Bug 1123245 Part 1: Enable an open sandbox on Windows NPAPI processes. r=josh, r=tabraldes
Родитель
58957e76da
Коммит
f6a727b6c9
|
@ -12,6 +12,7 @@
|
|||
#include "base/command_line.h"
|
||||
#include "base/string_util.h"
|
||||
#include "chrome/common/chrome_switches.h"
|
||||
#include "nsDebugImpl.h"
|
||||
|
||||
#if defined(XP_MACOSX)
|
||||
#include "nsCocoaFeatures.h"
|
||||
|
@ -23,6 +24,10 @@ extern "C" CGError CGSSetDebugOptions(int options);
|
|||
#ifdef XP_WIN
|
||||
#include <objbase.h>
|
||||
bool ShouldProtectPluginCurrentDirectory(char16ptr_t pluginFilePath);
|
||||
#if defined(MOZ_SANDBOX)
|
||||
#define TARGET_SANDBOX_EXPORTS
|
||||
#include "mozilla/sandboxTarget.h"
|
||||
#endif
|
||||
#endif
|
||||
|
||||
using mozilla::ipc::IOThreadChild;
|
||||
|
@ -49,6 +54,8 @@ namespace plugins {
|
|||
bool
|
||||
PluginProcessChild::Init()
|
||||
{
|
||||
nsDebugImpl::SetMultiprocessMode("NPAPI");
|
||||
|
||||
#if defined(XP_MACOSX)
|
||||
// Remove the trigger for "dyld interposing" that we added in
|
||||
// GeckoChildProcessHost::PerformAsyncLaunchInternal(), in the host
|
||||
|
@ -117,6 +124,13 @@ PluginProcessChild::Init()
|
|||
}
|
||||
|
||||
pluginFilename = WideToUTF8(values[0]);
|
||||
|
||||
#if defined(MOZ_SANDBOX)
|
||||
// This is probably the earliest we would want to start the sandbox.
|
||||
// As we attempt to tighten the sandbox, we may need to consider moving this
|
||||
// to later in the plugin initialization.
|
||||
mozilla::SandboxTarget::Instance()->StartSandbox();
|
||||
#endif
|
||||
#else
|
||||
# error Sorry
|
||||
#endif
|
||||
|
|
|
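Review bot: The new `mozilla::SandboxTarget::Instance()->StartSandbox();` after `pluginFilename = WideToUTF8(values[0]);` runs unconditionally whenever MOZ_SANDBOX is defined, while the launcher side (GeckoChildProcessHost::PerformAsyncLaunchInternal) only configures a broker policy and appends `-sandbox` when MOZ_DISABLE_NPAPI_SANDBOX is unset; if StartSandbox() assumes a broker-prepared target, the opt-out path calls it without one — worth confirming, and gating the call on the `-sandbox` argument would keep both sides consistent. The comment also says this is "probably the earliest" point to start the sandbox without stating the constraint; a line such as `// Started after the plugin path is read from the command line above; keep in sync with the -sandbox gating in GeckoChildProcessHost.` would make the placement explicit. PluginProcessChild::Init() begins in an earlier hunk and continues past this one.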
@ -800,7 +800,7 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
|
|||
}
|
||||
}
|
||||
|
||||
#if defined(XP_WIN)
|
||||
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
|
||||
bool shouldSandboxCurrentProcess = false;
|
||||
switch (mProcessType) {
|
||||
case GeckoProcessType_Content:
|
||||
|
@ -813,10 +813,11 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
|
|||
#endif // MOZ_CONTENT_SANDBOX
|
||||
break;
|
||||
case GeckoProcessType_Plugin:
|
||||
// XXX: We don't sandbox this process type yet
|
||||
// mSandboxBroker.SetSecurityLevelForPluginProcess();
|
||||
// cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
|
||||
// shouldSandboxCurrentProcess = true;
|
||||
if (!PR_GetEnv("MOZ_DISABLE_NPAPI_SANDBOX")) {
|
||||
mSandboxBroker.SetSecurityLevelForPluginProcess();
|
||||
cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
|
||||
shouldSandboxCurrentProcess = true;
|
||||
}
|
||||
break;
|
||||
case GeckoProcessType_IPDLUnitTest:
|
||||
// XXX: We don't sandbox this process type yet
|
||||
|
@ -825,13 +826,11 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
|
|||
// shouldSandboxCurrentProcess = true;
|
||||
break;
|
||||
case GeckoProcessType_GMPlugin:
|
||||
#ifdef MOZ_SANDBOX
|
||||
if (!PR_GetEnv("MOZ_DISABLE_GMP_SANDBOX")) {
|
||||
mSandboxBroker.SetSecurityLevelForGMPlugin();
|
||||
cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
|
||||
shouldSandboxCurrentProcess = true;
|
||||
}
|
||||
#endif
|
||||
break;
|
||||
case GeckoProcessType_Default:
|
||||
default:
|
||||
|
@ -839,7 +838,6 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
|
|||
break;
|
||||
};
|
||||
|
||||
#ifdef MOZ_SANDBOX
|
||||
if (shouldSandboxCurrentProcess) {
|
||||
for (auto it = mAllowedFilesRead.begin();
|
||||
it != mAllowedFilesRead.end();
|
||||
|
@ -847,9 +845,7 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
|
|||
mSandboxBroker.AllowReadFile(it->c_str());
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif // XP_WIN
|
||||
#endif // XP_WIN && MOZ_SANDBOX
|
||||
|
||||
// Add the application directory path (-appdir path)
|
||||
AddAppDirToCommandLine(cmdLine);
|
||||
|
|
|
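Review bot: The result of `mSandboxBroker.SetSecurityLevelForPluginProcess()` in the new GeckoProcessType_Plugin branch is discarded, yet that function (see the sandboxBroker.cpp hunk) returns false when any policy call fails, so the child is then launched with `-sandbox` against a partially configured policy; check the return value and treat failure as a launch error rather than continuing — the existing GMP branch on the context lines has the same gap, and how PerformAsyncLaunchInternal reports failure is outside these hunks. With the outer guard now `#if defined(XP_WIN) && defined(MOZ_SANDBOX)`, the nested `#ifdef MOZ_SANDBOX` around the GMP case and around the `shouldSandboxCurrentProcess` block are redundant and could be dropped. The MOZ_DISABLE_NPAPI_SANDBOX opt-out is silent; a log line when the sandbox is skipped would make an unsandboxed plugin process visible in diagnostics.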
@ -123,11 +123,25 @@ SandboxBroker::SetSecurityLevelForPluginProcess()
|
|||
return false;
|
||||
}
|
||||
|
||||
auto result = mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
|
||||
auto result = mPolicy->SetJobLevel(sandbox::JOB_NONE,
|
||||
0 /* ui_exceptions */);
|
||||
bool ret = (sandbox::SBOX_ALL_OK == result);
|
||||
result = mPolicy->SetTokenLevel(sandbox::USER_UNPROTECTED,
|
||||
sandbox::USER_UNPROTECTED);
|
||||
|
||||
result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
|
||||
sandbox::USER_RESTRICTED_SAME_ACCESS);
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
|
||||
result = mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_MEDIUM);
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
|
||||
// Add the policy for the client side of a pipe. It is just a file
|
||||
// in the \pipe\ namespace. We restrict it to pipes that start with
|
||||
// "chrome." so the sandboxed process cannot connect to system services.
|
||||
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
|
||||
sandbox::TargetPolicy::FILES_ALLOW_ANY,
|
||||
L"\\??\\pipe\\chrome.*");
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
|
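Review bot: The new policy is deliberately permissive — JOB_NONE, a same-access restricted token, and a delayed integrity level of MEDIUM, which is the level an ordinary user process already runs at — but nothing in the function says so, and a later reader may take it for a hardened level. Add a comment above the SetJobLevel call stating the intent, e.g. `// Intentionally open sandbox for NPAPI plugins: no job object, same-access restricted token, medium integrity. Expected to be tightened incrementally.` Also, `ret` keeps accumulating after a failed call, so a later successful AddRule hides which step failed; logging the first failing step, or returning as soon as `ret` is false, would make policy-setup failures diagnosable from the caller. SetSecurityLevelForPluginProcess() begins before this hunk.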