bug 1027906. Set delayed token level for GMP plugin processes to USER_RESTRICTED. Whitelist certain files and registry keys that are required for EME plugins to successfully load. r=bobowen. r=jesup. r=bent.

Tim Abraldes 2014-08-29 17:34:26 -07:00
parent 86749afbf9
commit 89de880434
5 changed files with 175 additions and 21 deletions


@ -9,6 +9,12 @@
#include "base/string_util.h"
#include "base/process_util.h"
#ifdef XP_WIN
#include <codecvt>
#endif
#include <string>
using std::vector;
using std::string;
@ -43,6 +49,13 @@ GMPProcessParent::Launch(int32_t aTimeoutMs)
{
vector<string> args;
args.push_back(mGMPPath);
#ifdef XP_WIN
std::wstring_convert<std::codecvt_utf8<wchar_t>> converter;
std::wstring wGMPPath = converter.from_bytes(mGMPPath.c_str());
mAllowedFilesRead.push_back(wGMPPath + L"\\*");
#endif
return SyncLaunch(args, aTimeoutMs, base::GetCurrentProcessArchitecture());
}
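Review bot: `std::codecvt_utf8<wchar_t>` converts to UCS-2 when `wchar_t` is 16 bits, as it is on Windows, so a plugin path containing a character outside the BMP would be mis-converted and the `L"\\*"` read rule built from `wGMPPath` would not match the real directory; `std::codecvt_utf8_utf16<wchar_t>` is the converter that emits surrogate pairs. `from_bytes` also throws `std::range_error` on input that is not valid UTF-8, which Launch does not catch, and the code presumes mGMPPath is UTF-8 (plausible, but worth confirming against where it is set). Note also that `mAllowedFilesRead` is declared under `#ifdef MOZ_SANDBOX` in GeckoChildProcessHost.h while this push_back is guarded only by `#ifdef XP_WIN`, so a Windows build without MOZ_SANDBOX would fail to compile; the block should use `#if defined(XP_WIN) && defined(MOZ_SANDBOX)` to match the declaration.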


@ -794,7 +794,16 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
MOZ_CRASH("Bad process type in GeckoChildProcessHost");
break;
};
#endif
if (shouldSandboxCurrentProcess) {
for (auto it = mAllowedFilesRead.begin();
it != mAllowedFilesRead.end();
++it) {
mSandboxBroker.AllowReadFile(it->c_str());
}
}
#endif // XP_WIN
// Add the application directory path (-appdir path)
AddAppDirToCommandLine(cmdLine);
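Review bot: The result of `mSandboxBroker.AllowReadFile(it->c_str())` is discarded, so a rule the policy rejects leaves the child launched without read access to its own plugin directory and with no diagnostic; the same commit rewrites the SetSecurityLevel* methods precisely so that such failures propagate, and this loop should honour that, e.g. `if (!mSandboxBroker.AllowReadFile(it->c_str())) { /* log and treat the launch as failed */ }` (whether PerformAsyncLaunchInternal can return failure here is outside the hunk, so the exact handling needs confirming). As a matter of style the explicit iterator loop can be `for (const auto& path : mAllowedFilesRead)`. It is also not visible from this hunk whether the enclosing `#ifdef` region is under MOZ_SANDBOX, which `mSandboxBroker` and `mAllowedFilesRead` require in the header. PerformAsyncLaunchInternal starts and ends outside this hunk.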


@ -168,6 +168,7 @@ protected:
#ifdef MOZ_SANDBOX
SandboxBroker mSandboxBroker;
std::vector<std::wstring> mAllowedFilesRead;
#endif
#endif // XP_WIN
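Review bot: `mAllowedFilesRead` is added with no comment stating its contract, and the name alone does not say what the strings are or when they are consumed. Suggest `// Wide-char path patterns (sandbox rule syntax; a trailing '*' is used by GMPProcessParent::Launch) that the sandboxed child may open read-only. Read in PerformAsyncLaunchInternal, so entries must be added before launch.` The last clause is inferred from the launch ordering in this commit and should be confirmed.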


@ -67,12 +67,18 @@ SandboxBroker::SetSecurityLevelForContentProcess()
return false;
}
mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
sandbox::USER_RESTRICTED_SAME_ACCESS);
mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
mPolicy->SetAlternateDesktop(true);
return true;
auto result = mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
bool ret = (sandbox::SBOX_ALL_OK == result);
result =
mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
sandbox::USER_RESTRICTED_SAME_ACCESS);
ret = ret && (sandbox::SBOX_ALL_OK == result);
result =
mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
ret = ret && (sandbox::SBOX_ALL_OK == result);
result = mPolicy->SetAlternateDesktop(true);
ret = ret && (sandbox::SBOX_ALL_OK == result);
return ret;
}
bool
@ -82,10 +88,12 @@ SandboxBroker::SetSecurityLevelForPluginProcess()
return false;
}
mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
mPolicy->SetTokenLevel(sandbox::USER_UNPROTECTED,
sandbox::USER_UNPROTECTED);
return true;
auto result = mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
bool ret = (sandbox::SBOX_ALL_OK == result);
result = mPolicy->SetTokenLevel(sandbox::USER_UNPROTECTED,
sandbox::USER_UNPROTECTED);
ret = ret && (sandbox::SBOX_ALL_OK == result);
return ret;
}
bool
@ -95,10 +103,13 @@ SandboxBroker::SetSecurityLevelForIPDLUnitTestProcess()
return false;
}
mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
sandbox::USER_RESTRICTED_SAME_ACCESS);
return true;
auto result = mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
bool ret = (sandbox::SBOX_ALL_OK == result);
result =
mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
sandbox::USER_RESTRICTED_SAME_ACCESS);
ret = ret && (sandbox::SBOX_ALL_OK == result);
return ret;
}
bool
@ -108,14 +119,129 @@ SandboxBroker::SetSecurityLevelForGMPlugin()
return false;
}
mPolicy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0);
mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
sandbox::USER_RESTRICTED_SAME_ACCESS);
mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
mPolicy->SetAlternateDesktop(true);
return true;
auto result = mPolicy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0);
bool ret = (sandbox::SBOX_ALL_OK == result);
result =
mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
sandbox::USER_RESTRICTED);
ret = ret && (sandbox::SBOX_ALL_OK == result);
result = mPolicy->SetAlternateDesktop(true);
ret = ret && (sandbox::SBOX_ALL_OK == result);
// We can't use an alternate desktop/window station AND initially
// set the process to low integrity. Upstream changes have been
// made to allow this and we should uncomment this section once
// we've rolled forward.
// result =
// mPolicy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
// ret = ret && (sandbox::SBOX_ALL_OK == result);
result =
mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
ret = ret && (sandbox::SBOX_ALL_OK == result);
// Add the policy for the client side of a pipe. It is just a file
// in the \pipe\ namespace. We restrict it to pipes that start with
// "chrome." so the sandboxed process cannot connect to system services.
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
sandbox::TargetPolicy::FILES_ALLOW_ANY,
L"\\??\\pipe\\chrome.*");
ret = ret && (sandbox::SBOX_ALL_OK == result);
#ifdef DEBUG
// The plugin process can't create named events, but we'll
// make an exception for the events used in logging. Removing
// this will break EME in debug builds.
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_SYNC,
sandbox::TargetPolicy::EVENTS_ALLOW_ANY,
L"ChromeIPCLog.*");
ret = ret && (sandbox::SBOX_ALL_OK == result);
#endif
// The following rules were added because, during analysis of an EME
// plugin during development, these registry keys were accessed when
// loading the plugin. Commenting out these policy exceptions caused
// plugin loading to fail, so they are necessary for proper functioning
// of at least one EME plugin.
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
sandbox::TargetPolicy::REG_ALLOW_READONLY,
L"HKEY_CURRENT_USER");
ret = ret && (sandbox::SBOX_ALL_OK == result);
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
sandbox::TargetPolicy::REG_ALLOW_READONLY,
L"HKEY_CURRENT_USER\\Control Panel\\Desktop");
ret = ret && (sandbox::SBOX_ALL_OK == result);
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
sandbox::TargetPolicy::REG_ALLOW_READONLY,
L"HKEY_CURRENT_USER\\Control Panel\\Desktop\\LanguageConfiguration");
ret = ret && (sandbox::SBOX_ALL_OK == result);
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
sandbox::TargetPolicy::REG_ALLOW_READONLY,
L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide");
ret = ret && (sandbox::SBOX_ALL_OK == result);
// The following rules were added because, during analysis of an EME
// plugin during development, these registry keys were accessed when
// loading the plugin. Commenting out these policy exceptions did not
// cause anything to break during initial testing, but might cause
// unforeseen issues down the road.
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
sandbox::TargetPolicy::REG_ALLOW_READONLY,
L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MUI\\Settings");
ret = ret && (sandbox::SBOX_ALL_OK == result);
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
sandbox::TargetPolicy::REG_ALLOW_READONLY,
L"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Control Panel\\Desktop");
ret = ret && (sandbox::SBOX_ALL_OK == result);
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
sandbox::TargetPolicy::REG_ALLOW_READONLY,
L"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages");
ret = ret && (sandbox::SBOX_ALL_OK == result);
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
sandbox::TargetPolicy::REG_ALLOW_READONLY,
L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest");
ret = ret && (sandbox::SBOX_ALL_OK == result);
return ret;
}
bool
SandboxBroker::AllowReadFile(wchar_t const *file)
{
auto result =
mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
sandbox::TargetPolicy::FILES_ALLOW_READONLY,
file);
return (sandbox::SBOX_ALL_OK == result);
}
bool
SandboxBroker::AllowReadWriteFile(wchar_t const *file)
{
auto result =
mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
sandbox::TargetPolicy::FILES_ALLOW_ANY,
file);
return (sandbox::SBOX_ALL_OK == result);
}
bool
SandboxBroker::AllowDirectory(wchar_t const *dir)
{
auto result =
mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY,
dir);
return (sandbox::SBOX_ALL_OK == result);
}
SandboxBroker::~SandboxBroker()
{
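Review bot: The three new helpers `AllowReadFile`, `AllowReadWriteFile` and `AllowDirectory` dereference `mPolicy` unconditionally, whereas every SetSecurityLevel* method in this file begins with a guard that returns false (the `return false; }` at the top of each hunk, presumably testing `mPolicy`); a caller that adds a file rule before a policy exists would crash rather than fail, so each helper should open with the same `if (!mPolicy) { return false; }`. In SetSecurityLevelForGMPlugin, the second group of registry rules (MUI\Settings, Policies\...\Control Panel\Desktop, PreferredUILanguages, PreferExternalManifest) is documented as not needed by the plugin under test; from a least-privilege standpoint a sandbox allow-list should carry only rules with a demonstrated need, so either drop that group or mark it with a TODO to re-verify and remove. The signature and initial guard of SetSecurityLevelForGMPlugin lie before the hunk, and `~SandboxBroker()` is cut off at its end.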


@ -35,6 +35,11 @@ public:
bool SetSecurityLevelForIPDLUnitTestProcess();
bool SetSecurityLevelForGMPlugin();
// File system permissions
bool AllowReadFile(wchar_t const *file);
bool AllowReadWriteFile(wchar_t const *file);
bool AllowDirectory(wchar_t const *dir);
private:
static sandbox::BrokerServices *sBrokerService;
sandbox::TargetPolicy *mPolicy;
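Review bot: The three new declarations share only the group comment `// File system permissions`, which leaves the return contract and the difference between the three access levels undocumented at the one place callers read. Suggest a line each, e.g. `// Allow the child to open files matching |file| (sandbox pattern syntax) read-only; returns false if the policy rejected the rule.`, with the read/write and directory variants worded accordingly, since the implementations return true only for `SBOX_ALL_OK`.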