Bug 1287426 Part 5: Re-apply - Logging changes to the Chromium interception code. r=tabraldes
authorBob Owen <bobowencode@gmail.com>
Sat, 29 Nov 2014 17:12:18 +0000
changeset 312804 a05726163a79b404bf3248a86e3261e44cf50793
parent 312803 00d1d90c348b5f5edd2a5a42306d1771742bb06c
child 312805 9069b89a690b7d65dc1fd3e00cc80f6e1774ecb1
push id30658
push usercbook@mozilla.com
push dateTue, 06 Sep 2016 13:28:59 +0000
treeherdermozilla-central@bec2b7e3c0eb [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstabraldes
bugs1287426
milestone51.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1287426 Part 5: Re-apply - Logging changes to the Chromium interception code. r=tabraldes Originally landed as changset: https://hg.mozilla.org/mozilla-central/rev/0f763c186855 MozReview-Commit-ID: DtuHfDoB1Dx
security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
security/sandbox/chromium/sandbox/win/src/handle_interception.cc
security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc
security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc
security/sandbox/chromium/sandbox/win/src/registry_interception.cc
security/sandbox/chromium/sandbox/win/src/sync_interception.cc
security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
@@ -9,16 +9,17 @@
 #include "sandbox/win/src/crosscall_client.h"
 #include "sandbox/win/src/ipc_tags.h"
 #include "sandbox/win/src/policy_params.h"
 #include "sandbox/win/src/policy_target.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace sandbox {
 
 NTSTATUS WINAPI TargetNtCreateFile(NtCreateFileFunction orig_CreateFile,
                                    PHANDLE file, ACCESS_MASK desired_access,
                                    POBJECT_ATTRIBUTES object_attributes,
                                    PIO_STATUS_BLOCK io_status,
                                    PLARGE_INTEGER allocation_size,
@@ -28,16 +29,20 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre
   // Check if the process can open it first.
   NTSTATUS status = orig_CreateFile(file, desired_access, object_attributes,
                                     io_status, allocation_size,
                                     file_attributes, sharing, disposition,
                                     options, ea_buffer, ea_length);
   if (STATUS_ACCESS_DENIED != status)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtCreateFile",
+                                  object_attributes->ObjectName->Buffer,
+                                  object_attributes->ObjectName->Length);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
 
   wchar_t* name = NULL;
   do {
     if (!ValidParameter(file, sizeof(HANDLE), WRITE))
       break;
@@ -85,16 +90,19 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre
 
     __try {
       *file = answer.handle;
       io_status->Status = answer.nt_status;
       io_status->Information = answer.extended[0].ulong_ptr;
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
+    mozilla::sandboxing::LogAllowed("NtCreateFile",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   if (name)
     operator delete(name, NT_ALLOC);
 
   return status;
 }
 
@@ -104,16 +112,20 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF
                                  PIO_STATUS_BLOCK io_status, ULONG sharing,
                                  ULONG options) {
   // Check if the process can open it first.
   NTSTATUS status = orig_OpenFile(file, desired_access, object_attributes,
                                   io_status, sharing, options);
   if (STATUS_ACCESS_DENIED != status)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtOpenFile",
+                                  object_attributes->ObjectName->Buffer,
+                                  object_attributes->ObjectName->Length);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
 
   wchar_t* name = NULL;
   do {
     if (!ValidParameter(file, sizeof(HANDLE), WRITE))
       break;
@@ -159,16 +171,19 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF
 
