Bug 1147911 Part 9: Ensure file read permissions for file content process on Windows. r=jimm, r=jld
Родитель
fd9634b56e
Коммит
ca93c43645
@ -1817,7 +1817,9 @@ ContentParent::ContentParent(ContentParent* aOpener,
|
|||
#endif
|
||||
|
||||
NS_ASSERTION(NS_IsMainThread(), "Wrong thread!");
|
||||
ChildPrivileges privs = base::PRIVILEGES_DEFAULT;
|
||||
ChildPrivileges privs = mRemoteType.EqualsLiteral("file")
|
||||
? base::PRIVILEGES_FILEREAD
|
||||
: base::PRIVILEGES_DEFAULT;
|
||||
mSubprocess = new GeckoChildProcessHost(GeckoProcessType_Content, privs);
|
||||
}
|
||||
|
||||
|
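Review bot: The new initializer `ChildPrivileges privs = mRemoteType.EqualsLiteral("file")` keys a sandbox relaxation on a bare string literal; if ContentParent.h already defines a named constant for the file remote type (`FILE_REMOTE_TYPE`), compare against that so the spelling cannot drift from the place the remote type is assigned. A short comment above the initializer would also help future readers, e.g. `// The file content process must read local files, so it is launched with PRIVILEGES_FILEREAD (which relaxes the Windows sandbox policy); every other remote type keeps the default.` The constructor body continues outside the hunk.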
|
|
@ -58,6 +58,11 @@ if os_win:
|
|||
'src/chrome/common/process_watcher_win.cc',
|
||||
'src/chrome/common/transport_dib_win.cc',
|
||||
]
|
||||
|
||||
EXPORTS.base += [
|
||||
'src/base/child_privileges.h',
|
||||
]
|
||||
|
||||
elif not CONFIG['MOZ_SYSTEM_LIBEVENT']:
|
||||
DIRS += ['src/third_party']
|
||||
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
||||
/* vim: set ts=2 et sw=2 tw=80: */
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#ifndef BASE_CHILD_PRIVILEGS_H_
|
||||
#define BASE_CHILD_PRIVILEGS_H_
|
||||
|
||||
namespace base {
|
||||
|
||||
enum ChildPrivileges {
|
||||
PRIVILEGES_DEFAULT,
|
||||
PRIVILEGES_UNPRIVILEGED,
|
||||
PRIVILEGES_INHERIT,
|
||||
// PRIVILEGES_DEFAULT plus file read permissions, used for file content process.
|
||||
PRIVILEGES_FILEREAD,
|
||||
PRIVILEGES_LAST
|
||||
};
|
||||
|
||||
} // namespace base
|
||||
|
||||
#endif // BASE_CHILD_PRIVILEGS_H_
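Review bot: The include guard is misspelled: `#ifndef BASE_CHILD_PRIVILEGS_H_`, `#define BASE_CHILD_PRIVILEGS_H_` and `#endif // BASE_CHILD_PRIVILEGS_H_` drop the E from PRIVILEGES, so rename all three to `BASE_CHILD_PRIVILEGES_H_` to match the file name and stay greppable. The enum has no header comment even though PRIVILEGES_LAST is only a sentinel; a line above `enum ChildPrivileges {` such as `// Privilege level requested when launching a child process; PRIVILEGES_LAST is a sentinel, not a valid level.` would document that. The PRIVILEGES_FILEREAD comment could also say that, per the GeckoChildProcessHost change in this commit, the value is treated as PRIVILEGES_DEFAULT on non-Windows platforms.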
|
|
@ -36,6 +36,7 @@
|
|||
#include <unistd.h>
|
||||
#endif
|
||||
|
||||
#include "base/child_privileges.h"
|
||||
#include "base/command_line.h"
|
||||
#include "base/process.h"
|
||||
|
||||
|
@ -143,13 +144,6 @@ void SetAllFDsToCloseOnExec();
|
|||
void CloseSuperfluousFds(const base::InjectiveMultimap& saved_map);
|
||||
#endif
|
||||
|
||||
enum ChildPrivileges {
|
||||
PRIVILEGES_DEFAULT,
|
||||
PRIVILEGES_UNPRIVILEGED,
|
||||
PRIVILEGES_INHERIT,
|
||||
PRIVILEGES_LAST
|
||||
};
|
||||
|
||||
#if defined(OS_WIN)
|
||||
// Runs the given application name with the given command line. Normally, the
|
||||
// first command line argument should be the path to the process, and don't
|
||||
|
|
|
@ -761,7 +761,8 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
|
|||
#if defined(OS_LINUX) || defined(OS_MACOSX) || defined(OS_BSD)
|
||||
base::environment_map newEnvVars;
|
||||
ChildPrivileges privs = mPrivileges;
|
||||
if (privs == base::PRIVILEGES_DEFAULT) {
|
||||
if (privs == base::PRIVILEGES_DEFAULT ||
|
||||
privs == base::PRIVILEGES_FILEREAD) {
|
||||
privs = DefaultChildPrivileges();
|
||||
}
|
||||
|
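Review bot: The widened condition `if (privs == base::PRIVILEGES_DEFAULT || privs == base::PRIVILEGES_FILEREAD)` silently folds the new privilege level into the platform default without saying why, which a later reader may take for an oversight rather than a deliberate Windows-only effect. A comment such as `// PRIVILEGES_FILEREAD only changes the Windows sandbox policy; on these platforms it is treated exactly like PRIVILEGES_DEFAULT.` would record the intent. PerformAsyncLaunchInternal starts and ends outside the hunk.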
||||
|
@ -1054,7 +1055,8 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
|
|||
// For now we treat every failure as fatal in SetSecurityLevelForContentProcess
|
||||
// and just crash there right away. Should this change in the future then we
|
||||
// should also handle the error here.
|
||||
mSandboxBroker.SetSecurityLevelForContentProcess(mSandboxLevel);
|
||||
mSandboxBroker.SetSecurityLevelForContentProcess(mSandboxLevel,
|
||||
mPrivileges);
|
||||
shouldSandboxCurrentProcess = true;
|
||||
AddContentSandboxAllowedFiles(mSandboxLevel, mAllowedFilesRead);
|
||||
}
|
||||
|
|
|
@ -92,7 +92,8 @@ SandboxBroker::LaunchApp(const wchar_t *aPath,
|
|||
|
||||
#if defined(MOZ_CONTENT_SANDBOX)
|
||||
void
|
||||
SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel)
|
||||
SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
|
||||
base::ChildPrivileges aPrivs)
|
||||
{
|
||||
MOZ_RELEASE_ASSERT(mPolicy, "mPolicy must be set before this call.");
|
||||
|
||||
|
@ -127,6 +128,16 @@ SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel)
|
|||
delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
|
||||
}
|
||||
|
||||
// If PRIVILEGES_FILEREAD required, don't allow settings that block reads.
|
||||
if (aPrivs == base::ChildPrivileges::PRIVILEGES_FILEREAD) {
|
||||
if (accessTokenLevel < sandbox::USER_NON_ADMIN) {
|
||||
accessTokenLevel = sandbox::USER_NON_ADMIN;
|
||||
}
|
||||
if (delayedIntegrityLevel > sandbox::INTEGRITY_LEVEL_LOW) {
|
||||
delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
|
||||
}
|
||||
}
|
||||
|
||||
sandbox::ResultCode result = mPolicy->SetJobLevel(jobLevel,
|
||||
0 /* ui_exceptions */);
|
||||
MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
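Review bot: The block guarded by `if (aPrivs == base::ChildPrivileges::PRIVILEGES_FILEREAD)` loosens two settings derived from aSandboxLevel (token level floored at USER_NON_ADMIN, delayed integrity capped at INTEGRITY_LEVEL_LOW), but the comment only says "don't allow settings that block reads"; it should name what is being relaxed and why, e.g. `// The file content process must read arbitrary local files, so regardless of aSandboxLevel never go below a USER_NON_ADMIN token or a LOW delayed integrity level; whatever else the level selected above is presumably kept.` The two comparisons also rely on the numeric ordering of sandbox::TokenLevel and sandbox::IntegrityLevel (the `<` and `>` directions encode which way is more restrictive), which is worth stating in that comment so nobody reorders the enums. Elsewhere in this commit the enumerator is written `base::PRIVILEGES_FILEREAD`; the `base::ChildPrivileges::` qualification here is inconsistent with that and with the enum being unscoped. SetSecurityLevelForContentProcess starts and ends outside the hunk.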
|
||||
|
|
|
@ -10,6 +10,8 @@
|
|||
#include <stdint.h>
|
||||
#include <windows.h>
|
||||
|
||||
#include "base/child_privileges.h"
|
||||
|
||||
namespace sandbox {
|
||||
class BrokerServices;
|
||||
class TargetPolicy;
|
||||
|
@ -32,7 +34,8 @@ public:
|
|||
|
||||
// Security levels for different types of processes
|
||||
#if defined(MOZ_CONTENT_SANDBOX)
|
||||
void SetSecurityLevelForContentProcess(int32_t aSandboxLevel);
|
||||
void SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
|
||||
base::ChildPrivileges aPrivs);
|
||||
#endif
|
||||
bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel);
|
||||
enum SandboxLevel {
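Review bot: The new `base::ChildPrivileges aPrivs` parameter on SetSecurityLevelForContentProcess is undocumented; the only nearby comment, `// Security levels for different types of processes`, predates it and does not say that aPrivs can override part of the policy derived from aSandboxLevel. Add a line above the declaration such as `// aPrivs == base::PRIVILEGES_FILEREAD keeps the token and delayed integrity level permissive enough for the file content process to read local files, regardless of aSandboxLevel.` The class body continues outside the hunk.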
|
||||
|
|