Bug 1768014 p2: Default to policy win32k lockdown status if in process check fails. r=gcp,cmartin

Depends on D145872 Differential Revision: https://phabricator.services.mozilla.com/D145873

Bug 1768014 p2: Default to policy win32k lockdown status if in process check fails. r=gcp,cmartin
f2a9df28 · Bob Owen · f6064889 · f2a9df28 · f2a9df28 · f2a9df28
Commit f2a9df28 authored 2 years ago by Bob Owen
--- a/browser/app/nsBrowserApp.cpp
+++ b/browser/app/nsBrowserApp.cpp
@@ -297,10 +297,20 @@ int main(int argc, char* argv[], char* envp[]) {
    DllBlocklist_Initialize(gBlocklistInitFlags |
                            eDllBlocklistInitFlagIsChildProcess);
 #  endif
+#  if defined(XP_WIN) && defined(MOZ_SANDBOX)
+    // We need to initialize the sandbox TargetServices before InitXPCOMGlue
+    // because we might need the sandbox broker to give access to some files.
+    if (IsSandboxedProcess() && !sandboxing::GetInitializedTargetServices()) {
+      Output("Failed to initialize the sandbox target services.");
+      return 255;
+    }
+#  endif
 #  if defined(XP_WIN)
    // Ideally, we would be able to set our DPI awareness in
    // firefox.exe.manifest Unfortunately, that would cause Win32k calls when
    // user32.dll gets loaded, which would be incompatible with Win32k Lockdown
+    // We need to call this after GetInitializedTargetServices because it can
+    // affect the detection of the win32k lockdown status.
    //
    // MSDN says that it's allowed-but-not-recommended to initialize DPI
    // programatically, as long as it's done before any HWNDs are created.
@@ -310,14 +320,6 @@ int main(int argc, char* argv[], char* envp[]) {
      (void)result;  // Ignore errors since some tools block DPI calls
    }
 #  endif
-#  if defined(XP_WIN) && defined(MOZ_SANDBOX)
-    // We need to initialize the sandbox TargetServices before InitXPCOMGlue
-    // because we might need the sandbox broker to give access to some files.
-    if (IsSandboxedProcess() && !sandboxing::GetInitializedTargetServices()) {
-      Output("Failed to initialize the sandbox target services.");
-      return 255;
-    }
-#  endif

    nsresult rv = InitXPCOMGlue(LibLoadingStrategy::NoReadAhead);
    if (NS_FAILED(rv)) {

--- a/mozglue/misc/WindowsProcessMitigations.cpp
+++ b/mozglue/misc/WindowsProcessMitigations.cpp
@@ -4,11 +4,13 @@
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

-#include "mozilla/DynamicallyLinkedFunctionPtr.h"
 #include "mozilla/WindowsProcessMitigations.h"

 #include <processthreadsapi.h>

+#include "mozilla/Assertions.h"
+#include "mozilla/DynamicallyLinkedFunctionPtr.h"
+
 #if (_WIN32_WINNT < 0x0602)
 BOOL WINAPI GetProcessMitigationPolicy(
    HANDLE hProcess, PROCESS_MITIGATION_POLICY MitigationPolicy, PVOID lpBuffer,
@@ -26,20 +28,34 @@ FetchGetProcessMitigationPolicyFunc() {
  return pGetProcessMitigationPolicy;
 }

+static bool sWin32kLockedDownInPolicy = false;
+
 MFBT_API bool IsWin32kLockedDown() {
-  auto pGetProcessMitigationPolicy = FetchGetProcessMitigationPolicyFunc();
-  if (!pGetProcessMitigationPolicy) {
-    return false;
-  }
+  static bool sWin32kLockedDown = []() {
+    auto pGetProcessMitigationPolicy = FetchGetProcessMitigationPolicyFunc();

-  PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY polInfo;
-  if (!pGetProcessMitigationPolicy(::GetCurrentProcess(),
-                                   ProcessSystemCallDisablePolicy, &polInfo,
-                                   sizeof(polInfo))) {
-    return false;
-  }
+    PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY polInfo;
+    if (!pGetProcessMitigationPolicy ||
+        !pGetProcessMitigationPolicy(::GetCurrentProcess(),
+                                     ProcessSystemCallDisablePolicy, &polInfo,
+                                     sizeof(polInfo))) {
+      // We failed to get pointer to GetProcessMitigationPolicy or the call
+      // to it failed, so just return what the sandbox policy says.
+      return sWin32kLockedDownInPolicy;
+    }
+
+    MOZ_RELEASE_ASSERT(
+        !sWin32kLockedDownInPolicy || !!polInfo.DisallowWin32kSystemCalls,
+        "Win32k Lockdown enabled in sandbox policy but not process.");
+
+    return !!polInfo.DisallowWin32kSystemCalls;
+  }();
+
+  return sWin32kLockedDown;
+}

-  return polInfo.DisallowWin32kSystemCalls;
+MFBT_API void SetWin32kLockedDownInPolicy() {
+  sWin32kLockedDownInPolicy = true;
 }

 MFBT_API bool IsDynamicCodeDisabled() {

--- a/mozglue/misc/WindowsProcessMitigations.h
+++ b/mozglue/misc/WindowsProcessMitigations.h
@@ -12,6 +12,7 @@
 namespace mozilla {

 MFBT_API bool IsWin32kLockedDown();
+MFBT_API void SetWin32kLockedDownInPolicy();
 MFBT_API bool IsDynamicCodeDisabled();
 MFBT_API bool IsEafPlusEnabled();


--- a/security/sandbox/win/SandboxInitialization.cpp
+++ b/security/sandbox/win/SandboxInitialization.cpp
@@ -13,6 +13,10 @@
 #include "mozilla/sandboxing/permissionsService.h"
 #include "mozilla/WindowsProcessMitigations.h"

+namespace sandbox {
+extern "C" MitigationFlags g_shared_mitigations;
+}
+
 namespace mozilla {
 namespace sandboxing {

@@ -130,6 +134,12 @@ static sandbox::TargetServices* InitializeTargetServices() {
  // This might disable the verifier, so we want to do it before it is used.
  InitializeHandleVerifier();

+  // This needs to be set before anything calls IsWin32kLockedDown, which
+  // EnableApiQueryInterception does.
+  if (sandbox::g_shared_mitigations & sandbox::MITIGATION_WIN32K_DISABLE) {
+    SetWin32kLockedDownInPolicy();
+  }
+
  EnableApiQueryInterception();

  sandbox::TargetServices* targetServices =