     __try {
       *file = answer.handle;
       io_status->Status = answer.nt_status;
       io_status->Information = answer.extended[0].ulong_ptr;
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
+    mozilla::sandboxing::LogAllowed("NtOpenFile",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   if (name)
     operator delete(name, NT_ALLOC);
 
   return status;
 }
 
@@ -176,16 +191,20 @@ NTSTATUS WINAPI TargetNtQueryAttributesF
     NtQueryAttributesFileFunction orig_QueryAttributes,
     POBJECT_ATTRIBUTES object_attributes,
     PFILE_BASIC_INFORMATION file_attributes) {
   // Check if the process can query it first.
   NTSTATUS status = orig_QueryAttributes(object_attributes, file_attributes);
   if (STATUS_ACCESS_DENIED != status)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtQueryAttributesFile",
+                                  object_attributes->ObjectName->Buffer,
+                                  object_attributes->ObjectName->Length);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
 
   wchar_t* name = NULL;
   do {
     if (!ValidParameter(file_attributes, sizeof(FILE_BASIC_INFORMATION), WRITE))
       break;
@@ -216,16 +235,19 @@ NTSTATUS WINAPI TargetNtQueryAttributesF
     ResultCode code = CrossCall(ipc, IPC_NTQUERYATTRIBUTESFILE_TAG, name,
                                 attributes, file_info, &answer);
 
     if (SBOX_ALL_OK != code)
       break;
 
     status = answer.nt_status;
 
+    mozilla::sandboxing::LogAllowed("NtQueryAttributesFile",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   if (name)
     operator delete(name, NT_ALLOC);
 
   return status;
 }
 
@@ -234,16 +256,20 @@ NTSTATUS WINAPI TargetNtQueryFullAttribu
     POBJECT_ATTRIBUTES object_attributes,
     PFILE_NETWORK_OPEN_INFORMATION file_attributes) {
   // Check if the process can query it first.
   NTSTATUS status = orig_QueryFullAttributes(object_attributes,
                                              file_attributes);
   if (STATUS_ACCESS_DENIED != status)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtQueryFullAttributesFile",
+                                  object_attributes->ObjectName->Buffer,
+                                  object_attributes->ObjectName->Length);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
 
   wchar_t* name = NULL;
   do {
     if (!ValidParameter(file_attributes, sizeof(FILE_NETWORK_OPEN_INFORMATION),
                         WRITE))
@@ -274,16 +300,20 @@ NTSTATUS WINAPI TargetNtQueryFullAttribu
     CrossCallReturn answer = {0};
     ResultCode code = CrossCall(ipc, IPC_NTQUERYFULLATTRIBUTESFILE_TAG, name,
                                 attributes, file_info, &answer);
 
     if (SBOX_ALL_OK != code)
       break;
 
     status = answer.nt_status;
+
+    mozilla::sandboxing::LogAllowed("NtQueryFullAttributesFile",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   if (name)
     operator delete(name, NT_ALLOC);
 
   return status;
 }
 
@@ -292,16 +322,18 @@ NTSTATUS WINAPI TargetNtSetInformationFi
     PIO_STATUS_BLOCK io_status, PVOID file_info, ULONG length,
     FILE_INFORMATION_CLASS file_info_class) {
   // Check if the process can open it first.
   NTSTATUS status = orig_SetInformationFile(file, io_status, file_info, length,
                                             file_info_class);
   if (STATUS_ACCESS_DENIED != status)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtSetInformationFile");
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
 
   wchar_t* name = NULL;
   do {
     void* memory = GetGlobalIPCMemory();
     if (NULL == memory)
@@ -353,16 +385,17 @@ NTSTATUS WINAPI TargetNtSetInformationFi
     ResultCode code = CrossCall(ipc, IPC_NTSETINFO_RENAME_TAG, file,
                                 io_status_buffer, file_info_buffer, length,
                                 file_info_class, &answer);
 
     if (SBOX_ALL_OK != code)
       break;
 
     status = answer.nt_status;
+    mozilla::sandboxing::LogAllowed("NtSetInformationFile");
   } while (false);
 
   if (name)
     operator delete(name, NT_ALLOC);
 
   return status;
 }
 
--- a/security/sandbox/chromium/sandbox/win/src/handle_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/handle_interception.cc
@@ -5,16 +5,17 @@
 #include "sandbox/win/src/handle_interception.h"
 
 #include "sandbox/win/src/crosscall_client.h"
 #include "sandbox/win/src/ipc_tags.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace sandbox {
 
