Bug 1219369: In Windows debug builds allow write access to TEMP for logging purposes. r=tabraldes
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -48,16 +48,31 @@ SandboxBroker::LaunchApp(const wchar_t *
mPolicy->SetStdoutHandle(::GetStdHandle(STD_OUTPUT_HANDLE));
mPolicy->SetStderrHandle(::GetStdHandle(STD_ERROR_HANDLE));
// If logging enabled, set up the policy.
if (aEnableLogging) {
mozilla::sandboxing::ApplyLoggingPolicy(*mPolicy);
}
+#if defined(DEBUG)
+ // Allow write access to TEMP directory in debug builds for logging purposes.
+ // The path from GetTempPathW can have a length up to MAX_PATH + 1, including
+ // the null, so we need MAX_PATH + 2, so we can add an * to the end.
+ wchar_t tempPath[MAX_PATH + 2];
+ uint32_t pathLen = ::GetTempPathW(MAX_PATH + 1, tempPath);
+ if (pathLen > 0) {
+ // GetTempPath path ends with \ and returns the length without the null.
+ tempPath[pathLen] = L'*';
+ tempPath[pathLen + 1] = L'\0';
+ mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+ sandbox::TargetPolicy::FILES_ALLOW_ANY, tempPath);
+ }
+#endif
+
// Ceate the sandboxed process
PROCESS_INFORMATION targetInfo = {0};
sandbox::ResultCode result;
result = sBrokerService->SpawnTarget(aPath, aArguments, mPolicy, &targetInfo);
if (sandbox::SBOX_ALL_OK != result) {
return false;
}
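Review bot: The `if (pathLen > 0)` guard ahead of `tempPath[pathLen] = L'*'` has no upper bound, and GetTempPathW returns the required buffer size (a value larger than the size passed in) when the path does not fit, so in that case the two stores could index past the end of `tempPath` while its contents are unspecified. Tightening the check to `if (pathLen > 0 && pathLen <= MAX_PATH) {` keeps both writes inside the `MAX_PATH + 2` array. The result of `mPolicy->AddRule(...)` is also discarded, so a rule that fails to apply goes unnoticed. `FILES_ALLOW_ANY` on `TEMP\*` appears to grant any kind of file access rather than only the write access the comment describes, so a comment such as `// Debug-only: opens all of TEMP to the sandboxed process; must not be enabled in release builds.` would make the scope explicit. LaunchApp begins and ends outside this hunk.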