commit 937cc952fea7ebfb3c7247e53dee580bcc8675a9
parent d466f372d4f66b8ee512c5557e5b70326933e304
Author: Bob Owen <bobowencode@gmail.com>
Date: Thu, 30 Oct 2025 09:37:19 +0000
Bug 1996776 - Enable MITIGATION_KTM_COMPONENT on windows process sandboxes. r=handyman
We do not enable it for the WINDOWS_UTILS utility process, as it is reasonable to think
that the kernel transaction manager could be used there.
Differential Revision: https://phabricator.services.mozilla.com/D270499
Diffstat:
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -1057,6 +1057,7 @@ void SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
sandbox::MITIGATION_BOTTOM_UP_ASLR | sandbox::MITIGATION_HEAP_TERMINATE |
sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_DEP_NO_ATL_THUNK |
sandbox::MITIGATION_DEP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
+ sandbox::MITIGATION_KTM_COMPONENT |
sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32;
@@ -1243,6 +1244,7 @@ void SandboxBroker::SetSecurityLevelForGPUProcess(int32_t aSandboxLevel) {
sandbox::MitigationFlags initialMitigations =
sandbox::MITIGATION_BOTTOM_UP_ASLR | sandbox::MITIGATION_HEAP_TERMINATE |
sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_DEP_NO_ATL_THUNK |
+ sandbox::MITIGATION_KTM_COMPONENT |
sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL | sandbox::MITIGATION_DEP;
@@ -1347,6 +1349,7 @@ bool SandboxBroker::SetSecurityLevelForRDDProcess() {
sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP |
sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
+ sandbox::MITIGATION_KTM_COMPONENT |
sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32;
@@ -1430,6 +1433,7 @@ bool SandboxBroker::SetSecurityLevelForSocketProcess() {
sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP |
sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
+ sandbox::MITIGATION_KTM_COMPONENT |
sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32;
@@ -1501,11 +1505,14 @@ struct UtilitySandboxProps {
sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP |
sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
+ sandbox::MITIGATION_KTM_COMPONENT |
sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32 |
sandbox::MITIGATION_CET_COMPAT_MODE;
+ sandbox::MitigationFlags mExcludedInitialMitigations = 0;
+
sandbox::MitigationFlags mDelayedMitigations =
sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
sandbox::MITIGATION_DLL_SEARCH_ORDER |
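Review bot: The new `mExcludedInitialMitigations` member is added without a comment, and the subtraction `mInitialMitigations & ~mExcludedInitialMitigations` is then spelled out by hand at both consumers (LogUtilitySandboxProps and BuildUtilitySandbox), so any future reader of mInitialMitigations that forgets the mask would silently re-apply an excluded flag, and the log line could drift from what is actually set. I would document the field with `// Flags removed from mInitialMitigations for a specific utility type; keeps the base list above as the single source of truth.` and add a single accessor to the struct, `sandbox::MitigationFlags EffectiveInitialMitigations() const { return mInitialMitigations & ~mExcludedInitialMitigations; }`, used at both sites so the effective value is computed in one place. struct UtilitySandboxProps begins before and continues past this hunk.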
@@ -1595,6 +1602,7 @@ struct WindowsUtilitySandboxProps : public UtilitySandboxProps {
mDelayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_MEDIUM;
mUseWin32kLockdown = false;
mUseCig = false;
+ mExcludedInitialMitigations = sandbox::MITIGATION_KTM_COMPONENT;
mDelayedMitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
sandbox::MITIGATION_DLL_SEARCH_ORDER;
}
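Review bot: The rationale for opting WINDOWS_UTILS out of the KTM mitigation lives only in the commit message, so the assignment on the new line reads as arbitrary in the code. A short why-comment above it would carry that decision forward, e.g. `// Leave the kernel transaction manager available: bug 1996776 considered it reasonable that this utility type may use it.` The WindowsUtilitySandboxProps constructor starts outside this hunk.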
@@ -1640,7 +1648,8 @@ void LogUtilitySandboxProps(const UtilitySandboxProps& us) {
us.mUseWin32kLockdown ? "yes" : "no");
logMsg.AppendPrintf("\tUse CIG: %s\n", us.mUseCig ? "yes" : "no");
logMsg.AppendPrintf("\tInitial mitigations: %016llx\n",
- static_cast<uint64_t>(us.mInitialMitigations));
+ static_cast<uint64_t>(us.mInitialMitigations &
+ ~us.mExcludedInitialMitigations));
logMsg.AppendPrintf("\tDelayed mitigations: %016llx\n",
static_cast<uint64_t>(us.mDelayedMitigations));
if (us.mPackagePrefix.IsEmpty()) {
@@ -1697,7 +1706,8 @@ bool BuildUtilitySandbox(sandbox::TargetConfig* config,
config->AddRestrictingRandomSid();
}
- result = config->SetProcessMitigations(us.mInitialMitigations);
+ result = config->SetProcessMitigations(us.mInitialMitigations &
+ ~us.mExcludedInitialMitigations);
SANDBOX_ENSURE_SUCCESS(result, "Invalid flags for SetProcessMitigations.");
result = config->SetDelayedProcessMitigations(us.mDelayedMitigations);
@@ -1819,6 +1829,7 @@ bool SandboxBroker::SetSecurityLevelForGMPlugin(
sandbox::MITIGATION_BOTTOM_UP_ASLR | sandbox::MITIGATION_HEAP_TERMINATE |
sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
+ sandbox::MITIGATION_KTM_COMPONENT |
sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL |
sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP;