Sandbox for sharing's WebRTC service.

Confines the sharing service WebRTC helper in the union of utility and renderer sandboxes. Windows:- Adds win32k lockdown. Adds dynamic code disable. Linux:- Utility style seccomp with some calls removed. Mac:- Shortcuts to utility. Testing:- Manual test on each platform of large remote clipboard copy to/from unmodified Canary with all sharing flags enabled. Bug: 1045590 Change-Id: I72c1270c7db0dcce9e532ac97ad756fd22970574 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2051405Reviewed-by: Scott Violet <sky@chromium.org> Reviewed-by: Will Harris <wfh@chromium.org> Reviewed-by: Richard Knoll <knollr@chromium.org> Reviewed-by: Matthew Denton <mpdenton@chromium.org> Commit-Queue: Alex Gough <ajgo@chromium.org> Cr-Commit-Position: refs/heads/master@{#751902}

Sandbox for sharing's WebRTC service.
Confines the sharing service WebRTC helper in the union of utility and renderer sandboxes. Windows:- Adds win32k lockdown. Adds dynamic code disable. Linux:- Utility style seccomp with some calls removed. Mac:- Shortcuts to utility. Testing:- Manual test on each platform of large remote clipboard copy to/from unmodified Canary with all sharing flags enabled. Bug: 1045590 Change-Id: I72c1270c7db0dcce9e532ac97ad756fd22970574 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2051405Reviewed-by: Scott Violet <sky@chromium.org> Reviewed-by: Will Harris <wfh@chromium.org> Reviewed-by: Richard Knoll <knollr@chromium.org> Reviewed-by: Matthew Denton <mpdenton@chromium.org> Commit-Queue: Alex Gough <ajgo@chromium.org> Cr-Commit-Position: refs/heads/master@{#751902}
63617356 · Alex Gough · Commit Bot · d16b4494 · 63617356 · 63617356
Commit 63617356 authored Mar 20, 2020 by Alex Gough Committed by Commit Bot Mar 20, 2020
13 changed files
--- a/chrome/browser/chrome_content_browser_client.cc
+++ b/chrome/browser/chrome_content_browser_client.cc
@@ -3616,6 +3616,7 @@ base::string16 ChromeContentBrowserClient::GetAppContainerSidForSandboxType(
    case service_manager::SandboxType::kSoda:
    case service_manager::SandboxType::kProxyResolver:
    case service_manager::SandboxType::kPdfConversion:
+    case service_manager::SandboxType::kSharingService:
      // Should never reach here.
      CHECK(0);
      return base::string16();

--- a/chrome/browser/sharing/webrtc/sharing_mojo_service.cc
+++ b/chrome/browser/sharing/webrtc/sharing_mojo_service.cc
@@ -4,6 +4,7 @@
 #include "chrome/browser/sharing/webrtc/sharing_mojo_service.h"
+#include "build/build_config.h"
 #include "content/public/browser/service_process_host.h"
 namespace sharing {
@@ -13,7 +14,11 @@ mojo::PendingRemote<mojom::Sharing> LaunchSharing() {
  content::ServiceProcessHost::Launch<mojom::Sharing>(
      remote.InitWithNewPipeAndPassReceiver(),
      content::ServiceProcessHost::Options()
+#if defined(OS_MACOSX)
          .WithSandboxType(service_manager::SandboxType::kUtility)
+#else
+          .WithSandboxType(service_manager::SandboxType::kSharingService)
+#endif
          .WithDisplayName("Sharing Service")
          .Pass());
  return remote;

--- a/chrome/browser/ui/webui/sandbox/sandbox_handler.cc
+++ b/chrome/browser/ui/webui/sandbox/sandbox_handler.cc
@@ -60,6 +60,8 @@ std::string GetSandboxTypeInEnglish(content::SandboxType sandbox_type) {
      return "Proxy Resolver";
    case content::SandboxType::kPdfConversion:
      return "PDF Conversion";
+    case content::SandboxType::kSharingService:
+      return "Sharing";
  }
 }

--- a/content/browser/utility_process_host.cc
+++ b/content/browser/utility_process_host.cc
@@ -92,6 +92,9 @@ class UtilitySandboxedProcessLauncherDelegate
        sandbox_type_ == service_manager::SandboxType::kIme ||
 #endif  // OS_CHROMEOS
        sandbox_type_ == service_manager::SandboxType::kAudio ||
+#if !defined(OS_MACOSX)
+        sandbox_type_ == service_manager::SandboxType::kSharingService ||
+#endif
        sandbox_type_ == service_manager::SandboxType::kSoda;
    DCHECK(supported_sandbox_type);
 #endif  // DCHECK_IS_ON()
@@ -173,6 +176,22 @@ class UtilitySandboxedProcessLauncherDelegate
      service_manager::SandboxWin::SetJobLevel(
          cmd_line_, sandbox::JOB_UNPROTECTED, 0, policy);
    }
+    if (sandbox_type_ == service_manager::SandboxType::kSharingService) {
+      if (service_manager::IsWin32kLockdownEnabled()) {
+        auto result =
+            service_manager::SandboxWin::AddWin32kLockdownPolicy(policy, false);
+        if (result != sandbox::SBOX_ALL_OK)
+          return false;
+      }
+      auto delayed_flags = policy->GetDelayedProcessMitigations();
+      delayed_flags |= sandbox::MITIGATION_DYNAMIC_CODE_DISABLE;
+      auto result = policy->SetDelayedProcessMitigations(delayed_flags);
+      if (result != sandbox::SBOX_ALL_OK)
+        return false;
+    }
    return true;
  }
 #endif  // OS_WIN

