From 6c0e1dc69f7679db3f050e149619abc16b8573c0 Mon Sep 17 00:00:00 2001 From: Gabor Krizsanits Date: Mon, 6 Jun 2016 15:13:33 +0200 Subject: [PATCH] Bug 1146873 - Handling sandbox policy setup failures. r=bobowen --- ipc/glue/GeckoChildProcessHost.cpp | 31 ++-- .../win/src/sandboxbroker/sandboxBroker.cpp | 161 ++++++++++-------- .../win/src/sandboxbroker/sandboxBroker.h | 3 +- 3 files changed, 113 insertions(+), 82 deletions(-) diff --git a/ipc/glue/GeckoChildProcessHost.cpp b/ipc/glue/GeckoChildProcessHost.cpp index a730d3f56061..55d7182af83a 100644 --- a/ipc/glue/GeckoChildProcessHost.cpp +++ b/ipc/glue/GeckoChildProcessHost.cpp @@ -583,15 +583,19 @@ GeckoChildProcessHost::RunPerformAsyncLaunch(std::vector aExtraOpts { InitializeChannel(); - if (PerformAsyncLaunch(aExtraOpts, aArch)) { - return true; - } else { + bool ok = PerformAsyncLaunch(aExtraOpts, aArch); + if (!ok) { + // WaitUntilConnected might be waiting for us to signal. + // If something failed let's set the error state and notify. + MonitorAutoLock lock(mMonitor); + mProcessState = PROCESS_ERROR; + lock.Notify(); CHROMIUM_LOG(ERROR) << "Failed to launch " << XRE_ChildProcessTypeToString(mProcessType) << " subprocess"; Telemetry::Accumulate(Telemetry::SUBPROCESS_LAUNCH_FAILURE, nsDependentCString(XRE_ChildProcessTypeToString(mProcessType))); - return false; } + return ok; } void @@ -1030,6 +1034,9 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector& aExt #if defined(MOZ_CONTENT_SANDBOX) if (mSandboxLevel > 0 && !PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) { + // For now we treat every failure as fatal in SetSecurityLevelForContentProcess + // and just crash there right away. Should this change in the future then we + // should also handle the error here. mSandboxBroker.SetSecurityLevelForContentProcess(mSandboxLevel); cmdLine.AppendLooseValue(UTF8ToWide("-sandbox")); shouldSandboxCurrentProcess = true; @@ -1040,16 +1047,16 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector& aExt case GeckoProcessType_Plugin: if (mSandboxLevel > 0 && !PR_GetEnv("MOZ_DISABLE_NPAPI_SANDBOX")) { - mSandboxBroker.SetSecurityLevelForPluginProcess(mSandboxLevel); + bool ok = mSandboxBroker.SetSecurityLevelForPluginProcess(mSandboxLevel); + if (!ok) { + return false; + } cmdLine.AppendLooseValue(UTF8ToWide("-sandbox")); shouldSandboxCurrentProcess = true; } break; case GeckoProcessType_IPDLUnitTest: // XXX: We don't sandbox this process type yet - // mSandboxBroker.SetSecurityLevelForIPDLUnitTestProcess(); - // cmdLine.AppendLooseValue(UTF8ToWide("-sandbox")); - // shouldSandboxCurrentProcess = true; break; case GeckoProcessType_GMPlugin: if (!PR_GetEnv("MOZ_DISABLE_GMP_SANDBOX")) { @@ -1060,7 +1067,10 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector& aExt bool isWidevine = std::any_of(aExtraOpts.begin(), aExtraOpts.end(), [](const std::string arg) { return arg.find("gmp-widevinecdm") != std::string::npos; }); auto level = isWidevine ? SandboxBroker::Restricted : SandboxBroker::LockDown; - mSandboxBroker.SetSecurityLevelForGMPlugin(level); + bool ok = mSandboxBroker.SetSecurityLevelForGMPlugin(level); + if (!ok) { + return false; + } cmdLine.AppendLooseValue(UTF8ToWide("-sandbox")); shouldSandboxCurrentProcess = true; } @@ -1146,9 +1156,6 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector& aExt #endif if (!process) { - MonitorAutoLock lock(mMonitor); - mProcessState = PROCESS_ERROR; - lock.Notify(); return false; } // NB: on OS X, we block much longer than we need to in order to diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp index 78b05e3b34ab..e4a5a72f86de 100644 --- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp +++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp @@ -86,12 +86,10 @@ SandboxBroker::LaunchApp(const wchar_t *aPath, } #if defined(MOZ_CONTENT_SANDBOX) -bool +void SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel) { - if (!mPolicy) { - return false; - } + MOZ_RELEASE_ASSERT(mPolicy, "mPolicy must be set before this call."); sandbox::JobLevel jobLevel; sandbox::TokenLevel accessTokenLevel; @@ -101,6 +99,7 @@ SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel) // The setting of these levels is pretty arbitrary, but they are a useful (if // crude) tool while we are tightening the policy. Gaps are left to try and // avoid changing their meaning. + MOZ_RELEASE_ASSERT(aSandboxLevel >= 1, "Should not be called with aSandboxLevel < 1"); if (aSandboxLevel >= 20) { jobLevel = sandbox::JOB_LOCKDOWN; accessTokenLevel = sandbox::USER_LOCKDOWN; @@ -121,27 +120,29 @@ SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel) accessTokenLevel = sandbox::USER_NON_ADMIN; initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - } else { - MOZ_ASSERT_UNREACHABLE("Should not be called with aSandboxLevel < 1"); - return false; } - sandbox::ResultCode result = mPolicy->SetJobLevel(jobLevel, + sandbox::ResultCode result = mPolicy->SetJobLevel(jobLevel, 0 /* ui_exceptions */); - bool ret = (sandbox::SBOX_ALL_OK == result); + MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, + "Setting job level failed, have you set memory limit when jobLevel == JOB_NONE?"); result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS, accessTokenLevel); - ret = ret && (sandbox::SBOX_ALL_OK == result); + MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, + "Lockdown level cannot be USER_UNPROTECTED or USER_LAST if initial level was USER_RESTRICTED_SAME_ACCESS"); result = mPolicy->SetIntegrityLevel(initialIntegrityLevel); - ret = ret && (sandbox::SBOX_ALL_OK == result); + MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, + "SetIntegrityLevel should never fail, what happened?"); result = mPolicy->SetDelayedIntegrityLevel(delayedIntegrityLevel); - ret = ret && (sandbox::SBOX_ALL_OK == result); + MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, + "SetDelayedIntegrityLevel should never fail, what happened?"); if (aSandboxLevel > 2) { result = mPolicy->SetAlternateDesktop(true); - ret = ret && (sandbox::SBOX_ALL_OK == result); + MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, + "Failed to create alternate desktop for sandbox."); } sandbox::MitigationFlags mitigations = @@ -152,14 +153,16 @@ SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel) sandbox::MITIGATION_DEP; result = mPolicy->SetProcessMitigations(mitigations); - ret = ret && (sandbox::SBOX_ALL_OK == result); + MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, + "Invalid flags for SetProcessMitigations."); mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS | sandbox::MITIGATION_DLL_SEARCH_ORDER; result = mPolicy->SetDelayedProcessMitigations(mitigations); - ret = ret && (sandbox::SBOX_ALL_OK == result); + MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, + "Invalid flags for SetDelayedProcessMitigations."); // Add the policy for the client side of a pipe. It is just a file // in the \pipe\ namespace. We restrict it to pipes that start with @@ -167,32 +170,41 @@ SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel) result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, sandbox::TargetPolicy::FILES_ALLOW_ANY, L"\\??\\pipe\\chrome.*"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, + "With these static arguments AddRule should never fail, what happened?"); // Add the policy for the client side of the crash server pipe. result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, sandbox::TargetPolicy::FILES_ALLOW_ANY, L"\\??\\pipe\\gecko-crash-server-pipe.*"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, + "With these static arguments AddRule should never fail, what happened?"); // The content process needs to be able to duplicate named pipes back to the // broker process, which are File type handles. result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, sandbox::TargetPolicy::HANDLES_DUP_BROKER, L"File"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, + "With these static arguments AddRule should never fail, what happened?"); // The content process needs to be able to duplicate shared memory to the // broker process, which are Section type handles. result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, sandbox::TargetPolicy::HANDLES_DUP_BROKER, L"Section"); - ret = ret && (sandbox::SBOX_ALL_OK == result); - - return ret; + MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, + "With these static arguments AddRule should never fail, what happened?"); } #endif +#define SANDBOX_ENSURE_SUCCESS(result, message) \ + do { \ + MOZ_ASSERT(sandbox::SBOX_ALL_OK == result, message); \ + if (sandbox::SBOX_ALL_OK != result) \ + return false; \ + } while (0) + bool SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel) { @@ -224,16 +236,21 @@ SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel) sandbox::ResultCode result = mPolicy->SetJobLevel(jobLevel, 0 /* ui_exceptions */); - bool ret = (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "Setting job level failed, have you set memory limit when jobLevel == JOB_NONE?"); result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS, accessTokenLevel); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "Lockdown level cannot be USER_UNPROTECTED