Bug 928044 Part 2: Enable the content sandbox by default on Windows with an open policy. r=tabraldes,glandium,jimm

--HG--
rename : security/sandbox/win/src/warnonlysandbox/wosCallbacks.h => security/sandbox/win/src/logging/loggingCallbacks.h
rename : security/sandbox/win/src/warnonlysandbox/wosTypes.h => security/sandbox/win/src/logging/loggingTypes.h
rename : security/sandbox/win/src/warnonlysandbox/warnOnlySandbox.cpp => security/sandbox/win/src/logging/sandboxLogging.cpp
rename : security/sandbox/win/src/warnonlysandbox/warnOnlySandbox.h => security/sandbox/win/src/logging/sandboxLogging.h

browser/app/profile/firefox.js

@@ -1203,20 +1203,25 @@ pref("dom.ipc.plugins.enabled", true);
 pref("browser.tabs.remote.autostart", false);
 pref("browser.tabs.remote.desktopbehavior", true);
 
-#if defined(MOZ_CONTENT_SANDBOX) && defined(XP_WIN)
-// This controls whether the content process on Windows is sandboxed.
-// You also need to be using remote tabs, see above.
-// on = full sandbox enabled
-// warn = warn only sandbox enabled
-// anything else = sandbox disabled
-// This will probably require a restart.
-pref("browser.tabs.remote.sandbox", "off");
+#if defined(XP_WIN) && defined(MOZ_SANDBOX)
+// When this pref is true the Windows process sandbox will set up dummy
+// interceptions and log to the browser console when calls fail in the sandboxed
+// process and also if they are subsequently allowed by the broker process.
+// This will require a restart.
+pref("security.sandbox.windows.log", false);
+
+#if defined(MOZ_CONTENT_SANDBOX)
+// This controls whether the Windows content process sandbox is using a more
+// strict sandboxing policy.  This will require a restart.
+pref("security.sandbox.windows.content.moreStrict", false);
 
 #if defined(MOZ_STACKWALKING)
-// This controls the depth of stack trace that is logged when the warn only
-// sandbox reports that a resource access request has been blocked.
-// This does not require a restart to take effect.
-pref("browser.tabs.remote.sandbox.warnOnlyStackTraceDepth", 0);
+// This controls the depth of stack trace that is logged when Windows sandbox
+// logging is turned on.  This is only currently available for the content
+// process because the only other sandbox (for GMP) has too strict a policy to
+// allow stack tracing.  This does not require a restart to take effect.
+pref("security.sandbox.windows.log.stackTraceDepth", 0);
+#endif
 #endif
 #endif
 

configure.in

@@ -6576,20 +6576,24 @@ if test -n "$gonkdir"; then
 fi
 
 case "$OS_TARGET:$NIGHTLY_BUILD" in
-WINNT:1)
+WINNT:*)
     MOZ_CONTENT_SANDBOX=$MOZ_SANDBOX
     ;;
 Darwin:1)
     MOZ_CONTENT_SANDBOX=$MOZ_SANDBOX
     ;;
-*)
-    MOZ_ARG_ENABLE_BOOL(content-sandbox,
-    [  --enable-content-sandbox        Enable sandboxing support for content-processes],
-        MOZ_CONTENT_SANDBOX=1,
-        MOZ_CONTENT_SANDBOX=)
-    ;;
 esac
 
+MOZ_ARG_ENABLE_BOOL(content-sandbox,
+[  --enable-content-sandbox Enable sandboxing support for content-processes
+  --disable-content-sandbox Disable sandboxing support for content-processes],
+    MOZ_CONTENT_SANDBOX=1,
+    MOZ_CONTENT_SANDBOX=)
+
+if test -n "$MOZ_CONTENT_SANDBOX" -a -z "$MOZ_SANDBOX"; then
+    AC_MSG_ERROR([--enable-content-sandbox and --disable-sandbox are conflicting options])
+fi
+
 if test -n "$MOZ_CONTENT_SANDBOX"; then
     AC_DEFINE(MOZ_CONTENT_SANDBOX)
 fi

