Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2025-04-02 12:32:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1788233: Remove PermissionsService from process Windows sandboxing code. r=handyman

Browse Source 
Depends on D156069

Differential Revision: https://phabricator.services.mozilla.com/D156087
This commit is contained in:
Bob Owen 2022-09-07 09:42:04 +00:00
parent 692f8a5532
commit 3d2f6719a8
17 changed files with 15 additions and 750 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
browser/app/nsBrowserApp.cpp
View File

@ -209,14 +209,11 @@ static int do_main(int argc, char* argv[], char* envp[]) {
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
sandbox::BrokerServices* brokerServices =
sandboxing::GetInitializedBrokerServices();
sandboxing::PermissionsService* permissionsService =
sandboxing::GetPermissionsService();
if (!brokerServices) {
Output("Couldn't initialize the broker services.\n");
return 255;
}
config.sandboxBrokerServices = brokerServices;
config.sandboxPermissionsService = permissionsService;
#endif
#ifdef LIBFUZZER

158
security/sandbox/chromium-shim/patches/after_update/allow_flash_temporary_files.patch
View File

@ -1,158 +0,0 @@
# HG changeset patch
# User David Parks <dparks@mozilla.com>
# Date 1488233752 28800
# Mon Feb 27 14:15:52 2017 -0800
# Node ID 58cf9c0f78b7b229b6b3ba70b64b9719b30b3d48
# Parent 139c07a8ef8157027b3054d77fe3b5ff2c119081
Permit sandboxed processes to access Flash temporary files. r=bobowen
Allows the creation/use of temp files when the user has already green-lit
the use of a file for write purposes in that folder.
Originally landed in changeset:
https://hg.mozilla.org/mozilla-central/rev/0f64b24c40c4
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
+++ b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
@@ -213,16 +213,25 @@ bool FilesystemDispatcher::NtQueryAttrib
params[FileName::BROKER] = ParamPickerMake(broker);
// To evaluate the policy we need to call back to the policy object. We
// are just middlemen in the operation since is the FileSystemPolicy which
// knows what to do.
EvalResult result =
policy_base_->EvalPolicy(IpcTag::NTQUERYATTRIBUTESFILE, params.GetBase());
+ // If the policies forbid access (any result other than ASK_BROKER),
+ // then check for user-granted access to file.
+ if (ASK_BROKER != result &&
+ mozilla::sandboxing::PermissionsService::GetInstance()->
+ UserGrantedFileAccess(ipc->client_info->process_id, filename,
+ 0, 0)) {
+ result = ASK_BROKER;
+ }
+
FILE_BASIC_INFORMATION* information =
reinterpret_cast<FILE_BASIC_INFORMATION*>(info->Buffer());
NTSTATUS nt_status;
if (!FileSystemPolicy::QueryAttributesFileAction(result, *ipc->client_info,
*name, attributes,
information, &nt_status)) {
ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
return true;
@@ -253,16 +262,25 @@ bool FilesystemDispatcher::NtQueryFullAt
params[FileName::BROKER] = ParamPickerMake(broker);
// To evaluate the policy we need to call back to the policy object. We
// are just middlemen in the operation since is the FileSystemPolicy which
// knows what to do.
EvalResult result = policy_base_->EvalPolicy(
IpcTag::NTQUERYFULLATTRIBUTESFILE, params.GetBase());
+ // If the policies forbid access (any result other than ASK_BROKER),
+ // then check for user-granted access to file.
+ if (ASK_BROKER != result &&
+ mozilla::sandboxing::PermissionsService::GetInstance()->
+ UserGrantedFileAccess(ipc->client_info->process_id, filename,