or USER_LAST if initial level was USER_RESTRICTED_SAME_ACCESS"); result = mPolicy->SetIntegrityLevel(initialIntegrityLevel); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "SetIntegrityLevel should never fail, what happened?"); + result = mPolicy->SetDelayedIntegrityLevel(delayedIntegrityLevel); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "SetDelayedIntegrityLevel should never fail, what happened?"); sandbox::MitigationFlags mitigations = sandbox::MITIGATION_BOTTOM_UP_ASLR | @@ -243,7 +260,8 @@ SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel) sandbox::MITIGATION_DEP; result = mPolicy->SetProcessMitigations(mitigations); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "Invalid flags for SetProcessMitigations."); // Add the policy for the client side of a pipe. It is just a file // in the \pipe\ namespace. We restrict it to pipes that start with @@ -251,13 +269,15 @@ SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel) result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, sandbox::TargetPolicy::FILES_ALLOW_ANY, L"\\??\\pipe\\chrome.*"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "With these static arguments AddRule should never fail, what happened?"); // Add the policy for the client side of the crash server pipe. result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, sandbox::TargetPolicy::FILES_ALLOW_ANY, L"\\??\\pipe\\gecko-crash-server-pipe.*"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "With these static arguments AddRule should never fail, what happened?"); // The NPAPI process needs to be able to duplicate shared memory to the // content process and broker process, which are Section type handles. @@ -265,36 +285,23 @@ SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel) result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, sandbox::TargetPolicy::HANDLES_DUP_ANY, L"Section"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "With these static arguments AddRule should never fail, what happened?"); result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, sandbox::TargetPolicy::HANDLES_DUP_BROKER, L"Section"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "With these static arguments AddRule should never fail, what happened?"); // The following is required for the Java plugin. result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, sandbox::TargetPolicy::FILES_ALLOW_ANY, L"\\??\\pipe\\jpi2_pid*_pipe*"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "With these static arguments AddRule should never fail, what happened?"); - return ret; -} - -bool -SandboxBroker::SetSecurityLevelForIPDLUnitTestProcess() -{ - if (!mPolicy) { - return false; - } - - auto result = mPolicy->SetJobLevel(sandbox::JOB_NONE, 0); - bool ret = (sandbox::SBOX_ALL_OK == result); - result = - mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS, - sandbox::USER_RESTRICTED_SAME_ACCESS); - ret = ret && (sandbox::SBOX_ALL_OK == result); - return ret; + return true; } bool @@ -305,22 +312,26 @@ SandboxBroker::SetSecurityLevelForGMPlugin(SandboxLevel aLevel) } auto result = mPolicy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0); - bool ret = (sandbox::SBOX_ALL_OK == result); - + SANDBOX_ENSURE_SUCCESS(result, + "SetJobLevel should never fail with these arguments, what happened?"); auto level = (aLevel == Restricted) ? sandbox::USER_RESTRICTED : sandbox::USER_LOCKDOWN; result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS, level); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "SetTokenLevel should never fail with these arguments, what happened?"); result = mPolicy->SetAlternateDesktop(true); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "Failed to create alternate desktop for sandbox."); result = mPolicy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW); - ret = ret && (sandbox::SBOX_ALL_OK == result); + MOZ_ASSERT(sandbox::SBOX_ALL_OK == result, + "SetIntegrityLevel should never fail with these arguments, what happened?"); result = mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "SetIntegrityLevel should never fail with these arguments, what happened?"); sandbox::MitigationFlags mitigations = sandbox::MITIGATION_BOTTOM_UP_ASLR | @@ -330,14 +341,16 @@ SandboxBroker::SetSecurityLevelForGMPlugin(SandboxLevel aLevel) sandbox::MITIGATION_DEP; result = mPolicy->SetProcessMitigations(mitigations); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "Invalid flags for SetProcessMitigations."); mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS | sandbox::MITIGATION_DLL_SEARCH_ORDER; result = mPolicy->SetDelayedProcessMitigations(mitigations); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "Invalid flags for SetDelayedProcessMitigations."); // Add the policy for the client side of a pipe. It is just a file // in the \pipe\ namespace. We restrict it to pipes that start with @@ -345,13 +358,15 @@ SandboxBroker::SetSecurityLevelForGMPlugin(SandboxLevel aLevel) result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, sandbox::TargetPolicy::FILES_ALLOW_ANY, L"\\??