Removes \\.\pipe\chrome.nacl* from sandbox rules.

These pipes were used by Inter-Module Comms (IMC) but this was disabled some time ago. (see https://crbug.com/nativeclient/3864) Bug: 1023583 Change-Id: I8c6c573d32d6a7fff2218b8a3739d66684665185 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1934867Reviewed-by: Will Harris <wfh@chromium.org> Reviewed-by: Mark Seaborn <mseaborn@chromium.org> Commit-Queue: Alex Gough <ajgo@chromium.org> Cr-Commit-Position: refs/heads/master@{#721063}

Removes \\.\pipe\chrome.nacl* from sandbox rules.
These pipes were used by Inter-Module Comms (IMC) but this was disabled some time ago. (see https://crbug.com/nativeclient/3864) Bug: 1023583 Change-Id: I8c6c573d32d6a7fff2218b8a3739d66684665185 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1934867Reviewed-by: Will Harris <wfh@chromium.org> Reviewed-by: Mark Seaborn <mseaborn@chromium.org> Commit-Queue: Alex Gough <ajgo@chromium.org> Cr-Commit-Position: refs/heads/master@{#721063}
59f406bd · Alex Gough · Commit Bot · 3e67ce24 · 59f406bd · 59f406bd
Commit 59f406bd authored Dec 03, 2019 by Alex Gough Committed by Commit Bot Dec 03, 2019
4 changed files
--- a/chrome/browser/chrome_content_browser_client.cc
+++ b/chrome/browser/chrome_content_browser_client.cc
@@ -3585,16 +3585,6 @@ base::string16 ChromeContentBrowserClient::GetAppContainerSidForSandboxType(

 bool ChromeContentBrowserClient::PreSpawnRenderer(sandbox::TargetPolicy* policy,
                                                  RendererSpawnFlags flags) {
-  // Allow the server side of a pipe restricted to the "chrome.nacl."
-  // namespace so that it cannot impersonate other system or other chrome
-  // service pipes. This is also done in nacl_broker_listener.cc.
-  sandbox::ResultCode result =
-      policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
-                      sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
-                      L"\\\\.\\pipe\\chrome.nacl.*");
-  if (result != sandbox::SBOX_ALL_OK)
-    return false;
-
 // Does not work under component build because all the component DLLs would need
 // to be manually added and maintained. Does not work under ASAN build because
 // ASAN has not yet fully initialized its instrumentation by the time the CIG
@@ -3614,7 +3604,7 @@ bool ChromeContentBrowserClient::PreSpawnRenderer(sandbox::TargetPolicy* policy,

  sandbox::MitigationFlags mitigations = policy->GetProcessMitigations();
  mitigations |= sandbox::MITIGATION_FORCE_MS_SIGNED_BINS;
-  result = policy->SetProcessMitigations(mitigations);
+  sandbox::ResultCode result = policy->SetProcessMitigations(mitigations);
  if (result != sandbox::SBOX_ALL_OK)
    return false;


--- a/components/nacl/broker/nacl_broker_listener.cc
+++ b/components/nacl/broker/nacl_broker_listener.cc
@@ -52,20 +52,6 @@ void NaClBrokerListener::Listen() {
  run_loop_.Run();
 }

-// NOTE: changes to this method need to be reviewed by the security team.
-bool NaClBrokerListener::PreSpawnTarget(sandbox::TargetPolicy* policy) {
-  // This code is duplicated in chrome_content_browser_client.cc.
-
-  // Allow the server side of a pipe restricted to the "chrome.nacl."
-  // namespace so that it cannot impersonate other system or other chrome
-  // service pipes.
-  sandbox::ResultCode result = policy->AddRule(
-      sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
-      sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
-      L"\\\\.\\pipe\\chrome.nacl.*");
-  return result == sandbox::SBOX_ALL_OK;
-}
-
 service_manager::SandboxType NaClBrokerListener::GetSandboxType() {
  return service_manager::SANDBOX_TYPE_PPAPI;
 }

--- a/components/nacl/broker/nacl_broker_listener.h
+++ b/components/nacl/broker/nacl_broker_listener.h
@@ -32,7 +32,6 @@ class NaClBrokerListener : public content::SandboxedProcessLauncherDelegate,
  void Listen();

  // content::SandboxedProcessLauncherDelegate implementation:
-  bool PreSpawnTarget(sandbox::TargetPolicy* policy) override;
  service_manager::SandboxType GetSandboxType() override;

  // IPC::Listener implementation.

--- a/services/service_manager/sandbox/win/sandbox_win.cc
+++ b/services/service_manager/sandbox/win/sandbox_win.cc
@@ -328,16 +328,6 @@ sandbox::ResultCode AddGenericPolicy(sandbox::TargetPolicy* policy) {
  if (result != sandbox::SBOX_ALL_OK)
    return result;

-  // Add the policy for the server side of nacl pipe. It is just a file
-  // in the \pipe\ namespace. We restrict it to pipes that start with
-  // "chrome.nacl" so the sandboxed process cannot connect to
-  // system services.
-  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
-                           sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY,
-                           L"\\\\.\\pipe\\chrome.nacl.*");
-  if (result != sandbox::SBOX_ALL_OK)
-    return result;
-
  // Allow the server side of sync sockets, which are pipes that have
  // the "chrome.sync" namespace and a randomly generated suffix.
  result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,