Bug 1415160: Part 2 - Add mitigations to plugin process if not running from network drive r=bobowen
authorDavid Parks <dparks@mozilla.com>
Thu, 21 Dec 2017 12:36:02 -0800
changeset 403964 9659c9a29139b0b66e1cfdeb26dd7735f4846006
parent 403963 e6fc425cf9b479597aacc8646b1d21b2c529e299
child 403965 e976b6442e9fe73692fb1933d41dd3b43986827d
push id99905
push userapavel@mozilla.com
push dateThu, 15 Feb 2018 16:17:46 +0000
treeherdermozilla-inbound@9659c9a29139 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbobowen
bugs1415160
milestone60.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1415160: Part 2 - Add mitigations to plugin process if not running from network drive r=bobowen Adds MITIGATION_IMAGE_LOAD_NO_REMOTE and MITIGATION_IMAGE_LOAD_NO_LOW_LABEL to the plugin process if we aren't running from a networked drive. The same condition applies to these mitigations in the content process.
security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -777,16 +777,21 @@ SandboxBroker::SetSecurityLevelForPlugin
     sandbox::MITIGATION_SEHOP |
     sandbox::MITIGATION_DEP_NO_ATL_THUNK |
     sandbox::MITIGATION_DEP |
     sandbox::MITIGATION_HARDEN_TOKEN_IL_POLICY |
     sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
     sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
     sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32;
 
+  if (!sRunningFromNetworkDrive) {
+    mitigations |= sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+                   sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL;
+  }
+
   result = mPolicy->SetProcessMitigations(mitigations);
   SANDBOX_ENSURE_SUCCESS(result,
                          "Invalid flags for SetProcessMitigations.");
 
   sandbox::MitigationFlags delayedMitigations =
     sandbox::MITIGATION_DLL_SEARCH_ORDER;
 
   result = mPolicy->SetDelayedProcessMitigations(delayedMitigations);