Bug 1316153 - Remove base::ChildPrivileges from IPC. r?billm r?bobowen
ChildPrivileges is a leftover from the B2G process model; it's now
mostly unused, except for the Windows sandbox using it to carry whether
a content process has file:/// access.
In general, when sandboxing needs to interact with process launch, the
inputs are some subset of: the GeckoProcessType, the subtype if content,
various prefs and even GPU configuration; and the resulting launch
adjustments are platform-specific. And on some platforms (e.g., OS X)
it's all done after launch. So a simple enum used cross-platform isn't
a good fit.
MozReview-Commit-ID: K31OHOpJzla
--- a/dom/ipc/ContentParent.cpp
+++ b/dom/ipc/ContentParent.cpp
@@ -263,17 +263,16 @@
#include "mozilla/CodeCoverageHandler.h"
#endif
// For VP9Benchmark::sBenchmarkFpsPref
#include "Benchmark.h"
static NS_DEFINE_CID(kCClipboardCID, NS_CLIPBOARD_CID);
-using base::ChildPrivileges;
using base::KillProcess;
#ifdef MOZ_CRASHREPORTER
using namespace CrashReporter;
#endif
using namespace mozilla::dom::power;
using namespace mozilla::media;
using namespace mozilla::embedding;
@@ -2118,20 +2117,18 @@ ContentParent::ContentParent(ContentPare
}
// Request Windows message deferral behavior on our side of the PContent
// channel. Generally only applies to the situation where we get caught in
// a deadlock with the plugin process when sending CPOWs.
GetIPCChannel()->SetChannelFlags(MessageChannel::REQUIRE_DEFERRED_MESSAGE_PROTECTION);
#endif
NS_ASSERTION(NS_IsMainThread(), "Wrong thread!");
- ChildPrivileges privs = mRemoteType.EqualsLiteral(FILE_REMOTE_TYPE)
- ? base::PRIVILEGES_FILEREAD
- : base::PRIVILEGES_DEFAULT;
- mSubprocess = new GeckoChildProcessHost(GeckoProcessType_Content, privs);
+ bool isFile = mRemoteType.EqualsLiteral(FILE_REMOTE_TYPE);
+ mSubprocess = new GeckoChildProcessHost(GeckoProcessType_Content, isFile);
}
ContentParent::~ContentParent()
{
if (mForceKillTimer) {
mForceKillTimer->Cancel();
}
--- a/dom/ipc/PContent.ipdl
+++ b/dom/ipc/PContent.ipdl
@@ -65,17 +65,16 @@ include MemoryReportTypes;
include "mozilla/dom/PContentBridgeParent.h";
using GeoPosition from "nsGeoPositionIPCSerialiser.h";
using AlertNotificationType from "mozilla/AlertNotificationIPCSerializer.h";
using struct ChromePackage from "mozilla/chrome/RegistryMessageUtils.h";
using struct SubstitutionMapping from "mozilla/chrome/RegistryMessageUtils.h";
using struct OverrideMapping from "mozilla/chrome/RegistryMessageUtils.h";
-using base::ChildPrivileges from "base/process_util.h";
using base::ProcessId from "base/process.h";
using struct IPC::Permission from "mozilla/net/NeckoMessageUtils.h";
using class IPC::Principal from "mozilla/dom/PermissionMessageUtils.h";
using struct mozilla::null_t from "ipc/IPCMessageUtils.h";
using mozilla::a11y::IHandlerControlHolder from "mozilla/a11y/IPCTypes.h";
using mozilla::dom::NativeThreadId from "mozilla/dom/TabMessageUtils.h";
using mozilla::hal::ProcessPriority from "mozilla/HalTypes.h";
using mozilla::gfx::IntSize from "mozilla/gfx/2D.h";
--- a/ipc/chromium/moz.build
+++ b/ipc/chromium/moz.build
@@ -53,20 +53,16 @@ if os_win:
'src/base/time_win.cc',
'src/base/waitable_event_win.cc',
'src/base/win_util.cc',
'src/chrome/common/ipc_channel_win.cc',
'src/chrome/common/process_watcher_win.cc',
'src/chrome/common/transport_dib_win.cc',
]
- EXPORTS.base += [
- 'src/base/child_privileges.h',
- ]
-
elif not CONFIG['MOZ_SYSTEM_LIBEVENT']:
DIRS += ['src/third_party']
if os_posix:
UNIFIED_SOURCES += [
'src/base/condition_variable_posix.cc',
'src/base/file_descriptor_shuffle.cc',
'src/base/file_util_posix.cc',
deleted file mode 100644
--- a/ipc/chromium/src/base/child_privileges.h
+++ /dev/null
@@ -1,23 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef BASE_CHILD_PRIVILEGS_H_
-#define BASE_CHILD_PRIVILEGS_H_
-
-namespace base {
-
-enum ChildPrivileges {
- PRIVILEGES_DEFAULT,
- PRIVILEGES_UNPRIVILEGED,
- PRIVILEGES_INHERIT,
- // PRIVILEGES_DEFAULT plus file read permissions, used for file content process.
