зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1339105 Part 3: Move NPAPI windows process sandbox file rules into SandboxBroker. r=jimm
This also removes a rule that was added for sandboxing the Java plugin, which we never did and we now only allow Flash anyway.
This commit is contained in:
Родитель
ad828b90f2
Коммит
16a4871cdf
|
@ -14,10 +14,6 @@
|
|||
#include "mozilla/Telemetry.h"
|
||||
#include "nsThreadUtils.h"
|
||||
|
||||
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
|
||||
#include "nsDirectoryServiceDefs.h"
|
||||
#endif
|
||||
|
||||
using std::vector;
|
||||
using std::string;
|
||||
|
||||
|
@ -56,82 +52,12 @@ PluginProcessParent::~PluginProcessParent()
|
|||
#endif
|
||||
}
|
||||
|
||||
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
|
||||
static void
|
||||
AddSandboxAllowedFile(vector<std::wstring>& aAllowedFiles, nsIProperties* aDirSvc,
|
||||
const char* aDir, const nsAString& aSuffix = EmptyString())
|
||||
{
|
||||
nsCOMPtr<nsIFile> userDir;
|
||||
nsresult rv = aDirSvc->Get(aDir, NS_GET_IID(nsIFile), getter_AddRefs(userDir));
|
||||
if (NS_WARN_IF(NS_FAILED(rv))) {
|
||||
return;
|
||||
}
|
||||
|
||||
nsAutoString userDirPath;
|
||||
rv = userDir->GetPath(userDirPath);
|
||||
if (NS_WARN_IF(NS_FAILED(rv))) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (!aSuffix.IsEmpty()) {
|
||||
userDirPath.Append(aSuffix);
|
||||
}
|
||||
aAllowedFiles.push_back(std::wstring(userDirPath.get()));
|
||||
return;
|
||||
}
|
||||
|
||||
static void
|
||||
AddSandboxAllowedFiles(int32_t aSandboxLevel,
|
||||
vector<std::wstring>& aAllowedFilesRead,
|
||||
vector<std::wstring>& aAllowedFilesReadWrite,
|
||||
vector<std::wstring>& aAllowedDirectories)
|
||||
{
|
||||
if (aSandboxLevel < 2) {
|
||||
return;
|
||||
}
|
||||
|
||||
nsresult rv;
|
||||
nsCOMPtr<nsIProperties> dirSvc =
|
||||
do_GetService(NS_DIRECTORY_SERVICE_CONTRACTID, &rv);
|
||||
if (NS_WARN_IF(NS_FAILED(rv))) {
|
||||
return;
|
||||
}
|
||||
|
||||
// Level 2 and above is now using low integrity, so we need to give write
|
||||
// access to the Flash directories.
|
||||
// This should be made Flash specific (Bug 1171396).
|
||||
AddSandboxAllowedFile(aAllowedFilesReadWrite, dirSvc, NS_WIN_APPDATA_DIR,
|
||||
NS_LITERAL_STRING("\\Macromedia\\Flash Player\\*"));
|
||||
AddSandboxAllowedFile(aAllowedFilesReadWrite, dirSvc, NS_WIN_LOCAL_APPDATA_DIR,
|
||||
NS_LITERAL_STRING("\\Macromedia\\Flash Player\\*"));
|
||||
AddSandboxAllowedFile(aAllowedFilesReadWrite, dirSvc, NS_WIN_APPDATA_DIR,
|
||||
NS_LITERAL_STRING("\\Adobe\\Flash Player\\*"));
|
||||
|
||||
// Access also has to be given to create the parent directories as they may
|
||||
// not exist.