\\pipe\\chrome.*"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "With these static arguments AddRule should never fail, what happened?"); // Add the policy for the client side of the crash server pipe. result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, sandbox::TargetPolicy::FILES_ALLOW_ANY, L"\\??\\pipe\\gecko-crash-server-pipe.*"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "With these static arguments AddRule should never fail, what happened?"); #ifdef DEBUG // The plugin process can't create named events, but we'll @@ -360,7 +375,8 @@ SandboxBroker::SetSecurityLevelForGMPlugin(SandboxLevel aLevel) result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_SYNC, sandbox::TargetPolicy::EVENTS_ALLOW_ANY, L"ChromeIPCLog.*"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "With these static arguments AddRule should never fail, what happened?"); #endif // The following rules were added because, during analysis of an EME @@ -371,22 +387,26 @@ SandboxBroker::SetSecurityLevelForGMPlugin(SandboxLevel aLevel) result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, sandbox::TargetPolicy::REG_ALLOW_READONLY, L"HKEY_CURRENT_USER"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "With these static arguments AddRule should never fail, what happened?"); result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, sandbox::TargetPolicy::REG_ALLOW_READONLY, L"HKEY_CURRENT_USER\\Control Panel\\Desktop"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "With these static arguments AddRule should never fail, what happened?"); result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, sandbox::TargetPolicy::REG_ALLOW_READONLY, L"HKEY_CURRENT_USER\\Control Panel\\Desktop\\LanguageConfiguration"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "With these static arguments AddRule should never fail, what happened?"); result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, sandbox::TargetPolicy::REG_ALLOW_READONLY, L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "With these static arguments AddRule should never fail, what happened?"); // The following rules were added because, during analysis of an EME @@ -397,25 +417,30 @@ SandboxBroker::SetSecurityLevelForGMPlugin(SandboxLevel aLevel) result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, sandbox::TargetPolicy::REG_ALLOW_READONLY, L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MUI\\Settings"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "With these static arguments AddRule should never fail, what happened?"); result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, sandbox::TargetPolicy::REG_ALLOW_READONLY, L"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Control Panel\\Desktop"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "With these static arguments AddRule should never fail, what happened?"); result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, sandbox::TargetPolicy::REG_ALLOW_READONLY, L"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "With these static arguments AddRule should never fail, what happened?"); result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY, sandbox::TargetPolicy::REG_ALLOW_READONLY, L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"); - ret = ret && (sandbox::SBOX_ALL_OK == result); + SANDBOX_ENSURE_SUCCESS(result, + "With these static arguments AddRule should never fail, what happened?"); - return ret; + return true; } +#undef SANDBOX_ENSURE_SUCCESS bool SandboxBroker::AllowReadFile(wchar_t const *file) diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h index 6cb4034aa3a5..3f73ec890335 100644 --- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h +++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h @@ -32,10 +32,9 @@ public: // Security levels for different types of processes #if defined(MOZ_CONTENT_SANDBOX) - bool SetSecurityLevelForContentProcess(int32_t aSandboxLevel); + void SetSecurityLevelForContentProcess(int32_t aSandboxLevel); #endif bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel); - bool SetSecurityLevelForIPDLUnitTestProcess(); enum SandboxLevel { LockDown, Restricted