Bug 1339105 Part 3: Move NPAPI windows process sandbox file rules into SandboxBroker. r=jimm

This also removes a rule that was added for sandboxing the Java plugin,
which we never did and we now only allow Flash anyway.

dom/plugins/ipc/PluginProcessParent.cpp

@@ -14,10 +14,6 @@
 #include "mozilla/Telemetry.h"
 #include "nsThreadUtils.h"
 
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
-#include "nsDirectoryServiceDefs.h"
-#endif
-
 using std::vector;
 using std::string;
 
@@ -56,82 +52,12 @@ PluginProcessParent::~PluginProcessParent()
 #endif
 }
 
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
-static void
-AddSandboxAllowedFile(vector<std::wstring>& aAllowedFiles, nsIProperties* aDirSvc,
-                      const char* aDir, const nsAString& aSuffix = EmptyString())
-{
-    nsCOMPtr<nsIFile> userDir;
-    nsresult rv = aDirSvc->Get(aDir, NS_GET_IID(nsIFile), getter_AddRefs(userDir));
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-        return;
-    }
-
-    nsAutoString userDirPath;
-    rv = userDir->GetPath(userDirPath);
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-        return;
-    }
-
-    if (!aSuffix.IsEmpty()) {
-        userDirPath.Append(aSuffix);
-    }
-    aAllowedFiles.push_back(std::wstring(userDirPath.get()));
-    return;
-}
-
-static void
-AddSandboxAllowedFiles(int32_t aSandboxLevel,
-                       vector<std::wstring>& aAllowedFilesRead,
-                       vector<std::wstring>& aAllowedFilesReadWrite,
-                       vector<std::wstring>& aAllowedDirectories)
-{
-    if (aSandboxLevel < 2) {
-        return;
-    }
-
-    nsresult rv;
-    nsCOMPtr<nsIProperties> dirSvc =
-        do_GetService(NS_DIRECTORY_SERVICE_CONTRACTID, &rv);
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-        return;
-    }
-
-    // Level 2 and above is now using low integrity, so we need to give write
-    // access to the Flash directories.
-    // This should be made Flash specific (Bug 1171396).
-    AddSandboxAllowedFile(aAllowedFilesReadWrite, dirSvc, NS_WIN_APPDATA_DIR,
-                          NS_LITERAL_STRING("\\Macromedia\\Flash Player\\*"));
-    AddSandboxAllowedFile(aAllowedFilesReadWrite, dirSvc, NS_WIN_LOCAL_APPDATA_DIR,
-                          NS_LITERAL_STRING("\\Macromedia\\Flash Player\\*"));
-    AddSandboxAllowedFile(aAllowedFilesReadWrite, dirSvc, NS_WIN_APPDATA_DIR,
-                          NS_LITERAL_STRING("\\Adobe\\Flash Player\\*"));
-
-    // Access also has to be given to create the parent directories as they may
-    // not exist.
-    AddSandboxAllowedFile(aAllowedDirectories, dirSvc, NS_WIN_APPDATA_DIR,
-                          NS_LITERAL_STRING("\\Macromedia"));
-    AddSandboxAllowedFile(aAllowedDirectories, dirSvc, NS_WIN_APPDATA_DIR,
-                          NS_LITERAL_STRING("\\Macromedia\\Flash Player"));
-    AddSandboxAllowedFile(aAllowedDirectories, dirSvc, NS_WIN_LOCAL_APPDATA_DIR,
-                          NS_LITERAL_STRING("\\Macromedia"));
-    AddSandboxAllowedFile(aAllowedDirectories, dirSvc, NS_WIN_LOCAL_APPDATA_DIR,
-                          NS_LITERAL_STRING("\\Macromedia\\Flash Player"));
-    AddSandboxAllowedFile(aAllowedDirectories, dirSvc, NS_WIN_APPDATA_DIR,
-                          NS_LITERAL_STRING("\\Adobe"));
-    AddSandboxAllowedFile(aAllowedDirectories, dirSvc, NS_WIN_APPDATA_DIR,
-                          NS_LITERAL_STRING("\\Adobe\\Flash Player"));
-}
-#endif
-
 bool
 PluginProcessParent::Launch(mozilla::UniquePtr<LaunchCompleteTask> aLaunchCompleteTask,
                             int32_t aSandboxLevel)
 {
 #if defined(XP_WIN) && defined(MOZ_SANDBOX)
     mSandboxLevel = aSandboxLevel;
-    AddSandboxAllowedFiles(mSandboxLevel, mAllowedFilesRead,
-                           mAllowedFilesReadWrite, mAllowedDirectories);
 #else
     if (aSandboxLevel != 0) {
         MOZ_ASSERT(false,

ipc/glue/GeckoChildProcessHost.cpp

@@ -1028,18 +1028,6 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
          ++it) {
       mSandboxBroker.AllowReadFile(it->c_str());
     }
-
-    for (auto it = mAllowedFilesReadWrite.begin();
-         it != mAllowedFilesReadWrite.end();
-         ++it) {
-      mSandboxBroker.AllowReadWriteFile(it->c_str());
-    }
-
-    for (auto it = mAllowedDirectories.begin();
-         it != mAllowedDirectories.end();
-         ++it) {
-      mSandboxBroker.AllowDirectory(it->c_str());
-    }
   }
 #endif // XP_WIN && MOZ_SANDBOX
 

ipc/glue/GeckoChildProcessHost.h

@@ -157,8 +157,6 @@ protected:
 #ifdef MOZ_SANDBOX
   SandboxBroker mSandboxBroker;
   std::vector<std::wstring> mAllowedFilesRead;
-  std::vector<std::wstring> mAllowedFilesReadWrite;
-  std::vector<std::wstring> mAllowedDirectories;
   bool mEnableSandboxLogging;
   int32_t mSandboxLevel;
 #endif

security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp

@@ -31,6 +31,8 @@ sandbox::BrokerServices *SandboxBroker::sBrokerService = nullptr;
 static UniquePtr<nsString> sBinDir;
 static UniquePtr<nsString> sProfileDir;
 static UniquePtr<nsString> sContentTempDir;
+static UniquePtr<nsString> sRoamingAppDataDir;
+static UniquePtr<nsString> sLocalAppDataDir;
 
 static LazyLogModule sSandboxBrokerLog("SandboxBroker");
 
