Chromium Sandbox Source Code Introduction (3)
This part covers the sandbox's environment variable policy [Environment]:
I. Environment variables:
The GetEnvironmentStrings function returns a pointer to a memory block containing the environment variables of the calling process (both system and user environment variables).
GetEnvironmentStrings function (processenv.h) - Win32 apps | Microsoft Learn
For a usage example see: Changing Environment Variables - Win32 apps | Microsoft Learn
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <strsafe.h>

#define BUFSIZE 4096

int _tmain()
{
    TCHAR chNewEnv[BUFSIZE];
    LPTSTR lpszCurrentVariable;
    DWORD dwFlags = 0;
    TCHAR szAppName[] = TEXT("ex3.exe");
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    BOOL fSuccess;

    // Copy environment strings into an environment block.
    // Each entry is "NAME=value" followed by a NULL character.
    lpszCurrentVariable = (LPTSTR) chNewEnv;
    if (FAILED(StringCchCopy(lpszCurrentVariable, BUFSIZE, TEXT("MySetting=A"))))
    {
        printf("String copy failed\n");
        return FALSE;
    }

    // Advance past the entry and its terminator; only the remaining
    // space in chNewEnv may be used for the next copy.
    lpszCurrentVariable += lstrlen(lpszCurrentVariable) + 1;
    if (FAILED(StringCchCopy(lpszCurrentVariable,
                             BUFSIZE - (lpszCurrentVariable - chNewEnv),
                             TEXT("MyVersion=2"))))
    {
        printf("String copy failed\n");
        return FALSE;
    }

    // Terminate the block with a second NULL character.
    lpszCurrentVariable += lstrlen(lpszCurrentVariable) + 1;
    *lpszCurrentVariable = (TCHAR)0;

    // Create the child process, specifying a new environment block.
    SecureZeroMemory(&si, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO);

#ifdef UNICODE
    // A wide-character block must be announced to CreateProcess.
    dwFlags = CREATE_UNICODE_ENVIRONMENT;
#endif

    fSuccess = CreateProcess(szAppName, NULL, NULL, NULL, TRUE, dwFlags,
                             (LPVOID) chNewEnv,   // new environment block
                             NULL, &si, &pi);
    if (!fSuccess)
    {
        printf("CreateProcess failed (%d)\n", GetLastError());
        return FALSE;
    }
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return TRUE;
}
II. Implementation of the environment variable control policy:
sandbox\win\src\target_process.cc
When the broker creates the target process, it restricts the process so that only a fixed allow-list of environment variables from the broker's environment reaches it:
  if (startup_info_helper->IsEnvironmentFiltered()) {
    wchar_t* old_environment = ::GetEnvironmentStringsW();
    if (!old_environment) {
      return SBOX_ERROR_CANNOT_OBTAIN_ENVIRONMENT;
    }
    // Only copy a limited list of variables to the target from the broker's
    // environment. These are
    // * "Path", "SystemDrive", "SystemRoot", "TEMP", "TMP": Needed for normal
    //   operation and tests.
    // * "LOCALAPPDATA": Needed for App Container processes.
    // * "CHROME_CRASHPAD_PIPE_NAME": Needed for crashpad.
    static constexpr std::wstring_view to_keep[] = {
        L"Path",         L"SystemDrive", L"SystemRoot", L"TEMP", L"TMP",
        L"LOCALAPPDATA", L"CHROME_CRASHPAD_PIPE_NAME"};
    new_env = FilterEnvironment(old_environment, to_keep);
    ::FreeEnvironmentStringsW(old_environment);
  }

  bool inherit_handles = startup_info_helper->ShouldInheritHandles();
  PROCESS_INFORMATION temp_process_info = {};
  if (!::CreateProcessAsUserW(lockdown_token_.get(), exe_path, cmd_line.get(),
                              nullptr,  // No security attribute.
                              nullptr,  // No thread attribute.
                              inherit_handles, flags,
                              new_env.empty() ? nullptr : std::data(new_env),
                              nullptr,  // Use current directory of the caller.
                              startup_info->startup_info(),
                              &temp_process_info)) {
    *win_error = ::GetLastError();
    return SBOX_ERROR_CREATE_PROCESS;
  }
  bas
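To make the filtering step concrete, here is an added stand-alone C++ reimplementation of the allow-list filter (my own code for this article, not Chromium's FilterEnvironment): it walks a Windows-style double-null-terminated block, keeps only entries whose name matches the allow-list case-insensitively, and returns a new block in the shape CreateProcessAsUserW expects. It needs no Windows headers, and the input block is constructed for illustration.

```cpp
#include <cwchar>
#include <cwctype>
#include <string>
#include <string_view>
#include <vector>

// Windows environment variable names are case-insensitive ("Path" and
// "PATH" name the same variable), so compare names that way.
static bool EqualsIgnoreCase(std::wstring_view a, std::wstring_view b) {
  if (a.size() != b.size()) return false;
  for (size_t i = 0; i < a.size(); ++i)
    if (std::towupper(a[i]) != std::towupper(b[i])) return false;
  return true;
}

// Split a block of the form "NAME=value\0NAME=value\0\0" into its entries.
std::vector<std::wstring> SplitBlock(const wchar_t* block) {
  std::vector<std::wstring> entries;
  for (const wchar_t* p = block; *p != L'\0'; p += std::wcslen(p) + 1)
    entries.emplace_back(p);
  return entries;
}

// Build a new block that keeps only entries whose NAME is on the allow-list.
// Order is preserved, so a sorted input (as GetEnvironmentStringsW returns)
// stays sorted, which CreateProcess expects. The result ends with the extra
// L'\0' that terminates a block; pass .data() (or nullptr if empty) to
// CreateProcessAsUserW together with CREATE_UNICODE_ENVIRONMENT.
std::wstring FilterEnvironment(const wchar_t* old_env,
                               const std::vector<std::wstring_view>& to_keep) {
  std::wstring new_env;
  for (const std::wstring& entry : SplitBlock(old_env)) {
    // Hidden entries such as "=C:=C:\\dir" start with '=', so look for the
    // separator from index 1 to avoid treating them as an empty name.
    size_t eq = entry.find(L'=', 1);
    if (eq == std::wstring::npos) continue;
    std::wstring_view name(entry.data(), eq);
    for (std::wstring_view keep : to_keep) {
      if (EqualsIgnoreCase(name, keep)) {
        new_env.append(entry);
        new_env.push_back(L'\0');  // entry terminator
        break;
      }
    }
  }
  new_env.push_back(L'\0');  // block terminator
  return new_env;
}
```

Anything not on the list, for example a token the broker holds in its own environment, never reaches the sandboxed child, which is the point of the policy.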
III. Screenshots of the environment variables of the browser's processes:
1. Main (browser) process environment variables:
2. GPU process environment variables:
3. Network process environment variables:
4. Storage service process environment variables:
5. Spare renderer process, restricted by the sandbox environment variable policy:
Only the restricted set, "Path", "SystemDrive", "SystemRoot", "TEMP", "TMP", etc., is present.
6. New Tab process, restricted by the sandbox environment variable policy:
Only the restricted set, "Path", "SystemDrive", "SystemRoot", "TEMP", "TMP", etc., is present.
7. Subframe process, restricted by the sandbox environment variable policy:
Only the restricted set, "Path", "SystemDrive", "SystemRoot", "TEMP", "TMP", etc., is present.