|
||||
AddSandboxAllowedFile(aAllowedDirectories, dirSvc, NS_WIN_APPDATA_DIR,
|
||||
NS_LITERAL_STRING("\\Macromedia"));
|
||||
AddSandboxAllowedFile(aAllowedDirectories, dirSvc, NS_WIN_APPDATA_DIR,
|
||||
NS_LITERAL_STRING("\\Macromedia\\Flash Player"));
|
||||
AddSandboxAllowedFile(aAllowedDirectories, dirSvc, NS_WIN_LOCAL_APPDATA_DIR,
|
||||
NS_LITERAL_STRING("\\Macromedia"));
|
||||
AddSandboxAllowedFile(aAllowedDirectories, dirSvc, NS_WIN_LOCAL_APPDATA_DIR,
|
||||
NS_LITERAL_STRING("\\Macromedia\\Flash Player"));
|
||||
AddSandboxAllowedFile(aAllowedDirectories, dirSvc, NS_WIN_APPDATA_DIR,
|
||||
NS_LITERAL_STRING("\\Adobe"));
|
||||
AddSandboxAllowedFile(aAllowedDirectories, dirSvc, NS_WIN_APPDATA_DIR,
|
||||
NS_LITERAL_STRING("\\Adobe\\Flash Player"));
|
||||
}
|
||||
#endif
|
||||
|
||||
bool
|
||||
PluginProcessParent::Launch(mozilla::UniquePtr<LaunchCompleteTask> aLaunchCompleteTask,
|
||||
int32_t aSandboxLevel)
|
||||
{
|
||||
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
|
||||
mSandboxLevel = aSandboxLevel;
|
||||
AddSandboxAllowedFiles(mSandboxLevel, mAllowedFilesRead,
|
||||
mAllowedFilesReadWrite, mAllowedDirectories);
|
||||
#else
|
||||
if (aSandboxLevel != 0) {
|
||||
MOZ_ASSERT(false,
|
||||
|
|
|
@ -1028,18 +1028,6 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
|
|||
++it) {
|
||||
mSandboxBroker.AllowReadFile(it->c_str());
|
||||
}
|
||||
|
||||
for (auto it = mAllowedFilesReadWrite.begin();
|
||||
it != mAllowedFilesReadWrite.end();
|
||||
++it) {
|
||||
mSandboxBroker.AllowReadWriteFile(it->c_str());
|
||||
}
|
||||
|
||||
for (auto it = mAllowedDirectories.begin();
|
||||
it != mAllowedDirectories.end();
|
||||
++it) {
|
||||
mSandboxBroker.AllowDirectory(it->c_str());
|
||||
}
|
||||
}
|
||||
#endif // XP_WIN && MOZ_SANDBOX
|
||||
|
||||
|
|
|
@ -157,8 +157,6 @@ protected:
|
|||
#ifdef MOZ_SANDBOX
|
||||
SandboxBroker mSandboxBroker;
|
||||
std::vector<std::wstring> mAllowedFilesRead;
|
||||
std::vector<std::wstring> mAllowedFilesReadWrite;
|
||||
std::vector<std::wstring> mAllowedDirectories;
|
||||
bool mEnableSandboxLogging;
|
||||
int32_t mSandboxLevel;
|
||||
#endif
|
||||
|
|
|
@ -31,6 +31,8 @@ sandbox::BrokerServices *SandboxBroker::sBrokerService = nullptr;
|
|||
static UniquePtr<nsString> sBinDir;
|
||||
static UniquePtr<nsString> sProfileDir;
|
||||
static UniquePtr<nsString> sContentTempDir;
|
||||
static UniquePtr<nsString> sRoamingAppDataDir;
|
||||
static UniquePtr<nsString> sLocalAppDataDir;
|
||||
|
||||
static LazyLogModule sSandboxBrokerLog("SandboxBroker");
|
||||
|
||||
|
@ -86,6 +88,8 @@ SandboxBroker::CacheRulesDirectories()
|
|||
CacheDirAndAutoClear(dirSvc, NS_GRE_DIR, &sBinDir);
|
||||
CacheDirAndAutoClear(dirSvc, NS_APP_USER_PROFILE_50_DIR, &sProfileDir);
|
||||
CacheDirAndAutoClear(dirSvc, NS_APP_CONTENT_PROCESS_TEMP_DIR, &sContentTempDir);
|
||||
CacheDirAndAutoClear(dirSvc, NS_WIN_APPDATA_DIR, &sRoamingAppDataDir);
|
||||
CacheDirAndAutoClear(dirSvc, NS_WIN_LOCAL_APPDATA_DIR, &sLocalAppDataDir);
|
||||
}
|
||||
|
||||
SandboxBroker::SandboxBroker()
|
||||
|
@ -565,6 +569,41 @@ SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel)
|
|||
SANDBOX_ENSURE_SUCCESS(result,
|
||||
"Invalid flags for SetProcessMitigations.");
|
||||
|
||||
if (aSandboxLevel >= 2) {
|
||||
// Level 2 and above uses low integrity, so we need to give write access to
|
||||
// the Flash directories.
