Sandbox for sharing's WebRTC service.

Confines the sharing service WebRTC helper in the union of utility
and renderer sandboxes.

Windows:-

Adds win32k lockdown.
Adds dynamic code disable.

Linux:-

Utility style seccomp with some calls removed.

Mac:-

Shortcuts to utility.

Testing:-

Manual test on each platform of large remote clipboard copy
to/from unmodified Canary with all sharing flags enabled.

Bug: 1045590
Change-Id: I72c1270c7db0dcce9e532ac97ad756fd22970574
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2051405Reviewed-by: Scott Violet <sky@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Reviewed-by: Richard Knoll <knollr@chromium.org>
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Commit-Queue: Alex Gough <ajgo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#751902}

chrome/browser/chrome_content_browser_client.cc

@@ -3616,6 +3616,7 @@ base::string16 ChromeContentBrowserClient::GetAppContainerSidForSandboxType(
     case service_manager::SandboxType::kSoda:
     case service_manager::SandboxType::kProxyResolver:
     case service_manager::SandboxType::kPdfConversion:
+    case service_manager::SandboxType::kSharingService:
       // Should never reach here.
       CHECK(0);
       return base::string16();

chrome/browser/sharing/webrtc/sharing_mojo_service.cc

@@ -4,6 +4,7 @@
 
 #include "chrome/browser/sharing/webrtc/sharing_mojo_service.h"
 
+#include "build/build_config.h"
 #include "content/public/browser/service_process_host.h"
 
 namespace sharing {
@@ -13,7 +14,11 @@ mojo::PendingRemote<mojom::Sharing> LaunchSharing() {
   content::ServiceProcessHost::Launch<mojom::Sharing>(
       remote.InitWithNewPipeAndPassReceiver(),
       content::ServiceProcessHost::Options()
+#if defined(OS_MACOSX)
           .WithSandboxType(service_manager::SandboxType::kUtility)
+#else
+          .WithSandboxType(service_manager::SandboxType::kSharingService)
+#endif
           .WithDisplayName("Sharing Service")
           .Pass());
   return remote;

chrome/browser/ui/webui/sandbox/sandbox_handler.cc

@@ -60,6 +60,8 @@ std::string GetSandboxTypeInEnglish(content::SandboxType sandbox_type) {
       return "Proxy Resolver";
     case content::SandboxType::kPdfConversion:
       return "PDF Conversion";
+    case content::SandboxType::kSharingService:
+      return "Sharing";
   }
 }
 

content/browser/utility_process_host.cc

@@ -92,6 +92,9 @@ class UtilitySandboxedProcessLauncherDelegate
         sandbox_type_ == service_manager::SandboxType::kIme ||
 #endif  // OS_CHROMEOS
         sandbox_type_ == service_manager::SandboxType::kAudio ||
+#if !defined(OS_MACOSX)
+        sandbox_type_ == service_manager::SandboxType::kSharingService ||
+#endif
         sandbox_type_ == service_manager::SandboxType::kSoda;
     DCHECK(supported_sandbox_type);
 #endif  // DCHECK_IS_ON()
@@ -173,6 +176,22 @@ class UtilitySandboxedProcessLauncherDelegate
       service_manager::SandboxWin::SetJobLevel(
           cmd_line_, sandbox::JOB_UNPROTECTED, 0, policy);
     }
+
+    if (sandbox_type_ == service_manager::SandboxType::kSharingService) {
+      if (service_manager::IsWin32kLockdownEnabled()) {
+        auto result =
+            service_manager::SandboxWin::AddWin32kLockdownPolicy(policy, false);
+        if (result != sandbox::SBOX_ALL_OK)
+          return false;
+      }
+
+      auto delayed_flags = policy->GetDelayedProcessMitigations();
+      delayed_flags |= sandbox::MITIGATION_DYNAMIC_CODE_DISABLE;
+      auto result = policy->SetDelayedProcessMitigations(delayed_flags);
+      if (result != sandbox::SBOX_ALL_OK)
+        return false;
+    }
+
     return true;
   }
 #endif  // OS_WIN