+ 0, 0)) {
+ result = ASK_BROKER;
+ }
+
FILE_NETWORK_OPEN_INFORMATION* information =
reinterpret_cast<FILE_NETWORK_OPEN_INFORMATION*>(info->Buffer());
NTSTATUS nt_status;
if (!FileSystemPolicy::QueryFullAttributesFileAction(
result, *ipc->client_info, *name, attributes, information,
&nt_status)) {
ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
return true;
@@ -306,16 +324,26 @@ bool FilesystemDispatcher::NtSetInformat
params[FileName::BROKER] = ParamPickerMake(broker);
// To evaluate the policy we need to call back to the policy object. We
// are just middlemen in the operation since is the FileSystemPolicy which
// knows what to do.
EvalResult result =
policy_base_->EvalPolicy(IpcTag::NTSETINFO_RENAME, params.GetBase());
+ // If the policies forbid access (any result other than ASK_BROKER),
+ // then check for user-granted write access to file. We only permit
+ // the FileRenameInformation action.
+ if (ASK_BROKER != result && info_class == FileRenameInformation &&
+ mozilla::sandboxing::PermissionsService::GetInstance()->
+ UserGrantedFileAccess(ipc->client_info->process_id, filename,
+ FILE_WRITE_ATTRIBUTES, 0)) {
+ result = ASK_BROKER;
+ }
+
IO_STATUS_BLOCK* io_status =
reinterpret_cast<IO_STATUS_BLOCK*>(status->Buffer());
NTSTATUS nt_status;
if (!FileSystemPolicy::SetInformationFileAction(
result, *ipc->client_info, handle, rename_info, length, info_class,
io_status, &nt_status)) {
ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
return true;
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
@@ -227,19 +227,16 @@ TargetNtQueryAttributesFile(NtQueryAttri
sizeof(FILE_BASIC_INFORMATION));
uint32_t broker = BROKER_FALSE;
CountedParameterSet<FileName> params;
const wchar_t* name_ptr = name.get();
params[FileName::NAME] = ParamPickerMake(name_ptr);
params[FileName::BROKER] = ParamPickerMake(broker);
- if (!QueryBroker(IpcTag::NTQUERYATTRIBUTESFILE, params.GetBase()))
- break;
-
SharedMemIPCClient ipc(memory);
CrossCallReturn answer = {0};
ResultCode code = CrossCall(ipc, IpcTag::NTQUERYATTRIBUTESFILE, name.get(),
attributes, file_info, &answer);
if (SBOX_ALL_OK != code)
break;
@@ -292,19 +289,16 @@ NTSTATUS WINAPI TargetNtQueryFullAttribu
sizeof(FILE_NETWORK_OPEN_INFORMATION));
uint32_t broker = BROKER_FALSE;
CountedParameterSet<FileName> params;
const wchar_t* name_ptr = name.get();
params[FileName::NAME] = ParamPickerMake(name_ptr);
params[FileName::BROKER] = ParamPickerMake(broker);
- if (!QueryBroker(IpcTag::NTQUERYFULLATTRIBUTESFILE, params.GetBase()))
- break;
-
SharedMemIPCClient ipc(memory);
CrossCallReturn answer = {0};
ResultCode code = CrossCall(ipc, IpcTag::NTQUERYFULLATTRIBUTESFILE,
name.get(), attributes, file_info, &answer);
if (SBOX_ALL_OK != code)
break;
@@ -374,19 +368,16 @@ TargetNtSetInformationFile(NtSetInformat
break;
uint32_t broker = BROKER_FALSE;
CountedParameterSet<FileName> params;
const wchar_t* name_ptr = name.get();
params[FileName::NAME] = ParamPickerMake(name_ptr);
params[FileName::BROKER] = ParamPickerMake(broker);
- if (!QueryBroker(IpcTag::NTSETINFO_RENAME, params.GetBase()))
- break;
-
InOutCountedBuffer io_status_buffer(io_status, sizeof(IO_STATUS_BLOCK));
// This is actually not an InOut buffer, only In, but using InOut facility
// really helps to simplify the code.
InOutCountedBuffer file_info_buffer(file_info, length);
SharedMemIPCClient ipc(memory);
CrossCallReturn answer = {0};
ResultCode code =