- PRIVILEGES_FILEREAD,
- PRIVILEGES_LAST
-};
-
-} // namespace base
-
-#endif // BASE_CHILD_PRIVILEGS_H_
--- a/ipc/chromium/src/base/process_util.h
+++ b/ipc/chromium/src/base/process_util.h
@@ -31,17 +31,16 @@
#include <string>
#include <vector>
#include <stdio.h>
#include <stdlib.h>
#ifndef OS_WIN
#include <unistd.h>
#endif
-#include "base/child_privileges.h"
#include "base/command_line.h"
#include "base/process.h"
#if defined(OS_POSIX)
#include "base/file_descriptor_shuffle.h"
#endif
#include "mozilla/UniquePtr.h"
@@ -159,42 +158,32 @@ typedef std::vector<std::pair<int, int>
bool LaunchApp(const std::vector<std::string>& argv,
const file_handle_mapping_vector& fds_to_remap,
bool wait, ProcessHandle* process_handle);
typedef std::map<std::string, std::string> environment_map;
bool LaunchApp(const std::vector<std::string>& argv,
const file_handle_mapping_vector& fds_to_remap,
const environment_map& env_vars_to_set,
- ChildPrivileges privs,
- bool wait, ProcessHandle* process_handle,
- ProcessArchitecture arch=GetCurrentProcessArchitecture());
-bool LaunchApp(const std::vector<std::string>& argv,
- const file_handle_mapping_vector& fds_to_remap,
- const environment_map& env_vars_to_set,
bool wait, ProcessHandle* process_handle,
ProcessArchitecture arch=GetCurrentProcessArchitecture());
// Deleter for the array of strings allocated within BuildEnvironmentArray.
struct FreeEnvVarsArray
{
void operator()(char** array);
};
typedef mozilla::UniquePtr<char*[], FreeEnvVarsArray> EnvironmentArray;
// Merge an environment map with the current environment.
// Existing variables are overwritten by env_vars_to_set.
EnvironmentArray BuildEnvironmentArray(const environment_map& env_vars_to_set);
#endif
-// Adjust the privileges of this process to match |privs|. Only
-// returns if privileges were successfully adjusted.
-void SetCurrentProcessPrivileges(ChildPrivileges privs);
-
// Executes the application specified by cl. This function delegates to one
// of the above two platform-specific functions.
bool LaunchApp(const CommandLine& cl,
bool wait, bool start_hidden, ProcessHandle* process_handle);
// Used to filter processes by process ID.
class ProcessFilter {
public:
--- a/ipc/chromium/src/base/process_util_bsd.cc
+++ b/ipc/chromium/src/base/process_util_bsd.cc
@@ -31,27 +31,16 @@ bool LaunchApp(const std::vector<std::st
wait, process_handle);
}
bool LaunchApp(const std::vector<std::string>& argv,
const file_handle_mapping_vector& fds_to_remap,
const environment_map& env_vars_to_set,
bool wait, ProcessHandle* process_handle,
ProcessArchitecture arch) {
- return LaunchApp(argv, fds_to_remap, env_vars_to_set,
- PRIVILEGES_INHERIT,
- wait, process_handle);
-}
-
-bool LaunchApp(const std::vector<std::string>& argv,
- const file_handle_mapping_vector& fds_to_remap,
- const environment_map& env_vars_to_set,
- ChildPrivileges privs,
- bool wait, ProcessHandle* process_handle,
- ProcessArchitecture arch) {
bool retval = true;
char* argv_copy[argv.size() + 1];
for (size_t i = 0; i < argv.size(); i++) {
argv_copy[i] = const_cast<char*>(argv[i].c_str());
}
argv_copy[argv.size()] = NULL;
@@ -114,13 +103,9 @@ bool LaunchApp(const std::vector<std::st
bool LaunchApp(const CommandLine& cl,
bool wait, bool start_hidden, ProcessHandle* process_handle) {
// TODO(playmobil): Do we need to respect the start_hidden flag?
