Closed qoijjj closed 3 months ago
disable: OptimizationHintsFetchingAnonymousDataConsent
shouldn't be needed since OptimizationHintsFetching is disabled
"DefaultGeolocationSetting": 2,
shouldn't be needed since the default is already to ask
"AccessibilityImageLabelsEnabled": false,
defaults to false:
"WebRtcEventLogCollectionAllowed": false,
defaults to false:
"ImportSavedPasswords": false,
https://admx.help/?Category=Chrome&Policy=Google.Policies.Chrome::ImportSavedPasswords
"DefaultInsecureContentSetting": 2,
mixed content is blocked by default:
"RemoteDebuggingAllowed": false,
Only relevant for headless, which we don't build: https://source.chromium.org/chromium/chromium/src/+/main:headless/lib/browser/headless_browser_impl.cc;l=343?q=IsRemoteDebuggingAllowed%20lang:cc&ss=chromium%2Fchromium%2Fsrc
Also, only relevant if the user deliberately enables it:
https://admx.help/?Category=Chrome&Policy=Google.Policies.Chrome::RemoteDebuggingAllowed
"SafeSitesFilterBehavior": 0,
Defaults to 0: https://admx.help/?Category=Chrome&Policy=Google.Policies.Chrome::SafeSitesFilterBehavior
"SpellCheckServiceEnabled": false,
disabled by default:
"UrlKeyedAnonymizedDataCollectionEnabled": false,
Contrary to the policy description, this appears to be disabled by default:
"MediaRecommendationsEnabled": false,
policy was removed
"CloudPrintSubmitEnabled": false,
deprecated
Don't want to open a new issue since this is relevant here. I'm not sure if NetworkServiceSandboxEnabled is true by default. I've attached some screenshots to show what I mean. This is the policy absent (process ID check using checksec):
This is the policy enabled:
Both following the Network service process. There does not appear to be Seccomp enabled when there is no policy. When it is enabled, there is also another process spawned under the Network service labeled type "broker":
Similarly, it is absent when the policy isn't set to enabled. Not sure why this is, really strange behavior but I tested it on Windows as well with the same results. :/
On topic, SpellCheckServiceEnabled and AccessibilityImageLabelsEnabled might also not be disabled by default, since the policy has an unset clause defined for both. WebRtcEventLogCollectionAllowed might be in a similar boat but I can't make any sense of what the default value should be or is.
Don't want to open a new issue since this is relevant here. I'm not sure if NetworkServiceSandboxEnabled is true by default. I've attached some screenshots to show what I mean. This is the policy absent (process ID check using
very strange. if this is the case then I'll need to dig through the code more
On topic, SpellCheckServiceEnabled and AccessibilityImageLabelsEnabled might also not be disabled by default, since the policy has an unset clause defined for both. WebRtcEventLogCollectionAllowed might be in a similar boat but I can't make any sense of what the default value should be or is.
Generally I recommend ignoring the policy descriptions as they are sometimes inaccurate. I recommend looking at what the code says and does instead.
@RKNF404 The only reason I can see from the code why the network sandbox would be disabled is if you left the policy in place but with a non-true value:
https://chromium-review.googlesource.com/c/chromium/src/+/4702341
If this policy is not set, the default configuration for the network sandbox will be used. This may vary depending on Google Chrome release, currently running field trials, and platform.
@RKNF404 are you running secureblue? what policies and chromium.conf are you running?
Generally I recommend ignoring the policy descriptions as they are sometimes inaccurate. I recommend looking at what the code says and does instead.
I definitely double check with code definitions, but it's hard to definitively say sometimes. Better safe than sorry, no harm done if there is room for doubt. But that's my mentality. There are cases where features are disabled (or enabled) and they do not coincide with the browser's behavior, especially code-defined defaults.
The only reason I can see from the code why the network sandbox would be disabled is if you left the policy in place but with a non-true value:
I expressly did not disable it, just removed it.
are you running secureblue? what policies and chromium.conf are you running?
I'm on Workstation, running my own conf file. The feature to toggle the sandbox is not used either. I do publish my policies and flags if you want me to link it. But, I don't think what I do makes a difference.
I definitely double check with code definitions, but it's hard to definitively say sometimes. Better safe than sorry, no harm done if there is room for doubt. But that's my mentality. There are cases where features are disabled (or enabled) and they do not coincide with the browser's behavior, especially code-defined defaults.
Agreed, we should test thoroughly.
I'm on Workstation, running my own conf file. The feature to toggle the sandbox is not used either. I do publish my policies and flags if you want me to link it. But, I don't think what I do makes a difference.
The only reason I asked is cause the policy mentions field trials, which you might have enabled/disabled.
I will test these more once the build completes.
I will test these more once the build completes.
I tested it on just chromium from Fedora, so you can test it that way short term, since it is the basis.
The only reason I asked is cause the policy mentions field trials, which you might have enabled/disabled.
The wording there seems very broad to be fair, I think they just mean using variations to enable it on like 1% of system or something. But yeah, I don't think I mess with any policies or flags that would tinker with it. I guess the ChromeVariations policy? Maybe?
accidentally edited instead of responding
you can test it that way short term, since it is the basis.
yep i will
I guess the ChromeVariations policy? Maybe?
yeah i'm not sure. just spitballing
@RKNF404 I think I found a potential cause of the discrepancy you're seeing. I just ran checksec against two different chromium processes for the same chromium instance with the network sandbox enabled, and one showed No Seccomp, while the other showed Seccomp-bpf.
So it might be that the network change was not the cause of the difference in seccomp results, and the results are a red herring.
if you run checksec --proc-all you'll see that some chromium processes show seccomp, others don't, regardless of network sandbox policy.
@RKNF404 actually wait, you said you filtered on Network Service, I missed that.
let me try that
5408 /usr/lib64/chromium-browser/chromium-browser --type=utility --utility-sub-type=network.mojom.NetworkService
# checksec --proc=5408
COMMAND PID RELRO STACK CANARY SECCOMP NX/PaX PIE FORTIFY
chromium-browse 5408 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
Nope, I'm seeing No Seccomp for the NetworkService process with the policy enabled @RKNF404
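The check the two of us keep doing by hand (find the network service PID, run checksec, read the SECCOMP column) can be scripted. The following is an added example, not code from the thread or from secureblue: it reads the Seccomp field of /proc/<pid>/status, which is the same field checksec's SECCOMP column is derived from (0 = disabled, 1 = strict, 2 = filter/seccomp-bpf, per proc(5)), and selects the network service by the --utility-sub-type=network.mojom.NetworkService argument visible in the process command line above. The sample /proc tree it builds for the offline demo is constructed; the PIDs 5408 and 5417 are reused from the checksec output quoted in this thread only as labels.

```shell
#!/bin/sh
# Added example (not from the thread): report the seccomp mode of Chromium's
# network service process from /proc, the field behind checksec's SECCOMP column.
# Seccomp modes per proc(5): 0 = disabled, 1 = strict, 2 = filter (seccomp-bpf).

# seccomp_label <status-file>: map the "Seccomp:" field of a /proc/<pid>/status
# file to checksec-style wording. Prints "unknown" if the field is absent.
seccomp_label() {
    mode=$(awk '/^Seccomp:/ { print $2 }' "$1")
    case "$mode" in
        0) echo "No Seccomp" ;;
        1) echo "Seccomp strict" ;;
        2) echo "Seccomp-bpf" ;;
        *) echo "unknown" ;;
    esac
}

# is_network_service <cmdline-file>: succeeds if the NUL-separated cmdline carries
# the utility sub-type Chromium gives its network service process.
is_network_service() {
    tr '\0' '\n' < "$1" | grep -qxF -- '--utility-sub-type=network.mojom.NetworkService'
}

# report_proc <proc-root>: walk every numeric entry under <proc-root> (normally
# /proc), print "<pid> <seccomp label>" for each network service found, and
# return 1 if none was found.
report_proc() {
    root=$1
    found=1
    for d in "$root"/[0-9]*; do
        [ -r "$d/cmdline" ] && [ -r "$d/status" ] || continue
        is_network_service "$d/cmdline" || continue
        found=0
        echo "$(basename "$d") $(seccomp_label "$d/status")"
    done
    return $found
}

# make_sample_proc: constructed stand-in for /proc so the script runs offline.
# pid 5408: network service, Seccomp 0 (the result quoted in the thread);
# pid 5417: network service with a filter installed; pid 6000: a renderer.
make_sample_proc() {
    dir=$(mktemp -d)
    for spec in "5408:network.mojom.NetworkService:0" \
                "5417:network.mojom.NetworkService:2" \
                "6000:renderer:2"; do
        pid=${spec%%:*}; rest=${spec#*:}; sub=${rest%%:*}; mode=${rest#*:}
        mkdir -p "$dir/$pid"
        if [ "$sub" = renderer ]; then
            printf 'chromium\0--type=renderer\0' > "$dir/$pid/cmdline"
        else
            printf 'chromium\0--type=utility\0--utility-sub-type=%s\0' "$sub" > "$dir/$pid/cmdline"
        fi
        printf 'Name:\tchromium\nPid:\t%s\nSeccomp:\t%s\n' "$pid" "$mode" > "$dir/$pid/status"
    done
    echo "$dir"
}

# Usage: "sh seccomp-check.sh --demo" runs against the constructed tree;
# with no argument it scans the live /proc for a running Chromium.
if [ "${1:-}" = "--demo" ]; then
    report_proc "$(make_sample_proc)"
elif [ -d /proc/self ]; then
    report_proc /proc || echo "no network service process found"
fi
```

The live scan needs read access to the target process's /proc entries, so run it as the same user Chromium runs as (or as root). A process that reports mode 2 here is the same one checksec prints as Seccomp-bpf; mode 0 is its "No Seccomp".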
interesting. it looks like field trials of the network service sandbox only started this year for windows:
https://chromium-review.googlesource.com/c/chromium/src/+/5260025
hmm, but this config is already present:
"NetworkServiceSandboxLinuxAndChromeOS": [
{
"platforms": [
"linux",
"chromeos",
"chromeos_lacros"
],
"experiments": [
{
"name": "EnabledWithMitigation",
"enable_features": [
"NetworkServiceFileAllowlist",
"NetworkServiceSandbox",
"NetworkServiceSyscallFilter"
],
"disable_features": [
"kForceDisableSpectreVariant2MitigationInNetworkService"
]
}
]
}
],
@RKNF404 I think I found it. It's disabled by default contrary to the other code:
To double check, I tried with both suid and namespace sandboxing, both with the NetworkServiceSandboxEnabled policy set to true, both showing the following for the network.mojom.NetworkService
* Does the CPU support NX: Yes
COMMAND PID RELRO STACK CANARY SECCOMP NX/PaX PIE FORTIFY
chromium-browse 5417 Full RELRO Canary found No Seccomp NX enabled PIE enabled Yes
@RKNF404 can you double check your findings?
Nope, I'm seeing No Seccomp for the NetworkService process with the policy enabled
Huh... strange. On the vanilla Fedora build? Did you try enabling the sandboxing features? Like NetworkServiceSyscallFilter? Without enabling NetworkServiceSandbox?
can you double check your findings?
Was typing the above response as you replied, I can try again. I did test a few times before initially raising this to make sure I wasn't crazy.
Huh... strange. On the vanilla Fedora build? Did you try enabling the sandboxing features? Like NetworkServiceSyscallFilter? Without enabling NetworkServiceSandbox?
This is the vanilla fedora build with secureblue policies and config
NetworkServiceSyscallFilter: is this a policy?
it's enabled by default regardless: https://source.chromium.org/chromium/chromium/src/+/main:sandbox/policy/features.cc;l=31?q=NetworkServiceSandbox%20lang:cc
@qoijjj It's a feature, it's just a test to see if it is being enabled but seccomp itself isn't, or the policy isn't enabling the sandbox at all.
@qoijjj It's a feature, it's just a test to see if it is being enabled but seccomp itself isn't, or the policy isn't enabling the sandbox at all.
I see, so you're passing it in --enable-features?
I see, so you're passing it in --enable-features?
I am not, I'm interested what would happen if you did.
Anyway, just tested with JUST the policy enabled, removed all of my flags and policies. Still the same. I forgot to record checksec results but seccomp is enabled in the case where the policy is enabled: Here it is not included at all:
@RKNF404 how are you verifying the seccomp state is the same without checksec? or you used it but just didn't record it?
also @RKNF404 are you on discord? would be easier :smile:
Used, didn't record. Sorry. I retook one screenshot with the PID and realized after I forgot to record.
I am, yeah. Better there than bloating an issue with comments.
@RKNF404 message me in #dev, I don't know what your username is
There's a discord server? If so, I was not aware tbh
@RKNF404 confirmed in code, spellcheck service is disabled by default:
@qoijjj Looks like it. Similar with WebRtcEventLogCollectionAllowed. https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/ui/browser_ui_prefs.cc;l=108 Couldn't find anything to say otherwise. You were right.
me neither. with sync though I did more digging into the logic, and it's more nuanced. It looks like sync might be enabled by default according to this function:
I'm gonna invert the logic and make it return true only if "--enable-sync" is explicitly passed
Cool. Not sure if sync is enabled by default, just allowed. Still, disabling it with explicit opt-in seems like a good idea.
Side note, I'll also add clarification for the SafeSitesFilterBehavior policy as to whether it is enabled by default or not. For verity's sake, it is not: https://source.chromium.org/chromium/chromium/src/+/main:components/policy/core/browser/url_blocklist_manager.cc;l=376 Thought it would be nice to have the code to back it, to avoid doubt.
disable: OptimizationHints
shouldn't be needed, since OptimizationHintsFetching is disabled already