Bug 928061 - Enable separate Desktop in Windows sandbox policy. r=aklotz
authorBrian R. Bondy <netzen@gmail.com>
Thu, 20 Feb 2014 12:37:22 -0500
changeset 170065 3da0c8a851f80a3d3433498cb80610a66003650d
parent 170064 7dc90f3c1a213ba65292985de8c3d7c002bc8512
child 170066 22dc68fe321f689bf226951c052311dd5894b6f8
push id270
push userpvanderbeken@mozilla.com
push dateThu, 06 Mar 2014 09:24:21 +0000
reviewersaklotz
bugs928061
milestone30.0a1
Bug 928061 - Enable separate Desktop in Windows sandbox policy. r=aklotz
security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -50,16 +50,19 @@ SandboxBroker::LaunchApp(const wchar_t *
   // Medium integrity, unrestricted, in the same window station, within the
   // same desktop, and has no job object.
   // We'll start to increase the restrictions over time.
   mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
   mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
                          sandbox::USER_RESTRICTED_SAME_ACCESS);
   mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
 
+  // Set an alternate Desktop within a new window station
+  mPolicy->SetAlternateDesktop(false);
+
   // Ceate the sandboxed process
   PROCESS_INFORMATION targetInfo;
   sandbox::ResultCode result;
   result = sBrokerService->SpawnTarget(aPath, aArguments, mPolicy, &targetInfo);
 
   // The sandboxed process is started in a suspended state, resumeit now that
   // we'eve set things up.
   ResumeThread(targetInfo.hThread);