 ResultCode DuplicateHandleProxy(HANDLE source_handle,
                                 DWORD target_process_id,
                                 HANDLE* target_handle,
                                 DWORD desired_access,
                                 DWORD options) {
@@ -29,17 +30,19 @@ ResultCode DuplicateHandleProxy(HANDLE s
   ResultCode code = CrossCall(ipc, IPC_DUPLICATEHANDLEPROXY_TAG,
                               source_handle, target_process_id,
                               desired_access, options, &answer);
   if (SBOX_ALL_OK != code)
     return code;
 
   if (answer.win32_result) {
     ::SetLastError(answer.win32_result);
+    mozilla::sandboxing::LogBlocked("DuplicateHandle");
     return SBOX_ERROR_GENERIC;
   }
 
   *target_handle = answer.handle;
+  mozilla::sandboxing::LogAllowed("DuplicateHandle");
   return SBOX_ALL_OK;
 }
 
 }  // namespace sandbox
 
--- a/security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc
@@ -7,31 +7,34 @@
 #include "sandbox/win/src/crosscall_client.h"
 #include "sandbox/win/src/ipc_tags.h"
 #include "sandbox/win/src/policy_params.h"
 #include "sandbox/win/src/policy_target.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace sandbox {
 
 HANDLE WINAPI TargetCreateNamedPipeW(
     CreateNamedPipeWFunction orig_CreateNamedPipeW, LPCWSTR pipe_name,
     DWORD open_mode, DWORD pipe_mode, DWORD max_instance, DWORD out_buffer_size,
     DWORD in_buffer_size, DWORD default_timeout,
     LPSECURITY_ATTRIBUTES security_attributes) {
   HANDLE pipe = orig_CreateNamedPipeW(pipe_name, open_mode, pipe_mode,
                                       max_instance, out_buffer_size,
                                       in_buffer_size, default_timeout,
                                       security_attributes);
   if (INVALID_HANDLE_VALUE != pipe)
     return pipe;
 
+  mozilla::sandboxing::LogBlocked("CreateNamedPipeW", pipe_name);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return INVALID_HANDLE_VALUE;
 
   DWORD original_error = ::GetLastError();
 
   // We don't support specific Security Attributes.
   if (security_attributes)
@@ -57,16 +60,17 @@ HANDLE WINAPI TargetCreateNamedPipeW(
     if (SBOX_ALL_OK != code)
       break;
 
     ::SetLastError(answer.win32_result);
 
     if (ERROR_SUCCESS != answer.win32_result)
       return INVALID_HANDLE_VALUE;
 
+    mozilla::sandboxing::LogAllowed("CreateNamedPipeW", pipe_name);
     return answer.handle;
   } while (false);
 
   ::SetLastError(original_error);
   return INVALID_HANDLE_VALUE;
 }
 
 }  // namespace sandbox
--- a/security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc
@@ -9,32 +9,34 @@
 #include "sandbox/win/src/crosscall_client.h"
 #include "sandbox/win/src/ipc_tags.h"
 #include "sandbox/win/src/policy_params.h"
 #include "sandbox/win/src/policy_target.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace sandbox {
 
 SANDBOX_INTERCEPT NtExports g_nt;
 
 // Hooks NtOpenThread and proxy the call to the broker if it's trying to
 // open a thread in the same process.
 NTSTATUS WINAPI TargetNtOpenThread(NtOpenThreadFunction orig_OpenThread,
                                    PHANDLE thread, ACCESS_MASK desired_access,
                                    POBJECT_ATTRIBUTES object_attributes,
                                    PCLIENT_ID client_id) {
   NTSTATUS status = orig_OpenThread(thread, desired_access, object_attributes,
                                     client_id);
   if (NT_SUCCESS(status))
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtOpenThread");
   do {
     if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
       break;
     if (!client_id)
       break;
 
     uint32_t thread_id = 0;
     bool should_break = false;
@@ -90,16 +92,17 @@ NTSTATUS WINAPI TargetNtOpenThread(NtOpe
 
     __try {
       // Write the output parameters.
       *thread = answer.handle;
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
 
