Bug 1366701 Part 2: Roll-up patch to apply remaining mozilla changes to chromium sandbox. r=tabraldes,aklotz,jimm,bobowen
authorBob Owen <bobowencode@gmail.com>
Sat, 29 Nov 2014 17:12:18 +0000
changeset 393418 387f44470903a99137251849adf382b82e66c159
parent 393417 d87028e56a054954aabd4936d787095d79a7babc
child 393419 0df37c7600d1df881266a0c6269ae125cc677428
push id32960
push usertoros@mozilla.com
push dateThu, 23 Nov 2017 22:29:10 +0000
reviewerstabraldes, aklotz, jimm, bobowen
bugs1366701
milestone59.0a1
Bug 1366701 Part 2: Roll-up patch to apply remaining mozilla changes to chromium sandbox. r=tabraldes,aklotz,jimm,bobowen Patches re-applied from security/sandbox/chromium-shim/patches/after_update/. See patch files for additional commit comments.
security/sandbox/chromium-shim/patches/after_update/add_WOW64_flags_to_allowed_registry_read_flags.patch
security/sandbox/chromium-shim/patches/after_update/add_interception_logging.patch
security/sandbox/chromium-shim/patches/after_update/allow_flash_temporary_files.patch
security/sandbox/chromium-shim/patches/after_update/allow_rules_for_network_drive_and_non_file_devices.patch
security/sandbox/chromium-shim/patches/after_update/change_USER_NON_ADMIN_to_blacklist.patch
security/sandbox/chromium-shim/patches/after_update/consult_PermissionsService_for_file_access.patch
security/sandbox/chromium-shim/patches/after_update/patch_order.txt
security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
security/sandbox/chromium/sandbox/win/src/handle_interception.cc
security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc
security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc
security/sandbox/chromium/sandbox/win/src/registry_interception.cc
security/sandbox/chromium/sandbox/win/src/registry_policy.cc
security/sandbox/chromium/sandbox/win/src/restricted_token.cc
security/sandbox/chromium/sandbox/win/src/restricted_token.h
security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
security/sandbox/chromium/sandbox/win/src/sync_interception.cc
security/sandbox/chromium/sandbox/win/src/win_utils.cc
security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt
security/sandbox/moz-chromium-commit-status.txt
new file mode 100644
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/after_update/add_WOW64_flags_to_allowed_registry_read_flags.patch
@@ -0,0 +1,34 @@
+# HG changeset patch
+# User Bob Owen <bobowencode@gmail.com>
+# Date 1482405067 0
+#      Thu Dec 22 11:11:07 2016 +0000
+# Node ID 43d0efc18f586e1ed90b95c4a52235c4648e96a9
+# Parent  266ef86795979f2ef9b6650d1bb35fb27d11ad86
+Add KEY_WOW64_64Key and KEY_WOW64_32KEY to the Chromium sandbox allowed registry read flags. r=aklotz
+
+Originally landed as changeset:
+https://hg.mozilla.org/mozilla-central/rev/d24db55deb85
+
+diff --git a/security/sandbox/chromium/sandbox/win/src/registry_policy.cc b/security/sandbox/chromium/sandbox/win/src/registry_policy.cc
+--- a/security/sandbox/chromium/sandbox/win/src/registry_policy.cc
++++ b/security/sandbox/chromium/sandbox/win/src/registry_policy.cc
+@@ -15,17 +15,18 @@
+ #include "sandbox/win/src/sandbox_types.h"
+ #include "sandbox/win/src/sandbox_utils.h"
+ #include "sandbox/win/src/win_utils.h"
+ 
+ namespace {
+ 
+ static const uint32_t kAllowedRegFlags =
+     KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY | KEY_READ |
+-    GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL;
++    GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL | KEY_WOW64_64KEY |
++    KEY_WOW64_32KEY;
+ 
+ // Opens the key referenced by |obj_attributes| with |access| and
+ // checks what permission was given. Remove the WRITE flags and update
+ // |access| with the new value.
+ NTSTATUS TranslateMaximumAllowed(OBJECT_ATTRIBUTES* obj_attributes,
+                                  DWORD* access) {
+   NtOpenKeyFunction NtOpenKey = NULL;
+   ResolveNTFunctionPtr("NtOpenKey", &NtOpenKey);
new file mode 100644
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/after_update/add_interception_logging.patch
@@ -0,0 +1,748 @@
+# HG changeset patch
+# User Bob Owen <bobowencode@gmail.com>
+# Date 1417281138 0
+#      Sat Nov 29 17:12:18 2014 +0000
+# Node ID 6f0003647b90c4196fa349813baaaaf425900bf5
+# Parent  4cf17a52d84ad44e38c91c9f4106241f85f7bf9e
+Re-apply - Logging changes to the Chromium interception code. r=tabraldes
+
+Originally landed as changset:
+https://hg.mozilla.org/mozilla-central/rev/0f763c186855
+
+diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
+--- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
++++ b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
+@@ -9,16 +9,17 @@
+ #include "sandbox/win/src/crosscall_client.h"
+ #include "sandbox/win/src/ipc_tags.h"
+ #include "sandbox/win/src/policy_params.h"
+ #include "sandbox/win/src/policy_target.h"
+ #include "sandbox/win/src/sandbox_factory.h"
+ #include "sandbox/win/src/sandbox_nt_util.h"
+ #include "sandbox/win/src/sharedmem_ipc_client.h"
+ #include "sandbox/win/src/target_services.h"
++#include "mozilla/sandboxing/sandboxLogging.h"
+ 
+ // This status occurs when trying to access a network share on the machine from
+ // which it is shared.
+ #define STATUS_NETWORK_OPEN_RESTRICTION ((NTSTATUS)0xC0000201L)
+ 
+ namespace sandbox {
+ 
+ NTSTATUS WINAPI TargetNtCreateFile(NtCreateFileFunction orig_CreateFile,
+@@ -33,16 +34,20 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre
+   NTSTATUS status = orig_CreateFile(file, desired_access, object_attributes,
+                                     io_status, allocation_size,
+                                     file_attributes, sharing, disposition,
+                                     options, ea_buffer, ea_length);
+   if (STATUS_ACCESS_DENIED != status &&
+       STATUS_NETWORK_OPEN_RESTRICTION != status)
+     return status;
+ 
++  mozilla::sandboxing::LogBlocked("NtCreateFile",
++                                  object_attributes->ObjectName->Buffer,
++                                  object_attributes->ObjectName->Length);
++
+   // We don't trust that the IPC can work this early.
+   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
+     return status;
+ 
+   wchar_t* name = NULL;
+   do {
+     if (!ValidParameter(file, sizeof(HANDLE), WRITE))
+       break;
+@@ -90,16 +95,19 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre
+ 
+     __try {
+       *file = answer.handle;
+       io_status->Status = answer.nt_status;
+       io_status->Information = answer.extended[0].ulong_ptr;
+     } __except(EXCEPTION_EXECUTE_HANDLER) {
+       break;
+     }
++    mozilla::sandboxing::LogAllowed("NtCreateFile",
++                                    object_attributes->ObjectName->Buffer,
++                                    object_attributes->ObjectName->Length);
+   } while (false);
+ 
+   if (name)
+     operator delete(name, NT_ALLOC);
+ 
+   return status;
+ }
+ 
+@@ -110,16 +118,20 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF
+                                  ULONG options) {
+   // Check if the process can open it first.
+   NTSTATUS status = orig_OpenFile(file, desired_access, object_attributes,
+                                   io_status, sharing, options);
+   if (STATUS_ACCESS_DENIED != status &&
+       STATUS_NETWORK_OPEN_RESTRICTION != status)
+     return status;
+ 
++  mozilla::sandboxing::LogBlocked("NtOpenFile",
++                                  object_attributes->ObjectName->Buffer,
++                                  object_attributes->ObjectName->Length);
++
+   // We don't trust that the IPC can work this early.
+   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
+     return status;
+ 
+   wchar_t* name = NULL;
+   do {
+     if (!ValidParameter(file, sizeof(HANDLE), WRITE))
+       break;
+@@ -165,16 +177,19 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF
+ 
+     __try {
+       *file = answer.handle;
+       io_status->Status = answer.nt_status;
+       io_status->Information = answer.extended[0].ulong_ptr;
+     } __except(EXCEPTION_EXECUTE_HANDLER) {
+       break;
+     }
++    mozilla::sandboxing::LogAllowed("NtOpenFile",
++                                    object_attributes->ObjectName->Buffer,
++                                    object_attributes->ObjectName->Length);
+   } while (false);
+ 
+   if (name)
+     operator delete(name, NT_ALLOC);
+ 
+   return status;
+ }
+ 
+@@ -183,16 +198,20 @@ NTSTATUS WINAPI TargetNtQueryAttributesF
+     POBJECT_ATTRIBUTES object_attributes,
+     PFILE_BASIC_INFORMATION file_attributes) {
+   // Check if the process can query it first.
+   NTSTATUS status = orig_QueryAttributes(object_attributes, file_attributes);
+   if (STATUS_ACCESS_DENIED != status &&
+       STATUS_NETWORK_OPEN_RESTRICTION != status)
+     return status;
+ 
++  mozilla::sandboxing::LogBlocked("NtQueryAttributesFile",
++                                  object_attributes->ObjectName->Buffer,
++                                  object_attributes->ObjectName->Length);
++
+   // We don't trust that the IPC can work this early.
+   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
+     return status;
+ 
+   wchar_t* name = NULL;
+   do {
+     if (!ValidParameter(file_attributes, sizeof(FILE_BASIC_INFORMATION), WRITE))
+       break;
+@@ -223,16 +242,19 @@ NTSTATUS WINAPI TargetNtQueryAttributesF
+     ResultCode code = CrossCall(ipc, IPC_NTQUERYATTRIBUTESFILE_TAG, name,
+                                 attributes, file_info, &answer);
+ 
+     if (SBOX_ALL_OK != code)
+       break;
+ 
+     status = answer.nt_status;
+ 
++    mozilla::sandboxing::LogAllowed("NtQueryAttributesFile",
++                                    object_attributes->ObjectName->Buffer,
++                                    object_attributes->ObjectName->Length);
+   } while (false);
+ 
+   if (name)
+     operator delete(name, NT_ALLOC);
+ 
+   return status;
+ }
+ 
+@@ -242,16 +264,20 @@ NTSTATUS WINAPI TargetNtQueryFullAttribu
+     PFILE_NETWORK_OPEN_INFORMATION file_attributes) {
+   // Check if the process can query it first.
+   NTSTATUS status = orig_QueryFullAttributes(object_attributes,
+                                              file_attributes);
+   if (STATUS_ACCESS_DENIED != status &&
+       STATUS_NETWORK_OPEN_RESTRICTION != status)
+     return status;
+ 
++  mozilla::sandboxing::LogBlocked("NtQueryFullAttributesFile",
++                                  object_attributes->ObjectName->Buffer,
++                                  object_attributes->ObjectName->Length);
++
+   // We don't trust that the IPC can work this early.
+   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
+     return status;
+ 
+   wchar_t* name = NULL;
+   do {
+     if (!ValidParameter(file_attributes, sizeof(FILE_NETWORK_OPEN_INFORMATION),
+                         WRITE))
+@@ -282,16 +308,20 @@ NTSTATUS WINAPI TargetNtQueryFullAttribu
+     CrossCallReturn answer = {0};
+     ResultCode code = CrossCall(ipc, IPC_NTQUERYFULLATTRIBUTESFILE_TAG, name,
+                                 attributes, file_info, &answer);
+ 
+     if (SBOX_ALL_OK != code)
+       break;
+ 
+     status = answer.nt_status;
++
++    mozilla::sandboxing::LogAllowed("NtQueryFullAttributesFile",
++                                    object_attributes->ObjectName->Buffer,
++                                    object_attributes->ObjectName->Length);
+   } while (false);
+ 
+   if (name)
+     operator delete(name, NT_ALLOC);
+ 
+   return status;
+ }
+ 
+@@ -300,16 +330,18 @@ NTSTATUS WINAPI TargetNtSetInformationFi
+     PIO_STATUS_BLOCK io_status, PVOID file_info, ULONG length,
+     FILE_INFORMATION_CLASS file_info_class) {
+   // Check if the process can open it first.
+   NTSTATUS status = orig_SetInformationFile(file, io_status, file_info, length,
+                                             file_info_class);
+   if (STATUS_ACCESS_DENIED != status)
+     return status;
+ 
++  mozilla::sandboxing::LogBlocked("NtSetInformationFile");
++
+   // We don't trust that the IPC can work this early.
+   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
+     return status;
+ 
+   wchar_t* name = NULL;
+   do {
+     void* memory = GetGlobalIPCMemory();
+     if (NULL == memory)
+@@ -361,16 +393,17 @@ NTSTATUS WINAPI TargetNtSetInformationFi
+     ResultCode code = CrossCall(ipc, IPC_NTSETINFO_RENAME_TAG, file,
+                                 io_status_buffer, file_info_buffer, length,
+                                 file_info_class, &answer);
+ 
+     if (SBOX_ALL_OK != code)
+       break;
+ 
+     status = answer.nt_status;
++    mozilla::sandboxing::LogAllowed("NtSetInformationFile");
+   } while (false);
+ 
+   if (name)
+     operator delete(name, NT_ALLOC);
+ 
+   return status;
+ }
+ 
+diff --git a/security/sandbox/chromium/sandbox/win/src/handle_interception.cc b/security/sandbox/chromium/sandbox/win/src/handle_interception.cc
+--- a/security/sandbox/chromium/sandbox/win/src/handle_interception.cc
++++ b/security/sandbox/chromium/sandbox/win/src/handle_interception.cc
+@@ -5,16 +5,17 @@
+ #include "sandbox/win/src/handle_interception.h"
+ 
+ #include "sandbox/win/src/crosscall_client.h"
+ #include "sandbox/win/src/ipc_tags.h"
+ #include "sandbox/win/src/sandbox_factory.h"
+ #include "sandbox/win/src/sandbox_nt_util.h"
+ #include "sandbox/win/src/sharedmem_ipc_client.h"
+ #include "sandbox/win/src/target_services.h"
++#include "mozilla/sandboxing/sandboxLogging.h"
+ 
+ namespace sandbox {
+ 
+ ResultCode DuplicateHandleProxy(HANDLE source_handle,
+                                 DWORD target_process_id,
+                                 HANDLE* target_handle,
+                                 DWORD desired_access,
+                                 DWORD options) {
+@@ -29,17 +30,19 @@ ResultCode DuplicateHandleProxy(HANDLE s
+   ResultCode code = CrossCall(ipc, IPC_DUPLICATEHANDLEPROXY_TAG,
+                               source_handle, target_process_id,
+                               desired_access, options, &answer);
+   if (SBOX_ALL_OK != code)
+     return code;
+ 
+   if (answer.win32_result) {
+     ::SetLastError(answer.win32_result);
++    mozilla::sandboxing::LogBlocked("DuplicateHandle");
+     return SBOX_ERROR_GENERIC;
+   }
+ 
+   *target_handle = answer.handle;
++  mozilla::sandboxing::LogAllowed("DuplicateHandle");
+   return SBOX_ALL_OK;
+ }
+ 
+ }  // namespace sandbox
+ 
+diff --git a/security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc b/security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc
+--- a/security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc
++++ b/security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc
+@@ -7,31 +7,34 @@
+ #include "sandbox/win/src/crosscall_client.h"
+ #include "sandbox/win/src/ipc_tags.h"
+ #include "sandbox/win/src/policy_params.h"
+ #include "sandbox/win/src/policy_target.h"
+ #include "sandbox/win/src/sandbox_factory.h"
+ #include "sandbox/win/src/sandbox_nt_util.h"
+ #include "sandbox/win/src/sharedmem_ipc_client.h"
+ #include "sandbox/win/src/target_services.h"
++#include "mozilla/sandboxing/sandboxLogging.h"
+ 
+ namespace sandbox {
+ 
+ HANDLE WINAPI TargetCreateNamedPipeW(
+     CreateNamedPipeWFunction orig_CreateNamedPipeW, LPCWSTR pipe_name,
+     DWORD open_mode, DWORD pipe_mode, DWORD max_instance, DWORD out_buffer_size,
+     DWORD in_buffer_size, DWORD default_timeout,
+     LPSECURITY_ATTRIBUTES security_attributes) {
+   HANDLE pipe = orig_CreateNamedPipeW(pipe_name, open_mode, pipe_mode,
+                                       max_instance, out_buffer_size,
+                                       in_buffer_size, default_timeout,
+                                       security_attributes);
+   if (INVALID_HANDLE_VALUE != pipe)
+     return pipe;
+ 
++  mozilla::sandboxing::LogBlocked("CreateNamedPipeW", pipe_name);
++
+   // We don't trust that the IPC can work this early.
+   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
+     return INVALID_HANDLE_VALUE;
+ 
+   DWORD original_error = ::GetLastError();
+ 
+   // We don't support specific Security Attributes.
+   if (security_attributes)
+@@ -57,16 +60,17 @@ HANDLE WINAPI TargetCreateNamedPipeW(
+     if (SBOX_ALL_OK != code)
+       break;
+ 
+     ::SetLastError(answer.win32_result);
+ 
+     if (ERROR_SUCCESS != answer.win32_result)
+       return INVALID_HANDLE_VALUE;
+ 
++    mozilla::sandboxing::LogAllowed("CreateNamedPipeW", pipe_name);
+     return answer.handle;
+   } while (false);
+ 
+   ::SetLastError(original_error);
+   return INVALID_HANDLE_VALUE;
+ }
+ 
+ }  // namespace sandbox
+diff --git a/security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc b/security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc
+--- a/security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc
++++ b/security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc
+@@ -9,32 +9,34 @@
+ #include "sandbox/win/src/crosscall_client.h"
+ #include "sandbox/win/src/ipc_tags.h"
+ #include "sandbox/win/src/policy_params.h"
+ #include "sandbox/win/src/policy_target.h"
+ #include "sandbox/win/src/sandbox_factory.h"
+ #include "sandbox/win/src/sandbox_nt_util.h"
+ #include "sandbox/win/src/sharedmem_ipc_client.h"
+ #include "sandbox/win/src/target_services.h"
++#include "mozilla/sandboxing/sandboxLogging.h"
+ 
+ namespace sandbox {
+ 
+ SANDBOX_INTERCEPT NtExports g_nt;
+ 
+ // Hooks NtOpenThread and proxy the call to the broker if it's trying to
+ // open a thread in the same process.
+ NTSTATUS WINAPI TargetNtOpenThread(NtOpenThreadFunction orig_OpenThread,
+                                    PHANDLE thread, ACCESS_MASK desired_access,
+                                    POBJECT_ATTRIBUTES object_attributes,
+                                    PCLIENT_ID client_id) {
+   NTSTATUS status = orig_OpenThread(thread, desired_access, object_attributes,
+                                     client_id);
+   if (NT_SUCCESS(status))
+     return status;
+ 
++  mozilla::sandboxing::LogBlocked("NtOpenThread");
+   do {
+     if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
+       break;
+     if (!client_id)
+       break;
+ 
+     uint32_t thread_id = 0;
+     bool should_break = false;
+@@ -90,16 +92,17 @@ NTSTATUS WINAPI TargetNtOpenThread(NtOpe
+ 
+     __try {
+       // Write the output parameters.
+       *thread = answer.handle;
+     } __except(EXCEPTION_EXECUTE_HANDLER) {
+       break;
+     }
+ 
++    mozilla::sandboxing::LogAllowed("NtOpenThread");
+     return answer.nt_status;
+   } while (false);
+ 
+   return status;
+ }
+ 
+ // Hooks NtOpenProcess and proxy the call to the broker if it's trying to
+ // open the current process.
+@@ -174,16 +177,17 @@ NTSTATUS WINAPI TargetNtOpenProcess(NtOp
+ 
+ NTSTATUS WINAPI TargetNtOpenProcessToken(
+     NtOpenProcessTokenFunction orig_OpenProcessToken, HANDLE process,
+     ACCESS_MASK desired_access, PHANDLE token) {
+   NTSTATUS status = orig_OpenProcessToken(process, desired_access, token);
+   if (NT_SUCCESS(status))
+     return status;
+ 
++  mozilla::sandboxing::LogBlocked("NtOpenProcessToken");
+   do {
+     if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
+       break;
+ 
+     if (CURRENT_PROCESS != process)
+       break;
+ 
+     if (!ValidParameter(token, sizeof(HANDLE), WRITE))
+@@ -205,30 +209,32 @@ NTSTATUS WINAPI TargetNtOpenProcessToken
+ 
+     __try {
+       // Write the output parameters.
+       *token = answer.handle;
+     } __except(EXCEPTION_EXECUTE_HANDLER) {
+       break;
+     }
+ 
++    mozilla::sandboxing::LogAllowed("NtOpenProcessToken");
+     return answer.nt_status;
+   } while (false);
+ 
+   return status;
+ }
+ 
+ NTSTATUS WINAPI TargetNtOpenProcessTokenEx(
+     NtOpenProcessTokenExFunction orig_OpenProcessTokenEx, HANDLE process,
+     ACCESS_MASK desired_access, ULONG handle_attributes, PHANDLE token) {
+   NTSTATUS status = orig_OpenProcessTokenEx(process, desired_access,
+                                             handle_attributes, token);
+   if (NT_SUCCESS(status))
+     return status;
+ 
++  mozilla::sandboxing::LogBlocked("NtOpenProcessTokenEx");
+   do {
