Bug 1187031: Move back to using USER_LOCKDOWN for the GMP sandbox policy on Windows. r=aklotz
authorBob Owen <bobowencode@gmail.com>
Wed, 21 Oct 2015 08:46:57 +0100
changeset 303912 8481c9619cc4d4098b7acdd3f77f7d1f8d3174c1
parent 303911 f20fa392e98b618b934efa12c5d91a8964cca67d
child 303913 1aca15a8d20d5de0d2b6920e66ee2fb1fa51c094
push id1001
push userraliiev@mozilla.com
push dateMon, 18 Jan 2016 19:06:03 +0000
reviewersaklotz
bugs1187031, 1208892
milestone44.0a1
Bug 1187031: Move back to using USER_LOCKDOWN for the GMP sandbox policy on Windows. r=aklotz This also removes turning off optimization for the Load function. That was an attempt to fix the side-by-side loading. It may also have helped with ensuring that the memsets were not optimized, but that has been fixed by Bug 1208892.
dom/media/gmp/GMPLoader.cpp
security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
--- a/dom/media/gmp/GMPLoader.cpp
+++ b/dom/media/gmp/GMPLoader.cpp
@@ -12,17 +12,16 @@
 #include "prenv.h"
 #include "nsAutoPtr.h"
 
 #include <string>
 
 #ifdef XP_WIN
 #include "windows.h"
 #ifdef MOZ_SANDBOX
-#include "mozilla/Scoped.h"
 #include <intrin.h>
 #include <assert.h>
 #endif
 #endif
 
 #if defined(HASH_NODE_ID_WITH_DEVICE_ID)
 // In order to provide EME plugins with a "device binding" capability,
 // in the parent we generate and store some random bytes as salt for every
@@ -32,41 +31,16 @@
 // device specific data and munges that with the salt to create the
 // "node id" that we expose to EME plugins. It then overwrites the device
 // specific data, and activates the sandbox.
 #include "rlz/lib/machine_id.h"
 #include "rlz/lib/string_utils.h"
 #include "sha256.h"
 #endif
 
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
-namespace {
-
-// Scoped type used by Load
-struct ScopedActCtxHandleTraits
-{
-  typedef HANDLE type;
-
-  static type empty()
-  {
-    return INVALID_HANDLE_VALUE;
-  }
-
-  static void release(type aActCtxHandle)
-  {
-    if (aActCtxHandle != INVALID_HANDLE_VALUE) {
-      ReleaseActCtx(aActCtxHandle);
-    }
-  }
-};
-typedef mozilla::Scoped<ScopedActCtxHandleTraits> ScopedActCtxHandle;
-
-} // namespace
-#endif
-
 namespace mozilla {
 namespace gmp {
 
 class GMPLoaderImpl : public GMPLoader {
 public:
   explicit GMPLoaderImpl(SandboxStarter* aStarter)
     : mSandboxStarter(aStarter)
   {}
@@ -141,21 +115,16 @@ static void SecureMemset(void* start, ui
   // Inline instructions equivalent to RtlSecureZeroMemory().
   for (size_t i = 0; i < size; ++i) {
     volatile uint8_t* p = static_cast<volatile uint8_t*>(start) + i;
     *p = value;
   }
 }
 #endif
 
-// The RAII variable holding the activation context that we create before
-// lowering the sandbox is getting optimized out.
-#if defined(_MSC_VER)
-#pragma optimize("g", off)
-#endif
 bool
 GMPLoaderImpl::Load(const char* aUTF8LibPath,
                     uint32_t aUTF8LibPathLen,
                     char* aOriginSalt,
                     uint32_t aOriginSaltLen,
                     const GMPPlatformAPI* aPlatformAPI)
 {
   std::string nodeId;
@@ -209,50 +178,36 @@ GMPLoaderImpl::Load(const char* aUTF8Lib
       }
     }
   } else
 #endif
   {
     nodeId = std::string(aOriginSalt, aOriginSalt + aOriginSaltLen);
   }
 
+  // Start the sandbox now that we've generated the device bound node id.
+  // This must happen after the node id is bound to the device id, as
+  // generating the device id requires privileges.
+  if (mSandboxStarter && !mSandboxStarter->Start(aUTF8LibPath)) {
+    return false;
+  }
+
+  // Load the GMP.
+  PRLibSpec libSpec;
 #ifdef XP_WIN
   int pathLen = MultiByteToWideChar(CP_UTF8, 0, aUTF8LibPath, -1, nullptr, 0);
   if (pathLen == 0) {
     return false;
   }
 
   nsAutoArrayPtr<wchar_t> widePath(new wchar_t[pathLen]);
   if (MultiByteToWideChar(CP_UTF8, 0, aUTF8LibPath, -1, widePath, pathLen) == 0) {
     return false;
   }
 
-#ifdef MOZ_SANDBOX
-  // If the GMP DLL is a side-by-side assembly with static imports then the DLL
-  // loader will attempt to create an activation context which will fail because
-  // of the sandbox. If we create an activation context before we start the
-  // sandbox then this one will get picked up by the DLL loader.
-  ACTCTX actCtx = { sizeof(actCtx) };
-  actCtx.dwFlags = ACTCTX_FLAG_RESOURCE_NAME_VALID;
-  actCtx.lpSource = widePath;
-  actCtx.lpResourceName = ISOLATIONAWARE_MANIFEST_RESOURCE_ID;
-  ScopedActCtxHandle actCtxHandle(CreateActCtx(&actCtx));
-#endif
-#endif
-
-  // Start the sandbox now that we've generated the device bound node id.
-  // This must happen after the node id is bound to the device id, as
-  // generating the device id requires privileges.
-  if (mSandboxStarter && !mSandboxStarter->Start(aUTF8LibPath)) {
-    return false;
-  }
-
-  // Load the GMP.
-  PRLibSpec libSpec;
-#ifdef XP_WIN
   libSpec.value.pathname_u = widePath;
   libSpec.type = PR_LibSpec_PathnameU;
 #else
   libSpec.value.pathname = aUTF8LibPath;
   libSpec.type = PR_LibSpec_Pathname;
 #endif
   mLib = PR_LoadLibraryWithFlags(libSpec, 0);
   if (!mLib) {
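Review bot: The new ordering lowers the sandbox (`mSandboxStarter->Start`) before `PR_LoadLibraryWithFlags` runs, and nothing in the new code records the constraint that the deleted `CreateActCtx` block was working around — that a GMP DLL carrying a side-by-side manifest cannot get an activation context from inside the sandbox and will fail to load, if the removed comment is still accurate under the lockdown token. Without that note the next maintainer is likely to re-add an unscoped ActCtx workaround or the optimization pragma this commit removes. Suggest a comment just above the `PR_LoadLibraryWithFlags` call: `// The DLL is loaded after the sandbox is lowered, so it must not need an activation context (side-by-side manifest): CreateActCtx is not permitted under the lockdown token and the load would fail here.` Load() begins before this hunk and the `if (!mLib)` handling continues past it, so the surrounding error path was not reviewed.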
@@ -275,19 +230,16 @@ GMPLoaderImpl::Load(const char* aUTF8Lib
 
   mGetAPIFunc = reinterpret_cast<GMPGetAPIFunc>(PR_FindFunctionSymbol(mLib, "GMPGetAPI"));
   if (!mGetAPIFunc) {
     return false;
   }
 
   return true;
 }
-#if defined(_MSC_VER)
-#pragma optimize("", on)
-#endif
 
 GMPErr
 GMPLoaderImpl::GetAPI(const char* aAPIName,
                       void* aHostAPI,
                       void** aPluginAPI)
 {
   return mGetAPIFunc ? mGetAPIFunc(aAPIName, aHostAPI, aPluginAPI)
                      : GMPGenericErr;
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -292,23 +292,19 @@ bool
 SandboxBroker::SetSecurityLevelForGMPlugin()
 {
   if (!mPolicy) {
     return false;
   }
 
   auto result = mPolicy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0);
   bool ret = (sandbox::SBOX_ALL_OK == result);
-  if (base::win::GetVersion() < base::win::VERSION_VISTA) {
-    result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
-                                    sandbox::USER_LOCKDOWN);
-  } else {
-    result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
-                                    sandbox::USER_RESTRICTED);
-  }
+
+  result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
+                                  sandbox::USER_LOCKDOWN);
   ret = ret && (sandbox::SBOX_ALL_OK == result);
 
   result = mPolicy->SetAlternateDesktop(true);
   ret = ret && (sandbox::SBOX_ALL_OK == result);
 
   result = mPolicy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
   ret = ret && (sandbox::SBOX_ALL_OK == result);