--- a/content/browser/utility_process_sandbox_browsertest.cc
+++ b/content/browser/utility_process_sandbox_browsertest.cc
@@ -101,6 +101,7 @@ class UtilityProcessSandboxBrowserTest
      case SandboxType::kCdm:
      case SandboxType::kPpapi:
      case SandboxType::kPrintCompositor:
+      case SandboxType::kSharingService:
      case SandboxType::kUtility: {
        constexpr int kExpectedFullSandboxFlags =
            SandboxLinux::kPIDNS | SandboxLinux::kNetNS |

--- a/services/service_manager/sandbox/BUILD.gn
+++ b/services/service_manager/sandbox/BUILD.gn
@@ -50,6 +50,8 @@ component("sandbox") {
      "linux/bpf_print_compositor_policy_linux.h",
      "linux/bpf_renderer_policy_linux.cc",
      "linux/bpf_renderer_policy_linux.h",
+      "linux/bpf_sharing_service_policy_linux.cc",
+      "linux/bpf_sharing_service_policy_linux.h",
      "linux/bpf_soda_policy_linux.cc",
      "linux/bpf_soda_policy_linux.h",
      "linux/bpf_utility_policy_linux.cc",

--- a/services/service_manager/sandbox/linux/bpf_sharing_service_policy_linux.cc
+++ b/services/service_manager/sandbox/linux/bpf_sharing_service_policy_linux.cc
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "services/service_manager/sandbox/linux/bpf_sharing_service_policy_linux.h"
+#include <errno.h>
+#include "build/build_config.h"
+#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
+#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
+#include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
+#include "sandbox/linux/system_headers/linux_syscalls.h"
+#include "services/service_manager/sandbox/linux/sandbox_linux.h"
+using sandbox::SyscallSets;
+using sandbox::bpf_dsl::Allow;
+using sandbox::bpf_dsl::Error;
+using sandbox::bpf_dsl::ResultExpr;
+namespace service_manager {
+ResultExpr SharingServiceProcessPolicy::EvaluateSyscall(int sysno) const {
+  switch (sysno) {
+    case __NR_ioctl:
+      return sandbox::RestrictIoctl();
+      // Allow the system calls below.
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+    defined(__aarch64__)
+    case __NR_getrlimit:
+#endif
+#if defined(__i386__) || defined(__arm__)
+    case __NR_ugetrlimit:
+#endif
+    case __NR_mremap:  // https://crbug.com/546204
+    case __NR_pwrite64:
+    case __NR_times:
+      return Allow();
+    default:
+      // Default on the content baseline policy.
+      return BPFBasePolicy::EvaluateSyscall(sysno);
+  }
+}
+}  // namespace service_manager
--- a/services/service_manager/sandbox/linux/bpf_sharing_service_policy_linux.h
+++ b/services/service_manager/sandbox/linux/bpf_sharing_service_policy_linux.h
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#ifndef SERVICES_SERVICE_MANAGER_SANDBOX_LINUX_BPF_SHARING_SERVICE_POLICY_LINUX_H_
+#define SERVICES_SERVICE_MANAGER_SANDBOX_LINUX_BPF_SHARING_SERVICE_POLICY_LINUX_H_
+#include "base/macros.h"
+#include "services/service_manager/sandbox/linux/bpf_base_policy_linux.h"
+namespace service_manager {
+// This policy can be used by the Sharing service to host WebRTC.
+class SharingServiceProcessPolicy : public BPFBasePolicy {
+ public:
+  SharingServiceProcessPolicy() = default;
+  ~SharingServiceProcessPolicy() override = default;
+  sandbox::bpf_dsl::ResultExpr EvaluateSyscall(
+      int system_call_number) const override;
+  SharingServiceProcessPolicy(const SharingServiceProcessPolicy&) = delete;
+  SharingServiceProcessPolicy& operator=(const SharingServiceProcessPolicy&) =
+      delete;
+};
+}  // namespace service_manager
+#endif  // SERVICES_SERVICE_MANAGER_SANDBOX_LINUX_BPF_UTILITY_POLICY_LINUX_H_
--- a/services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.cc
+++ b/services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.cc
@@ -43,6 +43,7 @@
 #include "services/service_manager/sandbox/linux/bpf_ppapi_policy_linux.h"
 #include "services/service_manager/sandbox/linux/bpf_print_compositor_policy_linux.h"
 #include "services/service_manager/sandbox/linux/bpf_renderer_policy_linux.h"
+#include "services/service_manager/sandbox/linux/bpf_sharing_service_policy_linux.h"
 #include "services/service_manager/sandbox/linux/bpf_soda_policy_linux.h"
 #include "services/service_manager/sandbox/linux/bpf_utility_policy_linux.h"
@@ -173,6 +174,8 @@ std::unique_ptr<BPFBasePolicy> SandboxSeccompBPF::PolicyForSandboxType(
      return std::make_unique<NetworkProcessPolicy>();
    case SandboxType::kAudio:
      return std::make_unique<AudioProcessPolicy>();
+    case SandboxType::kSharingService:
+      return std::make_unique<SharingServiceProcessPolicy>();
    case SandboxType::kSoda:
      return std::make_unique<SodaProcessPolicy>();
 #if defined(OS_CHROMEOS)
@@ -222,6 +225,7 @@ void SandboxSeccompBPF::RunSandboxSanityChecks(
    case SandboxType::kIme:
 #endif  // defined(OS_CHROMEOS)
    case SandboxType::kAudio:
+    case SandboxType::kSharingService:
    case SandboxType::kSoda:
    case SandboxType::kNetwork:
    case SandboxType::kUtility:

