Bug 1127230: Change the NPAPI sandbox prefs to integers to indicate the level of sandboxing. r=bsmedberg

2024-09-13 09:24:08 -07:00 · 2015-01-30 17:48:15 +00:00 · 2015-01-30 17:48:15 +00:00 · bb1da6346b
commit bb1da6346b
parent 6072603124
8 changed files with 31 additions and 35 deletions
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@ -1187,15 +1187,15 @@ pref("browser.tabs.remote.desktopbehavior", true);
 // This will require a restart.
 pref("security.sandbox.windows.log", false);

-// Controls whether the Windows NPAPI plugin process is sandboxed by default.
+// Controls whether and how the Windows NPAPI plugin process is sandboxed.
 // To get a different setting for a particular plugin replace "default", with
 // the plugin's nice file name, see: nsPluginTag::GetNiceFileName.
-pref("dom.ipc.plugins.sandbox.default", false);
-pref("dom.ipc.plugins.sandbox.flash", true);
-
-// This controls whether the Windows NPAPI process sandbox is using a more
-// strict sandboxing policy.  This will require a restart.
-pref("dom.ipc.plugins.moreStrictSandbox", false);
+// On windows these levels are:
+// 0 - no sandbox
+// 1 - sandbox with USER_NON_ADMIN access token level
+// 2 - a more strict sandbox, which might cause functionality issues
+pref("dom.ipc.plugins.sandbox-level.default", 0);
+pref("dom.ipc.plugins.sandbox-level.flash", 1);

 #if defined(MOZ_CONTENT_SANDBOX)
 // This controls whether the Windows content process sandbox is using a more
--- a/dom/plugins/ipc/PluginModuleParent.cpp
+++ b/dom/plugins/ipc/PluginModuleParent.cpp
@ -394,12 +394,12 @@ PluginModuleChromeParent::LoadModule(const char* aFilePath, uint32_t aPluginId,
 {
    PLUGIN_LOG_DEBUG_FUNCTION;

-    bool enableSandbox = false;
+    int32_t sandboxLevel = 0;
 #if defined(XP_WIN) && defined(MOZ_SANDBOX)
-    nsAutoCString sandboxPref("dom.ipc.plugins.sandbox.");
+    nsAutoCString sandboxPref("dom.ipc.plugins.sandbox-level.");
    sandboxPref.Append(aPluginTag->GetNiceFileName());
-    if (NS_FAILED(Preferences::GetBool(sandboxPref.get(), &enableSandbox))) {
-      enableSandbox = Preferences::GetBool("dom.ipc.plugins.sandbox.default");
+    if (NS_FAILED(Preferences::GetInt(sandboxPref.get(), &sandboxLevel))) {
+      sandboxLevel = Preferences::GetInt("dom.ipc.plugins.sandbox-level.default");
    }
 #endif

@ -408,7 +408,7 @@ PluginModuleChromeParent::LoadModule(const char* aFilePath, uint32_t aPluginId,
    parent->mSubprocess->SetCallRunnableImmediately(!parent->mIsStartingAsync);
    TimeStamp launchStart = TimeStamp::Now();
    bool launched = parent->mSubprocess->Launch(Move(onLaunchedRunnable),
-                                                enableSandbox);
+                                                sandboxLevel);
    if (!launched) {
        // We never reached open
        parent->mShutdown = true;
--- a/dom/plugins/ipc/PluginProcessParent.cpp
+++ b/dom/plugins/ipc/PluginProcessParent.cpp
@ -14,10 +14,6 @@
 #include "mozilla/Telemetry.h"
 #include "nsThreadUtils.h"

-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
-#include "mozilla/Preferences.h"
-#endif
-
 using std::vector;
 using std::string;

@ -48,14 +44,12 @@ PluginProcessParent::~PluginProcessParent()

