Bug 1123245 Part 1: Enable an open sandbox on Windows NPAPI processes. r=josh, r=tabraldes

2015-01-23 08:32:20 +00:00 · 2015-01-23 08:32:20 +00:00 · f6a727b6c9
--- a/dom/plugins/ipc/PluginProcessChild.cpp
+++ b/dom/plugins/ipc/PluginProcessChild.cpp
@ -12,6 +12,7 @@
 #include "base/command_line.h"
 #include "base/string_util.h"
 #include "chrome/common/chrome_switches.h"
+#include "nsDebugImpl.h"

 #if defined(XP_MACOSX)
 #include "nsCocoaFeatures.h"
@ -23,6 +24,10 @@ extern "C" CGError CGSSetDebugOptions(int options);
 #ifdef XP_WIN
 #include <objbase.h>
 bool ShouldProtectPluginCurrentDirectory(char16ptr_t pluginFilePath);
+#if defined(MOZ_SANDBOX)
+#define TARGET_SANDBOX_EXPORTS
+#include "mozilla/sandboxTarget.h"
+#endif
 #endif

 using mozilla::ipc::IOThreadChild;
@ -49,6 +54,8 @@ namespace plugins {
 bool
 PluginProcessChild::Init()
 {
+    nsDebugImpl::SetMultiprocessMode("NPAPI");
+
 #if defined(XP_MACOSX)
    // Remove the trigger for "dyld interposing" that we added in
    // GeckoChildProcessHost::PerformAsyncLaunchInternal(), in the host
@ -117,6 +124,13 @@ PluginProcessChild::Init()
    }

    pluginFilename = WideToUTF8(values[0]);
+
+#if defined(MOZ_SANDBOX)
+    // This is probably the earliest we would want to start the sandbox.
+    // As we attempt to tighten the sandbox, we may need to consider moving this
+    // to later in the plugin initialization.
+    mozilla::SandboxTarget::Instance()->StartSandbox();
+#endif
 #else
 #  error Sorry
 #endif
--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@ -800,7 +800,7 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
    }
  }

-#if defined(XP_WIN)
+#if defined(XP_WIN) && defined(MOZ_SANDBOX)
  bool shouldSandboxCurrentProcess = false;
  switch (mProcessType) {
    case GeckoProcessType_Content:
@ -813,10 +813,11 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
 #endif // MOZ_CONTENT_SANDBOX
      break;
    case GeckoProcessType_Plugin:
-      // XXX: We don't sandbox this process type yet
-      // mSandboxBroker.SetSecurityLevelForPluginProcess();
-      // cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
-      // shouldSandboxCurrentProcess = true;
+      if (!PR_GetEnv("MOZ_DISABLE_NPAPI_SANDBOX")) {
+        mSandboxBroker.SetSecurityLevelForPluginProcess();
+        cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
+        shouldSandboxCurrentProcess = true;
+      }
      break;
    case GeckoProcessType_IPDLUnitTest:
      // XXX: We don't sandbox this process type yet
@ -825,13 +826,11 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
      // shouldSandboxCurrentProcess = true;
      break;
    case GeckoProcessType_GMPlugin:
-#ifdef MOZ_SANDBOX
      if (!PR_GetEnv("MOZ_DISABLE_GMP_SANDBOX")) {
        mSandboxBroker.SetSecurityLevelForGMPlugin();
        cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
        shouldSandboxCurrentProcess = true;
      }
-#endif
      break;
    case GeckoProcessType_Default:
    default:
@ -839,7 +838,6 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
      break;
  };

-#ifdef MOZ_SANDBOX
  if (shouldSandboxCurrentProcess) {
    for (auto it = mAllowedFilesRead.begin();
         it != mAllowedFilesRead.end();
@ -847,9 +845,7 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
      mSandboxBroker.AllowReadFile(it->c_str());
    }
  }
-#endif
-
-#endif // XP_WIN
+#endif // XP_WIN && MOZ_SANDBOX

  // Add the application directory path (-appdir path)
  AddAppDirToCommandLine(cmdLine);
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@ -123,11 +123,25 @@ SandboxBroker::SetSecurityLevelForPluginProcess()
    return false;
  }

-  auto result = mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
+  auto result = mPolicy->SetJobLevel(sandbox::JOB_NONE,
+                                     0 /* ui_exceptions */);
  bool ret = (sandbox::SBOX_ALL_OK == result);
-  result = mPolicy->SetTokenLevel(sandbox::USER_UNPROTECTED,
-                                  sandbox::USER_UNPROTECTED);
+
+  result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
+                                  sandbox::USER_RESTRICTED_SAME_ACCESS);
  ret = ret && (sandbox::SBOX_ALL_OK == result);
+
+  result = mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_MEDIUM);
+  ret = ret && (sandbox::SBOX_ALL_OK == result);
+
+  // Add the policy for the client side of a pipe. It is just a file
+  // in the \pipe\ namespace. We restrict it to pipes that start with
+  // "chrome." so the sandboxed process cannot connect to system services.
+  result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+                            sandbox::TargetPolicy::FILES_ALLOW_ANY,
+                            L"\\??\\pipe\\chrome.*");
+  ret = ret && (sandbox::SBOX_ALL_OK == result);
+
  return ret;
 }