content/browser/utility_process_sandbox_browsertest.cc

@@ -101,6 +101,7 @@ class UtilityProcessSandboxBrowserTest
       case SandboxType::kCdm:
       case SandboxType::kPpapi:
       case SandboxType::kPrintCompositor:
+      case SandboxType::kSharingService:
       case SandboxType::kUtility: {
         constexpr int kExpectedFullSandboxFlags =
             SandboxLinux::kPIDNS | SandboxLinux::kNetNS |

services/service_manager/sandbox/BUILD.gn

@@ -50,6 +50,8 @@ component("sandbox") {
       "linux/bpf_print_compositor_policy_linux.h",
       "linux/bpf_renderer_policy_linux.cc",
       "linux/bpf_renderer_policy_linux.h",
+      "linux/bpf_sharing_service_policy_linux.cc",
+      "linux/bpf_sharing_service_policy_linux.h",
       "linux/bpf_soda_policy_linux.cc",
       "linux/bpf_soda_policy_linux.h",
       "linux/bpf_utility_policy_linux.cc",

services/service_manager/sandbox/linux/bpf_sharing_service_policy_linux.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "services/service_manager/sandbox/linux/bpf_sharing_service_policy_linux.h"
+
+#include <errno.h>
+
+#include "build/build_config.h"
+#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
+#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
+#include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
+#include "sandbox/linux/system_headers/linux_syscalls.h"
+#include "services/service_manager/sandbox/linux/sandbox_linux.h"
+
+using sandbox::SyscallSets;
+using sandbox::bpf_dsl::Allow;
+using sandbox::bpf_dsl::Error;
+using sandbox::bpf_dsl::ResultExpr;
+
+namespace service_manager {
+
+ResultExpr SharingServiceProcessPolicy::EvaluateSyscall(int sysno) const {
+  switch (sysno) {
+    case __NR_ioctl:
+      return sandbox::RestrictIoctl();
+      // Allow the system calls below.
+#if defined(__i386__) || defined(__x86_64__) || defined(__mips__) || \
+    defined(__aarch64__)
+    case __NR_getrlimit:
+#endif
+#if defined(__i386__) || defined(__arm__)
+    case __NR_ugetrlimit:
+#endif
+    case __NR_mremap:  // https://crbug.com/546204
+    case __NR_pwrite64:
+    case __NR_times:
+      return Allow();
+    default:
+      // Default on the content baseline policy.
+      return BPFBasePolicy::EvaluateSyscall(sysno);
+  }
+}
+
+}  // namespace service_manager

services/service_manager/sandbox/linux/bpf_sharing_service_policy_linux.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SERVICES_SERVICE_MANAGER_SANDBOX_LINUX_BPF_SHARING_SERVICE_POLICY_LINUX_H_
+#define SERVICES_SERVICE_MANAGER_SANDBOX_LINUX_BPF_SHARING_SERVICE_POLICY_LINUX_H_
+
+#include "base/macros.h"
+#include "services/service_manager/sandbox/linux/bpf_base_policy_linux.h"
+
+namespace service_manager {
+
+// This policy can be used by the Sharing service to host WebRTC.
+class SharingServiceProcessPolicy : public BPFBasePolicy {
+ public:
+  SharingServiceProcessPolicy() = default;
+  ~SharingServiceProcessPolicy() override = default;
+
+  sandbox::bpf_dsl::ResultExpr EvaluateSyscall(
+      int system_call_number) const override;
+
+  SharingServiceProcessPolicy(const SharingServiceProcessPolicy&) = delete;
+  SharingServiceProcessPolicy& operator=(const SharingServiceProcessPolicy&) =
+      delete;
+};
+
+}  // namespace service_manager
+
+#endif  // SERVICES_SERVICE_MANAGER_SANDBOX_LINUX_BPF_UTILITY_POLICY_LINUX_H_

services/service_manager/sandbox/linux/sandbox_seccomp_bpf_linux.cc

@@ -43,6 +43,7 @@
 #include "services/service_manager/sandbox/linux/bpf_ppapi_policy_linux.h"
 #include "services/service_manager/sandbox/linux/bpf_print_compositor_policy_linux.h"
 #include "services/service_manager/sandbox/linux/bpf_renderer_policy_linux.h"
+#include "services/service_manager/sandbox/linux/bpf_sharing_service_policy_linux.h"
 #include "services/service_manager/sandbox/linux/bpf_soda_policy_linux.h"
 #include "services/service_manager/sandbox/linux/bpf_utility_policy_linux.h"
 