132
security/sandbox/chromium-shim/patches/after_update/consult_PermissionsService_for_file_access.patch
View File

@ -1,132 +0,0 @@
# HG changeset patch
# User David Parks <dparks@mozilla.com>
# Date 1484929677 28800
# Fri Jan 20 08:27:57 2017 -0800
# Node ID d6a40d4bae2bdce74539e2606d0ead89c091a089
# Parent b14dffc51edda918dbaadf2ece96d0ecdd9f6f25
Add mechanism to libsandbox_s to track names of files that have been given special sandbox access permissions (PermissionsService). r=bobowen
Hook this into the browser via the XREAppData. This patch contains only the changes to Chromium source code.
Originally landed in changeset:
https://hg.mozilla.org/mozilla-central/rev/6ecd19d25822
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
+++ b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
@@ -12,16 +12,18 @@
#include "sandbox/win/src/interception.h"
#include "sandbox/win/src/interceptors.h"
#include "sandbox/win/src/ipc_tags.h"
#include "sandbox/win/src/policy_broker.h"
#include "sandbox/win/src/policy_params.h"
#include "sandbox/win/src/sandbox.h"
#include "sandbox/win/src/sandbox_nt_util.h"
+#include "mozilla/sandboxing/permissionsService.h"
+
namespace sandbox {
FilesystemDispatcher::FilesystemDispatcher(PolicyBase* policy_base)
: policy_base_(policy_base) {
static const IPCCall create_params = {
{IpcTag::NTCREATEFILE,
{WCHAR_TYPE, UINT32_TYPE, UINT32_TYPE, UINT32_TYPE, UINT32_TYPE,
UINT32_TYPE, UINT32_TYPE}},
@@ -105,16 +107,26 @@ bool FilesystemDispatcher::NtCreateFile(
params[OpenFile::OPTIONS] = ParamPickerMake(create_options);
params[OpenFile::BROKER] = ParamPickerMake(broker);
// To evaluate the policy we need to call back to the policy object. We
// are just middlemen in the operation since is the FileSystemPolicy which
// knows what to do.
EvalResult result =
policy_base_->EvalPolicy(IpcTag::NTCREATEFILE, params.GetBase());
+
+ // If the policies forbid access (any result other than ASK_BROKER),
+ // then check for user-granted access to file.
+ if (ASK_BROKER != result &&
+ mozilla::sandboxing::PermissionsService::GetInstance()->
+ UserGrantedFileAccess(ipc->client_info->process_id, filename,
+ desired_access, create_disposition)) {
+ result = ASK_BROKER;
+ }
+
HANDLE handle;
ULONG_PTR io_information = 0;
NTSTATUS nt_status;
if (!FileSystemPolicy::CreateFileAction(
result, *ipc->client_info, *name, attributes, desired_access,
file_attributes, share_access, create_disposition, create_options,
&handle, &nt_status, &io_information)) {
ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
@@ -150,16 +162,26 @@ bool FilesystemDispatcher::NtOpenFile(IP
params[OpenFile::OPTIONS] = ParamPickerMake(open_options);
params[OpenFile::BROKER] = ParamPickerMake(broker);
// To evaluate the policy we need to call back to the policy object. We
// are just middlemen in the operation since is the FileSystemPolicy which
// knows what to do.
EvalResult result =
policy_base_->EvalPolicy(IpcTag::NTOPENFILE, params.GetBase());
+
+ // If the policies forbid access (any result other than ASK_BROKER),
+ // then check for user-granted access to file.
+ if (ASK_BROKER != result &&
+ mozilla::sandboxing::PermissionsService::GetInstance()->UserGrantedFileAccess(
+ ipc->client_info->process_id, filename,
+ desired_access, create_disposition)) {
+ result = ASK_BROKER;
+ }
+
HANDLE handle;
ULONG_PTR io_information = 0;
NTSTATUS nt_status;
if (!FileSystemPolicy::OpenFileAction(
result, *ipc->client_info, *name, attributes, desired_access,
share_access, open_options, &handle, &nt_status, &io_information)) {
ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
return true;
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
+++ b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
@@ -75,19 +75,16 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre
CountedParameterSet<OpenFile> params;
const wchar_t* name_ptr = name.get();
params[OpenFile::NAME] = ParamPickerMake(name_ptr);
params[OpenFile::ACCESS] = ParamPickerMake(desired_access_uint32);
params[OpenFile::DISPOSITION] = ParamPickerMake(disposition_uint32);
params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32);
params[OpenFile::BROKER] = ParamPickerMake(broker);
- if (!QueryBroker(IpcTag::NTCREATEFILE, params.GetBase()))
- break;
-
SharedMemIPCClient ipc(memory);
CrossCallReturn answer = {0};
// The following call must match in the parameters with
// FilesystemDispatcher::ProcessNtCreateFile.
ResultCode code =
CrossCall(ipc, IpcTag::NTCREATEFILE, name.get(), attributes,
desired_access_uint32, file_attributes, sharing, disposition,
options_uint32, &answer);
@@ -160,19 +157,16 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF
const wchar_t* name_ptr = name.get();
CountedParameterSet<OpenFile> params;
params[OpenFile::NAME] = ParamPickerMake(name_ptr);
params[OpenFile::ACCESS] = ParamPickerMake(desired_access_uint32);
params[OpenFile::DISPOSITION] = ParamPickerMake(disposition_uint32);
params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32);
params[OpenFile::BROKER] = ParamPickerMake(broker);
- if (!QueryBroker(IpcTag::NTOPENFILE, params.GetBase()))
- break;
-
SharedMemIPCClient ipc(memory);
CrossCallReturn answer = {0};
ResultCode code =
CrossCall(ipc, IpcTag::NTOPENFILE, name.get(), attributes,
desired_access_uint32, sharing, options_uint32, &answer);
if (SBOX_ALL_OK != code)
break;

