Create a flag for allowing third party module injection.

This creates the "allow-third-party-modules" flag, and plumbs it into the sandbox to disable the BINARY_SIGNATURE process mitigation when specified. It also adds this flag to the list of bad flags. In the future this CL will also be integrated with the third party blocking logic in chrome_elf. BUG=757454 Change-Id: I38199c295d4957795ff9c1302889115af5a8222a Reviewed-on: https://chromium-review.googlesource.com/751298Reviewed-by: Penny MacNeil <pennymac@chromium.org> Reviewed-by: Scott Violet <sky@chromium.org> Commit-Queue: Chris Hamilton <chrisha@chromium.org> Cr-Commit-Position: refs/heads/master@{#515400}

Create a flag for allowing third party module injection.
This creates the "allow-third-party-modules" flag, and plumbs it into the sandbox to disable the BINARY_SIGNATURE process mitigation when specified. It also adds this flag to the list of bad flags. In the future this CL will also be integrated with the third party blocking logic in chrome_elf. BUG=757454 Change-Id: I38199c295d4957795ff9c1302889115af5a8222a Reviewed-on: https://chromium-review.googlesource.com/751298Reviewed-by: Penny MacNeil <pennymac@chromium.org> Reviewed-by: Scott Violet <sky@chromium.org> Commit-Queue: Chris Hamilton <chrisha@chromium.org> Cr-Commit-Position: refs/heads/master@{#515400}
63be0473 · Chris Hamilton · Commit Bot · 211309f1 · 63be0473 · 63be0473
Commit 63be0473 authored Nov 10, 2017 by Chris Hamilton Committed by Commit Bot Nov 10, 2017
4 changed files
--- a/chrome/browser/ui/startup/bad_flags_prompt.cc
+++ b/chrome/browser/ui/startup/bad_flags_prompt.cc
@@ -91,6 +91,9 @@ void ShowBadFlagsPrompt(Browser* browser) {
    service_manager::switches::kDisableGpuSandbox,
    service_manager::switches::kDisableSeccompFilterSandbox,
    service_manager::switches::kDisableSetuidSandbox,
+#if defined(OS_WIN)
+    service_manager::switches::kAllowThirdPartyModules,
+#endif
    switches::kDisableWebSecurity,
 #if BUILDFLAG(ENABLE_NACL)
    switches::kNaClDangerousNoSandboxNonSfi,

--- a/services/service_manager/sandbox/switches.cc
+++ b/services/service_manager/sandbox/switches.cc
@@ -65,6 +65,12 @@ const char kGpuSandboxAllowSysVShm[] = "gpu-sandbox-allow-sysv-shm";
 // Makes GPU sandbox failures fatal.
 const char kGpuSandboxFailuresFatal[] = "gpu-sandbox-failures-fatal";
+#if defined(OS_WIN)
+// Allows third party modules to inject by disabling the BINARY_SIGNATURE
+// mitigation policy on Win10+. Also has other effects in ELF.
+const char kAllowThirdPartyModules[] = "allow-third-party-modules";
+#endif
 // Flags spied upon from other layers.
 const char kGpuProcess[] = "gpu-process";
 const char kPpapiBrokerProcess[] = "ppapi-broker";

--- a/services/service_manager/sandbox/switches.h
+++ b/services/service_manager/sandbox/switches.h
@@ -40,6 +40,9 @@ SERVICE_MANAGER_SANDBOX_EXPORT extern const char kDisableWin32kLockDown[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kEnableAppContainer[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kGpuSandboxAllowSysVShm[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kGpuSandboxFailuresFatal[];
+#if defined(OS_WIN)
+SERVICE_MANAGER_SANDBOX_EXPORT extern const char kAllowThirdPartyModules[];
+#endif
 // Flags spied upon from other layers.
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kGpuProcess[];

--- a/services/service_manager/sandbox/win/sandbox_win.cc
+++ b/services/service_manager/sandbox/win/sandbox_win.cc
@@ -760,7 +760,8 @@ sandbox::ResultCode SandboxWin::StartSandboxedProcess(
  mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
                sandbox::MITIGATION_DLL_SEARCH_ORDER;
  if (base::FeatureList::IsEnabled(
-          service_manager::features::kWinSboxForceMsSigned)) {
+          service_manager::features::kWinSboxForceMsSigned) &&
+      !cmd_line->HasSwitch(switches::kAllowThirdPartyModules)) {
    mitigations |= sandbox::MITIGATION_FORCE_MS_SIGNED_BINS;
  }
  result = policy->SetDelayedProcessMitigations(mitigations);