commit c4251eba3fb4f9993ad57a5c6100b4f9bc0d310b
parent ff221ce921c3f7a0127c9b36d28d99aa9cfc2e80
Author: Bob Owen <bobowencode@gmail.com>
Date: Wed, 3 Dec 2025 09:26:11 +0000
Bug 2002983 - Add hard coded rules for Adobe Creative Cloud fonts to Windows GPU sandbox. r=handyman
Differential Revision: https://phabricator.services.mozilla.com/D274407
Diffstat:
4 files changed, 66 insertions(+), 24 deletions(-)
diff --git a/security/sandbox/win/gtest/TestConfigHelpers.cpp b/security/sandbox/win/gtest/TestConfigHelpers.cpp
@@ -25,11 +25,19 @@ using ::testing::StartsWith;
using ::testing::StrEq;
using ::testing::StrictMock;
+// Only allow 2 pages to test by default.
+constexpr int kDefaultNumberOfPagesForTesting = 2;
static const nsLiteralString sWinUserProfile = uR"(C:\Users\Moz User)"_ns;
static const nsLiteralString sLocalAppData =
uR"(C:\Users\Moz User\AppData\Local)"_ns;
+static const nsLiteralString sRoamingAppData =
+ uR"(C:\Users\Moz User\AppData\Roaming)"_ns;
static const wchar_t* sWinUserFonts =
LR"(C:\Users\Moz User\AppData\Local\Microsoft\Windows\Fonts\*)";
+static const wchar_t* sAdobeLiveTypeFonts =
+ LR"(C:\Users\Moz User\AppData\Roaming\ADOBE\CORESYNC\PLUGINS\LIVETYPE\R\*)";
+static const wchar_t* sAdobeUserOwnedFonts =
+ LR"(C:\Users\Moz User\AppData\Roaming\ADOBE\USER OWNED FONTS\*)";
static const wchar_t* sTestRegKey = LR"(Software\MozFontsPathsTest)";
static const wchar_t* sTestFailRegKey = LR"(Software\MozFontsPathsTestFail)";
@@ -112,6 +120,8 @@ class UserFontConfigHelperTest : public testing::Test {
// We always expect the Windows User font dir rule to be added.
UserFontConfigHelperTest()
: mWinUserFontCall(EXPECT_READONLY_EQ(sWinUserFonts)) {
+ EXPECT_READONLY_EQ(sAdobeLiveTypeFonts);
+ EXPECT_READONLY_EQ(sAdobeUserOwnedFonts);
::RegCreateKeyExW(HKEY_CURRENT_USER, sTestRegKey, 0, nullptr,
REG_OPTION_VOLATILE, KEY_ALL_ACCESS, nullptr,
&mTestUserFontKey, nullptr);
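Review bot: The fixture comment above the constructor still says only the Windows User font dir rule is always expected, but the two added `EXPECT_READONLY_EQ` calls make the Adobe rules unconditional expectations too. I would update it to `// We always expect the Windows User font dir and the two Adobe font dir rules to be added.` The Adobe expectations are also discarded rather than stored, so tests that sequence rules with `.After(mWinUserFontCall)` do not pin where the Adobe rules land relative to registry-derived rules. If that order matters for the size budget, keep them as members alongside `mWinUserFontCall`. The constructor body continues outside this hunk.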
@@ -130,7 +140,7 @@ class UserFontConfigHelperTest : public testing::Test {
void CreateHelperAndCallAddRules() {
UserFontConfigHelper policyHelper(sTestRegKey, sWinUserProfile,
- sLocalAppData);
+ sLocalAppData, sRoamingAppData);
sandboxing::SizeTrackingConfig trackingPolicy(&mConfig,
mNumberOfStoragePages);
policyHelper.AddRules(trackingPolicy);
@@ -140,14 +150,13 @@ class UserFontConfigHelperTest : public testing::Test {
StrictMock<MockConfig> mConfig;
const Expectation mWinUserFontCall;
HKEY mTestUserFontKey = nullptr;
- // Only allow one page to test by default.
- int32_t mNumberOfStoragePages = 1;
+ int32_t mNumberOfStoragePages = kDefaultNumberOfPagesForTesting;
};
-TEST_F(UserFontConfigHelperTest, WindowsDirRProgramDatauleAddedOnKeyFailure) {
+TEST_F(UserFontConfigHelperTest, WindowsDirRuleAddedOnKeyFailure) {
// Create helper with incorrect key name.
UserFontConfigHelper policyHelper(sTestFailRegKey, sWinUserProfile,
- sLocalAppData);
+ sLocalAppData, sRoamingAppData);
sandboxing::SizeTrackingConfig trackingPolicy(&mConfig, 1);
policyHelper.AddRules(trackingPolicy);
}
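Review bot: `WindowsDirRuleAddedOnKeyFailure` still builds its `SizeTrackingConfig` with a literal `1` page while the fixture default moves to `kDefaultNumberOfPagesForTesting`, so this one test now checks the three static rules against a different budget from the rest of the suite. Whether three rules fit in a single page depends on `sizeof(sandbox::PolicyOpcode)`, which is not visible here; presumably they do, but the margin is not obvious to a reader. I would either write `sandboxing::SizeTrackingConfig trackingPolicy(&mConfig, kDefaultNumberOfPagesForTesting);` or add a comment stating that one page is intentional for this case.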
@@ -213,9 +222,6 @@ TEST_F(UserFontConfigHelperTest, PathsOutsideUsersDirAddedAtEnd) {
const auto* pdFont2 = LR"(C:\ProgramData\Fonts\FontFile2.ttf)";
SetUpPaths({pdFont1, userFont1, pdFont2, userFont2, userFont3});
- // These font rules won't fit in 1 page.
- mNumberOfStoragePages = 2;
-
auto& userDirFont1 = EXPECT_READONLY_EQ(userFont1).After(mWinUserFontCall);
auto& userDirFont2 = EXPECT_READONLY_EQ(userFont2).After(mWinUserFontCall);
auto& userDirFont3 = EXPECT_READONLY_EQ(userFont3).After(mWinUserFontCall);
@@ -242,9 +248,6 @@ TEST_F(UserFontConfigHelperTest, SubKeyPathsOutsideUsersDirAddedAtEnd) {
ASSERT_EQ(lStatus, ERROR_SUCCESS);
SetUpPathsInKey(subKey.get(), {pdFont2, userFont3});
- // These font rules won't fit in 1 page.
- mNumberOfStoragePages = 2;
-
auto& userDirFont1 = EXPECT_READONLY_EQ(userFont1).After(mWinUserFontCall);
auto& userDirFont2 = EXPECT_READONLY_EQ(userFont2).After(mWinUserFontCall);
auto& userDirFont3 =
@@ -347,15 +350,18 @@ TEST_F(UserFontConfigHelperTest,
CreateHelperAndCallAddRules();
}
+auto RuleSize(const wchar_t* aRulePath) {
+ return (12 * sizeof(sandbox::PolicyOpcode)) +
+ ((wcslen(aRulePath) + 4) * sizeof(wchar_t) * 4);
+}
+
std::wstring MakeLongFontPath(const wchar_t* aPrefix, const wchar_t* aSuffix) {
static size_t sReqPathLen = []() {
- // Bytes taken up by the Windows user font path rule.
- size_t winUserFontSpace =
- (12 * sizeof(sandbox::PolicyOpcode)) +
- ((wcslen(sWinUserFonts) + 4) * sizeof(wchar_t) * 4);
-
- // The test fixture allows for one page.
- size_t remainingSpace = 4096 - winUserFontSpace;
+ // Take the bytes required for the static rules from the starting memory
+ // allowance for tests.
+ size_t remainingSpace =
+ (4096 * kDefaultNumberOfPagesForTesting) - RuleSize(sWinUserFonts) -
+ RuleSize(sAdobeLiveTypeFonts) - RuleSize(sAdobeUserOwnedFonts);
// We want 3 paths to be too big, so divide by 3 and reverse the formula.
size_t spacePerFontPath = remainingSpace / 3;
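Review bot: `RuleSize` is a file-local test helper but is declared with external linkage and a deduced `auto` return type, and its constants (12 opcodes, `+ 4` characters, `* 4`) are unexplained now that three rules share the formula. I would write `static size_t RuleSize(const wchar_t* aRulePath) {` and add `// Estimated policy storage, in bytes, consumed by one read-only file rule for aRulePath.` above it, and name the `4096` page size once next to `kDefaultNumberOfPagesForTesting`. The subtraction that feeds `remainingSpace` is unsigned, so if more static rules are added and their total exceeds the test allowance it wraps to a huge value instead of failing visibly. `MakeLongFontPath` continues outside this hunk.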
diff --git a/security/sandbox/win/src/sandboxbroker/ConfigHelpers.cpp b/security/sandbox/win/src/sandboxbroker/ConfigHelpers.cpp
@@ -85,8 +85,11 @@ sandbox::ResultCode SizeTrackingConfig::AllowFileAccess(
UserFontConfigHelper::UserFontConfigHelper(const wchar_t* aUserFontKeyPath,
const nsString& aWinUserProfile,
- const nsString& aLocalAppData)
- : mWinUserProfile(aWinUserProfile), mLocalAppData(aLocalAppData) {
+ const nsString& aLocalAppData,
+ const nsString& aRoamingAppData)
+ : mWinUserProfile(aWinUserProfile),
+ mLocalAppData(aLocalAppData),
+ mRoamingAppData(aRoamingAppData) {
LSTATUS lStatus =
::RegOpenKeyExW(HKEY_CURRENT_USER, aUserFontKeyPath, 0,
KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS, &mUserFontKey);
@@ -226,6 +229,27 @@ void UserFontConfigHelper::AddRules(SizeTrackingConfig& aConfig) const {
windowsUserFontDir.getW());
}
+ // Add two hard coded rules for Adobe Creative Cloud fonts, as it uses
+ // AddFontResource to register its fonts so they don't appear in the registry.
+ nsAutoString adobeLiveTypeFonts(mRoamingAppData);
+ adobeLiveTypeFonts += uR"(\ADOBE\CORESYNC\PLUGINS\LIVETYPE\R\*)"_ns;
+ result = aConfig.AllowFileAccess(sandbox::FileSemantics::kAllowReadonly,
+ adobeLiveTypeFonts.getW());
+ if (result != sandbox::SBOX_ALL_OK) {
+ NS_ERROR("Failed to add Adobe LiveType font dir policy rule.");
+ LOG_E("Failed (ResultCode %d) to add read access to: %S", result,
+ adobeLiveTypeFonts.getW());
+ }
+ nsAutoString adobeUserOwnedFonts(mRoamingAppData);
+ adobeUserOwnedFonts += uR"(\ADOBE\USER OWNED FONTS\*)"_ns;
+ result = aConfig.AllowFileAccess(sandbox::FileSemantics::kAllowReadonly,
+ adobeUserOwnedFonts.getW());
+ if (result != sandbox::SBOX_ALL_OK) {
+ NS_ERROR("Failed to add Adobe user owned font dir policy rule.");
+ LOG_E("Failed (ResultCode %d) to add read access to: %S", result,
+ adobeUserOwnedFonts.getW());
+ }
+
// We failed to open the registry key, we can't do any more.
if (!mUserFontKey) {
return;
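Review bot: The two Adobe rules are added unconditionally, ahead of the `!mUserFontKey` early return and ahead of any registry-listed font. Every GPU sandbox policy therefore grants read access to both wildcard directories under Roaming AppData whether or not Creative Cloud is installed, and their size appears to be charged to the `SizeTrackingConfig` budget before the user's registered fonts. The comment should record that trade-off, for example `// Added unconditionally (even if the directories do not exist) and before registry fonts, so they always count against the policy size limit.` The two blocks differ only in the path suffix and the `NS_ERROR` text, so a small local helper taking the relative path would remove the duplication. `AddRules` starts and ends outside this hunk.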
diff --git a/security/sandbox/win/src/sandboxbroker/ConfigHelpers.h b/security/sandbox/win/src/sandboxbroker/ConfigHelpers.h
@@ -37,7 +37,8 @@ MOZ_RAII class UserFontConfigHelper final {
public:
UserFontConfigHelper(const wchar_t* aUserFontKeyPath,
const nsString& aWinUserProfile,
- const nsString& aLocalAppData);
+ const nsString& aLocalAppData,
+ const nsString& aRoamingAppData);
~UserFontConfigHelper();
void AddRules(sandboxing::SizeTrackingConfig& aConfig) const;
@@ -48,6 +49,7 @@ MOZ_RAII class UserFontConfigHelper final {
private:
const nsString& mWinUserProfile;
const nsString& mLocalAppData;
+ const nsString& mRoamingAppData;
HKEY mUserFontKey = nullptr;
};
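Review bot: `mRoamingAppData` is stored as a `const nsString&`, like the two members above it, so the helper keeps a reference to the caller's string instead of a copy. A `const nsString&` constructor parameter will also bind to a temporary, which would leave the member dangling once the constructor returns. The callers visible in this commit pass statics, so this is safe today. I would state the requirement on the constructor declaration: `// The strings are held by reference and must outlive this helper.`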
diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -75,6 +75,7 @@ static StaticAutoPtr<nsString> sBinDir;
static StaticAutoPtr<nsString> sProfileDir;
static StaticAutoPtr<nsString> sWindowsProfileDir;
static StaticAutoPtr<nsString> sLocalAppDataDir;
+static StaticAutoPtr<nsString> sRoamingAppDataDir;
static StaticAutoPtr<nsString> sSystemFontsDir;
static StaticAutoPtr<nsString> sWindowsSystemDir;
static StaticAutoPtr<nsString> sLocalAppDataLowDir;
@@ -148,6 +149,7 @@ void SandboxBroker::Initialize(sandbox::BrokerServices* aBrokerServices,
sProfileDir = nullptr;
sWindowsProfileDir = nullptr;
sLocalAppDataDir = nullptr;
+ sRoamingAppDataDir = nullptr;
sSystemFontsDir = nullptr;
sWindowsSystemDir = nullptr;
sLocalAppDataLowDir = nullptr;
@@ -263,6 +265,12 @@ static void AddCachedWindowsDirRule(
AddCachedDirRule(aConfig, aAccess, sLocalAppDataLowDir, aRelativePath);
return;
}
+ if (aFolderID == FOLDERID_RoamingAppData) {
+ EnsureWindowsDirCached(FOLDERID_RoamingAppData, sRoamingAppDataDir,
+ "Failed to get Windows RoamingAppData folder");
+ AddCachedDirRule(aConfig, aAccess, sRoamingAppDataDir, aRelativePath);
+ return;
+ }
if (aFolderID == FOLDERID_Profile) {
EnsureWindowsDirCached(FOLDERID_Profile, sWindowsProfileDir,
"Failed to get Windows Profile folder");
@@ -1366,11 +1374,13 @@ void SandboxBroker::SetSecurityLevelForGPUProcess(int32_t aSandboxLevel) {
EnsureWindowsDirCached(FOLDERID_Profile, sWindowsProfileDir,
"Failed to get Windows Profile folder");
EnsureWindowsDirCached(FOLDERID_LocalAppData, sLocalAppDataDir,
- "Failed to get Windows LocalAppDataLow folder");
- if (sWindowsProfileDir && sLocalAppDataDir) {
+ "Failed to get Windows LocalAppData folder");
+ EnsureWindowsDirCached(FOLDERID_RoamingAppData, sRoamingAppDataDir,
+ "Failed to get Windows RoamingAppData folder");
+ if (sWindowsProfileDir && sLocalAppDataDir && sRoamingAppDataDir) {
sandboxing::UserFontConfigHelper configHelper(
LR"(Software\Microsoft\Windows NT\CurrentVersion\Fonts)",
- *sWindowsProfileDir, *sLocalAppDataDir);
+ *sWindowsProfileDir, *sLocalAppDataDir, *sRoamingAppDataDir);
configHelper.AddRules(trackingConfig);
}
}
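Review bot: Adding `&& sRoamingAppDataDir` to the guard means a failure to resolve RoamingAppData now skips `configHelper.AddRules` entirely, so the Windows user font dir rule and every registry-listed font rule are dropped along with the Adobe ones. Before this change those rules needed only the Profile and LocalAppData folders. Consider keeping the old guard and making only the Adobe rules conditional, for instance by passing an empty string when the lookup fails and wrapping the new block in `AddRules` with `if (!mRoamingAppData.IsEmpty()) {`. The enclosing function starts outside this hunk.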