Bug 1378061: Only set user's SID in USER_LIMITED as deny only when not using restricting SIDs. r=jimm
author: Bob Owen <bobowencode@gmail.com>
date: Wed, 05 Jul 2017 21:00:55 +0100
changeset: 367530 04edb03fb817d692e7e502e86b618febad0c5ba8
parent: 367529 66be3d83bc9b2a871a465a8febbefe7d2469ca88
child: 367531 68b0765559eff69f367bf5b6af98c1f9d1601655
push id: 32137
push user: cbook@mozilla.com
push date: Thu, 06 Jul 2017 09:18:21 +0000
reviewers: jimm
bugs: 1378061
milestone: 56.0a1
security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
@@ -78,17 +78,21 @@ DWORD CreateRestrictedToken(TokenLevel s
       restricted_token.AddRestrictingSidLogonSession();
       break;
     }
     case USER_LIMITED: {
       sid_exceptions.push_back(WinBuiltinUsersSid);
       sid_exceptions.push_back(WinWorldSid);
       sid_exceptions.push_back(WinInteractiveSid);
       privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
-      restricted_token.AddUserSidForDenyOnly();
+      // This breaks web audio, so we don't want to do this in the restricting
+      // SIDs (normal) case. See bug 1378061.
+      if (!gUseRestricting) {
+        restricted_token.AddUserSidForDenyOnly();
+      }
       restricted_token.AddRestrictingSid(WinBuiltinUsersSid);
       restricted_token.AddRestrictingSid(WinWorldSid);
       restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
 
       // This token has to be able to create objects in BNO.
       // Unfortunately, on Vista+, it needs the current logon sid
       // in the token to achieve this. You should also set the process to be
       // low integrity level so it can't access object created by other
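Review bot: The comment on the new `if (!gUseRestricting)` guard says what breaks (web audio) but not the security trade-off it introduces. In the restricting-SIDs case the user's SID is no longer marked deny-only, so it remains a normal allow SID in the USER_LIMITED token; a Windows restricted token then grants access when both the primary SID list and the restricting list pass the ACL check, so the restricting SIDs added just below (`WinBuiltinUsersSid`, `WinWorldSid`, `WinRestrictedCodeSid`) become the control that bounds what the user SID can reach. Suggest stating that in the comment, e.g. `// With restricting SIDs the restricting list still bounds access via the user SID.`, so a future reader does not read the guard as simply dropping a restriction. The hunk also does not show where `gUseRestricting` is declared or how it is set; a pointer to that definition would help, and the USER_LIMITED documentation should note that its deny-only treatment of the user SID now differs between the restricting and non-restricting configurations.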