Bug 1423296: Don't use MITIGATION_IMAGE_LOAD_NO_LOW_LABEL when running from a network drive. r=jimm
author: Bob Owen <bobowencode@gmail.com>
Fri, 08 Dec 2017 19:00:54 +0000
changeset: 395710 3a5a8818db5af9993407439a97bf3c4638fb34fb
parent: 395709 b6f1a44cf6830e2068332794b100c35a6552dcdf
child: 395711 5067390af63cab48cc3f9bc688f662b6b4035504
push id: 98177
push user: bobowencode@gmail.com
push date: Fri, 08 Dec 2017 19:01:19 +0000
reviewers: jimm
bugs: 1423296
milestone: 59.0a1
security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -482,21 +482,22 @@ SandboxBroker::SetSecurityLevelForConten
 
   if (aSandboxLevel > 4) {
     result = mPolicy->SetAlternateDesktop(false);
     MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
                        "Failed to create alternate desktop for sandbox.");
   }
 
   if (aSandboxLevel > 3) {
-    mitigations |= sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL;
     // If we're running from a network drive then we can't block loading from
-    // remote locations.
+    // remote locations. Strangely using MITIGATION_IMAGE_LOAD_NO_LOW_LABEL in
+    // this situation also means the process fails to start (bug 1423296).
     if (!sRunningFromNetworkDrive) {
-      mitigations |= sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE;
+      mitigations |= sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+                     sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL;
     }
   }
 
 
   result = mPolicy->SetProcessMitigations(mitigations);
   MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
                      "Invalid flags for SetProcessMitigations.");