Bug 1889932 p1: Set process ACL to the delayed integrity level in SetProcessIntegrityLevel. r=yjuglaret

This allows us to maintain the same access to our process when the integrity level on our access token is dropped. Differential Revision: https://phabricator.services.mozilla.com/D206784
2024-04-08 11:26:28 +00:00 · 2024-04-08 11:26:28 +00:00 · 64d690d144
commit 64d690d144
parent 96dfa038a5
3 changed files with 48 additions and 0 deletions
--- a/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
+++ b/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
@ -31,3 +31,4 @@ add_loongarch_defines.patch
 block_NtImpersonateAnonymousToken_before_LowerToken.patch
 fix_broker_alive_mutex.patch
 fix_max_syscalls_linux_aarch64.patch
+set_delayed_integrity_on_process_acl.patch
--- a/security/sandbox/chromium-shim/patches/with_update/set_delayed_integrity_on_process_acl.patch
+++ b/security/sandbox/chromium-shim/patches/with_update/set_delayed_integrity_on_process_acl.patch
@ -0,0 +1,39 @@
+# HG changeset patch
+# User Bob Owen <bobowencode@gmail.com>
+# Date 1709836178 0
+#      Thu Mar 07 18:29:38 2024 +0000
+# Node ID 2b9ab7e6c5a1630b497fe1543634cbaebdc395f8
+# Parent  f9c20c064d639a146ffa09ec832aee6dff44643d
+Bug 1889932 p1: Set process ACL to the delayed integrity level in LowerToken. r=yjuglaret!
+
+This allows us to maintain the same access to our process when the integrity
+level on our access token is dropped.
+
+Differential Revision: https://phabricator.services.mozilla.com/D206784
+
+diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+@@ -302,16 +302,22 @@ DWORD SetTokenIntegrityLevel(HANDLE toke
+ DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level) {
+   // We don't check for an invalid level here because we'll just let it
+   // fail on the SetTokenIntegrityLevel call later on.
+   if (integrity_level == INTEGRITY_LEVEL_LAST) {
+     // No mandatory level specified, we don't change it.
+     return ERROR_SUCCESS;
+   }
+ 
+  // Set integrity level for our process ACL, so we retain access to it.
+  // We ignore failures because this is not a security measure, but some
+  // functionality may fail later in the process.
+  SetObjectIntegrityLabel(::GetCurrentProcess(), SE_KERNEL_OBJECT, L"",
+                          GetIntegrityLevelString(integrity_level));
+
+   HANDLE token_handle;
+   if (!::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_DEFAULT,
+                           &token_handle))
+     return ::GetLastError();
+ 
+   base::win::ScopedHandle token(token_handle);
+ 
+   return SetTokenIntegrityLevel(token.Get(), integrity_level);
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
@ -307,6 +307,14 @@ DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level) {
    return ERROR_SUCCESS;
  }

+  // Set integrity level for our process ACL, so we retain access to it.
+  // We ignore failures because this is not a security measure, but some
+  // functionality may fail later in the process.
+  DWORD rv =
+      SetObjectIntegrityLabel(::GetCurrentProcess(), SE_KERNEL_OBJECT, L"",
+                              GetIntegrityLevelString(integrity_level));
+  DCHECK(rv == ERROR_SUCCESS);
+
  HANDLE token_handle;
  if (!::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_DEFAULT,
                          &token_handle))