Bug 1173371 Part 3: Add sandbox policy rule to allow read access to the Firefox program directory when it is on a network drive. r=aklotz

ipc/glue/GeckoChildProcessHost.cpp

@@ -40,6 +40,7 @@
 #if defined(MOZ_SANDBOX)
 #include "mozilla/Preferences.h"
 #include "mozilla/sandboxing/sandboxLogging.h"
+#include "nsDirectoryServiceUtils.h"
 #endif
 #endif
 
@@ -603,6 +604,46 @@ MaybeAddNsprLogFileAccess(std::vector<std::wstring>& aAllowedFilesReadWrite)
   AppendUTF16toUTF8(resolvedFilePath, resolvedEnvVar);
   PR_SetEnv(resolvedEnvVar.get());
 }
+
+static void
+AddContentSandboxAllowedFiles(int32_t aSandboxLevel,
+                              std::vector<std::wstring>& aAllowedFilesRead)
+{
+  if (aSandboxLevel < 1) {
+    return;
+  }
+
+  nsCOMPtr<nsIFile> binDir;
+  nsresult rv = NS_GetSpecialDirectory(NS_GRE_DIR, getter_AddRefs(binDir));
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return;
+  }
+
+  nsAutoString binDirPath;
+  rv = binDir->GetPath(binDirPath);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return;
+  }
+
+  // If bin directory is on a remote drive add read access.
+  wchar_t volPath[MAX_PATH];
+  if (!::GetVolumePathNameW(binDirPath.get(), volPath, MAX_PATH)) {
+    return;
+  }
+
+  if (::GetDriveTypeW(volPath) != DRIVE_REMOTE) {
+    return;
+  }
+
+  // Convert network share path to format for sandbox policy.
+  if (Substring(binDirPath, 0, 2).Equals(L"\\\\")) {
+    binDirPath.InsertLiteral(L"??\\UNC", 1);
+  }
+
+  binDirPath.AppendLiteral(L"\\*");
+
+  aAllowedFilesRead.push_back(binDirPath.get());
+}
 #endif
 
 bool
@@ -910,6 +951,7 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
         mSandboxBroker.SetSecurityLevelForContentProcess(mSandboxLevel);
         cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
         shouldSandboxCurrentProcess = true;
+        AddContentSandboxAllowedFiles(mSandboxLevel, mAllowedFilesRead);
       }
 #endif // MOZ_CONTENT_SANDBOX
       break;