file_handle_mapping_vector no_files;
return LaunchApp(cl.argv(), no_files, wait, process_handle);
}
-void SetCurrentProcessPrivileges(ChildPrivileges privs) {
-
-}
-
} // namespace base
--- a/ipc/chromium/src/base/process_util_linux.cc
+++ b/ipc/chromium/src/base/process_util_linux.cc
@@ -11,23 +11,16 @@
#include <sys/wait.h>
#include <unistd.h>
#include "base/eintr_wrapper.h"
#include "base/logging.h"
#include "mozilla/Move.h"
#include "mozilla/UniquePtr.h"
-/*
- * We fall back to an arbitrary UID. This is generally the UID for user
- * `nobody', albeit it is not always the case.
- */
-# define CHILD_UNPRIVILEGED_UID 65534
-# define CHILD_UNPRIVILEGED_GID 65534
-
namespace {
static mozilla::EnvironmentLog gProcessLog("MOZ_PROCESS_LOG");
} // namespace
namespace base {
@@ -38,27 +31,16 @@ bool LaunchApp(const std::vector<std::st
wait, process_handle);
}
bool LaunchApp(const std::vector<std::string>& argv,
const file_handle_mapping_vector& fds_to_remap,
const environment_map& env_vars_to_set,
bool wait, ProcessHandle* process_handle,
ProcessArchitecture arch) {
- return LaunchApp(argv, fds_to_remap, env_vars_to_set,
- PRIVILEGES_INHERIT,
- wait, process_handle);
-}
-
-bool LaunchApp(const std::vector<std::string>& argv,
- const file_handle_mapping_vector& fds_to_remap,
- const environment_map& env_vars_to_set,
- ChildPrivileges privs,
- bool wait, ProcessHandle* process_handle,
- ProcessArchitecture arch) {
mozilla::UniquePtr<char*[]> argv_cstr(new char*[argv.size() + 1]);
// Illegal to allocate memory after fork and before execvp
InjectiveMultimap fd_shuffle1, fd_shuffle2;
fd_shuffle1.reserve(fds_to_remap.size());
fd_shuffle2.reserve(fds_to_remap.size());
EnvironmentArray envp = BuildEnvironmentArray(env_vars_to_set);
@@ -77,18 +59,16 @@ bool LaunchApp(const std::vector<std::st
_exit(127);
CloseSuperfluousFds(fd_shuffle2);
for (size_t i = 0; i < argv.size(); i++)
argv_cstr[i] = const_cast<char*>(argv[i].c_str());
argv_cstr[argv.size()] = NULL;
- SetCurrentProcessPrivileges(privs);
-
execve(argv_cstr[0], argv_cstr.get(), envp.get());
// if we get here, we're in serious trouble and should complain loudly
// NOTE: This is async signal unsafe; it could deadlock instead. (But
// only on debug builds; otherwise it's a signal-safe no-op.)