dom/ipc/ContentChild.cpp

@@ -1035,6 +1035,11 @@ SetUpSandboxEnvironment()
 void
 ContentChild::CleanUpSandboxEnvironment()
 {
+    // Sandbox environment is only currently set up with the more strict sandbox.
+    if (!Preferences::GetBool("security.sandbox.windows.content.moreStrict")) {
+        return;
+    }
+
     nsresult rv;
     nsCOMPtr<nsIProperties> directoryService =
         do_GetService(NS_DIRECTORY_SERVICE_CONTRACTID, &rv);
@@ -1144,11 +1149,8 @@ ContentChild::RecvSetProcessSandbox()
 #endif
     SetContentProcessSandbox();
 #elif defined(XP_WIN)
-    nsAdoptingString contentSandboxPref =
-        Preferences::GetString("browser.tabs.remote.sandbox");
-    if (contentSandboxPref.EqualsLiteral("on")
-        || contentSandboxPref.EqualsLiteral("warn")) {
-        mozilla::SandboxTarget::Instance()->StartSandbox();
+    mozilla::SandboxTarget::Instance()->StartSandbox();
+    if (Preferences::GetBool("security.sandbox.windows.content.moreStrict")) {
         SetUpSandboxEnvironment();
     }
 #elif defined(XP_MACOSX)

ipc/contentproc/plugin-container.cpp

@@ -29,10 +29,7 @@
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "mozilla/sandboxTarget.h"
-
-#if defined(MOZ_CONTENT_SANDBOX)
-#include "mozilla/warnonlysandbox/wosCallbacks.h"
-#endif
+#include "mozilla/sandboxing/loggingCallbacks.h"
 #endif
 
 #if defined(XP_LINUX) && defined(MOZ_GMP_SANDBOX)
@@ -198,9 +195,7 @@ content_process_main(int argc, char* argv[])
         }
         mozilla::SandboxTarget::Instance()->SetStartSandboxCallback(StartSandboxCallback);
 
-#if defined(MOZ_CONTENT_SANDBOX)
-        mozilla::warnonlysandbox::PrepareForInit();
-#endif
+        mozilla::sandboxing::PrepareForLogging();
     }
 #endif
 #endif

ipc/glue/GeckoChildProcessHost.cpp

@@ -35,9 +35,9 @@
 #include "nsIWinTaskbar.h"
 #define NS_TASKBAR_CONTRACTID "@mozilla.org/windows-taskbar;1"
 
-#if defined(MOZ_CONTENT_SANDBOX)
+#if defined(MOZ_SANDBOX)
 #include "mozilla/Preferences.h"
-#include "mozilla/warnonlysandbox/warnOnlySandbox.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 #endif
 #endif
 
@@ -95,9 +95,11 @@ GeckoChildProcessHost::GeckoChildProcessHost(GeckoProcessType aProcessType,
     mMonitor("mozilla.ipc.GeckChildProcessHost.mMonitor"),
     mProcessState(CREATING_CHANNEL),
     mDelegate(nullptr),
-#if defined(MOZ_CONTENT_SANDBOX) && defined(XP_WIN)
-    mEnableContentSandbox(false),
-    mWarnOnlyContentSandbox(false),
+#if defined(MOZ_SANDBOX) && defined(XP_WIN)
+    mEnableSandboxLogging(false),
+#if defined(MOZ_CONTENT_SANDBOX)
+    mMoreStrictContentSandbox(false),
+#endif
 #endif
     mChildProcessHandle(0)
 #if defined(MOZ_WIDGET_COCOA)
@@ -270,16 +272,20 @@ GeckoChildProcessHost::PrepareLaunch()
 #if defined(MOZ_CONTENT_SANDBOX)
   // We need to get the pref here as the process is launched off main thread.
   if (mProcessType == GeckoProcessType_Content) {
-    nsAdoptingString contentSandboxPref =
-      Preferences::GetString("browser.tabs.remote.sandbox");
-    if (contentSandboxPref.EqualsLiteral("on")) {
-      mEnableContentSandbox = true;
-    } else if (contentSandboxPref.EqualsLiteral("warn")) {
-      mEnableContentSandbox = true;
-      mWarnOnlyContentSandbox = true;
-    }
+    mMoreStrictContentSandbox =
+      Preferences::GetBool("security.sandbox.windows.content.moreStrict");
+    mEnableSandboxLogging =
+      Preferences::GetBool("security.sandbox.windows.log");
   }
 #endif
+
+#if defined(MOZ_SANDBOX)
+  // For other process types we can't rely on them being launched on main
+  // thread and they may not have access to prefs in the child process, so allow
+  // them to turn on logging via an environment variable.
+  mEnableSandboxLogging = mEnableSandboxLogging
+                          || !!PR_GetEnv("MOZ_WIN_SANDBOX_LOGGING");
+#endif
 #endif
 }
 
