Bug 1287426 Part 8: Change the USER_NON_ADMIN token to be a restricted token with the same access. r=aklotz
author: Bob Owen <bobowencode@gmail.com>
date: Tue, 06 Sep 2016 08:57:22 +0100
changeset: 354092 32f4d07e9d99b5685bba2b75366a3c01b61468a1
parent: 354091 e834e810a3faaa0edf7c364677563589e39f5098
child: 354093 30689f91602f7bca209426bd296f275620747f9d
push id: 6570
push user: raliiev@mozilla.com
push date: Mon, 14 Nov 2016 12:26:13 +0000
reviewers: aklotz
bugs: 1287426
milestone: 51.0a1
This is to work around an issue where the call to CoInitializeSecurity in MainThreadRuntime::InitializeSecurity causes the impersonation token, used to give the pre-lockdown permissions, to be replaced with one with no rights. This only seems to happen when the lockdown token is USER_NON_ADMIN, which is not a restricted token.

MozReview-Commit-ID: 6HFuDFmWLTf
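The fix below relies on a property of restricted tokens: the kernel runs the access check twice, once against the token's normal SID list and once against its restricting SIDs, and grants access only if both passes succeed, so a restricting list that mirrors the SIDs already enabled cannot widen or narrow what the token can open. The following is an added example, not Mozilla or Chromium code, that models that two-pass check in plain C++ and compares the pre-patch and post-patch USER_NON_ADMIN layouts over a handful of constructed ACLs. The SID names are illustrative strings, the token layouts are assumptions reconstructed from the sid_exceptions and AddRestrictingSid calls in the patch, and privileges, integrity levels and ACE inheritance are deliberately left out.

```cpp
// Added example, not Mozilla or Chromium code: a simplified model of the
// Windows access check for restricted tokens, used to sanity-check the
// claim that giving USER_NON_ADMIN a restricting-SID list that mirrors its
// enabled SIDs leaves what it can open unchanged. SID names are illustrative
// strings; privileges, integrity levels and inheritance are not modelled.
#include <algorithm>
#include <string>
#include <vector>

constexpr unsigned READ = 1u, WRITE = 2u;

struct Ace {
  bool allow;       // true: access-allowed ACE, false: access-denied ACE
  std::string sid;  // SID the ACE names
  unsigned mask;    // rights it grants or denies
};

struct Token {
  std::vector<std::string> enabled;      // match allow and deny ACEs
  std::vector<std::string> deny_only;    // match deny ACEs only
  std::vector<std::string> restricting;  // empty: not a restricted token
};

static bool Has(const std::vector<std::string>& v, const std::string& s) {
  return std::find(v.begin(), v.end(), s) != v.end();
}

// One in-order walk of the ACL: a matching deny ACE for a right still wanted
// fails the check, matching allow ACEs accumulate rights until all are held.
static bool CheckPass(const std::vector<std::string>& enabled,
                      const std::vector<std::string>& deny_only,
                      const std::vector<Ace>& acl, unsigned desired) {
  unsigned granted = 0;
  for (const Ace& ace : acl) {
    unsigned remaining = desired & ~granted;
    if (remaining == 0) break;
    bool matches = Has(enabled, ace.sid) ||
                   (!ace.allow && Has(deny_only, ace.sid));
    if (!matches) continue;
    if (!ace.allow) {
      if (ace.mask & remaining) return false;
    } else {
      granted |= ace.mask & desired;
    }
  }
  return (granted & desired) == desired;
}

bool IsRestricted(const Token& t) { return !t.restricting.empty(); }

// A restricted token is checked twice, once with its normal SIDs and once
// with the restricting SIDs; access is granted only when both passes succeed.
bool AccessCheck(const Token& t, const std::vector<Ace>& acl, unsigned desired) {
  if (!CheckPass(t.enabled, t.deny_only, acl, desired)) return false;
  if (!IsRestricted(t)) return true;
  return CheckPass(t.restricting, {}, acl, desired);
}

// Assumed layout of the pre-patch USER_NON_ADMIN token: the user SID and the
// four sid_exceptions stay enabled, other group SIDs become deny-only.
Token OldNonAdmin() {
  return {{"User", "Users", "Everyone", "Interactive", "AuthenticatedUsers"},
          {"Administrators", "LogonSession"},
          {}};
}

// Post-patch token: same SIDs plus the restricting list added in the patch.
Token NewNonAdmin() {
  Token t = OldNonAdmin();
  t.restricting = {"Users", "Everyone", "Interactive", "AuthenticatedUsers",
                   "RESTRICTED", "User", "LogonSession"};
  return t;
}

// Illustrative tighter token: only an ACE for RESTRICTED can pass round two.
Token RestrictedCodeOnly() {
  Token t = OldNonAdmin();
  t.restricting = {"RESTRICTED"};
  return t;
}

// Constructed sample ACLs (not taken from any real object).
std::vector<std::vector<Ace>> SampleAcls() {
  return {
      {{true, "User", READ | WRITE}, {true, "Administrators", READ | WRITE}},
      {{true, "Administrators", READ | WRITE}},
      {{false, "Users", WRITE}, {true, "Everyone", READ | WRITE}},
      {{true, "LogonSession", READ}},
      {{true, "RESTRICTED", READ}, {true, "Everyone", READ}},
  };
}

// True when both tokens get the same answer for every sample ACL and mask.
bool SameAccess(const Token& a, const Token& b) {
  for (const auto& acl : SampleAcls())
    for (unsigned want : {READ, WRITE, READ | WRITE})
      if (AccessCheck(a, acl, want) != AccessCheck(b, acl, want)) return false;
  return true;
}
```

SameAccess(OldNonAdmin(), NewNonAdmin()) comes back true over the sample ACLs, including the one that grants only the logon session SID (deny-only in the normal pass, so the restricting pass never gets a chance to widen it), while RestrictedCodeOnly() is refused the user's own file because nothing in its restricting list matches the ACL. That is the difference between a restricting list that mirrors the enabled SIDs and one that genuinely sandboxes.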
security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
@@ -48,16 +48,29 @@ DWORD CreateRestrictedToken(TokenLevel s
       break;
     }
     case USER_NON_ADMIN: {
       sid_exceptions.push_back(WinBuiltinUsersSid);
       sid_exceptions.push_back(WinWorldSid);
       sid_exceptions.push_back(WinInteractiveSid);
       sid_exceptions.push_back(WinAuthenticatedUserSid);
       privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
+      // We need to make USER_NON_ADMIN into a restricted token to work around a
+      // conflict with a call to CoInitializeSecurity (see bug 1287426).
+      // To do this we add the same restricted SIDs as USER_INTERACTIVE, because
+      // USER_NON_ADMIN should have at least the same permissions. We also add
+      // in any that are in the deny only exception list above, which should
+      // give the new USER_NON_ADMIN token the same permissions as the old.
+      restricted_token.AddRestrictingSid(WinBuiltinUsersSid);
+      restricted_token.AddRestrictingSid(WinWorldSid);
+      restricted_token.AddRestrictingSid(WinInteractiveSid);
+      restricted_token.AddRestrictingSid(WinAuthenticatedUserSid);
+      restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
+      restricted_token.AddRestrictingSidCurrentUser();
+      restricted_token.AddRestrictingSidLogonSession();
       break;
     }
     case USER_INTERACTIVE: {
       sid_exceptions.push_back(WinBuiltinUsersSid);
       sid_exceptions.push_back(WinWorldSid);
       sid_exceptions.push_back(WinInteractiveSid);
       sid_exceptions.push_back(WinAuthenticatedUserSid);
       privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
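Review bot: the new comment in the USER_NON_ADMIN case says the restricting SIDs are "the same restricted SIDs as USER_INTERACTIVE", but the USER_INTERACTIVE case that follows only shows its sid_exceptions and privilege_exceptions in this hunk, and the same four SIDs (WinBuiltinUsersSid, WinWorldSid, WinInteractiveSid, WinAuthenticatedUserSid) are now written out three times across the two cases. Consider hoisting that list into a shared static array or small helper so the sid_exceptions and AddRestrictingSid lists cannot drift apart, and have the comment spell out the invariant the "same permissions as the old" claim depends on: the restricting list must stay a superset of the enabled SIDs, and the three extra entries (WinRestrictedCodeSid, the current user, the logon session) are there because they only ever appear on the restricting side and so cannot grant anything the normal SID check would not already allow.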
--- a/security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt
+++ b/security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt
@@ -1,8 +1,9 @@
 Please add a link to the bugzilla bug and patch name that should be re-applied.
 Also, please update any existing links to their actual mozilla-central changeset.
 
 https://bugzilla.mozilla.org/show_bug.cgi?id=1287426 bug1287426part4.patch
 https://bugzilla.mozilla.org/show_bug.cgi?id=1287426 bug1287426part5.patch
 https://hg.mozilla.org/mozilla-central/rev/7df8d6639971
 https://bugzilla.mozilla.org/show_bug.cgi?id=1287426 bug1287426part6.patch
 https://bugzilla.mozilla.org/show_bug.cgi?id=1287426 bug1287426part7.patch
+https://bugzilla.mozilla.org/show_bug.cgi?id=1287426 bug1287426part8.patch
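Review bot: the added line follows the existing pattern, but the file's own header asks that existing entries be updated to their actual mozilla-central changeset, and parts 4 through 8 of this bug are all still listed by bugzilla URL and patch file name while only one entry carries an hg.mozilla.org rev link. Since this page is the landed changeset (the id is shown at the top), the bug1287426part8.patch entry, and the part 4 to 7 entries alongside it, should be replaced with their mozilla-central rev links in a follow-up so that whoever re-applies them after an upstream merge can pull the exact diff.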