Bug 1284897 - Add mechanism to libsandbox_s to track names of files that have been given special sandbox access permissions (PermissionsService). r=bobowen
☠☠ backed out by 883e0e945f7a ☠ ☠
authorDavid Parks <dparks@mozilla.com>
Fri, 20 Jan 2017 08:27:57 -0800
changeset 373202 0740284125d33ce825023ae66fdf07484f62f0c4
parent 373201 71b9ac06a60a570b6a7ce4560a685f642122a9d4
child 373203 c35afe490583c88e2c6a7041aad3d1451b3e82bc
push id10863
push userjlorenzo@mozilla.com
push dateMon, 06 Mar 2017 23:02:23 +0000
reviewersbobowen
bugs1284897
milestone54.0a1
Bug 1284897 - Add mechanism to libsandbox_s to track names of files that have been given special sandbox access permissions (PermissionsService). r=bobowen Hook this into the browser via the XREAppData. This patch contains only the changes to Chromium source code.
security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
+++ b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
@@ -12,16 +12,18 @@
 #include "sandbox/win/src/interception.h"
 #include "sandbox/win/src/interceptors.h"
 #include "sandbox/win/src/ipc_tags.h"
 #include "sandbox/win/src/policy_broker.h"
 #include "sandbox/win/src/policy_params.h"
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/sandbox_nt_util.h"
 
+#include "mozilla/sandboxing/permissionsService.h"
+
 namespace sandbox {
 
 FilesystemDispatcher::FilesystemDispatcher(PolicyBase* policy_base)
     : policy_base_(policy_base) {
   static const IPCCall create_params = {
       {IPC_NTCREATEFILE_TAG,
        {WCHAR_TYPE,
         UINT32_TYPE,
@@ -110,16 +112,26 @@ bool FilesystemDispatcher::NtCreateFile(
   params[OpenFile::OPTIONS] = ParamPickerMake(create_options);
   params[OpenFile::BROKER] = ParamPickerMake(broker);
 
   // To evaluate the policy we need to call back to the policy object. We
   // are just middlemen in the operation since is the FileSystemPolicy which
   // knows what to do.
   EvalResult result = policy_base_->EvalPolicy(IPC_NTCREATEFILE_TAG,
                                                params.GetBase());
+
+  // If the policies forbid access (any result other than ASK_BROKER),
+  // then check for user-granted access to file.
+  if (ASK_BROKER != result &&
+      mozilla::sandboxing::PermissionsService::GetInstance()->
+        UserGrantedFileAccess(ipc->client_info->process_id, filename,
+                              desired_access, create_disposition)) {
+    result = ASK_BROKER;
+  }
+
   HANDLE handle;
   ULONG_PTR io_information = 0;
   NTSTATUS nt_status;
   if (!FileSystemPolicy::CreateFileAction(result, *ipc->client_info, *name,
                                           attributes, desired_access,
                                           file_attributes, share_access,
                                           create_disposition, create_options,
                                           &handle, &nt_status,
@@ -157,16 +169,26 @@ bool FilesystemDispatcher::NtOpenFile(IP
   params[OpenFile::OPTIONS] = ParamPickerMake(open_options);
   params[OpenFile::BROKER] = ParamPickerMake(broker);
 
   // To evaluate the policy we need to call back to the policy object. We
   // are just middlemen in the operation since is the FileSystemPolicy which
   // knows what to do.
   EvalResult result = policy_base_->EvalPolicy(IPC_NTOPENFILE_TAG,
                                                params.GetBase());
+
+  // If the policies forbid access (any result other than ASK_BROKER),
+  // then check for user-granted access to file.
+  if (ASK_BROKER != result &&
+      mozilla::sandboxing::PermissionsService::GetInstance()->UserGrantedFileAccess(
+                                    ipc->client_info->process_id, filename,
+                                    desired_access, create_disposition)) {
+    result = ASK_BROKER;
+  }
+
   HANDLE handle;
   ULONG_PTR io_information = 0;
   NTSTATUS nt_status;
   if (!FileSystemPolicy::OpenFileAction(result, *ipc->client_info, *name,
                                         attributes, desired_access,
                                         share_access, open_options, &handle,
                                         &nt_status, &io_information)) {
     ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
@@ -65,19 +65,16 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre
     uint32_t broker = FALSE;
     CountedParameterSet<OpenFile> params;
     params[OpenFile::NAME] = ParamPickerMake(name);
     params[OpenFile::ACCESS] = ParamPickerMake(desired_access_uint32);
     params[OpenFile::DISPOSITION] = ParamPickerMake(disposition_uint32);
     params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32);
     params[OpenFile::BROKER] = ParamPickerMake(broker);
 
-    if (!QueryBroker(IPC_NTCREATEFILE_TAG, params.GetBase()))
-      break;
-
     SharedMemIPCClient ipc(memory);
     CrossCallReturn answer = {0};
     // The following call must match in the parameters with
     // FilesystemDispatcher::ProcessNtCreateFile.
     ResultCode code = CrossCall(ipc, IPC_NTCREATEFILE_TAG, name, attributes,
                                 desired_access_uint32, file_attributes, sharing,
                                 disposition, options_uint32, &answer);
     if (SBOX_ALL_OK != code)
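Review bot: With the `QueryBroker` early-out removed, `broker`, `params` and the `CountedParameterSet` filled on the lines above no longer feed anything visible in the hunk, so unless they are read later in the function (which continues outside the hunk) they are dead locals and should go with the check. The removal also means every NtCreateFile from the target now crosses the IPC to the broker, where the earlier client-side policy snapshot could previously short-circuit the call; that is a deliberate trade (the client-side check was never an enforcement point, and presumably only the broker knows the user-granted permissions), but it deserves a comment, e.g. `// No client-side policy pre-check: user-granted permissions are only known to the broker, so every request is sent across.` The same applies to TargetNtOpenFile in the following hunk, whose tail is cut off in this view.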
@@ -148,19 +145,16 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF
     uint32_t broker = FALSE;
     CountedParameterSet<OpenFile> params;
     params[OpenFile::NAME] = ParamPickerMake(name);
     params[OpenFile::ACCESS] = ParamPickerMake(desired_access_uint32);
     params[OpenFile::DISPOSITION] = ParamPickerMake(disposition_uint32);
     params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32);
     params[OpenFile::BROKER] = ParamPickerMake(broker);
 
-    if (!QueryBroker(IPC_NTOPENFILE_TAG, params.GetBase()))
-      break;
-
     SharedMemIPCClient ipc(memory);
     CrossCallReturn answer = {0};
     ResultCode code = CrossCall(ipc, IPC_NTOPENFILE_TAG, name, attributes,
                                 desired_access_uint32, sharing, options_uint32,
                                 &answer);
     if (SBOX_ALL_OK != code)
       break;