@@ -790,11 +796,8 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
   switch (mProcessType) {
     case GeckoProcessType_Content:
 #if defined(MOZ_CONTENT_SANDBOX)
-      if (!mEnableContentSandbox) {
-        break;
-      }
       if (!PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
-        mSandboxBroker.SetSecurityLevelForContentProcess(mWarnOnlyContentSandbox);
+        mSandboxBroker.SetSecurityLevelForContentProcess(mMoreStrictContentSandbox);
         cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
         shouldSandboxCurrentProcess = true;
       }
@@ -864,6 +867,7 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
   if (shouldSandboxCurrentProcess) {
     mSandboxBroker.LaunchApp(cmdLine.program().c_str(),
                              cmdLine.command_line_string().c_str(),
+                             mEnableSandboxLogging,
                              &process);
   } else
 #endif

ipc/glue/GeckoChildProcessHost.h

@@ -168,10 +168,9 @@ protected:
 #ifdef MOZ_SANDBOX
   SandboxBroker mSandboxBroker;
   std::vector<std::wstring> mAllowedFilesRead;
-
+  bool mEnableSandboxLogging;
 #if defined(MOZ_CONTENT_SANDBOX)
-  bool mEnableContentSandbox;
-  bool mWarnOnlyContentSandbox;
+  bool mMoreStrictContentSandbox;
 #endif
 #endif
 #endif // XP_WIN

security/sandbox/moz.build

@@ -18,12 +18,11 @@ elif CONFIG['OS_ARCH'] == 'WINNT':
         'win/src/sandboxtarget',
     ]
 
-    if CONFIG['MOZ_CONTENT_SANDBOX']:
-        EXPORTS.mozilla.warnonlysandbox += [
-            'win/src/warnonlysandbox/warnOnlySandbox.h',
-            'win/src/warnonlysandbox/wosCallbacks.h',
-            'win/src/warnonlysandbox/wosTypes.h',
-        ]
+    EXPORTS.mozilla.sandboxing += [
+        'win/src/logging/loggingCallbacks.h',
+        'win/src/logging/loggingTypes.h',
+        'win/src/logging/sandboxLogging.h',
+    ]
 
     include('objs.mozbuild')
     SOURCES += security_sandbox_cppsrcs

security/sandbox/objs.mozbuild

@@ -60,6 +60,7 @@ if CONFIG['OS_ARCH'] == 'WINNT':
         'win/src/interception.cc',
         'win/src/interception_agent.cc',
         'win/src/job.cc',
+        'win/src/logging/sandboxLogging.cpp',
         'win/src/named_pipe_dispatcher.cc',
         'win/src/named_pipe_interception.cc',
         'win/src/named_pipe_policy.cc',
@@ -102,11 +103,6 @@ if CONFIG['OS_ARCH'] == 'WINNT':
         'win/src/window.cc',
     ]
 
-    if CONFIG['MOZ_CONTENT_SANDBOX']:
-        security_sandbox_lcppsrcs += [
-            'win/src/warnonlysandbox/warnOnlySandbox.cpp',
-        ]
-
     if CONFIG['CPU_ARCH'] == 'x86_64':
         security_sandbox_lcppsrcs += [
             'win/src/interceptors_64.cc',

security/sandbox/win/src/logging/loggingCallbacks.h

@@ -4,11 +4,11 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#ifndef security_sandbox_wosEnableCallbacks_h__
-#define security_sandbox_wosEnableCallbacks_h__
+#ifndef security_sandbox_loggingCallbacks_h__
+#define security_sandbox_loggingCallbacks_h__
 