2
security/sandbox/chromium-shim/patches/after_update/patch_order.txt
View File

@ -1,8 +1,6 @@
add_interception_logging.patch
allow_rules_for_network_drive_and_non_file_devices.patch
add_WOW64_flags_to_allowed_registry_read_flags.patch
consult_PermissionsService_for_file_access.patch
allow_flash_temporary_files.patch
arm64_set_LoaderThreads.patch
change_to_DCHECK_in_CloseHandleWrapper.patch
move_shared_memory_duplication_after_initialization.patch

181
security/sandbox/chromium-shim/sandbox/win/permissionsService.cpp
View File

@ -1,181 +0,0 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* SandboxPermissions.cpp - Special permissions granted to sandboxed processes */
#include "permissionsService.h"
#include <algorithm>
#include <string>
#include <winternl.h>
namespace mozilla {
namespace sandboxing {
static const std::wstring ZONE_IDENTIFIER_STR(L":ZONE.IDENTIFIER");
static const std::wstring ZONE_ID_DATA_STR(L":ZONE.IDENTIFIER:$DATA");
// Generic name we use for all Flash temp files.
static const std::wstring FLASH_TEMP_FILENAME(L"FLASHTMP0.TMP");
bool
StringEndsWith(const std::wstring& str, const std::wstring& strEnding)
{
if (strEnding.size() > str.size()) {
return false;
}
return std::equal(strEnding.rbegin(), strEnding.rend(), str.rbegin());
}
// Returns true if aFilename describes a Flash temp file. If aFolder is
// non-null then it is filled with the name of the folder containing
// the file (with trailing slash).
bool
IsFlashTempFile(std::wstring aFilename, std::wstring* aFolder=nullptr)
{
// Assume its a flash file if the base name begins with "FlashTmp",
// ends with ".tmp" and has an int in-between them.
size_t slashIdx = aFilename.find_last_of(L'\\');
if (slashIdx != std::wstring::npos) {
if (aFolder) {
*aFolder = aFilename.substr(0, slashIdx + 1);
}
aFilename = aFilename.substr(slashIdx + 1);
} else {
*aFolder = L"\\";
}
if (aFilename.compare(0, 8, L"FLASHTMP") != 0) {
return false;
}
int idx = 8;
int len = aFilename.length();
while (idx < len && isdigit(aFilename[idx])) {
++idx;
}
return (len-idx == 4) && aFilename.compare(idx, 4, L".TMP") == 0;
}
// Converts NT device internal filenames to normal user-space by stripping
// the prefixes and suffixes from the file name. Returns containing
// folder (with trailing slash) in aFolder if non-null.
std::wstring
GetPlainFileName(const wchar_t* aNTFileName, std::wstring* aFolder=nullptr)
{
while (*aNTFileName == L'\\' || *aNTFileName == L'.' ||
*aNTFileName == L'?' || *aNTFileName == L':' ) {
++aNTFileName;
}
std::wstring nameCopy(aNTFileName);
std::transform(nameCopy.begin(), nameCopy.end(), nameCopy.begin(), towupper);
if (StringEndsWith(nameCopy, ZONE_ID_DATA_STR)) {
nameCopy = nameCopy.substr(0, nameCopy.size() - ZONE_ID_DATA_STR.size());
} else if (StringEndsWith(nameCopy, ZONE_IDENTIFIER_STR)) {
nameCopy = nameCopy.substr(0, nameCopy.size() - ZONE_IDENTIFIER_STR.size());
}
if (IsFlashTempFile(nameCopy, aFolder) && aFolder) {
return *aFolder + FLASH_TEMP_FILENAME;
}
return nameCopy;
}
/* static */
PermissionsService* PermissionsService::GetInstance() {
static PermissionsService sPermissionsService;
return &sPermissionsService;
}
PermissionsService::PermissionsService() :
mFileAccessViolationFunc(nullptr)
{
}
void
PermissionsService::GrantFileAccess(uint32_t aProcessId,
const wchar_t* aFilename,
bool aPermitWrite)
{
FilePermissionMap& permissions = mProcessFilePermissions[aProcessId];
std::wstring containingFolder;
std::wstring filename = GetPlainFileName(aFilename, &containingFolder);
permissions[filename] |= aPermitWrite;
if (aPermitWrite) {
// Also grant write permission to FLASH_TEMP_FILENAME in the same folder.
permissions[containingFolder + FLASH_TEMP_FILENAME] = true;
}
}
void
PermissionsService::SetFileAccessViolationFunc(FileAccessViolationFunc aFavFunc)
{
mFileAccessViolationFunc = aFavFunc;
}
void
PermissionsService::ReportBlockedFile(bool aNeedsWrite)
{
if (mFileAccessViolationFunc) {
mFileAccessViolationFunc(aNeedsWrite);
}
}
bool
PermissionsService::UserGrantedFileAccess(uint32_t aProcessId,
const wchar_t* aFilename,
uint32_t aAccess,
uint32_t aDisposition)
{
// There are 3 types of permissions:
// * Those available w/ read-only permission
// * Those available w/ read-only AND read-write permission
// * Those always forbidden.
const uint32_t FORBIDDEN_FLAGS =
FILE_EXECUTE | FILE_LIST_DIRECTORY | FILE_TRAVERSE | STANDARD_RIGHTS_EXECUTE;
const uint32_t NEEDS_WRITE_FLAGS =
FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | FILE_APPEND_DATA |
DELETE | STANDARD_RIGHTS_WRITE;
bool needsWrite =
(aAccess & NEEDS_WRITE_FLAGS) || (aDisposition != FILE_OPEN);
if (aAccess & FORBIDDEN_FLAGS) {
ReportBlockedFile(needsWrite);
return false;
}
auto permissions = mProcessFilePermissions.find(aProcessId);
if (permissions == mProcessFilePermissions.end()) {
ReportBlockedFile(needsWrite);
return false; // process has no special file access at all
}
std::wstring filename = GetPlainFileName(aFilename);
auto itPermission = permissions->second.find(filename);
if (itPermission == permissions->second.end()) {
ReportBlockedFile(needsWrite);
return false; // process has no access to this file
}
// We have read permission. Check for write permission if requested.
if (!needsWrite || itPermission->second) {
return true;
}
// We needed write access but didn't have it.
ReportBlockedFile(needsWrite);
return false;
}
void
PermissionsService::RemovePermissionsForProcess(uint32_t aProcessId)
{
mProcessFilePermissions.erase(aProcessId);
}
} // namespace sandboxing
} // namespace mozilla

