From 928d72ea4e0c73d02c9471ee2b30d2f85b9b71c6 Mon Sep 17 00:00:00 2001
From: Rootkit404 <175176948+RKNF404@users.noreply.github.com>
Date: Mon, 30 Sep 2024 18:49:28 -0400
Subject: [PATCH 1/4] Fix issue network sandbox issue with GSSAPI

---
 .../fix-network-service-sandbox-gssapi.patch | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 patches/fix-network-service-sandbox-gssapi.patch

diff --git a/patches/fix-network-service-sandbox-gssapi.patch b/patches/fix-network-service-sandbox-gssapi.patch
new file mode 100644
index 00000000..9eb6b056
--- /dev/null
+++ b/patches/fix-network-service-sandbox-gssapi.patch
@@ -0,0 +1,34 @@
+diff --git a/chrome/browser/net/system_network_context_manager.cc b/chrome/browser/net/system_network_context_manager.cc
+index 249ff5ecffa8d..ae64bd27b9633 100644
+--- a/chrome/browser/net/system_network_context_manager.cc
++++ b/chrome/browser/net/system_network_context_manager.cc
+@@ -533,8 +533,14 @@ void SystemNetworkContextManager::GssapiLibraryLoadObserver::Install(
+ 
+ void SystemNetworkContextManager::GssapiLibraryLoadObserver::
+ OnBeforeGssapiLibraryLoad() {
++ // Keeping this enabled will disable the Network Service Sandbox when a
++ // website tries to use GSSAPI, not very secure.
++ /*
+ owner_->local_state_->SetBoolean(prefs::kReceivedHttpAuthNegotiateHeader,
+ true);
++ */
++ owner_->local_state_->SetBoolean(prefs::kReceivedHttpAuthNegotiateHeader,
++ false);
+ }
+ #endif // BUILDFLAG(IS_LINUX)
+ 
+diff --git a/services/network/public/mojom/network_service.mojom b/services/network/public/mojom/network_service.mojom
+index 3f3dac717be42..f03e34ceb404b 100644
+--- a/services/network/public/mojom/network_service.mojom
++++ b/services/network/public/mojom/network_service.mojom
+@@ -95,7 +95,9 @@ struct HttpAuthDynamicParams {
+ 
+ // Indicates whether the GSSAPI library should be loaded. Only supported on
+ // Chrome OS and Linux.
+- bool allow_gssapi_library_load = true;
++ // GSSAPI will disable the Network Service Sandbox when websites try to load
++ // it, not desirable from a security perspective.
++ bool allow_gssapi_library_load = false;
+ 
+ // True if Basic authentication challenges should be allowed for non-secure
+ // HTTP responses.

From 28969553f81c7cbaf0de8dfd56f2e7d1e5d97d5f Mon Sep 17 00:00:00 2001
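Review bot: The original `SetBoolean(..., true)` call is left in place inside a `/* */` block directly above its replacement in `OnBeforeGssapiLibraryLoad()`; the patch should delete those lines rather than comment them out, since the diff itself already records what was there. Separately, the observer now writes `false` only when a GSSAPI library load is about to happen, so a profile whose Local State already holds `kReceivedHttpAuthNegotiateHeader = true` from before this change presumably keeps the network service sandbox off until the next Negotiate challenge; if that pref is what gates the sandbox at startup, resetting it once at startup (or documenting the migration gap) would close that window. The mojom default change at the bottom of the hunk is only a fallback; I'd confirm that the browser-side code populating `HttpAuthDynamicParams` does not assign this field unconditionally, in which case the IDL default is never observed.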
From: Rootkit404 <175176948+RKNF404@users.noreply.github.com>
Date: Mon, 30 Sep 2024 18:52:37 -0400
Subject: [PATCH 2/4] Rename to be more direct

---
 ...tch => disable-gssapi-to-enable-network-service-sandbox.patch} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename patches/{fix-network-service-sandbox-gssapi.patch => disable-gssapi-to-enable-network-service-sandbox.patch} (100%)

diff --git a/patches/fix-network-service-sandbox-gssapi.patch b/patches/disable-gssapi-to-enable-network-service-sandbox.patch
similarity index 100%
rename from patches/fix-network-service-sandbox-gssapi.patch
rename to patches/disable-gssapi-to-enable-network-service-sandbox.patch

From c940f0055009c43b38d9c5869d24133325232db7 Mon Sep 17 00:00:00 2001
From: Rootkit404 <175176948+RKNF404@users.noreply.github.com>
Date: Mon, 30 Sep 2024 23:46:18 -0400
Subject: [PATCH 3/4] Allow the behavior of GSSAPI to be configurable

---
 ...pi-to-enable-network-service-sandbox.patch | 23 ++++++++++---------
 patches/expose-flags.patch | 9 ++++++--
 2 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/patches/disable-gssapi-to-enable-network-service-sandbox.patch b/patches/disable-gssapi-to-enable-network-service-sandbox.patch
index 9eb6b056..094424ae 100644
--- a/patches/disable-gssapi-to-enable-network-service-sandbox.patch
+++ b/patches/disable-gssapi-to-enable-network-service-sandbox.patch
@@ -1,34 +1,35 @@
 diff --git a/chrome/browser/net/system_network_context_manager.cc b/chrome/browser/net/system_network_context_manager.cc
-index 249ff5ecffa8d..ae64bd27b9633 100644
+index 249ff5ecffa8d..c9c36e3226290 100644
 --- a/chrome/browser/net/system_network_context_manager.cc
 +++ b/chrome/browser/net/system_network_context_manager.cc
-@@ -533,8 +533,14 @@ void SystemNetworkContextManager::GssapiLibraryLoadObserver::Install(
+@@ -533,8 +533,12 @@ void SystemNetworkContextManager::GssapiLibraryLoadObserver::Install(
 
 void SystemNetworkContextManager::GssapiLibraryLoadObserver::
 OnBeforeGssapiLibraryLoad() {
 + // Keeping this enabled will disable the Network Service Sandbox when a
-+ // website tries to use GSSAPI, not very secure.
-+ /*
++ // website tries to use GSSAPI, not very secure. Flag can re-enable.
 owner_->local_state_->SetBoolean(prefs::kReceivedHttpAuthNegotiateHeader,
- true);
-+ */
-+ owner_->local_state_->SetBoolean(prefs::kReceivedHttpAuthNegotiateHeader,
-+ false);
+- true);
++ base::CommandLine::
++ ForCurrentProcess()->HasSwitch(
++ "enable-gssapi"));
 }
 #endif // BUILDFLAG(IS_LINUX)
 
 diff --git a/services/network/public/mojom/network_service.mojom b/services/network/public/mojom/network_service.mojom
-index 3f3dac717be42..f03e34ceb404b 100644
+index 3f3dac717be42..29a9946052308 100644
 --- a/services/network/public/mojom/network_service.mojom
 +++ b/services/network/public/mojom/network_service.mojom
-@@ -95,7 +95,9 @@ struct HttpAuthDynamicParams {
+@@ -95,7 +95,11 @@ struct HttpAuthDynamicParams {
 
 // Indicates whether the GSSAPI library should be loaded. Only supported on
 // Chrome OS and Linux.
 - bool allow_gssapi_library_load = true;
 + // GSSAPI will disable the Network Service Sandbox when websites try to load
 + // it, not desirable from a security perspective.
-+ bool allow_gssapi_library_load = false;
++ bool allow_gssapi_library_load = base::CommandLine::
++ ForCurrentProcess()->HasSwitch(
++ "enable-gssapi"));
 
 // True if Basic authentication challenges should be allowed for non-secure
 // HTTP responses.
diff --git a/patches/expose-flags.patch b/patches/expose-flags.patch
index ff147dee..06a9c8a1 100644
--- a/patches/expose-flags.patch
+++ b/patches/expose-flags.patch
@@ -1,8 +1,8 @@
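Review bot: The new mojom default `bool allow_gssapi_library_load = base::CommandLine::ForCurrentProcess()->HasSwitch("enable-gssapi"));` is not valid Mojom: struct field defaults must be literals, the IDL has no access to C++ `base::CommandLine`, and the line closes two parentheses for one opened, so the mojom generator will reject network_service.mojom. Keep the IDL at `bool allow_gssapi_library_load = false;` and make the switch decision in the browser process where the params are populated, presumably next to the `OnBeforeGssapiLibraryLoad()` change in system_network_context_manager.cc. In the .cc hunk the `base::CommandLine` use needs `#include "base/command_line.h"` if that file does not already include it. The `"enable-gssapi"` literal is now spelled out here and again in the expose-flags.patch hunks of this commit and the next one; a single named switch constant would keep the flag entry and the `HasSwitch` check from drifting apart.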
 diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc
-index 96370d4ac35a9..6429e45f5013e 100644
+index 9d0181f447a1a..f362603d31caf 100644
 --- a/chrome/browser/about_flags.cc
 +++ b/chrome/browser/about_flags.cc
-@@ -4190,6 +4190,36 @@ const FeatureEntry kFeatureEntries[] = {
+@@ -4220,6 +4220,41 @@ const FeatureEntry kFeatureEntries[] = {
 // //tools/flags/generate_unexpire_flags.py.
 #include "build/chromeos_buildflags.h"
 #include "chrome/browser/unexpire_flags_gen.inc"
@@ -36,6 +36,11 @@ index 96370d4ac35a9..6429e45f5013e 100644
 + "Shows punycode for IDN domains to mitigate IDN homograph attacks. "
 + "Defaults to disabled. This feature is provided by hardened-chromium.",
 + kOsAll, FEATURE_VALUE_TYPE(url::kShowPunycodeDomains)},
++ {"enable-gssapi", "Enable GSSAPI Authentication",
++ "Enables GSSAPI for authentication. WARNING! This can cause the "
++ "network service sandbox to become persistently disabled, enable only "
++ "if absolutely necessary. This flag is provided by hardened-chromium.",
++ kOsLinux, SINGLE_DISABLE_VALUE_TYPE("enable-gssapi")},
 {variations::switches::kEnableBenchmarking,
 flag_descriptions::kEnableBenchmarkingName,
 flag_descriptions::kEnableBenchmarkingDescription, kOsAll,

From e7f43461eb99693fec72fb914f4d823577cb58d3 Mon Sep 17 00:00:00 2001
From: Root <175176948+RKNF404@users.noreply.github.com>
Date: Tue, 1 Oct 2024 09:13:41 -0400
Subject: [PATCH 4/4] Invert flag default status

---
 patches/expose-flags.patch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/patches/expose-flags.patch b/patches/expose-flags.patch
index 06a9c8a1..5e444455 100644
--- a/patches/expose-flags.patch
+++ b/patches/expose-flags.patch
@@ -40,7 +40,7 @@ index 9d0181f447a1a..f362603d31caf 100644
 + "Enables GSSAPI for authentication. WARNING! This can cause the "
 + "network service sandbox to become persistently disabled, enable only "
 + "if absolutely necessary. This flag is provided by hardened-chromium.",
-+ kOsLinux, SINGLE_DISABLE_VALUE_TYPE("enable-gssapi")},
++ kOsLinux, SINGLE_VALUE_TYPE("enable-gssapi")},
 {variations::switches::kEnableBenchmarking,
 flag_descriptions::kEnableBenchmarkingName,
 flag_descriptions::kEnableBenchmarkingDescription, kOsAll,