secureblue / hardened-chromium

A hardened chromium for desktop Linux inspired by Vanadium.
GNU General Public License v2.0

redundant or unnecessary config #2

Closed qoijjj closed 3 months ago

qoijjj commented 3 months ago

disable: OptimizationHints

shouldn't be needed, since OptimizationHintsFetching is disabled already

qoijjj commented 3 months ago

disable: OptimizationHintsFetchingAnonymousDataConsent

shouldn't be needed since OptimizationHintsFetching is disabled

qoijjj commented 3 months ago
"DefaultGeolocationSetting": 2,

shouldn't be needed since the default is already to ask

qoijjj commented 3 months ago
"AccessibilityImageLabelsEnabled": false,

defaults to false:

https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/accessibility/accessibility_labels_service.cc;l=148?q=AccessibilityImageLabelsEnabled%20lang:cc&ss=chromium%2Fchromium%2Fsrc

qoijjj commented 3 months ago

"WebRtcEventLogCollectionAllowed": false,

defaults to false:

https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/ui/browser_ui_prefs.cc;l=108?q=WebRtcEventLogCollectionAllowed%20browser_ui_prefs&ss=chromium%2Fchromium%2Fsrc

qoijjj commented 3 months ago

"ImportSavedPasswords": false,

https://admx.help/?Category=Chrome&Policy=Google.Policies.Chrome::ImportSavedPasswords

qoijjj commented 3 months ago

"DefaultInsecureContentSetting": 2,

mixed content is blocked by default:

https://source.chromium.org/chromium/chromium/src/+/main:chrome/app/settings_strings.grdp;l=3462?q=IDS_SETTINGS_SITE_SETTINGS_INSECURE_CONTENT_BLOCK&ss=chromium%2Fchromium%2Fsrc

qoijjj commented 3 months ago

"RemoteDebuggingAllowed": false,

Only relevant for headless, which we don't build: https://source.chromium.org/chromium/chromium/src/+/main:headless/lib/browser/headless_browser_impl.cc;l=343?q=IsRemoteDebuggingAllowed%20lang:cc&ss=chromium%2Fchromium%2Fsrc

Also, only relevant if the user deliberately enables it:

https://admx.help/?Category=Chrome&Policy=Google.Policies.Chrome::RemoteDebuggingAllowed

qoijjj commented 3 months ago

"SafeSitesFilterBehavior": 0,

Defaults to 0: https://admx.help/?Category=Chrome&Policy=Google.Policies.Chrome::SafeSitesFilterBehavior

qoijjj commented 3 months ago

"SpellCheckServiceEnabled": false,

disabled by default:

https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/spellchecker/spellcheck_factory.cc;l=66?q=spellcheck::prefs::kSpellCheckUseSpellingService%20lang:cc&ss=chromium%2Fchromium%2Fsrc

qoijjj commented 3 months ago

"UrlKeyedAnonymizedDataCollectionEnabled": false,

Contrary to the policy description, this appears to be disabled by default:


https://source.chromium.org/chromium/chromium/src/+/main:components/unified_consent/unified_consent_service.cc;l=187?q=setUrlKeyedAnonymizedDataCollectionEnabled%20lang:cc

qoijjj commented 3 months ago

"MediaRecommendationsEnabled": false,

policy was removed

https://source.chromium.org/chromium/chromium/src/+/main:components/policy/test/data/pref_mapping/MediaRecommendationsEnabled.json;l=3;bpv=1;bpt=0

qoijjj commented 3 months ago

"CloudPrintSubmitEnabled": false,

deprecated


RKNF404 commented 3 months ago

Don't want to open a new issue since this is relevant here. I'm not sure if NetworkServiceSandboxEnabled is true by default. I've attached some screenshots to show what I mean. This is the policy absent (process ID check using checksec): [screenshot] This is the policy enabled: [screenshot] Both following the Network service process. There does not appear to be Seccomp enabled when there is no policy. When it is enabled, there is also another process spawned under the Network service labeled type "broker": [screenshot] Similarly, it is absent when the policy isn't set to enabled. Not sure why this is, really strange behavior, but I tested it on Windows as well with the same results. :/

RKNF404 commented 3 months ago

On topic, SpellCheckServiceEnabled and AccessibilityImageLabelsEnabled might also not be disabled by default, since the policy has an unset clause defined for both. WebRtcEventLogCollectionAllowed might be in a similar boat but I can't make any sense of what the default value should be or is.

qoijjj commented 3 months ago

Don't want to open a new issue since this is relevant here. I'm not sure if NetworkServiceSandboxEnabled is true by default. I've attached some screenshots to show what I mean. This is the policy absent (process ID check using

very strange. if this is the case then I'll need to dig through the code more

qoijjj commented 3 months ago

On topic, SpellCheckServiceEnabled and AccessibilityImageLabelsEnabled might also not be disabled by default, since the policy has an unset clause defined for both. WebRtcEventLogCollectionAllowed might be in a similar boat but I can't make any sense of what the default value should be or is.

Generally I recommend ignoring the policy descriptions as they are sometimes inaccurate. I recommend looking at what the code says and does instead.

qoijjj commented 3 months ago

@RKNF404 The only reason I can see from the code why the network sandbox would be disabled is if you left the policy in place but with a non-true value:

https://chromium-review.googlesource.com/c/chromium/src/+/4702341

qoijjj commented 3 months ago

If this policy is not set, the default configuration for the network sandbox will be used. This may vary depending on Google Chrome release, currently running field trials, and platform.

@RKNF404 are you running secureblue? what policies and chromium.conf are you running?

RKNF404 commented 3 months ago

Generally I recommend ignoring the policy descriptions as they are sometimes inaccurate. I recommend looking at what the code says and does instead.

I definitely double check with code definitions, but it's hard to definitively say sometimes. Safe than sorry, no harm done if there is room for doubt. But that's my mentality. There are cases where features are disabled (or enabled) and they do not coincide with the browser's behavior, especially code-defined defaults.

The only reason I can see from the code why the network sandbox would be disabled is if you left the policy in place but with a non-true value:

I expressly did not disable it, just removed it.

are you running secureblue? what policies and chromium.conf are you running?

I'm on Workstation, running my own conf file. The feature to toggle the sandbox is not used either. I do publish my policies and flags if you want me to link it. But, I don't think what I do makes a difference.

qoijjj commented 3 months ago

I definitely double check with code definitions, but it's hard to definitively say sometimes. Safe than sorry, no harm done if there is room for doubt. But that's my mentality. There are cases where features are disabled (or enabled) and they do not coincide with the browser's behavior, especially code-defined defaults.

Agreed, we should test thoroughly.

I'm on Workstation, running my own conf file. The feature to toggle the sandbox is not used either. I do publish my policies and flags if you want me to link it. But, I don't think what I do makes a difference.

The only reason I asked is cause the policy mentions field trials, which you might have enabled/disabled.

I will test these more once the build completes.

RKNF404 commented 3 months ago

I will test these more once the build completes.

I tested it on just chromium from Fedora, so you can test it that way short term, since it is the basis.

The only reason I asked is cause the policy mentions field trials, which you might have enabled/disabled.

The wording there seems very broad to be fair, I think they just mean using variations to enable it on like 1% of systems or something. But yeah, I don't think I mess with any policies or flags that would tinker with it. I guess the ChromeVariations policy? Maybe?

qoijjj commented 3 months ago

accidentally edited instead of responding

you can test it that way short term, since it is the basis.

yep i will

I guess the ChromeVariations policy? Maybe?

yeah i'm not sure. just spitballing

qoijjj commented 3 months ago

@RKNF404 I think I found a potential cause of the discrepancy you're seeing. I just ran checksec against two different chromium processes for the same chromium instance with the network sandbox enabled, and one showed No Seccomp, while the other showed Seccomp-bpf.

So it might be that the network change was not the cause of the difference in seccomp results, and the results are a red herring.

qoijjj commented 3 months ago

if you run checksec --proc-all you'll see that some chromium processes show seccomp, others don't, regardless of network sandbox policy.

@RKNF404

qoijjj commented 3 months ago

actually wait, you said you filtered on Network Service, I missed that.

let me try that

qoijjj commented 3 months ago
5408   /usr/lib64/chromium-browser/chromium-browser --type=utility --utility-sub-type=network.mojom.NetworkService

# checksec --proc=5408

         COMMAND    PID RELRO           STACK CANARY            SECCOMP          NX/PaX        PIE                     FORTIFY
 chromium-browse   5408 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes


Nope, I'm seeing No Seccomp for the NetworkService process with the policy enabled @RKNF404

qoijjj commented 3 months ago

interesting. it looks like field trials of the network service sandbox only started this year for windows:

https://chromium-review.googlesource.com/c/chromium/src/+/5260025

qoijjj commented 3 months ago

hmm, but this config is already present:

    "NetworkServiceSandboxLinuxAndChromeOS": [
        {
            "platforms": [
                "linux",
                "chromeos",
                "chromeos_lacros"
            ],
            "experiments": [
                {
                    "name": "EnabledWithMitigation",
                    "enable_features": [
                        "NetworkServiceFileAllowlist",
                        "NetworkServiceSandbox",
                        "NetworkServiceSyscallFilter"
                    ],
                    "disable_features": [
                        "kForceDisableSpectreVariant2MitigationInNetworkService"
                    ]
                }
            ]
        }
    ],

qoijjj commented 3 months ago

@RKNF404 I think I found it. It's disabled by default contrary to the other code:

https://source.chromium.org/chromium/chromium/src/+/main:sandbox/policy/features.cc;l=23?q=NetworkServiceSandbox%20lang:cc

qoijjj commented 3 months ago

To double check, I tried with both suid and namespace sandboxing, both with the NetworkServiceSandboxEnabled policy set to true, both showing the following for the network.mojom.NetworkService

* Does the CPU support NX: Yes

         COMMAND    PID RELRO           STACK CANARY            SECCOMP          NX/PaX        PIE                     FORTIFY
 chromium-browse   5417 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes

@RKNF404 can you double check your findings?
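A way to cross-check the checksec readings above without checksec, reading the Seccomp field of /proc/<pid>/status for the network service process directly. This is an added example, not part of the issue thread or the hardened-chromium project; it assumes the --utility-sub-type=network.mojom.NetworkService command line shown above, and the status dump at the bottom is constructed.

```shell
#!/bin/sh
# Added example: report the seccomp mode of Chromium's network service process
# straight from /proc, as a second source beside checksec.

# Extract the numeric Seccomp field from a /proc/<pid>/status dump on stdin.
# 0 = disabled (what checksec prints as "No Seccomp"), 1 = strict, 2 = filter (Seccomp-bpf).
# "Seccomp_filters:" is a different field and is deliberately not matched.
seccomp_mode_from_status() {
    awk '/^Seccomp:/ { print $2; found = 1 } END { if (!found) print "unknown" }'
}

# Map the numeric mode to the label checksec uses.
seccomp_label() {
    case "$1" in
        0) echo "No Seccomp" ;;
        1) echo "Seccomp-strict" ;;
        2) echo "Seccomp-bpf" ;;
        *) echo "unknown" ;;
    esac
}

# Locate the network service by its utility sub-type (assumed command line)
# and print "<pid> <label>"; returns 1 if no such process is running.
network_service_seccomp() {
    pid=$(pgrep -f 'utility-sub-type=network.mojom.NetworkService' | head -n 1)
    [ -n "$pid" ] || { echo "network service not running" >&2; return 1; }
    mode=$(seccomp_mode_from_status < "/proc/$pid/status")
    echo "$pid $(seccomp_label "$mode")"
}

# Constructed sample of the relevant /proc/<pid>/status lines, matching the
# "No Seccomp" result in the checksec output above.
SAMPLE_STATUS='Name:	chromium-browse
Pid:	5408
Seccomp:	0
Seccomp_filters:	0'

# Run the live check only when asked, so the functions can also be sourced.
if [ "${CHECK_NOW:-0}" = 1 ]; then
    network_service_seccomp
fi
```

Run with `CHECK_NOW=1 sh script.sh` on a machine with Chromium running; the process must be inspected from the same user or as root, since /proc/<pid>/status is readable only with matching permissions.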

RKNF404 commented 3 months ago

Nope, I'm seeing No Seccomp for the NetworkService process with the policy enabled

Huh... strange. On the vanilla Fedora build? Did you try enabling the sandboxing features? Like NetworkServiceSyscallFilter? Without enabling NetworkServiceSandbox?

can you double check your findings?

Was typing the above response as you replied, I can try again. I did test a few times before initially raising this to make sure I wasn't crazy.

qoijjj commented 3 months ago

Huh... strange. On the vanilla Fedora build? Did you try enabling the sandboxing features? Like NetworkServiceSyscallFilter? Without enabling NetworkServiceSandbox?

This is the vanilla fedora build with secureblue policies and config

NetworkServiceSyscallFilter

is this a policy?

it's enabled by default regardless: https://source.chromium.org/chromium/chromium/src/+/main:sandbox/policy/features.cc;l=31?q=NetworkServiceSandbox%20lang:cc

RKNF404 commented 3 months ago

@qoijjj It's a feature, it's just a test to see if it is being enabled but seccomp itself isn't, or the policy isn't enabling the sandbox at all.

qoijjj commented 3 months ago

@qoijjj It's a feature, it's just a test to see if it is being enabled but seccomp itself isn't, or the policy isn't enabling the sandbox at all.

I see, so you're passing it in --enable-features?

RKNF404 commented 3 months ago

I see, so you're passing it in --enable-features?

I am not, I'm interested what would happen if you did.

Anyway, just tested with JUST the policy enabled, removed all of my flags and policies. Still the same. I forgot to record checksec results but seccomp is enabled in the case where the policy is enabled: [screenshot] [screenshot] Here it is not included at all: [screenshot]

qoijjj commented 3 months ago

@RKNF404 how are you verifying the seccomp state is the same without checksec? or you used it but just didn't record it?

qoijjj commented 3 months ago

also @RKNF404 are you on discord? would be easier :smile:

RKNF404 commented 3 months ago

Used, didn't record. Sorry. I retook one screenshot with the PID and realized after I forgot to record.

RKNF404 commented 3 months ago

I am, yeah. Better there than bloating an issue with comments.

qoijjj commented 3 months ago

@RKNF404 message me in #dev, I don't know what your username is

RKNF404 commented 3 months ago

There's a discord server? If so, I was not aware tbh

qoijjj commented 3 months ago

@RKNF404 confirmed in code, spellcheck service is disabled by default:

https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/spellchecker/spellcheck_factory.cc;l=69?q=kSpellCheckUseSpellingService%20lang:cc&ss=chromium%2Fchromium%2Fsrc&start=1

qoijjj commented 3 months ago

@RKNF404 same with image labels: https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/accessibility/accessibility_labels_service.cc;l=148?q=kAccessibilityImageLabelsEnabled%20lang:cc&ss=chromium%2Fchromium%2Fsrc

RKNF404 commented 3 months ago

@qoijjj Looks like it. Similar with WebRtcEventLogCollectionAllowed. https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/ui/browser_ui_prefs.cc;l=108 Couldn't find anything to say otherwise. You were right.

qoijjj commented 3 months ago

me neither. with sync though I did more digging into the logic, and it's more nuanced. It looks like sync might be enabled by default according to this function:

https://source.chromium.org/chromium/chromium/src/+/main:components/sync/base/command_line_switches.cc;l=14;drc=4cc063ac39c4a0d1f6011421b259a9715bb16de1;bpv=1;bpt=1

I'm gonna invert the logic and make it return true only if "--enable-sync" is explicitly passed

qoijjj commented 3 months ago

@RKNF404 network service: https://github.com/secureblue/hardened-chromium/commit/3c6e77ab52b09afbcb1074ceb3f8e70efb334503

sync: https://github.com/secureblue/hardened-chromium/commit/50d6ab90f4fe2361748b9cfbf0e4eed597877dca

RKNF404 commented 3 months ago

Cool. Not sure if sync is enabled by default, just allowed. Still, disabling it with explicit opt-in seems like a good idea.

RKNF404 commented 3 months ago

Side note, I'll also add clarification for the SafeSitesFilterBehavior policy as to whether it is enabled by default or not. For verity's sake, it is not: https://source.chromium.org/chromium/chromium/src/+/main:components/policy/core/browser/url_blocklist_manager.cc;l=376 Thought it would be nice to have the code to back it, to avoid doubt.