Bug 1284897 - Add mechanism to libsandbox_s to track names of files that have been given special sandbox access permissions (PermissionsService). r=bobowen
☠☠ backed out by 883e0e945f7a ☠ ☠
authorDavid Parks <dparks@mozilla.com>
Fri, 20 Jan 2017 08:27:57 -0800
changeset 344175 0740284125d33ce825023ae66fdf07484f62f0c4
parent 344174 71b9ac06a60a570b6a7ce4560a685f642122a9d4
child 344176 c35afe490583c88e2c6a7041aad3d1451b3e82bc
push id31402
push usercbook@mozilla.com
push dateWed, 22 Feb 2017 13:33:50 +0000
reviewersbobowen
bugs1284897
milestone54.0a1
Bug 1284897 - Add mechanism to libsandbox_s to track names of files that have been given special sandbox access permissions (PermissionsService). r=bobowen Hook this into the browser via the XREAppData. This patch contains only the changes to Chromium source code.
security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
+++ b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
@@ -12,16 +12,18 @@
 #include "sandbox/win/src/interception.h"
 #include "sandbox/win/src/interceptors.h"
 #include "sandbox/win/src/ipc_tags.h"
 #include "sandbox/win/src/policy_broker.h"
 #include "sandbox/win/src/policy_params.h"
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 
+#include "mozilla/sandboxing/permissionsService.h"
+
 namespace sandbox {
 
 FilesystemDispatcher::FilesystemDispatcher(PolicyBase* policy_base)
     : policy_base_(policy_base) {
   static const IPCCall create_params = {
       {IPC_NTCREATEFILE_TAG,
        {WCHAR_TYPE,
         UINT32_TYPE,
@@ -110,16 +112,26 @@ bool FilesystemDispatcher::NtCreateFile(
   params[OpenFile::OPTIONS] = ParamPickerMake(create_options);
   params[OpenFile::BROKER] = ParamPickerMake(broker);
 
   // To evaluate the policy we need to call back to the policy object. We
   // are just middlemen in the operation since is the FileSystemPolicy which
   // knows what to do.
   EvalResult result = policy_base_->EvalPolicy(IPC_NTCREATEFILE_TAG,
                                                params.GetBase());
+
+  // If the policies forbid access (any result other than ASK_BROKER),
+  // then check for user-granted access to file.
+  if (ASK_BROKER != result &&
+      mozilla::sandboxing::PermissionsService::GetInstance()->
+        UserGrantedFileAccess(ipc->client_info->process_id, filename,
+                              desired_access, create_disposition)) {
+    result = ASK_BROKER;
+  }
+
   HANDLE handle;
   ULONG_PTR io_information = 0;
   NTSTATUS nt_status;
   if (!FileSystemPolicy::CreateFileAction(result, *ipc->client_info, *name,
                                           attributes, desired_access,
                                           file_attributes, share_access,
                                           create_disposition, create_options,
                                           &handle, &nt_status,
@@ -157,16 +169,26 @@ bool FilesystemDispatcher::NtOpenFile(IP
   params[OpenFile::OPTIONS] = ParamPickerMake(open_options);
   params[OpenFile::BROKER] = ParamPickerMake(broker);
 
   // To evaluate the policy we need to call back to the policy object. We
   // are just middlemen in the operation since is the FileSystemPolicy which
   // knows what to do.
   EvalResult result = policy_base_->EvalPolicy(IPC_NTOPENFILE_TAG,
                                                params.GetBase());
+
+  // If the policies forbid access (any result other than ASK_BROKER),
+  // then check for user-granted access to file.
+  if (ASK_BROKER != result &&
+      mozilla::sandboxing::PermissionsService::GetInstance()->UserGrantedFileAccess(
+                                    ipc->client_info->process_id, filename,
+                                    desired_access, create_disposition)) {
+    result = ASK_BROKER;
+  }
+
   HANDLE handle;
   ULONG_PTR io_information = 0;
   NTSTATUS nt_status;
   if (!FileSystemPolicy::OpenFileAction(result, *ipc->client_info, *name,
                                         attributes, desired_access,
                                         share_access, open_options, &handle,
                                         &nt_status, &io_information)) {
     ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
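Review bot: The new block after EvalPolicy in NtCreateFile (and its duplicate in the NtOpenFile hunk) rewrites every verdict other than ASK_BROKER to ASK_BROKER when UserGrantedFileAccess() returns true, so a user grant overrides an explicit deny rule, not merely the absence of a matching rule; the comment's "forbid access" understates that, and I would say it plainly: `// A user grant overrides the policy verdict, including an explicit deny, not only a missing rule.` Both `filename` and the process_id taken from ipc->client_info are set up before the hunk (the enclosing functions start outside it), so confirm that `filename` is the same name the policy evaluated rather than the unprocessed `*name` that is handed to CreateFileAction/OpenFileAction, otherwise the grant and the open could refer to different paths. The two inserted blocks are identical apart from line breaking; a small static helper taking the EvalResult, process_id, filename, desired_access and disposition and returning the possibly-upgraded result would keep the two call sites from drifting. The grant check runs in the broker, which is the right side for it; the target-side QueryBroker removal in filesystem_interception.cc appears to be what guarantees the request reaches it.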
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
@@ -65,19 +65,16 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre
     uint32_t broker = FALSE;
     CountedParameterSet<OpenFile> params;
     params[OpenFile::NAME] = ParamPickerMake(name);
     params[OpenFile::ACCESS] = ParamPickerMake(desired_access_uint32);
     params[OpenFile::DISPOSITION] = ParamPickerMake(disposition_uint32);
     params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32);
     params[OpenFile::BROKER] = ParamPickerMake(broker);
 
-    if (!QueryBroker(IPC_NTCREATEFILE_TAG, params.GetBase()))
-      break;
-
     SharedMemIPCClient ipc(memory);
     CrossCallReturn answer = {0};
     // The following call must match in the parameters with
     // FilesystemDispatcher::ProcessNtCreateFile.
     ResultCode code = CrossCall(ipc, IPC_NTCREATEFILE_TAG, name, attributes,
                                 desired_access_uint32, file_attributes, sharing,
                                 disposition, options_uint32, &answer);
     if (SBOX_ALL_OK != code)
@@ -148,19 +145,16 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF
     uint32_t broker = FALSE;
     CountedParameterSet<OpenFile> params;
     params[OpenFile::NAME] = ParamPickerMake(name);
     params[OpenFile::ACCESS] = ParamPickerMake(desired_access_uint32);
     params[OpenFile::DISPOSITION] = ParamPickerMake(disposition_uint32);
     params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32);
     params[OpenFile::BROKER] = ParamPickerMake(broker);
 
-    if (!QueryBroker(IPC_NTOPENFILE_TAG, params.GetBase()))
-      break;
-
     SharedMemIPCClient ipc(memory);
     CrossCallReturn answer = {0};
     ResultCode code = CrossCall(ipc, IPC_NTOPENFILE_TAG, name, attributes,
                                 desired_access_uint32, sharing, options_uint32,
                                 &answer);
     if (SBOX_ALL_OK != code)
       break;