Bug 1177594: Use a USER_RESTRICTED token level on GMP process when integrity levels are available. r=cpearce,a=ritu
authorBob Owen <bobowencode@gmail.com>
Fri, 26 Jun 2015 14:19:12 +0100
changeset 275243 c9af6025b8bc7f76d135dd82ac3ff065d59e7e05
parent 275242 530b85a091bf8dc635e0d506b9634510c8d5776b
child 275244 b1b9503edc7c5f3b8e5d9723f94e0d9426b84a5e
push id863
push userraliiev@mozilla.com
push dateMon, 03 Aug 2015 13:22:43 +0000
treeherdermozilla-release@f6321b14228d [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerscpearce, ritu
bugs1177594
milestone40.0
Bug 1177594: Use a USER_RESTRICTED token level on GMP process when integrity levels are available. r=cpearce,a=ritu
security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -255,22 +255,22 @@ bool
 SandboxBroker::SetSecurityLevelForGMPlugin()
 {
   if (!mPolicy) {
     return false;
   }
 
   auto result = mPolicy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0);
   bool ret = (sandbox::SBOX_ALL_OK == result);
-  if (base::win::GetVersion() > base::win::VERSION_WIN8_1) {
+  if (base::win::GetVersion() < base::win::VERSION_VISTA) {
+    result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
+                                    sandbox::USER_LOCKDOWN);
+  } else {
     result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
                                     sandbox::USER_RESTRICTED);
-  } else {
-    result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
-                                    sandbox::USER_LOCKDOWN);
   }
   ret = ret && (sandbox::SBOX_ALL_OK == result);
 
   result = mPolicy->SetAlternateDesktop(true);
   ret = ret && (sandbox::SBOX_ALL_OK == result);
 
   result = mPolicy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
   ret = ret && (sandbox::SBOX_ALL_OK == result);