DLOG(ERROR) << "FAILED TO exec() CHILD PROCESS, path: " << argv_cstr[0];
_exit(127);
} else {
gProcessLog.print("==> process %d launched child process %d\n",
@@ -105,28 +85,9 @@ bool LaunchApp(const std::vector<std::st
bool LaunchApp(const CommandLine& cl,
bool wait, bool start_hidden,
ProcessHandle* process_handle) {
file_handle_mapping_vector no_files;
return LaunchApp(cl.argv(), no_files, wait, process_handle);
}
-void SetCurrentProcessPrivileges(ChildPrivileges privs) {
- if (privs == PRIVILEGES_INHERIT) {
- return;
- }
-
- gid_t gid = CHILD_UNPRIVILEGED_GID;
- uid_t uid = CHILD_UNPRIVILEGED_UID;
- if (setgid(gid) != 0) {
- DLOG(ERROR) << "FAILED TO setgid() CHILD PROCESS";
- _exit(127);
- }
- if (setuid(uid) != 0) {
- DLOG(ERROR) << "FAILED TO setuid() CHILD PROCESS";
- _exit(127);
- }
- if (chdir("/") != 0)
- gProcessLog.print("==> could not chdir()\n");
-}
-
} // namespace base
--- a/ipc/chromium/src/base/process_util_mac.mm
+++ b/ipc/chromium/src/base/process_util_mac.mm
@@ -29,27 +29,16 @@ bool LaunchApp(const std::vector<std::st
wait, process_handle);
}
bool LaunchApp(const std::vector<std::string>& argv,
const file_handle_mapping_vector& fds_to_remap,
const environment_map& env_vars_to_set,
bool wait, ProcessHandle* process_handle,
ProcessArchitecture arch) {
- return LaunchApp(argv, fds_to_remap, env_vars_to_set,
- PRIVILEGES_INHERIT,
- wait, process_handle);
-}
-
-bool LaunchApp(const std::vector<std::string>& argv,
- const file_handle_mapping_vector& fds_to_remap,
- const environment_map& env_vars_to_set,
- ChildPrivileges privs,
- bool wait, ProcessHandle* process_handle,
- ProcessArchitecture arch) {
bool retval = true;
char* argv_copy[argv.size() + 1];
for (size_t i = 0; i < argv.size(); i++) {
argv_copy[i] = const_cast<char*>(argv[i].c_str());
}
argv_copy[argv.size()] = NULL;
@@ -146,13 +135,9 @@ bool LaunchApp(const std::vector<std::st
bool LaunchApp(const CommandLine& cl,
bool wait, bool start_hidden, ProcessHandle* process_handle) {
// TODO(playmobil): Do we need to respect the start_hidden flag?
file_handle_mapping_vector no_files;
return LaunchApp(cl.argv(), no_files, wait, process_handle);
}
-void SetCurrentProcessPrivileges(ChildPrivileges privs) {
-
-}
-
} // namespace base
--- a/ipc/chromium/src/base/process_util_win.cc
+++ b/ipc/chromium/src/base/process_util_win.cc
@@ -396,20 +396,16 @@ bool DidProcessCrash(bool* child_exited,
exitcode == 0xC000013A || // Control-C/end session.
exitcode == 0x40010004) { // Debugger terminated process/end session.
return false;
}
return true;
}
-void SetCurrentProcessPrivileges(ChildPrivileges privs) {
-
-}
-
///////////////////////////////////////////////////////////////////////////////
// ProcesMetrics
ProcessMetrics::ProcessMetrics(ProcessHandle process) : process_(process),
last_time_(0),
last_system_time_(0) {
SYSTEM_INFO system_info;
GetSystemInfo(&system_info);
--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@@ -70,38 +70,26 @@ using mozilla::ipc::GeckoChildProcessHos
#ifdef MOZ_WIDGET_ANDROID
#include "AndroidBridge.h"
#include "GeneratedJNIWrappers.h"
#include "mozilla/jni/Refs.h"
#include "mozilla/jni/Utils.h"
#endif
-// We currently don't drop privileges on any platform, because we have to worry
-// about plugins and extensions breaking.
-static const bool kLowRightsSubprocesses = false;
-
static bool
ShouldHaveDirectoryService()
{
return GeckoProcessType_Default == XRE_GetProcessType();
}
-/*static*/
-base::ChildPrivileges
-GeckoChildProcessHost::DefaultChildPrivileges()
-{
- return (kLowRightsSubprocesses ?
- base::PRIVILEGES_UNPRIVILEGED : base::PRIVILEGES_INHERIT);
-}
-
GeckoChildProcessHost::GeckoChildProcessHost(GeckoProcessType aProcessType,
- ChildPrivileges aPrivileges)
+ bool aIsFileContent)
: mProcessType(aProcessType),
- mPrivileges(aPrivileges),
+ mIsFileContent(aIsFileContent),
mMonitor("mozilla.ipc.GeckChildProcessHost.mMonitor"),
mProcessState(CREATING_CHANNEL),
#if defined(MOZ_SANDBOX) && defined(XP_WIN)
mEnableSandboxLogging(false),
mSandboxLevel(0),
#endif
mChildProcessHandle(0)
#if defined(MOZ_WIDGET_COCOA)
@@ -727,21 +715,16 @@ GeckoChildProcessHost::PerformAsyncLaunc
// For POSIX, we have to be extremely anal about *not* using
// std::wstring in code compiled with Mozilla's -fshort-wchar
// configuration, because chromium is compiled with -fno-short-wchar
// and passing wstrings from one config to the other is unsafe. So
// we split the logic here.
