Bug 1137166: Change the Content moreStrict sandbox pref to an integer to indicate the level of sandboxing. r=tabraldes

browser/app/profile/firefox.js

@@ -1202,9 +1202,14 @@ pref("security.sandbox.windows.log", false);
 pref("dom.ipc.plugins.sandbox-level.default", 0);
 
 #if defined(MOZ_CONTENT_SANDBOX)
-// This controls whether the Windows content process sandbox is using a more
-// strict sandboxing policy.  This will require a restart.
-pref("security.sandbox.windows.content.moreStrict", false);
+// This controls the strength of the Windows content process sandbox for testing
+// purposes. This will require a restart.
+// On windows these levels are:
+// 0 - sandbox with USER_NON_ADMIN access token level
+// 1 - a more strict sandbox, which causes problems in specific areas
+// 2 - a policy that we can reasonably call an effective sandbox
+// 3 - an equivalent basic policy to the Chromium renderer processes
+pref("security.sandbox.content.level", 0);
 
 #if defined(MOZ_STACKWALKING)
 // This controls the depth of stack trace that is logged when Windows sandbox
@@ -1225,7 +1230,7 @@ pref("security.sandbox.windows.log.stackTraceDepth", 0);
 // This setting is read when the content process is started. On Mac the content
 // process is killed when all windows are closed, so a change will take effect
 // when the 1st window is opened.
-pref("security.sandbox.macos.content.level", 0);
+pref("security.sandbox.content.level", 0);
 #endif
 
 // This pref governs whether we attempt to work around problems caused by

dom/ipc/ContentChild.cpp

@@ -1065,8 +1065,10 @@ SetUpSandboxEnvironment()
 void
 ContentChild::CleanUpSandboxEnvironment()
 {
-    // Sandbox environment is only currently set up with the more strict sandbox.
-    if (!Preferences::GetBool("security.sandbox.windows.content.moreStrict")) {
+    // Sandbox environment is only currently a low integrity temp, which only
+    // makes sense for sandbox pref level 1 (and will eventually not be needed
+    // at all, once all file access is via chrome/broker process).
+    if (Preferences::GetInt("security.sandbox.content.level") != 1) {
         return;
     }
 
@@ -1207,7 +1209,10 @@ ContentChild::RecvSetProcessSandbox()
     SetContentProcessSandbox();
 #elif defined(XP_WIN)
     mozilla::SandboxTarget::Instance()->StartSandbox();
-    if (Preferences::GetBool("security.sandbox.windows.content.moreStrict")) {
+    // Sandbox environment is only currently a low integrity temp, which only
+    // makes sense for sandbox pref level 1 (and will eventually not be needed
+    // at all, once all file access is via chrome/broker process).
+    if (Preferences::GetInt("security.sandbox.content.level") == 1) {
         SetUpSandboxEnvironment();
     }
 #elif defined(XP_MACOSX)

ipc/glue/GeckoChildProcessHost.cpp

@@ -98,7 +98,6 @@ GeckoChildProcessHost::GeckoChildProcessHost(GeckoProcessType aProcessType,
 #if defined(MOZ_SANDBOX) && defined(XP_WIN)
     mEnableSandboxLogging(false),
     mSandboxLevel(0),
-    mMoreStrictSandbox(false),
 #endif
     mChildProcessHandle(0)
 #if defined(MOZ_WIDGET_COCOA)
@@ -271,8 +270,7 @@ GeckoChildProcessHost::PrepareLaunch()
 #if defined(MOZ_CONTENT_SANDBOX)
   // We need to get the pref here as the process is launched off main thread.
   if (mProcessType == GeckoProcessType_Content) {
-    mMoreStrictSandbox =
-      Preferences::GetBool("security.sandbox.windows.content.moreStrict");
+    mSandboxLevel = Preferences::GetInt("security.sandbox.content.level");
     mEnableSandboxLogging =
       Preferences::GetBool("security.sandbox.windows.log");
   }
@@ -809,7 +807,7 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
     case GeckoProcessType_Content:
 #if defined(MOZ_CONTENT_SANDBOX)
       if (!PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
-        mSandboxBroker.SetSecurityLevelForContentProcess(mMoreStrictSandbox);
+        mSandboxBroker.SetSecurityLevelForContentProcess(mSandboxLevel);
         cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
         shouldSandboxCurrentProcess = true;
       }

ipc/glue/GeckoChildProcessHost.h

@@ -174,7 +174,6 @@ protected:
   std::vector<std::wstring> mAllowedFilesReadWrite;
   bool mEnableSandboxLogging;
   int32_t mSandboxLevel;
-  bool mMoreStrictSandbox;
 #endif
 #endif // XP_WIN
 

