commit 0b1cf66f3b35bccf28116a94bdb4b9fab38ee60c
parent 64c63627e4fdbb421c9bc6f68bbf311733d5c5d6
Author: Bob Owen <bobowencode@gmail.com>
Date: Tue, 28 Oct 2025 08:44:45 +0000
Bug 1996544 - Remove chrome pipe file read rules from sandboxed processes. r=handyman
We are removing this using a pref because we know that in the past some injected
DLLs have relied on this rule existing for their own pipes. This gives users a
work-around if they have issues.
Differential Revision: https://phabricator.services.mozilla.com/D270231
Diffstat:
2 files changed, 66 insertions(+), 45 deletions(-)
diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml
@@ -17003,6 +17003,15 @@
type: RelaxedAtomicUint32
value: 0
mirror: always
+
+ # Whether \\??\\pipe\\chrome.* rule is added to the sandbox configurations.
+ # We are removing this using a pref because we know that in the past some
+ # injected DLLs have relied on this rule existing for their own pipes.
+ # This gives users a work-around if they have issues.
+- name: security.sandbox.chrome-pipe-rule.enabled
+ type: RelaxedAtomicBool
+ value: false
+ mirror: always
#endif
#if defined(XP_LINUX) && defined(MOZ_SANDBOX)
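Review bot: The comment on the new pref entry reproduces the C++ string-literal escaping, so a reader of the YAML sees `\\??\\pipe\\chrome.*` where the NT object path the rule actually matches is `\??\pipe\chrome.*`; YAML comments need no escaping, so `# Whether the \??\pipe\chrome.* file rule is added to the sandbox configurations.` is what was meant. It would also help to state what flipping the value does: with the default `false` the rule is omitted from the content, GPU, RDD, socket, utility and GMP sandbox configurations (the six functions touched in sandboxBroker.cpp), and `true` restores the previous behaviour of granting those processes file access to the client side of pipes matching that pattern. A closing sentence such as `# Enabling this widens every sandbox policy listed above; it is an escape hatch for broken injected DLLs, not a supported configuration.` makes the trade-off clear to whoever finds the pref later.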
diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -1127,14 +1127,16 @@ void SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
#endif
}
- // Add the policy for the client side of a pipe. It is just a file
- // in the \pipe\ namespace. We restrict it to pipes that start with
- // "chrome." so the sandboxed process cannot connect to system services.
- result = config->AllowFileAccess(sandbox::FileSemantics::kAllowAny,
- L"\\??\\pipe\\chrome.*");
- MOZ_RELEASE_ASSERT(
- sandbox::SBOX_ALL_OK == result,
- "With these static arguments AddRule should never fail, what happened?");
+ if (StaticPrefs::security_sandbox_chrome_pipe_rule_enabled()) {
+ // Add the policy for the client side of a pipe. It is just a file
+ // in the \pipe\ namespace. We restrict it to pipes that start with
+ // "chrome." so the sandboxed process cannot connect to system services.
+ result = config->AllowFileAccess(sandbox::FileSemantics::kAllowAny,
+ L"\\??\\pipe\\chrome.*");
+ MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
+ "With these static arguments AddRule should never fail, "
+ "what happened?");
+ }
// Add the policy for the client side of the crash server pipe.
result = config->AllowFileAccess(sandbox::FileSemantics::kAllowAny,
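Review bot: The comment kept inside the new `if` still explains the rule only as the thing that stops the sandboxed process reaching system services, and says nothing about why the block is now conditional or that it is off by default, so the next reader has to dig up this commit to learn that. A lead-in taken from the commit message, `// Off by default (security.sandbox.chrome-pipe-rule.enabled); kept only as a work-around for injected DLLs that relied on this rule for their own pipes.`, would carry that context in the code. The same applies to the identical blocks in SetSecurityLevelForGPUProcess, SetSecurityLevelForRDDProcess, SetSecurityLevelForSocketProcess, BuildUtilitySandbox and SetSecurityLevelForGMPlugin. Because enabling the pref deliberately loosens the policy, emitting a warning when the branch is taken (through whatever sandbox logging macro this file already has in scope) would make a weakened configuration visible when triaging a report. SetSecurityLevelForContentProcess continues on both sides of the hunk.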
@@ -1270,11 +1272,13 @@ void SandboxBroker::SetSecurityLevelForGPUProcess(int32_t aSandboxLevel) {
// 14 pages, so 13 allows one page for generic process rules.
sandboxing::SizeTrackingConfig trackingConfig(config, 13);
- // Add the policy for the client side of a pipe. It is just a file
- // in the \pipe\ namespace. We restrict it to pipes that start with
- // "chrome." so the sandboxed process cannot connect to system services.
- SANDBOX_SUCCEED_OR_CRASH(trackingConfig.AllowFileAccess(
- sandbox::FileSemantics::kAllowAny, L"\\??\\pipe\\chrome.*"));
+ if (StaticPrefs::security_sandbox_chrome_pipe_rule_enabled()) {
+ // Add the policy for the client side of a pipe. It is just a file
+ // in the \pipe\ namespace. We restrict it to pipes that start with
+ // "chrome." so the sandboxed process cannot connect to system services.
+ SANDBOX_SUCCEED_OR_CRASH(trackingConfig.AllowFileAccess(
+ sandbox::FileSemantics::kAllowAny, L"\\??\\pipe\\chrome.*"));
+ }
// Add the policy for the client side of the crash server pipe.
SANDBOX_SUCCEED_OR_CRASH(
@@ -1369,14 +1373,16 @@ bool SandboxBroker::SetSecurityLevelForRDDProcess() {
result = AddCigToConfig(config);
SANDBOX_ENSURE_SUCCESS(result, "Failed to initialize signed policy rules.");
- // Add the policy for the client side of a pipe. It is just a file
- // in the \pipe\ namespace. We restrict it to pipes that start with
- // "chrome." so the sandboxed process cannot connect to system services.
- result = config->AllowFileAccess(sandbox::FileSemantics::kAllowAny,
- L"\\??\\pipe\\chrome.*");
- SANDBOX_ENSURE_SUCCESS(
- result,
- "With these static arguments AddRule should never fail, what happened?");
+ if (StaticPrefs::security_sandbox_chrome_pipe_rule_enabled()) {
+ // Add the policy for the client side of a pipe. It is just a file
+ // in the \pipe\ namespace. We restrict it to pipes that start with
+ // "chrome." so the sandboxed process cannot connect to system services.
+ result = config->AllowFileAccess(sandbox::FileSemantics::kAllowAny,
+ L"\\??\\pipe\\chrome.*");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never "
+ "fail, what happened?");
+ }
// Add the policy for the client side of the crash server pipe.
result = config->AllowFileAccess(sandbox::FileSemantics::kAllowAny,
@@ -1451,14 +1457,16 @@ bool SandboxBroker::SetSecurityLevelForSocketProcess() {
result = AddCigToConfig(config);
SANDBOX_ENSURE_SUCCESS(result, "Failed to initialize signed policy rules.");
- // Add the policy for the client side of a pipe. It is just a file
- // in the \pipe\ namespace. We restrict it to pipes that start with
- // "chrome." so the sandboxed process cannot connect to system services.
- result = config->AllowFileAccess(sandbox::FileSemantics::kAllowAny,
- L"\\??\\pipe\\chrome.*");
- SANDBOX_ENSURE_SUCCESS(
- result,
- "With these static arguments AddRule should never fail, what happened?");
+ if (StaticPrefs::security_sandbox_chrome_pipe_rule_enabled()) {
+ // Add the policy for the client side of a pipe. It is just a file
+ // in the \pipe\ namespace. We restrict it to pipes that start with
+ // "chrome." so the sandboxed process cannot connect to system services.
+ result = config->AllowFileAccess(sandbox::FileSemantics::kAllowAny,
+ L"\\??\\pipe\\chrome.*");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never "
+ "fail, what happened?");
+ }
// Add the policy for the client side of the crash server pipe.
result = config->AllowFileAccess(sandbox::FileSemantics::kAllowAny,
@@ -1722,14 +1730,16 @@ bool BuildUtilitySandbox(sandbox::TargetConfig* config,
}
#endif
- // Add the policy for the client side of a pipe. It is just a file
- // in the \pipe\ namespace. We restrict it to pipes that start with
- // "chrome." so the sandboxed process cannot connect to system services.
- result = config->AllowFileAccess(sandbox::FileSemantics::kAllowAny,
- L"\\??\\pipe\\chrome.*");
- SANDBOX_ENSURE_SUCCESS(
- result,
- "With these static arguments AddRule should never fail, what happened?");
+ if (StaticPrefs::security_sandbox_chrome_pipe_rule_enabled()) {
+ // Add the policy for the client side of a pipe. It is just a file
+ // in the \pipe\ namespace. We restrict it to pipes that start with
+ // "chrome." so the sandboxed process cannot connect to system services.
+ result = config->AllowFileAccess(sandbox::FileSemantics::kAllowAny,
+ L"\\??\\pipe\\chrome.*");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never "
+ "fail, what happened?");
+ }
// Add the policy for the client side of the crash server pipe.
result = config->AllowFileAccess(sandbox::FileSemantics::kAllowAny,
@@ -1851,14 +1861,16 @@ bool SandboxBroker::SetSecurityLevelForGMPlugin(
SANDBOX_ENSURE_SUCCESS(result,
"Invalid flags for SetDelayedProcessMitigations.");
- // Add the policy for the client side of a pipe. It is just a file
- // in the \pipe\ namespace. We restrict it to pipes that start with
- // "chrome." so the sandboxed process cannot connect to system services.
- result = config->AllowFileAccess(sandbox::FileSemantics::kAllowAny,
- L"\\??\\pipe\\chrome.*");
- SANDBOX_ENSURE_SUCCESS(
- result,
- "With these static arguments AddRule should never fail, what happened?");
+ if (StaticPrefs::security_sandbox_chrome_pipe_rule_enabled()) {
+ // Add the policy for the client side of a pipe. It is just a file
+ // in the \pipe\ namespace. We restrict it to pipes that start with
+ // "chrome." so the sandboxed process cannot connect to system services.
+ result = config->AllowFileAccess(sandbox::FileSemantics::kAllowAny,
+ L"\\??\\pipe\\chrome.*");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never "
+ "fail, what happened?");
+ }
// Add the policy for the client side of the crash server pipe.
result = config->AllowFileAccess(sandbox::FileSemantics::kAllowAny,