Bug 1423296 - Don't use MITIGATION_IMAGE_LOAD_NO_LOW_LABEL when running from a network drive. r=jimm, a=jcristau
authorBob Owen <bobowencode@gmail.com>
Fri, 08 Dec 2017 19:00:54 +0000
changeset 445303 b61b2f87160b375d54b121920b4befd9668963e5
parent 445302 aa78bfc225318b8e86f07ac56d8b65055e6d4f82
child 445304 d7ddb4b0dc03cb110b8936c89465ca5e08ea71be
push id1618
push userCallek@gmail.com
push dateThu, 11 Jan 2018 17:45:48 +0000
treeherdermozilla-release@882ca853e05a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjimm, jcristau
bugs1423296
milestone58.0
Bug 1423296 - Don't use MITIGATION_IMAGE_LOAD_NO_LOW_LABEL when running from a network drive. r=jimm, a=jcristau
security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -480,21 +480,22 @@ SandboxBroker::SetSecurityLevelForConten
 
   if (aSandboxLevel > 4) {
     result = mPolicy->SetAlternateDesktop(false);
     MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
                        "Failed to create alternate desktop for sandbox.");
   }
 
   if (aSandboxLevel > 3) {
-    mitigations |= sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL;
     // If we're running from a network drive then we can't block loading from
-    // remote locations.
+    // remote locations. Strangely using MITIGATION_IMAGE_LOAD_NO_LOW_LABEL in
+    // this situation also means the process fails to start (bug 1423296).
     if (!sRunningFromNetworkDrive) {
-      mitigations |= sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE;
+      mitigations |= sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+                     sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL;
     }
   }
 
 
   result = mPolicy->SetProcessMitigations(mitigations);
   MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
                      "Invalid flags for SetProcessMitigations.");