-#include "mozilla/warnonlysandbox/wosTypes.h"
-#include "mozilla/warnonlysandbox/warnOnlySandbox.h"
+#include "mozilla/sandboxing/loggingTypes.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 #ifdef TARGET_SANDBOX_EXPORTS
 #include <sstream>
@@ -27,20 +27,20 @@
 #endif
 
 namespace mozilla {
-namespace warnonlysandbox {
+namespace sandboxing {
 
 // We need to use a callback to work around the fact that sandbox_s lib is
 // linked into plugin-container.exe directly and also via xul.dll via
 // sandboxbroker.dll. This causes problems with holding the state required to
-// work the warn only sandbox.
+// implement sandbox logging.
 // So, we provide a callback from plugin-container.exe that the code in xul.dll
 // can call to make sure we hit the right version of the code.
 void TARGET_SANDBOX_EXPORT
 SetProvideLogFunctionCb(ProvideLogFunctionCb aProvideLogFunctionCb);
 
-// Initialize the warn only sandbox if required.
+// Provide a call back so a pointer to a logging function can be passed later.
 static void
-PrepareForInit()
+PrepareForLogging()
 {
   SetProvideLogFunctionCb(ProvideLogFunction);
 }
@@ -67,7 +67,7 @@ StackFrameToOStringStream(uint32_t aFrameNumber, void* aPC, void* aSP,
   char buf[1024];
   NS_DescribeCodeAddress(aPC, &details);
   NS_FormatCodeAddressDetails(buf, sizeof(buf), aFrameNumber, aPC, &details);
-  *stream << "--" << buf << '\n';
+  *stream << std::endl << "--" << buf;
   stream->flush();
 }
 #endif
@@ -85,12 +85,11 @@ Log(const char* aMessageType,
   if (aContext) {
     msgStream << " for : " << aContext;
   }
-  msgStream << std::endl;
 
 #ifdef MOZ_STACKWALKING
   if (aShouldLogStackTrace) {
     if (sStackTraceDepth) {
-      msgStream << "Stack Trace:" << std::endl;
+      msgStream << std::endl << "Stack Trace:";
       NS_StackWalk(StackFrameToOStringStream, aFramesToSkip, sStackTraceDepth,
                    &msgStream, 0, nullptr);
     }
@@ -98,29 +97,39 @@ Log(const char* aMessageType,
 #endif
 
   std::string msg = msgStream.str();
-#ifdef DEBUG
-  std::cerr << msg;
+#if defined(DEBUG)
+  // Use NS_DebugBreak directly as we want child process prefix, but not source
+  // file or line number.
+  NS_DebugBreak(NS_DEBUG_WARNING, nullptr, msg.c_str(), nullptr, -1);
 #endif
 
   nsContentUtils::LogMessageToConsole(msg.c_str());
 }
 
-// Initialize the warn only sandbox if required.
+// Initialize sandbox logging if required.
 static void
-InitIfRequired()
+InitLoggingIfRequired()
 {
-  if (XRE_GetProcessType() == GeckoProcessType_Content
-      && Preferences::GetString("browser.tabs.remote.sandbox").EqualsLiteral("warn")
-      && sProvideLogFunctionCb) {
-#ifdef MOZ_STACKWALKING
-    Preferences::AddUintVarCache(&sStackTraceDepth,
-      "browser.tabs.remote.sandbox.warnOnlyStackTraceDepth");
-#endif
+  if (!sProvideLogFunctionCb) {
+    return;
+  }
+
+  if (Preferences::GetBool("security.sandbox.windows.log") ||
+      PR_GetEnv("MOZ_WIN_SANDBOX_LOGGING")) {
     sProvideLogFunctionCb(Log);
+
+#if defined(MOZ_CONTENT_SANDBOX) && defined(MOZ_STACKWALKING)
+    // We can only log the stack trace on process types where we know that the
+    // sandbox won't prevent it.
+    if (XRE_GetProcessType() == GeckoProcessType_Content) {
+      Preferences::AddUintVarCache(&sStackTraceDepth,
+        "security.sandbox.windows.log.stackTraceDepth");
+    }
+#endif
   }
 }
 #endif
-} // warnonlysandbox
+} // sandboxing
 } // mozilla
 
