Bug 1695556 p1: Allow reparse points in chromium sandbox code. r=handyman
Differential Revision: https://phabricator.services.mozilla.com/D135692
This commit is contained in:
Родитель
c033a12a53
Коммит
9b1cd0242d
|
@ -92,7 +92,6 @@ bool FilesystemDispatcher::NtCreateFile(IPCInfo* ipc,
|
||||||
uint32_t create_disposition,
|
uint32_t create_disposition,
|
||||||
uint32_t create_options) {
|
uint32_t create_options) {
|
||||||
if (!PreProcessName(name)) {
|
if (!PreProcessName(name)) {
|
||||||
// The path requested might contain a reparse point.
|
|
||||||
ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
|
ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
@ -146,7 +145,6 @@ bool FilesystemDispatcher::NtOpenFile(IPCInfo* ipc,
|
||||||
uint32_t share_access,
|
uint32_t share_access,
|
||||||
uint32_t open_options) {
|
uint32_t open_options) {
|
||||||
if (!PreProcessName(name)) {
|
if (!PreProcessName(name)) {
|
||||||
// The path requested might contain a reparse point.
|
|
||||||
ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
|
ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
@ -201,7 +199,6 @@ bool FilesystemDispatcher::NtQueryAttributesFile(IPCInfo* ipc,
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if (!PreProcessName(name)) {
|
if (!PreProcessName(name)) {
|
||||||
// The path requested might contain a reparse point.
|
|
||||||
ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
|
ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
@ -250,7 +247,6 @@ bool FilesystemDispatcher::NtQueryFullAttributesFile(IPCInfo* ipc,
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if (!PreProcessName(name)) {
|
if (!PreProcessName(name)) {
|
||||||
// The path requested might contain a reparse point.
|
|
||||||
ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
|
ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
@ -312,7 +308,6 @@ bool FilesystemDispatcher::NtSetInformationFile(IPCInfo* ipc,
|
||||||
name.assign(rename_info->FileName,
|
name.assign(rename_info->FileName,
|
||||||
rename_info->FileNameLength / sizeof(rename_info->FileName[0]));
|
rename_info->FileNameLength / sizeof(rename_info->FileName[0]));
|
||||||
if (!PreProcessName(&name)) {
|
if (!PreProcessName(&name)) {
|
||||||
// The path requested might contain a reparse point.
|
|
||||||
ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
|
ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
|
@ -44,12 +44,6 @@ NTSTATUS NtCreateFileInTarget(HANDLE* target_file_handle,
|
||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!sandbox::SameObject(local_handle, obj_attributes->ObjectName->Buffer)) {
|
|
||||||
// The handle points somewhere else. Fail the operation.
|
|
||||||
::CloseHandle(local_handle);
|
|
||||||
return STATUS_ACCESS_DENIED;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!::DuplicateHandle(::GetCurrentProcess(), local_handle, target_process,
|
if (!::DuplicateHandle(::GetCurrentProcess(), local_handle, target_process,
|
||||||
target_file_handle, 0, false,
|
target_file_handle, 0, false,
|
||||||
DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
|
DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
|
||||||
|
@ -405,13 +399,25 @@ bool FileSystemPolicy::SetInformationFileAction(EvalResult eval_result,
|
||||||
}
|
}
|
||||||
|
|
||||||
bool PreProcessName(std::wstring* path) {
|
bool PreProcessName(std::wstring* path) {
|
||||||
|
// We now allow symbolic links to be opened via the broker, so we can no
|
||||||
|
// longer rely on the same object check where we checked the path of the
|
||||||
|
// opened file against the original. We don't specify a root when creating
|
||||||
|
// OBJECT_ATTRIBUTES from file names for brokering so they must be fully
|
||||||
|
// qualified and we can just check for the parent directory double dot between
|
||||||
|
// two backslashes. NtCreateFile doesn't seem to allow it anyway, but this is
|
||||||
|
// just an extra precaution. It also doesn't seem to allow the forward slash
|
||||||
|
// at least in fully qualified names so we rule out that as well, to simplify
|
||||||
|
// the combinations we might have to check.
|
||||||
|
if (path->find(L'/') != std::wstring::npos) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (path->find(L"\\..\\") != std::wstring::npos) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
ConvertToLongPath(path);
|
ConvertToLongPath(path);
|
||||||
|
return true;
|
||||||
if (ERROR_NOT_A_REPARSE_POINT == IsReparsePoint(*path))
|
|
||||||
return true;
|
|
||||||
|
|
||||||
// We can't process a reparsed file.
|
|
||||||
return false;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
std::wstring FixNTPrefixForMatch(const std::wstring& name) {
|
std::wstring FixNTPrefixForMatch(const std::wstring& name) {
|
||||||
|
|
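Review bot: In the @ -405 hunk the new parent-directory filter in PreProcessName, `if (path->find(L"\\..\\") != std::wstring::npos)`, only matches a `..` component that has a backslash on both sides, so a name whose final component is `..` (a trailing `\..` with nothing after it) passes the check. The comment hedges that NtCreateFile does not seem to accept such names anyway, but because the @ -44 hunk removes the SameObject post-open verification in NtCreateFileInTarget (that function begins outside the hunk), this string filter is now the only guard, and closing the gap is cheap: `if (path->find(L"\\..\\") != std::wstring::npos || (path->size() >= 3 && path->compare(path->size() - 3, 3, L"\\..") == 0)) {`. The comment also states that names reaching here must be fully qualified, yet nothing in PreProcessName checks that; if the callers guarantee it, a one-line comment naming where it is enforced would help the next reader, otherwise a precondition check on the name's prefix belongs here before ConvertToLongPath.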