 bool
 PluginProcessParent::Launch(mozilla::UniquePtr<LaunchCompleteTask> aLaunchCompleteTask,
-                            bool aEnableSandbox)
+                            int32_t aSandboxLevel)
 {
 #if defined(XP_WIN) && defined(MOZ_SANDBOX)
-    mEnableNPAPISandbox = aEnableSandbox;
-    mMoreStrictSandbox =
-      Preferences::GetBool("dom.ipc.plugins.moreStrictSandbox");
+    mSandboxLevel = aSandboxLevel;
 #else
-    if (aEnableSandbox) {
+    if (aSandboxLevel != 0) {
        MOZ_ASSERT(false,
                   "Can't enable an NPAPI process sandbox for platform/build.");
    }
--- a/dom/plugins/ipc/PluginProcessParent.h
+++ b/dom/plugins/ipc/PluginProcessParent.h
@ -50,11 +50,11 @@ public:
     *
     * @param aLaunchCompleteTask Task that is executed on the main
     * thread once the asynchonous launch has completed.
-     * @param aEnableSandbox Enables a process sandbox if one is available for
-     * this platform/build. Will assert if true passed and one is not available.
+     * @param aSandboxLevel Determines the strength of the sandbox.
+     * <= 0 means no sandbox.
     */
    bool Launch(UniquePtr<LaunchCompleteTask> aLaunchCompleteTask = UniquePtr<LaunchCompleteTask>(),
-                bool aEnableSandbox = false);
+                int32_t aSandboxLevel = 0);

    void Delete();

--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@ -97,7 +97,7 @@ GeckoChildProcessHost::GeckoChildProcessHost(GeckoProcessType aProcessType,
    mDelegate(nullptr),
 #if defined(MOZ_SANDBOX) && defined(XP_WIN)
    mEnableSandboxLogging(false),
-    mEnableNPAPISandbox(false),
+    mSandboxLevel(0),
    mMoreStrictSandbox(false),
 #endif
    mChildProcessHandle(0)
@ -801,6 +801,10 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt

 #if defined(XP_WIN) && defined(MOZ_SANDBOX)
  bool shouldSandboxCurrentProcess = false;
+
+  // XXX: Bug 1124167: We should get rid of the process specific logic for
+  // sandboxing in this class at some point. Unfortunately it will take a bit
+  // of reorganizing so I don't think this patch is the right time.
  switch (mProcessType) {
    case GeckoProcessType_Content:
 #if defined(MOZ_CONTENT_SANDBOX)
@ -812,9 +816,9 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
 #endif // MOZ_CONTENT_SANDBOX
      break;
    case GeckoProcessType_Plugin:
-      if (mEnableNPAPISandbox &&
+      if (mSandboxLevel > 0 &&
          !PR_GetEnv("MOZ_DISABLE_NPAPI_SANDBOX")) {
-        mSandboxBroker.SetSecurityLevelForPluginProcess(mMoreStrictSandbox);
+        mSandboxBroker.SetSecurityLevelForPluginProcess(mSandboxLevel);
        cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
        shouldSandboxCurrentProcess = true;
      }
--- a/ipc/glue/GeckoChildProcessHost.h
+++ b/ipc/glue/GeckoChildProcessHost.h
@ -172,11 +172,7 @@ protected:
  SandboxBroker mSandboxBroker;
  std::vector<std::wstring> mAllowedFilesRead;
  bool mEnableSandboxLogging;
-
-  // XXX: Bug 1124167: We should get rid of the process specific logic for
-  // sandboxing in this class at some point. Unfortunately it will take a bit
-  // of reorganizing so I don't think this patch is the right time.
-  bool mEnableNPAPISandbox;
+  int32_t mSandboxLevel;
  bool mMoreStrictSandbox;
 #endif
 #endif // XP_WIN
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@ -117,7 +117,7 @@ SandboxBroker::SetSecurityLevelForContentProcess(bool aMoreStrict)
 #endif

 bool
-SandboxBroker::SetSecurityLevelForPluginProcess(bool aMoreStrict)
+SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel)
 {
  if (!mPolicy) {
    return false;
@ -125,7 +125,7 @@ SandboxBroker::SetSecurityLevelForPluginProcess(bool aMoreStrict)

  sandbox::ResultCode result;
  bool ret;
-  if (aMoreStrict) {
+  if (aSandboxLevel >= 2) {
    result = mPolicy->SetJobLevel(sandbox::JOB_UNPROTECTED,
                                     0 /* ui_exceptions */);
    ret = (sandbox::SBOX_ALL_OK == result);
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
@ -13,6 +13,8 @@
 #define SANDBOX_EXPORT __declspec(dllimport)
 #endif

+#include <stdint.h>
+
 namespace sandbox {
  class BrokerServices;
  class TargetPolicy;
@ -34,7 +36,7 @@ public:
 #if defined(MOZ_CONTENT_SANDBOX)
  bool SetSecurityLevelForContentProcess(bool aMoreStrict);
 #endif
-  bool SetSecurityLevelForPluginProcess(bool aMoreStrict);
+  bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel);
  bool SetSecurityLevelForIPDLUnitTestProcess();
  bool SetSecurityLevelForGMPlugin();