@@ -173,6 +174,8 @@ std::unique_ptr<BPFBasePolicy> SandboxSeccompBPF::PolicyForSandboxType(
       return std::make_unique<NetworkProcessPolicy>();
     case SandboxType::kAudio:
       return std::make_unique<AudioProcessPolicy>();
+    case SandboxType::kSharingService:
+      return std::make_unique<SharingServiceProcessPolicy>();
     case SandboxType::kSoda:
       return std::make_unique<SodaProcessPolicy>();
 #if defined(OS_CHROMEOS)
@@ -222,6 +225,7 @@ void SandboxSeccompBPF::RunSandboxSanityChecks(
     case SandboxType::kIme:
 #endif  // defined(OS_CHROMEOS)
     case SandboxType::kAudio:
+    case SandboxType::kSharingService:
     case SandboxType::kSoda:
     case SandboxType::kNetwork:
     case SandboxType::kUtility:

services/service_manager/sandbox/sandbox_type.cc

@@ -19,7 +19,6 @@ bool IsUnsandboxedSandboxType(SandboxType sandbox_type) {
 #if defined(OS_WIN)
     case SandboxType::kNoSandboxAndElevatedPrivileges:
       return true;
-
     case SandboxType::kXrCompositing:
       return !base::FeatureList::IsEnabled(
           service_manager::features::kXRSandbox);
@@ -51,6 +50,9 @@ bool IsUnsandboxedSandboxType(SandboxType sandbox_type) {
 #endif
 #if defined(OS_CHROMEOS)
     case SandboxType::kIme:
+#endif
+#if !defined(OS_MACOSX)
+    case SandboxType::kSharingService:
 #endif
     case SandboxType::kSoda:
       return false;
@@ -99,6 +101,9 @@ void SetCommandLineFlagsForSandboxType(base::CommandLine* command_line,
 #if defined(OS_CHROMEOS)
     case SandboxType::kIme:
 #endif  // defined(OS_CHROMEOS)
+#if !defined(OS_MACOSX)
+    case SandboxType::kSharingService:
+#endif
     case SandboxType::kSoda:
       DCHECK(command_line->GetSwitchValueASCII(switches::kProcessType) ==
              switches::kUtilityProcess);
@@ -175,6 +180,10 @@ std::string StringFromUtilitySandboxType(SandboxType sandbox_type) {
       return switches::kUtilitySandbox;
     case SandboxType::kAudio:
       return switches::kAudioSandbox;
+#if !defined(OS_MACOSX)
+    case SandboxType::kSharingService:
+      return switches::kSharingServiceSandbox;
+#endif
     case SandboxType::kSoda:
       return switches::kSodaSandbox;
 #if defined(OS_WIN)

services/service_manager/sandbox/sandbox_type.h

@@ -74,6 +74,11 @@ enum class SandboxType {
   kIme,
 #endif  // defined(OS_CHROMEOS)
 
+#if !defined(OS_MACOSX)
+  // Hosts WebRTC for Sharing Service, uses kUtility on OS_MACOSX.
+  kSharingService,
+#endif
+
   // The Speech On-Device API service process.
   kSoda,
 

services/service_manager/sandbox/switches.cc

@@ -28,6 +28,7 @@ const char kUtilitySandbox[] = "utility";
 const char kCdmSandbox[] = "cdm";
 const char kPrintCompositorSandbox[] = "print_compositor";
 const char kAudioSandbox[] = "audio";
+const char kSharingServiceSandbox[] = "sharing_service";
 const char kSodaSandbox[] = "soda";
 
 #if defined(OS_WIN)

services/service_manager/sandbox/switches.h

@@ -27,6 +27,7 @@ SERVICE_MANAGER_SANDBOX_EXPORT extern const char kUtilitySandbox[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kCdmSandbox[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kPrintCompositorSandbox[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kAudioSandbox[];
+SERVICE_MANAGER_SANDBOX_EXPORT extern const char kSharingServiceSandbox[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kSodaSandbox[];
 
 #if defined(OS_WIN)