+     if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
+       break;
+ 
+     if (CURRENT_PROCESS != process)
+       break;
+ 
+     if (!ValidParameter(token, sizeof(HANDLE), WRITE))
+@@ -250,16 +256,17 @@ NTSTATUS WINAPI TargetNtOpenProcessToken
+ 
+     __try {
+       // Write the output parameters.
+       *token = answer.handle;
+     } __except(EXCEPTION_EXECUTE_HANDLER) {
+       break;
+     }
+ 
++    mozilla::sandboxing::LogAllowed("NtOpenProcessTokenEx");
+     return answer.nt_status;
+   } while (false);
+ 
+   return status;
+ }
+ 
+ BOOL WINAPI TargetCreateProcessW(CreateProcessWFunction orig_CreateProcessW,
+                                  LPCWSTR application_name, LPWSTR command_line,
+@@ -272,16 +279,18 @@ BOOL WINAPI TargetCreateProcessW(CreateP
+   if (SandboxFactory::GetTargetServices()->GetState()->IsCsrssConnected() &&
+       orig_CreateProcessW(application_name, command_line, process_attributes,
+                           thread_attributes, inherit_handles, flags,
+                           environment, current_directory, startup_info,
+                           process_information)) {
+     return TRUE;
+   }
+ 
++  mozilla::sandboxing::LogBlocked("CreateProcessW", application_name);
++
+   // We don't trust that the IPC can work this early.
+   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
+     return FALSE;
+ 
+   // Don't call GetLastError before InitCalled() succeeds because kernel32 may
+   // not be mapped yet.
+   DWORD original_error = ::GetLastError();
+ 
+@@ -312,16 +321,17 @@ BOOL WINAPI TargetCreateProcessW(CreateP
+                                 proc_info, &answer);
+     if (SBOX_ALL_OK != code)
+       break;
+ 
+     ::SetLastError(answer.win32_result);
+     if (ERROR_SUCCESS != answer.win32_result)
+       return FALSE;
+ 
++    mozilla::sandboxing::LogAllowed("CreateProcessW", application_name);
+     return TRUE;
+   } while (false);
+ 
+   ::SetLastError(original_error);
+   return FALSE;
+ }
+ 
+ BOOL WINAPI TargetCreateProcessA(CreateProcessAFunction orig_CreateProcessA,
+@@ -335,16 +345,18 @@ BOOL WINAPI TargetCreateProcessA(CreateP
+   if (SandboxFactory::GetTargetServices()->GetState()->IsCsrssConnected() &&
+       orig_CreateProcessA(application_name, command_line, process_attributes,
+                           thread_attributes, inherit_handles, flags,
+                           environment, current_directory, startup_info,
+                           process_information)) {
+     return TRUE;
+   }
+ 
++  mozilla::sandboxing::LogBlocked("CreateProcessA", application_name);
++
+   // We don't trust that the IPC can work this early.
+   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
+     return FALSE;
+ 
+   // Don't call GetLastError before InitCalled() succeeds because kernel32 may
+   // not be mapped yet.
+   DWORD original_error = ::GetLastError();
+ 
+@@ -409,16 +421,17 @@ BOOL WINAPI TargetCreateProcessA(CreateP
+ 
+     if (SBOX_ALL_OK != code)
+       break;
+ 
+     ::SetLastError(answer.win32_result);
+     if (ERROR_SUCCESS != answer.win32_result)
+       return FALSE;
+ 
++    mozilla::sandboxing::LogAllowed("CreateProcessA", application_name);
+     return TRUE;
+   } while (false);
+ 
+   ::SetLastError(original_error);
+   return FALSE;
+ }
+ 
+ HANDLE WINAPI TargetCreateThread(CreateThreadFunction orig_CreateThread,
+diff --git a/security/sandbox/chromium/sandbox/win/src/registry_interception.cc b/security/sandbox/chromium/sandbox/win/src/registry_interception.cc
+--- a/security/sandbox/chromium/sandbox/win/src/registry_interception.cc
++++ b/security/sandbox/chromium/sandbox/win/src/registry_interception.cc
+@@ -9,31 +9,38 @@
+ #include "sandbox/win/src/crosscall_client.h"
+ #include "sandbox/win/src/ipc_tags.h"
+ #include "sandbox/win/src/policy_params.h"
+ #include "sandbox/win/src/policy_target.h"
+ #include "sandbox/win/src/sandbox_factory.h"
+ #include "sandbox/win/src/sandbox_nt_util.h"
+ #include "sandbox/win/src/sharedmem_ipc_client.h"
+ #include "sandbox/win/src/target_services.h"
++#include "mozilla/sandboxing/sandboxLogging.h"
+ 
+ namespace sandbox {
+ 
+ NTSTATUS WINAPI TargetNtCreateKey(NtCreateKeyFunction orig_CreateKey,
+                                   PHANDLE key, ACCESS_MASK desired_access,
+                                   POBJECT_ATTRIBUTES object_attributes,
+                                   ULONG title_index, PUNICODE_STRING class_name,
+                                   ULONG create_options, PULONG disposition) {
+   // Check if the process can create it first.
+   NTSTATUS status = orig_CreateKey(key, desired_access, object_attributes,
+                                    title_index, class_name, create_options,
+                                    disposition);
+   if (NT_SUCCESS(status))
+     return status;
+ 
++  if (STATUS_OBJECT_NAME_NOT_FOUND != status) {
++    mozilla::sandboxing::LogBlocked("NtCreateKey",
++                                    object_attributes->ObjectName->Buffer,
++                                    object_attributes->ObjectName->Length);
++  }
++
+   // We don't trust that the IPC can work this early.
+   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
+     return status;
+ 
+   do {
+     if (!ValidParameter(key, sizeof(HANDLE), WRITE))
+       break;
+ 
+@@ -109,16 +116,19 @@ NTSTATUS WINAPI TargetNtCreateKey(NtCrea
+ 
+       if (disposition)
+        *disposition = answer.extended[0].unsigned_int;
+ 
+       status = answer.nt_status;
+     } __except(EXCEPTION_EXECUTE_HANDLER) {
+       break;
+     }
++    mozilla::sandboxing::LogAllowed("NtCreateKey",
++                                    object_attributes->ObjectName->Buffer,
++                                    object_attributes->ObjectName->Length);
+   } while (false);
+ 
+   return status;
+ }
+ 
+ NTSTATUS WINAPI CommonNtOpenKey(NTSTATUS status, PHANDLE key,
+                                 ACCESS_MASK desired_access,
+                                 POBJECT_ATTRIBUTES object_attributes) {
+@@ -185,29 +195,38 @@ NTSTATUS WINAPI CommonNtOpenKey(NTSTATUS
+         break;
+ 
+     __try {
+       *key = answer.handle;
+       status = answer.nt_status;
+     } __except(EXCEPTION_EXECUTE_HANDLER) {
+       break;
+     }
++    mozilla::sandboxing::LogAllowed("NtOpenKey[Ex]",
++                                    object_attributes->ObjectName->Buffer,
++                                    object_attributes->ObjectName->Length);
+   } while (false);
+ 
+   return status;
+ }
+ 
+ NTSTATUS WINAPI TargetNtOpenKey(NtOpenKeyFunction orig_OpenKey, PHANDLE key,
+                                 ACCESS_MASK desired_access,
+                                 POBJECT_ATTRIBUTES object_attributes) {
+   // Check if the process can open it first.
+   NTSTATUS status = orig_OpenKey(key, desired_access, object_attributes);
+   if (NT_SUCCESS(status))
+     return status;
+ 
++  if (STATUS_OBJECT_NAME_NOT_FOUND != status) {
++    mozilla::sandboxing::LogBlocked("NtOpenKey",
++                                    object_attributes->ObjectName->Buffer,
++                                    object_attributes->ObjectName->Length);
++  }
++
+   return CommonNtOpenKey(status, key, desired_access, object_attributes);
+ }
+ 
+ NTSTATUS WINAPI TargetNtOpenKeyEx(NtOpenKeyExFunction orig_OpenKeyEx,
+                                   PHANDLE key, ACCESS_MASK desired_access,
+                                   POBJECT_ATTRIBUTES object_attributes,
+                                   ULONG open_options) {
+   // Check if the process can open it first.
+@@ -215,12 +234,18 @@ NTSTATUS WINAPI TargetNtOpenKeyEx(NtOpen
+                                    open_options);
+ 
+   // We do not support open_options at this time. The 2 current known values
+   // are REG_OPTION_CREATE_LINK, to open a symbolic link, and
+   // REG_OPTION_BACKUP_RESTORE to open the key with special privileges.
+   if (NT_SUCCESS(status) || open_options != 0)
+     return status;
+ 
++  if (STATUS_OBJECT_NAME_NOT_FOUND != status) {
++    mozilla::sandboxing::LogBlocked("NtOpenKeyEx",
++                                    object_attributes->ObjectName->Buffer,
++                                    object_attributes->ObjectName->Length);
++  }
++
+   return CommonNtOpenKey(status, key, desired_access, object_attributes);
+ }
+ 
+ }  // namespace sandbox
+diff --git a/security/sandbox/chromium/sandbox/win/src/sync_interception.cc b/security/sandbox/chromium/sandbox/win/src/sync_interception.cc
+--- a/security/sandbox/chromium/sandbox/win/src/sync_interception.cc
++++ b/security/sandbox/chromium/sandbox/win/src/sync_interception.cc
+@@ -9,16 +9,17 @@
+ #include "sandbox/win/src/crosscall_client.h"
+ #include "sandbox/win/src/ipc_tags.h"
+ #include "sandbox/win/src/policy_params.h"
+ #include "sandbox/win/src/policy_target.h"
+ #include "sandbox/win/src/sandbox_factory.h"
+ #include "sandbox/win/src/sandbox_nt_util.h"
+ #include "sandbox/win/src/sharedmem_ipc_client.h"
+ #include "sandbox/win/src/target_services.h"
++#include "mozilla/sandboxing/sandboxLogging.h"
+ 
+ namespace sandbox {
+ 
+ ResultCode ProxyCreateEvent(LPCWSTR name,
+                             uint32_t initial_state,
+                             EVENT_TYPE event_type,
+                             void* ipc_memory,
+                             CrossCallReturn* answer) {
+@@ -59,16 +60,20 @@ NTSTATUS WINAPI TargetNtCreateEvent(NtCr
+                                     EVENT_TYPE event_type,
+                                     BOOLEAN initial_state) {
+   NTSTATUS status = orig_CreateEvent(event_handle, desired_access,
+                                      object_attributes, event_type,
+                                      initial_state);
+   if (status != STATUS_ACCESS_DENIED || !object_attributes)
+     return status;
+ 
++  mozilla::sandboxing::LogBlocked("NtCreatEvent",
++                                  object_attributes->ObjectName->Buffer,
++                                  object_attributes->ObjectName->Length);
++
+   // We don't trust that the IPC can work this early.
+   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
+     return status;
+ 
+   do {
+     if (!ValidParameter(event_handle, sizeof(HANDLE), WRITE))
+       break;
+ 
+@@ -98,30 +103,37 @@ NTSTATUS WINAPI TargetNtCreateEvent(NtCr
+       break;
+     }
+     __try {
+       *event_handle = answer.handle;
+       status = STATUS_SUCCESS;
+     } __except(EXCEPTION_EXECUTE_HANDLER) {
+       break;
+     }
++    mozilla::sandboxing::LogAllowed("NtCreateEvent",
++                                    object_attributes->ObjectName->Buffer,
++                                    object_attributes->ObjectName->Length);
+   } while (false);
+ 
+   return status;
+ }
+ 
+ NTSTATUS WINAPI TargetNtOpenEvent(NtOpenEventFunction orig_OpenEvent,
+                                   PHANDLE event_handle,
+                                   ACCESS_MASK desired_access,
+                                   POBJECT_ATTRIBUTES object_attributes) {
+   NTSTATUS status = orig_OpenEvent(event_handle, desired_access,
+                                    object_attributes);
+   if (status != STATUS_ACCESS_DENIED || !object_attributes)
+     return status;
+ 
++  mozilla::sandboxing::LogBlocked("NtOpenEvent",
++                                  object_attributes->ObjectName->Buffer,
++                                  object_attributes->ObjectName->Length);
++  //
+   // We don't trust that the IPC can work this early.
+   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
+     return status;
+ 
+   do {
+     if (!ValidParameter(event_handle, sizeof(HANDLE), WRITE))
+       break;
+ 
+@@ -150,14 +162,17 @@ NTSTATUS WINAPI TargetNtOpenEvent(NtOpen
+       break;
+     }
+     __try {
+       *event_handle = answer.handle;
+       status = STATUS_SUCCESS;
+     } __except(EXCEPTION_EXECUTE_HANDLER) {
+       break;
+     }
++    mozilla::sandboxing::LogAllowed("NtOpenEvent",
++                                    object_attributes->ObjectName->Buffer,
++                                    object_attributes->ObjectName->Length);
+   } while (false);
+ 
+   return status;
+ }
+ 
+ }  // namespace sandbox
new file mode 100644
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/after_update/allow_flash_temporary_files.patch
@@ -0,0 +1,158 @@
+# HG changeset patch
+# User David Parks <dparks@mozilla.com>
+# Date 1488233752 28800
+#      Mon Feb 27 14:15:52 2017 -0800
+# Node ID 58cf9c0f78b7b229b6b3ba70b64b9719b30b3d48
+# Parent  139c07a8ef8157027b3054d77fe3b5ff2c119081
+Permit sandboxed processes to access Flash temporary files. r=bobowen
+Allows the creation/use of temp files when the user has already green-lit
+the use of a file for write purposes in that folder.
+
+Originally landed in changeset:
+https://hg.mozilla.org/mozilla-central/rev/0f64b24c40c4
+
+diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
+--- a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
++++ b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
+@@ -221,16 +221,25 @@ bool FilesystemDispatcher::NtQueryAttrib
+   params[FileName::BROKER] = ParamPickerMake(broker);
+ 
+   // To evaluate the policy we need to call back to the policy object. We
+   // are just middlemen in the operation since is the FileSystemPolicy which
+   // knows what to do.
+   EvalResult result = policy_base_->EvalPolicy(IPC_NTQUERYATTRIBUTESFILE_TAG,
+                                                params.GetBase());
+ 
++  // If the policies forbid access (any result other than ASK_BROKER),
++  // then check for user-granted access to file.
++  if (ASK_BROKER != result &&
++      mozilla::sandboxing::PermissionsService::GetInstance()->
++        UserGrantedFileAccess(ipc->client_info->process_id, filename,
++                              0, 0)) {
++    result = ASK_BROKER;
++  }
++
+   FILE_BASIC_INFORMATION* information =
+         reinterpret_cast<FILE_BASIC_INFORMATION*>(info->Buffer());
+   NTSTATUS nt_status;
+   if (!FileSystemPolicy::QueryAttributesFileAction(result, *ipc->client_info,
+                                                    *name, attributes,
+                                                    information, &nt_status)) {
+     ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
+     return true;
+@@ -261,16 +270,25 @@ bool FilesystemDispatcher::NtQueryFullAt
+   params[FileName::BROKER] = ParamPickerMake(broker);
+ 
+   // To evaluate the policy we need to call back to the policy object. We
+   // are just middlemen in the operation since is the FileSystemPolicy which
+   // knows what to do.
+   EvalResult result = policy_base_->EvalPolicy(
+                           IPC_NTQUERYFULLATTRIBUTESFILE_TAG, params.GetBase());
+ 
++  // If the policies forbid access (any result other than ASK_BROKER),
++  // then check for user-granted access to file.
++  if (ASK_BROKER != result &&
++      mozilla::sandboxing::PermissionsService::GetInstance()->
++        UserGrantedFileAccess(ipc->client_info->process_id, filename,
++                              0, 0)) {
++    result = ASK_BROKER;
++  }
++
+   FILE_NETWORK_OPEN_INFORMATION* information =
+         reinterpret_cast<FILE_NETWORK_OPEN_INFORMATION*>(info->Buffer());
+   NTSTATUS nt_status;
+   if (!FileSystemPolicy::QueryFullAttributesFileAction(result,
+                                                        *ipc->client_info,
+                                                        *name, attributes,
+                                                        information,
+                                                        &nt_status)) {
+@@ -316,16 +334,26 @@ bool FilesystemDispatcher::NtSetInformat
+   params[FileName::BROKER] = ParamPickerMake(broker);
+ 
+   // To evaluate the policy we need to call back to the policy object. We
+   // are just middlemen in the operation since is the FileSystemPolicy which
+   // knows what to do.
+   EvalResult result = policy_base_->EvalPolicy(IPC_NTSETINFO_RENAME_TAG,
+                                                params.GetBase());
+ 
++  // If the policies forbid access (any result other than ASK_BROKER),
++  // then check for user-granted write access to file.  We only permit
++  // the FileRenameInformation action.
++  if (ASK_BROKER != result && info_class == FileRenameInformation &&
++      mozilla::sandboxing::PermissionsService::GetInstance()->
++        UserGrantedFileAccess(ipc->client_info->process_id, filename,
++                              FILE_WRITE_ATTRIBUTES, 0)) {
++    result = ASK_BROKER;
++  }
++
+   IO_STATUS_BLOCK* io_status =
+         reinterpret_cast<IO_STATUS_BLOCK*>(status->Buffer());
+   NTSTATUS nt_status;
+   if (!FileSystemPolicy::SetInformationFileAction(result, *ipc->client_info,
+                                                   handle, rename_info, length,
+                                                   info_class, io_status,
+                                                   &nt_status)) {
+     ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
+diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
+--- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
++++ b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
+@@ -223,19 +223,16 @@ NTSTATUS WINAPI TargetNtQueryAttributesF
+     InOutCountedBuffer file_info(file_attributes,
+                                  sizeof(FILE_BASIC_INFORMATION));
+ 
+     uint32_t broker = FALSE;
+     CountedParameterSet<FileName> params;
+     params[FileName::NAME] = ParamPickerMake(name);
+     params[FileName::BROKER] = ParamPickerMake(broker);
+ 
+-    if (!QueryBroker(IPC_NTQUERYATTRIBUTESFILE_TAG, params.GetBase()))
+-      break;
+-
+     SharedMemIPCClient ipc(memory);
+     CrossCallReturn answer = {0};
+     ResultCode code = CrossCall(ipc, IPC_NTQUERYATTRIBUTESFILE_TAG, name,
+                                 attributes, file_info, &answer);
+ 
+     if (SBOX_ALL_OK != code)
+       break;
+ 
+@@ -290,19 +287,16 @@ NTSTATUS WINAPI TargetNtQueryFullAttribu
+     InOutCountedBuffer file_info(file_attributes,
+                                  sizeof(FILE_NETWORK_OPEN_INFORMATION));
+ 
+     uint32_t broker = FALSE;
+     CountedParameterSet<FileName> params;
+     params[FileName::NAME] = ParamPickerMake(name);
+     params[FileName::BROKER] = ParamPickerMake(broker);
+ 
+-    if (!QueryBroker(IPC_NTQUERYFULLATTRIBUTESFILE_TAG, params.GetBase()))
+-      break;
+-
+     SharedMemIPCClient ipc(memory);
+     CrossCallReturn answer = {0};
+     ResultCode code = CrossCall(ipc, IPC_NTQUERYFULLATTRIBUTESFILE_TAG, name,
+                                 attributes, file_info, &answer);
+ 
+     if (SBOX_ALL_OK != code)
+       break;
+ 
+@@ -369,19 +363,16 @@ NTSTATUS WINAPI TargetNtSetInformationFi
+     if (!NT_SUCCESS(ret) || !name)
+       break;
+ 
+     uint32_t broker = FALSE;
+     CountedParameterSet<FileName> params;
+     params[FileName::NAME] = ParamPickerMake(name);
+     params[FileName::BROKER] = ParamPickerMake(broker);
+ 
+-    if (!QueryBroker(IPC_NTSETINFO_RENAME_TAG, params.GetBase()))
+-      break;
+-
+     InOutCountedBuffer io_status_buffer(io_status, sizeof(IO_STATUS_BLOCK));
+     // This is actually not an InOut buffer, only In, but using InOut facility
+     // really helps to simplify the code.
+     InOutCountedBuffer file_info_buffer(file_info, length);
+ 
+     SharedMemIPCClient ipc(memory);
+     CrossCallReturn answer = {0};
+     ResultCode code = CrossCall(ipc, IPC_NTSETINFO_RENAME_TAG, file,
new file mode 100644
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/after_update/allow_rules_for_network_drive_and_non_file_devices.patch
@@ -0,0 +1,192 @@
+# HG changeset patch
+# User Bob Owen <bobowencode@gmail.com>
+# Date 1454317140 0
+#      Mon Feb 01 08:59:00 2016 +0000
+# Node ID 9870a92ea5f352ab5a841003a30ab52c8deb589e
+# Parent  d62b6a3a0c58528a8bf864bb5ab6bb9faada972b
+Change to allow network drives in sandbox rules with non-file device fix. r=aklotz
+
+Originally landed in changeset:
+https://hg.mozilla.org/mozilla-central/rev/c70d06fa5302
+
+diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/sandbox/chromium/sandbox/win/src/win_utils.cc
+--- a/security/sandbox/chromium/sandbox/win/src/win_utils.cc
++++ b/security/sandbox/chromium/sandbox/win/src/win_utils.cc
+@@ -190,63 +190,68 @@ bool ResolveRegistryName(base::string16 
+ 
+   return false;
+ }
+ 
+ // |full_path| can have any of the following forms:
+ //    \??\c:\some\foo\bar
+ //    \Device\HarddiskVolume0\some\foo\bar
+ //    \??\HarddiskVolume0\some\foo\bar
++//    \??\UNC\SERVER\Share\some\foo\bar
+ DWORD IsReparsePoint(const base::string16& full_path) {
+   // Check if it's a pipe. We can't query the attributes of a pipe.
+   if (IsPipe(full_path))
+     return ERROR_NOT_A_REPARSE_POINT;
+ 
+   base::string16 path;
+   bool nt_path = IsNTPath(full_path, &path);
+   bool has_drive = StartsWithDriveLetter(path);
+   bool is_device_path = IsDevicePath(path, &path);
+ 
+   if (!has_drive && !is_device_path && !nt_path)
+     return ERROR_INVALID_NAME;
+ 
+-  bool added_implied_device = false;
+   if (!has_drive) {
+-      path = base::string16(kNTDotPrefix) + path;
+-      added_implied_device = true;
++    // Add Win32 device namespace prefix, required for some Windows APIs.
++    path.insert(0, kNTDotPrefix);
+   }
+ 
+-  base::string16::size_type last_pos = base::string16::npos;
+-  bool passed_once = false;
++  // Ensure that volume path matches start of path.
++  wchar_t vol_path[MAX_PATH];
++  if (!::GetVolumePathNameW(path.c_str(), vol_path, MAX_PATH)) {
++    // This will fail if this is a device that isn't volume related, which can't
++    // then be a reparse point.
++    return is_device_path ? ERROR_NOT_A_REPARSE_POINT : ERROR_INVALID_NAME;
++  }
++
++  // vol_path includes a trailing slash, so reduce size for path and loop check.
++  size_t vol_path_len = wcslen(vol_path) - 1;
++  if (!EqualPath(path, vol_path, vol_path_len)) {
++    return ERROR_INVALID_NAME;
++  }
+ 
+   do {
+-    path = path.substr(0, last_pos);
+-
+     DWORD attributes = ::GetFileAttributes(path.c_str());
+     if (INVALID_FILE_ATTRIBUTES == attributes) {
+       DWORD error = ::GetLastError();
+       if (error != ERROR_FILE_NOT_FOUND &&
+           error != ERROR_PATH_NOT_FOUND &&
++          error != ERROR_INVALID_FUNCTION &&
+           error != ERROR_INVALID_NAME) {
+         // Unexpected error.
+-        if (passed_once && added_implied_device &&
+-            (path.rfind(L'\\') == kNTDotPrefixLen - 1)) {
+-          break;
+-        }
+         NOTREACHED_NT();
+         return error;
+       }
+     } else if (FILE_ATTRIBUTE_REPARSE_POINT & attributes) {
+       // This is a reparse point.
+       return ERROR_SUCCESS;
+     }
+ 
+-    passed_once = true;
+-    last_pos = path.rfind(L'\\');
+-  } while (last_pos > 2);  // Skip root dir.
++    path.resize(path.rfind(L'\\'));
++  } while (path.size() > vol_path_len);  // Skip root dir.
+ 
+   return ERROR_NOT_A_REPARSE_POINT;
+ }
+ 
+ // We get a |full_path| of the forms accepted by IsReparsePoint(), and the name
+ // we'll get from |handle| will be \device\harddiskvolume1\some\foo\bar.
+ bool SameObject(HANDLE handle, const wchar_t* full_path) {
+   // Check if it's a pipe.
+@@ -256,63 +261,67 @@ bool SameObject(HANDLE handle, const wch
+   base::string16 actual_path;
+   if (!GetPathFromHandle(handle, &actual_path))
+     return false;
+ 
+   base::string16 path(full_path);
+   DCHECK_NT(!path.empty());
+ 
+   // This may end with a backslash.
+-  const wchar_t kBackslash = '\\';
+-  if (path.back() == kBackslash)
+-    path = path.substr(0, path.length() - 1);
++  if (path.back() == L'\\') {
++    path.pop_back();
++  }
+ 
+-  // Perfect match (case-insesitive check).
++  // Perfect match (case-insensitive check).
+   if (EqualPath(actual_path, path))
+     return true;
+ 
+   bool nt_path = IsNTPath(path, &path);
+   bool has_drive = StartsWithDriveLetter(path);
+ 
+   if (!has_drive && nt_path) {
+     base::string16 simple_actual_path;
+-    if (!IsDevicePath(actual_path, &simple_actual_path))
+-      return false;
+-
+-    // Perfect match (case-insesitive check).
+-    return (EqualPath(simple_actual_path, path));
++    if (IsDevicePath(path, &path)) {
++      if (IsDevicePath(actual_path, &simple_actual_path)) {
++        // Perfect match (case-insensitive check).
++        return (EqualPath(simple_actual_path, path));
++      } else {
++        return false;
++      }
++    } else {
++      // Add Win32 device namespace for GetVolumePathName.
++      path.insert(0, kNTDotPrefix);
++    }
+   }
+ 
+-  if (!has_drive)
++  // Get the volume path in the same format as actual_path.
++  wchar_t vol_path[MAX_PATH];
++  if (!::GetVolumePathName(path.c_str(), vol_path, MAX_PATH)) {
+     return false;
+-
+-  // We only need 3 chars, but let's alloc a buffer for four.
+-  wchar_t drive[4] = {0};
+-  wchar_t vol_name[MAX_PATH];
+-  memcpy(drive, &path[0], 2 * sizeof(*drive));
+-
+-  // We'll get a double null terminated string.
+-  DWORD vol_length = ::QueryDosDeviceW(drive, vol_name, MAX_PATH);
+-  if (vol_length < 2 || vol_length == MAX_PATH)
++  }
++  size_t vol_path_len = wcslen(vol_path);
++  base::string16 nt_vol;
++  if (!GetNtPathFromWin32Path(vol_path, &nt_vol)) {
+     return false;
+-
+-  // Ignore the nulls at the end.
+-  vol_length = static_cast<DWORD>(wcslen(vol_name));
++  }
+ 
+   // The two paths should be the same length.
+-  if (vol_length + path.size() - 2 != actual_path.size())
++  if (nt_vol.size() + path.size() - vol_path_len != actual_path.size()) {
+     return false;
++  }
+ 
+-  // Check up to the drive letter.
+-  if (!EqualPath(actual_path, vol_name, vol_length))
++  // Check the volume matches.
++  if (!EqualPath(actual_path, nt_vol.c_str(), nt_vol.size())) {
+     return false;
++  }
+ 
+-  // Check the path after the drive letter.
+-  if (!EqualPath(actual_path, vol_length, path, 2))
++  // Check the path after the volume matches.
++  if (!EqualPath(actual_path, nt_vol.size(), path, vol_path_len)) {
+     return false;
++  }
+ 
+   return true;
+ }
+ 
+ // Just make a best effort here.  There are lots of corner cases that we're
+ // not expecting - and will fail to make long.
+ bool ConvertToLongPath(base::string16* native_path,
+                        const base::string16* drive_letter) {
new file mode 100644
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/after_update/change_USER_NON_ADMIN_to_blacklist.patch
@@ -0,0 +1,170 @@
+# HG changeset patch
+# User Bob Owen <bobowencode@gmail.com>
+# Date 1486465183 0
+#      Tue Feb 07 10:59:43 2017 +0000
+# Node ID 69c8c415e87bd14843e26488e9cff30e39d69750
+# Parent  945bec53811d358e3c668405bc1feb63e671782a
+Change USER_NON_ADMIN access token level from whitelist to blacklist containing Admin SIDs. r=jimm
+
+Originally landed in changeset:
+https://hg.mozilla.org/mozilla-central/rev/0e6bf137521e
+
+diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token.cc
+--- a/security/sandbox/chromium/sandbox/win/src/restricted_token.cc
++++ b/security/sandbox/chromium/sandbox/win/src/restricted_token.cc
+@@ -254,16 +254,50 @@ DWORD RestrictedToken::AddAllSidsForDeny
+             reinterpret_cast<SID*>(token_groups->Groups[i].Sid));
+       }
+     }
+   }
+ 
+   return ERROR_SUCCESS;
+ }
+ 
++DWORD RestrictedToken::AddDenyOnlySids(const std::vector<Sid>& deny_only_sids) {
++  DCHECK(init_);
++  if (!init_) {
++    return ERROR_NO_TOKEN;
++  }
++
++  DWORD error;
++  std::unique_ptr<BYTE[]> buffer =
++    GetTokenInfo(effective_token_, TokenGroups, &error);
++
++  if (!buffer) {
++    return error;
++  }
++
++  TOKEN_GROUPS* token_groups = reinterpret_cast<TOKEN_GROUPS*>(buffer.get());
++
++  // Build the list of the deny only group SIDs
++  for (unsigned int i = 0; i < token_groups->GroupCount ; ++i) {
++    if ((token_groups->Groups[i].Attributes & SE_GROUP_INTEGRITY) == 0 &&
++        (token_groups->Groups[i].Attributes & SE_GROUP_LOGON_ID) == 0) {
++      for (unsigned int j = 0; j < deny_only_sids.size(); ++j) {
++        if (::EqualSid(const_cast<SID*>(deny_only_sids[j].GetPSID()),
++                       token_groups->Groups[i].Sid)) {
++          sids_for_deny_only_.push_back(
++              reinterpret_cast<SID*>(token_groups->Groups[i].Sid));
++          break;
++        }
++      }
++    }
++  }
++
++  return ERROR_SUCCESS;
++}
++
+ DWORD RestrictedToken::AddSidForDenyOnly(const Sid &sid) {
+   DCHECK(init_);
+   if (!init_)
+     return ERROR_NO_TOKEN;
+ 
+   sids_for_deny_only_.push_back(sid);
+   return ERROR_SUCCESS;
+ }
+diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token.h b/security/sandbox/chromium/sandbox/win/src/restricted_token.h
+--- a/security/sandbox/chromium/sandbox/win/src/restricted_token.h
++++ b/security/sandbox/chromium/sandbox/win/src/restricted_token.h
+@@ -83,16 +83,27 @@ class RestrictedToken {
+   //    std::vector<Sid> sid_exceptions;
+   //    sid_exceptions.push_back(ATL::Sids::Users().GetPSID());
+   //    sid_exceptions.push_back(ATL::Sids::World().GetPSID());
+   //    restricted_token.AddAllSidsForDenyOnly(&sid_exceptions);
+   // Note: A Sid marked for Deny Only in a token cannot be used to grant
+   // access to any resource. It can only be used to deny access.
+   DWORD AddAllSidsForDenyOnly(std::vector<Sid> *exceptions);
+ 
++  // Lists all sids in the token and mark them as Deny Only if present in the
++  // deny_only_sids parameter.
++  //
++  // If the function succeeds, the return value is ERROR_SUCCESS. If the
++  // function fails, the return value is the win32 error code corresponding to
++  // the error.
++  //
++  // Note: A Sid marked for Deny Only in a token cannot be used to grant
++  // access to any resource. It can only be used to deny access.
++  DWORD AddDenyOnlySids(const std::vector<Sid>& deny_only_sids);
++
+   // Adds a user or group SID for Deny Only in the restricted token.
+   // Parameter: sid is the SID to add in the Deny Only list.
+   // The return value is always ERROR_SUCCESS.
+   //
+   // Sample Usage:
+   //    restricted_token.AddSidForDenyOnly(ATL::Sids::Admins().GetPSID());
+   DWORD AddSidForDenyOnly(const Sid &sid);
+ 
+diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
++++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+@@ -26,16 +26,17 @@ DWORD CreateRestrictedToken(TokenLevel s
+                             base::win::ScopedHandle* token) {
+   RestrictedToken restricted_token;
+   restricted_token.Init(NULL);  // Initialized with the current process token
+   if (lockdown_default_dacl)
+     restricted_token.SetLockdownDefaultDacl();
+ 
+   std::vector<base::string16> privilege_exceptions;
+   std::vector<Sid> sid_exceptions;
++  std::vector<Sid> deny_only_sids;
+ 
+   bool deny_sids = true;
+   bool remove_privileges = true;
+ 
+   switch (security_level) {
+     case USER_UNPROTECTED: {
+       deny_sids = false;
+       remove_privileges = false;
+@@ -50,20 +51,26 @@ DWORD CreateRestrictedToken(TokenLevel s
+         if (ERROR_SUCCESS != err_code) {
+           return err_code;
+         }
+       }
+ 
+       break;
+     }
+     case USER_NON_ADMIN: {
+-      sid_exceptions.push_back(WinBuiltinUsersSid);
+-      sid_exceptions.push_back(WinWorldSid);
+-      sid_exceptions.push_back(WinInteractiveSid);
+-      sid_exceptions.push_back(WinAuthenticatedUserSid);
++      deny_sids = false;
++      deny_only_sids.push_back(WinBuiltinAdministratorsSid);
++      deny_only_sids.push_back(WinAccountAdministratorSid);
++      deny_only_sids.push_back(WinAccountDomainAdminsSid);
++      deny_only_sids.push_back(WinAccountCertAdminsSid);
++      deny_only_sids.push_back(WinAccountSchemaAdminsSid);
++      deny_only_sids.push_back(WinAccountEnterpriseAdminsSid);
++      deny_only_sids.push_back(WinAccountPolicyAdminsSid);
++      deny_only_sids.push_back(WinBuiltinHyperVAdminsSid);
++      deny_only_sids.push_back(WinLocalAccountAndAdministratorSid);
+       privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
+       break;
+     }
+     case USER_INTERACTIVE: {
+       sid_exceptions.push_back(WinBuiltinUsersSid);
+       sid_exceptions.push_back(WinWorldSid);
+       sid_exceptions.push_back(WinInteractiveSid);
+       sid_exceptions.push_back(WinAuthenticatedUserSid);
+@@ -116,16 +123,21 @@ DWORD CreateRestrictedToken(TokenLevel s
+     }
+   }
+ 
+   DWORD err_code = ERROR_SUCCESS;
+   if (deny_sids) {
+     err_code = restricted_token.AddAllSidsForDenyOnly(&sid_exceptions);
+     if (ERROR_SUCCESS != err_code)
+       return err_code;
++  } else if (!deny_only_sids.empty()) {
++    err_code = restricted_token.AddDenyOnlySids(deny_only_sids);
++    if (ERROR_SUCCESS != err_code) {
++      return err_code;
++    }
+   }
+ 
+   if (remove_privileges) {
+     err_code = restricted_token.DeleteAllPrivileges(&privilege_exceptions);
+     if (ERROR_SUCCESS != err_code)
+       return err_code;
+   }
+ 
new file mode 100644
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/after_update/consult_PermissionsService_for_file_access.patch
@@ -0,0 +1,132 @@
+# HG changeset patch
+# User David Parks <dparks@mozilla.com>
+# Date 1484929677 28800
+#      Fri Jan 20 08:27:57 2017 -0800
+# Node ID d6a40d4bae2bdce74539e2606d0ead89c091a089
+# Parent  b14dffc51edda918dbaadf2ece96d0ecdd9f6f25
+Add mechanism to libsandbox_s to track names of files that have been given special sandbox access permissions (PermissionsService). r=bobowen
+
+Hook this into the browser via the XREAppData. This patch contains only the changes to Chromium source code.
+
+Originally landed in changeset:
+https://hg.mozilla.org/mozilla-central/rev/6ecd19d25822
+
+diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
+--- a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
++++ b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
+@@ -12,16 +12,18 @@
+ #include "sandbox/win/src/interception.h"
+ #include "sandbox/win/src/interceptors.h"
+ #include "sandbox/win/src/ipc_tags.h"
+ #include "sandbox/win/src/policy_broker.h"
+ #include "sandbox/win/src/policy_params.h"
+ #include "sandbox/win/src/sandbox.h"
+ #include "sandbox/win/src/sandbox_nt_util.h"
+ 
++#include "mozilla/sandboxing/permissionsService.h"
++
+ namespace sandbox {
+ 
+ FilesystemDispatcher::FilesystemDispatcher(PolicyBase* policy_base)
+     : policy_base_(policy_base) {
+   static const IPCCall create_params = {
+       {IPC_NTCREATEFILE_TAG,
+        {WCHAR_TYPE,
+         UINT32_TYPE,
+@@ -110,16 +112,26 @@ bool FilesystemDispatcher::NtCreateFile(
+   params[OpenFile::OPTIONS] = ParamPickerMake(create_options);
+   params[OpenFile::BROKER] = ParamPickerMake(broker);
+ 
+   // To evaluate the policy we need to call back to the policy object. We
+   // are just middlemen in the operation since is the FileSystemPolicy which
+   // knows what to do.
+   EvalResult result = policy_base_->EvalPolicy(IPC_NTCREATEFILE_TAG,
+                                                params.GetBase());
++
++  // If the policies forbid access (any result other than ASK_BROKER),
++  // then check for user-granted access to file.
++  if (ASK_BROKER != result &&
++      mozilla::sandboxing::PermissionsService::GetInstance()->
++        UserGrantedFileAccess(ipc->client_info->process_id, filename,
++                              desired_access, create_disposition)) {
++    result = ASK_BROKER;
++  }
++
+   HANDLE handle;
+   ULONG_PTR io_information = 0;
+   NTSTATUS nt_status;
+   if (!FileSystemPolicy::CreateFileAction(result, *ipc->client_info, *name,
+                                           attributes, desired_access,
+                                           file_attributes, share_access,
+                                           create_disposition, create_options,
+                                           &handle, &nt_status,
+@@ -157,16 +169,26 @@ bool FilesystemDispatcher::NtOpenFile(IP
+   params[OpenFile::OPTIONS] = ParamPickerMake(open_options);
+   params[OpenFile::BROKER] = ParamPickerMake(broker);
+ 
+   // To evaluate the policy we need to call back to the policy object. We
+   // are just middlemen in the operation since is the FileSystemPolicy which
+   // knows what to do.
+   EvalResult result = policy_base_->EvalPolicy(IPC_NTOPENFILE_TAG,
+                                                params.GetBase());
++
++  // If the policies forbid access (any result other than ASK_BROKER),
++  // then check for user-granted access to file.
++  if (ASK_BROKER != result &&
++      mozilla::sandboxing::PermissionsService::GetInstance()->UserGrantedFileAccess(
++                                    ipc->client_info->process_id, filename,
++                                    desired_access, create_disposition)) {
++    result = ASK_BROKER;
++  }
++
+   HANDLE handle;
+   ULONG_PTR io_information = 0;
+   NTSTATUS nt_status;
+   if (!FileSystemPolicy::OpenFileAction(result, *ipc->client_info, *name,
+                                         attributes, desired_access,
+                                         share_access, open_options, &handle,
+                                         &nt_status, &io_information)) {
+     ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
+diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
+--- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
++++ b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
+@@ -70,19 +70,16 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre
+     uint32_t broker = FALSE;
+     CountedParameterSet<OpenFile> params;
+     params[OpenFile::NAME] = ParamPickerMake(name);
+     params[OpenFile::ACCESS] = ParamPickerMake(desired_access_uint32);
+     params[OpenFile::DISPOSITION] = ParamPickerMake(disposition_uint32);
+     params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32);
+     params[OpenFile::BROKER] = ParamPickerMake(broker);
+ 
+-    if (!QueryBroker(IPC_NTCREATEFILE_TAG, params.GetBase()))
+-      break;
+-
+     SharedMemIPCClient ipc(memory);
+     CrossCallReturn answer = {0};
+     // The following call must match in the parameters with
+     // FilesystemDispatcher::ProcessNtCreateFile.
+     ResultCode code = CrossCall(ipc, IPC_NTCREATEFILE_TAG, name, attributes,
+                                 desired_access_uint32, file_attributes, sharing,
+                                 disposition, options_uint32, &answer);
+     if (SBOX_ALL_OK != code)
+@@ -154,19 +151,16 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF
+     uint32_t broker = FALSE;
+     CountedParameterSet<OpenFile> params;
+     params[OpenFile::NAME] = ParamPickerMake(name);
+     params[OpenFile::ACCESS] = ParamPickerMake(desired_access_uint32);
+     params[OpenFile::DISPOSITION] = ParamPickerMake(disposition_uint32);
+     params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32);
+     params[OpenFile::BROKER] = ParamPickerMake(broker);
+ 
+-    if (!QueryBroker(IPC_NTOPENFILE_TAG, params.GetBase()))
+-      break;
+-
+     SharedMemIPCClient ipc(memory);
+     CrossCallReturn answer = {0};
+     ResultCode code = CrossCall(ipc, IPC_NTOPENFILE_TAG, name, attributes,
+                                 desired_access_uint32, sharing, options_uint32,
+                                 &answer);
+     if (SBOX_ALL_OK != code)
+       break;
+ 
new file mode 100644
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/after_update/patch_order.txt
@@ -0,0 +1,6 @@
+add_interception_logging.patch
+allow_rules_for_network_drive_and_non_file_devices.patch
+add_WOW64_flags_to_allowed_registry_read_flags.patch
+change_USER_NON_ADMIN_to_blacklist.patch
+consult_PermissionsService_for_file_access.patch
+allow_flash_temporary_files.patch
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
+++ b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
@@ -12,16 +12,18 @@
 #include "sandbox/win/src/interception.h"
 #include "sandbox/win/src/interceptors.h"
 #include "sandbox/win/src/ipc_tags.h"
 #include "sandbox/win/src/policy_broker.h"
 #include "sandbox/win/src/policy_params.h"
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 
+#include "mozilla/sandboxing/permissionsService.h"
+
 namespace sandbox {
 
