Bug 1393805 - Part 3 - Add Windows whitelisted directory for system extensions development. r?bobowen
MozReview-Commit-ID: 8K5c3mUlqna
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -45,16 +45,17 @@ sandbox::BrokerServices *SandboxBroker::
bool SandboxBroker::sRunningFromNetworkDrive = false;
// Cached special directories used for adding policy rules.
static UniquePtr<nsString> sBinDir;
static UniquePtr<nsString> sProfileDir;
static UniquePtr<nsString> sContentTempDir;
static UniquePtr<nsString> sRoamingAppDataDir;
static UniquePtr<nsString> sLocalAppDataDir;
+static UniquePtr<nsString> sUserExtensionsDevDir;
#ifdef ENABLE_SYSTEM_EXTENSION_DIRS
static UniquePtr<nsString> sUserExtensionsDir;
#endif
static LazyLogModule sSandboxBrokerLog("SandboxBroker");
#define LOG_E(...) MOZ_LOG(sSandboxBrokerLog, LogLevel::Error, (__VA_ARGS__))
#define LOG_W(...) MOZ_LOG(sSandboxBrokerLog, LogLevel::Warning, (__VA_ARGS__))
@@ -125,16 +126,17 @@ SandboxBroker::CacheRulesDirectories()
return;
}
CacheDirAndAutoClear(dirSvc, NS_GRE_DIR, &sBinDir);
CacheDirAndAutoClear(dirSvc, NS_APP_USER_PROFILE_50_DIR, &sProfileDir);
CacheDirAndAutoClear(dirSvc, NS_APP_CONTENT_PROCESS_TEMP_DIR, &sContentTempDir);
CacheDirAndAutoClear(dirSvc, NS_WIN_APPDATA_DIR, &sRoamingAppDataDir);
CacheDirAndAutoClear(dirSvc, NS_WIN_LOCAL_APPDATA_DIR, &sLocalAppDataDir);
+ CacheDirAndAutoClear(dirSvc, XRE_USER_SYS_EXTENSION_DEV_DIR, &sUserExtensionsDevDir);
#ifdef ENABLE_SYSTEM_EXTENSION_DIRS
CacheDirAndAutoClear(dirSvc, XRE_USER_SYS_EXTENSION_DIR, &sUserExtensionsDir);
#endif
}
SandboxBroker::SandboxBroker()
{
if (sBrokerService) {
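Review bot: The added `CacheDirAndAutoClear(dirSvc, XRE_USER_SYS_EXTENSION_DEV_DIR, &sUserExtensionsDevDir);` call does not show what sUserExtensionsDevDir holds when the directory service cannot resolve that key, for example on a machine with no development directory. The content policy later passes this pointer to AddCachedDirRule with a `\\*` suffix, so an empty or stale base path must result in no rule at all, never a rule built from the suffix alone. Both helpers are defined outside this diff, so please confirm that behaviour and record it in a comment above the call, such as `// Left unset if the dev directory cannot be resolved; AddCachedDirRule then adds no rule.` CacheRulesDirectories starts before this hunk.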
@@ -494,16 +496,20 @@ SandboxBroker::SetSecurityLevelForConten
// Add rule to allow read access to the chrome directory within profile.
AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_READONLY,
sProfileDir, NS_LITERAL_STRING("\\chrome\\*"));
// Add rule to allow read access to the extensions directory within profile.
AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_READONLY,
sProfileDir, NS_LITERAL_STRING("\\extensions\\*"));
+ // Read access to a directory for system extension dev (see bug 1393805)
+ AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_READONLY,
+ sUserExtensionsDevDir, NS_LITERAL_STRING("\\*"));
+
#ifdef ENABLE_SYSTEM_EXTENSION_DIRS
// Add rule to allow read access to the per-user extensions directory.
AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_READONLY,
sUserExtensionsDir, NS_LITERAL_STRING("\\*"));
#endif
}
// Add the policy for the client side of a pipe. It is just a file
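Review bot: The new rule for sUserExtensionsDevDir sits outside the `#ifdef ENABLE_SYSTEM_EXTENSION_DIRS` guard that covers the per-user extensions rule directly below it. Every build that reaches this code therefore gives content processes read access to the whole development directory through the `\\*` wildcard. For a path intended for system extension development, this widens what a compromised content process can read on release builds too, assuming the directory resolves there. Consider putting the declaration, the CacheDirAndAutoClear call and this rule behind a development-only build flag or a pref check, or extend the comment to explain the choice, e.g. `// Unconditional on purpose: <reason>; this directory must not hold user data.` The enclosing function starts outside the hunk, so the sandbox levels that reach this rule are not visible here.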