Mercurial > releases > mozilla-beta / changeset / 9b976167b45aa1ea14c163e0dd4480ec1439289b
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Bug 1426733: Use restricting SIDs in Windows NPAPI process sandbox (r=bobowen)
authorDavid Parks <dparks@mozilla.com>
Thu, 18 Oct 2018 16:27:56 +0000
changeset 497741 9b976167b45aa1ea14c163e0dd4480ec1439289b
parent 497740 9db2b627026f6e936b4ab8529479e3a84ad51a39
child 497742 5441249fe31416707df434bc6f886d923543de46
push id10002
push userarchaeopteryx@coole-files.de
push dateFri, 19 Oct 2018 23:09:29 +0000
treeherdermozilla-beta@01378c910610 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbobowen
bugs1426733
milestone64.0a1
first release with
nightly linux32
7d74c5905384 / 64.0a1 / 20181019100103 / files
nightly linux64
7d74c5905384 / 64.0a1 / 20181019100103 / files
nightly mac
7d74c5905384 / 64.0a1 / 20181019100103 / files
nightly win32
7d74c5905384 / 64.0a1 / 20181019100103 / files
nightly win64
7d74c5905384 / 64.0a1 / 20181019100103 / files
last release without
nightly linux32
8f709fd4aa46 / 64.0a1 / 20181018123730 / files
nightly linux64
8f709fd4aa46 / 64.0a1 / 20181018123730 / files
nightly mac
8f709fd4aa46 / 64.0a1 / 20181018123730 / files
nightly win32
8f709fd4aa46 / 64.0a1 / 20181018123730 / files
nightly win64
8f709fd4aa46 / 64.0a1 / 20181018123730 / files
Bug 1426733: Use restricting SIDs in Windows NPAPI process sandbox (r=bobowen) Allow NPAPI sandbox to use restricting SIDs. This hardens the plugin sandbox. Differential Revision: https://phabricator.services.mozilla.com/D8746
security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp file | annotate | diff | comparison | revisions 
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -741,24 +741,19 @@ SandboxBroker::SetSecurityLevelForPlugin
 
   sandbox::MitigationFlags delayedMitigations =
     sandbox::MITIGATION_DLL_SEARCH_ORDER;
 
   result = mPolicy->SetDelayedProcessMitigations(delayedMitigations);
   SANDBOX_ENSURE_SUCCESS(result,
                          "Invalid flags for SetDelayedProcessMitigations.");
 
-#ifndef NIGHTLY_BUILD
-  // We are experimenting with using restricting SIDs in the nightly builds
-  mPolicy->SetDoNotUseRestrictingSIDs();
-#else
   // Add rule to allow read / write access to a special plugin temp dir.
   AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_ANY,
                    sPluginTempDir, NS_LITERAL_STRING("\\*"));
-#endif
 
   if (aSandboxLevel >= 2) {
     // Level 2 and above uses low integrity, so we need to give write access to
     // the Flash directories.
     AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_ANY,
                      sRoamingAppDataDir,
                      NS_LITERAL_STRING("\\Macromedia\\Flash Player\\*"));
     AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_ANY,
mozilla-beta
Deployed from e404c980045c at 2021-03-01T18:43:48Z.