 FilesystemDispatcher::FilesystemDispatcher(PolicyBase* policy_base)
     : policy_base_(policy_base) {
   static const IPCCall create_params = {
       {IPC_NTCREATEFILE_TAG,
        {WCHAR_TYPE,
         UINT32_TYPE,
@@ -110,16 +112,26 @@ bool FilesystemDispatcher::NtCreateFile(
   params[OpenFile::OPTIONS] = ParamPickerMake(create_options);
   params[OpenFile::BROKER] = ParamPickerMake(broker);
 
   // To evaluate the policy we need to call back to the policy object. We
   // are just middlemen in the operation since is the FileSystemPolicy which
   // knows what to do.
   EvalResult result = policy_base_->EvalPolicy(IPC_NTCREATEFILE_TAG,
                                                params.GetBase());
+
+  // If the policies forbid access (any result other than ASK_BROKER),
+  // then check for user-granted access to file.
+  if (ASK_BROKER != result &&
+      mozilla::sandboxing::PermissionsService::GetInstance()->
+        UserGrantedFileAccess(ipc->client_info->process_id, filename,
+                              desired_access, create_disposition)) {
+    result = ASK_BROKER;
+  }
+
   HANDLE handle;
   ULONG_PTR io_information = 0;
   NTSTATUS nt_status;
   if (!FileSystemPolicy::CreateFileAction(result, *ipc->client_info, *name,
                                           attributes, desired_access,
                                           file_attributes, share_access,
                                           create_disposition, create_options,
                                           &handle, &nt_status,
@@ -157,16 +169,26 @@ bool FilesystemDispatcher::NtOpenFile(IP
   params[OpenFile::OPTIONS] = ParamPickerMake(open_options);
   params[OpenFile::BROKER] = ParamPickerMake(broker);
 