78
security/sandbox/chromium-shim/sandbox/win/permissionsService.h
View File

@ -1,78 +0,0 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef mozilla_sandboxing_permissionsService_h
#define mozilla_sandboxing_permissionsService_h
#include <unordered_map>
namespace mozilla {
namespace sandboxing {
/*
* Represents additional permissions granted to sandboxed processes.
* The members are virtual so that the object can be created in any
* library that links with libsandbox_s and then shared with and used
* by libXUL, which does not link with libsandbox_s.
*/
class PermissionsService
{
public:
static PermissionsService* GetInstance();
/*
* Allow future access to aFilename by the plugin process.
*/
virtual void GrantFileAccess(uint32_t aProcessId, const wchar_t* aFilename,
bool aPermitWrite);
/*
* Type of callback function that the sandbox uses to report file
* accesses that were denied.
* Parameter is a boolean indicating the access request was read-only
* (false) or read-write (true)
*/
typedef void (*FileAccessViolationFunc)(bool);
/*
* Sets the callback function that is called whenever a file access is
* denied by the sandbox.
*/
virtual void SetFileAccessViolationFunc(FileAccessViolationFunc aFavFunc);
/*
* Returns true if the user has granted the sandboxed plugin process the
* requested permission to open the file.
* Calls aFavFunc with file info if the file access was blocked.
*/
virtual bool UserGrantedFileAccess(uint32_t aProcessId, const wchar_t* aFilename,
uint32_t aAccess, uint32_t aDisposition);
/*
* Clears all special file access for the given plugin process.
*/
virtual void RemovePermissionsForProcess(uint32_t aProcessId);
private:
PermissionsService();
void ReportBlockedFile(bool aNeedsWrite);
// Maps from filenames to a boolean indicating read-only permission (false) or
// read-write permission (true).
typedef std::unordered_map<std::wstring, bool> FilePermissionMap;
// Maps from process ID to map of user-granted file permissions for
// that process.
typedef std::unordered_map<uint32_t, FilePermissionMap> ProcessFilePermissionMap;
ProcessFilePermissionMap mProcessFilePermissions;
FileAccessViolationFunc mFileAccessViolationFunc;
};
} // namespace sandboxing
} // namespace mozilla
#endif // mozilla_sandboxing_permissionsService_h

