Bug 1094667: Use the USER_NON_ADMIN access token by default for the Windows content sandbox. r=tabraldes
author Bob Owen <bobowencode@gmail.com>
Sat, 29 Nov 2014 17:12:18 +0000
changeset 218115 f76fa8396ca825cca0b0a49bc6d0c30ba5b0bb86
parent 218114 0f763c186855905fdd78cc4a0f18cbef9c3c5e04
child 218116 ba93c0eb3cf7061f259bfd4eb420ff81b1350cac
push id 27914
push user philringnalda@gmail.com
push date Sun, 30 Nov 2014 16:31:04 +0000
treeherder mozilla-central@74861ffc991f
reviewers tabraldes
bugs 1094667
milestone 37.0a1
security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -92,17 +92,17 @@ SandboxBroker::SetSecurityLevelForConten
 
     result = mPolicy->SetAlternateDesktop(true);
     ret = ret && (sandbox::SBOX_ALL_OK == result);
   } else {
     result = mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
     bool ret = (sandbox::SBOX_ALL_OK == result);
 
     result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
-                                    sandbox::USER_RESTRICTED_SAME_ACCESS);
+                                    sandbox::USER_NON_ADMIN);
     ret = ret && (sandbox::SBOX_ALL_OK == result);
 
     result = mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_MEDIUM);
     ret = ret && (sandbox::SBOX_ALL_OK == result);
   }
 
   // Add the policy for the client side of a pipe. It is just a file
   // in the \pipe\ namespace. We restrict it to pipes that start with
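Review bot: the changed second argument to SetTokenLevel in the else branch has no comment saying which token it controls or why it differs from the first argument, which stays at USER_RESTRICTED_SAME_ACCESS. Since the commit message makes this the default for the Windows content sandbox, add a short comment above the call naming the role of each argument and the reason USER_NON_ADMIN was chosen for the second one. The same branch still sets JOB_NONE and a delayed INTEGRITY_LEVEL_MEDIUM, so the comment should also say whether the token level is the only setting meant to change at this level, so a later reader does not have to infer that from the bug.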