commit 20d67ce666ae906bcf317c880bfe96ba9b935a3b
parent bd481b3e5f4982633d411e3b86ba7481e27126ca
Author: Bob Owen <bobowencode@gmail.com>
Date: Mon, 3 Nov 2025 11:45:27 +0000
Bug 1996251 p1 - Add USER_LOCKDOWN_WITH_TRAVERSE access token level. r=yjuglaret
Differential Revision: https://phabricator.services.mozilla.com/D269974
Diffstat:
4 files changed, 94 insertions(+), 0 deletions(-)
diff --git a/security/sandbox/chromium-shim/patches/51_add_USER_LOCKDOWN_WITH_TRAVERSE.patch b/security/sandbox/chromium-shim/patches/51_add_USER_LOCKDOWN_WITH_TRAVERSE.patch
@@ -0,0 +1,76 @@
+Author: Bob Owen <bobowencode@gmail.com>
+
+Add USER_LOCKDOWN_WITH_TRAVERSE access token level.
+
+diff --git a/sandbox/win/src/restricted_token_utils.cc b/sandbox/win/src/restricted_token_utils.cc
+index cb8d18a1a832..1dc7fd219f88 100644
+--- a/sandbox/win/src/restricted_token_utils.cc
++++ b/sandbox/win/src/restricted_token_utils.cc
+@@ -137,16 +137,26 @@ absl::optional<base::win::AccessToken> CreateRestrictedToken(
+ restricted_token.AddRestrictingSid(base::win::WellKnownSid::kRestricted);
+ if (unique_restricted_sid) {
+ restricted_token.AddRestrictingSid(*unique_restricted_sid);
+ }
+ } else {
+ restricted_token.AddUserSidForDenyOnly();
+ }
+ break;
++ case USER_LOCKDOWN_WITH_TRAVERSE:
++ if (use_restricting_sids) {
++ restricted_token.AddRestrictingSid(base::win::WellKnownSid::kNull);
++ if (unique_restricted_sid) {
++ restricted_token.AddRestrictingSid(*unique_restricted_sid);
++ }
++ } else {
++ restricted_token.AddUserSidForDenyOnly();
++ }
++ break;
+ case USER_LOCKDOWN:
+ remove_traverse_privilege = true;
+ if (use_restricting_sids) {
+ restricted_token.AddRestrictingSid(base::win::WellKnownSid::kNull);
+ if (unique_restricted_sid) {
+ restricted_token.AddRestrictingSid(*unique_restricted_sid);
+ }
+ } else {
+diff --git a/sandbox/win/src/security_level.h b/sandbox/win/src/security_level.h
+index f9110600a11a..a86c4576f6e8 100644
+--- a/sandbox/win/src/security_level.h
++++ b/sandbox/win/src/security_level.h
+@@ -38,16 +38,18 @@ enum IntegrityLevel {
+ // The Token level specifies a set of security profiles designed to
+ // provide the bulk of the security of sandbox.
+ //
+ // TokenLevel |Restricting |Deny Only |Privileges|
+ // |Sids |Sids | |
+ // ----------------------------|--------------|----------------|----------|
+ // USER_LOCKDOWN | Null Sid | All | None |
+ // ----------------------------|--------------|----------------|----------|
++// USER_LOCKDOWN_WITH_TRAVERSE | Null Sid | All | Traverse |
++// ----------------------------|--------------|----------------|----------|
+ // USER_RESTRICTED | RESTRICTED | All | Traverse |
+ // ----------------------------|--------------|----------------|----------|
+ // USER_LIMITED | Users | All except: | Traverse |
+ // | Everyone | Users | |
+ // | RESTRICTED | Everyone | |
+ // | | Interactive | |
+ // ----------------------------|--------------|----------------|----------|
+ // USER_INTERACTIVE | Users | All except: | Traverse |
+@@ -77,16 +79,17 @@ enum IntegrityLevel {
+ // and on the broker token itself.
+ //
+ // The LOCKDOWN level is designed to allow access to almost nothing that has
+ // security associated with and they are the recommended levels to run sandboxed
+ // code specially if there is a chance that the broker is process might be
+ // started by a user that belongs to the Admins or power users groups.
+ enum TokenLevel {
+ USER_LOCKDOWN = 0,
++ USER_LOCKDOWN_WITH_TRAVERSE,
+ USER_RESTRICTED,
+ USER_LIMITED,
+ USER_INTERACTIVE,
+ USER_RESTRICTED_NON_ADMIN,
+ USER_RESTRICTED_SAME_ACCESS,
+ USER_UNPROTECTED,
+ USER_LAST
+ };
diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
@@ -142,6 +142,16 @@ absl::optional<base::win::AccessToken> CreateRestrictedToken(
restricted_token.AddUserSidForDenyOnly();
}
break;
+ case USER_LOCKDOWN_WITH_TRAVERSE:
+ if (use_restricting_sids) {
+ restricted_token.AddRestrictingSid(base::win::WellKnownSid::kNull);
+ if (unique_restricted_sid) {
+ restricted_token.AddRestrictingSid(*unique_restricted_sid);
+ }
+ } else {
+ restricted_token.AddUserSidForDenyOnly();
+ }
+ break;
case USER_LOCKDOWN:
remove_traverse_privilege = true;
if (use_restricting_sids) {
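Review bot: The new `USER_LOCKDOWN_WITH_TRAVERSE` case repeats the body of `USER_LOCKDOWN` verbatim except for `remove_traverse_privilege = true;`, so the two levels can drift apart the next time the lockdown SID handling is touched. Since the only intended difference is keeping the traverse privilege, a fallthrough keeps them in lock-step: put `case USER_LOCKDOWN:` with its `remove_traverse_privilege = true;` first, `[[fallthrough]];` into `case USER_LOCKDOWN_WITH_TRAVERSE:`, and keep a single copy of the restricting-SID block. The enclosing `CreateRestrictedToken` starts and ends outside the hunk, and the same duplication is carried in the shim patch `51_add_USER_LOCKDOWN_WITH_TRAVERSE.patch`.
```cpp
    case USER_LOCKDOWN:
      remove_traverse_privilege = true;
      [[fallthrough]];
    case USER_LOCKDOWN_WITH_TRAVERSE:
      // … unchanged: kNull / unique restricting SID block, else AddUserSidForDenyOnly() …
      break;
```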
diff --git a/security/sandbox/chromium/sandbox/win/src/security_level.h b/security/sandbox/chromium/sandbox/win/src/security_level.h
@@ -43,6 +43,8 @@ enum IntegrityLevel {
// ----------------------------|--------------|----------------|----------|
// USER_LOCKDOWN | Null Sid | All | None |
// ----------------------------|--------------|----------------|----------|
+// USER_LOCKDOWN_WITH_TRAVERSE | Null Sid | All | Traverse |
+// ----------------------------|--------------|----------------|----------|
// USER_RESTRICTED | RESTRICTED | All | Traverse |
// ----------------------------|--------------|----------------|----------|
// USER_LIMITED | Users | All except: | Traverse |
@@ -82,6 +84,7 @@ enum IntegrityLevel {
// started by a user that belongs to the Admins or power users groups.
enum TokenLevel {
USER_LOCKDOWN = 0,
+ USER_LOCKDOWN_WITH_TRAVERSE,
USER_RESTRICTED,
USER_LIMITED,
USER_INTERACTIVE,
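Review bot: Inserting `USER_LOCKDOWN_WITH_TRAVERSE` between `USER_LOCKDOWN = 0` and `USER_RESTRICTED` renumbers every later `TokenLevel` value, which is only safe if nothing persists, logs, or passes these levels across a version boundary as integers; the commit does not say, so it is worth confirming. The position itself looks deliberate if callers compare levels numerically (initial versus lockdown ordering), since the new level sits between the two it is adjacent to in strength, but that ordering use is inferred rather than visible here. The prose above the enum still describes only the LOCKDOWN level; a line such as `// USER_LOCKDOWN_WITH_TRAVERSE differs from USER_LOCKDOWN only in keeping the traverse privilege.` before `enum TokenLevel {` would pair the table row with an explanation. `enum TokenLevel` continues past the end of the hunk, and the same change is duplicated in the shim patch file.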
diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -976,6 +976,11 @@ void SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
accessTokenLevel = sandbox::USER_LOCKDOWN;
initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_UNTRUSTED;
+ } else if (aSandboxLevel >= 9) {
+ jobLevel = sandbox::JobLevel::kLockdown;
+ accessTokenLevel = sandbox::USER_LOCKDOWN_WITH_TRAVERSE;
+ initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
+ delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_UNTRUSTED;
} else if (aSandboxLevel >= 8) {
jobLevel = sandbox::JobLevel::kLockdown;
accessTokenLevel = sandbox::USER_RESTRICTED;
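Review bot: The new `aSandboxLevel >= 9` branch carries no comment saying what distinguishes level 9 from its neighbours, and it differs from the branch above it only in `accessTokenLevel`, so a reader has to diff the two by eye. A one-line comment would help, e.g. `// Level 9: as the level above, but the lockdown token keeps the traverse privilege.`; the preceding branch's condition is outside the hunk, so the comment should name whichever threshold it actually is. It is also worth checking that nothing later in `SetSecurityLevelForContentProcess` (which continues outside the hunk) keys off `accessTokenLevel == sandbox::USER_LOCKDOWN` for additional mitigations, since level 9 would silently miss those.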