Bug 1147911 Part 9: Ensure file read permissions for file content process on Windows. r=jimm, r=jld

2016-11-23 13:36:59 +00:00 · 2016-11-23 13:36:59 +00:00 · ca93c43645
--- a/dom/ipc/ContentParent.cpp
+++ b/dom/ipc/ContentParent.cpp
@ -1817,7 +1817,9 @@ ContentParent::ContentParent(ContentParent* aOpener,
 #endif

  NS_ASSERTION(NS_IsMainThread(), "Wrong thread!");
-  ChildPrivileges privs = base::PRIVILEGES_DEFAULT;
+  ChildPrivileges privs = mRemoteType.EqualsLiteral("file")
+                          ? base::PRIVILEGES_FILEREAD
+                          : base::PRIVILEGES_DEFAULT;
  mSubprocess = new GeckoChildProcessHost(GeckoProcessType_Content, privs);
 }

--- a/ipc/chromium/moz.build
+++ b/ipc/chromium/moz.build
@ -58,6 +58,11 @@ if os_win:
        'src/chrome/common/process_watcher_win.cc',
        'src/chrome/common/transport_dib_win.cc',
    ]
+
+    EXPORTS.base += [
+        'src/base/child_privileges.h',
+    ]
+
 elif not CONFIG['MOZ_SYSTEM_LIBEVENT']:
    DIRS += ['src/third_party']

--- a/ipc/chromium/src/base/child_privileges.h
+++ b/ipc/chromium/src/base/child_privileges.h
@ -0,0 +1,23 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef BASE_CHILD_PRIVILEGS_H_
+#define BASE_CHILD_PRIVILEGS_H_
+
+namespace base {
+
+enum ChildPrivileges {
+  PRIVILEGES_DEFAULT,
+  PRIVILEGES_UNPRIVILEGED,
+  PRIVILEGES_INHERIT,
+  // PRIVILEGES_DEFAULT plus file read permissions, used for file content process.
+  PRIVILEGES_FILEREAD,
+  PRIVILEGES_LAST
+};
+
+} // namespace base
+
+#endif  // BASE_CHILD_PRIVILEGS_H_
--- a/ipc/chromium/src/base/process_util.h
+++ b/ipc/chromium/src/base/process_util.h
@ -36,6 +36,7 @@
 #include <unistd.h>
 #endif

+#include "base/child_privileges.h"
 #include "base/command_line.h"
 #include "base/process.h"

@ -143,13 +144,6 @@ void SetAllFDsToCloseOnExec();
 void CloseSuperfluousFds(const base::InjectiveMultimap& saved_map);
 #endif

-enum ChildPrivileges {
-  PRIVILEGES_DEFAULT,
-  PRIVILEGES_UNPRIVILEGED,
-  PRIVILEGES_INHERIT,
-  PRIVILEGES_LAST
-};
-
 #if defined(OS_WIN)
 // Runs the given application name with the given command line. Normally, the
 // first command line argument should be the path to the process, and don't
--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@ -761,7 +761,8 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
 #if defined(OS_LINUX) || defined(OS_MACOSX) || defined(OS_BSD)
  base::environment_map newEnvVars;
  ChildPrivileges privs = mPrivileges;
-  if (privs == base::PRIVILEGES_DEFAULT) {
+  if (privs == base::PRIVILEGES_DEFAULT ||
+      privs == base::PRIVILEGES_FILEREAD) {
    privs = DefaultChildPrivileges();
  }

@ -1054,7 +1055,8 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
        // For now we treat every failure as fatal in SetSecurityLevelForContentProcess
        // and just crash there right away. Should this change in the future then we
        // should also handle the error here.
-        mSandboxBroker.SetSecurityLevelForContentProcess(mSandboxLevel);
+        mSandboxBroker.SetSecurityLevelForContentProcess(mSandboxLevel,
+                                                         mPrivileges);
        shouldSandboxCurrentProcess = true;
        AddContentSandboxAllowedFiles(mSandboxLevel, mAllowedFilesRead);
      }
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@ -92,7 +92,8 @@ SandboxBroker::LaunchApp(const wchar_t *aPath,

 #if defined(MOZ_CONTENT_SANDBOX)
 void
-SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel)
+SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
+                                                 base::ChildPrivileges aPrivs)
 {
  MOZ_RELEASE_ASSERT(mPolicy, "mPolicy must be set before this call.");

@ -127,6 +128,16 @@ SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel)
    delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
  }

+  // If PRIVILEGES_FILEREAD required, don't allow settings that block reads.
+  if (aPrivs == base::ChildPrivileges::PRIVILEGES_FILEREAD) {
+    if (accessTokenLevel < sandbox::USER_NON_ADMIN) {
+      accessTokenLevel = sandbox::USER_NON_ADMIN;
+    }
+    if (delayedIntegrityLevel > sandbox::INTEGRITY_LEVEL_LOW) {
+      delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
+    }
+  }
+
  sandbox::ResultCode result = mPolicy->SetJobLevel(jobLevel,
                                                    0 /* ui_exceptions */);
  MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
@ -10,6 +10,8 @@
 #include <stdint.h>
 #include <windows.h>

+#include "base/child_privileges.h"
+
 namespace sandbox {
  class BrokerServices;
  class TargetPolicy;
@ -32,7 +34,8 @@ public:

  // Security levels for different types of processes
 #if defined(MOZ_CONTENT_SANDBOX)
-  void SetSecurityLevelForContentProcess(int32_t aSandboxLevel);
+  void SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
+                                         base::ChildPrivileges aPrivs);
 #endif
  bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel);
  enum SandboxLevel {