Bug 1378061 - Only set user's SID in USER_LIMITED as deny only when not using restricting SIDs. r=jimm, a=jcristau
authorBob Owen <bobowencode@gmail.com>
Wed, 05 Jul 2017 21:00:55 +0100
changeset 411975 6075562b897b0ec87d7075da96cfec60cdf38bc2
parent 411974 e2c2664908514254ce8e99ef21315eb19a84fca7
child 411976 3cefc04b2b98d1aeb929df9526f4bca6d60e7c25
push id7514
push userryanvm@gmail.com
push dateMon, 17 Jul 2017 13:37:24 +0000
treeherdermozilla-beta@e26b1f5d635e [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjimm, jcristau
bugs1378061
milestone55.0
Bug 1378061 - Only set user's SID in USER_LIMITED as deny only when not using restricting SIDs. r=jimm, a=jcristau
security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
@@ -78,17 +78,21 @@ DWORD CreateRestrictedToken(TokenLevel s
       restricted_token.AddRestrictingSidLogonSession();
       break;
     }
     case USER_LIMITED: {
       sid_exceptions.push_back(WinBuiltinUsersSid);
       sid_exceptions.push_back(WinWorldSid);
       sid_exceptions.push_back(WinInteractiveSid);
       privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
-      restricted_token.AddUserSidForDenyOnly();
+      // This breaks web audio, so we don't want to do this in the restricting
+      // SIDs (normal) case. See bug 1378061.
+      if (!gUseRestricting) {
+        restricted_token.AddUserSidForDenyOnly();
+      }
       restricted_token.AddRestrictingSid(WinBuiltinUsersSid);
       restricted_token.AddRestrictingSid(WinWorldSid);
       restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
 
       // This token has to be able to create objects in BNO.
       // Unfortunately, on Vista+, it needs the current logon sid
       // in the token to achieve this. You should also set the process to be
       // low integrity level so it can't access object created by other