   // To evaluate the policy we need to call back to the policy object. We
   // are just middlemen in the operation since is the FileSystemPolicy which
   // knows what to do.
   EvalResult result = policy_base_->EvalPolicy(IPC_NTOPENFILE_TAG,
                                                params.GetBase());
+
+  // If the policies forbid access (any result other than ASK_BROKER),
+  // then check for user-granted access to file.
+  if (ASK_BROKER != result &&
+      mozilla::sandboxing::PermissionsService::GetInstance()->UserGrantedFileAccess(
+                                    ipc->client_info->process_id, filename,
+                                    desired_access, create_disposition)) {
+    result = ASK_BROKER;
+  }
+
   HANDLE handle;
   ULONG_PTR io_information = 0;
   NTSTATUS nt_status;
   if (!FileSystemPolicy::OpenFileAction(result, *ipc->client_info, *name,
                                         attributes, desired_access,
                                         share_access, open_options, &handle,
                                         &nt_status, &io_information)) {
     ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
@@ -199,16 +221,25 @@ bool FilesystemDispatcher::NtQueryAttrib
   params[FileName::BROKER] = ParamPickerMake(broker);
 
   // To evaluate the policy we need to call back to the policy object. We
   // are just middlemen in the operation since is the FileSystemPolicy which
   // knows what to do.
   EvalResult result = policy_base_->EvalPolicy(IPC_NTQUERYATTRIBUTESFILE_TAG,
                                                params.GetBase());
 
+  // If the policies forbid access (any result other than ASK_BROKER),
+  // then check for user-granted access to file.
+  if (ASK_BROKER != result &&
+      mozilla::sandboxing::PermissionsService::GetInstance()->
+        UserGrantedFileAccess(ipc->client_info->process_id, filename,
+                              0, 0)) {
+    result = ASK_BROKER;
+  }
+
   FILE_BASIC_INFORMATION* information =
         reinterpret_cast<FILE_BASIC_INFORMATION*>(info->Buffer());
   NTSTATUS nt_status;
   if (!FileSystemPolicy::QueryAttributesFileAction(result, *ipc->client_info,
                                                    *name, attributes,
                                                    information, &nt_status)) {
     ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
     return true;
@@ -239,16 +270,25 @@ bool FilesystemDispatcher::NtQueryFullAt
   params[FileName::BROKER] = ParamPickerMake(broker);
 
   // To evaluate the policy we need to call back to the policy object. We
   // are just middlemen in the operation since is the FileSystemPolicy which
   // knows what to do.
   EvalResult result = policy_base_->EvalPolicy(
                           IPC_NTQUERYFULLATTRIBUTESFILE_TAG, params.GetBase());
 
+  // If the policies forbid access (any result other than ASK_BROKER),
+  // then check for user-granted access to file.
+  if (ASK_BROKER != result &&
+      mozilla::sandboxing::PermissionsService::GetInstance()->
+        UserGrantedFileAccess(ipc->client_info->process_id, filename,
+                              0, 0)) {
+    result = ASK_BROKER;
+  }
+
   FILE_NETWORK_OPEN_INFORMATION* information =
         reinterpret_cast<FILE_NETWORK_OPEN_INFORMATION*>(info->Buffer());
   NTSTATUS nt_status;
   if (!FileSystemPolicy::QueryFullAttributesFileAction(result,
                                                        *ipc->client_info,
                                                        *name, attributes,
                                                        information,
                                                        &nt_status)) {
@@ -294,16 +334,26 @@ bool FilesystemDispatcher::NtSetInformat
   params[FileName::BROKER] = ParamPickerMake(broker);
 
   // To evaluate the policy we need to call back to the policy object. We
   // are just middlemen in the operation since is the FileSystemPolicy which
   // knows what to do.
   EvalResult result = policy_base_->EvalPolicy(IPC_NTSETINFO_RENAME_TAG,
                                                params.GetBase());
 