50
security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
View File

@ -17,8 +17,6 @@
#include "sandbox/win/src/sandbox.h"
#include "sandbox/win/src/sandbox_nt_util.h"
#include "mozilla/sandboxing/permissionsService.h"
namespace sandbox {
FilesystemDispatcher::FilesystemDispatcher(PolicyBase* policy_base)
@ -111,16 +109,6 @@ bool FilesystemDispatcher::NtCreateFile(IPCInfo* ipc,
// knows what to do.
EvalResult result =
policy_base_->EvalPolicy(IpcTag::NTCREATEFILE, params.GetBase());
// If the policies forbid access (any result other than ASK_BROKER),
// then check for user-granted access to file.
if (ASK_BROKER != result &&
mozilla::sandboxing::PermissionsService::GetInstance()->
UserGrantedFileAccess(ipc->client_info->process_id, filename,
desired_access, create_disposition)) {
result = ASK_BROKER;
}
HANDLE handle;
ULONG_PTR io_information = 0;
NTSTATUS nt_status;
@ -165,16 +153,6 @@ bool FilesystemDispatcher::NtOpenFile(IPCInfo* ipc,
// knows what to do.
EvalResult result =
policy_base_->EvalPolicy(IpcTag::NTOPENFILE, params.GetBase());
// If the policies forbid access (any result other than ASK_BROKER),
// then check for user-granted access to file.
if (ASK_BROKER != result &&
mozilla::sandboxing::PermissionsService::GetInstance()->UserGrantedFileAccess(
ipc->client_info->process_id, filename,
desired_access, create_disposition)) {
result = ASK_BROKER;
}
HANDLE handle;
ULONG_PTR io_information = 0;
NTSTATUS nt_status;
@ -215,15 +193,6 @@ bool FilesystemDispatcher::NtQueryAttributesFile(IPCInfo* ipc,
EvalResult result =
policy_base_->EvalPolicy(IpcTag::NTQUERYATTRIBUTESFILE, params.GetBase());
// If the policies forbid access (any result other than ASK_BROKER),
// then check for user-granted access to file.
if (ASK_BROKER != result &&
mozilla::sandboxing::PermissionsService::GetInstance()->
UserGrantedFileAccess(ipc->client_info->process_id, filename,
0, 0)) {
result = ASK_BROKER;
}
FILE_BASIC_INFORMATION* information =
reinterpret_cast<FILE_BASIC_INFORMATION*>(info->Buffer());
NTSTATUS nt_status;
@ -263,15 +232,6 @@ bool FilesystemDispatcher::NtQueryFullAttributesFile(IPCInfo* ipc,
EvalResult result = policy_base_->EvalPolicy(
IpcTag::NTQUERYFULLATTRIBUTESFILE, params.GetBase());
// If the policies forbid access (any result other than ASK_BROKER),
// then check for user-granted access to file.
if (ASK_BROKER != result &&
mozilla::sandboxing::PermissionsService::GetInstance()->
UserGrantedFileAccess(ipc->client_info->process_id, filename,
0, 0)) {
result = ASK_BROKER;
}
FILE_NETWORK_OPEN_INFORMATION* information =
reinterpret_cast<FILE_NETWORK_OPEN_INFORMATION*>(info->Buffer());
NTSTATUS nt_status;
@ -324,16 +284,6 @@ bool FilesystemDispatcher::NtSetInformationFile(IPCInfo* ipc,
EvalResult result =
policy_base_->EvalPolicy(IpcTag::NTSETINFO_RENAME, params.GetBase());
// If the policies forbid access (any result other than ASK_BROKER),
// then check for user-granted write access to file. We only permit
// the FileRenameInformation action.
if (ASK_BROKER != result && info_class == FileRenameInformation &&
mozilla::sandboxing::PermissionsService::GetInstance()->
UserGrantedFileAccess(ipc->client_info->process_id, filename,
FILE_WRITE_ATTRIBUTES, 0)) {
result = ASK_BROKER;
}
IO_STATUS_BLOCK* io_status =
reinterpret_cast<IO_STATUS_BLOCK*>(status->Buffer());
NTSTATUS nt_status;