+    mozilla::sandboxing::LogAllowed("NtOpenThread");
     return answer.nt_status;
   } while (false);
 
   return status;
 }
 
 // Hooks NtOpenProcess and proxy the call to the broker if it's trying to
 // open the current process.
@@ -174,16 +177,17 @@ NTSTATUS WINAPI TargetNtOpenProcess(NtOp
 
 NTSTATUS WINAPI TargetNtOpenProcessToken(
     NtOpenProcessTokenFunction orig_OpenProcessToken, HANDLE process,
     ACCESS_MASK desired_access, PHANDLE token) {
   NTSTATUS status = orig_OpenProcessToken(process, desired_access, token);
   if (NT_SUCCESS(status))
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtOpenProcessToken");
   do {
     if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
       break;
 
     if (CURRENT_PROCESS != process)
       break;
 
     if (!ValidParameter(token, sizeof(HANDLE), WRITE))
@@ -205,30 +209,32 @@ NTSTATUS WINAPI TargetNtOpenProcessToken
 
     __try {
       // Write the output parameters.
       *token = answer.handle;
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
 
+    mozilla::sandboxing::LogAllowed("NtOpenProcessToken");
     return answer.nt_status;
   } while (false);
 
   return status;
 }
 
 NTSTATUS WINAPI TargetNtOpenProcessTokenEx(
     NtOpenProcessTokenExFunction orig_OpenProcessTokenEx, HANDLE process,
     ACCESS_MASK desired_access, ULONG handle_attributes, PHANDLE token) {
   NTSTATUS status = orig_OpenProcessTokenEx(process, desired_access,
                                             handle_attributes, token);
   if (NT_SUCCESS(status))
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtOpenProcessTokenEx");
   do {
     if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
       break;
 
     if (CURRENT_PROCESS != process)
       break;
 
     if (!ValidParameter(token, sizeof(HANDLE), WRITE))
@@ -250,16 +256,17 @@ NTSTATUS WINAPI TargetNtOpenProcessToken
 
     __try {
       // Write the output parameters.
       *token = answer.handle;
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
 
+    mozilla::sandboxing::LogAllowed("NtOpenProcessTokenEx");
     return answer.nt_status;
   } while (false);
 
   return status;
 }
 
 BOOL WINAPI TargetCreateProcessW(CreateProcessWFunction orig_CreateProcessW,
                                  LPCWSTR application_name, LPWSTR command_line,
@@ -272,16 +279,18 @@ BOOL WINAPI TargetCreateProcessW(CreateP
   if (SandboxFactory::GetTargetServices()->GetState()->IsCsrssConnected() &&
       orig_CreateProcessW(application_name, command_line, process_attributes,
                           thread_attributes, inherit_handles, flags,
                           environment, current_directory, startup_info,
                           process_information)) {
     return TRUE;
   }
 
+  mozilla::sandboxing::LogBlocked("CreateProcessW", application_name);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return FALSE;
 
   // Don't call GetLastError before InitCalled() succeeds because kernel32 may
   // not be mapped yet.
   DWORD original_error = ::GetLastError();
 
@@ -311,16 +320,17 @@ BOOL WINAPI TargetCreateProcessW(CreateP
                                 command_line, cur_dir, proc_info, &answer);
     if (SBOX_ALL_OK != code)
       break;
 
     ::SetLastError(answer.win32_result);
     if (ERROR_SUCCESS != answer.win32_result)
       return FALSE;
 
+    mozilla::sandboxing::LogAllowed("CreateProcessW", application_name);
     return TRUE;
   } while (false);
 
   ::SetLastError(original_error);
   return FALSE;
 }
 
 BOOL WINAPI TargetCreateProcessA(CreateProcessAFunction orig_CreateProcessA,
@@ -333,16 +343,18 @@ BOOL WINAPI TargetCreateProcessA(CreateP
                                  LPPROCESS_INFORMATION process_information) {
   if (orig_CreateProcessA(application_name, command_line, process_attributes,
                           thread_attributes, inherit_handles, flags,
                           environment, current_directory, startup_info,
                           process_information)) {
     return TRUE;
   }
 