--- a/services/service_manager/sandbox/sandbox_type.cc
+++ b/services/service_manager/sandbox/sandbox_type.cc
@@ -19,7 +19,6 @@ bool IsUnsandboxedSandboxType(SandboxType sandbox_type) {
 #if defined(OS_WIN)
    case SandboxType::kNoSandboxAndElevatedPrivileges:
      return true;
    case SandboxType::kXrCompositing:
      return !base::FeatureList::IsEnabled(
          service_manager::features::kXRSandbox);
@@ -51,6 +50,9 @@ bool IsUnsandboxedSandboxType(SandboxType sandbox_type) {
 #endif
 #if defined(OS_CHROMEOS)
    case SandboxType::kIme:
+#endif
+#if !defined(OS_MACOSX)
+    case SandboxType::kSharingService:
 #endif
    case SandboxType::kSoda:
      return false;
@@ -99,6 +101,9 @@ void SetCommandLineFlagsForSandboxType(base::CommandLine* command_line,
 #if defined(OS_CHROMEOS)
    case SandboxType::kIme:
 #endif  // defined(OS_CHROMEOS)
+#if !defined(OS_MACOSX)
+    case SandboxType::kSharingService:
+#endif
    case SandboxType::kSoda:
      DCHECK(command_line->GetSwitchValueASCII(switches::kProcessType) ==
             switches::kUtilityProcess);
@@ -175,6 +180,10 @@ std::string StringFromUtilitySandboxType(SandboxType sandbox_type) {
      return switches::kUtilitySandbox;
    case SandboxType::kAudio:
      return switches::kAudioSandbox;
+#if !defined(OS_MACOSX)
+    case SandboxType::kSharingService:
+      return switches::kSharingServiceSandbox;
+#endif
    case SandboxType::kSoda:
      return switches::kSodaSandbox;
 #if defined(OS_WIN)

--- a/services/service_manager/sandbox/sandbox_type.h
+++ b/services/service_manager/sandbox/sandbox_type.h
@@ -74,6 +74,11 @@ enum class SandboxType {
  kIme,
 #endif  // defined(OS_CHROMEOS)
+#if !defined(OS_MACOSX)
+  // Hosts WebRTC for Sharing Service, uses kUtility on OS_MACOSX.
+  kSharingService,
+#endif
  // The Speech On-Device API service process.
  kSoda,

--- a/services/service_manager/sandbox/switches.cc
+++ b/services/service_manager/sandbox/switches.cc
@@ -28,6 +28,7 @@ const char kUtilitySandbox[] = "utility";
 const char kCdmSandbox[] = "cdm";
 const char kPrintCompositorSandbox[] = "print_compositor";
 const char kAudioSandbox[] = "audio";
+const char kSharingServiceSandbox[] = "sharing_service";
 const char kSodaSandbox[] = "soda";
 #if defined(OS_WIN)

--- a/services/service_manager/sandbox/switches.h
+++ b/services/service_manager/sandbox/switches.h
@@ -27,6 +27,7 @@ SERVICE_MANAGER_SANDBOX_EXPORT extern const char kUtilitySandbox[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kCdmSandbox[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kPrintCompositorSandbox[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kAudioSandbox[];
+SERVICE_MANAGER_SANDBOX_EXPORT extern const char kSharingServiceSandbox[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kSodaSandbox[];
 #if defined(OS_WIN)