15
security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
View File

@ -80,6 +80,9 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCreateFileFunction orig_CreateFile,
params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32);
params[OpenFile::BROKER] = ParamPickerMake(broker);
if (!QueryBroker(IpcTag::NTCREATEFILE, params.GetBase()))
break;
SharedMemIPCClient ipc(memory);
CrossCallReturn answer = {0};
// The following call must match in the parameters with
@ -162,6 +165,9 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenFileFunction orig_OpenFile,
params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32);
params[OpenFile::BROKER] = ParamPickerMake(broker);
if (!QueryBroker(IpcTag::NTOPENFILE, params.GetBase()))
break;
SharedMemIPCClient ipc(memory);
CrossCallReturn answer = {0};
ResultCode code =
@ -232,6 +238,9 @@ TargetNtQueryAttributesFile(NtQueryAttributesFileFunction orig_QueryAttributes,
params[FileName::NAME] = ParamPickerMake(name_ptr);
params[FileName::BROKER] = ParamPickerMake(broker);
if (!QueryBroker(IpcTag::NTQUERYATTRIBUTESFILE, params.GetBase()))
break;
SharedMemIPCClient ipc(memory);
CrossCallReturn answer = {0};
ResultCode code = CrossCall(ipc, IpcTag::NTQUERYATTRIBUTESFILE, name.get(),
@ -294,6 +303,9 @@ NTSTATUS WINAPI TargetNtQueryFullAttributesFile(
params[FileName::NAME] = ParamPickerMake(name_ptr);
params[FileName::BROKER] = ParamPickerMake(broker);
if (!QueryBroker(IpcTag::NTQUERYFULLATTRIBUTESFILE, params.GetBase()))
break;
SharedMemIPCClient ipc(memory);
CrossCallReturn answer = {0};
ResultCode code = CrossCall(ipc, IpcTag::NTQUERYFULLATTRIBUTESFILE,
@ -373,6 +385,9 @@ TargetNtSetInformationFile(NtSetInformationFileFunction orig_SetInformationFile,
params[FileName::NAME] = ParamPickerMake(name_ptr);
params[FileName::BROKER] = ParamPickerMake(broker);
if (!QueryBroker(IpcTag::NTSETINFO_RENAME, params.GetBase()))
break;
InOutCountedBuffer io_status_buffer(io_status, sizeof(IO_STATUS_BLOCK));
// This is actually not an InOut buffer, only In, but using InOut facility
// really helps to simplify the code.

3
security/sandbox/moz.build
View File

@ -28,14 +28,12 @@ elif CONFIG["OS_ARCH"] == "WINNT":
DIRS += [
"win/src/remotesandboxbroker",
"win/src/sandboxbroker",
"win/src/sandboxpermissions",
"win/src/sandboxtarget",
]
EXPORTS.mozilla.sandboxing += [
"chromium-shim/sandbox/win/loggingCallbacks.h",
"chromium-shim/sandbox/win/loggingTypes.h",
"chromium-shim/sandbox/win/permissionsService.h",
"chromium-shim/sandbox/win/sandboxLogging.h",
"win/SandboxInitialization.h",
]
@ -47,7 +45,6 @@ elif CONFIG["OS_ARCH"] == "WINNT":
"chromium-shim/base/logging.cpp",
"chromium-shim/base/process/memory_win.cpp",
"chromium-shim/base/win/win_util.cpp",
"chromium-shim/sandbox/win/permissionsService.cpp",
"chromium-shim/sandbox/win/sandboxLogging.cpp",
"chromium-shim/sandbox/win/src/line_break_dispatcher.cc",
"chromium-shim/sandbox/win/src/line_break_interception.cc",

5
security/sandbox/win/SandboxInitialization.cpp
View File

@ -11,7 +11,6 @@
#include "sandbox/win/src/process_mitigations.h"
#include "sandbox/win/src/sandbox_factory.h"
#include "mozilla/DebugOnly.h"
#include "mozilla/sandboxing/permissionsService.h"
#include "mozilla/WindowsProcessMitigations.h"
namespace mozilla {
@ -191,10 +190,6 @@ sandbox::BrokerServices* GetInitializedBrokerServices() {
return sInitializedBrokerServices;
}
PermissionsService* GetPermissionsService() {
return PermissionsService::GetInstance();
}
void ApplyParentProcessMitigations() {
// The main reason for this call is for the token hardening, but chromium code
// also ensures DEP without ATL thunk so we do the same.

4
security/sandbox/win/SandboxInitialization.h
View File

@ -21,8 +21,6 @@ namespace mozilla {
// sandbox for our namespace painful.
namespace sandboxing {
class PermissionsService;
/**
* Initializes (if required) and returns the Chromium sandbox TargetServices.
*
@ -43,8 +41,6 @@ void LowerSandbox();
*/
sandbox::BrokerServices* GetInitializedBrokerServices();
PermissionsService* GetPermissionsService();
/**
* Apply mitigations for parent processes.
*/

22
security/sandbox/win/src/sandboxpermissions/moz.build
View File

@ -1,22 +0,0 @@
# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
# vim: set filetype=python:
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
SOURCES += [
"sandboxPermissions.cpp",
]
EXPORTS += [
"sandboxPermissions.h",
]
for var in ("UNICODE", "_UNICODE"):
DEFINES[var] = True
LOCAL_INCLUDES += [
"/security/sandbox/win",
]
FINAL_LIBRARY = "xul"