+  // If the policies forbid access (any result other than ASK_BROKER),
+  // then check for user-granted write access to file.  We only permit
+  // the FileRenameInformation action.
+  if (ASK_BROKER != result && info_class == FileRenameInformation &&
+      mozilla::sandboxing::PermissionsService::GetInstance()->
+        UserGrantedFileAccess(ipc->client_info->process_id, filename,
+                              FILE_WRITE_ATTRIBUTES, 0)) {
+    result = ASK_BROKER;
+  }
+
   IO_STATUS_BLOCK* io_status =
         reinterpret_cast<IO_STATUS_BLOCK*>(status->Buffer());
   NTSTATUS nt_status;
   if (!FileSystemPolicy::SetInformationFileAction(result, *ipc->client_info,
                                                   handle, rename_info, length,
                                                   info_class, io_status,
                                                   &nt_status)) {
     ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
@@ -9,16 +9,17 @@
 #include "sandbox/win/src/crosscall_client.h"
 #include "sandbox/win/src/ipc_tags.h"
 #include "sandbox/win/src/policy_params.h"
 #include "sandbox/win/src/policy_target.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 // This status occurs when trying to access a network share on the machine from
 // which it is shared.
 #define STATUS_NETWORK_OPEN_RESTRICTION ((NTSTATUS)0xC0000201L)
 
 namespace sandbox {
 
 NTSTATUS WINAPI TargetNtCreateFile(NtCreateFileFunction orig_CreateFile,
@@ -33,16 +34,20 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre
   NTSTATUS status = orig_CreateFile(file, desired_access, object_attributes,
                                     io_status, allocation_size,
                                     file_attributes, sharing, disposition,
                                     options, ea_buffer, ea_length);
   if (STATUS_ACCESS_DENIED != status &&
       STATUS_NETWORK_OPEN_RESTRICTION != status)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtCreateFile",
+                                  object_attributes->ObjectName->Buffer,
+                                  object_attributes->ObjectName->Length);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
 
   wchar_t* name = NULL;
   do {
     if (!ValidParameter(file, sizeof(HANDLE), WRITE))
       break;
@@ -65,19 +70,16 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre
     uint32_t broker = FALSE;
     CountedParameterSet<OpenFile> params;
     params[OpenFile::NAME] = ParamPickerMake(name);
     params[OpenFile::ACCESS] = ParamPickerMake(desired_access_uint32);
     params[OpenFile::DISPOSITION] = ParamPickerMake(disposition_uint32);
     params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32);
     params[OpenFile::BROKER] = ParamPickerMake(broker);
 
-    if (!QueryBroker(IPC_NTCREATEFILE_TAG, params.GetBase()))
-      break;
-
     SharedMemIPCClient ipc(memory);
     CrossCallReturn answer = {0};
     // The following call must match in the parameters with
     // FilesystemDispatcher::ProcessNtCreateFile.
     ResultCode code = CrossCall(ipc, IPC_NTCREATEFILE_TAG, name, attributes,
                                 desired_access_uint32, file_attributes, sharing,
                                 disposition, options_uint32, &answer);
     if (SBOX_ALL_OK != code)
@@ -90,16 +92,19 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre
 
     __try {
       *file = answer.handle;
       io_status->Status = answer.nt_status;
       io_status->Information = answer.extended[0].ulong_ptr;
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
+    mozilla::sandboxing::LogAllowed("NtCreateFile",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   if (name)
     operator delete(name, NT_ALLOC);
 
   return status;
 }
 
@@ -110,16 +115,20 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF
                                  ULONG options) {
   // Check if the process can open it first.
   NTSTATUS status = orig_OpenFile(file, desired_access, object_attributes,
                                   io_status, sharing, options);
   if (STATUS_ACCESS_DENIED != status &&
       STATUS_NETWORK_OPEN_RESTRICTION != status)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtOpenFile",
+                                  object_attributes->ObjectName->Buffer,
+                                  object_attributes->ObjectName->Length);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
 
   wchar_t* name = NULL;
   do {
     if (!ValidParameter(file, sizeof(HANDLE), WRITE))
       break;
@@ -142,19 +151,16 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF
     uint32_t broker = FALSE;
     CountedParameterSet<OpenFile> params;
     params[OpenFile::NAME] = ParamPickerMake(name);
     params[OpenFile::ACCESS] = ParamPickerMake(desired_access_uint32);
     params[OpenFile::DISPOSITION] = ParamPickerMake(disposition_uint32);
     params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32);
     params[OpenFile::BROKER] = ParamPickerMake(broker);
 
-    if (!QueryBroker(IPC_NTOPENFILE_TAG, params.GetBase()))
-      break;
-
     SharedMemIPCClient ipc(memory);
     CrossCallReturn answer = {0};
     ResultCode code = CrossCall(ipc, IPC_NTOPENFILE_TAG, name, attributes,
                                 desired_access_uint32, sharing, options_uint32,
                                 &answer);
     if (SBOX_ALL_OK != code)
       break;
 
@@ -165,16 +171,19 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF
 
     __try {
       *file = answer.handle;
       io_status->Status = answer.nt_status;
       io_status->Information = answer.extended[0].ulong_ptr;
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
+    mozilla::sandboxing::LogAllowed("NtOpenFile",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   if (name)
     operator delete(name, NT_ALLOC);
 
   return status;
 }
 
@@ -183,16 +192,20 @@ NTSTATUS WINAPI TargetNtQueryAttributesF
     POBJECT_ATTRIBUTES object_attributes,
     PFILE_BASIC_INFORMATION file_attributes) {
   // Check if the process can query it first.
   NTSTATUS status = orig_QueryAttributes(object_attributes, file_attributes);
   if (STATUS_ACCESS_DENIED != status &&
       STATUS_NETWORK_OPEN_RESTRICTION != status)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtQueryAttributesFile",
+                                  object_attributes->ObjectName->Buffer,
+                                  object_attributes->ObjectName->Length);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
 
   wchar_t* name = NULL;
   do {
     if (!ValidParameter(file_attributes, sizeof(FILE_BASIC_INFORMATION), WRITE))
       break;
@@ -210,29 +223,29 @@ NTSTATUS WINAPI TargetNtQueryAttributesF
     InOutCountedBuffer file_info(file_attributes,
                                  sizeof(FILE_BASIC_INFORMATION));
 
     uint32_t broker = FALSE;
     CountedParameterSet<FileName> params;
     params[FileName::NAME] = ParamPickerMake(name);
     params[FileName::BROKER] = ParamPickerMake(broker);
 
-    if (!QueryBroker(IPC_NTQUERYATTRIBUTESFILE_TAG, params.GetBase()))
-      break;
-
     SharedMemIPCClient ipc(memory);
     CrossCallReturn answer = {0};
     ResultCode code = CrossCall(ipc, IPC_NTQUERYATTRIBUTESFILE_TAG, name,
                                 attributes, file_info, &answer);
 
     if (SBOX_ALL_OK != code)
       break;
 
     status = answer.nt_status;
 
+    mozilla::sandboxing::LogAllowed("NtQueryAttributesFile",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   if (name)
     operator delete(name, NT_ALLOC);
 
   return status;
 }
 
@@ -242,16 +255,20 @@ NTSTATUS WINAPI TargetNtQueryFullAttribu
     PFILE_NETWORK_OPEN_INFORMATION file_attributes) {
   // Check if the process can query it first.
   NTSTATUS status = orig_QueryFullAttributes(object_attributes,
                                              file_attributes);
   if (STATUS_ACCESS_DENIED != status &&
       STATUS_NETWORK_OPEN_RESTRICTION != status)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtQueryFullAttributesFile",
+                                  object_attributes->ObjectName->Buffer,
+                                  object_attributes->ObjectName->Length);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
 
   wchar_t* name = NULL;
   do {
     if (!ValidParameter(file_attributes, sizeof(FILE_NETWORK_OPEN_INFORMATION),
                         WRITE))
@@ -270,28 +287,29 @@ NTSTATUS WINAPI TargetNtQueryFullAttribu
     InOutCountedBuffer file_info(file_attributes,
                                  sizeof(FILE_NETWORK_OPEN_INFORMATION));
 
     uint32_t broker = FALSE;
     CountedParameterSet<FileName> params;
     params[FileName::NAME] = ParamPickerMake(name);
     params[FileName::BROKER] = ParamPickerMake(broker);
 
-    if (!QueryBroker(IPC_NTQUERYFULLATTRIBUTESFILE_TAG, params.GetBase()))
-      break;
-
     SharedMemIPCClient ipc(memory);
     CrossCallReturn answer = {0};
     ResultCode code = CrossCall(ipc, IPC_NTQUERYFULLATTRIBUTESFILE_TAG, name,
                                 attributes, file_info, &answer);
 
     if (SBOX_ALL_OK != code)
       break;
 
     status = answer.nt_status;
+
+    mozilla::sandboxing::LogAllowed("NtQueryFullAttributesFile",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   if (name)
     operator delete(name, NT_ALLOC);
 
   return status;
 }
 
@@ -300,16 +318,18 @@ NTSTATUS WINAPI TargetNtSetInformationFi
     PIO_STATUS_BLOCK io_status, PVOID file_info, ULONG length,
     FILE_INFORMATION_CLASS file_info_class) {
   // Check if the process can open it first.
   NTSTATUS status = orig_SetInformationFile(file, io_status, file_info, length,
                                             file_info_class);
   if (STATUS_ACCESS_DENIED != status)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtSetInformationFile");
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
 
   wchar_t* name = NULL;
   do {
     void* memory = GetGlobalIPCMemory();
     if (NULL == memory)
@@ -343,34 +363,32 @@ NTSTATUS WINAPI TargetNtSetInformationFi
     if (!NT_SUCCESS(ret) || !name)
       break;
 
     uint32_t broker = FALSE;
     CountedParameterSet<FileName> params;
     params[FileName::NAME] = ParamPickerMake(name);
     params[FileName::BROKER] = ParamPickerMake(broker);
 
-    if (!QueryBroker(IPC_NTSETINFO_RENAME_TAG, params.GetBase()))
-      break;
-
     InOutCountedBuffer io_status_buffer(io_status, sizeof(IO_STATUS_BLOCK));
     // This is actually not an InOut buffer, only In, but using InOut facility
     // really helps to simplify the code.
     InOutCountedBuffer file_info_buffer(file_info, length);
 
     SharedMemIPCClient ipc(memory);
     CrossCallReturn answer = {0};
     ResultCode code = CrossCall(ipc, IPC_NTSETINFO_RENAME_TAG, file,
                                 io_status_buffer, file_info_buffer, length,
                                 file_info_class, &answer);
 
     if (SBOX_ALL_OK != code)
       break;
 
     status = answer.nt_status;
+    mozilla::sandboxing::LogAllowed("NtSetInformationFile");
   } while (false);
 
   if (name)
     operator delete(name, NT_ALLOC);
 
   return status;
 }
 
--- a/security/sandbox/chromium/sandbox/win/src/handle_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/handle_interception.cc
@@ -5,16 +5,17 @@
 #include "sandbox/win/src/handle_interception.h"
 
 #include "sandbox/win/src/crosscall_client.h"
 #include "sandbox/win/src/ipc_tags.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace sandbox {
 
 ResultCode DuplicateHandleProxy(HANDLE source_handle,
                                 DWORD target_process_id,
                                 HANDLE* target_handle,
                                 DWORD desired_access,
                                 DWORD options) {
@@ -29,17 +30,19 @@ ResultCode DuplicateHandleProxy(HANDLE s
   ResultCode code = CrossCall(ipc, IPC_DUPLICATEHANDLEPROXY_TAG,
                               source_handle, target_process_id,
                               desired_access, options, &answer);
   if (SBOX_ALL_OK != code)
     return code;
 
   if (answer.win32_result) {
     ::SetLastError(answer.win32_result);
+    mozilla::sandboxing::LogBlocked("DuplicateHandle");
     return SBOX_ERROR_GENERIC;
   }
 
   *target_handle = answer.handle;
+  mozilla::sandboxing::LogAllowed("DuplicateHandle");
   return SBOX_ALL_OK;
 }
 
 }  // namespace sandbox
 
--- a/security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc
@@ -7,31 +7,34 @@
 #include "sandbox/win/src/crosscall_client.h"
 #include "sandbox/win/src/ipc_tags.h"
 #include "sandbox/win/src/policy_params.h"
 #include "sandbox/win/src/policy_target.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace sandbox {
 
 HANDLE WINAPI TargetCreateNamedPipeW(
     CreateNamedPipeWFunction orig_CreateNamedPipeW, LPCWSTR pipe_name,
     DWORD open_mode, DWORD pipe_mode, DWORD max_instance, DWORD out_buffer_size,
     DWORD in_buffer_size, DWORD default_timeout,
     LPSECURITY_ATTRIBUTES security_attributes) {
   HANDLE pipe = orig_CreateNamedPipeW(pipe_name, open_mode, pipe_mode,
                                       max_instance, out_buffer_size,
                                       in_buffer_size, default_timeout,
                                       security_attributes);
   if (INVALID_HANDLE_VALUE != pipe)
     return pipe;
 
+  mozilla::sandboxing::LogBlocked("CreateNamedPipeW", pipe_name);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return INVALID_HANDLE_VALUE;
 
   DWORD original_error = ::GetLastError();
 
   // We don't support specific Security Attributes.
   if (security_attributes)
@@ -57,16 +60,17 @@ HANDLE WINAPI TargetCreateNamedPipeW(
     if (SBOX_ALL_OK != code)
       break;
 
     ::SetLastError(answer.win32_result);
 
     if (ERROR_SUCCESS != answer.win32_result)
       return INVALID_HANDLE_VALUE;
 
+    mozilla::sandboxing::LogAllowed("CreateNamedPipeW", pipe_name);
     return answer.handle;
   } while (false);
 
   ::SetLastError(original_error);
   return INVALID_HANDLE_VALUE;
 }
 
 }  // namespace sandbox
--- a/security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc
@@ -9,32 +9,34 @@
 #include "sandbox/win/src/crosscall_client.h"
 #include "sandbox/win/src/ipc_tags.h"
 #include "sandbox/win/src/policy_params.h"
 #include "sandbox/win/src/policy_target.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace sandbox {
 
