of parameters_ rather than making assumptions about the parent class r?bobowen + +MozReview-Commit-ID: D7REZiAIMpN + +diff --git a/security/sandbox/chromium/sandbox/win/src/crosscall_params.h b/security/sandbox/chromium/sandbox/win/src/crosscall_params.h +--- a/security/sandbox/chromium/sandbox/win/src/crosscall_params.h ++++ b/security/sandbox/chromium/sandbox/win/src/crosscall_params.h +@@ -78,16 +78,17 @@ union MultiType { + ULONG_PTR ulong_ptr; + }; + + // Maximum number of IPC parameters currently supported. + // To increase this value, we have to: + // - Add another Callback typedef to Dispatcher. + // - Add another case to the switch on SharedMemIPCServer::InvokeCallback. + // - Add another case to the switch in GetActualAndMaxBufferSize ++// - Add another case to the switch in GetMinDeclaredActualCallParamsSize + const int kMaxIpcParams = 9; + + // Contains the information about a parameter in the ipc buffer. 
+ struct ParamInfo { + ArgType type_; + uint32_t offset_; + uint32_t size_; + }; +@@ -287,16 +288,18 @@ class ActualCallParams : public CrossCal + protected: + ActualCallParams() : CrossCallParams(IpcTag::UNUSED, NUMBER_PARAMS) {} + + private: + ParamInfo param_info_[NUMBER_PARAMS + 1]; + char parameters_[BLOCK_SIZE - sizeof(CrossCallParams) - + sizeof(ParamInfo) * (NUMBER_PARAMS + 1)]; + DISALLOW_COPY_AND_ASSIGN(ActualCallParams); ++ ++ friend uint32_t GetMinDeclaredActualCallParamsSize(uint32_t param_count); + }; + + static_assert(sizeof(ActualCallParams<1, 1024>) == 1024, "bad size buffer"); + static_assert(sizeof(ActualCallParams<2, 1024>) == 1024, "bad size buffer"); + static_assert(sizeof(ActualCallParams<3, 1024>) == 1024, "bad size buffer"); + + } // namespace sandbox + +diff --git a/security/sandbox/chromium/sandbox/win/src/crosscall_server.cc b/security/sandbox/chromium/sandbox/win/src/crosscall_server.cc +--- a/security/sandbox/chromium/sandbox/win/src/crosscall_server.cc ++++ b/security/sandbox/chromium/sandbox/win/src/crosscall_server.cc +@@ -28,30 +28,31 @@ namespace { + + // The buffer for a message must match the max channel size. + const size_t kMaxBufferSize = sandbox::kIPCChannelSize; + + } // namespace + + namespace sandbox { + ++// The template types are used to calculate the maximum expected size. ++typedef ActualCallParams<0, kMaxBufferSize> ActualCP0; ++typedef ActualCallParams<1, kMaxBufferSize> ActualCP1; ++typedef ActualCallParams<2, kMaxBufferSize> ActualCP2; ++typedef ActualCallParams<3, kMaxBufferSize> ActualCP3; ++typedef ActualCallParams<4, kMaxBufferSize> ActualCP4; ++typedef ActualCallParams<5, kMaxBufferSize> ActualCP5; ++typedef ActualCallParams<6, kMaxBufferSize> ActualCP6; ++typedef ActualCallParams<7, kMaxBufferSize> ActualCP7; ++typedef ActualCallParams<8, kMaxBufferSize> ActualCP8; ++typedef ActualCallParams<9, kMaxBufferSize> ActualCP9; ++ + // Returns the actual size for the parameters in an IPC buffer. 
Returns + // zero if the |param_count| is zero or too big. + uint32_t GetActualBufferSize(uint32_t param_count, void* buffer_base) { +- // The template types are used to calculate the maximum expected size. +- typedef ActualCallParams<1, kMaxBufferSize> ActualCP1; +- typedef ActualCallParams<2, kMaxBufferSize> ActualCP2; +- typedef ActualCallParams<3, kMaxBufferSize> ActualCP3; +- typedef ActualCallParams<4, kMaxBufferSize> ActualCP4; +- typedef ActualCallParams<5, kMaxBufferSize> ActualCP5; +- typedef ActualCallParams<6, kMaxBufferSize> ActualCP6; +- typedef ActualCallParams<7, kMaxBufferSize> ActualCP7; +- typedef ActualCallParams<8, kMaxBufferSize> ActualCP8; +- typedef ActualCallParams<9, kMaxBufferSize> ActualCP9; +- + // Retrieve the actual size and the maximum size of the params buffer. + switch (param_count) { + case 0: + return 0; + case 1: + return reinterpret_cast(buffer_base)->GetSize(); + case 2: + return reinterpret_cast(buffer_base)->GetSize(); +@@ -69,16 +70,45 @@ uint32_t GetActualBufferSize(uint32_t pa + return reinterpret_cast(buffer_base)->GetSize(); + case 9: + return reinterpret_cast(buffer_base)->GetSize(); + default: + return 0; + } + } + ++// Returns the minimum size for the parameters in an IPC buffer. Returns ++// zero if the |param_count| is less than zero or too big. 
++uint32_t GetMinDeclaredActualCallParamsSize(uint32_t param_count) { ++ switch (param_count) { ++ case 0: ++ return offsetof(ActualCP0, parameters_); ++ case 1: ++ return offsetof(ActualCP1, parameters_); ++ case 2: ++ return offsetof(ActualCP2, parameters_); ++ case 3: ++ return offsetof(ActualCP3, parameters_); ++ case 4: ++ return offsetof(ActualCP4, parameters_); ++ case 5: ++ return offsetof(ActualCP5, parameters_); ++ case 6: ++ return offsetof(ActualCP6, parameters_); ++ case 7: ++ return offsetof(ActualCP7, parameters_); ++ case 8: ++ return offsetof(ActualCP8, parameters_); ++ case 9: ++ return offsetof(ActualCP9, parameters_); ++ default: ++ return 0; ++ } ++} ++ + // Verifies that the declared sizes of an IPC buffer are within range. + bool IsSizeWithinRange(uint32_t buffer_size, + uint32_t min_declared_size, + uint32_t declared_size) { + if ((buffer_size < min_declared_size) || + (sizeof(CrossCallParamsEx) > min_declared_size)) { + // Minimal computed size bigger than existing buffer or param_count + // integer overflow. +@@ -133,18 +163,17 @@ CrossCallParamsEx* CrossCallParamsEx::Cr + // will catch memory access violations so we don't crash. + __try { + CrossCallParams* call_params = + reinterpret_cast(buffer_base); + + // Check against the minimum size given the number of stated params + // if too small we bail out. + param_count = call_params->GetParamsCount(); +- min_declared_size = +- sizeof(CrossCallParams) + ((param_count + 1) * sizeof(ParamInfo)); ++ min_declared_size = GetMinDeclaredActualCallParamsSize(param_count); + + // Initial check for the buffer being big enough to determine the actual + // buffer size. + if (buffer_size < min_declared_size) + return nullptr; + + // Retrieve the declared size which if it fails returns 0. 
+ declared_size = GetActualBufferSize(param_count, buffer_base); +@@ -158,18 +187,17 @@ CrossCallParamsEx* CrossCallParamsEx::Cr + copied_params = reinterpret_cast(backing_mem); + memcpy(backing_mem, call_params, declared_size); + + // Avoid compiler optimizations across this point. Any value stored in + // memory should be stored for real, and values previously read from memory + // should be actually read. + std::atomic_thread_fence(std::memory_order_seq_cst); + +- min_declared_size = +- sizeof(CrossCallParams) + ((param_count + 1) * sizeof(ParamInfo)); ++ min_declared_size = GetMinDeclaredActualCallParamsSize(param_count); + + // Check that the copied buffer is still valid. + if (copied_params->GetParamsCount() != param_count || + GetActualBufferSize(param_count, backing_mem) != declared_size || + !IsSizeWithinRange(buffer_size, min_declared_size, declared_size)) { + delete[] backing_mem; + return nullptr; + } diff --git a/security/sandbox/chromium-shim/patches/with_update/mingw_operator_new.patch b/security/sandbox/chromium-shim/patches/with_update/mingw_operator_new.patch new file mode 100644 index 0000000000..ab223901ed --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/mingw_operator_new.patch 
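Review bot: GetMinDeclaredActualCallParamsSize returns 0 for a `param_count` above the supported range, and at the first call site in the CrossCallParamsEx factory the check that follows, `if (buffer_size < min_declared_size) return nullptr;`, passes trivially for 0, so a count read from the untrusted shared buffer that exceeds kMaxIpcParams is only rejected later by the `sizeof(CrossCallParamsEx) > min_declared_size` test in IsSizeWithinRange (GetActualBufferSize also returns 0 for that case in between). Failing closed at the first site, `if (min_declared_size == 0 || buffer_size < min_declared_size) return nullptr;`, makes the rejection local instead of depending on the later check staying as it is; the enclosing function starts outside the hunk, so confirm nothing between the two sites relies on a nonzero value. The header comment on the new function says "less than zero", which cannot happen for a `uint32_t`; suggest `// Returns zero if |param_count| is greater than kMaxIpcParams.` Separately, `offsetof` on ActualCallParams, which derives from CrossCallParams and has private members and so is not standard-layout, is only conditionally supported and draws `-Winvalid-offsetof` on GCC/Clang unless suppressed, so a comment stating why the layout assumption is acceptable here (or a static_assert pinning it) would document the reliance.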
@@ -0,0 +1,58 @@ +# HG changeset patch +# User Tom Ritter +# Date 1489000606 0 +# Wed Mar 08 19:16:46 2017 +0000 +# Node ID 522c35c24e2a46d97430b5f15e7703bc1c33784c +# Parent a99512c712f6580537e3133e5fd1adc091583e95 +Bug 1230910 Declare operator new [](size_t, sandbox::AllocationType, void*) + +MozReview-Commit-ID: GCKj5Ao2Y2n + +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.cc +--- a/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.cc ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.cc +@@ -663,16 +663,21 @@ void* operator new(size_t size, sandbox: + + // TODO: Returning nullptr from operator new has undefined behavior, but + // the Allocate() functions called above can return nullptr. Consider checking + // for nullptr here and crashing or throwing. + + return result; + } + ++void* operator new [](size_t size, sandbox::AllocationType type, ++ void* near_to) { ++ return operator new(size, type, near_to); ++} ++ + void operator delete(void* memory, sandbox::AllocationType type) { + if (type == sandbox::NT_ALLOC) { + // Use default flags. + VERIFY(sandbox::g_nt.RtlFreeHeap(sandbox::g_heap, 0, memory)); + } else if (type == sandbox::NT_PAGE) { + void* base = memory; + SIZE_T size = 0; + VERIFY_SUCCESS(sandbox::g_nt.FreeVirtualMemory(NtCurrentProcess, &base, +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.h b/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.h +--- a/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.h ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.h +@@ -13,16 +13,19 @@ + #include "base/macros.h" + #include "sandbox/win/src/nt_internals.h" + #include "sandbox/win/src/sandbox_nt_types.h" + + // Placement new and delete to be used from ntdll interception code. 
+ void* __cdecl operator new(size_t size, + sandbox::AllocationType type, + void* near_to = nullptr); ++void* __cdecl operator new[](size_t size, ++ sandbox::AllocationType type, ++ void* near_to = nullptr); + void __cdecl operator delete(void* memory, sandbox::AllocationType type); + // Add operator delete that matches the placement form of the operator new + // above. This is required by compiler to generate code to call operator delete + // in case the object's constructor throws an exception. + // See http://msdn.microsoft.com/en-us/library/cxdxz3x6.aspx + void __cdecl operator delete(void* memory, + sandbox::AllocationType type, + void* near_to); diff --git a/security/sandbox/chromium-shim/patches/with_update/more_chromium_linux_x86_x64_syscalls.patch b/security/sandbox/chromium-shim/patches/with_update/more_chromium_linux_x86_x64_syscalls.patch new file mode 100644 index 0000000000..4b32171d04 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/more_chromium_linux_x86_x64_syscalls.patch 
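Review bot: The new placement `operator new[](size_t, sandbox::AllocationType, void*)` gets no matching placement `operator delete[]`, whereas the scalar form is paired with `operator delete(void*, sandbox::AllocationType, void*)` precisely so the compiler can release the block if a constructor throws; unless a delete[] overload exists outside the hunk, an array allocation whose element constructor throws leaks its memory. Suggest declaring `void __cdecl operator delete[](void* memory, sandbox::AllocationType type);` and `void __cdecl operator delete[](void* memory, sandbox::AllocationType type, void* near_to);` next to the existing deletes and forwarding them to the scalar versions, mirroring how the new `operator new[]` forwards to `operator new`. The definition in sandbox_nt_util.cc also drops the `__cdecl` that the header declaration carries and spells it `operator new []`; matching the header avoids two spellings of the same function. The existing TODO about returning nullptr from operator new being undefined behaviour applies equally to the forwarded array form.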
@@ -0,0 +1,91 @@ +# HG changeset patch +# User Gian-Carlo Pascutto +# Date 1573118511 0 +# Thu Nov 07 09:21:51 2019 +0000 +# Node ID a0be746532f437055e4190cc8db802ad1239405e +# Parent f5df610ae207f14f233874e2f1502c137b4f94ab +Bug 1591117 - Report ENOSYS on statx, but allow membarrier. r=jld + +Differential Revision: https://phabricator.services.mozilla.com/D50623 + +diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h b/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h +--- a/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h ++++ b/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h +@@ -1,13 +1,17 @@ + // Copyright (c) 2012 The Chromium Authors. All rights reserved. + // Use of this source code is governed by a BSD-style license that can be + // found in the LICENSE file. + +-// Generated from the Linux kernel's syscall_64.tbl. ++/* Constructed by running a vim macro over ++ linux-kernel/arch/x86/entry/syscalls/syscall_64.tbl ++ version 39a38bcba4ab6e5285b07675b0e42c96eec35e67 ++ which is close to Linux 5.4. 
++*/ + #ifndef SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_ + #define SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_ + + #if !defined(__x86_64__) + #error "Including header on wrong architecture" + #endif + + #if !defined(__NR_read) +@@ -1345,10 +1349,57 @@ + #if !defined(__NR_io_pgetevents) + #define __NR_io_pgetevents 333 + #endif + + #if !defined(__NR_rseq) + #define __NR_rseq 334 + #endif + ++#if !defined(__NR_pidfd_send_signal) ++#define __NR_pidfd_send_signal 424 ++#endif ++ ++#if !defined(__NR_io_uring_setup) ++#define __NR_io_uring_setup 425 ++#endif ++ ++#if !defined(__NR_io_uring_enter) ++#define __NR_io_uring_enter 426 ++#endif ++ ++#if !defined(__NR_io_uring_register) ++#define __NR_io_uring_register 427 ++#endif ++ ++#if !defined(__NR_open_tree) ++#define __NR_open_tree 428 ++#endif ++ ++#if !defined(__NR_move_mount) ++#define __NR_move_mount 429 ++#endif ++ ++#if !defined(__NR_fsopen) ++#define __NR_fsopen 430 ++#endif ++ ++#if !defined(__NR_fsconfig) ++#define __NR_fsconfig 431 ++#endif ++ ++#if !defined(__NR_fsmount) ++#define __NR_fsmount 432 ++#endif ++ ++#if !defined(__NR_fspick) ++#define __NR_fspick 433 ++#endif ++ ++#if !defined(__NR_pidfd_open) ++#define __NR_pidfd_open 434 ++#endif ++ ++#if !defined(__NR_clone3) ++#define __NR_clone3 435 ++#endif ++ + #endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_ +- diff --git a/security/sandbox/chromium-shim/patches/with_update/patch_order.txt b/security/sandbox/chromium-shim/patches/with_update/patch_order.txt new file mode 100755 index 0000000000..6098ea5c2d --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/patch_order.txt 
@@ -0,0 +1,32 @@ +revert_remove_AddTargetPeer.patch +revert_remove_BrokerDuplicateHandle.patch +replace_ScopedNativeLibrary_in_ApplyMitigationsToCurrentThread.patch +ifdef_out_FromStringInternal.patch +add_option_to_not_use_restricting_sids.patch +ifdef_out_SequenceChecker_code.patch +allow_read_only_all_paths_rule.patch +revert_TargetNtSetInformationThread_change.patch +mingw_copy_s.patch +mingw_operator_new.patch +mingw_cast_getprocaddress.patch +mingw_capitalization.patch +mingw_disable_one_try.patch +mingw_offsetof.patch +allow_env_changes.patch +ifdef_out_AppContainerProfileBase_testing_functions.patch +mingw_missing_windows_types_defines.patch +add_return_in_QueryCancellationTraitsForNonCancellables_to_satisfy_build.patch +include_atomic_header_in_platform_thread.patch +aarch64_control_flow_guard.patch +revert_removal_of_app_dir_for_DLL_load.patch +more_chromium_linux_x86_x64_syscalls.patch +add_support_for_random_restricted_SID.patch +revert_Token_serialization_and_deserialization.patch +remove_unused_functions_from_StrtodTrimmed.patch +remove_extraneous_backslash_introduced_by_clang_tidy.patch +remove_include_delayimp_h_from_pe_image_cc.patch +lower_SDK_version_requirement.patch +add_CET_STRICT_MODE.patch +broker_complex_line_breaks.patch +allow_reparse_points.patch +derive_sid_from_name.patch diff --git a/security/sandbox/chromium-shim/patches/with_update/remove_extraneous_backslash_introduced_by_clang_tidy.patch b/security/sandbox/chromium-shim/patches/with_update/remove_extraneous_backslash_introduced_by_clang_tidy.patch new file mode 100644 index 0000000000..431a5e102c --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/remove_extraneous_backslash_introduced_by_clang_tidy.patch 
@@ -0,0 +1,34 @@ +# HG changeset patch +# User Toshihito Kikuchi +# Date 1588867789 25200 +# Thu May 07 09:09:49 2020 -0700 +# Node ID 29fbfefe6f5f533fb5aa4339015cea4746ad6493 +# Parent 044c15e89ecca19afc1750c439f4e82879679462 +Remove Extraneous Backslash Introduced by clang-tidy in ScopedHandle. r=bobowen + +Need the following commit to compile with Mingw, which has not reached +the stable channel yet. +https://chromium.googlesource.com/chromium/src.git/+/1620fe70c299f1f18b2f2c652d16739f6e3c5f78 + +diff --git a/security/sandbox/chromium/base/win/scoped_handle.h b/security/sandbox/chromium/base/win/scoped_handle.h +--- a/security/sandbox/chromium/base/win/scoped_handle.h ++++ b/security/sandbox/chromium/base/win/scoped_handle.h +@@ -15,17 +15,17 @@ + #include "base/macros.h" + + // TODO(rvargas): remove this with the rest of the verifier. + #if defined(COMPILER_MSVC) + #include + #define BASE_WIN_GET_CALLER _ReturnAddress() + #elif defined(COMPILER_GCC) + #define BASE_WIN_GET_CALLER \ +- __builtin_extract_return_addr(\ __builtin_return_address(0)) ++ __builtin_extract_return_addr(__builtin_return_address(0)) + #endif + + namespace base { + namespace win { + + // Generic wrapper for raw handles that takes care of closing handles + // automatically. The class interface follows the style of + // the ScopedFILE class with two additions: diff --git a/security/sandbox/chromium-shim/patches/with_update/remove_include_delayimp_h_from_pe_image_cc.patch b/security/sandbox/chromium-shim/patches/with_update/remove_include_delayimp_h_from_pe_image_cc.patch new file mode 100644 index 0000000000..4f08f57011 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/remove_include_delayimp_h_from_pe_image_cc.patch 
@@ -0,0 +1,32 @@ +# HG changeset patch +# User Toshihito Kikuchi +# Date 1588871424 25200 +# Thu May 07 10:10:24 2020 -0700 +# Node ID 2d5ee142bde533ba4f93afaae081a444eac0abe2 +# Parent 29fbfefe6f5f533fb5aa4339015cea4746ad6493 +Don't include delayimp.h twice from //base/win/pe_image.cc to compile with Mingw. r=bobowen + +The second include was introduced by +https://chromium.googlesource.com/chromium/src.git/+/5c23d46846111ea16aaf2a9b45355cca5ddbf6d8 + +diff --git a/security/sandbox/chromium/base/win/pe_image.cc b/security/sandbox/chromium/base/win/pe_image.cc +--- a/security/sandbox/chromium/base/win/pe_image.cc ++++ b/security/sandbox/chromium/base/win/pe_image.cc +@@ -2,17 +2,16 @@ + // Use of this source code is governed by a BSD-style license that can be + // found in the LICENSE file. + + // This file implements PEImage, a generic class to manipulate PE files. + // This file was adapted from GreenBorder's Code. + + #include "base/win/pe_image.h" + +-#include + #include + #include + #include + + #include "base/no_destructor.h" + #include "base/win/current_module.h" + + namespace base { diff --git a/security/sandbox/chromium-shim/patches/with_update/remove_unused_functions_from_StrtodTrimmed.patch b/security/sandbox/chromium-shim/patches/with_update/remove_unused_functions_from_StrtodTrimmed.patch new file mode 100644 index 0000000000..a097360ac5 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/remove_unused_functions_from_StrtodTrimmed.patch 
@@ -0,0 +1,48 @@ +# HG changeset patch +# User Toshihito Kikuchi +# Date 1588733379 25200 +# Tue May 05 19:49:39 2020 -0700 +# Node ID 044c15e89ecca19afc1750c439f4e82879679462 +# Parent a18431660425e41c26c716413aac0294987c985a +Remove unused functions from //base/third_party/double_conversion/double-conversion to compile. r=bobowen + +diff --git a/security/sandbox/chromium/base/third_party/double_conversion/double-conversion/strtod.cc b/security/sandbox/chromium/base/third_party/double_conversion/double-conversion/strtod.cc +--- a/security/sandbox/chromium/base/third_party/double_conversion/double-conversion/strtod.cc ++++ b/security/sandbox/chromium/base/third_party/double_conversion/double-conversion/strtod.cc +@@ -445,36 +445,18 @@ static bool ComputeGuess(Vector& buffer) { +- for(int i = 0; i < buffer.length(); ++i) { +- if(!IsDigit(buffer[i])) { +- return false; +- } +- } +- return (buffer.length() == 0) || (IsNonZeroDigit(buffer[0]) && IsNonZeroDigit(buffer[buffer.length()-1])); +-} +- + double StrtodTrimmed(Vector trimmed, int exponent) { + DOUBLE_CONVERSION_ASSERT(trimmed.length() <= kMaxSignificantDecimalDigits); +- DOUBLE_CONVERSION_ASSERT(AssertTrimmedDigits(trimmed)); + double guess; + const bool is_correct = ComputeGuess(trimmed, exponent, &guess); + if (is_correct) { + return guess; + } + DiyFp upper_boundary = Double(guess).UpperBoundary(); + int comparison = CompareBufferWithDiyFp(trimmed, exponent, upper_boundary); + if (comparison < 0) { diff --git a/security/sandbox/chromium-shim/patches/with_update/replace_ScopedNativeLibrary_in_ApplyMitigationsToCurrentThread.patch b/security/sandbox/chromium-shim/patches/with_update/replace_ScopedNativeLibrary_in_ApplyMitigationsToCurrentThread.patch new file mode 100644 index 0000000000..47418009d6 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/replace_ScopedNativeLibrary_in_ApplyMitigationsToCurrentThread.patch 
@@ -0,0 +1,59 @@ +# HG changeset patch +# User Toshihito Kikuchi +# Date 1589672273 25200 +# Sat May 16 16:37:53 2020 -0700 +# Node ID c14ef8304c36fdc2570b77b63b36114cff2d070d +# Parent 90b5f63770f52fab163adaed1d5812b2887b335a +Use GetModuleHandle/GetProcAddress in ApplyMitigationsToCurrentThread. r=bobowen + +This patch removes the use of base::ScopedNativeLibrary from +sandbox::ApplyMitigationsToCurrentThread because to avoid +new dependencies. + +diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc +--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc ++++ b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc +@@ -5,18 +5,16 @@ + #include "sandbox/win/src/process_mitigations.h" + + #include + #include + #include + + #include + +-#include "base/files/file_path.h" +-#include "base/scoped_native_library.h" + #include "base/win/windows_version.h" + #include "build/build_config.h" + #include "sandbox/win/src/nt_internals.h" + #include "sandbox/win/src/restricted_token_utils.h" + #include "sandbox/win/src/sandbox_rand.h" + #include "sandbox/win/src/win_utils.h" + + namespace { +@@ -321,22 +319,19 @@ bool ApplyMitigationsToCurrentThread(Mit + return true; + + // Enable dynamic code per-thread policies. + if (flags & MITIGATION_DYNAMIC_CODE_OPT_OUT_THIS_THREAD) { + DWORD thread_policy = THREAD_DYNAMIC_CODE_ALLOW; + + // NOTE: SetThreadInformation API only exists on >= Win8. Dynamically + // get function handle. 
+- base::ScopedNativeLibrary dll(base::FilePath(L"kernel32.dll")); +- if (!dll.is_valid()) +- return false; + SetThreadInformationFunction set_thread_info_function = +- reinterpret_cast( +- dll.GetFunctionPointer("SetThreadInformation")); ++ reinterpret_cast(::GetProcAddress( ++ ::GetModuleHandleA("kernel32.dll"), "SetThreadInformation")); + if (!set_thread_info_function) + return false; + + // NOTE: Must use the pseudo-handle here, a thread HANDLE won't work. + if (!set_thread_info_function(::GetCurrentThread(), ThreadDynamicCodePolicy, + &thread_policy, sizeof(thread_policy))) { + return false; + } diff --git a/security/sandbox/chromium-shim/patches/with_update/revert_TargetNtSetInformationThread_change.patch b/security/sandbox/chromium-shim/patches/with_update/revert_TargetNtSetInformationThread_change.patch new file mode 100644 index 0000000000..60bb45e3af --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/revert_TargetNtSetInformationThread_change.patch 
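Review bot: The handle returned by `::GetModuleHandleA("kernel32.dll")` is passed straight into `::GetProcAddress` without a check, whereas the removed ScopedNativeLibrary path bailed out on an invalid library; only the resulting function pointer is tested. That is sound in practice because kernel32 is mapped into every Win32 process and cannot be unloaded, but the assumption deserves recording, e.g. `// kernel32.dll is always mapped, so the module handle needs no check.` above the GetProcAddress call. A `GetModuleHandle` lookup also takes no reference on the module, unlike the LoadLibrary-based path it replaces, which is exactly why this shortcut is only appropriate for a module guaranteed to stay loaded. ApplyMitigationsToCurrentThread begins and ends outside this hunk.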
@@ -0,0 +1,39 @@ +# HG changeset patch +# User Bob Owen +# Date 1510058662 0 +# Tue Nov 07 12:44:22 2017 +0000 +# Node ID 5b2b8b6c509a1025ef6d6ba208b093d4c4359186 +# Parent 2c3a28eab0bfcaa5a14771454f83703ae938da6c +Revert commit f7540af7428f4b146136ec19b781886693f8c03f changes to policy_target.cc for causing issues with CoInitializeSecurity. r=aklotz + +diff --git a/security/sandbox/chromium/sandbox/win/src/policy_target.cc b/security/sandbox/chromium/sandbox/win/src/policy_target.cc +--- a/security/sandbox/chromium/sandbox/win/src/policy_target.cc ++++ b/security/sandbox/chromium/sandbox/win/src/policy_target.cc +@@ -78,16 +78,26 @@ NTSTATUS WINAPI TargetNtSetInformationTh + NT_THREAD_INFORMATION_CLASS thread_info_class, + PVOID thread_information, + ULONG thread_information_bytes) { + do { + if (SandboxFactory::GetTargetServices()->GetState()->RevertedToSelf()) + break; + if (ThreadImpersonationToken != thread_info_class) + break; ++ if (!thread_information) ++ break; ++ HANDLE token; ++ if (sizeof(token) > thread_information_bytes) ++ break; ++ ++ NTSTATUS ret = CopyData(&token, thread_information, sizeof(token)); ++ if (!NT_SUCCESS(ret) || NULL != token) ++ break; ++ + // This is a revert to self. + return STATUS_SUCCESS; + } while (false); + + return orig_SetInformationThread( + thread, thread_info_class, thread_information, thread_information_bytes); + } + + // Hooks NtOpenThreadToken to force the open_as_self parameter to be set to diff --git a/security/sandbox/chromium-shim/patches/with_update/revert_Token_serialization_and_deserialization.patch b/security/sandbox/chromium-shim/patches/with_update/revert_Token_serialization_and_deserialization.patch new file mode 100644 index 0000000000..c2d96dda78 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/revert_Token_serialization_and_deserialization.patch 
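Review bot: `HANDLE token;` in TargetNtSetInformationThread is declared uninitialised and compared against `NULL` after CopyData; the short-circuit on `!NT_SUCCESS(ret)` keeps the read safe, but `HANDLE token = nullptr;` and `nullptr != token` make that independence from CopyData explicit and match the `nullptr` style used in the other patched sources in this series (e.g. crosscall_server.cc). The re-added block decides, from the caller-supplied `thread_information` alone, whether the call is a revert-to-self answered locally with STATUS_SUCCESS or forwarded to the original function, and a comment such as `// Only a null impersonation token (revert to self) is handled here; any other token is forwarded unchanged.` would state that contract where the next reader needs it. The reason for the revert (the CoInitializeSecurity issue) lives only in the patch description, so a one-line reference to it at the top of the block would also survive future rebases.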
@@ -0,0 +1,100 @@ +# HG changeset patch +# User Toshihito Kikuchi +# Date 1588530677 25200 +# Sun May 03 11:31:17 2020 -0700 +# Node ID a18431660425e41c26c716413aac0294987c985a +# Parent e149b1937231ccc3c1c07f45acf0e7e71117854f +Revert chromium's ffe1d0eb42d1d75f2b6a3b4145eff69f235a19ee. r=bobowen + +Undoing the following commit as it brings more dependency but unused in our code. +https://chromium.googlesource.com/chromium/src.git/+/ffe1d0eb42d1d75f2b6a3b4145eff69f235a19ee + +diff --git a/security/sandbox/chromium/base/token.cc b/security/sandbox/chromium/base/token.cc +--- a/security/sandbox/chromium/base/token.cc ++++ b/security/sandbox/chromium/base/token.cc +@@ -1,17 +1,16 @@ + // Copyright 2018 The Chromium Authors. All rights reserved. + // Use of this source code is governed by a BSD-style license that can be + // found in the LICENSE file. + + #include "base/token.h" + + #include + +-#include "base/pickle.h" + #include "base/rand_util.h" + #include "base/strings/stringprintf.h" + + namespace base { + + // static + Token Token::CreateRandom() { + Token token; +@@ -21,26 +20,9 @@ Token Token::CreateRandom() { + base::RandBytes(&token, sizeof(token)); + return token; + } + + std::string Token::ToString() const { + return base::StringPrintf("%016" PRIX64 "%016" PRIX64, high_, low_); + } + +-void WriteTokenToPickle(Pickle* pickle, const Token& token) { +- pickle->WriteUInt64(token.high()); +- pickle->WriteUInt64(token.low()); +-} +- +-Optional ReadTokenFromPickle(PickleIterator* pickle_iterator) { +- uint64_t high; +- if (!pickle_iterator->ReadUInt64(&high)) +- return nullopt; +- +- uint64_t low; +- if (!pickle_iterator->ReadUInt64(&low)) +- return nullopt; +- +- return Token(high, low); +-} +- + } // namespace base +diff --git a/security/sandbox/chromium/base/token.h b/security/sandbox/chromium/base/token.h +--- a/security/sandbox/chromium/base/token.h ++++ b/security/sandbox/chromium/base/token.h +@@ -7,17 +7,16 @@ + + #include + + #include + #include + + 
#include "base/base_export.h" + #include "base/hash/hash.h" +-#include "base/optional.h" + + namespace base { + + // A Token is a randomly chosen 128-bit integer. This class supports generation + // from a cryptographically strong random source, or constexpr construction over + // fixed values (e.g. to store a pre-generated constant value). Tokens are + // similar in spirit and purpose to UUIDs, without many of the constraints and + // expectations (such as byte layout and string representation) clasically +@@ -63,19 +62,11 @@ class BASE_EXPORT Token { + + // For use in std::unordered_map. + struct TokenHash { + size_t operator()(const base::Token& token) const { + return base::HashInts64(token.high(), token.low()); + } + }; + +-class Pickle; +-class PickleIterator; +- +-// For serializing and deserializing Token values. +-BASE_EXPORT void WriteTokenToPickle(Pickle* pickle, const Token& token); +-BASE_EXPORT Optional ReadTokenFromPickle( +- PickleIterator* pickle_iterator); +- + } // namespace base + + #endif // BASE_TOKEN_H_ diff --git a/security/sandbox/chromium-shim/patches/with_update/revert_removal_of_app_dir_for_DLL_load.patch b/security/sandbox/chromium-shim/patches/with_update/revert_removal_of_app_dir_for_DLL_load.patch new file mode 100644 index 0000000000..c5de8c9041 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/revert_removal_of_app_dir_for_DLL_load.patch 
@@ -0,0 +1,74 @@ +# HG changeset patch +# User Bob Owen +# Date 1564062993 -3600 +# Thu Jul 25 14:56:33 2019 +0100 +# Node ID aa8f8da7b00f1f751bf4a7c8a2cc58b290a328e0 +# Parent 69ac304560c98a733d44a0245fe9782dc6a465e2 +Bug 1565848: Revert latest change to MITIGATION_DLL_SEARCH_ORDER. r=handyman! + +This is until any regressions can be fixed, see bug 1568850. + +diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc +--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc ++++ b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc +@@ -72,26 +72,17 @@ bool ApplyProcessMitigationsToCurrentPro + + if (flags & MITIGATION_DLL_SEARCH_ORDER) { + SetDefaultDllDirectoriesFunction set_default_dll_directories = + reinterpret_cast( + ::GetProcAddress(module, "SetDefaultDllDirectories")); + + // Check for SetDefaultDllDirectories since it requires KB2533623. + if (set_default_dll_directories) { +-#if defined(COMPONENT_BUILD) +- const DWORD directory_flags = LOAD_LIBRARY_SEARCH_DEFAULT_DIRS; +-#else +- // In a non-component build, all DLLs will be loaded manually, or via +- // manifest definition, so these flags can be stronger. This prevents DLL +- // planting in the application directory. 
+- const DWORD directory_flags = +- LOAD_LIBRARY_SEARCH_SYSTEM32 | LOAD_LIBRARY_SEARCH_USER_DIRS; +-#endif +- if (!set_default_dll_directories(directory_flags) && ++ if (!set_default_dll_directories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) && + ERROR_ACCESS_DENIED != ::GetLastError()) { + return false; + } + } + } + + // Set the heap to terminate on corruption + if (flags & MITIGATION_HEAP_TERMINATE) { +diff --git a/security/sandbox/chromium/sandbox/win/src/security_level.h b/security/sandbox/chromium/sandbox/win/src/security_level.h +--- a/security/sandbox/chromium/sandbox/win/src/security_level.h ++++ b/security/sandbox/chromium/sandbox/win/src/security_level.h +@@ -192,25 +192,20 @@ const MitigationFlags MITIGATION_BOTTOM_ + // PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON + const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR = 0x00000080; + + // Immediately raises an exception on a bad handle reference. Must be + // enabled after startup. Corresponds to + // PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON. + const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100; + +-// Strengthens the DLL search order. See +-// http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515. In a +-// component build - sets this to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS allowing +-// additional directories to be added via Windows AddDllDirectory() function, +-// but preserving current load order. In a non-component build, all DLLs should +-// be loaded manually, so strenthen to LOAD_LIBRARY_SEARCH_SYSTEM32 | +-// LOAD_LIBRARY_SEARCH_USER_DIRS, removing LOAD_LIBRARY_SEARCH_APPLICATION_DIR, +-// preventing DLLs being implicitly loaded from the application path. Must be +-// enabled after startup. ++// Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional ++// directories can be added via the Windows AddDllDirectory() function. 
++// http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515 ++// Must be enabled after startup. + const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000200; + + // Changes the mandatory integrity level policy on the current process' token + // to enable no-read and no-execute up. This prevents a lower IL process from + // opening the process token for impersonate/duplicate/assignment. + const MitigationFlags MITIGATION_HARDEN_TOKEN_IL_POLICY = 0x00000400; + + // Prevents the process from making Win32k calls. Corresponds to diff --git a/security/sandbox/chromium-shim/patches/with_update/revert_remove_AddTargetPeer.patch b/security/sandbox/chromium-shim/patches/with_update/revert_remove_AddTargetPeer.patch new file mode 100644 index 0000000000..04020b60b7 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/revert_remove_AddTargetPeer.patch 
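Review bot: The rewritten MITIGATION_DLL_SEARCH_ORDER comment in security_level.h no longer says that LOAD_LIBRARY_SEARCH_DEFAULT_DIRS keeps the application directory in the search path, which is the security consequence of this revert and the reason the removed text mentioned DLL planting; the flag's documentation should keep that fact visible, e.g. `// Note: LOAD_LIBRARY_SEARCH_DEFAULT_DIRS still includes the application directory (see bug 1568850 for the stricter setting).` The process_mitigations.cc change is described in the patch header as temporary until bug 1568850 is resolved, but nothing in the code records that; a `// TODO(bug 1568850): restore LOAD_LIBRARY_SEARCH_SYSTEM32 | LOAD_LIBRARY_SEARCH_USER_DIRS for non-component builds.` beside the `set_default_dll_directories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS)` call would keep the weakened mitigation from being forgotten. Since the commit is a deliberate revert, no code change is proposed beyond these comments.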
@@ -0,0 +1,310 @@ +# HG changeset patch +# User Toshihito Kikuchi +# Date 1589671259 25200 +# Sat May 16 16:20:59 2020 -0700 +# Node ID 0b5183a01df78cc85264f2eae2c4d8e407bb1112 +# Parent d093cd9ccfcf06f4a1f0d7f1a4bd0f143ef92b4b +Add BrokerServicesBase::IsSafeDuplicationTarget. r=bobowen + +This patch adds BrokerServicesBase::IsSafeDuplicationTarget and +BrokerServicesBase::AddTargetPeer using the new ProcessTracker introduced by +https://chromium.googlesource.com/chromium/src.git/+/3d8382cf9dd44cf9c05e43e42c500f4825e1fed8 +We need these methods for HandlePolicy which is added as a different patch. + +Chromium used to have AddTargetPeer and IsActiveTarget, but removed by +the following commits because they were no longer used in Chromium. +https://chromium.googlesource.com/chromium/src.git/+/996b42db5296bd3d11b3d7fde1a4602bbcefed2c +https://chromium.googlesource.com/chromium/src.git/+/e615a1152ac6e10f1a91f0629fb8b5ca223ffbdc + +diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.cc b/security/sandbox/chromium/sandbox/win/src/broker_services.cc +--- a/security/sandbox/chromium/sandbox/win/src/broker_services.cc ++++ b/security/sandbox/chromium/sandbox/win/src/broker_services.cc +@@ -154,16 +154,18 @@ namespace sandbox { + BrokerServicesBase::BrokerServicesBase() {} + + // The broker uses a dedicated worker thread that services the job completion + // port to perform policy notifications and associated cleanup tasks. + ResultCode BrokerServicesBase::Init() { + if (job_port_.IsValid() || thread_pool_) + return SBOX_ERROR_UNEXPECTED_CALL; + ++ ::InitializeCriticalSection(&lock_); ++ + job_port_.Set(::CreateIoCompletionPort(INVALID_HANDLE_VALUE, nullptr, 0, 0)); + if (!job_port_.IsValid()) + return SBOX_ERROR_CANNOT_INIT_BROKERSERVICES; + + no_targets_.Set(::CreateEventW(nullptr, true, false, nullptr)); + + job_thread_.Set(::CreateThread(nullptr, 0, // Default security and stack. 
+ TargetEventsThread, this, 0, nullptr)); +@@ -191,16 +193,17 @@ BrokerServicesBase::~BrokerServicesBase( + + if (job_thread_.IsValid() && + WAIT_TIMEOUT == ::WaitForSingleObject(job_thread_.Get(), 1000)) { + // Cannot clean broker services. + NOTREACHED(); + return; + } + thread_pool_.reset(); ++ ::DeleteCriticalSection(&lock_); + } + + scoped_refptr BrokerServicesBase::CreatePolicy() { + // If you change the type of the object being created here you must also + // change the downcast to it in SpawnTarget(). + scoped_refptr policy(new PolicyBase); + // PolicyBase starts with refcount 1. + policy->Release(); +@@ -283,16 +286,21 @@ DWORD WINAPI BrokerServicesBase::TargetE + if (1 == target_counter) { + ::ResetEvent(no_targets); + } + break; + } + + case JOB_OBJECT_MSG_EXIT_PROCESS: + case JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS: { ++ { ++ AutoLock lock(&broker->lock_); ++ broker->active_targets_.erase( ++ static_cast(reinterpret_cast(ovl))); ++ } + size_t erase_result = child_process_ids.erase( + static_cast(reinterpret_cast(ovl))); + if (erase_result != 1U) { + // The process was untracked e.g. a child process of the target. + --untracked_target_counter; + DCHECK(untracked_target_counter >= 0); + } + --target_counter; +@@ -348,27 +356,31 @@ DWORD WINAPI BrokerServicesBase::TargetE + tracker->wait_handle = INVALID_HANDLE_VALUE; + } + processes.push_back(std::move(tracker)); + + } else if (THREAD_CTRL_PROCESS_SIGNALLED == key) { + ProcessTracker* tracker = + static_cast(reinterpret_cast(ovl)); + ++ { ++ AutoLock lock(&broker->lock_); ++ broker->active_targets_.erase(tracker->process_id); ++ } ++ + ::UnregisterWait(tracker->wait_handle); + tracker->wait_handle = INVALID_HANDLE_VALUE; + + // PID is unique until the process handle is closed in dtor. 
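Review bot: lock_ is initialized in Init(), but the destructor calls `::DeleteCriticalSection(&lock_);` unconditionally and IsSafeDuplicationTarget()/AddTargetPeer() enter it, so a broker that is destroyed or queried without a prior successful Init() touches an uninitialized CRITICAL_SECTION; the destructor hunk also returns early on WAIT_TIMEOUT before reaching the delete. Tying the lock to the object lifetime removes both cases: initialize it in the constructor, `BrokerServicesBase::BrokerServicesBase() { ::InitializeCriticalSection(&lock_); }`, and delete it as the first step of the destructor regardless of the wait outcome. Whether the singleton can in practice be destroyed before Init() is not visible here. Init()'s body continues outside this hunk.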
+ processes.erase(std::remove_if(processes.begin(), processes.end(), + [&](auto&& p) -> bool { + return p->process_id == + tracker->process_id; + }), + processes.end()); +- + } else if (THREAD_CTRL_GET_POLICY_INFO == key) { + // Clone the policies for sandbox diagnostics. + std::unique_ptr receiver; + receiver.reset(static_cast( + reinterpret_cast(ovl))); + // The PollicyInfo ctor copies essential information from the trackers. + auto policy_list = std::make_unique(); + for (auto&& process_tracker : processes) { +@@ -637,47 +649,79 @@ ResultCode BrokerServicesBase::SpawnTarg + // the tracker. The worker thread takes ownership of these objects. + CHECK(::PostQueuedCompletionStatus( + job_port_.Get(), 0, THREAD_CTRL_NEW_JOB_TRACKER, + reinterpret_cast(tracker))); + // There is no obvious recovery after failure here. Previous version with + // SpawnCleanup() caused deletion of TargetProcess twice. crbug.com/480639 + CHECK( + AssociateCompletionPort(tracker->job.Get(), job_port_.Get(), tracker)); ++ ++ AutoLock lock(&lock_); ++ active_targets_.insert(process_info.process_id()); + } else { +- // Duplicate the process handle to give the tracking machinery +- // something valid to wait on in the tracking thread. +- HANDLE tmp_process_handle = INVALID_HANDLE_VALUE; +- if (!::DuplicateHandle(::GetCurrentProcess(), process_info.process_handle(), +- ::GetCurrentProcess(), &tmp_process_handle, +- SYNCHRONIZE, false, 0 /*no options*/)) { +- *last_error = ::GetLastError(); ++ result = AddTargetPeerInternal(process_info.process_handle(), ++ process_info.process_id(), ++ policy_base, last_error); ++ if (result != SBOX_ALL_OK) { + // This may fail in the same way as Job associated processes. + // crbug.com/480639. 
+ SpawnCleanup(target); +- return SBOX_ERROR_CANNOT_DUPLICATE_PROCESS_HANDLE; ++ return result; + } +- base::win::ScopedHandle dup_process_handle(tmp_process_handle); +- ProcessTracker* tracker = new ProcessTracker( +- policy_base, process_info.process_id(), std::move(dup_process_handle)); +- // The tracker and policy will leak if this call fails. +- ::PostQueuedCompletionStatus(job_port_.Get(), 0, +- THREAD_CTRL_NEW_PROCESS_TRACKER, +- reinterpret_cast(tracker)); + } + + *target_info = process_info.Take(); + return result; + } + + ResultCode BrokerServicesBase::WaitForAllTargets() { + ::WaitForSingleObject(no_targets_.Get(), INFINITE); + return SBOX_ALL_OK; + } + ++bool BrokerServicesBase::IsSafeDuplicationTarget(DWORD process_id) { ++ AutoLock lock(&lock_); ++ return active_targets_.find(process_id) != active_targets_.end(); ++} ++ ++ResultCode BrokerServicesBase::AddTargetPeerInternal( ++ HANDLE peer_process_handle, ++ DWORD peer_process_id, ++ scoped_refptr policy_base, ++ DWORD* last_error) { ++ // Duplicate the process handle to give the tracking machinery ++ // something valid to wait on in the tracking thread. ++ HANDLE tmp_process_handle = INVALID_HANDLE_VALUE; ++ if (!::DuplicateHandle(::GetCurrentProcess(), peer_process_handle, ++ ::GetCurrentProcess(), &tmp_process_handle, ++ SYNCHRONIZE, false, 0 /*no options*/)) { ++ *last_error = ::GetLastError(); ++ return SBOX_ERROR_CANNOT_DUPLICATE_PROCESS_HANDLE; ++ } ++ base::win::ScopedHandle dup_process_handle(tmp_process_handle); ++ ProcessTracker* tracker = new ProcessTracker( ++ policy_base, peer_process_id, std::move(dup_process_handle)); ++ // The tracker and policy will leak if this call fails. 
++ ::PostQueuedCompletionStatus(job_port_.Get(), 0, ++ THREAD_CTRL_NEW_PROCESS_TRACKER, ++ reinterpret_cast(tracker)); ++ ++ AutoLock lock(&lock_); ++ active_targets_.insert(peer_process_id); ++ ++ return SBOX_ALL_OK; ++} ++ ++ResultCode BrokerServicesBase::AddTargetPeer(HANDLE peer_process) { ++ DWORD last_error; ++ return AddTargetPeerInternal(peer_process, ::GetProcessId(peer_process), ++ nullptr, &last_error); ++} ++ + ResultCode BrokerServicesBase::GetPolicyDiagnostics( + std::unique_ptr receiver) { + CHECK(job_thread_.IsValid()); + // Post to the job thread. + if (!::PostQueuedCompletionStatus( + job_port_.Get(), 0, THREAD_CTRL_GET_POLICY_INFO, + reinterpret_cast(receiver.get()))) { + receiver->OnError(SBOX_ERROR_GENERIC); +diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.h b/security/sandbox/chromium/sandbox/win/src/broker_services.h +--- a/security/sandbox/chromium/sandbox/win/src/broker_services.h ++++ b/security/sandbox/chromium/sandbox/win/src/broker_services.h +@@ -13,16 +13,17 @@ + + #include "base/compiler_specific.h" + #include "base/macros.h" + #include "base/memory/scoped_refptr.h" + #include "base/win/scoped_handle.h" + #include "sandbox/win/src/crosscall_server.h" + #include "sandbox/win/src/job.h" + #include "sandbox/win/src/sandbox.h" ++#include "sandbox/win/src/sandbox_policy_base.h" + #include "sandbox/win/src/sharedmem_ipc_server.h" + #include "sandbox/win/src/win2k_threadpool.h" + #include "sandbox/win/src/win_utils.h" + + namespace sandbox { + + // BrokerServicesBase --------------------------------------------------------- + // Broker implementation version 0 +@@ -43,16 +44,24 @@ class BrokerServicesBase final : public + scoped_refptr CreatePolicy() override; + ResultCode SpawnTarget(const wchar_t* exe_path, + const wchar_t* command_line, + scoped_refptr policy, + ResultCode* last_warning, + DWORD* last_error, + PROCESS_INFORMATION* target) override; + ResultCode WaitForAllTargets() override; ++ ResultCode 
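Review bot: In AddTargetPeerInternal the PID is inserted into active_targets_ only after the tracker has been posted to the worker thread, and the SpawnTarget hunk likewise inserts after AssociateCompletionPort; if the process exits before the inserting thread takes lock_, the worker's THREAD_CTRL_PROCESS_SIGNALLED (or JOB_OBJECT_MSG_EXIT_PROCESS) erase runs first and finds nothing, and the later insert leaves a stale PID that nothing removes, which IsSafeDuplicationTarget would then accept for whatever unrelated process Windows later assigns that PID. Moving the `AutoLock lock(&lock_); active_targets_.insert(peer_process_id);` block ahead of the PostQueuedCompletionStatus call (and ahead of AssociateCompletionPort in SpawnTarget), with an erase on the failure path, closes the window; whether SpawnTarget's child is still suspended at that point, which would cover the job case, is not visible in this hunk. Separately, AddTargetPeer passes `::GetProcessId(peer_process)` straight through without checking for the 0 that call returns on failure, so a handle lacking query rights would register PID 0 as a safe target; rejecting a zero PID before calling AddTargetPeerInternal (returning SBOX_ERROR_BAD_PARAMS) avoids that.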
AddTargetPeer(HANDLE peer_process) override; ++ ++ // Checks if the supplied process ID matches one of the broker's active ++ // target processes. We use this method for the specific purpose of ++ // checking if we can safely duplicate a handle to the supplied process ++ // in DuplicateHandleProxyAction. ++ bool IsSafeDuplicationTarget(DWORD process_id); ++ + ResultCode GetPolicyDiagnostics( + std::unique_ptr receiver) override; + + private: + // The routine that the worker thread executes. It is in charge of + // notifications and cleanup-related tasks. + static DWORD WINAPI TargetEventsThread(PVOID param); + +@@ -65,14 +74,27 @@ class BrokerServicesBase final : public + base::win::ScopedHandle no_targets_; + + // Handle to the worker thread that reacts to job notifications. + base::win::ScopedHandle job_thread_; + + // Provides a pool of threads that are used to wait on the IPC calls. + std::unique_ptr thread_pool_; + ++ // The set representing the broker's active target processes including ++ // both sandboxed and unsandboxed peer processes. ++ std::set active_targets_; ++ ++ // Lock used to protect active_targets_ from being simultaneously accessed ++ // by multiple threads. ++ CRITICAL_SECTION lock_; ++ ++ ResultCode AddTargetPeerInternal(HANDLE peer_process_handle, ++ DWORD peer_process_id, ++ scoped_refptr policy_base, ++ DWORD* last_error); ++ + DISALLOW_COPY_AND_ASSIGN(BrokerServicesBase); + }; + + } // namespace sandbox + + #endif // SANDBOX_WIN_SRC_BROKER_SERVICES_H_ +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sandbox/chromium/sandbox/win/src/sandbox.h +--- a/security/sandbox/chromium/sandbox/win/src/sandbox.h ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox.h +@@ -96,16 +96,24 @@ class BrokerServices { + + // This call blocks (waits) for all the targets to terminate. + // Returns: + // ALL_OK if successful. All other return values imply failure. 
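Review bot: The new `std::set` member active_targets_ (its template argument was lost in rendering) depends on <set>, and the include block shown in the earlier hunk of this header, starting at line 13, adds only sandbox_policy_base.h; if <set> is not among the lines above the hunk, add `#include <set>` rather than relying on a transitive include. The comment on lock_ says what it protects but not when it is valid; since it is set up and torn down explicitly rather than by a constructor, a line such as `// Valid only between the broker's explicit initialization and teardown; IsSafeDuplicationTarget() and AddTargetPeer() assume it is live.` tells callers when those accessors may be used.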
+ // If the return is ERROR_GENERIC, you can call ::GetLastError() to get + // more information. + virtual ResultCode WaitForAllTargets() = 0; + ++ // Adds an unsandboxed process as a peer for policy decisions (e.g. ++ // HANDLES_DUP_ANY policy). ++ // Returns: ++ // ALL_OK if successful. All other return values imply failure. ++ // If the return is ERROR_GENERIC, you can call ::GetLastError() to get ++ // more information. ++ virtual ResultCode AddTargetPeer(HANDLE peer_process) = 0; ++ + // This call creates a snapshot of policies managed by the sandbox and + // returns them via a helper class. + // Parameters: + // receiver: The |PolicyDiagnosticsReceiver| implementation will be + // called to accept the results of the call. + // Returns: + // ALL_OK if the request was dispatched. All other return values + // imply failure, and the responder will not receive its completion diff --git a/security/sandbox/chromium-shim/patches/with_update/revert_remove_BrokerDuplicateHandle.patch b/security/sandbox/chromium-shim/patches/with_update/revert_remove_BrokerDuplicateHandle.patch new file mode 100644 index 0000000000..970c0d1db2 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/revert_remove_BrokerDuplicateHandle.patch 
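Review bot: The AddTargetPeer documentation does not say what happens to `peer_process`: the broker_services.cc implementation duplicates it with SYNCHRONIZE and keeps that copy, so the caller retains ownership and may close its own handle, and the peer stays an accepted duplication target until the broker observes its exit. Suggest adding `// The broker duplicates |peer_process| and does not take ownership; the caller` / `// may close the handle after this call returns. The handle must permit SYNCHRONIZE` / `// and querying the process ID.` so the access requirements are visible at the interface.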
@@ -0,0 +1,743 @@ +# HG changeset patch +# User Toshihito Kikuchi +# Date 1589671733 25200 +# Sat May 16 16:28:53 2020 -0700 +# Node ID 91bb5c3807cfe657cc24c9a3c217dd1f57db6d5c +# Parent 22eb0bf7180801edf775be44cf299a50e01eb7bf +Reinstate sandbox::TargetServices::BrokerDuplicateHandle. r=bobowen + +This patch reverts the commit removing sandbox::TargetServices::BrokerDuplicateHandle +and applies the new IpcTag type. + +https://chromium.googlesource.com/chromium/src.git/+/569193665184525ca366e65d0735f5c851106e43 +https://chromium.googlesource.com/chromium/src.git/+/c8cff7f9663ce6d1ef35e5c717f43c867c3906eb + +diff --git a/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc +new file mode 100644 +--- /dev/null ++++ b/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc +@@ -0,0 +1,93 @@ ++// Copyright (c) 2012 The Chromium Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style license that can be ++// found in the LICENSE file. 
++ ++#include "sandbox/win/src/handle_dispatcher.h" ++ ++#include ++ ++#include "base/win/scoped_handle.h" ++#include "sandbox/win/src/handle_interception.h" ++#include "sandbox/win/src/handle_policy.h" ++#include "sandbox/win/src/ipc_tags.h" ++#include "sandbox/win/src/policy_broker.h" ++#include "sandbox/win/src/policy_params.h" ++#include "sandbox/win/src/sandbox.h" ++#include "sandbox/win/src/sandbox_nt_util.h" ++#include "sandbox/win/src/sandbox_types.h" ++#include "sandbox/win/src/sandbox_utils.h" ++ ++namespace sandbox { ++ ++HandleDispatcher::HandleDispatcher(PolicyBase* policy_base) ++ : policy_base_(policy_base) { ++ static const IPCCall duplicate_handle_proxy = { ++ {IpcTag::DUPLICATEHANDLEPROXY, ++ {VOIDPTR_TYPE, UINT32_TYPE, UINT32_TYPE, UINT32_TYPE}}, ++ reinterpret_cast( ++ &HandleDispatcher::DuplicateHandleProxy)}; ++ ++ ipc_calls_.push_back(duplicate_handle_proxy); ++} ++ ++bool HandleDispatcher::SetupService(InterceptionManager* manager, ++ IpcTag service) { ++ // We perform no interceptions for handles right now. ++ switch (service) { ++ case IpcTag::DUPLICATEHANDLEPROXY: ++ return true; ++ ++ default: ++ return false; ++ } ++} ++ ++bool HandleDispatcher::DuplicateHandleProxy(IPCInfo* ipc, ++ HANDLE source_handle, ++ uint32_t target_process_id, ++ uint32_t desired_access, ++ uint32_t options) { ++ static NtQueryObject QueryObject = NULL; ++ if (!QueryObject) ++ ResolveNTFunctionPtr("NtQueryObject", &QueryObject); ++ ++ // Get a copy of the handle for use in the broker process. ++ HANDLE handle_temp; ++ if (!::DuplicateHandle(ipc->client_info->process, source_handle, ++ ::GetCurrentProcess(), &handle_temp, ++ 0, FALSE, DUPLICATE_SAME_ACCESS | options)) { ++ ipc->return_info.win32_result = ::GetLastError(); ++ return false; ++ } ++ options &= ~DUPLICATE_CLOSE_SOURCE; ++ base::win::ScopedHandle handle(handle_temp); ++ ++ // Get the object type (32 characters is safe; current max is 14). 
++ BYTE buffer[sizeof(OBJECT_TYPE_INFORMATION) + 32 * sizeof(wchar_t)]; ++ OBJECT_TYPE_INFORMATION* type_info = ++ reinterpret_cast(buffer); ++ ULONG size = sizeof(buffer) - sizeof(wchar_t); ++ NTSTATUS error = ++ QueryObject(handle.Get(), ObjectTypeInformation, type_info, size, &size); ++ if (!NT_SUCCESS(error)) { ++ ipc->return_info.nt_status = error; ++ return false; ++ } ++ type_info->Name.Buffer[type_info->Name.Length / sizeof(wchar_t)] = L'\0'; ++ ++ CountedParameterSet params; ++ params[HandleTarget::NAME] = ParamPickerMake(type_info->Name.Buffer); ++ params[HandleTarget::TARGET] = ParamPickerMake(target_process_id); ++ ++ EvalResult eval = policy_base_->EvalPolicy(IpcTag::DUPLICATEHANDLEPROXY, ++ params.GetBase()); ++ ipc->return_info.win32_result = ++ HandlePolicy::DuplicateHandleProxyAction(eval, handle.Get(), ++ target_process_id, ++ &ipc->return_info.handle, ++ desired_access, options); ++ return true; ++} ++ ++} // namespace sandbox ++ +diff --git a/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.h b/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.h +new file mode 100644 +--- /dev/null ++++ b/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.h +@@ -0,0 +1,41 @@ ++// Copyright (c) 2012 The Chromium Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style license that can be ++// found in the LICENSE file. ++ ++#ifndef SANDBOX_SRC_HANDLE_DISPATCHER_H_ ++#define SANDBOX_SRC_HANDLE_DISPATCHER_H_ ++ ++#include ++ ++#include "base/macros.h" ++#include "sandbox/win/src/crosscall_server.h" ++#include "sandbox/win/src/sandbox_policy_base.h" ++ ++namespace sandbox { ++ ++// This class handles handle-related IPC calls. ++class HandleDispatcher : public Dispatcher { ++ public: ++ explicit HandleDispatcher(PolicyBase* policy_base); ++ ~HandleDispatcher() override {} ++ ++ // Dispatcher interface. 
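Review bot: `options &= ~DUPLICATE_CLOSE_SOURCE;` carries no comment explaining why the bit is stripped after the first DuplicateHandle, and the reason matters for correctness: the client's source was already closed (if requested) by that call, and the broker-side copy now belongs to the ScopedHandle `handle`, so letting the flag reach the second duplication in DuplicateHandleProxyAction would close that copy a second time. Suggest `// DUPLICATE_CLOSE_SOURCE was honoured by the duplication above; the broker's copy is owned by |handle| and must not be closed again.` Also, `static NtQueryObject QueryObject = NULL;` is assigned lazily by whichever thread reaches it first with no synchronization; if this dispatcher can run on more than one IPC thread, resolving it in the static's initializer, `static NtQueryObject QueryObject = [] { NtQueryObject fn = NULL; ResolveNTFunctionPtr("NtQueryObject", &fn); return fn; }();`, makes the initialization thread-safe under C++11 static-init rules.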
++ bool SetupService(InterceptionManager* manager, IpcTag service) override; ++ ++ private: ++ // Processes IPC requests coming from calls to ++ // TargetServices::DuplicateHandle() in the target. ++ bool DuplicateHandleProxy(IPCInfo* ipc, ++ HANDLE source_handle, ++ uint32_t target_process_id, ++ uint32_t desired_access, ++ uint32_t options); ++ ++ PolicyBase* policy_base_; ++ DISALLOW_COPY_AND_ASSIGN(HandleDispatcher); ++}; ++ ++} // namespace sandbox ++ ++#endif // SANDBOX_SRC_HANDLE_DISPATCHER_H_ ++ +diff --git a/security/sandbox/chromium/sandbox/win/src/handle_interception.cc b/security/sandbox/chromium/sandbox/win/src/handle_interception.cc +new file mode 100644 +--- /dev/null ++++ b/security/sandbox/chromium/sandbox/win/src/handle_interception.cc +@@ -0,0 +1,45 @@ ++// Copyright (c) 2012 The Chromium Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style license that can be ++// found in the LICENSE file. ++ ++#include "sandbox/win/src/handle_interception.h" ++ ++#include "sandbox/win/src/crosscall_client.h" ++#include "sandbox/win/src/ipc_tags.h" ++#include "sandbox/win/src/sandbox_factory.h" ++#include "sandbox/win/src/sandbox_nt_util.h" ++#include "sandbox/win/src/sharedmem_ipc_client.h" ++#include "sandbox/win/src/target_services.h" ++ ++namespace sandbox { ++ ++ResultCode DuplicateHandleProxy(HANDLE source_handle, ++ DWORD target_process_id, ++ HANDLE* target_handle, ++ DWORD desired_access, ++ DWORD options) { ++ *target_handle = NULL; ++ ++ void* memory = GetGlobalIPCMemory(); ++ if (NULL == memory) ++ return SBOX_ERROR_NO_SPACE; ++ ++ SharedMemIPCClient ipc(memory); ++ CrossCallReturn answer = {0}; ++ ResultCode code = CrossCall(ipc, IpcTag::DUPLICATEHANDLEPROXY, ++ source_handle, target_process_id, ++ desired_access, options, &answer); ++ if (SBOX_ALL_OK != code) ++ return code; ++ ++ if (answer.win32_result) { ++ ::SetLastError(answer.win32_result); ++ return SBOX_ERROR_GENERIC; ++ } ++ ++ *target_handle = 
answer.handle; ++ return SBOX_ALL_OK; ++} ++ ++} // namespace sandbox ++ +diff --git a/security/sandbox/chromium/sandbox/win/src/handle_interception.h b/security/sandbox/chromium/sandbox/win/src/handle_interception.h +new file mode 100644 +--- /dev/null ++++ b/security/sandbox/chromium/sandbox/win/src/handle_interception.h +@@ -0,0 +1,24 @@ ++// Copyright (c) 2012 The Chromium Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style license that can be ++// found in the LICENSE file. ++ ++#include "sandbox/win/src/nt_internals.h" ++#include "sandbox/win/src/sandbox_types.h" ++ ++#ifndef SANDBOX_SRC_HANDLE_INTERCEPTION_H_ ++#define SANDBOX_SRC_HANDLE_INTERCEPTION_H_ ++ ++namespace sandbox { ++ ++// TODO(jschuh) Add an interception to catch dangerous DuplicateHandle calls. ++ ++ResultCode DuplicateHandleProxy(HANDLE source_handle, ++ DWORD target_process_id, ++ HANDLE* target_handle, ++ DWORD desired_access, ++ DWORD options); ++ ++} // namespace sandbox ++ ++#endif // SANDBOX_SRC_HANDLE_INTERCEPTION_H_ ++ +diff --git a/security/sandbox/chromium/sandbox/win/src/handle_policy.cc b/security/sandbox/chromium/sandbox/win/src/handle_policy.cc +new file mode 100644 +--- /dev/null ++++ b/security/sandbox/chromium/sandbox/win/src/handle_policy.cc +@@ -0,0 +1,93 @@ ++// Copyright (c) 2012 The Chromium Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style license that can be ++// found in the LICENSE file. 
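Review bot: DuplicateHandleProxy only inspects `answer.win32_result`, but the broker side (HandleDispatcher::DuplicateHandleProxy in this same patch) reports a failed NtQueryObject through `return_info.nt_status` and returns false without setting win32_result. Unless the IPC server maps a false dispatcher return into a non-OK `code`, which is not visible here, that path yields SBOX_ALL_OK with `*target_handle` still NULL, contradicting the "ALL_OK if successful" contract in sandbox.h. A defensive check after the win32_result test, `if (!NT_SUCCESS(answer.nt_status) || !answer.handle) return SBOX_ERROR_GENERIC;`, keeps the contract independent of the server's behaviour.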
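Review bot: The include guard in handle_interception.h is opened after the two #include lines rather than before them, so it does not cover the includes and the file's layout differs from handle_dispatcher.h and handle_policy.h in the same patch. Move `#ifndef SANDBOX_SRC_HANDLE_INTERCEPTION_H_` / `#define SANDBOX_SRC_HANDLE_INTERCEPTION_H_` above the includes.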
++ ++#include "sandbox/win/src/handle_policy.h" ++ ++#include ++ ++#include "base/win/scoped_handle.h" ++#include "sandbox/win/src/broker_services.h" ++#include "sandbox/win/src/ipc_tags.h" ++#include "sandbox/win/src/policy_engine_opcodes.h" ++#include "sandbox/win/src/policy_params.h" ++#include "sandbox/win/src/sandbox_types.h" ++#include "sandbox/win/src/sandbox_utils.h" ++ ++namespace sandbox { ++ ++bool HandlePolicy::GenerateRules(const wchar_t* type_name, ++ TargetPolicy::Semantics semantics, ++ LowLevelPolicy* policy) { ++ PolicyRule duplicate_rule(ASK_BROKER); ++ ++ switch (semantics) { ++ case TargetPolicy::HANDLES_DUP_ANY: { ++ if (!duplicate_rule.AddNumberMatch(IF_NOT, HandleTarget::TARGET, ++ ::GetCurrentProcessId(), EQUAL)) { ++ return false; ++ } ++ break; ++ } ++ ++ case TargetPolicy::HANDLES_DUP_BROKER: { ++ if (!duplicate_rule.AddNumberMatch(IF, HandleTarget::TARGET, ++ ::GetCurrentProcessId(), EQUAL)) { ++ return false; ++ } ++ break; ++ } ++ ++ default: ++ return false; ++ } ++ if (!duplicate_rule.AddStringMatch(IF, HandleTarget::NAME, type_name, ++ CASE_INSENSITIVE)) { ++ return false; ++ } ++ if (!policy->AddRule(IpcTag::DUPLICATEHANDLEPROXY, &duplicate_rule)) { ++ return false; ++ } ++ return true; ++} ++ ++DWORD HandlePolicy::DuplicateHandleProxyAction(EvalResult eval_result, ++ HANDLE source_handle, ++ DWORD target_process_id, ++ HANDLE* target_handle, ++ DWORD desired_access, ++ DWORD options) { ++ // The only action supported is ASK_BROKER which means duplicate the handle. ++ if (ASK_BROKER != eval_result) { ++ return ERROR_ACCESS_DENIED; ++ } ++ ++ base::win::ScopedHandle remote_target_process; ++ if (target_process_id != ::GetCurrentProcessId()) { ++ // Sandboxed children are dynamic, so we check that manually. 
++ if (!BrokerServicesBase::GetInstance()->IsSafeDuplicationTarget( ++ target_process_id)) { ++ return ERROR_ACCESS_DENIED; ++ } ++ ++ remote_target_process.Set(::OpenProcess(PROCESS_DUP_HANDLE, FALSE, ++ target_process_id)); ++ if (!remote_target_process.IsValid()) ++ return ::GetLastError(); ++ } ++ ++ // If the policy didn't block us and we have no valid target, then the broker ++ // (this process) is the valid target. ++ HANDLE target_process = remote_target_process.IsValid() ? ++ remote_target_process.Get() : ::GetCurrentProcess(); ++ if (!::DuplicateHandle(::GetCurrentProcess(), source_handle, target_process, ++ target_handle, desired_access, FALSE, ++ options)) { ++ return ::GetLastError(); ++ } ++ ++ return ERROR_SUCCESS; ++} ++ ++} // namespace sandbox ++ +diff --git a/security/sandbox/chromium/sandbox/win/src/handle_policy.h b/security/sandbox/chromium/sandbox/win/src/handle_policy.h +new file mode 100644 +--- /dev/null ++++ b/security/sandbox/chromium/sandbox/win/src/handle_policy.h +@@ -0,0 +1,39 @@ ++// Copyright (c) 2012 The Chromium Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style license that can be ++// found in the LICENSE file. ++ ++#ifndef SANDBOX_SRC_HANDLE_POLICY_H_ ++#define SANDBOX_SRC_HANDLE_POLICY_H_ ++ ++#include ++ ++#include "sandbox/win/src/crosscall_server.h" ++#include "sandbox/win/src/policy_low_level.h" ++#include "sandbox/win/src/sandbox_policy.h" ++ ++namespace sandbox { ++ ++enum EvalResult; ++ ++// This class centralizes most of the knowledge related to handle policy. ++class HandlePolicy { ++ public: ++ // Creates the required low-level policy rules to evaluate a high-level ++ // policy rule for handles, in particular duplicate action. ++ static bool GenerateRules(const wchar_t* type_name, ++ TargetPolicy::Semantics semantics, ++ LowLevelPolicy* policy); ++ ++ // Processes a 'TargetPolicy::DuplicateHandle()' request from the target. 
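Review bot: In DuplicateHandleProxyAction the IsSafeDuplicationTarget check and the subsequent `::OpenProcess(PROCESS_DUP_HANDLE, FALSE, target_process_id)` are not atomic: if the target exits between the two calls, the broker's worker thread erases the PID from active_targets_ and, per the tracker comment in the AddTargetPeer patch, the handle that kept the PID reserved is closed when the tracker goes away, after which the PID can be recycled and OpenProcess may open an unrelated process that then receives the duplicated handle. Having the broker produce the process handle while the entry is still held under lock_ (for example IsSafeDuplicationTarget returning a duplicated ScopedHandle taken from the tracker instead of a bool) removes the window; a cheaper partial mitigation is to compare the opened process's creation time with the one recorded at registration. The window is small and the exact point at which the tracker's handle is closed is not visible in this chunk.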
++ static DWORD DuplicateHandleProxyAction(EvalResult eval_result, ++ HANDLE source_handle, ++ DWORD target_process_id, ++ HANDLE* target_handle, ++ DWORD desired_access, ++ DWORD options); ++}; ++ ++} // namespace sandbox ++ ++#endif // SANDBOX_SRC_HANDLE_POLICY_H_ ++ +diff --git a/security/sandbox/chromium/sandbox/win/src/handle_policy_test.cc b/security/sandbox/chromium/sandbox/win/src/handle_policy_test.cc +new file mode 100644 +--- /dev/null ++++ b/security/sandbox/chromium/sandbox/win/src/handle_policy_test.cc +@@ -0,0 +1,114 @@ ++// Copyright (c) 2012 The Chromium Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style license that can be ++// found in the LICENSE file. ++ ++#include "base/strings/stringprintf.h" ++#include "sandbox/win/src/handle_policy.h" ++#include "sandbox/win/src/nt_internals.h" ++#include "sandbox/win/src/sandbox.h" ++#include "sandbox/win/src/sandbox_factory.h" ++#include "sandbox/win/src/sandbox_policy.h" ++#include "sandbox/win/src/win_utils.h" ++#include "sandbox/win/tests/common/controller.h" ++#include "testing/gtest/include/gtest/gtest.h" ++ ++namespace sandbox { ++ ++// Just waits for the supplied number of milliseconds. ++SBOX_TESTS_COMMAND int Handle_WaitProcess(int argc, wchar_t **argv) { ++ if (argc != 1) ++ return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; ++ ++ ::Sleep(::wcstoul(argv[0], NULL, 10)); ++ return SBOX_TEST_TIMED_OUT; ++} ++ ++// Attempts to duplicate an event handle into the target process. ++SBOX_TESTS_COMMAND int Handle_DuplicateEvent(int argc, wchar_t **argv) { ++ if (argc != 1) ++ return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND; ++ ++ // Create a test event to use as a handle. ++ base::win::ScopedHandle test_event; ++ test_event.Set(::CreateEvent(NULL, TRUE, TRUE, NULL)); ++ if (!test_event.IsValid()) ++ return SBOX_TEST_FIRST_ERROR; ++ ++ // Get the target process ID. 
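Review bot: `enum EvalResult;` forward-declares an unscoped enumeration with no fixed underlying type, which standard C++ does not permit (it compiles only as a compiler extension), and handle_policy.cc already includes policy_engine_opcodes.h for the same symbol. If that header defines EvalResult, replace the forward declaration with `#include "sandbox/win/src/policy_engine_opcodes.h"`; otherwise give the enum a fixed underlying type at its definition so an opaque declaration here is well-formed.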
++ DWORD target_process_id = ::wcstoul(argv[0], NULL, 10); ++ ++ HANDLE handle = NULL; ++ ResultCode result = SandboxFactory::GetTargetServices()->DuplicateHandle( ++ test_event.Get(), target_process_id, &handle, 0, DUPLICATE_SAME_ACCESS); ++ ++ return (result == SBOX_ALL_OK) ? SBOX_TEST_SUCCEEDED : SBOX_TEST_DENIED; ++} ++ ++// Tests that duplicating an object works only when the policy allows it. ++TEST(HandlePolicyTest, DuplicateHandle) { ++ TestRunner target; ++ TestRunner runner; ++ ++ // Kick off an asynchronous target process for testing. ++ target.SetAsynchronous(true); ++ EXPECT_EQ(SBOX_TEST_SUCCEEDED, target.RunTest(L"Handle_WaitProcess 30000")); ++ ++ // First test that we fail to open the event. ++ base::string16 cmd_line = base::StringPrintf(L"Handle_DuplicateEvent %d", ++ target.process_id()); ++ EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(cmd_line.c_str())); ++ ++ // Now successfully open the event after adding a duplicate handle rule. ++ EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_HANDLES, ++ TargetPolicy::HANDLES_DUP_ANY, ++ L"Event")); ++ EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(cmd_line.c_str())); ++} ++ ++// Tests that duplicating an object works only when the policy allows it. ++TEST(HandlePolicyTest, DuplicatePeerHandle) { ++ TestRunner target; ++ TestRunner runner; ++ ++ // Kick off an asynchronous target process for testing. ++ target.SetAsynchronous(true); ++ target.SetUnsandboxed(true); ++ EXPECT_EQ(SBOX_TEST_SUCCEEDED, target.RunTest(L"Handle_WaitProcess 30000")); ++ ++ // First test that we fail to open the event. ++ base::string16 cmd_line = base::StringPrintf(L"Handle_DuplicateEvent %d", ++ target.process_id()); ++ EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(cmd_line.c_str())); ++ ++ // Now successfully open the event after adding a duplicate handle rule. 
++ EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_HANDLES, ++ TargetPolicy::HANDLES_DUP_ANY, ++ L"Event")); ++ EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(cmd_line.c_str())); ++} ++ ++// Tests that duplicating an object works only when the policy allows it. ++TEST(HandlePolicyTest, DuplicateBrokerHandle) { ++ TestRunner runner; ++ ++ // First test that we fail to open the event. ++ base::string16 cmd_line = base::StringPrintf(L"Handle_DuplicateEvent %d", ++ ::GetCurrentProcessId()); ++ EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(cmd_line.c_str())); ++ ++ // Add the peer rule and make sure we fail again. ++ EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_HANDLES, ++ TargetPolicy::HANDLES_DUP_ANY, ++ L"Event")); ++ EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(cmd_line.c_str())); ++ ++ ++ // Now successfully open the event after adding a broker handle rule. ++ EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_HANDLES, ++ TargetPolicy::HANDLES_DUP_BROKER, ++ L"Event")); ++ EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(cmd_line.c_str())); ++} ++ ++} // namespace sandbox ++ +diff --git a/security/sandbox/chromium/sandbox/win/src/ipc_tags.h b/security/sandbox/chromium/sandbox/win/src/ipc_tags.h +--- a/security/sandbox/chromium/sandbox/win/src/ipc_tags.h ++++ b/security/sandbox/chromium/sandbox/win/src/ipc_tags.h +@@ -23,16 +23,17 @@ enum class IpcTag { + NTOPENPROCESS, + NTOPENPROCESSTOKEN, + NTOPENPROCESSTOKENEX, + CREATEPROCESSW, + CREATEEVENT, + OPENEVENT, + NTCREATEKEY, + NTOPENKEY, ++ DUPLICATEHANDLEPROXY, + GDI_GDIDLLINITIALIZE, + GDI_GETSTOCKOBJECT, + USER_REGISTERCLASSW, + CREATETHREAD, + USER_ENUMDISPLAYMONITORS, + USER_ENUMDISPLAYDEVICES, + USER_GETMONITORINFO, + GDI_CREATEOPMPROTECTEDOUTPUTS, +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sandbox/chromium/sandbox/win/src/sandbox.h +--- a/security/sandbox/chromium/sandbox/win/src/sandbox.h ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox.h +@@ -161,16 +161,30 @@ class 
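Review bot: The three TEST cases carry the identical header comment "Tests that duplicating an object works only when the policy allows it." although they pin three different target classes. Suggest `// A sandboxed child becomes a valid target once HANDLES_DUP_ANY is set for the type.` for DuplicateHandle, `// An unsandboxed peer is treated like a child for HANDLES_DUP_ANY.` for DuplicatePeerHandle (presumably SetUnsandboxed registers it via AddTargetPeer; not visible here), and `// HANDLES_DUP_ANY must not permit the broker itself; only HANDLES_DUP_BROKER does.` for DuplicateBrokerHandle, which is the security property that test actually checks. Handle_WaitProcess returns SBOX_TEST_TIMED_OUT after its 30 s sleep, so the asynchronous targets presumably rely on TestRunner's teardown to end them; a one-line comment saying so would save the next reader the question.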
TargetServices { + // fails the current process could be terminated immediately. + virtual void LowerToken() = 0; + + // Returns the ProcessState object. Through that object it's possible to have + // information about the current state of the process, such as whether + // LowerToken has been called or not. + virtual ProcessState* GetState() = 0; + ++ // Requests the broker to duplicate the supplied handle into the target ++ // process. The target process must be an active sandbox child process ++ // and the source process must have a corresponding policy allowing ++ // handle duplication for this object type. ++ // Returns: ++ // ALL_OK if successful. All other return values imply failure. ++ // If the return is ERROR_GENERIC, you can call ::GetLastError() to get ++ // more information. ++ virtual ResultCode DuplicateHandle(HANDLE source_handle, ++ DWORD target_process_id, ++ HANDLE* target_handle, ++ DWORD desired_access, ++ DWORD options) = 0; ++ + protected: + ~TargetServices() {} + }; + + class PolicyInfo { + public: + // Returns a JSON representation of the policy snapshot. + // This pointer has the same lifetime as this PolicyInfo object. +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h +--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h +@@ -25,28 +25,32 @@ class TargetPolicy { + // exactly like the CreateProcess API does. See the comment at the top of + // process_thread_dispatcher.cc for more details. + enum SubSystem { + SUBSYS_FILES, // Creation and opening of files and pipes. + SUBSYS_NAMED_PIPES, // Creation of named pipes. + SUBSYS_PROCESS, // Creation of child processes. + SUBSYS_REGISTRY, // Creation and opening of registry keys. + SUBSYS_SYNC, // Creation of named sync objects. ++ SUBSYS_HANDLES, // Duplication of handles to other processes. 
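Review bot: The DuplicateHandle comment says the target "must be an active sandbox child process", but the policy side of this patch also accepts the broker itself (HANDLES_DUP_BROKER, matched on `::GetCurrentProcessId()`) and, via BrokerServicesBase::AddTargetPeer, unsandboxed peer processes. Suggest `// The target must be the broker (HANDLES_DUP_BROKER rule), an active sandboxed child, or` / `// an unsandboxed peer registered through BrokerServices::AddTargetPeer (HANDLES_DUP_ANY rule).` It would also help policy authors to state that |desired_access| and |options| are passed through to the broker's DuplicateHandle call once the type-name rule matches (only DUPLICATE_CLOSE_SOURCE is stripped), since that is the scope of what a rule grants.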
+ SUBSYS_WIN32K_LOCKDOWN, // Win32K Lockdown related policy. + SUBSYS_SIGNED_BINARY // Signed binary policy. + }; + + // Allowable semantics when a rule is matched. + enum Semantics { + FILES_ALLOW_ANY, // Allows open or create for any kind of access that + // the file system supports. + FILES_ALLOW_READONLY, // Allows open or create with read access only. + FILES_ALLOW_QUERY, // Allows access to query the attributes of a file. + FILES_ALLOW_DIR_ANY, // Allows open or create with directory semantics + // only. ++ HANDLES_DUP_ANY, // Allows duplicating handles opened with any ++ // access permissions. ++ HANDLES_DUP_BROKER, // Allows duplicating handles to the broker process. + NAMEDPIPES_ALLOW_ANY, // Allows creation of a named pipe. + PROCESS_MIN_EXEC, // Allows to create a process with minimal rights + // over the resulting process and thread handles. + // No other parameters besides the command line are + // passed to the child process. + PROCESS_ALL_EXEC, // Allows the creation of a process and return full + // access on the returned handles. 
+ // This flag can be used only when the main token of +diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc +--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc ++++ b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc +@@ -12,16 +12,17 @@ + #include "base/logging.h" + #include "base/macros.h" + #include "base/stl_util.h" + #include "base/strings/stringprintf.h" + #include "base/win/win_util.h" + #include "base/win/windows_version.h" + #include "sandbox/win/src/acl.h" + #include "sandbox/win/src/filesystem_policy.h" ++#include "sandbox/win/src/handle_policy.h" + #include "sandbox/win/src/interception.h" + #include "sandbox/win/src/job.h" + #include "sandbox/win/src/named_pipe_policy.h" + #include "sandbox/win/src/policy_broker.h" + #include "sandbox/win/src/policy_engine_processor.h" + #include "sandbox/win/src/policy_low_level.h" + #include "sandbox/win/src/process_mitigations.h" + #include "sandbox/win/src/process_mitigations_win32k_policy.h" +@@ -754,16 +755,24 @@ ResultCode PolicyBase::AddRuleInternal(S + } + case SUBSYS_REGISTRY: { + if (!RegistryPolicy::GenerateRules(pattern, semantics, policy_maker_)) { + NOTREACHED(); + return SBOX_ERROR_BAD_PARAMS; + } + break; + } ++ case SUBSYS_HANDLES: { ++ if (!HandlePolicy::GenerateRules(pattern, semantics, policy_maker_)) { ++ NOTREACHED(); ++ return SBOX_ERROR_BAD_PARAMS; ++ } ++ break; ++ } ++ + case SUBSYS_WIN32K_LOCKDOWN: { + // Win32k intercept rules only supported on Windows 8 and above. This must + // match the version checks in process_mitigations.cc for consistency. 
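Review bot: The `SUBSYS_HANDLES` and `HANDLES_DUP_*` comments do not say what the rule pattern is matched against, while the HandlePolicyTest cases in this patch pass the kernel object type name (`L"Event"`) as the pattern, so a reader of sandbox_policy.h alone cannot tell what to supply. The DuplicateBrokerHandle test also shows that `HANDLES_DUP_ANY` alone is denied when the target is the broker and `HANDLES_DUP_BROKER` must be added on top, which the `HANDLES_DUP_BROKER` comment should state explicitly. I would write `SUBSYS_HANDLES, // Duplication of handles into other processes; the rule pattern is the object type name, e.g. L"Event".` and `HANDLES_DUP_BROKER, // Additionally allows duplicating into the broker; HANDLES_DUP_ANY alone does not cover the broker.`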
+ if (base::win::GetVersion() >= base::win::Version::WIN8) { + DCHECK_EQ(MITIGATION_WIN32K_DISABLE, + mitigations_ & MITIGATION_WIN32K_DISABLE) + << "Enable MITIGATION_WIN32K_DISABLE before adding win32k policy " + "rules."; +diff --git a/security/sandbox/chromium/sandbox/win/src/target_services.cc b/security/sandbox/chromium/sandbox/win/src/target_services.cc +--- a/security/sandbox/chromium/sandbox/win/src/target_services.cc ++++ b/security/sandbox/chromium/sandbox/win/src/target_services.cc +@@ -7,16 +7,17 @@ + #include + + #include + #include + + #include "base/win/windows_version.h" + #include "sandbox/win/src/crosscall_client.h" + #include "sandbox/win/src/handle_closer_agent.h" ++#include "sandbox/win/src/handle_interception.h" + #include "sandbox/win/src/heap_helper.h" + #include "sandbox/win/src/ipc_tags.h" + #include "sandbox/win/src/process_mitigations.h" + #include "sandbox/win/src/restricted_token_utils.h" + #include "sandbox/win/src/sandbox.h" + #include "sandbox/win/src/sandbox_nt_util.h" + #include "sandbox/win/src/sandbox_types.h" + #include "sandbox/win/src/sharedmem_ipc_client.h" +@@ -239,9 +240,19 @@ void ProcessState::SetRevertedToSelf() { + if (process_state_ < ProcessStateInternal::REVERTED_TO_SELF) + process_state_ = ProcessStateInternal::REVERTED_TO_SELF; + } + + void ProcessState::SetCsrssConnected(bool csrss_connected) { + csrss_connected_ = csrss_connected; + } + ++ ++ResultCode TargetServicesBase::DuplicateHandle(HANDLE source_handle, ++ DWORD target_process_id, ++ HANDLE* target_handle, ++ DWORD desired_access, ++ DWORD options) { ++ return sandbox::DuplicateHandleProxy(source_handle, target_process_id, ++ target_handle, desired_access, options); ++} ++ + } // namespace sandbox +diff --git a/security/sandbox/chromium/sandbox/win/src/target_services.h b/security/sandbox/chromium/sandbox/win/src/target_services.h +--- a/security/sandbox/chromium/sandbox/win/src/target_services.h ++++ 
b/security/sandbox/chromium/sandbox/win/src/target_services.h +@@ -40,16 +40,21 @@ class ProcessState { + class TargetServicesBase : public TargetServices { + public: + TargetServicesBase(); + + // Public interface of TargetServices. + ResultCode Init() override; + void LowerToken() override; + ProcessState* GetState() override; ++ ResultCode DuplicateHandle(HANDLE source_handle, ++ DWORD target_process_id, ++ HANDLE* target_handle, ++ DWORD desired_access, ++ DWORD options) override; + + // Factory method. + static TargetServicesBase* GetInstance(); + + // Sends a simple IPC Message that has a well-known answer. Returns true + // if the IPC was successful and false otherwise. There are 2 versions of + // this test: 1 and 2. The first one send a simple message while the + // second one send a message with an in/out param. +diff --git a/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc +--- a/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc ++++ b/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc +@@ -5,16 +5,17 @@ + #include "sandbox/win/src/top_level_dispatcher.h" + + #include + #include + + #include "base/logging.h" + #include "sandbox/win/src/crosscall_server.h" + #include "sandbox/win/src/filesystem_dispatcher.h" ++#include "sandbox/win/src/handle_dispatcher.h" + #include "sandbox/win/src/interception.h" + #include "sandbox/win/src/internal_types.h" + #include "sandbox/win/src/ipc_tags.h" + #include "sandbox/win/src/named_pipe_dispatcher.h" + #include "sandbox/win/src/process_mitigations_win32k_dispatcher.h" + #include "sandbox/win/src/process_thread_dispatcher.h" + #include "sandbox/win/src/registry_dispatcher.h" + #include "sandbox/win/src/sandbox_policy_base.h" +@@ -55,16 +56,20 @@ TopLevelDispatcher::TopLevelDispatcher(P + ipc_targets_[static_cast(IpcTag::OPENEVENT)] = dispatcher; + sync_dispatcher_.reset(dispatcher); + + dispatcher = new 
RegistryDispatcher(policy_); + ipc_targets_[static_cast(IpcTag::NTCREATEKEY)] = dispatcher; + ipc_targets_[static_cast(IpcTag::NTOPENKEY)] = dispatcher; + registry_dispatcher_.reset(dispatcher); + ++ dispatcher = new HandleDispatcher(policy_); ++ ipc_targets_[static_cast(IpcTag::DUPLICATEHANDLEPROXY)] = dispatcher; ++ handle_dispatcher_.reset(dispatcher); ++ + dispatcher = new ProcessMitigationsWin32KDispatcher(policy_); + ipc_targets_[static_cast(IpcTag::GDI_GDIDLLINITIALIZE)] = dispatcher; + ipc_targets_[static_cast(IpcTag::GDI_GETSTOCKOBJECT)] = dispatcher; + ipc_targets_[static_cast(IpcTag::USER_REGISTERCLASSW)] = dispatcher; + ipc_targets_[static_cast(IpcTag::USER_ENUMDISPLAYMONITORS)] = + dispatcher; + ipc_targets_[static_cast(IpcTag::USER_ENUMDISPLAYDEVICES)] = + dispatcher; diff --git a/security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h b/security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h new file mode 100644 index 0000000000..3c5f8eea89 --- /dev/null +++ b/security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h 
@@ -0,0 +1,101 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef security_sandbox_loggingCallbacks_h__ +#define security_sandbox_loggingCallbacks_h__ + +#include + +#include "mozilla/Logging.h" +#include "mozilla/Preferences.h" +#include "mozilla/StaticPrefs_security.h" +#include "mozilla/sandboxing/loggingTypes.h" +#include "nsContentUtils.h" + +#include "mozilla/StackWalk.h" + +namespace mozilla { + +static LazyLogModule sSandboxTargetLog("SandboxTarget"); + +#define LOG_D(...) MOZ_LOG(sSandboxTargetLog, LogLevel::Debug, (__VA_ARGS__)) + +namespace sandboxing { + +// NS_WalkStackCallback to write a formatted stack frame to an ostringstream. +static void +StackFrameToOStringStream(uint32_t aFrameNumber, void* aPC, void* aSP, + void* aClosure) +{ + std::ostringstream* stream = static_cast(aClosure); + MozCodeAddressDetails details; + char buf[1024]; + MozDescribeCodeAddress(aPC, &details); + MozFormatCodeAddressDetails(buf, sizeof(buf), aFrameNumber, aPC, &details); + *stream << std::endl << "--" << buf; + stream->flush(); +} + +// Log to the browser console and, if DEBUG build, stderr. +static void +Log(const char* aMessageType, + const char* aFunctionName, + const char* aContext, + const bool aShouldLogStackTrace = false, + const void* aFirstFramePC = nullptr) +{ + std::ostringstream msgStream; + msgStream << "Process Sandbox " << aMessageType << ": " << aFunctionName; + if (aContext) { + msgStream << " for : " << aContext; + } + +#if defined(MOZ_SANDBOX) + // We can only log the stack trace on process types where we know that the + // sandbox won't prevent it. 
+ if (XRE_IsContentProcess() && aShouldLogStackTrace) { + auto stackTraceDepth = + StaticPrefs::security_sandbox_windows_log_stackTraceDepth(); + if (stackTraceDepth) { + msgStream << std::endl << "Stack Trace:"; + MozStackWalk(StackFrameToOStringStream, aFirstFramePC, stackTraceDepth, + &msgStream); + } + } +#endif + std::string msg = msgStream.str(); +#if defined(DEBUG) + // Use NS_DebugBreak directly as we want child process prefix, but not source + // file or line number. + NS_DebugBreak(NS_DEBUG_WARNING, nullptr, msg.c_str(), nullptr, -1); +#endif + + if (nsContentUtils::IsInitialized()) { + nsContentUtils::LogMessageToConsole(msg.c_str()); + } + + // As we don't always have the facility to log to console use MOZ_LOG as well. + LOG_D("%s", msg.c_str()); +} + +// Initialize sandbox logging if required. +static void +InitLoggingIfRequired(ProvideLogFunctionCb aProvideLogFunctionCb) +{ + if (!aProvideLogFunctionCb) { + return; + } + + if (Preferences::GetBool("security.sandbox.logging.enabled") || + PR_GetEnv("MOZ_SANDBOX_LOGGING")) { + aProvideLogFunctionCb(Log); + } +} + +} // sandboxing +} // mozilla + +#endif // security_sandbox_loggingCallbacks_h__ diff --git a/security/sandbox/chromium-shim/sandbox/win/loggingTypes.h b/security/sandbox/chromium-shim/sandbox/win/loggingTypes.h new file mode 100644 index 0000000000..7b75648fc9 --- /dev/null +++ b/security/sandbox/chromium-shim/sandbox/win/loggingTypes.h 
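Review bot: loggingCallbacks.h defines non-inline `static` functions (`StackFrameToOStringStream`, `Log`, `InitLoggingIfRequired`), a `static LazyLogModule sSandboxTargetLog`, and a `LOG_D` macro at header scope, so every translation unit that includes it gets its own copy of the functions and its own log-module instance, and the macro leaks into the includer with no `#undef`. If the header is only ever included from a single .cpp that is harmless, but nothing says so; I would add under the include guard `// NOTE: intended to be included from exactly one translation unit: this header defines static functions and a LazyLogModule rather than declaring them.` or move the definitions into a .cpp and keep only declarations here. The stack walk is gated on `XRE_IsContentProcess()` with a comment that other process types cannot be trusted to complete it; naming which types were found to fail would save the next person from re-enabling it there.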
@@ -0,0 +1,27 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef security_sandbox_loggingTypes_h__ +#define security_sandbox_loggingTypes_h__ + +#include + +namespace mozilla { +namespace sandboxing { + +// We are using callbacks here that are passed in from the core code to prevent +// a circular dependency in the linking during the build. +typedef void (*LogFunction) (const char* aMessageType, + const char* aFunctionName, + const char* aContext, + const bool aShouldLogStackTrace, + const void* aFirstFramePC); +typedef void (*ProvideLogFunctionCb) (LogFunction aLogFunction); + +} // sandboxing +} // mozilla + +#endif // security_sandbox_loggingTypes_h__ diff --git a/security/sandbox/chromium-shim/sandbox/win/sandboxLogging.cpp b/security/sandbox/chromium-shim/sandbox/win/sandboxLogging.cpp new file mode 100644 index 0000000000..a556f9e772 --- /dev/null +++ b/security/sandbox/chromium-shim/sandbox/win/sandboxLogging.cpp 
@@ -0,0 +1,89 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "sandboxLogging.h" + +#include "base/strings/utf_string_conversions.h" +#include "sandbox/win/src/sandbox_policy.h" +#include "mozilla/Attributes.h" +#include "mozilla/StackWalk.h" + +namespace mozilla { +namespace sandboxing { + +static LogFunction sLogFunction = nullptr; + +void +ProvideLogFunction(LogFunction aLogFunction) +{ + sLogFunction = aLogFunction; +} + +static void +LogBlocked(const char* aFunctionName, const char* aContext, const void* aFirstFramePC) +{ + if (sLogFunction) { + sLogFunction("BLOCKED", aFunctionName, aContext, + /* aShouldLogStackTrace */ true, aFirstFramePC); + } +} + +MOZ_NEVER_INLINE void +LogBlocked(const char* aFunctionName, const char* aContext) +{ + if (sLogFunction) { + LogBlocked(aFunctionName, aContext, CallerPC()); + } +} + +MOZ_NEVER_INLINE void +LogBlocked(const char* aFunctionName, const wchar_t* aContext) +{ + if (sLogFunction) { + LogBlocked(aFunctionName, base::WideToUTF8(aContext).c_str(), CallerPC()); + } +} + +MOZ_NEVER_INLINE void +LogBlocked(const char* aFunctionName, const wchar_t* aContext, + uint16_t aLengthInBytes) +{ + if (sLogFunction) { + LogBlocked(aFunctionName, + base::WideToUTF8(std::wstring(aContext, aLengthInBytes / sizeof(wchar_t))).c_str(), + CallerPC()); + } +} + +void +LogAllowed(const char* aFunctionName, const char* aContext) +{ + if (sLogFunction) { + sLogFunction("Broker ALLOWED", aFunctionName, aContext, + /* aShouldLogStackTrace */ false, nullptr); + } +} + +void +LogAllowed(const char* aFunctionName, const wchar_t* aContext) +{ + if (sLogFunction) { + LogAllowed(aFunctionName, base::WideToUTF8(aContext).c_str()); + } +} + +void +LogAllowed(const 
char* aFunctionName, const wchar_t* aContext, + uint16_t aLengthInBytes) +{ + if (sLogFunction) { + LogAllowed(aFunctionName, + base::WideToUTF8(std::wstring(aContext, aLengthInBytes / sizeof(wchar_t))).c_str()); + } +} + +} // sandboxing +} // mozilla diff --git a/security/sandbox/chromium-shim/sandbox/win/sandboxLogging.h b/security/sandbox/chromium-shim/sandbox/win/sandboxLogging.h new file mode 100644 index 0000000000..31c4ddb076 --- /dev/null +++ b/security/sandbox/chromium-shim/sandbox/win/sandboxLogging.h 
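Review bot: The `const wchar_t*` overloads of `LogBlocked` and `LogAllowed` hand `aContext` straight to `base::WideToUTF8` / `std::wstring(aContext, n)` with no null check, whereas the `const char*` form accepts a null context (the header defaults it to `nullptr`) and `Log()` skips it with `if (aContext)`. A caller that has no name for the object being logged and reaches a wide overload with `nullptr` would therefore crash inside the logging path instead of logging without a context — this is inferred from the signatures, as the callers are not in this chunk. I would forward a null context unchanged, e.g. `LogBlocked(aFunctionName, aContext ? base::WideToUTF8(aContext).c_str() : nullptr, CallerPC());` (the temporary std::string lives until the end of the full expression, which is long enough since `sLogFunction` consumes it synchronously), and do the same in the other three wide overloads. Note too that `aLengthInBytes / sizeof(wchar_t)` silently drops an odd trailing byte; that is probably intended for UNICODE_STRING lengths but deserves a one-line comment.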
@@ -0,0 +1,50 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* + * Set of helper methods to implement logging for Windows sandbox. + */ + +#ifndef security_sandbox_sandboxLogging_h__ +#define security_sandbox_sandboxLogging_h__ + +#include "loggingTypes.h" + +namespace sandbox { +class TargetPolicy; +} + +namespace mozilla { +namespace sandboxing { + +// This is used to pass a LogCallback to the sandboxing code, as the logging +// requires code to which we cannot link directly. +void ProvideLogFunction(LogFunction aLogFunction); + +// Log a "BLOCKED" msg to the browser console and, if DEBUG build, stderr. +// If the logging of a stack trace is enabled then a trace starting from the +// caller of the relevant LogBlocked overload will be logged, which should +// normally be the function that triggered the interception. +void LogBlocked(const char* aFunctionName, const char* aContext = nullptr); + +// Convenience functions to convert to char*. +void LogBlocked(const char* aFunctionName, const wchar_t* aContext); +void LogBlocked(const char* aFunctionName, const wchar_t* aContext, + uint16_t aLengthInBytes); + +// Log a "ALLOWED" msg to the browser console and, if DEBUG build, stderr. +void LogAllowed(const char* aFunctionName, const char* aContext = nullptr); + +// Convenience functions to convert to char*. +void LogAllowed(const char* aFunctionName, const wchar_t* aContext); +void LogAllowed(const char* aFunctionName, const wchar_t* aContext, + uint16_t aLengthInBytes); + + +} // sandboxing +} // mozilla + +#endif // security_sandbox_sandboxLogging_h__ 
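Review bot: The declarations of the `uint16_t aLengthInBytes` overloads in sandboxLogging.h do not say that the length is a byte count for a wide string that need not be NUL-terminated, nor that an odd byte is ignored (the .cpp divides by `sizeof(wchar_t)`), and the `const wchar_t*` overloads do not say whether a null `aContext` is accepted the way the `const char*` form's `= nullptr` default implies. These are presumably fed with `UNICODE_STRING` Buffer/Length pairs from intercepted NT calls, which is exactly the reader who needs that contract spelled out. I would replace each `// Convenience functions to convert to char*.` comment with `// Wide-string overloads; aContext is converted to UTF-8 before logging. The aLengthInBytes form takes a byte count (e.g. UNICODE_STRING::Length) for a buffer that need not be NUL-terminated; an odd trailing byte is ignored.`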
diff --git a/security/sandbox/chromium-shim/sandbox/win/src/line_break_common.h b/security/sandbox/chromium-shim/sandbox/win/src/line_break_common.h new file mode 100644 index 0000000000..b712239dde --- /dev/null +++ b/security/sandbox/chromium-shim/sandbox/win/src/line_break_common.h @@ -0,0 +1,31 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef SANDBOX_SRC_LINE_BREAK_COMMON_H_ +#define SANDBOX_SRC_LINE_BREAK_COMMON_H_ + +#include "sandbox/win/src/crosscall_params.h" + +namespace sandbox { + +#if defined(MOZ_DEBUG) +// Set a low max brokered length for testing to exercise the chunking code. +static const std::ptrdiff_t kMaxBrokeredLen = 50; + +#else +// Parameters are stored aligned to sizeof(int64_t). +// So to calculate the maximum length we can use when brokering to the parent, +// we take the max params buffer size, take off 8 for the aligned length and 6 +// and 7 to allow for the maximum padding that can be added to the text and +// break before buffers. We then divide by three, because the text characters +// are wchar_t and the break before elements are uint8_t. +static const std::ptrdiff_t kMaxBrokeredLen = + (ActualCallParams<3, kIPCChannelSize>::MaxParamsSize() - 8 - 6 - 7) / 3; +#endif + +} // namespace sandbox + +#endif // SANDBOX_SRC_LINE_BREAK_COMMON_H_ diff --git a/security/sandbox/chromium-shim/sandbox/win/src/line_break_dispatcher.cc b/security/sandbox/chromium-shim/sandbox/win/src/line_break_dispatcher.cc new file mode 100644 index 0000000000..94401d18fa --- /dev/null +++ b/security/sandbox/chromium-shim/sandbox/win/src/line_break_dispatcher.cc 
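Review bot: `kMaxBrokeredLen` is derived as `(ActualCallParams<3, kIPCChannelSize>::MaxParamsSize() - 8 - 6 - 7) / 3` with no compile-time check that the result is positive, yet the dispatcher compares a `uint32_t` against it (`length > kMaxBrokeredLen`) and the interception only `DCHECK`s at runtime that it exceeds the back-search range. A negative value would not be an error but a silently bypassed bound check on a 32-bit build, where the signed/unsigned comparison converts it to a huge unsigned value. I would pin the invariant where the constant is defined: `static_assert(kMaxBrokeredLen > 0, "IPC params buffer too small to broker any text");` and, if `kBreakSearchRange` is moved into this header from line_break_interception.cc, `static_assert(kMaxBrokeredLen > kBreakSearchRange + 1, "chunk must exceed the back-search range plus a surrogate");` in place of the runtime DCHECK. The MOZ_DEBUG value of 50 satisfies both.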
@@ -0,0 +1,58 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "sandbox/win/src/line_break_dispatcher.h" + +#include "sandbox/win/src/line_break_common.h" +#include "sandbox/win/src/line_break_policy.h" +#include "sandbox/win/src/ipc_tags.h" +#include "sandbox/win/src/policy_params.h" + +namespace sandbox { + +LineBreakDispatcher::LineBreakDispatcher(PolicyBase* policy_base) + : policy_base_(policy_base) { + static const IPCCall get_complex_line_breaks = { + {IpcTag::GETCOMPLEXLINEBREAKS, {INPTR_TYPE, UINT32_TYPE, INOUTPTR_TYPE}}, + reinterpret_cast( + &LineBreakDispatcher::GetComplexLineBreaksCall)}; + + ipc_calls_.push_back(get_complex_line_breaks); +} + +bool LineBreakDispatcher::SetupService(InterceptionManager* manager, + IpcTag service) { + // We perform no interceptions for line breaking right now. + switch (service) { + case IpcTag::GETCOMPLEXLINEBREAKS: + return true; + + default: + return false; + } +} + +bool LineBreakDispatcher::GetComplexLineBreaksCall( + IPCInfo* ipc, CountedBuffer* text_buf, uint32_t length, + CountedBuffer* break_before_buf) { + if (length > kMaxBrokeredLen || + text_buf->Size() != length * sizeof(wchar_t) || + break_before_buf->Size() != length) { + return false; + } + + CountedParameterSet params; + EvalResult eval = + policy_base_->EvalPolicy(IpcTag::GETCOMPLEXLINEBREAKS, params.GetBase()); + auto* text = static_cast(text_buf->Buffer()); + auto* break_before = static_cast(break_before_buf->Buffer()); + ipc->return_info.win32_result = + LineBreakPolicy::GetComplexLineBreaksProxyAction(eval, text, length, + break_before); + return true; +} + +} // namespace sandbox 
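Review bot: `GetComplexLineBreaksCall` is the broker-side trust boundary for this IPC, and its three size checks are all that keep a compromised child from overrunning the fixed-size SCRIPT_ITEM/SCRIPT_LOGATTR arrays in LineBreakPolicy, but nothing in the code says so — and the order matters, since `length > kMaxBrokeredLen` must stay first so that `length * sizeof(wchar_t)` on the next line cannot wrap. I would add above the `if`: `// Untrusted input from the target: length bounds the fixed-size arrays in LineBreakPolicy, so reject it before it feeds the size arithmetic and before either buffer is touched.` A zero `length` passes these checks and is only rejected later when ScriptItemize fails, which surfaces as ERROR_ACCESS_DENIED; returning `false` here for `length == 0` would keep the policy function from ever seeing an empty text, which is a choice worth making explicit either way.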
diff --git a/security/sandbox/chromium-shim/sandbox/win/src/line_break_dispatcher.h b/security/sandbox/chromium-shim/sandbox/win/src/line_break_dispatcher.h new file mode 100644 index 0000000000..774b5c5b56 --- /dev/null +++ b/security/sandbox/chromium-shim/sandbox/win/src/line_break_dispatcher.h @@ -0,0 +1,38 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef SANDBOX_SRC_LINE_BREAK_DISPATCHER_H_ +#define SANDBOX_SRC_LINE_BREAK_DISPATCHER_H_ + +#include "base/macros.h" +#include "sandbox/win/src/crosscall_server.h" +#include "sandbox/win/src/sandbox_policy_base.h" + +namespace sandbox { + +// This class handles line break related IPC calls. +class LineBreakDispatcher final : public Dispatcher { + public: + explicit LineBreakDispatcher(PolicyBase* policy_base); + ~LineBreakDispatcher() final {} + + // Dispatcher interface. + bool SetupService(InterceptionManager* manager, IpcTag service) final; + + private: + // Processes IPC requests coming from calls to + // TargetServices::GetComplexLineBreaks() in the target. + bool GetComplexLineBreaksCall(IPCInfo* ipc, CountedBuffer* text_buf, + uint32_t length, + CountedBuffer* break_before_buf); + + PolicyBase* policy_base_; + DISALLOW_COPY_AND_ASSIGN(LineBreakDispatcher); +}; + +} // namespace sandbox + +#endif // SANDBOX_SRC_LINE_BREAK_DISPATCHER_H_ diff --git a/security/sandbox/chromium-shim/sandbox/win/src/line_break_interception.cc b/security/sandbox/chromium-shim/sandbox/win/src/line_break_interception.cc new file mode 100644 index 0000000000..f2dcda0dc9 --- /dev/null +++ b/security/sandbox/chromium-shim/sandbox/win/src/line_break_interception.cc 
@@ -0,0 +1,108 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "sandbox/win/src/line_break_interception.h" + +#include + +#include "sandbox/win/src/crosscall_client.h" +#include "sandbox/win/src/ipc_tags.h" +#include "sandbox/win/src/line_break_common.h" +#include "sandbox/win/src/sandbox_nt_util.h" +#include "sandbox/win/src/sharedmem_ipc_client.h" + +namespace sandbox { + +static const int kBreakSearchRange = 32; + +ResultCode GetComplexLineBreaksProxy(const wchar_t* aText, uint32_t aLength, + uint8_t* aBreakBefore) { + // Make sure that a test length for kMaxBrokeredLen hasn't been set too small + // allowing for a surrogate pair at the end of a chunk as well. + DCHECK(kMaxBrokeredLen > kBreakSearchRange + 1); + + void* memory = GetGlobalIPCMemory(); + if (!memory) { + return SBOX_ERROR_NO_SPACE; + } + + memset(aBreakBefore, false, aLength); + + SharedMemIPCClient ipc(memory); + + uint8_t* breakBeforeIter = aBreakBefore; + const wchar_t* textIterEnd = aText + aLength; + do { + // Next chunk is either the remaining text or kMaxBrokeredLen long. + const wchar_t* textIter = aText + (breakBeforeIter - aBreakBefore); + const wchar_t* chunkEnd = textIter + kMaxBrokeredLen; + if (chunkEnd < textIterEnd) { + // Make sure we don't split a surrogate pair. + if (IS_HIGH_SURROGATE(*(chunkEnd - 1))) { + --chunkEnd; + } + } else { + // This chunk handles all the (remaining) text. + chunkEnd = textIterEnd; + } + + // Uniscribe seems to often (perhaps always) set the first element to a + // break, so we use chunk_start_reset to hold the known value of the first + // element of a chunk and reset it after Uniscribe processing. 
The only time + // we don't start from an already processed element is the first call, but + // resetting this to false is correct because whether we can break before + // the first character is decided by our caller. + uint8_t chunk_start_reset = *breakBeforeIter; + + uint32_t len = chunkEnd - textIter; + // CountedBuffer takes a wchar_t* even though it doesn't change the buffer. + CountedBuffer textBuf(const_cast(textIter), + sizeof(wchar_t) * len); + InOutCountedBuffer breakBeforeBuf(breakBeforeIter, len); + CrossCallReturn answer = {0}; + ResultCode code = CrossCall(ipc, IpcTag::GETCOMPLEXLINEBREAKS, textBuf, len, + breakBeforeBuf, &answer); + if (SBOX_ALL_OK != code) { + return code; + } + + if (answer.win32_result) { + ::SetLastError(answer.win32_result); + return SBOX_ERROR_GENERIC; + } + + *breakBeforeIter = chunk_start_reset; + + if (chunkEnd == textIterEnd) { + break; + } + + // We couldn't process all of the text in one go, so back up by 32 chars and + // look for a break, then continue from that position. We back up 32 chars + // to try to avoid any false breaks at the end of the buffer caused by us + // splitting it into chunks. + uint8_t* processedToEnd = breakBeforeIter + len; + breakBeforeIter = processedToEnd - kBreakSearchRange; + while (!*breakBeforeIter) { + if (++breakBeforeIter == processedToEnd) { + // We haven't found a break in the search range, so go back to the start + // of our search range to try and ensure we don't get any false breaks + // at the start of the new chunk. + breakBeforeIter = processedToEnd - kBreakSearchRange; + // Make sure we don't split a surrogate pair. + if (IS_LOW_SURROGATE( + *(aText + (breakBeforeIter - aBreakBefore)))) { + ++breakBeforeIter; + } + break; + } + } + } while (true); + + return SBOX_ALL_OK; +} + +} // namespace sandbox 
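Review bot: `GetComplexLineBreaksProxy` reads `aBreakBefore[0]` when `aLength` is 0: with no text, `chunkEnd` collapses to `textIterEnd == aText`, and `chunk_start_reset = *breakBeforeIter` executes before `len` is computed, on a buffer the caller may legitimately have sized to zero (the preceding `memset` with a zero length is also formally undefined if the pointer is null). The IPC then carries a zero-length chunk which, unless ScriptItemize accepts zero characters, the broker answers with ERROR_ACCESS_DENIED, so the call fails for an input that has nothing to break. I would add an early exit at the top of the function, before `GetGlobalIPCMemory()`: `if (aLength == 0) { return SBOX_ALL_OK; }`. The `DCHECK(kMaxBrokeredLen > kBreakSearchRange + 1)` compares two compile-time constants and belongs in a `static_assert` next to their definitions.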
diff --git a/security/sandbox/chromium-shim/sandbox/win/src/line_break_interception.h b/security/sandbox/chromium-shim/sandbox/win/src/line_break_interception.h new file mode 100644 index 0000000000..87681e2e90 --- /dev/null +++ b/security/sandbox/chromium-shim/sandbox/win/src/line_break_interception.h @@ -0,0 +1,19 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef SANDBOX_SRC_LINE_BREAK_INTERCEPTION_H_ +#define SANDBOX_SRC_LINE_BREAK_INTERCEPTION_H_ + +#include "sandbox/win/src/sandbox_types.h" + +namespace sandbox { + +ResultCode GetComplexLineBreaksProxy(const wchar_t* text, uint32_t length, + uint8_t* break_before); + +} // namespace sandbox + +#endif // SANDBOX_SRC_LINE_BREAK_INTERCEPTION_H_ diff --git a/security/sandbox/chromium-shim/sandbox/win/src/line_break_policy.cc b/security/sandbox/chromium-shim/sandbox/win/src/line_break_policy.cc new file mode 100644 index 0000000000..5533232643 --- /dev/null +++ b/security/sandbox/chromium-shim/sandbox/win/src/line_break_policy.cc 
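Review bot: The declaration of `GetComplexLineBreaksProxy` carries no contract: the header does not say that `break_before` must have `length` entries, that it is fully overwritten (the .cc `memset`s it and fills it chunk by chunk), that element 0 always comes back as no-break because the caller decides that, or that the text is brokered in chunks of at most `kMaxBrokeredLen` with the break positions re-synchronised across chunk boundaries. The parameter names also differ from the definition (`text`/`length`/`break_before` vs `aText`/`aLength`/`aBreakBefore`). I would put a short comment above the declaration saying that the function asks the broker for Uniscribe soft-break positions for `text`, sets `break_before[i]` non-zero where a line may break before character i (element 0 is always 0), and returns a sandbox ResultCode with `::GetLastError()` set when it is `SBOX_ERROR_GENERIC`.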
@@ -0,0 +1,66 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "sandbox/win/src/line_break_policy.h" + +#include +#include +#include + +#include "sandbox/win/src/ipc_tags.h" +#include "sandbox/win/src/line_break_common.h" +#include "sandbox/win/src/policy_engine_opcodes.h" +#include "sandbox/win/src/policy_params.h" + +namespace sandbox { + +bool LineBreakPolicy::GenerateRules(const wchar_t* null, + TargetPolicy::Semantics semantics, + LowLevelPolicy* policy) { + if (TargetPolicy::LINE_BREAK_ALLOW != semantics) { + return false; + } + + PolicyRule line_break_rule(ASK_BROKER); + if (!policy->AddRule(IpcTag::GETCOMPLEXLINEBREAKS, &line_break_rule)) { + return false; + } + return true; +} + +/* static */ DWORD LineBreakPolicy::GetComplexLineBreaksProxyAction( + EvalResult eval_result, const wchar_t* text, uint32_t length, + uint8_t* break_before) { + // The only action supported is ASK_BROKER which means call the line breaker. 
+ if (ASK_BROKER != eval_result) { + return ERROR_ACCESS_DENIED; + } + + int outItems = 0; + std::array items; + HRESULT result = ::ScriptItemize(text, length, kMaxBrokeredLen, nullptr, + nullptr, items.data(), &outItems); + if (result != 0) { + return ERROR_ACCESS_DENIED; + } + + std::array slas; + for (int iItem = 0; iItem < outItems; ++iItem) { + uint32_t endOffset = items[iItem + 1].iCharPos; + uint32_t startOffset = items[iItem].iCharPos; + if (FAILED(::ScriptBreak(text + startOffset, endOffset - startOffset, + &items[iItem].a, &slas[startOffset]))) { + return ERROR_ACCESS_DENIED; + } + } + + std::transform(slas.data(), slas.data() + length, break_before, + [](const SCRIPT_LOGATTR& sla) { return sla.fSoftBreak; }); + + return ERROR_SUCCESS; +} + +} // namespace sandbox diff --git a/security/sandbox/chromium-shim/sandbox/win/src/line_break_policy.h b/security/sandbox/chromium-shim/sandbox/win/src/line_break_policy.h new file mode 100644 index 0000000000..89fbf9b207 --- /dev/null +++ b/security/sandbox/chromium-shim/sandbox/win/src/line_break_policy.h 
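Review bot: `GetComplexLineBreaksProxyAction` writes into fixed-size `std::array`s indexed by `length` and by `items[iItem + 1].iCharPos`, but the only bound on `length` is the check in LineBreakDispatcher; the policy function itself trusts its caller while acting on child-supplied data in the broker. A local guard is cheap defence in depth, immediately after the ASK_BROKER check: `if (length == 0 || length > kMaxBrokeredLen) { return ERROR_INVALID_PARAMETER; }`. The ScriptItemize result is better tested with `FAILED(result)` than `result != 0`, since HRESULT is the documented contract, and the Uniscribe documentation asks for an items buffer of `cMaxItems + 1` entries — the array's template arguments are not legible in this listing, so that is worth confirming. The `GenerateRules` parameter is named `null` here but `type_name` in the header; pick one.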
@@ -0,0 +1,35 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef SANDBOX_SRC_LINE_BREAK_POLICY_H_ +#define SANDBOX_SRC_LINE_BREAK_POLICY_H_ + +#include "base/win/windows_types.h" +#include "sandbox/win/src/policy_low_level.h" +#include "sandbox/win/src/sandbox_policy.h" + +namespace sandbox { + +enum EvalResult; + +class LineBreakPolicy { + public: + // Creates the required low-level policy rules to evaluate a high-level + // policy rule for complex line breaks. + static bool GenerateRules(const wchar_t* type_name, + TargetPolicy::Semantics semantics, + LowLevelPolicy* policy); + + // Processes a TargetServices::GetComplexLineBreaks() request from the target. + static DWORD GetComplexLineBreaksProxyAction(EvalResult eval_result, + const wchar_t* text, + uint32_t length, + uint8_t* break_before); +}; + +} // namespace sandbox + +#endif // SANDBOX_SRC_LINE_BREAK_POLICY_H_ diff --git a/security/sandbox/chromium-shim/sandbox/win/src/sandbox_policy_diagnostic.h b/security/sandbox/chromium-shim/sandbox/win/src/sandbox_policy_diagnostic.h new file mode 100644 index 0000000000..5b37ccc556 --- /dev/null +++ b/security/sandbox/chromium-shim/sandbox/win/src/sandbox_policy_diagnostic.h 
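Review bot: The comment on `LineBreakPolicy::GenerateRules` does not say that `type_name` is ignored (the .cc names it `null` and never reads it) or that the only accepted semantics is `TargetPolicy::LINE_BREAK_ALLOW`, with `false` returned otherwise, and the comment on `GetComplexLineBreaksProxyAction` gives no return contract. I would change them to `// Creates the low-level ASK_BROKER rule for GETCOMPLEXLINEBREAKS. type_name is unused; semantics must be LINE_BREAK_ALLOW or false is returned.` and `// Broker-side handler: runs ScriptItemize/ScriptBreak over text[0..length) and writes fSoftBreak into break_before. Returns ERROR_SUCCESS, or ERROR_ACCESS_DENIED if eval_result != ASK_BROKER or Uniscribe fails; length must not exceed kMaxBrokeredLen.` Separately, `enum EvalResult;` is an opaque declaration of an unscoped enum with no fixed underlying type, which is an MSVC extension rather than standard C++; including policy_engine_opcodes.h as the .cc does would avoid relying on it.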
@@ -0,0 +1,31 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// This is a partial implementation of Chromium's source file +// //sandbox/win/src/sandbox_policy_diagnostic.h + +#ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_DIAGNOSTIC_H_ +#define SANDBOX_WIN_SRC_SANDBOX_POLICY_DIAGNOSTIC_H_ + +#include "mozilla/Assertions.h" + +namespace sandbox { + +class PolicyBase; + +class PolicyDiagnostic final : public PolicyInfo { + public: + PolicyDiagnostic(PolicyBase*) {} + ~PolicyDiagnostic() override = default; + const char* JsonString() override { MOZ_CRASH(); } + + private: + DISALLOW_COPY_AND_ASSIGN(PolicyDiagnostic); +}; + +} // namespace sandbox + +#endif // SANDBOX_WIN_SRC_SANDBOX_POLICY_DIAGNOSTIC_H_ diff --git a/security/sandbox/chromium-shim/sandbox/win/src/sidestep_resolver.h b/security/sandbox/chromium-shim/sandbox/win/src/sidestep_resolver.h new file mode 100644 index 0000000000..fe38484b0e --- /dev/null +++ b/security/sandbox/chromium-shim/sandbox/win/src/sidestep_resolver.h 
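Review bot: `PolicyDiagnostic` uses `PolicyInfo`, `PolicyBase` and `DISALLOW_COPY_AND_ASSIGN`, but the header includes only mozilla/Assertions.h, so it compiles only when the includer has already pulled in sandbox.h and base/macros.h. I would add `#include "base/macros.h"` and `#include "sandbox/win/src/sandbox.h"` next to the existing include. A reason string on the crash also makes a stray call easy to triage: `const char* JsonString() override { MOZ_CRASH("PolicyDiagnostic::JsonString is not implemented in this shim"); }`.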
@@ -0,0 +1,58 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + +// This is a dummy version of the Chromium source file +// sandbox/win/src/sidestep_resolver.h, which contains classes that are never +// actually used. We crash in the member functions to ensure this. +// Formatting and guards closely match original file for easy comparison. + +#ifndef SANDBOX_SRC_SIDESTEP_RESOLVER_H__ +#define SANDBOX_SRC_SIDESTEP_RESOLVER_H__ + +#include + +#include "base/macros.h" +#include "sandbox/win/src/nt_internals.h" +#include "sandbox/win/src/resolver.h" + +#include "mozilla/Assertions.h" + +namespace sandbox { + +class SidestepResolverThunk : public ResolverThunk { + public: + SidestepResolverThunk() {} + ~SidestepResolverThunk() override {} + + // Implementation of Resolver::Setup. + NTSTATUS Setup(const void* target_module, + const void* interceptor_module, + const char* target_name, + const char* interceptor_name, + const void* interceptor_entry_point, + void* thunk_storage, + size_t storage_bytes, + size_t* storage_used) override { MOZ_CRASH(); } + + size_t GetThunkSize() const override { MOZ_CRASH(); } + + private: + DISALLOW_COPY_AND_ASSIGN(SidestepResolverThunk); +}; + +class SmartSidestepResolverThunk : public SidestepResolverThunk { + public: + SmartSidestepResolverThunk() {} + ~SmartSidestepResolverThunk() override {} + + private: + DISALLOW_COPY_AND_ASSIGN(SmartSidestepResolverThunk); +}; + +} // namespace sandbox + + +#endif // SANDBOX_SRC_SIDESTEP_RESOLVER_H__ diff --git a/security/sandbox/chromium/LICENSE b/security/sandbox/chromium/LICENSE new file mode 100644 index 0000000000..a32e00ce6b --- /dev/null +++ b/security/sandbox/chromium/LICENSE 
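Review bot: Both `Setup` and `GetThunkSize` terminate with a bare `MOZ_CRASH()`, so a crash report from this stub would carry only a file and line rather than the reason; MOZ_CRASH accepts a reason string, and `MOZ_CRASH("SidestepResolverThunk is not supported in the Mozilla sandbox build")` (and the same for GetThunkSize) would make the intent visible in reports and in the code. SmartSidestepResolverThunk inherits these crashing overrides, so the file comment stating that the classes are never used is the only thing documenting that; a short comment on the derived class saying it deliberately adds nothing would save a reader from looking for missing overrides.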
@@ -0,0 +1,27 @@ +// Copyright 2015 The Chromium Authors. All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived from +// this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/security/sandbox/chromium/base/at_exit.cc b/security/sandbox/chromium/base/at_exit.cc new file mode 100644 index 0000000000..eb7d26cdc7 --- /dev/null +++ b/security/sandbox/chromium/base/at_exit.cc 
@@ -0,0 +1,114 @@ +// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "base/at_exit.h" + +#include +#include +#include + +#include "base/bind.h" +#include "base/callback.h" +#include "base/logging.h" + +namespace base { + +// Keep a stack of registered AtExitManagers. We always operate on the most +// recent, and we should never have more than one outside of testing (for a +// statically linked version of this library). Testing may use the shadow +// version of the constructor, and if we are building a dynamic library we may +// end up with multiple AtExitManagers on the same process. We don't protect +// this for thread-safe access, since it will only be modified in testing. +static AtExitManager* g_top_manager = nullptr; + +static bool g_disable_managers = false; + +AtExitManager::AtExitManager() : next_manager_(g_top_manager) { +// If multiple modules instantiate AtExitManagers they'll end up living in this +// module... they have to coexist. 
+#if !defined(COMPONENT_BUILD) + DCHECK(!g_top_manager); +#endif + g_top_manager = this; +} + +AtExitManager::~AtExitManager() { + if (!g_top_manager) { + NOTREACHED() << "Tried to ~AtExitManager without an AtExitManager"; + return; + } + DCHECK_EQ(this, g_top_manager); + + if (!g_disable_managers) + ProcessCallbacksNow(); + g_top_manager = next_manager_; +} + +// static +void AtExitManager::RegisterCallback(AtExitCallbackType func, void* param) { + DCHECK(func); + RegisterTask(base::BindOnce(func, param)); +} + +// static +void AtExitManager::RegisterTask(base::OnceClosure task) { + if (!g_top_manager) { + NOTREACHED() << "Tried to RegisterCallback without an AtExitManager"; + return; + } + + AutoLock lock(g_top_manager->lock_); +#if DCHECK_IS_ON() + DCHECK(!g_top_manager->processing_callbacks_); +#endif + g_top_manager->stack_.push(std::move(task)); +} + +// static +void AtExitManager::ProcessCallbacksNow() { + if (!g_top_manager) { + NOTREACHED() << "Tried to ProcessCallbacksNow without an AtExitManager"; + return; + } + + // Callbacks may try to add new callbacks, so run them without holding + // |lock_|. This is an error and caught by the DCHECK in RegisterTask(), but + // handle it gracefully in release builds so we don't deadlock. + base::stack tasks; + { + AutoLock lock(g_top_manager->lock_); + tasks.swap(g_top_manager->stack_); +#if DCHECK_IS_ON() + g_top_manager->processing_callbacks_ = true; +#endif + } + + // Relax the cross-thread access restriction to non-thread-safe RefCount. + // It's safe since all other threads should be terminated at this point. + ScopedAllowCrossThreadRefCountAccess allow_cross_thread_ref_count_access; + + while (!tasks.empty()) { + std::move(tasks.top()).Run(); + tasks.pop(); + } + +#if DCHECK_IS_ON() + AutoLock lock(g_top_manager->lock_); + // Expect that all callbacks have been run. 
+ DCHECK(g_top_manager->stack_.empty()); + g_top_manager->processing_callbacks_ = false; +#endif +} + +void AtExitManager::DisableAllAtExitManagers() { + AutoLock lock(g_top_manager->lock_); + g_disable_managers = true; +} + +AtExitManager::AtExitManager(bool shadow) : next_manager_(g_top_manager) { + DCHECK(shadow || !g_top_manager); + g_top_manager = this; +} + +} // namespace base diff --git a/security/sandbox/chromium/base/at_exit.h b/security/sandbox/chromium/base/at_exit.h new file mode 100644 index 0000000000..fa652ac0c9 --- /dev/null +++ b/security/sandbox/chromium/base/at_exit.h 
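Review bot: DisableAllAtExitManagers() takes `g_top_manager->lock_` without first checking `g_top_manager`, whereas RegisterTask() and ProcessCallbacksNow() in the same hunk guard the null case with NOTREACHED() and return; called before any AtExitManager exists, this is a null dereference. I would add the same guard ahead of the lock: `if (!g_top_manager) { NOTREACHED() << "Tried to DisableAllAtExitManagers without an AtExitManager"; return; }`. Note also that `g_disable_managers` is written under `lock_` here but read in `~AtExitManager()` without it; the file-level comment only explains the lack of locking for `g_top_manager`, so a short comment at the read site (e.g. `// Unsynchronized read: g_disable_managers is only flipped in single-process mode before teardown — confirm.`) would document why that is considered acceptable.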
@@ -0,0 +1,87 @@ +// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef BASE_AT_EXIT_H_ +#define BASE_AT_EXIT_H_ + +#include "base/base_export.h" +#include "base/callback.h" +#include "base/containers/stack.h" +#include "base/macros.h" +#include "base/synchronization/lock.h" +#include "base/thread_annotations.h" + +namespace base { + +// This class provides a facility similar to the CRT atexit(), except that +// we control when the callbacks are executed. Under Windows for a DLL they +// happen at a really bad time and under the loader lock. This facility is +// mostly used by base::Singleton. +// +// The usage is simple. Early in the main() or WinMain() scope create an +// AtExitManager object on the stack: +// int main(...) { +// base::AtExitManager exit_manager; +// +// } +// When the exit_manager object goes out of scope, all the registered +// callbacks and singleton destructors will be called. + +class BASE_EXPORT AtExitManager { + public: + typedef void (*AtExitCallbackType)(void*); + + AtExitManager(); + + // The dtor calls all the registered callbacks. Do not try to register more + // callbacks after this point. + ~AtExitManager(); + + // Registers the specified function to be called at exit. The prototype of + // the callback function is void func(void*). + static void RegisterCallback(AtExitCallbackType func, void* param); + + // Registers the specified task to be called at exit. + static void RegisterTask(base::OnceClosure task); + + // Calls the functions registered with RegisterCallback in LIFO order. It + // is possible to register new callbacks after calling this function. + static void ProcessCallbacksNow(); + + // Disable all registered at-exit callbacks. This is used only in a single- + // process mode. 
+ static void DisableAllAtExitManagers(); + + protected: + // This constructor will allow this instance of AtExitManager to be created + // even if one already exists. This should only be used for testing! + // AtExitManagers are kept on a global stack, and it will be removed during + // destruction. This allows you to shadow another AtExitManager. + explicit AtExitManager(bool shadow); + + private: + base::Lock lock_; + + base::stack stack_ GUARDED_BY(lock_); + +#if DCHECK_IS_ON() + bool processing_callbacks_ GUARDED_BY(lock_) = false; +#endif + + // Stack of managers to allow shadowing. + AtExitManager* const next_manager_; + + DISALLOW_COPY_AND_ASSIGN(AtExitManager); +}; + +#if defined(UNIT_TEST) +class ShadowingAtExitManager : public AtExitManager { + public: + ShadowingAtExitManager() : AtExitManager(true) {} +}; +#endif // defined(UNIT_TEST) + +} // namespace base + +#endif // BASE_AT_EXIT_H_ diff --git a/security/sandbox/chromium/base/atomic_ref_count.h b/security/sandbox/chromium/base/atomic_ref_count.h new file mode 100644 index 0000000000..5e48c82380 --- /dev/null +++ b/security/sandbox/chromium/base/atomic_ref_count.h 
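Review bot: The header decides whether `processing_callbacks_` exists with `#if DCHECK_IS_ON()`, but it never includes the header that defines DCHECK_IS_ON (base/logging.h in Chromium), so it depends on base/callback.h, base/containers/stack.h or base/synchronization/lock.h pulling it in transitively; add `#include "base/logging.h"` explicitly so the condition cannot silently evaluate differently in another translation unit. Because the member is conditional, `sizeof(AtExitManager)` differs between DCHECK-on and DCHECK-off builds, which is an ODR hazard if any consumer is ever compiled with a different setting; a comment on the member such as `// Only present in DCHECK builds; every TU that sees this class must agree on DCHECK_IS_ON().` would record that constraint. Separately, the comment on ProcessCallbacksNow() says it is possible to register new callbacks after calling it, while the implementation in at_exit.cc DCHECKs that no registration happens while callbacks are running; `// New callbacks may be registered once this returns, but not from within a callback.` would be more precise.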
@@ -0,0 +1,69 @@ +// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// This is a low level implementation of atomic semantics for reference +// counting. Please use base/memory/ref_counted.h directly instead. + +#ifndef BASE_ATOMIC_REF_COUNT_H_ +#define BASE_ATOMIC_REF_COUNT_H_ + +#include + +namespace base { + +class AtomicRefCount { + public: + constexpr AtomicRefCount() : ref_count_(0) {} + explicit constexpr AtomicRefCount(int initial_value) + : ref_count_(initial_value) {} + + // Increment a reference count. + // Returns the previous value of the count. + int Increment() { return Increment(1); } + + // Increment a reference count by "increment", which must exceed 0. + // Returns the previous value of the count. + int Increment(int increment) { + return ref_count_.fetch_add(increment, std::memory_order_relaxed); + } + + // Decrement a reference count, and return whether the result is non-zero. + // Insert barriers to ensure that state written before the reference count + // became zero will be visible to a thread that has just made the count zero. + bool Decrement() { + // TODO(jbroman): Technically this doesn't need to be an acquire operation + // unless the result is 1 (i.e., the ref count did indeed reach zero). + // However, there are toolchain issues that make that not work as well at + // present (notably TSAN doesn't like it). + return ref_count_.fetch_sub(1, std::memory_order_acq_rel) != 1; + } + + // Return whether the reference count is one. If the reference count is used + // in the conventional way, a refrerence count of 1 implies that the current + // thread owns the reference and no other thread shares it. This call + // performs the test for a reference count of one, and performs the memory + // barrier needed for the owning thread to act on the object, knowing that it + // has exclusive access to the object. 
+ bool IsOne() const { return ref_count_.load(std::memory_order_acquire) == 1; } + + // Return whether the reference count is zero. With conventional object + // referencing counting, the object will be destroyed, so the reference count + // should never be zero. Hence this is generally used for a debug check. + bool IsZero() const { + return ref_count_.load(std::memory_order_acquire) == 0; + } + + // Returns the current reference count (with no barriers). This is subtle, and + // should be used only for debugging. + int SubtleRefCountForDebug() const { + return ref_count_.load(std::memory_order_relaxed); + } + + private: + std::atomic_int ref_count_; +}; + +} // namespace base + +#endif // BASE_ATOMIC_REF_COUNT_H_ diff --git a/security/sandbox/chromium/base/atomic_sequence_num.h b/security/sandbox/chromium/base/atomic_sequence_num.h new file mode 100644 index 0000000000..717e37a60b --- /dev/null +++ b/security/sandbox/chromium/base/atomic_sequence_num.h @@ -0,0 +1,33 @@ +// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef BASE_ATOMIC_SEQUENCE_NUM_H_ +#define BASE_ATOMIC_SEQUENCE_NUM_H_ + +#include + +#include "base/macros.h" + +namespace base { + +// AtomicSequenceNumber is a thread safe increasing sequence number generator. +// Its constructor doesn't emit a static initializer, so it's safe to use as a +// global variable or static member. +class AtomicSequenceNumber { + public: + constexpr AtomicSequenceNumber() = default; + + // Returns an increasing sequence number starts from 0 for each call. + // This function can be called from any thread without data race. + inline int GetNext() { return seq_.fetch_add(1, std::memory_order_relaxed); } + + private: + std::atomic_int seq_{0}; + + DISALLOW_COPY_AND_ASSIGN(AtomicSequenceNumber); +}; + +} // namespace base + +#endif // BASE_ATOMIC_SEQUENCE_NUM_H_ 
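Review bot: `Increment(int increment)` documents that the argument "must exceed 0" but nothing enforces it, and Decrement() detects the last reference by comparing the previous value with 1, so a zero or negative increment quietly undermines that test; since the header cannot pull in DCHECK without a new include, at least spell out the consequence in the comment, e.g. `// Passing a value <= 0 is a bug: Decrement() assumes the count only ever moves down by exactly one.` The counter is a plain `std::atomic_int`, so an unbounded number of increments overflows a signed int, which is undefined behaviour; a one-line note that callers are responsible for keeping the count in range is worth adding. Also, the IsOne() comment misspells "refrerence".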
diff --git a/security/sandbox/chromium/base/atomicops.h b/security/sandbox/chromium/base/atomicops.h new file mode 100644 index 0000000000..429e2457fc --- /dev/null +++ b/security/sandbox/chromium/base/atomicops.h 
@@ -0,0 +1,150 @@ +// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// For atomic operations on reference counts, see atomic_refcount.h. +// For atomic operations on sequence numbers, see atomic_sequence_num.h. + +// The routines exported by this module are subtle. If you use them, even if +// you get the code right, it will depend on careful reasoning about atomicity +// and memory ordering; it will be less readable, and harder to maintain. If +// you plan to use these routines, you should have a good reason, such as solid +// evidence that performance would otherwise suffer, or there being no +// alternative. You should assume only properties explicitly guaranteed by the +// specifications in this file. You are almost certainly _not_ writing code +// just for the x86; if you assume x86 semantics, x86 hardware bugs and +// implementations on other archtectures will cause your code to break. If you +// do not know what you are doing, avoid these routines, and use a Mutex. +// +// It is incorrect to make direct assignments to/from an atomic variable. +// You should use one of the Load or Store routines. The NoBarrier +// versions are provided when no barriers are needed: +// NoBarrier_Store() +// NoBarrier_Load() +// Although there are currently no compiler enforcement, you are encouraged +// to use these. +// + +#ifndef BASE_ATOMICOPS_H_ +#define BASE_ATOMICOPS_H_ + +#include + +// Small C++ header which defines implementation specific macros used to +// identify the STL implementation. +// - libc++: captures __config for _LIBCPP_VERSION +// - libstdc++: captures bits/c++config.h for __GLIBCXX__ +#include + +#include "base/base_export.h" +#include "build/build_config.h" + +namespace base { +namespace subtle { + +typedef int32_t Atomic32; +#ifdef ARCH_CPU_64_BITS +// We need to be able to go between Atomic64 and AtomicWord implicitly. 
This +// means Atomic64 and AtomicWord should be the same type on 64-bit. +#if defined(__ILP32__) || defined(OS_NACL) +// NaCl's intptr_t is not actually 64-bits on 64-bit! +// http://code.google.com/p/nativeclient/issues/detail?id=1162 +typedef int64_t Atomic64; +#else +typedef intptr_t Atomic64; +#endif +#endif + +// Use AtomicWord for a machine-sized pointer. It will use the Atomic32 or +// Atomic64 routines below, depending on your architecture. +typedef intptr_t AtomicWord; + +// Atomically execute: +// result = *ptr; +// if (*ptr == old_value) +// *ptr = new_value; +// return result; +// +// I.e., replace "*ptr" with "new_value" if "*ptr" used to be "old_value". +// Always return the old value of "*ptr" +// +// This routine implies no memory barriers. +Atomic32 NoBarrier_CompareAndSwap(volatile Atomic32* ptr, + Atomic32 old_value, + Atomic32 new_value); + +// Atomically store new_value into *ptr, returning the previous value held in +// *ptr. This routine implies no memory barriers. +Atomic32 NoBarrier_AtomicExchange(volatile Atomic32* ptr, Atomic32 new_value); + +// Atomically increment *ptr by "increment". Returns the new value of +// *ptr with the increment applied. This routine implies no memory barriers. +Atomic32 NoBarrier_AtomicIncrement(volatile Atomic32* ptr, Atomic32 increment); + +Atomic32 Barrier_AtomicIncrement(volatile Atomic32* ptr, + Atomic32 increment); + +// These following lower-level operations are typically useful only to people +// implementing higher-level synchronization operations like spinlocks, +// mutexes, and condition-variables. They combine CompareAndSwap(), a load, or +// a store with appropriate memory-ordering instructions. "Acquire" operations +// ensure that no later memory access can be reordered ahead of the operation. +// "Release" operations ensure that no previous memory access can be reordered +// after the operation. "Barrier" operations have both "Acquire" and "Release" +// semantics. 
+Atomic32 Acquire_CompareAndSwap(volatile Atomic32* ptr, + Atomic32 old_value, + Atomic32 new_value); +Atomic32 Release_CompareAndSwap(volatile Atomic32* ptr, + Atomic32 old_value, + Atomic32 new_value); + +void NoBarrier_Store(volatile Atomic32* ptr, Atomic32 value); +void Acquire_Store(volatile Atomic32* ptr, Atomic32 value); +void Release_Store(volatile Atomic32* ptr, Atomic32 value); + +Atomic32 NoBarrier_Load(volatile const Atomic32* ptr); +Atomic32 Acquire_Load(volatile const Atomic32* ptr); +Atomic32 Release_Load(volatile const Atomic32* ptr); + +// 64-bit atomic operations (only available on 64-bit processors). +#ifdef ARCH_CPU_64_BITS +Atomic64 NoBarrier_CompareAndSwap(volatile Atomic64* ptr, + Atomic64 old_value, + Atomic64 new_value); +Atomic64 NoBarrier_AtomicExchange(volatile Atomic64* ptr, Atomic64 new_value); +Atomic64 NoBarrier_AtomicIncrement(volatile Atomic64* ptr, Atomic64 increment); +Atomic64 Barrier_AtomicIncrement(volatile Atomic64* ptr, Atomic64 increment); + +Atomic64 Acquire_CompareAndSwap(volatile Atomic64* ptr, + Atomic64 old_value, + Atomic64 new_value); +Atomic64 Release_CompareAndSwap(volatile Atomic64* ptr, + Atomic64 old_value, + Atomic64 new_value); +void NoBarrier_Store(volatile Atomic64* ptr, Atomic64 value); +void Acquire_Store(volatile Atomic64* ptr, Atomic64 value); +void Release_Store(volatile Atomic64* ptr, Atomic64 value); +Atomic64 NoBarrier_Load(volatile const Atomic64* ptr); +Atomic64 Acquire_Load(volatile const Atomic64* ptr); +Atomic64 Release_Load(volatile const Atomic64* ptr); +#endif // ARCH_CPU_64_BITS + +} // namespace subtle +} // namespace base + +#if defined(OS_WIN) && defined(ARCH_CPU_X86_FAMILY) +// TODO(jfb): Try to use base/atomicops_internals_portable.h everywhere. +// https://crbug.com/559247. 
+# include "base/atomicops_internals_x86_msvc.h" +#else +# include "base/atomicops_internals_portable.h" +#endif + +// On some platforms we need additional declarations to make +// AtomicWord compatible with our other Atomic* types. +#if defined(OS_MACOSX) || defined(OS_OPENBSD) +#include "base/atomicops_internals_atomicword_compat.h" +#endif + +#endif // BASE_ATOMICOPS_H_ diff --git a/security/sandbox/chromium/base/atomicops_internals_portable.h b/security/sandbox/chromium/base/atomicops_internals_portable.h new file mode 100644 index 0000000000..3b75be32c4 --- /dev/null +++ b/security/sandbox/chromium/base/atomicops_internals_portable.h 
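Review bot: The header declares `Acquire_Store` and `Release_Load` next to the conventional `Release_Store`/`Acquire_Load` pair, but the explanatory paragraph above the Acquire_CompareAndSwap declarations never says what those two mean, and the portable backend added in this same series notes they have no C++11 counterpart and emulates them with a full fence; a comment on the declarations, e.g. `// Acquire_Store/Release_Load have no C++11 equivalent and are emulated with a seq_cst fence; prefer Release_Store/Acquire_Load for publish/consume.`, would steer new callers to the cheaper, well-defined pair. The NoBarrier paragraph also states that direct assignment to or from an atomic variable is incorrect, which is worth restating near the `#include` selection at the bottom, since the MSVC backend this header picks for OS_WIN on x86 implements its plain loads and stores as volatile assignments.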
@@ -0,0 +1,219 @@ +// Copyright (c) 2014 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// This file is an internal atomic implementation, use atomicops.h instead. +// +// This implementation uses C++11 atomics' member functions. The code base is +// currently written assuming atomicity revolves around accesses instead of +// C++11's memory locations. The burden is on the programmer to ensure that all +// memory locations accessed atomically are never accessed non-atomically (tsan +// should help with this). +// +// TODO(jfb) Modify the atomicops.h API and user code to declare atomic +// locations as truly atomic. See the static_assert below. +// +// Of note in this implementation: +// * All NoBarrier variants are implemented as relaxed. +// * All Barrier variants are implemented as sequentially-consistent. +// * Compare exchange's failure ordering is always the same as the success one +// (except for release, which fails as relaxed): using a weaker ordering is +// only valid under certain uses of compare exchange. +// * Acquire store doesn't exist in the C11 memory model, it is instead +// implemented as a relaxed store followed by a sequentially consistent +// fence. +// * Release load doesn't exist in the C11 memory model, it is instead +// implemented as sequentially consistent fence followed by a relaxed load. +// * Atomic increment is expected to return the post-incremented value, whereas +// C11 fetch add returns the previous value. The implementation therefore +// needs to increment twice (which the compiler should be able to detect and +// optimize). + +#ifndef BASE_ATOMICOPS_INTERNALS_PORTABLE_H_ +#define BASE_ATOMICOPS_INTERNALS_PORTABLE_H_ + +#include + +#include "build/build_config.h" + +namespace base { +namespace subtle { + +// This implementation is transitional and maintains the original API for +// atomicops.h. 
This requires casting memory locations to the atomic types, and +// assumes that the API and the C++11 implementation are layout-compatible, +// which isn't true for all implementations or hardware platforms. The static +// assertion should detect this issue, were it to fire then this header +// shouldn't be used. +// +// TODO(jfb) If this header manages to stay committed then the API should be +// modified, and all call sites updated. +typedef volatile std::atomic* AtomicLocation32; +static_assert(sizeof(*(AtomicLocation32) nullptr) == sizeof(Atomic32), + "incompatible 32-bit atomic layout"); + +inline Atomic32 NoBarrier_CompareAndSwap(volatile Atomic32* ptr, + Atomic32 old_value, + Atomic32 new_value) { + ((AtomicLocation32)ptr) + ->compare_exchange_strong(old_value, + new_value, + std::memory_order_relaxed, + std::memory_order_relaxed); + return old_value; +} + +inline Atomic32 NoBarrier_AtomicExchange(volatile Atomic32* ptr, + Atomic32 new_value) { + return ((AtomicLocation32)ptr) + ->exchange(new_value, std::memory_order_relaxed); +} + +inline Atomic32 NoBarrier_AtomicIncrement(volatile Atomic32* ptr, + Atomic32 increment) { + return increment + + ((AtomicLocation32)ptr) + ->fetch_add(increment, std::memory_order_relaxed); +} + +inline Atomic32 Barrier_AtomicIncrement(volatile Atomic32* ptr, + Atomic32 increment) { + return increment + ((AtomicLocation32)ptr)->fetch_add(increment); +} + +inline Atomic32 Acquire_CompareAndSwap(volatile Atomic32* ptr, + Atomic32 old_value, + Atomic32 new_value) { + ((AtomicLocation32)ptr) + ->compare_exchange_strong(old_value, + new_value, + std::memory_order_acquire, + std::memory_order_acquire); + return old_value; +} + +inline Atomic32 Release_CompareAndSwap(volatile Atomic32* ptr, + Atomic32 old_value, + Atomic32 new_value) { + ((AtomicLocation32)ptr) + ->compare_exchange_strong(old_value, + new_value, + std::memory_order_release, + std::memory_order_relaxed); + return old_value; +} + +inline void NoBarrier_Store(volatile 
Atomic32* ptr, Atomic32 value) { + ((AtomicLocation32)ptr)->store(value, std::memory_order_relaxed); +} + +inline void Acquire_Store(volatile Atomic32* ptr, Atomic32 value) { + ((AtomicLocation32)ptr)->store(value, std::memory_order_relaxed); + std::atomic_thread_fence(std::memory_order_seq_cst); +} + +inline void Release_Store(volatile Atomic32* ptr, Atomic32 value) { + ((AtomicLocation32)ptr)->store(value, std::memory_order_release); +} + +inline Atomic32 NoBarrier_Load(volatile const Atomic32* ptr) { + return ((AtomicLocation32)ptr)->load(std::memory_order_relaxed); +} + +inline Atomic32 Acquire_Load(volatile const Atomic32* ptr) { + return ((AtomicLocation32)ptr)->load(std::memory_order_acquire); +} + +inline Atomic32 Release_Load(volatile const Atomic32* ptr) { + std::atomic_thread_fence(std::memory_order_seq_cst); + return ((AtomicLocation32)ptr)->load(std::memory_order_relaxed); +} + +#if defined(ARCH_CPU_64_BITS) + +typedef volatile std::atomic* AtomicLocation64; +static_assert(sizeof(*(AtomicLocation64) nullptr) == sizeof(Atomic64), + "incompatible 64-bit atomic layout"); + +inline Atomic64 NoBarrier_CompareAndSwap(volatile Atomic64* ptr, + Atomic64 old_value, + Atomic64 new_value) { + ((AtomicLocation64)ptr) + ->compare_exchange_strong(old_value, + new_value, + std::memory_order_relaxed, + std::memory_order_relaxed); + return old_value; +} + +inline Atomic64 NoBarrier_AtomicExchange(volatile Atomic64* ptr, + Atomic64 new_value) { + return ((AtomicLocation64)ptr) + ->exchange(new_value, std::memory_order_relaxed); +} + +inline Atomic64 NoBarrier_AtomicIncrement(volatile Atomic64* ptr, + Atomic64 increment) { + return increment + + ((AtomicLocation64)ptr) + ->fetch_add(increment, std::memory_order_relaxed); +} + +inline Atomic64 Barrier_AtomicIncrement(volatile Atomic64* ptr, + Atomic64 increment) { + return increment + ((AtomicLocation64)ptr)->fetch_add(increment); +} + +inline Atomic64 Acquire_CompareAndSwap(volatile Atomic64* ptr, + Atomic64 old_value, + 
Atomic64 new_value) { + ((AtomicLocation64)ptr) + ->compare_exchange_strong(old_value, + new_value, + std::memory_order_acquire, + std::memory_order_acquire); + return old_value; +} + +inline Atomic64 Release_CompareAndSwap(volatile Atomic64* ptr, + Atomic64 old_value, + Atomic64 new_value) { + ((AtomicLocation64)ptr) + ->compare_exchange_strong(old_value, + new_value, + std::memory_order_release, + std::memory_order_relaxed); + return old_value; +} + +inline void NoBarrier_Store(volatile Atomic64* ptr, Atomic64 value) { + ((AtomicLocation64)ptr)->store(value, std::memory_order_relaxed); +} + +inline void Acquire_Store(volatile Atomic64* ptr, Atomic64 value) { + ((AtomicLocation64)ptr)->store(value, std::memory_order_relaxed); + std::atomic_thread_fence(std::memory_order_seq_cst); +} + +inline void Release_Store(volatile Atomic64* ptr, Atomic64 value) { + ((AtomicLocation64)ptr)->store(value, std::memory_order_release); +} + +inline Atomic64 NoBarrier_Load(volatile const Atomic64* ptr) { + return ((AtomicLocation64)ptr)->load(std::memory_order_relaxed); +} + +inline Atomic64 Acquire_Load(volatile const Atomic64* ptr) { + return ((AtomicLocation64)ptr)->load(std::memory_order_acquire); +} + +inline Atomic64 Release_Load(volatile const Atomic64* ptr) { + std::atomic_thread_fence(std::memory_order_seq_cst); + return ((AtomicLocation64)ptr)->load(std::memory_order_relaxed); +} + +#endif // defined(ARCH_CPU_64_BITS) +} // namespace subtle +} // namespace base + +#endif // BASE_ATOMICOPS_INTERNALS_PORTABLE_H_ diff --git a/security/sandbox/chromium/base/atomicops_internals_x86_msvc.h b/security/sandbox/chromium/base/atomicops_internals_x86_msvc.h new file mode 100644 index 0000000000..d9846f64b8 --- /dev/null +++ b/security/sandbox/chromium/base/atomicops_internals_x86_msvc.h 
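Review bot: The `static_assert` that guards the `(AtomicLocation32)ptr` cast checks only `sizeof`, but the cast also requires that the `std::atomic` type have the same alignment as `Atomic32` and be lock-free (a non-lock-free atomic may carry state the plain object does not have); I would extend the check with `static_assert(alignof(std::atomic<Atomic32>) == alignof(Atomic32), "incompatible 32-bit atomic alignment");` and, if the build is C++17, `static_assert(std::atomic<Atomic32>::is_always_lock_free, "32-bit atomics must be lock-free");`, with the same pair for the 64-bit typedef. The casts themselves are C-style; `reinterpret_cast<AtomicLocation32>(ptr)` would make the intentional type punning greppable. The header comment already admits the layout assumption is not guaranteed by the standard, so the extra asserts only turn that warning into a compile-time check rather than changing behaviour.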
@@ -0,0 +1,179 @@ +// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// This file is an internal atomic implementation, use base/atomicops.h instead. + +#ifndef BASE_ATOMICOPS_INTERNALS_X86_MSVC_H_ +#define BASE_ATOMICOPS_INTERNALS_X86_MSVC_H_ + +#include "base/win/windows_types.h" + +#include + +#include + +#include "base/macros.h" +#include "build/build_config.h" + +namespace base { +namespace subtle { + +inline Atomic32 NoBarrier_CompareAndSwap(volatile Atomic32* ptr, + Atomic32 old_value, + Atomic32 new_value) { + LONG result = _InterlockedCompareExchange( + reinterpret_cast(ptr), + static_cast(new_value), + static_cast(old_value)); + return static_cast(result); +} + +inline Atomic32 NoBarrier_AtomicExchange(volatile Atomic32* ptr, + Atomic32 new_value) { + LONG result = _InterlockedExchange( + reinterpret_cast(ptr), + static_cast(new_value)); + return static_cast(result); +} + +inline Atomic32 Barrier_AtomicIncrement(volatile Atomic32* ptr, + Atomic32 increment) { + return _InterlockedExchangeAdd( + reinterpret_cast(ptr), + static_cast(increment)) + increment; +} + +inline Atomic32 NoBarrier_AtomicIncrement(volatile Atomic32* ptr, + Atomic32 increment) { + return Barrier_AtomicIncrement(ptr, increment); +} + +inline Atomic32 Acquire_CompareAndSwap(volatile Atomic32* ptr, + Atomic32 old_value, + Atomic32 new_value) { + return NoBarrier_CompareAndSwap(ptr, old_value, new_value); +} + +inline Atomic32 Release_CompareAndSwap(volatile Atomic32* ptr, + Atomic32 old_value, + Atomic32 new_value) { + return NoBarrier_CompareAndSwap(ptr, old_value, new_value); +} + +inline void NoBarrier_Store(volatile Atomic32* ptr, Atomic32 value) { + *ptr = value; +} + +inline void Acquire_Store(volatile Atomic32* ptr, Atomic32 value) { + NoBarrier_AtomicExchange(ptr, value); + // acts as a barrier in this implementation +} + +inline void 
Release_Store(volatile Atomic32* ptr, Atomic32 value) { + *ptr = value; // works w/o barrier for current Intel chips as of June 2005 + // See comments in Atomic64 version of Release_Store() below. +} + +inline Atomic32 NoBarrier_Load(volatile const Atomic32* ptr) { + return *ptr; +} + +inline Atomic32 Acquire_Load(volatile const Atomic32* ptr) { + Atomic32 value = *ptr; + return value; +} + +inline Atomic32 Release_Load(volatile const Atomic32* ptr) { + std::atomic_thread_fence(std::memory_order_seq_cst); + return *ptr; +} + +#if defined(_WIN64) + +// 64-bit low-level operations on 64-bit platform. + +static_assert(sizeof(Atomic64) == sizeof(PVOID), "atomic word is atomic"); + +inline Atomic64 NoBarrier_CompareAndSwap(volatile Atomic64* ptr, + Atomic64 old_value, + Atomic64 new_value) { + PVOID result = _InterlockedCompareExchangePointer( + reinterpret_cast(ptr), + reinterpret_cast(new_value), reinterpret_cast(old_value)); + return reinterpret_cast(result); +} + +inline Atomic64 NoBarrier_AtomicExchange(volatile Atomic64* ptr, + Atomic64 new_value) { + PVOID result = + _InterlockedExchangePointer(reinterpret_cast(ptr), + reinterpret_cast(new_value)); + return reinterpret_cast(result); +} + +inline Atomic64 Barrier_AtomicIncrement(volatile Atomic64* ptr, + Atomic64 increment) { + return _InterlockedExchangeAdd64(reinterpret_cast(ptr), + static_cast(increment)) + + increment; +} + +inline Atomic64 NoBarrier_AtomicIncrement(volatile Atomic64* ptr, + Atomic64 increment) { + return Barrier_AtomicIncrement(ptr, increment); +} + +inline void NoBarrier_Store(volatile Atomic64* ptr, Atomic64 value) { + *ptr = value; +} + +inline void Acquire_Store(volatile Atomic64* ptr, Atomic64 value) { + NoBarrier_AtomicExchange(ptr, value); + // acts as a barrier in this implementation +} + +inline void Release_Store(volatile Atomic64* ptr, Atomic64 value) { + *ptr = value; // works w/o barrier for current Intel chips as of June 2005 + + // When new chips come out, check: + // IA-32 
Intel Architecture Software Developer's Manual, Volume 3: + // System Programming Guide, Chatper 7: Multiple-processor management, + // Section 7.2, Memory Ordering. + // Last seen at: + // http://developer.intel.com/design/pentium4/manuals/index_new.htm +} + +inline Atomic64 NoBarrier_Load(volatile const Atomic64* ptr) { + return *ptr; +} + +inline Atomic64 Acquire_Load(volatile const Atomic64* ptr) { + Atomic64 value = *ptr; + return value; +} + +inline Atomic64 Release_Load(volatile const Atomic64* ptr) { + std::atomic_thread_fence(std::memory_order_seq_cst); + return *ptr; +} + +inline Atomic64 Acquire_CompareAndSwap(volatile Atomic64* ptr, + Atomic64 old_value, + Atomic64 new_value) { + return NoBarrier_CompareAndSwap(ptr, old_value, new_value); +} + +inline Atomic64 Release_CompareAndSwap(volatile Atomic64* ptr, + Atomic64 old_value, + Atomic64 new_value) { + return NoBarrier_CompareAndSwap(ptr, old_value, new_value); +} + + +#endif // defined(_WIN64) + +} // namespace subtle +} // namespace base + +#endif // BASE_ATOMICOPS_INTERNALS_X86_MSVC_H_ diff --git a/security/sandbox/chromium/base/base_export.h b/security/sandbox/chromium/base/base_export.h new file mode 100644 index 0000000000..cf7ebd7816 --- /dev/null +++ b/security/sandbox/chromium/base/base_export.h 
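Review bot: `Acquire_Load` and `Release_Store` (both the 32-bit and the `_WIN64` versions) are plain volatile reads and writes with no fence, so their acquire/release meaning rests on x86 TSO for the hardware side and on the MSVC `/volatile:ms` extension for the compiler side; under `/volatile:iso`, or with a compiler that does not honour that extension, the compiler may reorder surrounding non-volatile accesses across them, which is the failure mode the 2005-era comment does not mention. Since the file already uses `<atomic>` for Release_Load, the compiler ordering can be pinned at no runtime cost: add `std::atomic_signal_fence(std::memory_order_release);` before the store in each Release_Store and `std::atomic_signal_fence(std::memory_order_acquire);` after the load in each Acquire_Load. At minimum the stale "June 2005" comment should be replaced with one stating the two assumptions, e.g. `// Relies on x86 TSO (stores are not reordered with earlier stores) and on MSVC /volatile:ms semantics for compiler ordering.`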
@@ -0,0 +1,29 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef BASE_BASE_EXPORT_H_
+#define BASE_BASE_EXPORT_H_
+
+#if defined(COMPONENT_BUILD)
+#if defined(WIN32)
+
+#if defined(BASE_IMPLEMENTATION)
+#define BASE_EXPORT __declspec(dllexport)
+#else
+#define BASE_EXPORT __declspec(dllimport)
+#endif // defined(BASE_IMPLEMENTATION)
+
+#else // defined(WIN32)
+#if defined(BASE_IMPLEMENTATION)
+#define BASE_EXPORT __attribute__((visibility("default")))
+#else
+#define BASE_EXPORT
+#endif // defined(BASE_IMPLEMENTATION)
+#endif
+
+#else // defined(COMPONENT_BUILD)
+#define BASE_EXPORT
+#endif
+
+#endif // BASE_BASE_EXPORT_H_
diff --git a/security/sandbox/chromium/base/base_paths.h b/security/sandbox/chromium/base/base_paths.h
new file mode 100644
index 0000000000..2a163f48d4
--- /dev/null
+++ b/security/sandbox/chromium/base/base_paths.h
@@ -0,0 +1,55 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef BASE_BASE_PATHS_H_
+#define BASE_BASE_PATHS_H_
+
+// This file declares path keys for the base module. These can be used with
+// the PathService to access various special directories and files.
+
+#include "build/build_config.h"
+
+#if defined(OS_WIN)
+#include "base/base_paths_win.h"
+#elif defined(OS_MACOSX)
+#include "base/base_paths_mac.h"
+#elif defined(OS_ANDROID)
+#include "base/base_paths_android.h"
+#endif
+
+#if defined(OS_POSIX) || defined(OS_FUCHSIA)
+#include "base/base_paths_posix.h"
+#endif
+
+namespace base {
+
+enum BasePathKey {
+ PATH_START = 0,
+
+ DIR_CURRENT, // Current directory.
+ DIR_EXE, // Directory containing FILE_EXE.
+ DIR_MODULE, // Directory containing FILE_MODULE.
+ DIR_ASSETS, // Directory that contains application assets.
+ DIR_TEMP, // Temporary directory.
+ DIR_HOME, // User's root home directory. On Windows this will look
+ // like "C:\Users\" which isn't necessarily a great
+ // place to put files.
+ FILE_EXE, // Path and filename of the current executable.
+ FILE_MODULE, // Path and filename of the module containing the code for
+ // the PathService (which could differ from FILE_EXE if the
+ // PathService were compiled into a shared object, for
+ // example).
+ DIR_SOURCE_ROOT, // Returns the root of the source tree. This key is useful
+ // for tests that need to locate various resources. It
+ // should not be used outside of test code.
+ DIR_USER_DESKTOP, // The current user's Desktop.
+
+ DIR_TEST_DATA, // Used only for testing.
+
+ PATH_END
+};
+
+} // namespace base
+
+#endif // BASE_BASE_PATHS_H_
diff --git a/security/sandbox/chromium/base/base_paths_win.h b/security/sandbox/chromium/base/base_paths_win.h
new file mode 100644
index 0000000000..2db16a6271
--- /dev/null
+++ b/security/sandbox/chromium/base/base_paths_win.h
@@ -0,0 +1,53 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef BASE_BASE_PATHS_WIN_H_
+#define BASE_BASE_PATHS_WIN_H_
+
+// This file declares windows-specific path keys for the base module.
+// These can be used with the PathService to access various special
+// directories and files.
+
+namespace base {
+
+enum {
+ PATH_WIN_START = 100,
+
+ DIR_WINDOWS, // Windows directory, usually "c:\windows"
+ DIR_SYSTEM, // Usually c:\windows\system32"
+ // 32-bit 32-bit on 64-bit 64-bit on 64-bit
+ // DIR_PROGRAM_FILES 1 2 1
+ // DIR_PROGRAM_FILESX86 1 2 2
+ // DIR_PROGRAM_FILES6432 1 1 1
+ // 1 - C:\Program Files 2 - C:\Program Files (x86)
+ DIR_PROGRAM_FILES, // See table above.
+ DIR_PROGRAM_FILESX86, // See table above.
+ DIR_PROGRAM_FILES6432, // See table above.
+
+ DIR_IE_INTERNET_CACHE, // Temporary Internet Files directory.
+ DIR_COMMON_START_MENU, // Usually "C:\ProgramData\Microsoft\Windows\
+ // Start Menu\Programs"
+ DIR_START_MENU, // Usually "C:\Users\\AppData\Roaming\
+ // Microsoft\Windows\Start Menu\Programs"
+ DIR_APP_DATA, // Application Data directory under the user
+ // profile.
+ DIR_LOCAL_APP_DATA, // "Local Settings\Application Data" directory
+ // under the user profile.
+ DIR_COMMON_APP_DATA, // Usually "C:\ProgramData".
+ DIR_APP_SHORTCUTS, // Where tiles on the start screen are stored,
+ // only for Windows 8. Maps to "Local\AppData\
+ // Microsoft\Windows\Application Shortcuts\".
+ DIR_COMMON_DESKTOP, // Directory for the common desktop (visible
+ // on all user's Desktop).
+ DIR_USER_QUICK_LAUNCH, // Directory for the quick launch shortcuts.
+ DIR_TASKBAR_PINS, // Directory for the shortcuts pinned to taskbar.
+ DIR_IMPLICIT_APP_SHORTCUTS, // The implicit user pinned shortcut directory.
+ DIR_WINDOWS_FONTS, // Usually C:\Windows\Fonts.
+
+ PATH_WIN_END
+};
+
+} // namespace base
+
+#endif // BASE_BASE_PATHS_WIN_H_
diff --git a/security/sandbox/chromium/base/base_switches.cc b/security/sandbox/chromium/base/base_switches.cc
new file mode 100644
index 0000000000..6a47487961
--- /dev/null
+++ b/security/sandbox/chromium/base/base_switches.cc
@@ -0,0 +1,149 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/base_switches.h"
+#include "build/build_config.h"
+
+namespace switches {
+
+// Delays execution of TaskPriority::BEST_EFFORT tasks until shutdown.
+const char kDisableBestEffortTasks[] = "disable-best-effort-tasks";
+
+// Disables the crash reporting.
+const char kDisableBreakpad[] = "disable-breakpad";
+
+// Comma-separated list of feature names to disable. See also kEnableFeatures.
+const char kDisableFeatures[] = "disable-features";
+
+// Force disabling of low-end device mode when set.
+const char kDisableLowEndDeviceMode[] = "disable-low-end-device-mode";
+
+// Indicates that crash reporting should be enabled. On platforms where helper
+// processes cannot access to files needed to make this decision, this flag is
+// generated internally.
+const char kEnableCrashReporter[] = "enable-crash-reporter";
+
+// Comma-separated list of feature names to enable. See also kDisableFeatures.
+const char kEnableFeatures[] = "enable-features";
+
+// Force low-end device mode when set.
+const char kEnableLowEndDeviceMode[] = "enable-low-end-device-mode";
+
+// This option can be used to force field trials when testing changes locally.
+// The argument is a list of name and value pairs, separated by slashes. If a
+// trial name is prefixed with an asterisk, that trial will start activated.
+// For example, the following argument defines two trials, with the second one
+// activated: "GoogleNow/Enable/*MaterialDesignNTP/Default/" This option can
+// also be used by the browser process to send the list of trials to a
+// non-browser process, using the same format. See
+// FieldTrialList::CreateTrialsFromString() in field_trial.h for details.
+const char kForceFieldTrials[] = "force-fieldtrials";
+
+// Generates full memory crash dump.
+const char kFullMemoryCrashReport[] = "full-memory-crash-report";
+
+// Logs information about all tasks posted with TaskPriority::BEST_EFFORT. Use
+// this to diagnose issues that are thought to be caused by
+// TaskPriority::BEST_EFFORT execution fences. Note: Tasks posted to a
+// non-BEST_EFFORT UpdateableSequencedTaskRunner whose priority is later lowered
+// to BEST_EFFORT are not logged.
+const char kLogBestEffortTasks[] = "log-best-effort-tasks";
+
+// Suppresses all error dialogs when present.
+const char kNoErrorDialogs[] = "noerrdialogs";
+
+// Starts the sampling based profiler for the browser process at startup. This
+// will only work if chrome has been built with the gn arg enable_profiling =
+// true. The output will go to the value of kProfilingFile.
+const char kProfilingAtStart[] = "profiling-at-start";
+
+// Specifies a location for profiling output. This will only work if chrome has
+// been built with the gyp variable profiling=1 or gn arg enable_profiling=true.
+//
+// {pid} if present will be replaced by the pid of the process.
+// {count} if present will be incremented each time a profile is generated
+// for this process.
+// The default is chrome-profile-{pid} for the browser and test-profile-{pid}
+// for tests.
+const char kProfilingFile[] = "profiling-file";
+
+// Controls whether profile data is periodically flushed to a file. Normally
+// the data gets written on exit but cases exist where chromium doesn't exit
+// cleanly (especially when using single-process). A time in seconds can be
+// specified.
+const char kProfilingFlush[] = "profiling-flush";
+
+// When running certain tests that spawn child processes, this switch indicates
+// to the test framework that the current process is a child process.
+const char kTestChildProcess[] = "test-child-process";
+
+// When running certain tests that spawn child processes, this switch indicates
+// to the test framework that the current process should not initialize ICU to
+// avoid creating any scoped handles too early in startup.
+const char kTestDoNotInitializeIcu[] = "test-do-not-initialize-icu";
+
+// Sends trace events from these categories to a file.
+// --trace-to-file on its own sends to default categories.
+const char kTraceToFile[] = "trace-to-file";
+
+// Specifies the file name for --trace-to-file. If unspecified, it will
+// go to a default file name.
+const char kTraceToFileName[] = "trace-to-file-name";
+
+// Gives the default maximal active V-logging level; 0 is the default.
+// Normally positive values are used for V-logging levels.
+const char kV[] = "v";
+
+// Gives the per-module maximal V-logging levels to override the value
+// given by --v. E.g. "my_module=2,foo*=3" would change the logging
+// level for all code in source files "my_module.*" and "foo*.*"
+// ("-inl" suffixes are also disregarded for this matching).
+//
+// Any pattern containing a forward or backward slash will be tested
+// against the whole pathname and not just the module. E.g.,
+// "*/foo/bar/*=2" would change the logging level for all code in
+// source files under a "foo/bar" directory.
+const char kVModule[] = "vmodule";
+
+// Will wait for 60 seconds for a debugger to come to attach to the process.
+const char kWaitForDebugger[] = "wait-for-debugger";
+
+#if defined(OS_WIN)
+// Disable high-resolution timer on Windows.
+const char kDisableHighResTimer[] = "disable-highres-timer";
+
+// Disables the USB keyboard detection for blocking the OSK on Win8+.
+const char kDisableUsbKeyboardDetect[] = "disable-usb-keyboard-detect";
+#endif
+
+#if defined(OS_LINUX) && !defined(OS_CHROMEOS)
+// The /dev/shm partition is too small in certain VM environments, causing
+// Chrome to fail or crash (see http://crbug.com/715363). Use this flag to
+// work-around this issue (a temporary directory will always be used to create
+// anonymous shared memory files).
+const char kDisableDevShmUsage[] = "disable-dev-shm-usage";
+#endif
+
+#if defined(OS_POSIX)
+// Used for turning on Breakpad crash reporting in a debug environment where
+// crash reporting is typically compiled but disabled.
+const char kEnableCrashReporterForTesting[] =
+ "enable-crash-reporter-for-testing";
+#endif
+
+#if defined(OS_ANDROID)
+// Enables the reached code profiler that samples all threads in all processes
+// to determine which functions are almost never executed.
+const char kEnableReachedCodeProfiler[] = "enable-reached-code-profiler";
+#endif
+
+#if defined(OS_LINUX)
+// Controls whether or not retired instruction counts are surfaced for threads
+// in trace events on Linux.
+//
+// This flag requires the BPF sandbox to be disabled.
+const char kEnableThreadInstructionCount[] = "enable-thread-instruction-count";
+#endif
+
+} // namespace switches
diff --git a/security/sandbox/chromium/base/base_switches.h b/security/sandbox/chromium/base/base_switches.h
new file mode 100644
index 0000000000..b1923efc1e
--- /dev/null
+++ b/security/sandbox/chromium/base/base_switches.h
@@ -0,0 +1,60 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Defines all the "base" command-line switches.
+
+#ifndef BASE_BASE_SWITCHES_H_
+#define BASE_BASE_SWITCHES_H_
+
+#include "build/build_config.h"
+
+namespace switches {
+
+extern const char kDisableBestEffortTasks[];
+extern const char kDisableBreakpad[];
+extern const char kDisableFeatures[];
+extern const char kDisableLowEndDeviceMode[];
+extern const char kEnableCrashReporter[];
+extern const char kEnableFeatures[];
+extern const char kEnableLowEndDeviceMode[];
+extern const char kForceFieldTrials[];
+extern const char kFullMemoryCrashReport[];
+extern const char kLogBestEffortTasks[];
+extern const char kNoErrorDialogs[];
+extern const char kProfilingAtStart[];
+extern const char kProfilingFile[];
+extern const char kProfilingFlush[];
+extern const char kTestChildProcess[];
+extern const char kTestDoNotInitializeIcu[];
+extern const char kTraceToFile[];
+extern const char kTraceToFileName[];
+extern const char kV[];
+extern const char kVModule[];
+extern const char kWaitForDebugger[];
+
+#if defined(OS_WIN)
+extern const char kDisableHighResTimer[];
+extern const char kDisableUsbKeyboardDetect[];
+#endif
+
+#if defined(OS_LINUX) && !defined(OS_CHROMEOS)
+extern const char kDisableDevShmUsage[];
+#endif
+
+#if defined(OS_POSIX)
+extern const char kEnableCrashReporterForTesting[];
+#endif
+
+#if defined(OS_ANDROID)
+extern const char kEnableReachedCodeProfiler[];
+extern const char kOrderfileMemoryOptimization[];
+#endif
+
+#if defined(OS_LINUX)
+extern const char kEnableThreadInstructionCount[];
+#endif
+
+} // namespace switches
+
+#endif // BASE_BASE_SWITCHES_H_
diff --git a/security/sandbox/chromium/base/bind.h b/security/sandbox/chromium/base/bind.h
new file mode 100644
index 0000000000..0bbc2aceb1
--- /dev/null
+++ b/security/sandbox/chromium/base/bind.h
@@ -0,0 +1,470 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef BASE_BIND_H_
+#define BASE_BIND_H_
+
+#include
+#include
+#include
+#include
+
+#include "base/bind_internal.h"
+#include "base/compiler_specific.h"
+#include "build/build_config.h"
+
+#if defined(OS_MACOSX) && !HAS_FEATURE(objc_arc)
+#include "base/mac/scoped_block.h"
+#endif
+
+// -----------------------------------------------------------------------------
+// Usage documentation
+// -----------------------------------------------------------------------------
+//
+// Overview:
+// base::BindOnce() and base::BindRepeating() are helpers for creating
+// base::OnceCallback and base::RepeatingCallback objects respectively.
+//
+// For a runnable object of n-arity, the base::Bind*() family allows partial
+// application of the first m arguments. The remaining n - m arguments must be
+// passed when invoking the callback with Run().
+//
+// // The first argument is bound at callback creation; the remaining
+// // two must be passed when calling Run() on the callback object.
+// base::OnceCallback cb = base::BindOnce(
+// [](short x, int y, long z) { return x * y * z; }, 42);
+//
+// When binding to a method, the receiver object must also be specified at
+// callback creation time. When Run() is invoked, the method will be invoked on
+// the specified receiver object.
+//
+// class C : public base::RefCounted { void F(); };
+// auto instance = base::MakeRefCounted();
+// auto cb = base::BindOnce(&C::F, instance);
+// std::move(cb).Run(); // Identical to instance->F()
+//
+// base::Bind is currently a type alias for base::BindRepeating(). In the
+// future, we expect to flip this to default to base::BindOnce().
+//
+// See //docs/callback.md for the full documentation.
+// +// ----------------------------------------------------------------------------- +// Implementation notes +// ----------------------------------------------------------------------------- +// +// If you're reading the implementation, before proceeding further, you should +// read the top comment of base/bind_internal.h for a definition of common +// terms and concepts. + +namespace base { + +namespace internal { + +// IsOnceCallback is a std::true_type if |T| is a OnceCallback. +template +struct IsOnceCallback : std::false_type {}; + +template +struct IsOnceCallback> : std::true_type {}; + +// Helper to assert that parameter |i| of type |Arg| can be bound, which means: +// - |Arg| can be retained internally as |Storage|. +// - |Arg| can be forwarded as |Unwrapped| to |Param|. +template +struct AssertConstructible { + private: + static constexpr bool param_is_forwardable = + std::is_constructible::value; + // Unlike the check for binding into storage below, the check for + // forwardability drops the const qualifier for repeating callbacks. This is + // to try to catch instances where std::move()--which forwards as a const + // reference with repeating callbacks--is used instead of base::Passed(). + static_assert( + param_is_forwardable || + !std::is_constructible&&>::value, + "Bound argument |i| is move-only but will be forwarded by copy. " + "Ensure |Arg| is bound using base::Passed(), not std::move()."); + static_assert( + param_is_forwardable, + "Bound argument |i| of type |Arg| cannot be forwarded as " + "|Unwrapped| to the bound functor, which declares it as |Param|."); + + static constexpr bool arg_is_storable = + std::is_constructible::value; + static_assert(arg_is_storable || + !std::is_constructible&&>::value, + "Bound argument |i| is move-only but will be bound by copy. 
" + "Ensure |Arg| is mutable and bound using std::move()."); + static_assert(arg_is_storable, + "Bound argument |i| of type |Arg| cannot be converted and " + "bound as |Storage|."); +}; + +// Takes three same-length TypeLists, and applies AssertConstructible for each +// triples. +template +struct AssertBindArgsValidity; + +template +struct AssertBindArgsValidity, + TypeList, + TypeList, + TypeList> + : AssertConstructible, Unwrapped, Params>... { + static constexpr bool ok = true; +}; + +// The implementation of TransformToUnwrappedType below. +template +struct TransformToUnwrappedTypeImpl; + +template +struct TransformToUnwrappedTypeImpl { + using StoredType = std::decay_t; + using ForwardType = StoredType&&; + using Unwrapped = decltype(Unwrap(std::declval())); +}; + +template +struct TransformToUnwrappedTypeImpl { + using StoredType = std::decay_t; + using ForwardType = const StoredType&; + using Unwrapped = decltype(Unwrap(std::declval())); +}; + +// Transform |T| into `Unwrapped` type, which is passed to the target function. +// Example: +// In is_once == true case, +// `int&&` -> `int&&`, +// `const int&` -> `int&&`, +// `OwnedWrapper&` -> `int*&&`. +// In is_once == false case, +// `int&&` -> `const int&`, +// `const int&` -> `const int&`, +// `OwnedWrapper&` -> `int* const &`. +template +using TransformToUnwrappedType = + typename TransformToUnwrappedTypeImpl::Unwrapped; + +// Transforms |Args| into `Unwrapped` types, and packs them into a TypeList. +// If |is_method| is true, tries to dereference the first argument to support +// smart pointers. +template +struct MakeUnwrappedTypeListImpl { + using Type = TypeList...>; +}; + +// Performs special handling for this pointers. +// Example: +// int* -> int*, +// std::unique_ptr -> int*. 
+template +struct MakeUnwrappedTypeListImpl { + using UnwrappedReceiver = TransformToUnwrappedType; + using Type = TypeList()), + TransformToUnwrappedType...>; +}; + +template +using MakeUnwrappedTypeList = + typename MakeUnwrappedTypeListImpl::Type; + +// Used below in BindImpl to determine whether to use Invoker::Run or +// Invoker::RunOnce. +// Note: Simply using `kIsOnce ? &Invoker::RunOnce : &Invoker::Run` does not +// work, since the compiler needs to check whether both expressions are +// well-formed. Using `Invoker::Run` with a OnceCallback triggers a +// static_assert, which is why the ternary expression does not compile. +// TODO(crbug.com/752720): Remove this indirection once we have `if constexpr`. +template +constexpr auto GetInvokeFunc(std::true_type) { + return Invoker::RunOnce; +} + +template +constexpr auto GetInvokeFunc(std::false_type) { + return Invoker::Run; +} + +template