Bug 1841629 p1: Make USER_RESTRICTED_NON_ADMIN allow for use_restricting_sids settings. r=handyman
Differential Revision: https://phabricator.services.mozilla.com/D182998
Родитель
a5a680e7e5
Коммит
abe79cb63d
|
@ -56,7 +56,31 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
|
|||
sid_exceptions.push_back(WinWorldSid);
|
||||
sid_exceptions.push_back(WinInteractiveSid);
|
||||
sid_exceptions.push_back(WinAuthenticatedUserSid);
|
||||
@@ -108,49 +112,57 @@ DWORD CreateRestrictedToken(HANDLE effec
|
||||
@@ -108,64 +112,74 @@ DWORD CreateRestrictedToken(HANDLE effec
|
||||
break;
|
||||
}
|
||||
case USER_RESTRICTED_NON_ADMIN: {
|
||||
sid_exceptions.push_back(WinBuiltinUsersSid);
|
||||
sid_exceptions.push_back(WinWorldSid);
|
||||
sid_exceptions.push_back(WinInteractiveSid);
|
||||
sid_exceptions.push_back(WinAuthenticatedUserSid);
|
||||
privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
|
||||
- restricted_token.AddRestrictingSid(WinBuiltinUsersSid);
|
||||
- restricted_token.AddRestrictingSid(WinWorldSid);
|
||||
- restricted_token.AddRestrictingSid(WinInteractiveSid);
|
||||
- restricted_token.AddRestrictingSid(WinAuthenticatedUserSid);
|
||||
- restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
|
||||
- restricted_token.AddRestrictingSidCurrentUser();
|
||||
- restricted_token.AddRestrictingSidLogonSession();
|
||||
+ if (use_restricting_sids) {
|
||||
+ restricted_token.AddRestrictingSid(WinBuiltinUsersSid);
|
||||
+ restricted_token.AddRestrictingSid(WinWorldSid);
|
||||
+ restricted_token.AddRestrictingSid(WinInteractiveSid);
|
||||
+ restricted_token.AddRestrictingSid(WinAuthenticatedUserSid);
|
||||
+ restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
|
||||
+ restricted_token.AddRestrictingSidCurrentUser();
|
||||
+ restricted_token.AddRestrictingSidLogonSession();
|
||||
+ }
|
||||
break;
|
||||
}
|
||||
case USER_INTERACTIVE: {
|
||||
|
|
|
@ -109,6 +109,7 @@ DWORD CreateRestrictedToken(HANDLE effective_token,
|
|||
sid_exceptions.push_back(WinInteractiveSid);
|
||||
sid_exceptions.push_back(WinAuthenticatedUserSid);
|
||||
privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
|
||||
if (use_restricting_sids) {
|
||||
restricted_token.AddRestrictingSid(WinBuiltinUsersSid);
|
||||
restricted_token.AddRestrictingSid(WinWorldSid);
|
||||
restricted_token.AddRestrictingSid(WinInteractiveSid);
|
||||
|
@ -116,6 +117,7 @@ DWORD CreateRestrictedToken(HANDLE effective_token,
|
|||
restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
|
||||
restricted_token.AddRestrictingSidCurrentUser();
|
||||
restricted_token.AddRestrictingSidLogonSession();
|
||||
}
|
||||
break;
|
||||
}
|
||||
case USER_INTERACTIVE: {
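Review bot: The `if (use_restricting_sids) {` guard now wrapped around the `AddRestrictingSid*` calls in the `USER_RESTRICTED_NON_ADMIN` case has no comment stating what the level still enforces when the flag is false. On that path none of the seven restricting SIDs is added, so the token presumably relies only on the `sid_exceptions` / `privilege_exceptions` handling. That handling is applied outside this hunk, so confirm it there. I would add above the guard: `// Without restricting SIDs this level only limits groups and privileges; the token is not a restricted token, so callers must not treat it as equivalent.` The case body and `CreateRestrictedToken` itself start and end outside the visible lines, so it is not visible here which callers pass `use_restricting_sids == false`. The patch-file section earlier on the page appears to record the same lines.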
|
||||
|
|