Bug 1147911 Part 9: Ensure file read permissions for file content process on Windows. r=jimm, r=jld

Bob Owen 2016-11-23 13:36:59 +00:00
Родитель fd9634b56e
Коммит ca93c43645
7 изменённых файлов: 52 добавлений и 12 удалений


@ -1817,7 +1817,9 @@ ContentParent::ContentParent(ContentParent* aOpener,
#endif
NS_ASSERTION(NS_IsMainThread(), "Wrong thread!");
ChildPrivileges privs = base::PRIVILEGES_DEFAULT;
ChildPrivileges privs = mRemoteType.EqualsLiteral("file")
? base::PRIVILEGES_FILEREAD
: base::PRIVILEGES_DEFAULT;
mSubprocess = new GeckoChildProcessHost(GeckoProcessType_Content, privs);
}
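Review bot: The selection of `base::PRIVILEGES_FILEREAD` for the "file" remote type has no comment, yet it is the one place that decides a content process is launched with a relaxed Windows sandbox policy. Suggest a comment above the initializer: `// The file content process must read local files, so on Windows it is launched with a sandbox policy that does not block file reads (see SandboxBroker::SetSecurityLevelForContentProcess).` ContentParent's constructor starts outside the hunk.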


@ -58,6 +58,11 @@ if os_win:
'src/chrome/common/process_watcher_win.cc',
'src/chrome/common/transport_dib_win.cc',
]
EXPORTS.base += [
'src/base/child_privileges.h',
]
elif not CONFIG['MOZ_SYSTEM_LIBEVENT']:
DIRS += ['src/third_party']


@ -0,0 +1,23 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef BASE_CHILD_PRIVILEGS_H_
#define BASE_CHILD_PRIVILEGS_H_
namespace base {
enum ChildPrivileges {
PRIVILEGES_DEFAULT,
PRIVILEGES_UNPRIVILEGED,
PRIVILEGES_INHERIT,
// PRIVILEGES_DEFAULT plus file read permissions, used for file content process.
PRIVILEGES_FILEREAD,
PRIVILEGES_LAST
};
} // namespace base
#endif // BASE_CHILD_PRIVILEGS_H_
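Review bot: The include guard is misspelled: `BASE_CHILD_PRIVILEGS_H_` on the `#ifndef`, the `#define` and the closing `#endif` comment should read `BASE_CHILD_PRIVILEGES_H_` to match child_privileges.h; it guards correctly today, but a misspelt guard is easy to mis-copy into another header. The enum presumably stays unscoped because callers spell the values as `base::PRIVILEGES_DEFAULT`, which is fine, but PRIVILEGES_LAST, which looks like a sentinel, would benefit from saying so, e.g. `// Sentinel, not a valid privilege level.`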


@ -36,6 +36,7 @@
#include <unistd.h>
#endif
#include "base/child_privileges.h"
#include "base/command_line.h"
#include "base/process.h"
@ -143,13 +144,6 @@ void SetAllFDsToCloseOnExec();
void CloseSuperfluousFds(const base::InjectiveMultimap& saved_map);
#endif
enum ChildPrivileges {
PRIVILEGES_DEFAULT,
PRIVILEGES_UNPRIVILEGED,
PRIVILEGES_INHERIT,
PRIVILEGES_LAST
};
#if defined(OS_WIN)
// Runs the given application name with the given command line. Normally, the
// first command line argument should be the path to the process, and don't


@ -761,7 +761,8 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
#if defined(OS_LINUX) || defined(OS_MACOSX) || defined(OS_BSD)
base::environment_map newEnvVars;
ChildPrivileges privs = mPrivileges;
if (privs == base::PRIVILEGES_DEFAULT) {
if (privs == base::PRIVILEGES_DEFAULT ||
privs == base::PRIVILEGES_FILEREAD) {
privs = DefaultChildPrivileges();
}
@ -1054,7 +1055,8 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
// For now we treat every failure as fatal in SetSecurityLevelForContentProcess
// and just crash there right away. Should this change in the future then we
// should also handle the error here.
mSandboxBroker.SetSecurityLevelForContentProcess(mSandboxLevel);
mSandboxBroker.SetSecurityLevelForContentProcess(mSandboxLevel,
mPrivileges);
shouldSandboxCurrentProcess = true;
AddContentSandboxAllowedFiles(mSandboxLevel, mAllowedFilesRead);
}
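Review bot: In the first hunk, on the non-Windows branch, PRIVILEGES_FILEREAD is folded into DefaultChildPrivileges() with no explanation, so a reader cannot tell whether file reads are intended to work there or the value is simply not handled on those platforms. Suggest a comment above the condition: `// PRIVILEGES_FILEREAD only changes the Windows sandbox policy; on other platforms the file content process gets the default privileges.` The second hunk passes mPrivileges through to SetSecurityLevelForContentProcess, which is where the flag takes effect. PerformAsyncLaunchInternal starts and ends outside both hunks.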


@ -92,7 +92,8 @@ SandboxBroker::LaunchApp(const wchar_t *aPath,
#if defined(MOZ_CONTENT_SANDBOX)
void
SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel)
SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
base::ChildPrivileges aPrivs)
{
MOZ_RELEASE_ASSERT(mPolicy, "mPolicy must be set before this call.");
@ -127,6 +128,16 @@ SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel)
delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
}
// If PRIVILEGES_FILEREAD required, don't allow settings that block reads.
if (aPrivs == base::ChildPrivileges::PRIVILEGES_FILEREAD) {
if (accessTokenLevel < sandbox::USER_NON_ADMIN) {
accessTokenLevel = sandbox::USER_NON_ADMIN;
}
if (delayedIntegrityLevel > sandbox::INTEGRITY_LEVEL_LOW) {
delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
}
}
sandbox::ResultCode result = mPolicy->SetJobLevel(jobLevel,
0 /* ui_exceptions */);
MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
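Review bot: The FILEREAD override in the second hunk encodes the sandbox enum orderings implicitly: `accessTokenLevel < sandbox::USER_NON_ADMIN` relies on lower TokenLevel values being more restrictive, and `delayedIntegrityLevel > sandbox::INTEGRITY_LEVEL_LOW` on higher IntegrityLevel values being more restrictive, and nothing in the code says so. A comment would stop a future reader from flipping a comparison, e.g. `// Lower TokenLevel and higher IntegrityLevel values are more restrictive; USER_NON_ADMIN and INTEGRITY_LEVEL_LOW are presumably the tightest settings that still permit file reads.` Because this loosens the policy chosen from aSandboxLevel, the comment should also name which sandbox levels it overrides, so that later changes to the level table are reviewed with this relaxation in mind. The function continues past the hunk.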


@ -10,6 +10,8 @@
#include <stdint.h>
#include <windows.h>
#include "base/child_privileges.h"
namespace sandbox {
class BrokerServices;
class TargetPolicy;
@ -32,7 +34,8 @@ public:
// Security levels for different types of processes
#if defined(MOZ_CONTENT_SANDBOX)
void SetSecurityLevelForContentProcess(int32_t aSandboxLevel);
void SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
base::ChildPrivileges aPrivs);
#endif
bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel);
enum SandboxLevel {
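Review bot: The new aPrivs parameter is undocumented in the header; the comment `// Security levels for different types of processes` above the declaration does not say what the privileges argument changes. Suggest `// aPrivs: with base::PRIVILEGES_FILEREAD the token and delayed integrity levels are not tightened beyond what file reads allow.` The class body continues outside the hunk.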