Bug 1841629 p1: Make USER_RESTRICTED_NON_ADMIN allow for use_restricting_sids settings. r=handyman

Differential Revision: https://phabricator.services.mozilla.com/D182998
2023-07-10 08:00:19 +00:00 · 2023-07-10 08:00:19 +00:00 · abe79cb63d
--- a/security/sandbox/chromium-shim/patches/with_update/add_option_to_not_use_restricting_sids.patch
+++ b/security/sandbox/chromium-shim/patches/with_update/add_option_to_not_use_restricting_sids.patch
@ -56,7 +56,31 @@ diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
       sid_exceptions.push_back(WinWorldSid);
       sid_exceptions.push_back(WinInteractiveSid);
       sid_exceptions.push_back(WinAuthenticatedUserSid);
-@@ -108,49 +112,57 @@ DWORD CreateRestrictedToken(HANDLE effec
+@@ -108,64 +112,74 @@ DWORD CreateRestrictedToken(HANDLE effec
+       break;
+     }
+     case USER_RESTRICTED_NON_ADMIN: {
+       sid_exceptions.push_back(WinBuiltinUsersSid);
+       sid_exceptions.push_back(WinWorldSid);
+       sid_exceptions.push_back(WinInteractiveSid);
+       sid_exceptions.push_back(WinAuthenticatedUserSid);
+       privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
+-      restricted_token.AddRestrictingSid(WinBuiltinUsersSid);
+-      restricted_token.AddRestrictingSid(WinWorldSid);
+-      restricted_token.AddRestrictingSid(WinInteractiveSid);
+-      restricted_token.AddRestrictingSid(WinAuthenticatedUserSid);
+-      restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
+-      restricted_token.AddRestrictingSidCurrentUser();
+-      restricted_token.AddRestrictingSidLogonSession();
+      if (use_restricting_sids) {
+        restricted_token.AddRestrictingSid(WinBuiltinUsersSid);
+        restricted_token.AddRestrictingSid(WinWorldSid);
+        restricted_token.AddRestrictingSid(WinInteractiveSid);
+        restricted_token.AddRestrictingSid(WinAuthenticatedUserSid);
+        restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
+        restricted_token.AddRestrictingSidCurrentUser();
+        restricted_token.AddRestrictingSidLogonSession();
+      }
       break;
     }
     case USER_INTERACTIVE: {
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
@ -109,6 +109,7 @@ DWORD CreateRestrictedToken(HANDLE effective_token,
      sid_exceptions.push_back(WinInteractiveSid);
      sid_exceptions.push_back(WinAuthenticatedUserSid);
      privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
+      if (use_restricting_sids) {
        restricted_token.AddRestrictingSid(WinBuiltinUsersSid);
        restricted_token.AddRestrictingSid(WinWorldSid);
        restricted_token.AddRestrictingSid(WinInteractiveSid);
@ -116,6 +117,7 @@ DWORD CreateRestrictedToken(HANDLE effective_token,
        restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
        restricted_token.AddRestrictingSidCurrentUser();
        restricted_token.AddRestrictingSidLogonSession();
+      }
      break;
    }
    case USER_INTERACTIVE: {