Bug 1126402: Add a pref to enable a more strict version of the Windows NPAPI process sandbox. r=bsmedberg, r=bbondy

This commit is contained in:
Bob Owen 2015-01-29 08:13:07 +00:00
parent 5c78397e93
commit 8299a8da28
6 changed files with 57 additions and 16 deletions


@ -1188,6 +1188,10 @@ pref("security.sandbox.windows.log", false);
pref("dom.ipc.plugins.sandbox.default", false);
pref("dom.ipc.plugins.sandbox.flash", true);
// This controls whether the Windows NPAPI process sandbox is using a more
// strict sandboxing policy. This will require a restart.
pref("dom.ipc.plugins.moreStrictSandbox", false);
#if defined(MOZ_CONTENT_SANDBOX)
// This controls whether the Windows content process sandbox is using a more
// strict sandboxing policy. This will require a restart.
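Review bot: The new pref name `dom.ipc.plugins.moreStrictSandbox` does not follow the pattern of its content-process counterpart `security.sandbox.windows.content.moreStrict` (read in GeckoChildProcessHost::PrepareLaunch in this same commit) or of `security.sandbox.windows.log` just above it, so the two "more strict" switches for the same Windows sandbox end up in different pref namespaces; `security.sandbox.windows.plugin.moreStrict` would keep them discoverable together. The comment could also state that the switch has no effect unless the NPAPI sandbox itself is enabled, which is what the `mEnableNPAPISandbox` guard in PerformAsyncLaunchInternal implies, e.g. `// Only has an effect when the NPAPI sandbox is enabled (dom.ipc.plugins.sandbox.*).`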


@ -14,6 +14,10 @@
#include "mozilla/Telemetry.h"
#include "nsThreadUtils.h"
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
#include "mozilla/Preferences.h"
#endif
using std::vector;
using std::string;
@ -48,6 +52,8 @@ PluginProcessParent::Launch(mozilla::UniquePtr<LaunchCompleteTask> aLaunchComple
{
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
mEnableNPAPISandbox = aEnableSandbox;
mMoreStrictSandbox =
Preferences::GetBool("dom.ipc.plugins.moreStrictSandbox");
#else
if (aEnableSandbox) {
MOZ_ASSERT(false,
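Review bot: `mMoreStrictSandbox` is read from the pref here regardless of `aEnableSandbox`, and, going by the comment this commit touches in GeckoChildProcessHost::PrepareLaunch ("We need to get the pref here as the process is launched off main thread"), the read is presumably relied on to happen on the main thread before the off-main-thread launch; nothing in `Launch` checks or documents that. I would either add `MOZ_ASSERT(NS_IsMainThread());` before the `Preferences::GetBool` call (nsThreadUtils.h is already included) or at least a comment such as `// Must be read on the main thread; the launch itself runs off main thread.` Reading the pref only inside the sandbox-enabled path would also make it clear the value is meaningless when the NPAPI sandbox is off. The body of `Launch` continues outside the hunk.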


@ -98,9 +98,7 @@ GeckoChildProcessHost::GeckoChildProcessHost(GeckoProcessType aProcessType,
#if defined(MOZ_SANDBOX) && defined(XP_WIN)
mEnableSandboxLogging(false),
mEnableNPAPISandbox(false),
#if defined(MOZ_CONTENT_SANDBOX)
mMoreStrictContentSandbox(false),
#endif
mMoreStrictSandbox(false),
#endif
mChildProcessHandle(0)
#if defined(MOZ_WIDGET_COCOA)
@ -273,7 +271,7 @@ GeckoChildProcessHost::PrepareLaunch()
#if defined(MOZ_CONTENT_SANDBOX)
// We need to get the pref here as the process is launched off main thread.
if (mProcessType == GeckoProcessType_Content) {
mMoreStrictContentSandbox =
mMoreStrictSandbox =
Preferences::GetBool("security.sandbox.windows.content.moreStrict");
mEnableSandboxLogging =
Preferences::GetBool("security.sandbox.windows.log");
@ -807,7 +805,7 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
case GeckoProcessType_Content:
#if defined(MOZ_CONTENT_SANDBOX)
if (!PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
mSandboxBroker.SetSecurityLevelForContentProcess(mMoreStrictContentSandbox);
mSandboxBroker.SetSecurityLevelForContentProcess(mMoreStrictSandbox);
cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
shouldSandboxCurrentProcess = true;
}
@ -816,7 +814,7 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
case GeckoProcessType_Plugin:
if (mEnableNPAPISandbox &&
!PR_GetEnv("MOZ_DISABLE_NPAPI_SANDBOX")) {
mSandboxBroker.SetSecurityLevelForPluginProcess();
mSandboxBroker.SetSecurityLevelForPluginProcess(mMoreStrictSandbox);
cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
shouldSandboxCurrentProcess = true;
}
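Review bot: The `bool` returned by `SetSecurityLevelForPluginProcess(mMoreStrictSandbox)` is discarded, so if any of the job, token or mitigation calls in the strict policy fails the child is still launched with `-sandbox` under whatever subset of the policy did apply, and nothing records that the sandbox is weaker than the pref asked for; the content-process call two hunks up has the same gap, and this is the moment the strict policy adds several more calls that can fail. At minimum I would keep the result and surface failure, e.g. `if (!mSandboxBroker.SetSecurityLevelForPluginProcess(mMoreStrictSandbox)) { /* warn, or refuse to launch the sandboxed child */ }`. Note also that `mMoreStrictSandbox` is now one member fed from two different prefs (content in `PrepareLaunch`, plugin in `PluginProcessParent::Launch`), which is worth a comment at the member. `PerformAsyncLaunchInternal` continues outside the hunk.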


@ -177,9 +177,7 @@ protected:
// sandboxing in this class at some point. Unfortunately it will take a bit
// of reorganizing so I don't think this patch is the right time.
bool mEnableNPAPISandbox;
#if defined(MOZ_CONTENT_SANDBOX)
bool mMoreStrictContentSandbox;
#endif
bool mMoreStrictSandbox;
#endif
#endif // XP_WIN


@ -117,19 +117,54 @@ SandboxBroker::SetSecurityLevelForContentProcess(bool aMoreStrict)
#endif
bool
SandboxBroker::SetSecurityLevelForPluginProcess()
SandboxBroker::SetSecurityLevelForPluginProcess(bool aMoreStrict)
{
if (!mPolicy) {
return false;
}
auto result = mPolicy->SetJobLevel(sandbox::JOB_NONE,
sandbox::ResultCode result;
bool ret;
if (aMoreStrict) {
result = mPolicy->SetJobLevel(sandbox::JOB_UNPROTECTED,
0 /* ui_exceptions */);
bool ret = (sandbox::SBOX_ALL_OK == result);
ret = (sandbox::SBOX_ALL_OK == result);
result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
sandbox::USER_NON_ADMIN);
ret = ret && (sandbox::SBOX_ALL_OK == result);
result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
sandbox::USER_INTERACTIVE);
ret = ret && (sandbox::SBOX_ALL_OK == result);
sandbox::MitigationFlags mitigations =
sandbox::MITIGATION_BOTTOM_UP_ASLR |
sandbox::MITIGATION_HEAP_TERMINATE |
sandbox::MITIGATION_SEHOP |
sandbox::MITIGATION_DEP_NO_ATL_THUNK |
sandbox::MITIGATION_DEP;
result = mPolicy->SetProcessMitigations(mitigations);
ret = ret && (sandbox::SBOX_ALL_OK == result);
mitigations =
sandbox::MITIGATION_STRICT_HANDLE_CHECKS;
result = mPolicy->SetDelayedProcessMitigations(mitigations);
ret = ret && (sandbox::SBOX_ALL_OK == result);
// The following is required for the Java plugin.
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
sandbox::TargetPolicy::FILES_ALLOW_ANY,
L"\\??\\pipe\\jpi2_pid*_pipe*");
ret = ret && (sandbox::SBOX_ALL_OK == result);
} else {
result = mPolicy->SetJobLevel(sandbox::JOB_NONE,
0 /* ui_exceptions */);
ret = (sandbox::SBOX_ALL_OK == result);
result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
sandbox::USER_NON_ADMIN);
ret = ret && (sandbox::SBOX_ALL_OK == result);
}
result = mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_MEDIUM);
ret = ret && (sandbox::SBOX_ALL_OK == result);
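Review bot: The `AddRule(SUBSYS_FILES, FILES_ALLOW_ANY, L"\\??\\pipe\\jpi2_pid*_pipe*")` exception in the strict branch is granted to every NPAPI process launched under the strict policy, not only to Java, and the wildcard matches any pipe of that naming shape, so the one-line comment undersells its scope; I would expand it to `// Required for the Java plugin (jpi2 pipes). Applies to every strictly sandboxed plugin process, and the wildcard matches any pipe using this naming pattern.` Separately, each policy call's `ResultCode` is folded into the single `ret` and the function keeps applying the remaining calls after one fails, so even a caller that checks the return cannot tell which of the seven calls failed; logging the failing `result` at each `ret = ret && ...` step, or returning early, would make a broken strict policy diagnosable instead of silently weaker. The function body continues past the hunk.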


@ -34,7 +34,7 @@ public:
#if defined(MOZ_CONTENT_SANDBOX)
bool SetSecurityLevelForContentProcess(bool aMoreStrict);
#endif
bool SetSecurityLevelForPluginProcess();
bool SetSecurityLevelForPluginProcess(bool aMoreStrict);
bool SetSecurityLevelForIPDLUnitTestProcess();
bool SetSecurityLevelForGMPlugin();