-#endif // security_sandbox_wosEnableCallbacks_h__
+#endif // security_sandbox_loggingCallbacks_h__

security/sandbox/win/src/logging/loggingTypes.h

@@ -4,13 +4,13 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#ifndef security_sandbox_wosTypes_h__
-#define security_sandbox_wosTypes_h__
+#ifndef security_sandbox_loggingTypes_h__
+#define security_sandbox_loggingTypes_h__
 
 #include <stdint.h>
 
 namespace mozilla {
-namespace warnonlysandbox {
+namespace sandboxing {
 
 // We are using callbacks here that are passed in from the core code to prevent
 // a circular dependency in the linking during the build.
@@ -21,7 +21,7 @@ typedef void (*LogFunction) (const char* aMessageType,
                              uint32_t aFramesToSkip);
 typedef void (*ProvideLogFunctionCb) (LogFunction aLogFunction);
 
-} // warnonlysandbox
+} // sandboxing
 } // mozilla
 
-#endif // security_sandbox_wosTypes_h__
+#endif // security_sandbox_loggingTypes_h__

security/sandbox/win/src/logging/sandboxLogging.cpp

@@ -4,56 +4,32 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#include "warnOnlySandbox.h"
+#include "sandboxLogging.h"
 
 #include "base/strings/utf_string_conversions.h"
 #include "sandbox/win/src/sandbox_policy.h"
 
 namespace mozilla {
-namespace warnonlysandbox {
+namespace sandboxing {
 
 void
-ApplyWarnOnlyPolicy(sandbox::TargetPolicy& aPolicy)
+ApplyLoggingPolicy(sandbox::TargetPolicy& aPolicy)
 {
-  // Add rules to allow everything that we can, so that we can add logging to
-  // warn when we would be blocked by the sandbox.
-  aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
-                  sandbox::TargetPolicy::FILES_ALLOW_ANY, L"*");
+  // Add dummy rules, so that we can log in the interception code.
+  // We already have a file interception set up for the client side of pipes.
+  // Also, passing just "dummy" for file system policy causes win_utils.cc
+  // IsReparsePoint() to loop.
   aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
-                  sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, L"*");
+                  sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, L"dummy");
   aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_PROCESS,
-                  sandbox::TargetPolicy::PROCESS_ALL_EXEC, L"*");
+                  sandbox::TargetPolicy::PROCESS_MIN_EXEC, L"dummy");
   aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
-                  sandbox::TargetPolicy::REG_ALLOW_ANY,
-                  L"HKEY_CLASSES_ROOT\\*");
-  aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
-                  sandbox::TargetPolicy::REG_ALLOW_ANY,
-                  L"HKEY_CURRENT_USER\\*");
-  aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
-                  sandbox::TargetPolicy::REG_ALLOW_ANY,
-                  L"HKEY_LOCAL_MACHINE\\*");
-  aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
-                  sandbox::TargetPolicy::REG_ALLOW_ANY,
-                  L"HKEY_USERS\\*");
-  aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
-                  sandbox::TargetPolicy::REG_ALLOW_ANY,
-                  L"HKEY_PERFORMANCE_DATA\\*");
-  aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
-                  sandbox::TargetPolicy::REG_ALLOW_ANY,
-                  L"HKEY_PERFORMANCE_TEXT\\*");
-  aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
-                  sandbox::TargetPolicy::REG_ALLOW_ANY,
-                  L"HKEY_PERFORMANCE_NLSTEXT\\*");
-  aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
-                  sandbox::TargetPolicy::REG_ALLOW_ANY,
-                  L"HKEY_CURRENT_CONFIG\\*");
-  aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
-                  sandbox::TargetPolicy::REG_ALLOW_ANY,
-                  L"HKEY_DYN_DATA\\*");
+                  sandbox::TargetPolicy::REG_ALLOW_READONLY,
+                  L"HKEY_CURRENT_USER\\dummy");
   aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_SYNC,
-                  sandbox::TargetPolicy::EVENTS_ALLOW_ANY, L"*");
+                  sandbox::TargetPolicy::EVENTS_ALLOW_READONLY, L"dummy");
   aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
-                  sandbox::TargetPolicy::HANDLES_DUP_ANY, L"*");
+                  sandbox::TargetPolicy::HANDLES_DUP_BROKER, L"dummy");
 }
 
 static LogFunction sLogFunction = nullptr;
@@ -122,5 +98,5 @@ LogAllowed(const char* aFunctionName, const wchar_t* aContext,
   }
 }
 