 SANDBOX_INTERCEPT NtExports g_nt;
 
 // Hooks NtOpenThread and proxy the call to the broker if it's trying to
 // open a thread in the same process.
 NTSTATUS WINAPI TargetNtOpenThread(NtOpenThreadFunction orig_OpenThread,
                                    PHANDLE thread, ACCESS_MASK desired_access,
                                    POBJECT_ATTRIBUTES object_attributes,
                                    PCLIENT_ID client_id) {
   NTSTATUS status = orig_OpenThread(thread, desired_access, object_attributes,
                                     client_id);
   if (NT_SUCCESS(status))
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtOpenThread");
   do {
     if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
       break;
     if (!client_id)
       break;
 
     uint32_t thread_id = 0;
     bool should_break = false;
@@ -90,16 +92,17 @@ NTSTATUS WINAPI TargetNtOpenThread(NtOpe
 
     __try {
       // Write the output parameters.
       *thread = answer.handle;
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
 
+    mozilla::sandboxing::LogAllowed("NtOpenThread");
     return answer.nt_status;
   } while (false);
 
   return status;
 }
 
 // Hooks NtOpenProcess and proxy the call to the broker if it's trying to
 // open the current process.
@@ -174,16 +177,17 @@ NTSTATUS WINAPI TargetNtOpenProcess(NtOp
 
 NTSTATUS WINAPI TargetNtOpenProcessToken(
     NtOpenProcessTokenFunction orig_OpenProcessToken, HANDLE process,
     ACCESS_MASK desired_access, PHANDLE token) {
   NTSTATUS status = orig_OpenProcessToken(process, desired_access, token);
   if (NT_SUCCESS(status))
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtOpenProcessToken");
   do {
     if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
       break;
 
     if (CURRENT_PROCESS != process)
       break;
 
     if (!ValidParameter(token, sizeof(HANDLE), WRITE))
@@ -205,30 +209,32 @@ NTSTATUS WINAPI TargetNtOpenProcessToken
 
     __try {
       // Write the output parameters.
       *token = answer.handle;
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
 
+    mozilla::sandboxing::LogAllowed("NtOpenProcessToken");
     return answer.nt_status;
   } while (false);
 
   return status;
 }
 
 NTSTATUS WINAPI TargetNtOpenProcessTokenEx(
     NtOpenProcessTokenExFunction orig_OpenProcessTokenEx, HANDLE process,
     ACCESS_MASK desired_access, ULONG handle_attributes, PHANDLE token) {
   NTSTATUS status = orig_OpenProcessTokenEx(process, desired_access,
                                             handle_attributes, token);
   if (NT_SUCCESS(status))
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtOpenProcessTokenEx");
   do {
     if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
       break;
 
     if (CURRENT_PROCESS != process)
       break;
 
     if (!ValidParameter(token, sizeof(HANDLE), WRITE))
@@ -250,16 +256,17 @@ NTSTATUS WINAPI TargetNtOpenProcessToken
 
     __try {
       // Write the output parameters.
       *token = answer.handle;
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
 
+    mozilla::sandboxing::LogAllowed("NtOpenProcessTokenEx");
     return answer.nt_status;
   } while (false);
 
   return status;
 }
 
 BOOL WINAPI TargetCreateProcessW(CreateProcessWFunction orig_CreateProcessW,
                                  LPCWSTR application_name, LPWSTR command_line,
@@ -272,16 +279,18 @@ BOOL WINAPI TargetCreateProcessW(CreateP
   if (SandboxFactory::GetTargetServices()->GetState()->IsCsrssConnected() &&
       orig_CreateProcessW(application_name, command_line, process_attributes,
                           thread_attributes, inherit_handles, flags,
                           environment, current_directory, startup_info,
                           process_information)) {
     return TRUE;
   }
 
+  mozilla::sandboxing::LogBlocked("CreateProcessW", application_name);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return FALSE;
 
   // Don't call GetLastError before InitCalled() succeeds because kernel32 may
   // not be mapped yet.
   DWORD original_error = ::GetLastError();
 
@@ -312,16 +321,17 @@ BOOL WINAPI TargetCreateProcessW(CreateP
                                 proc_info, &answer);
     if (SBOX_ALL_OK != code)
       break;
 
     ::SetLastError(answer.win32_result);
     if (ERROR_SUCCESS != answer.win32_result)
       return FALSE;
 
+    mozilla::sandboxing::LogAllowed("CreateProcessW", application_name);
     return TRUE;
   } while (false);
 
   ::SetLastError(original_error);
   return FALSE;
 }
 
 BOOL WINAPI TargetCreateProcessA(CreateProcessAFunction orig_CreateProcessA,
@@ -335,16 +345,18 @@ BOOL WINAPI TargetCreateProcessA(CreateP
   if (SandboxFactory::GetTargetServices()->GetState()->IsCsrssConnected() &&
       orig_CreateProcessA(application_name, command_line, process_attributes,
                           thread_attributes, inherit_handles, flags,
                           environment, current_directory, startup_info,
                           process_information)) {
     return TRUE;
   }
 
+  mozilla::sandboxing::LogBlocked("CreateProcessA", application_name);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return FALSE;
 
   // Don't call GetLastError before InitCalled() succeeds because kernel32 may
   // not be mapped yet.
   DWORD original_error = ::GetLastError();
 
@@ -409,16 +421,17 @@ BOOL WINAPI TargetCreateProcessA(CreateP
 
     if (SBOX_ALL_OK != code)
       break;
 
     ::SetLastError(answer.win32_result);
     if (ERROR_SUCCESS != answer.win32_result)
       return FALSE;
 
+    mozilla::sandboxing::LogAllowed("CreateProcessA", application_name);
     return TRUE;
   } while (false);
 
   ::SetLastError(original_error);
   return FALSE;
 }
 
 HANDLE WINAPI TargetCreateThread(CreateThreadFunction orig_CreateThread,
--- a/security/sandbox/chromium/sandbox/win/src/registry_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/registry_interception.cc
@@ -9,31 +9,38 @@
 #include "sandbox/win/src/crosscall_client.h"
 #include "sandbox/win/src/ipc_tags.h"
 #include "sandbox/win/src/policy_params.h"
 #include "sandbox/win/src/policy_target.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace sandbox {
 
 NTSTATUS WINAPI TargetNtCreateKey(NtCreateKeyFunction orig_CreateKey,
                                   PHANDLE key, ACCESS_MASK desired_access,
                                   POBJECT_ATTRIBUTES object_attributes,
                                   ULONG title_index, PUNICODE_STRING class_name,
                                   ULONG create_options, PULONG disposition) {
   // Check if the process can create it first.
   NTSTATUS status = orig_CreateKey(key, desired_access, object_attributes,
                                    title_index, class_name, create_options,
                                    disposition);
   if (NT_SUCCESS(status))
     return status;
 
+  if (STATUS_OBJECT_NAME_NOT_FOUND != status) {
+    mozilla::sandboxing::LogBlocked("NtCreateKey",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
+  }
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
 
   do {
     if (!ValidParameter(key, sizeof(HANDLE), WRITE))
       break;
 
@@ -109,16 +116,19 @@ NTSTATUS WINAPI TargetNtCreateKey(NtCrea
 
       if (disposition)
        *disposition = answer.extended[0].unsigned_int;
 
       status = answer.nt_status;
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
+    mozilla::sandboxing::LogAllowed("NtCreateKey",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   return status;
 }
 
 NTSTATUS WINAPI CommonNtOpenKey(NTSTATUS status, PHANDLE key,
                                 ACCESS_MASK desired_access,
                                 POBJECT_ATTRIBUTES object_attributes) {
@@ -185,29 +195,38 @@ NTSTATUS WINAPI CommonNtOpenKey(NTSTATUS
         break;
 
     __try {
       *key = answer.handle;
       status = answer.nt_status;
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
+    mozilla::sandboxing::LogAllowed("NtOpenKey[Ex]",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   return status;
 }
 
 NTSTATUS WINAPI TargetNtOpenKey(NtOpenKeyFunction orig_OpenKey, PHANDLE key,
                                 ACCESS_MASK desired_access,
                                 POBJECT_ATTRIBUTES object_attributes) {
   // Check if the process can open it first.
   NTSTATUS status = orig_OpenKey(key, desired_access, object_attributes);
   if (NT_SUCCESS(status))
     return status;
 
+  if (STATUS_OBJECT_NAME_NOT_FOUND != status) {
+    mozilla::sandboxing::LogBlocked("NtOpenKey",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
+  }
+
   return CommonNtOpenKey(status, key, desired_access, object_attributes);
 }
 
 NTSTATUS WINAPI TargetNtOpenKeyEx(NtOpenKeyExFunction orig_OpenKeyEx,
                                   PHANDLE key, ACCESS_MASK desired_access,
                                   POBJECT_ATTRIBUTES object_attributes,
                                   ULONG open_options) {
   // Check if the process can open it first.
@@ -215,12 +234,18 @@ NTSTATUS WINAPI TargetNtOpenKeyEx(NtOpen
                                    open_options);
 
   // We do not support open_options at this time. The 2 current known values
   // are REG_OPTION_CREATE_LINK, to open a symbolic link, and
   // REG_OPTION_BACKUP_RESTORE to open the key with special privileges.
   if (NT_SUCCESS(status) || open_options != 0)
     return status;
 
+  if (STATUS_OBJECT_NAME_NOT_FOUND != status) {
+    mozilla::sandboxing::LogBlocked("NtOpenKeyEx",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
+  }
+
   return CommonNtOpenKey(status, key, desired_access, object_attributes);
 }
 
 }  // namespace sandbox
--- a/security/sandbox/chromium/sandbox/win/src/registry_policy.cc
+++ b/security/sandbox/chromium/sandbox/win/src/registry_policy.cc
@@ -15,17 +15,18 @@
 #include "sandbox/win/src/sandbox_types.h"
 #include "sandbox/win/src/sandbox_utils.h"
 #include "sandbox/win/src/win_utils.h"
 
 namespace {
 
 static const uint32_t kAllowedRegFlags =
     KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY | KEY_READ |
-    GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL;
+    GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL | KEY_WOW64_64KEY |
+    KEY_WOW64_32KEY;
 
 // Opens the key referenced by |obj_attributes| with |access| and
 // checks what permission was given. Remove the WRITE flags and update
 // |access| with the new value.
 NTSTATUS TranslateMaximumAllowed(OBJECT_ATTRIBUTES* obj_attributes,
                                  DWORD* access) {
   NtOpenKeyFunction NtOpenKey = NULL;
   ResolveNTFunctionPtr("NtOpenKey", &NtOpenKey);
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token.cc
+++ b/security/sandbox/chromium/sandbox/win/src/restricted_token.cc
@@ -254,16 +254,50 @@ DWORD RestrictedToken::AddAllSidsForDeny
             reinterpret_cast<SID*>(token_groups->Groups[i].Sid));
       }
     }
   }
 
   return ERROR_SUCCESS;
 }
 
+DWORD RestrictedToken::AddDenyOnlySids(const std::vector<Sid>& deny_only_sids) {
+  DCHECK(init_);
+  if (!init_) {
+    return ERROR_NO_TOKEN;
+  }
+
+  DWORD error;
+  std::unique_ptr<BYTE[]> buffer =
+    GetTokenInfo(effective_token_, TokenGroups, &error);
+
+  if (!buffer) {
+    return error;
+  }
+
+  TOKEN_GROUPS* token_groups = reinterpret_cast<TOKEN_GROUPS*>(buffer.get());
+
+  // Build the list of the deny only group SIDs
+  for (unsigned int i = 0; i < token_groups->GroupCount ; ++i) {
+    if ((token_groups->Groups[i].Attributes & SE_GROUP_INTEGRITY) == 0 &&
+        (token_groups->Groups[i].Attributes & SE_GROUP_LOGON_ID) == 0) {
+      for (unsigned int j = 0; j < deny_only_sids.size(); ++j) {
+        if (::EqualSid(const_cast<SID*>(deny_only_sids[j].GetPSID()),
+                       token_groups->Groups[i].Sid)) {
+          sids_for_deny_only_.push_back(
+              reinterpret_cast<SID*>(token_groups->Groups[i].Sid));
+          break;
+        }
+      }
+    }
+  }
+
+  return ERROR_SUCCESS;
+}
+
 DWORD RestrictedToken::AddSidForDenyOnly(const Sid &sid) {
   DCHECK(init_);
   if (!init_)
     return ERROR_NO_TOKEN;
 
   sids_for_deny_only_.push_back(sid);
   return ERROR_SUCCESS;
 }
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token.h
+++ b/security/sandbox/chromium/sandbox/win/src/restricted_token.h
@@ -83,16 +83,27 @@ class RestrictedToken {
   //    std::vector<Sid> sid_exceptions;
   //    sid_exceptions.push_back(ATL::Sids::Users().GetPSID());
   //    sid_exceptions.push_back(ATL::Sids::World().GetPSID());
   //    restricted_token.AddAllSidsForDenyOnly(&sid_exceptions);
   // Note: A Sid marked for Deny Only in a token cannot be used to grant
   // access to any resource. It can only be used to deny access.
   DWORD AddAllSidsForDenyOnly(std::vector<Sid> *exceptions);
 
+  // Lists all sids in the token and mark them as Deny Only if present in the
+  // deny_only_sids parameter.
+  //
+  // If the function succeeds, the return value is ERROR_SUCCESS. If the
+  // function fails, the return value is the win32 error code corresponding to
+  // the error.
+  //
+  // Note: A Sid marked for Deny Only in a token cannot be used to grant
+  // access to any resource. It can only be used to deny access.
+  DWORD AddDenyOnlySids(const std::vector<Sid>& deny_only_sids);
+
   // Adds a user or group SID for Deny Only in the restricted token.
   // Parameter: sid is the SID to add in the Deny Only list.
   // The return value is always ERROR_SUCCESS.
   //
   // Sample Usage:
   //    restricted_token.AddSidForDenyOnly(ATL::Sids::Admins().GetPSID());
   DWORD AddSidForDenyOnly(const Sid &sid);
 