+  mozilla::sandboxing::LogBlocked("CreateProcessA", application_name);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return FALSE;
 
   // Don't call GetLastError before InitCalled() succeeds because kernel32 may
   // not be mapped yet.
   DWORD original_error = ::GetLastError();
 
@@ -395,16 +407,17 @@ BOOL WINAPI TargetCreateProcessA(CreateP
 
     if (SBOX_ALL_OK != code)
       break;
 
     ::SetLastError(answer.win32_result);
     if (ERROR_SUCCESS != answer.win32_result)
       return FALSE;
 
+    mozilla::sandboxing::LogAllowed("CreateProcessA", application_name);
     return TRUE;
   } while (false);
 
   ::SetLastError(original_error);
   return FALSE;
 }
 
 }  // namespace sandbox
--- a/security/sandbox/chromium/sandbox/win/src/registry_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/registry_interception.cc
@@ -9,31 +9,38 @@
 #include "sandbox/win/src/crosscall_client.h"
 #include "sandbox/win/src/ipc_tags.h"
 #include "sandbox/win/src/policy_params.h"
 #include "sandbox/win/src/policy_target.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace sandbox {
 
 NTSTATUS WINAPI TargetNtCreateKey(NtCreateKeyFunction orig_CreateKey,
                                   PHANDLE key, ACCESS_MASK desired_access,
                                   POBJECT_ATTRIBUTES object_attributes,
                                   ULONG title_index, PUNICODE_STRING class_name,
                                   ULONG create_options, PULONG disposition) {
   // Check if the process can create it first.
   NTSTATUS status = orig_CreateKey(key, desired_access, object_attributes,
                                    title_index, class_name, create_options,
                                    disposition);
   if (NT_SUCCESS(status))
     return status;
 
+  if (STATUS_OBJECT_NAME_NOT_FOUND != status) {
+    mozilla::sandboxing::LogBlocked("NtCreateKey",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
+  }
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
 
   do {
     if (!ValidParameter(key, sizeof(HANDLE), WRITE))
       break;
 
@@ -109,16 +116,19 @@ NTSTATUS WINAPI TargetNtCreateKey(NtCrea
 
       if (disposition)
        *disposition = answer.extended[0].unsigned_int;
 
       status = answer.nt_status;
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
+    mozilla::sandboxing::LogAllowed("NtCreateKey",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   return status;
 }
 
 NTSTATUS WINAPI CommonNtOpenKey(NTSTATUS status, PHANDLE key,
                                 ACCESS_MASK desired_access,
                                 POBJECT_ATTRIBUTES object_attributes) {
@@ -185,29 +195,38 @@ NTSTATUS WINAPI CommonNtOpenKey(NTSTATUS
         break;
 
     __try {
       *key = answer.handle;
       status = answer.nt_status;
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
+    mozilla::sandboxing::LogAllowed("NtOpenKey[Ex]",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   return status;
 }
 
 NTSTATUS WINAPI TargetNtOpenKey(NtOpenKeyFunction orig_OpenKey, PHANDLE key,
                                 ACCESS_MASK desired_access,
                                 POBJECT_ATTRIBUTES object_attributes) {
   // Check if the process can open it first.
   NTSTATUS status = orig_OpenKey(key, desired_access, object_attributes);
   if (NT_SUCCESS(status))
     return status;
 
+  if (STATUS_OBJECT_NAME_NOT_FOUND != status) {
+    mozilla::sandboxing::LogBlocked("NtOpenKey",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
+  }
+
   return CommonNtOpenKey(status, key, desired_access, object_attributes);
 }
 
 NTSTATUS WINAPI TargetNtOpenKeyEx(NtOpenKeyExFunction orig_OpenKeyEx,
                                   PHANDLE key, ACCESS_MASK desired_access,
                                   POBJECT_ATTRIBUTES object_attributes,
                                   ULONG open_options) {
   // Check if the process can open it first.
@@ -215,12 +234,18 @@ NTSTATUS WINAPI TargetNtOpenKeyEx(NtOpen
                                    open_options);
 
