Implement sandbox hooks to forward OPM related GDI system calls.

Implement sandbox hooks to forward OPM related GDI system calls.
This patch adds hooks to the Windows sandbox to forward Output Protection
Manager system calls to the browser process when running under Win32k
lockdown. This allows a locked down process to enable output protection when
playing back media.

Design Doc: https://docs.google.com/document/d/1cn8lpZiu0DQLovkbJSMmRlPyM0ETtjdsgvOOfR6jwJM/edit?usp=sharing

BUG=523278
CQ_INCLUDE_TRYBOTS=tryserver.chromium.win:win10_chromium_x64_rel_ng

Committed: https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609
Cr-Commit-Position: refs/heads/master@{#390051}

[Will Harris, 2016-04-05 03:49:01]

wfh@chromium.org changed reviewers:
+ wfh@chromium.org

[Will Harris, 2016-04-05 03:49:02]

many interceptions...

https://codereview.chromium.org/1856993003/diff/40001/sandbox/win/src/process...
File sandbox/win/src/process_mitigations_win32k_policy.cc (right):

https://codereview.chromium.org/1856993003/diff/40001/sandbox/win/src/process...
sandbox/win/src/process_mitigations_win32k_policy.cc:196: protected_output,
static_cast<DXGKMDT_OPM_RANDOM_NUMBER*>(random_number));
reinterpret_cast

[forshaw, 2016-04-06 14:14:33]

forshaw@chromium.org changed reviewers:
+ jschuh@chromium.org

[forshaw, 2016-04-06 14:14:35]

So I've made some changes, still many interceptions, not much I can really do
about that :( I've added more testing and a fake GDI/USER interface so it'll
work everywhere, not just on a real machine. So PTAL at the basic
structure/style etc. Guess this will need detailed security review regardless.

Also adding jschuh@ for info.

[Will Harris, 2016-04-08 16:59:25]

Description was changed from

==========
Implement sandbox hooks to forward OPM related GDI system calls.
This patch adds hooks to the Windows sandbox to forward Output Protection
Manager system calls to the browser process when running under Win32k
lockdown. This allows a locked down process to enable output protection when
playing back media.

BUG=523278
==========

to

==========
Implement sandbox hooks to forward OPM related GDI system calls.
This patch adds hooks to the Windows sandbox to forward Output Protection
Manager system calls to the browser process when running under Win32k
lockdown. This allows a locked down process to enable output protection when
playing back media.

BUG=523278
==========

[Will Harris, 2016-04-08 16:59:26]

wfh@chromium.org changed reviewers:
- jschuh@chromium.org

[Will Harris, 2016-04-08 17:00:19]

can you link the design doc in the bug or the cl?

[forshaw, 2016-04-08 17:26:12]

On 2016/04/08 17:00:19, Will Harris wrote:
> can you link the design doc in the bug or the cl?

Design document is here:
https://docs.google.com/document/d/1cn8lpZiu0DQLovkbJSMmRlPyM0ETtjdsgvOOfR6jw...

[forshaw, 2016-04-08 17:26:34]

Description was changed from

==========
Implement sandbox hooks to forward OPM related GDI system calls.
This patch adds hooks to the Windows sandbox to forward Output Protection
Manager system calls to the browser process when running under Win32k
lockdown. This allows a locked down process to enable output protection when
playing back media.

BUG=523278
==========

to

==========
Implement sandbox hooks to forward OPM related GDI system calls.
This patch adds hooks to the Windows sandbox to forward Output Protection
Manager system calls to the browser process when running under Win32k
lockdown. This allows a locked down process to enable output protection when
playing back media.

Design Doc:
https://docs.google.com/document/d/1cn8lpZiu0DQLovkbJSMmRlPyM0ETtjdsgvOOfR6jw...

