Bug 1344453 - Part 2: Add FILES_ALLOW_READONLY rule to all paths when Windows child process should have full read access. r=jimm, a=lizzard
authorBob Owen <bobowencode@gmail.com>
Tue, 28 Mar 2017 08:36:16 +0100
changeset 379372 85c59b19c241b3072441003583daff98655fd933
parent 379371 cfb4a743d65715d56dcb16ddf009397e2a9644e8
child 379373 7844cf131047221c0bd6475cf5c2608cb7050c29
push id1419
push userjlund@mozilla.com
push dateMon, 10 Apr 2017 20:44:07 +0000
treeherdermozilla-release@5e6801b73ef6 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjimm, lizzard
bugs1344453
milestone53.0
Bug 1344453 - Part 2: Add FILES_ALLOW_READONLY rule to all paths when Windows child process should have full read access. r=jimm, a=lizzard
security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -214,16 +214,27 @@ SandboxBroker::SetSecurityLevelForConten
   mitigations =
     sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
     sandbox::MITIGATION_DLL_SEARCH_ORDER;
 
   result = mPolicy->SetDelayedProcessMitigations(mitigations);
   MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
                      "Invalid flags for SetDelayedProcessMitigations.");
 
+  // We still have edge cases where the child at low integrity can't read some
+  // files, so add a rule to allow read access to everything when required.
+  if (aSandboxLevel == 1 ||
+      aPrivs == base::ChildPrivileges::PRIVILEGES_FILEREAD) {
+    result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+                              sandbox::TargetPolicy::FILES_ALLOW_READONLY,
+                              L"*");
+    MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
+                       "With these static arguments AddRule should never fail, what happened?");
+  }
+
   // Add the policy for the client side of a pipe. It is just a file
   // in the \pipe\ namespace. We restrict it to pipes that start with
   // "chrome." so the sandboxed process cannot connect to system services.
   result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
                             sandbox::TargetPolicy::FILES_ALLOW_ANY,
                             L"\\??\\pipe\\chrome.*");
   MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
                      "With these static arguments AddRule should never fail, what happened?");