37
security/sandbox/win/src/sandboxpermissions/sandboxPermissions.cpp
View File

@ -1,37 +0,0 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "sandboxPermissions.h"
#include "mozilla/Assertions.h"
#include "mozilla/sandboxing/permissionsService.h"
namespace mozilla {
sandboxing::PermissionsService* SandboxPermissions::sPermissionsService =
nullptr;
void SandboxPermissions::Initialize(
sandboxing::PermissionsService* aPermissionsService,
FileAccessViolationFunc aFileAccessViolationFunc) {
sPermissionsService = aPermissionsService;
sPermissionsService->SetFileAccessViolationFunc(aFileAccessViolationFunc);
}
void SandboxPermissions::GrantFileAccess(uint32_t aProcessId,
const wchar_t* aFilename,
bool aPermitWrite) {
MOZ_ASSERT(sPermissionsService, "Must initialize sandbox PermissionsService");
sPermissionsService->GrantFileAccess(aProcessId, aFilename, aPermitWrite);
}
void SandboxPermissions::RemovePermissionsForProcess(uint32_t aProcessId) {
if (!sPermissionsService) {
return; // No permissions service was initialized
}
sPermissionsService->RemovePermissionsForProcess(aProcessId);
}
} // namespace mozilla

56
security/sandbox/win/src/sandboxpermissions/sandboxPermissions.h
View File

@ -1,56 +0,0 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef mozilla_sandboxing_sandboxPermissions_h
#define mozilla_sandboxing_sandboxPermissions_h
#include <stdint.h>
#include <windows.h>
namespace mozilla {
namespace sandboxing {
class PermissionsService;
}
/*
* This object wraps a PermissionsService object. This object is available
* in libXUL but PermissionsService is not.
*/
class SandboxPermissions {
public:
/*
* Type of callback function that the sandbox uses to report file
* accesses that were denied.
* Parameter is a boolean indicating the access request was read-only
* (false) or read-write (true)
*/
typedef void (*FileAccessViolationFunc)(bool);
/*
* Prepare this object by providing it with the internal permissions service.
*/
static void Initialize(sandboxing::PermissionsService* aPermissionsService,
FileAccessViolationFunc aFileAccessViolationFunc);
/*
* Allow future access to aFilename by the process with the given ID.
*/
void GrantFileAccess(uint32_t aProcessId, const wchar_t* aFilename,
bool aPermitWrite);
/*
* Clears all special file access for the given process.
*/
void RemovePermissionsForProcess(uint32_t aProcessId);
private:
static sandboxing::PermissionsService* sPermissionsService;
};
} // namespace mozilla
#endif // mozilla_sandboxing_sandboxPermissions_h

7
toolkit/xre/Bootstrap.h
View File

@ -42,17 +42,10 @@ namespace mozilla {
struct StaticXREAppData;
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
namespace sandboxing {
class PermissionsService;
}
#endif
struct BootstrapConfig {
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
/* Chromium sandbox BrokerServices. */
sandbox::BrokerServices* sandboxBrokerServices;
sandboxing::PermissionsService* sandboxPermissionsService;
#endif
/* Pointer to static XRE AppData from application.ini.h */
const StaticXREAppData* appData;

6
toolkit/xre/nsAppRunner.cpp
View File

@ -236,7 +236,6 @@
# include "mozilla/SandboxInfo.h"
# elif defined(XP_WIN)
# include "sandboxBroker.h"
# include "sandboxPermissions.h"
# endif
#endif
@ -4239,10 +4238,6 @@ int XREMain::XRE_mainInit(bool* aExitFlag) {
"Failed to initialize broker services, sandboxed processes will "
"fail to start.");
}
if (mAppData->sandboxPermissionsService) {
SandboxPermissions::Initialize(mAppData->sandboxPermissionsService,
nullptr);
}
#endif
#ifdef XP_MACOSX
@ -5867,7 +5862,6 @@ int XREMain::XRE_main(int argc, char* argv[], const BootstrapConfig& aConfig) {
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
mAppData->sandboxBrokerServices = aConfig.sandboxBrokerServices;
mAppData->sandboxPermissionsService = aConfig.sandboxPermissionsService;
#endif
// Once we unset the exception handler, we lose the ability to properly

6
xpcom/build/XREAppData.h
View File

@ -19,11 +19,6 @@
namespace sandbox {
class BrokerServices;
}
namespace mozilla {
namespace sandboxing {
class PermissionsService;
}
} // namespace mozilla
#endif
namespace mozilla {
@ -189,7 +184,6 @@ class XREAppData {
* Chromium sandbox BrokerServices.
*/
sandbox::BrokerServices* sandboxBrokerServices = nullptr;
mozilla::sandboxing::PermissionsService* sandboxPermissionsService;
#endif
// Returns a name suitable for DBUS services.