BUG=523278
==========

[Will Harris, 2016-04-11 21:23:02]

looking good. in general we do the policy checks inside the interception before
sending the CrosCall IPC to check that the policy has the interception in place
- via QueryBroker.

c.f.
https://code.google.com/p/chromium/codesearch#chromium/src/sandbox/win/src/fi...

https://codereview.chromium.org/1856993003/diff/40001/sandbox/win/src/process...
File sandbox/win/src/process_mitigations_win32k_policy.cc (right):

https://codereview.chromium.org/1856993003/diff/40001/sandbox/win/src/process...
sandbox/win/src/process_mitigations_win32k_policy.cc:196: protected_output,
static_cast<DXGKMDT_OPM_RANDOM_NUMBER*>(random_number));
On 2016/04/05 03:49:02, Will Harris wrote:
> reinterpret_cast

actually static_cast here is fine.

[forshaw, 2016-04-11 21:44:36]

On 2016/04/11 21:23:02, Will Harris wrote:
> looking good. in general we do the policy checks inside the interception
before
> sending the CrosCall IPC to check that the policy has the interception in
place
> - via QueryBroker.
> 
> c.f.
>
https://code.google.com/p/chromium/codesearch#chromium/src/sandbox/win/src/fi...

The policy ensures that only if we want to implement the OPM apis do the EAT
hooks get enabled, so in theory if our hooks are being called we already know
that the policy has enabled us. Due to the way that the policy is structured
it's tricky to selectively enable the IPC side of things so at the current time
we always enable the IPC dispatchers and check at the start of the call whether
the OPM emulation policy is enabled. Certainly this is atypical to other
policies but this is either on or off, there's little change we'd need any
flexible policy such as checking for certain paths, the APIs are not that
clever.

[Will Harris, 2016-04-26 17:17:13]

lgtm

[Will Harris, 2016-04-26 17:18:26]

https://codereview.chromium.org/1856993003/diff/160001/content/browser/ppapi_...
File content/browser/ppapi_plugin_process_host.cc (right):

https://codereview.chromium.org/1856993003/diff/160001/content/browser/ppapi_...
content/browser/ppapi_plugin_process_host.cc:100: if
(!AddWin32kLockdownPolicy(policy, true))
might want to pull this into a separate CL, i.e. have this 'false' for now, then
it's easily revertable, and also you can commit this one now as you have all
approvals.

[forshaw, 2016-04-26 17:38:04]

The CQ bit was checked by forshaw@chromium.org

[forshaw, 2016-04-26 17:38:04]

The patchset sent to the CQ was uploaded after l-g-t-m from wfh@chromium.org
Link to the patchset: https://codereview.chromium.org/1856993003/#ps180001
(title: "Removed content changes")

[commit-bot: I haz the power, 2016-04-26 17:38:19]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1856993003/180001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1856993003/180001

[Will Harris, 2016-04-26 18:29:22]

Description was changed from

==========
Implement sandbox hooks to forward OPM related GDI system calls.
This patch adds hooks to the Windows sandbox to forward Output Protection
Manager system calls to the browser process when running under Win32k
lockdown. This allows a locked down process to enable output protection when
playing back media.

Design Doc:
https://docs.google.com/document/d/1cn8lpZiu0DQLovkbJSMmRlPyM0ETtjdsgvOOfR6jw...

BUG=523278
==========

to

==========
Implement sandbox hooks to forward OPM related GDI system calls.
This patch adds hooks to the Windows sandbox to forward Output Protection
Manager system calls to the browser process when running under Win32k
lockdown. This allows a locked down process to enable output protection when
playing back media.

Design Doc:
https://docs.google.com/document/d/1cn8lpZiu0DQLovkbJSMmRlPyM0ETtjdsgvOOfR6jw...

BUG=523278
CQ_INCLUDE_TRYBOTS=tryserver.chromium.win:win10_chromium_x64_rel_ng
==========

[commit-bot: I haz the power, 2016-04-26 21:42:07]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-04-26 21:42:09]

Try jobs failed on following builders:
  win10_chromium_x64_rel_ng on tryserver.chromium.win (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.win/builders/win10_chromium_x6...)