   // We do not support open_options at this time. The 2 current known values
   // are REG_OPTION_CREATE_LINK, to open a symbolic link, and
   // REG_OPTION_BACKUP_RESTORE to open the key with special privileges.
   if (NT_SUCCESS(status) || open_options != 0)
     return status;
 
+  if (STATUS_OBJECT_NAME_NOT_FOUND != status) {
+    mozilla::sandboxing::LogBlocked("NtOpenKeyEx",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
+  }
+
   return CommonNtOpenKey(status, key, desired_access, object_attributes);
 }
 
 }  // namespace sandbox
--- a/security/sandbox/chromium/sandbox/win/src/sync_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/sync_interception.cc
@@ -9,16 +9,17 @@
 #include "sandbox/win/src/crosscall_client.h"
 #include "sandbox/win/src/ipc_tags.h"
 #include "sandbox/win/src/policy_params.h"
 #include "sandbox/win/src/policy_target.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace sandbox {
 
 ResultCode ProxyCreateEvent(LPCWSTR name,
                             uint32_t initial_state,
                             EVENT_TYPE event_type,
                             void* ipc_memory,
                             CrossCallReturn* answer) {
@@ -59,16 +60,20 @@ NTSTATUS WINAPI TargetNtCreateEvent(NtCr
                                     EVENT_TYPE event_type,
                                     BOOLEAN initial_state) {
   NTSTATUS status = orig_CreateEvent(event_handle, desired_access,
                                      object_attributes, event_type,
                                      initial_state);
   if (status != STATUS_ACCESS_DENIED || !object_attributes)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtCreatEvent",
+                                  object_attributes->ObjectName->Buffer,
+                                  object_attributes->ObjectName->Length);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
 
   do {
     if (!ValidParameter(event_handle, sizeof(HANDLE), WRITE))
       break;
 
@@ -98,30 +103,37 @@ NTSTATUS WINAPI TargetNtCreateEvent(NtCr
       break;
     }
     __try {
       *event_handle = answer.handle;
       status = STATUS_SUCCESS;
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
+    mozilla::sandboxing::LogAllowed("NtCreateEvent",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   return status;
 }
 
 NTSTATUS WINAPI TargetNtOpenEvent(NtOpenEventFunction orig_OpenEvent,
                                   PHANDLE event_handle,
                                   ACCESS_MASK desired_access,
                                   POBJECT_ATTRIBUTES object_attributes) {
   NTSTATUS status = orig_OpenEvent(event_handle, desired_access,
                                    object_attributes);
   if (status != STATUS_ACCESS_DENIED || !object_attributes)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtOpenEvent",
+                                  object_attributes->ObjectName->Buffer,
+                                  object_attributes->ObjectName->Length);
+  //
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
 
   do {
     if (!ValidParameter(event_handle, sizeof(HANDLE), WRITE))
       break;
 
@@ -150,14 +162,17 @@ NTSTATUS WINAPI TargetNtOpenEvent(NtOpen
       break;
     }
     __try {
       *event_handle = answer.handle;
       status = STATUS_SUCCESS;
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
+    mozilla::sandboxing::LogAllowed("NtOpenEvent",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   return status;
 }
 
 }  // namespace sandbox
--- a/security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt
+++ b/security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt
@@ -1,8 +1,8 @@
 Please add a link to the bugzilla bug and patch name that should be re-applied.
 Also, please update any existing links to their actual mozilla-central changeset.
 
 https://bugzilla.mozilla.org/show_bug.cgi?id=1287426 bug1287426part4.patch
-https://hg.mozilla.org/mozilla-central/rev/421446ab2347
+https://bugzilla.mozilla.org/show_bug.cgi?id=1287426 bug1287426part5.patch
 https://hg.mozilla.org/mozilla-central/rev/7df8d6639971
 https://hg.mozilla.org/mozilla-central/rev/afa4f68de47c
 https://bugzilla.mozilla.org/show_bug.cgi?id=1273852