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
@@ -26,16 +26,17 @@ DWORD CreateRestrictedToken(TokenLevel s
                             base::win::ScopedHandle* token) {
   RestrictedToken restricted_token;
   restricted_token.Init(NULL);  // Initialized with the current process token
   if (lockdown_default_dacl)
     restricted_token.SetLockdownDefaultDacl();
 
   std::vector<base::string16> privilege_exceptions;
   std::vector<Sid> sid_exceptions;
+  std::vector<Sid> deny_only_sids;
 
   bool deny_sids = true;
   bool remove_privileges = true;
 
   switch (security_level) {
     case USER_UNPROTECTED: {
       deny_sids = false;
       remove_privileges = false;
@@ -50,20 +51,26 @@ DWORD CreateRestrictedToken(TokenLevel s
         if (ERROR_SUCCESS != err_code) {
           return err_code;
         }
       }
 
       break;
     }
     case USER_NON_ADMIN: {
-      sid_exceptions.push_back(WinBuiltinUsersSid);
-      sid_exceptions.push_back(WinWorldSid);
-      sid_exceptions.push_back(WinInteractiveSid);
-      sid_exceptions.push_back(WinAuthenticatedUserSid);
+      deny_sids = false;
+      deny_only_sids.push_back(WinBuiltinAdministratorsSid);
+      deny_only_sids.push_back(WinAccountAdministratorSid);
+      deny_only_sids.push_back(WinAccountDomainAdminsSid);
+      deny_only_sids.push_back(WinAccountCertAdminsSid);
+      deny_only_sids.push_back(WinAccountSchemaAdminsSid);
+      deny_only_sids.push_back(WinAccountEnterpriseAdminsSid);
+      deny_only_sids.push_back(WinAccountPolicyAdminsSid);
+      deny_only_sids.push_back(WinBuiltinHyperVAdminsSid);
+      deny_only_sids.push_back(WinLocalAccountAndAdministratorSid);
       privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
       break;
     }
     case USER_INTERACTIVE: {
       sid_exceptions.push_back(WinBuiltinUsersSid);
       sid_exceptions.push_back(WinWorldSid);
       sid_exceptions.push_back(WinInteractiveSid);
       sid_exceptions.push_back(WinAuthenticatedUserSid);
@@ -116,16 +123,21 @@ DWORD CreateRestrictedToken(TokenLevel s
     }
   }
 
   DWORD err_code = ERROR_SUCCESS;
   if (deny_sids) {
     err_code = restricted_token.AddAllSidsForDenyOnly(&sid_exceptions);
     if (ERROR_SUCCESS != err_code)
       return err_code;
+  } else if (!deny_only_sids.empty()) {
+    err_code = restricted_token.AddDenyOnlySids(deny_only_sids);
+    if (ERROR_SUCCESS != err_code) {
+      return err_code;
+    }
   }
 
   if (remove_privileges) {
     err_code = restricted_token.DeleteAllPrivileges(&privilege_exceptions);
     if (ERROR_SUCCESS != err_code)
       return err_code;
   }
 
--- a/security/sandbox/chromium/sandbox/win/src/sync_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/sync_interception.cc
@@ -9,16 +9,17 @@
 #include "sandbox/win/src/crosscall_client.h"
 #include "sandbox/win/src/ipc_tags.h"
 #include "sandbox/win/src/policy_params.h"
 #include "sandbox/win/src/policy_target.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace sandbox {
 
 ResultCode ProxyCreateEvent(LPCWSTR name,
                             uint32_t initial_state,
                             EVENT_TYPE event_type,
                             void* ipc_memory,
                             CrossCallReturn* answer) {
@@ -59,16 +60,20 @@ NTSTATUS WINAPI TargetNtCreateEvent(NtCr
                                     EVENT_TYPE event_type,
                                     BOOLEAN initial_state) {
   NTSTATUS status = orig_CreateEvent(event_handle, desired_access,
                                      object_attributes, event_type,
                                      initial_state);
   if (status != STATUS_ACCESS_DENIED || !object_attributes)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtCreatEvent",
+                                  object_attributes->ObjectName->Buffer,
+                                  object_attributes->ObjectName->Length);
+
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
 
   do {
     if (!ValidParameter(event_handle, sizeof(HANDLE), WRITE))
       break;
 
@@ -98,30 +103,37 @@ NTSTATUS WINAPI TargetNtCreateEvent(NtCr
       break;
     }
     __try {
       *event_handle = answer.handle;
       status = STATUS_SUCCESS;
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
+    mozilla::sandboxing::LogAllowed("NtCreateEvent",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   return status;
 }
 
 NTSTATUS WINAPI TargetNtOpenEvent(NtOpenEventFunction orig_OpenEvent,
                                   PHANDLE event_handle,
                                   ACCESS_MASK desired_access,
                                   POBJECT_ATTRIBUTES object_attributes) {
   NTSTATUS status = orig_OpenEvent(event_handle, desired_access,
                                    object_attributes);
   if (status != STATUS_ACCESS_DENIED || !object_attributes)
     return status;
 
+  mozilla::sandboxing::LogBlocked("NtOpenEvent",
+                                  object_attributes->ObjectName->Buffer,
+                                  object_attributes->ObjectName->Length);
+  //
   // We don't trust that the IPC can work this early.
   if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
     return status;
 
   do {
     if (!ValidParameter(event_handle, sizeof(HANDLE), WRITE))
       break;
 
@@ -150,14 +162,17 @@ NTSTATUS WINAPI TargetNtOpenEvent(NtOpen
       break;
     }
     __try {
       *event_handle = answer.handle;
       status = STATUS_SUCCESS;
     } __except(EXCEPTION_EXECUTE_HANDLER) {
       break;
     }
+    mozilla::sandboxing::LogAllowed("NtOpenEvent",
+                                    object_attributes->ObjectName->Buffer,
+                                    object_attributes->ObjectName->Length);
   } while (false);
 
   return status;
 }
 
 }  // namespace sandbox
--- a/security/sandbox/chromium/sandbox/win/src/win_utils.cc
+++ b/security/sandbox/chromium/sandbox/win/src/win_utils.cc
@@ -190,63 +190,68 @@ bool ResolveRegistryName(base::string16 
 
   return false;
 }
 
 // |full_path| can have any of the following forms:
 //    \??\c:\some\foo\bar
 //    \Device\HarddiskVolume0\some\foo\bar
 //    \??\HarddiskVolume0\some\foo\bar
+//    \??\UNC\SERVER\Share\some\foo\bar
 DWORD IsReparsePoint(const base::string16& full_path) {
   // Check if it's a pipe. We can't query the attributes of a pipe.
   if (IsPipe(full_path))
     return ERROR_NOT_A_REPARSE_POINT;
 
   base::string16 path;
   bool nt_path = IsNTPath(full_path, &path);
   bool has_drive = StartsWithDriveLetter(path);
   bool is_device_path = IsDevicePath(path, &path);
 
   if (!has_drive && !is_device_path && !nt_path)
     return ERROR_INVALID_NAME;
 
-  bool added_implied_device = false;
   if (!has_drive) {
-      path = base::string16(kNTDotPrefix) + path;
-      added_implied_device = true;
+    // Add Win32 device namespace prefix, required for some Windows APIs.
+    path.insert(0, kNTDotPrefix);
   }
 
-  base::string16::size_type last_pos = base::string16::npos;
-  bool passed_once = false;
+  // Ensure that volume path matches start of path.
+  wchar_t vol_path[MAX_PATH];
+  if (!::GetVolumePathNameW(path.c_str(), vol_path, MAX_PATH)) {
+    // This will fail if this is a device that isn't volume related, which can't
+    // then be a reparse point.
+    return is_device_path ? ERROR_NOT_A_REPARSE_POINT : ERROR_INVALID_NAME;
+  }
+
+  // vol_path includes a trailing slash, so reduce size for path and loop check.
+  size_t vol_path_len = wcslen(vol_path) - 1;
+  if (!EqualPath(path, vol_path, vol_path_len)) {
+    return ERROR_INVALID_NAME;
+  }
 
   do {
-    path = path.substr(0, last_pos);
-
     DWORD attributes = ::GetFileAttributes(path.c_str());
     if (INVALID_FILE_ATTRIBUTES == attributes) {
       DWORD error = ::GetLastError();
       if (error != ERROR_FILE_NOT_FOUND &&
           error != ERROR_PATH_NOT_FOUND &&
+          error != ERROR_INVALID_FUNCTION &&
           error != ERROR_INVALID_NAME) {
         // Unexpected error.
-        if (passed_once && added_implied_device &&
-            (path.rfind(L'\\') == kNTDotPrefixLen - 1)) {
-          break;
-        }
         NOTREACHED_NT();
         return error;
       }
     } else if (FILE_ATTRIBUTE_REPARSE_POINT & attributes) {
       // This is a reparse point.
       return ERROR_SUCCESS;
     }
 
-    passed_once = true;
-    last_pos = path.rfind(L'\\');
-  } while (last_pos > 2);  // Skip root dir.
+    path.resize(path.rfind(L'\\'));
+  } while (path.size() > vol_path_len);  // Skip root dir.
 
   return ERROR_NOT_A_REPARSE_POINT;
 }
 
 // We get a |full_path| of the forms accepted by IsReparsePoint(), and the name
 // we'll get from |handle| will be \device\harddiskvolume1\some\foo\bar.
 bool SameObject(HANDLE handle, const wchar_t* full_path) {
   // Check if it's a pipe.
@@ -256,63 +261,67 @@ bool SameObject(HANDLE handle, const wch
   base::string16 actual_path;
   if (!GetPathFromHandle(handle, &actual_path))
     return false;
 
   base::string16 path(full_path);
   DCHECK_NT(!path.empty());
 
   // This may end with a backslash.
-  const wchar_t kBackslash = '\\';
-  if (path.back() == kBackslash)
-    path = path.substr(0, path.length() - 1);
+  if (path.back() == L'\\') {
+    path.pop_back();
+  }
 
-  // Perfect match (case-insesitive check).
+  // Perfect match (case-insensitive check).
   if (EqualPath(actual_path, path))
     return true;
 
   bool nt_path = IsNTPath(path, &path);
   bool has_drive = StartsWithDriveLetter(path);
 
   if (!has_drive && nt_path) {
     base::string16 simple_actual_path;
-    if (!IsDevicePath(actual_path, &simple_actual_path))
-      return false;
-
-    // Perfect match (case-insesitive check).
-    return (EqualPath(simple_actual_path, path));
+    if (IsDevicePath(path, &path)) {
+      if (IsDevicePath(actual_path, &simple_actual_path)) {
+        // Perfect match (case-insensitive check).
+        return (EqualPath(simple_actual_path, path));
+      } else {
+        return false;
+      }
+    } else {
+      // Add Win32 device namespace for GetVolumePathName.
+      path.insert(0, kNTDotPrefix);
+    }
   }
 
-  if (!has_drive)
+  // Get the volume path in the same format as actual_path.
+  wchar_t vol_path[MAX_PATH];
+  if (!::GetVolumePathName(path.c_str(), vol_path, MAX_PATH)) {
     return false;
-
-  // We only need 3 chars, but let's alloc a buffer for four.
-  wchar_t drive[4] = {0};
-  wchar_t vol_name[MAX_PATH];
-  memcpy(drive, &path[0], 2 * sizeof(*drive));
-
-  // We'll get a double null terminated string.
-  DWORD vol_length = ::QueryDosDeviceW(drive, vol_name, MAX_PATH);
-  if (vol_length < 2 || vol_length == MAX_PATH)
+  }
+  size_t vol_path_len = wcslen(vol_path);
+  base::string16 nt_vol;
+  if (!GetNtPathFromWin32Path(vol_path, &nt_vol)) {
     return false;
-
-  // Ignore the nulls at the end.
-  vol_length = static_cast<DWORD>(wcslen(vol_name));
+  }
 
   // The two paths should be the same length.
-  if (vol_length + path.size() - 2 != actual_path.size())
+  if (nt_vol.size() + path.size() - vol_path_len != actual_path.size()) {
     return false;
+  }
 
-  // Check up to the drive letter.
-  if (!EqualPath(actual_path, vol_name, vol_length))
+  // Check the volume matches.
+  if (!EqualPath(actual_path, nt_vol.c_str(), nt_vol.size())) {
     return false;
+  }
 
-  // Check the path after the drive letter.
-  if (!EqualPath(actual_path, vol_length, path, 2))
+  // Check the path after the volume matches.
+  if (!EqualPath(actual_path, nt_vol.size(), path, vol_path_len)) {
     return false;
+  }
 
   return true;
 }
 
 // Just make a best effort here.  There are lots of corner cases that we're
 // not expecting - and will fail to make long.
 bool ConvertToLongPath(base::string16* native_path,
                        const base::string16* drive_letter) {
deleted file mode 100644
--- a/security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-Please add a link to the bugzilla bug and patch name that should be re-applied.
-Also, please update any existing links to their actual mozilla-central changeset.
-
-https://hg.mozilla.org/mozilla-central/rev/a05726163a79
-https://hg.mozilla.org/mozilla-central/rev/e834e810a3fa
-https://hg.mozilla.org/mozilla-central/rev/c70d06fa5302
-https://hg.mozilla.org/mozilla-central/rev/d24db55deb85
-https://hg.mozilla.org/mozilla-central/rev/0e6bf137521e
-https://hg.mozilla.org/mozilla-central/rev/1755a454e2de
-https://bugzilla.mozilla.org/show_bug.cgi?id=1385928 bug1385928.patch
-https://chromium.googlesource.com/chromium/src/+/0cb5dadc2b1f84fbbd9c6f75056e38d05a5b07d3
-https://chromium.googlesource.com/chromium/src/+/db4c64b63d6098294ed255e962700fd2d465575e
deleted file mode 100644
--- a/security/sandbox/moz-chromium-commit-status.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Chromium Commit                            Directory / File (relative to security/sandbox/)
-----------------------------------------   ------------------------------------------------
-b169b9a1cc402573843e8c952af14c4e43487e91   chromium
-611754aea9d1c0ba5c7980fa267fd005dc249b85   chromium/sandbox/win/src/policy_target.cc