@@ -86,6 +88,8 @@ SandboxBroker::CacheRulesDirectories()
   CacheDirAndAutoClear(dirSvc, NS_GRE_DIR, &sBinDir);
   CacheDirAndAutoClear(dirSvc, NS_APP_USER_PROFILE_50_DIR, &sProfileDir);
   CacheDirAndAutoClear(dirSvc, NS_APP_CONTENT_PROCESS_TEMP_DIR, &sContentTempDir);
+  CacheDirAndAutoClear(dirSvc, NS_WIN_APPDATA_DIR, &sRoamingAppDataDir);
+  CacheDirAndAutoClear(dirSvc, NS_WIN_LOCAL_APPDATA_DIR, &sLocalAppDataDir);
 }
 
 SandboxBroker::SandboxBroker()
@@ -565,6 +569,41 @@ SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel)
   SANDBOX_ENSURE_SUCCESS(result,
                          "Invalid flags for SetProcessMitigations.");
 
+  if (aSandboxLevel >= 2) {
+    // Level 2 and above uses low integrity, so we need to give write access to
+    // the Flash directories.
+    AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_ANY,
+                     sRoamingAppDataDir,
+                     NS_LITERAL_STRING("\\Macromedia\\Flash Player\\*"));
+    AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_ANY,
+                     sLocalAppDataDir,
+                     NS_LITERAL_STRING("\\Macromedia\\Flash Player\\*"));
+    AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_ANY,
+                     sRoamingAppDataDir,
+                     NS_LITERAL_STRING("\\Adobe\\Flash Player\\*"));
+
+    // Access also has to be given to create the parent directories as they may
+    // not exist.
+    AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY,
+                     sRoamingAppDataDir,
+                     NS_LITERAL_STRING("\\Macromedia"));
+    AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY,
+                     sRoamingAppDataDir,
+                     NS_LITERAL_STRING("\\Macromedia\\Flash Player"));
+    AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY,
+                     sLocalAppDataDir,
+                     NS_LITERAL_STRING("\\Macromedia"));
+    AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY,
+                     sLocalAppDataDir,
+                     NS_LITERAL_STRING("\\Macromedia\\Flash Player"));
+    AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY,
+                     sRoamingAppDataDir,
+                     NS_LITERAL_STRING("\\Adobe"));
+    AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY,
+                     sRoamingAppDataDir,
+                     NS_LITERAL_STRING("\\Adobe\\Flash Player"));
+  }
+
   // Add the policy for the client side of a pipe. It is just a file
   // in the \pipe\ namespace. We restrict it to pipes that start with
   // "chrome." so the sandboxed process cannot connect to system services.
@@ -596,13 +635,6 @@ SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel)
   SANDBOX_ENSURE_SUCCESS(result,
                          "With these static arguments AddRule should never fail, what happened?");
 
-  // The following is required for the Java plugin.
-  result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
-                            sandbox::TargetPolicy::FILES_ALLOW_ANY,
-                            L"\\??\\pipe\\jpi2_pid*_pipe*");
-  SANDBOX_ENSURE_SUCCESS(result,
-                         "With these static arguments AddRule should never fail, what happened?");
-
   // These register keys are used by the file-browser dialog box.  They
   // remember the most-recently-used folders.
   result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
@@ -798,45 +830,6 @@ SandboxBroker::AllowReadFile(wchar_t const *file)
   return true;
 }
 
-bool
-SandboxBroker::AllowReadWriteFile(wchar_t const *file)
-{
-  if (!mPolicy) {
-    return false;
-  }
-
-  auto result =
-    mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
-                     sandbox::TargetPolicy::FILES_ALLOW_ANY,
-                     file);
-  if (sandbox::SBOX_ALL_OK != result) {
-    LOG_E("Failed (ResultCode %d) to add read/write access to: %S",
-          result, file);
-    return false;
-  }
-
-  return true;
-}
-
-bool
-SandboxBroker::AllowDirectory(wchar_t const *dir)
-{
-  if (!mPolicy) {
-    return false;
-  }
-
-  auto result =
-    mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
-                     sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY,
-                     dir);
-  if (sandbox::SBOX_ALL_OK != result) {
-    LOG_E("Failed (ResultCode %d) to add directory access to: %S", result, dir);
-    return false;
-  }
-
-  return true;
-}
-
 bool
 SandboxBroker::AddTargetPeer(HANDLE aPeerProcess)
 {

security/sandbox/win/src/sandboxbroker/sandboxBroker.h

@@ -55,8 +55,6 @@ public:
 
   // File system permissions
   bool AllowReadFile(wchar_t const *file);
-  bool AllowReadWriteFile(wchar_t const *file);
-  bool AllowDirectory(wchar_t const *dir);
 
   // Exposes AddTargetPeer from broker services, so that none sandboxed
   // processes can be added as handle duplication targets.