|
||||
AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_ANY,
|
||||
sRoamingAppDataDir,
|
||||
NS_LITERAL_STRING("\\Macromedia\\Flash Player\\*"));
|
||||
AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_ANY,
|
||||
sLocalAppDataDir,
|
||||
NS_LITERAL_STRING("\\Macromedia\\Flash Player\\*"));
|
||||
AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_ANY,
|
||||
sRoamingAppDataDir,
|
||||
NS_LITERAL_STRING("\\Adobe\\Flash Player\\*"));
|
||||
|
||||
// Access also has to be given to create the parent directories as they may
|
||||
// not exist.
|
||||
AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY,
|
||||
sRoamingAppDataDir,
|
||||
NS_LITERAL_STRING("\\Macromedia"));
|
||||
AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY,
|
||||
sRoamingAppDataDir,
|
||||
NS_LITERAL_STRING("\\Macromedia\\Flash Player"));
|
||||
AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY,
|
||||
sLocalAppDataDir,
|
||||
NS_LITERAL_STRING("\\Macromedia"));
|
||||
AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY,
|
||||
sLocalAppDataDir,
|
||||
NS_LITERAL_STRING("\\Macromedia\\Flash Player"));
|
||||
AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY,
|
||||
sRoamingAppDataDir,
|
||||
NS_LITERAL_STRING("\\Adobe"));
|
||||
AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY,
|
||||
sRoamingAppDataDir,
|
||||
NS_LITERAL_STRING("\\Adobe\\Flash Player"));
|
||||
}
|
||||
|
||||
// Add the policy for the client side of a pipe. It is just a file
|
||||
// in the \pipe\ namespace. We restrict it to pipes that start with
|
||||
// "chrome." so the sandboxed process cannot connect to system services.
|
||||
|
@ -596,13 +635,6 @@ SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel)
|
|||
SANDBOX_ENSURE_SUCCESS(result,
|
||||
"With these static arguments AddRule should never fail, what happened?");
|
||||
|
||||
// The following is required for the Java plugin.
|
||||
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
|
||||
sandbox::TargetPolicy::FILES_ALLOW_ANY,
|
||||
L"\\??\\pipe\\jpi2_pid*_pipe*");
|
||||
SANDBOX_ENSURE_SUCCESS(result,
|
||||
"With these static arguments AddRule should never fail, what happened?");
|
||||
|
||||
// These register keys are used by the file-browser dialog box. They
|
||||
// remember the most-recently-used folders.
|
||||
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
|
||||
|
@ -798,45 +830,6 @@ SandboxBroker::AllowReadFile(wchar_t const *file)
|
|||
return true;
|
||||
}
|
||||
|
||||
bool
|
||||
SandboxBroker::AllowReadWriteFile(wchar_t const *file)
|
||||
{
|
||||
if (!mPolicy) {
|
||||
return false;
|
||||
}
|
||||
|
||||
auto result =
|
||||
mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
|
||||
sandbox::TargetPolicy::FILES_ALLOW_ANY,
|
||||
file);
|
||||
if (sandbox::SBOX_ALL_OK != result) {
|
||||
LOG_E("Failed (ResultCode %d) to add read/write access to: %S",
|
||||
result, file);
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
bool
|
||||
SandboxBroker::AllowDirectory(wchar_t const *dir)
|
||||
{
|
||||
if (!mPolicy) {
|
||||
return false;
|
||||
}
|
||||
|
||||
auto result =
|
||||
mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
|
||||
sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY,
|
||||
dir);
|
||||
if (sandbox::SBOX_ALL_OK != result) {
|
||||
LOG_E("Failed (ResultCode %d) to add directory access to: %S", result, dir);
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
bool
|
||||
SandboxBroker::AddTargetPeer(HANDLE aPeerProcess)
|
||||
{
|
||||
|
|
|
@ -55,8 +55,6 @@ public:
|
|||
|
||||
// File system permissions
|
||||
bool AllowReadFile(wchar_t const *file);
|
||||
bool AllowReadWriteFile(wchar_t const *file);
|
||||
bool AllowDirectory(wchar_t const *dir);
|
||||
|
||||
// Exposes AddTargetPeer from broker services, so that none sandboxed
|
||||
// processes can be added as handle duplication targets.
|
||||
|
|
Загрузка…
Ссылка в новой задаче