[forshaw, 2016-04-27 05:07:14]

The CQ bit was checked by forshaw@chromium.org

[commit-bot: I haz the power, 2016-04-27 05:07:26]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1856993003/180001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1856993003/180001

[commit-bot: I haz the power, 2016-04-27 06:46:19]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-04-27 06:46:20]

Try jobs failed on following builders:
  win10_chromium_x64_rel_ng on tryserver.chromium.win (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.win/builders/win10_chromium_x6...)

[forshaw, 2016-04-27 11:07:33]

The CQ bit was checked by forshaw@chromium.org

[forshaw, 2016-04-27 11:07:34]

The patchset sent to the CQ was uploaded after l-g-t-m from wfh@chromium.org
Link to the patchset: https://codereview.chromium.org/1856993003/#ps200001
(title: "Removed header")

[commit-bot: I haz the power, 2016-04-27 11:07:53]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1856993003/200001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1856993003/200001

[commit-bot: I haz the power, 2016-04-27 12:34:24]

Description was changed from

==========
Implement sandbox hooks to forward OPM related GDI system calls.
This patch adds hooks to the Windows sandbox to forward Output Protection
Manager system calls to the browser process when running under Win32k
lockdown. This allows a locked down process to enable output protection when
playing back media.

Design Doc:
https://docs.google.com/document/d/1cn8lpZiu0DQLovkbJSMmRlPyM0ETtjdsgvOOfR6jw...

BUG=523278
CQ_INCLUDE_TRYBOTS=tryserver.chromium.win:win10_chromium_x64_rel_ng
==========

to

==========
Implement sandbox hooks to forward OPM related GDI system calls.
This patch adds hooks to the Windows sandbox to forward Output Protection
Manager system calls to the browser process when running under Win32k
lockdown. This allows a locked down process to enable output protection when
playing back media.

Design Doc:
https://docs.google.com/document/d/1cn8lpZiu0DQLovkbJSMmRlPyM0ETtjdsgvOOfR6jw...

BUG=523278
CQ_INCLUDE_TRYBOTS=tryserver.chromium.win:win10_chromium_x64_rel_ng
==========

[commit-bot: I haz the power, 2016-04-27 12:34:25]

Committed patchset #11 (id:200001)

[commit-bot: I haz the power, 2016-04-27 12:35:57]

Description was changed from

==========
Implement sandbox hooks to forward OPM related GDI system calls.
This patch adds hooks to the Windows sandbox to forward Output Protection
Manager system calls to the browser process when running under Win32k
lockdown. This allows a locked down process to enable output protection when
playing back media.

Design Doc:
https://docs.google.com/document/d/1cn8lpZiu0DQLovkbJSMmRlPyM0ETtjdsgvOOfR6jw...

BUG=523278
CQ_INCLUDE_TRYBOTS=tryserver.chromium.win:win10_chromium_x64_rel_ng
==========

to

==========
Implement sandbox hooks to forward OPM related GDI system calls.
This patch adds hooks to the Windows sandbox to forward Output Protection
Manager system calls to the browser process when running under Win32k
lockdown. This allows a locked down process to enable output protection when
playing back media.

Design Doc:
https://docs.google.com/document/d/1cn8lpZiu0DQLovkbJSMmRlPyM0ETtjdsgvOOfR6jw...

BUG=523278
CQ_INCLUDE_TRYBOTS=tryserver.chromium.win:win10_chromium_x64_rel_ng

Committed: https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609
Cr-Commit-Position: refs/heads/master@{#390051}
==========

[commit-bot: I haz the power, 2016-04-27 12:35:58]

Patchset 11 (id:??) landed as
https://crrev.com/5ef755bb1a9e77e296b46a08e4cb61078e769609
Cr-Commit-Position: refs/heads/master@{#390051}