Bug 1426733: Use restricting SIDs in Windows NPAPI process sandbox (r=bobowen)
authorDavid Parks <dparks@mozilla.com>
Thu, 18 Oct 2018 16:27:56 +0000
changeset 497741 9b976167b45aa1ea14c163e0dd4480ec1439289b
parent 497740 9db2b627026f6e936b4ab8529479e3a84ad51a39
child 497742 5441249fe31416707df434bc6f886d923543de46
push id10002
push userarchaeopteryx@coole-files.de
push dateFri, 19 Oct 2018 23:09:29 +0000
treeherdermozilla-beta@01378c910610 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbobowen
bugs1426733
milestone64.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1426733: Use restricting SIDs in Windows NPAPI process sandbox (r=bobowen) Allow NPAPI sandbox to use restricting SIDs. This hardens the plugin sandbox. Differential Revision: https://phabricator.services.mozilla.com/D8746
security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -741,24 +741,19 @@ SandboxBroker::SetSecurityLevelForPlugin
 
   sandbox::MitigationFlags delayedMitigations =
     sandbox::MITIGATION_DLL_SEARCH_ORDER;
 
   result = mPolicy->SetDelayedProcessMitigations(delayedMitigations);
   SANDBOX_ENSURE_SUCCESS(result,
                          "Invalid flags for SetDelayedProcessMitigations.");
 
-#ifndef NIGHTLY_BUILD
-  // We are experimenting with using restricting SIDs in the nightly builds
-  mPolicy->SetDoNotUseRestrictingSIDs();
-#else
   // Add rule to allow read / write access to a special plugin temp dir.
   AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_ANY,
                    sPluginTempDir, NS_LITERAL_STRING("\\*"));
-#endif
 
   if (aSandboxLevel >= 2) {
     // Level 2 and above uses low integrity, so we need to give write access to
     // the Flash directories.
     AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_ANY,
                      sRoamingAppDataDir,
                      NS_LITERAL_STRING("\\Macromedia\\Flash Player\\*"));
     AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_ANY,