# if defined(OS_LINUX) || defined(OS_MACOSX) || defined(OS_BSD) || defined(OS_SOLARIS)
base::environment_map newEnvVars;
- ChildPrivileges privs = mPrivileges;
- if (privs == base::PRIVILEGES_DEFAULT ||
- privs == base::PRIVILEGES_FILEREAD) {
- privs = DefaultChildPrivileges();
- }
# if defined(MOZ_WIDGET_GTK)
if (mProcessType == GeckoProcessType_Content) {
// disable IM module to avoid sandbox violation
newEnvVars["GTK_IM_MODULE"] = "gtk-im-context-simple";
// Disable ATK accessibility code in content processes because it conflicts
// with the sandbox, and we proxy that information through the main process
@@ -919,17 +902,17 @@ GeckoChildProcessHost::PerformAsyncLaunc
childArgv.push_back(childProcessType);
# if defined(MOZ_WIDGET_ANDROID)
LaunchAndroidService(childProcessType, childArgv, mFileMap, &process);
# else // goes with defined(MOZ_WIDGET_ANDROID)
base::LaunchApp(childArgv, mFileMap,
# if defined(OS_LINUX) || defined(OS_MACOSX) || defined(OS_BSD) || defined(OS_SOLARIS)
- newEnvVars, privs,
+ newEnvVars,
# endif // defined(OS_LINUX) || defined(OS_MACOSX) || defined(OS_BSD) || defined(OS_SOLARIS)
false, &process, arch);
# endif // defined(MOZ_WIDGET_ANDROID)
// We're in the parent and the child was launched. Close the child FD in the
// parent as soon as possible, which will allow the parent to detect when the
// child closes its FD (either due to normal exit or due to crash).
GetChannel()->CloseClientFileDescriptor();
@@ -1045,17 +1028,17 @@ GeckoChildProcessHost::PerformAsyncLaunc
case GeckoProcessType_Content:
# if defined(MOZ_CONTENT_SANDBOX)
if (mSandboxLevel > 0 &&
!PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
// For now we treat every failure as fatal in SetSecurityLevelForContentProcess
// and just crash there right away. Should this change in the future then we
// should also handle the error here.
mSandboxBroker.SetSecurityLevelForContentProcess(mSandboxLevel,
- mPrivileges);
+ mIsFileContent);
shouldSandboxCurrentProcess = true;
}
# endif // defined(MOZ_CONTENT_SANDBOX)
break;
case GeckoProcessType_Plugin:
if (mSandboxLevel > 0 &&
!PR_GetEnv("MOZ_DISABLE_NPAPI_SANDBOX")) {
bool ok = mSandboxBroker.SetSecurityLevelForPluginProcess(mSandboxLevel);
--- a/ipc/glue/GeckoChildProcessHost.h
+++ b/ipc/glue/GeckoChildProcessHost.h
@@ -30,23 +30,20 @@ namespace ipc {
class GeckoChildProcessHost : public ChildProcessHost
{
protected:
typedef mozilla::Monitor Monitor;
typedef std::vector<std::string> StringVector;
public:
- typedef base::ChildPrivileges ChildPrivileges;
typedef base::ProcessHandle ProcessHandle;
- static ChildPrivileges DefaultChildPrivileges();
-
explicit GeckoChildProcessHost(GeckoProcessType aProcessType,
- ChildPrivileges aPrivileges=base::PRIVILEGES_DEFAULT);
+ bool aIsFileContent = false);
~GeckoChildProcessHost();
static nsresult GetArchitecturesForBinary(const char *path, uint32_t *result);
static uint32_t GetSupportedArchitecturesForProcessType(GeckoProcessType type);
static uint32_t GetUniqueID();
@@ -120,17 +117,17 @@ public:
// For bug 943174: Skip the EnsureProcessTerminated call in the destructor.
void SetAlreadyDead();
static void EnableSameExecutableForContentProc() { sRunSelfAsContentProc = true; }
protected:
GeckoProcessType mProcessType;
- ChildPrivileges mPrivileges;
+ bool mIsFileContent;
Monitor mMonitor;
FilePath mProcessPath;
// This value must be accessed while holding mMonitor.
enum {
// This object has been constructed, but the OS process has not
// yet.