-} // warnonlysandbox
+} // sandboxing
 } // mozilla

security/sandbox/win/src/logging/sandboxLogging.h

@@ -5,15 +5,13 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
- * Set of helper methods to implement a warn only sandbox.
- * Only providing simple namespaced functions as this code will probably be
- * removed once we are properly shipping the content sandbox.
+ * Set of helper methods to implement logging for Windows sandbox.
  */
 
-#ifndef security_sandbox_warnOnlySandbox_h__
-#define security_sandbox_warnOnlySandbox_h__
+#ifndef security_sandbox_sandboxLogging_h__
+#define security_sandbox_sandboxLogging_h__
 
-#include "wosTypes.h"
+#include "loggingTypes.h"
 
 #ifdef SANDBOX_EXPORTS
 #define SANDBOX_EXPORT __declspec(dllexport)
@@ -26,14 +24,14 @@ class TargetPolicy;
 }
 
 namespace mozilla {
-namespace warnonlysandbox {
+namespace sandboxing {
 
 // This is used to pass a LogCallback to the sandboxing code, as the logging
 // requires code to which we cannot link directly.
 void SANDBOX_EXPORT ProvideLogFunction(LogFunction aLogFunction);
 
-// Set up the sandbox to allow everything via the broker, so we can log calls.
-void ApplyWarnOnlyPolicy(sandbox::TargetPolicy& aPolicy);
+// Set up dummy interceptions via the broker, so we can log calls.
+void ApplyLoggingPolicy(sandbox::TargetPolicy& aPolicy);
 
 // Log a "BLOCKED" msg to the browser console and, if DEBUG build, stderr.
 // If the logging of a stack trace is enabled then the default aFramesToSkip
@@ -56,7 +54,7 @@ void LogAllowed(const char* aFunctionName, const wchar_t* aContext,
                 uint16_t aLength);
 
 
-} // warnonlysandbox
+} // sandboxing
 } // mozilla
 
-#endif // security_sandbox_warnOnlySandbox_h__
+#endif // security_sandbox_sandboxLogging_h__

security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp

@@ -8,9 +8,7 @@
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/security_level.h"
-#if defined(MOZ_CONTENT_SANDBOX)
-#include "mozilla/warnonlysandbox/warnOnlySandbox.h"
-#endif
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace mozilla
 {
@@ -37,6 +35,7 @@ SandboxBroker::SandboxBroker()
 bool
 SandboxBroker::LaunchApp(const wchar_t *aPath,
                          const wchar_t *aArguments,
+                         const bool aEnableLogging,
                          void **aProcessHandle)
 {
   if (!sBrokerService || !mPolicy) {
@@ -47,6 +46,11 @@ SandboxBroker::LaunchApp(const wchar_t *aPath,
   mPolicy->SetStdoutHandle(::GetStdHandle(STD_OUTPUT_HANDLE));
   mPolicy->SetStderrHandle(::GetStdHandle(STD_ERROR_HANDLE));
 
+  // If logging enabled, set up the policy.
+  if (aEnableLogging) {
+    mozilla::sandboxing::ApplyLoggingPolicy(*mPolicy);
+  }
+
   // Ceate the sandboxed process
   PROCESS_INFORMATION targetInfo;
   sandbox::ResultCode result;
@@ -65,26 +69,40 @@ SandboxBroker::LaunchApp(const wchar_t *aPath,
 
 #if defined(MOZ_CONTENT_SANDBOX)
 bool
-SandboxBroker::SetSecurityLevelForContentProcess(bool inWarnOnlyMode)
+SandboxBroker::SetSecurityLevelForContentProcess(bool aMoreStrict)
 {
   if (!mPolicy) {
     return false;
   }
 
-  auto result = mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
-  bool ret = (sandbox::SBOX_ALL_OK == result);
+  sandbox::ResultCode result;
+  bool ret;
+  if (aMoreStrict) {
+    result = mPolicy->SetJobLevel(sandbox::JOB_INTERACTIVE, 0);
+    ret = (sandbox::SBOX_ALL_OK == result);
 
