Bug 1250125: Make a 0 security.sandbox.content.level turn off the content process sandbox. r?tabraldes
This also fixes a bug where we weren't setting parts of the policy correctly for levels 3 to 9.
MozReview-Commit-ID: IXsg2nGOqoa
--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@@ -982,17 +982,18 @@ GeckoChildProcessHost::PerformAsyncLaunc
bool shouldSandboxCurrentProcess = false;
// XXX: Bug 1124167: We should get rid of the process specific logic for
// sandboxing in this class at some point. Unfortunately it will take a bit
// of reorganizing so I don't think this patch is the right time.
switch (mProcessType) {
case GeckoProcessType_Content:
#if defined(MOZ_CONTENT_SANDBOX)
- if (!PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
+ if (mSandboxLevel > 0 &&
+ !PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
mSandboxBroker.SetSecurityLevelForContentProcess(mSandboxLevel);
cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
shouldSandboxCurrentProcess = true;
AddContentSandboxAllowedFiles(mSandboxLevel, mAllowedFilesRead);
}
#endif // MOZ_CONTENT_SANDBOX
break;
case GeckoProcessType_Plugin:
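Review bot: The result of `mSandboxBroker.SetSecurityLevelForContentProcess(mSandboxLevel);` on the line after the new guard is still discarded, and the broker hunk in sandboxBroker.cpp now returns false both for a level below 1 and (presumably, via `ret`) when one of the SetJobLevel/SetTokenLevel/mitigation calls does not return SBOX_ALL_OK. In that case `-sandbox` is still appended and shouldSandboxCurrentProcess is still set, so the child would launch under whatever partial policy was applied rather than the configured level. Consider capturing it, `bool policyOk = mSandboxBroker.SetSecurityLevelForContentProcess(mSandboxLevel);` followed by `MOZ_ASSERT(policyOk);`, and deciding whether a failed policy should abort the launch rather than proceed. A short comment on the guard, `// Level 0 (security.sandbox.content.level) disables the content sandbox entirely.`, would also make the new meaning of 0 visible here. PerformAsyncLaunch continues outside this hunk.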
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -106,31 +106,29 @@ SandboxBroker::SetSecurityLevelForConten
accessTokenLevel = sandbox::USER_LOCKDOWN;
initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_UNTRUSTED;
} else if (aSandboxLevel >= 10) {
jobLevel = sandbox::JOB_RESTRICTED;
accessTokenLevel = sandbox::USER_LIMITED;
initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- } else if (aSandboxLevel == 2) {
+ } else if (aSandboxLevel >= 2) {
jobLevel = sandbox::JOB_INTERACTIVE;
accessTokenLevel = sandbox::USER_INTERACTIVE;
initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
} else if (aSandboxLevel == 1) {
jobLevel = sandbox::JOB_NONE;
accessTokenLevel = sandbox::USER_NON_ADMIN;
initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
} else {
- jobLevel = sandbox::JOB_NONE;
- accessTokenLevel = sandbox::USER_NON_ADMIN;
- initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_MEDIUM;
- delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_MEDIUM;
+ MOZ_ASSERT_UNREACHABLE("Should not be called with aSandboxLevel < 1");
+ return false;
}
sandbox::ResultCode result = mPolicy->SetJobLevel(jobLevel,
0 /* ui_exceptions */);
bool ret = (sandbox::SBOX_ALL_OK == result);
result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
accessTokenLevel);
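Review bot: The level ladder now depends on branch order (`>= 10` is tested before the widened `>= 2`) and on the caller never passing a level below 1, but neither is written down, so a maintainer inserting a new tier or calling this for another process type would not see it. Suggest a comment above the first branch: `// Higher tiers must come first. Levels 3-9 share level 2's job/token settings (alternate desktop is added below); level 0 means "no sandbox" and is the caller's responsibility, so it must never reach here.` The false returned from the new else branch is also indistinguishable to callers from a policy-setup failure, which is worth stating in the function's header comment if it documents the return value. SetSecurityLevelForContentProcess starts before this hunk.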
@@ -141,34 +139,32 @@ SandboxBroker::SetSecurityLevelForConten
result = mPolicy->SetDelayedIntegrityLevel(delayedIntegrityLevel);
ret = ret && (sandbox::SBOX_ALL_OK == result);
if (aSandboxLevel > 2) {
result = mPolicy->SetAlternateDesktop(true);
ret = ret && (sandbox::SBOX_ALL_OK == result);
}
- if (aSandboxLevel >= 1) {
- sandbox::MitigationFlags mitigations =
- sandbox::MITIGATION_BOTTOM_UP_ASLR |
- sandbox::MITIGATION_HEAP_TERMINATE |
- sandbox::MITIGATION_SEHOP |
- sandbox::MITIGATION_DEP_NO_ATL_THUNK |
- sandbox::MITIGATION_DEP;
+ sandbox::MitigationFlags mitigations =
+ sandbox::MITIGATION_BOTTOM_UP_ASLR |
+ sandbox::MITIGATION_HEAP_TERMINATE |
+ sandbox::MITIGATION_SEHOP |
+ sandbox::MITIGATION_DEP_NO_ATL_THUNK |
+ sandbox::MITIGATION_DEP;
- result = mPolicy->SetProcessMitigations(mitigations);
- ret = ret && (sandbox::SBOX_ALL_OK == result);
+ result = mPolicy->SetProcessMitigations(mitigations);
+ ret = ret && (sandbox::SBOX_ALL_OK == result);
- mitigations =
- sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
- sandbox::MITIGATION_DLL_SEARCH_ORDER;
+ mitigations =
+ sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
+ sandbox::MITIGATION_DLL_SEARCH_ORDER;
- result = mPolicy->SetDelayedProcessMitigations(mitigations);
- ret = ret && (sandbox::SBOX_ALL_OK == result);
- }
+ result = mPolicy->SetDelayedProcessMitigations(mitigations);
+ ret = ret && (sandbox::SBOX_ALL_OK == result);
// Add the policy for the client side of a pipe. It is just a file
// in the \pipe\ namespace. We restrict it to pipes that start with
// "chrome." so the sandboxed process cannot connect to system services.
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
sandbox::TargetPolicy::FILES_ALLOW_ANY,
L"\\??\\pipe\\chrome.*");
ret = ret && (sandbox::SBOX_ALL_OK == result);
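Review bot: With the `if (aSandboxLevel >= 1)` wrapper gone, the body is a flat run of `result = mPolicy->...;` / `ret = ret && (sandbox::SBOX_ALL_OK == result);` pairs in which a failure is only folded into ret and every later policy call still runs; the repetition is easy to get wrong when another mitigation is added. A small local helper keeps each step to one line, e.g. `auto apply = [&](sandbox::ResultCode r) { ret = ret && (sandbox::SBOX_ALL_OK == r); };` then `apply(mPolicy->SetProcessMitigations(mitigations));`. Since the mitigations are now unconditional, a one-line comment above the first assignment, `// Applied at every level; level 0 never reaches this function.`, would record why the level check was dropped. The end of SetSecurityLevelForContentProcess is outside this hunk.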