CREATING_CHANNEL = 0,
--- a/ipc/glue/IPCMessageUtils.h
+++ b/ipc/glue/IPCMessageUtils.h
@@ -250,23 +250,16 @@ struct ContiguousEnumSerializerInclusive
*/
template <typename E,
E AllBits>
struct BitFlagsEnumSerializer
: EnumSerializer<E,
BitFlagsEnumValidator<E, AllBits>>
{};
-template <>
-struct ParamTraits<base::ChildPrivileges>
- : public ContiguousEnumSerializer<base::ChildPrivileges,
- base::PRIVILEGES_DEFAULT,
- base::PRIVILEGES_LAST>
-{ };
-
/**
* A helper class for serializing plain-old data (POD) structures.
* The memory representation of the structure is written to and read from
* the serialized stream directly, without individual processing of the
* structure's members.
*
* Derive ParamTraits<T> from PlainOldDataSerializer<T> if T is POD.
*/
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -340,17 +340,17 @@ SetJobLevel(sandbox::TargetPolicy* aPoli
return aPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
}
#if defined(MOZ_CONTENT_SANDBOX)
void
SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
- base::ChildPrivileges aPrivs)
+ bool aIsFileProcess)
{
MOZ_RELEASE_ASSERT(mPolicy, "mPolicy must be set before this call.");
sandbox::JobLevel jobLevel;
sandbox::TokenLevel accessTokenLevel;
sandbox::IntegrityLevel initialIntegrityLevel;
sandbox::IntegrityLevel delayedIntegrityLevel;
@@ -380,18 +380,19 @@ SandboxBroker::SetSecurityLevelForConten
delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
} else if (aSandboxLevel == 1) {
jobLevel = sandbox::JOB_NONE;
accessTokenLevel = sandbox::USER_NON_ADMIN;
initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
}
- // If PRIVILEGES_FILEREAD required, don't allow settings that block reads.
- if (aPrivs == base::ChildPrivileges::PRIVILEGES_FILEREAD) {
+ // If the process will handle file: URLs, don't allow settings that
+ // block reads.
+ if (aIsFileProcess) {
if (accessTokenLevel < sandbox::USER_NON_ADMIN) {
accessTokenLevel = sandbox::USER_NON_ADMIN;
}
if (delayedIntegrityLevel > sandbox::INTEGRITY_LEVEL_LOW) {
delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
}
}
@@ -468,18 +469,17 @@ SandboxBroker::SetSecurityLevelForConten
// reason the addition of the content temp failed, this will give write access
// to the normal TEMP dir. However such failures should be pretty rare and
// without this printing will not currently work.
AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_ANY,
sContentTempDir, NS_LITERAL_STRING("\\*"));
// We still have edge cases where the child at low integrity can't read some
// files, so add a rule to allow read access to everything when required.
- if (aSandboxLevel == 1 ||
- aPrivs == base::ChildPrivileges::PRIVILEGES_FILEREAD) {
+ if (aSandboxLevel == 1 || aIsFileProcess) {
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
sandbox::TargetPolicy::FILES_ALLOW_READONLY,
L"*");
MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
"With these static arguments AddRule should never fail, what happened?");
} else {
// Add rule to allow read access to installation directory.
AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_READONLY,
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
@@ -5,17 +5,16 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef __SECURITY_SANDBOX_SANDBOXBROKER_H__
#define __SECURITY_SANDBOX_SANDBOXBROKER_H__
#include <stdint.h>
#include <windows.h>
-#include "base/child_privileges.h"
#include "nsXULAppAPI.h"
namespace sandbox {
class BrokerServices;
class TargetPolicy;
}
namespace mozilla {
@@ -38,17 +37,17 @@ public:
GeckoProcessType aProcessType,
const bool aEnableLogging,
void **aProcessHandle);
virtual ~SandboxBroker();
// Security levels for different types of processes
#if defined(MOZ_CONTENT_SANDBOX)
void SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
- base::ChildPrivileges aPrivs);
+ bool aIsFileProcess);
#endif
void SetSecurityLevelForGPUProcess(int32_t aSandboxLevel);
bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel);
enum SandboxLevel {
LockDown,
Restricted