-  result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
-                                  sandbox::USER_RESTRICTED_SAME_ACCESS);
-  ret = ret && (sandbox::SBOX_ALL_OK == result);
+    result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
+                                    sandbox::USER_INTERACTIVE);
+    ret = ret && (sandbox::SBOX_ALL_OK == result);
 
-  // If the delayed integrity level is changed then SetUpSandboxEnvironment and
-  // CleanUpSandboxEnvironment in ContentChild should be changed or removed.
-  result = mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
-  ret = ret && (sandbox::SBOX_ALL_OK == result);
+    // If the delayed integrity level is lowered then SetUpSandboxEnvironment and
+    // CleanUpSandboxEnvironment in ContentChild should be changed or removed.
+    result = mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
+    ret = ret && (sandbox::SBOX_ALL_OK == result);
 
-  result = mPolicy->SetAlternateDesktop(true);
-  ret = ret && (sandbox::SBOX_ALL_OK == result);
+    result = mPolicy->SetAlternateDesktop(true);
+    ret = ret && (sandbox::SBOX_ALL_OK == result);
+  } else {
+    result = mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
+    bool ret = (sandbox::SBOX_ALL_OK == result);
+
+    result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
+                                    sandbox::USER_RESTRICTED_SAME_ACCESS);
+    ret = ret && (sandbox::SBOX_ALL_OK == result);
+
+    result = mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_MEDIUM);
+    ret = ret && (sandbox::SBOX_ALL_OK == result);
+  }
 
   // Add the policy for the client side of a pipe. It is just a file
   // in the \pipe\ namespace. We restrict it to pipes that start with
@@ -94,9 +112,6 @@ SandboxBroker::SetSecurityLevelForContentProcess(bool inWarnOnlyMode)
                             L"\\??\\pipe\\chrome.*");
   ret = ret && (sandbox::SBOX_ALL_OK == result);
 
-  if (inWarnOnlyMode) {
-    mozilla::warnonlysandbox::ApplyWarnOnlyPolicy(*mPolicy);
-  }
   return ret;
 }
 #endif

security/sandbox/win/src/sandboxbroker/sandboxBroker.h

@@ -26,12 +26,13 @@ public:
   SandboxBroker();
   bool LaunchApp(const wchar_t *aPath,
                  const wchar_t *aArguments,
+                 const bool aEnableLogging,
                  void **aProcessHandle);
   virtual ~SandboxBroker();
 
   // Security levels for different types of processes
 #if defined(MOZ_CONTENT_SANDBOX)
-  bool SetSecurityLevelForContentProcess(bool inWarnOnlyMode);
+  bool SetSecurityLevelForContentProcess(bool aMoreStrict);
 #endif
   bool SetSecurityLevelForPluginProcess();
   bool SetSecurityLevelForIPDLUnitTestProcess();

toolkit/xre/nsEmbedFunctions.cpp

@@ -75,9 +75,9 @@
 
 #include "GeckoProfiler.h"
 
-#if defined(MOZ_CONTENT_SANDBOX) && defined(XP_WIN)
+#if defined(MOZ_SANDBOX) && defined(XP_WIN)
 #define TARGET_SANDBOX_EXPORTS
-#include "mozilla/warnonlysandbox/wosCallbacks.h"
+#include "mozilla/sandboxing/loggingCallbacks.h"
 #endif
 
 #ifdef MOZ_IPDL_TESTS
@@ -558,10 +558,10 @@ XRE_InitChildProcess(int aArgc,
         return NS_ERROR_FAILURE;
       }
 
-#if defined(MOZ_CONTENT_SANDBOX) && defined(XP_WIN)
+#if defined(MOZ_SANDBOX) && defined(XP_WIN)
       // We need to do this after the process has been initialised, as
-      // InitIfRequired needs access to prefs.
-      mozilla::warnonlysandbox::InitIfRequired();
+      // InitLoggingIfRequired may need access to prefs.
+      mozilla::sandboxing::InitLoggingIfRequired();
 #endif
 
       // Run the UI event loop on the main thread.