Bug 1273372 Part 4: Add AppLocker rules to GMP sandbox policy. r=aklotz
authorBob Owen <bobowencode@gmail.com>
Thu, 22 Dec 2016 11:11:07 +0000
changeset 374286 9174d825a6ee546db547c7bfc45a223c858f3532
parent 374285 d24db55deb859d9d56c2af110896f3dfccced41e
child 374287 84ba5ac2326637c96878318434d9fc580be92fb9
push id1419
push userjlund@mozilla.com
push dateMon, 10 Apr 2017 20:44:07 +0000
treeherdermozilla-release@5e6801b73ef6 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersaklotz
bugs1273372
milestone53.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1273372 Part 4: Add AppLocker rules to GMP sandbox policy. r=aklotz
security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -474,16 +474,37 @@ SandboxBroker::SetSecurityLevelForGMPlug
                          "With these static arguments AddRule should never fail, what happened?");
 
   result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
                             sandbox::TargetPolicy::REG_ALLOW_READONLY,
                             L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest");
   SANDBOX_ENSURE_SUCCESS(result,
                          "With these static arguments AddRule should never fail, what happened?");
 
+  // The following rules were added to allow a GMP to be loaded when any
+  // AppLocker DLL rules are specified. If the rules specifically block the DLL
+  // then it will not load.
+  result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+                            sandbox::TargetPolicy::FILES_ALLOW_READONLY,
+                            L"\\Device\\SrpDevice");
+  SANDBOX_ENSURE_SUCCESS(result,
+                         "With these static arguments AddRule should never fail, what happened?");
+  result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
+                            sandbox::TargetPolicy::REG_ALLOW_READONLY,
+                            L"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Srp\\GP\\");
+  SANDBOX_ENSURE_SUCCESS(result,
+                         "With these static arguments AddRule should never fail, what happened?");
+  // On certain Windows versions there is a double slash before GP in the path.
+  result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
+                            sandbox::TargetPolicy::REG_ALLOW_READONLY,
+                            L"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Srp\\\\GP\\");
+  SANDBOX_ENSURE_SUCCESS(result,
+                         "With these static arguments AddRule should never fail, what happened?");
+
+
   return true;
 }
 #undef SANDBOX_ENSURE_SUCCESS
 
 bool
 SandboxBroker::AllowReadFile(wchar_t const *file)
 {
   if (!mPolicy) {