security/sandbox/mac/Sandbox.mm

@@ -308,7 +308,7 @@ bool StartMacSandbox(MacSandboxInfo aInfo, nsCString &aErrorMessage)
   }
   else if (aInfo.type == MacSandboxType_Content) {
     profile.AppendPrintf(contentSandboxRules,
-                         Preferences::GetInt("security.sandbox.macos.content.level"),
+                         Preferences::GetInt("security.sandbox.content.level"),
                          nsCocoaFeatures::OSXVersionMajor(),
                          nsCocoaFeatures::OSXVersionMinor(),
                          aInfo.appPath.get(),

security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp

@@ -69,38 +69,58 @@ SandboxBroker::LaunchApp(const wchar_t *aPath,
 
 #if defined(MOZ_CONTENT_SANDBOX)
 bool
-SandboxBroker::SetSecurityLevelForContentProcess(bool aMoreStrict)
+SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel)
 {
   if (!mPolicy) {
     return false;
   }
 
-  sandbox::ResultCode result;
-  bool ret;
-  if (aMoreStrict) {
-    result = mPolicy->SetJobLevel(sandbox::JOB_INTERACTIVE, 0);
-    ret = (sandbox::SBOX_ALL_OK == result);
+  sandbox::JobLevel jobLevel;
+  sandbox::TokenLevel accessTokenLevel;
+  sandbox::IntegrityLevel initialIntegrityLevel;
+  sandbox::IntegrityLevel delayedIntegrityLevel;
 
-    result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
-                                    sandbox::USER_INTERACTIVE);
-    ret = ret && (sandbox::SBOX_ALL_OK == result);
-
-    // If the delayed integrity level is lowered then SetUpSandboxEnvironment and
-    // CleanUpSandboxEnvironment in ContentChild should be changed or removed.
-    result = mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
-    ret = ret && (sandbox::SBOX_ALL_OK == result);
-
-    result = mPolicy->SetAlternateDesktop(true);
-    ret = ret && (sandbox::SBOX_ALL_OK == result);
+  if (aSandboxLevel > 2) {
+    jobLevel = sandbox::JOB_LOCKDOWN;
+    accessTokenLevel = sandbox::USER_LOCKDOWN;
+    initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
+    delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_UNTRUSTED;
+  } else if (aSandboxLevel == 2) {
+    jobLevel = sandbox::JOB_RESTRICTED;
+    accessTokenLevel = sandbox::USER_LIMITED;
+    // Ideally we would have an initialIntegrityLevel of LOW here, but this
+    // immediately causes a problem with the way PBackground is initialized.
+    initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_MEDIUM;
+    delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
+  } else if (aSandboxLevel == 1) {
+    jobLevel = sandbox::JOB_INTERACTIVE;
+    accessTokenLevel = sandbox::USER_INTERACTIVE;
+    // INTEGRITY_LEVEL_LAST effectively means don't change from the integrity
+    // level of the broker process.
+    initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LAST;
+    delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
   } else {
-    result = mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
-    ret = (sandbox::SBOX_ALL_OK == result);
+    jobLevel = sandbox::JOB_NONE;
+    accessTokenLevel = sandbox::USER_NON_ADMIN;
+    initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LAST;
+    delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_MEDIUM;
+  }
 
-    result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
-                                    sandbox::USER_NON_ADMIN);
-    ret = ret && (sandbox::SBOX_ALL_OK == result);
+  sandbox::ResultCode result = mPolicy->SetJobLevel(jobLevel,
+                                                    0 /* ui_exceptions */);
+  bool ret = (sandbox::SBOX_ALL_OK == result);
 
-    result = mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_MEDIUM);
+  result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
+                                  accessTokenLevel);
+  ret = ret && (sandbox::SBOX_ALL_OK == result);
+
+  result = mPolicy->SetIntegrityLevel(initialIntegrityLevel);
+  ret = ret && (sandbox::SBOX_ALL_OK == result);
+  result = mPolicy->SetDelayedIntegrityLevel(delayedIntegrityLevel);
+  ret = ret && (sandbox::SBOX_ALL_OK == result);
+
+  if (aSandboxLevel > 0) {
+    result = mPolicy->SetAlternateDesktop(true);
     ret = ret && (sandbox::SBOX_ALL_OK == result);
   }
 

security/sandbox/win/src/sandboxbroker/sandboxBroker.h

@@ -34,7 +34,7 @@ public:
 
   // Security levels for different types of processes
 #if defined(MOZ_CONTENT_SANDBOX)
-  bool SetSecurityLevelForContentProcess(bool aMoreStrict);
+  bool SetSecurityLevelForContentProcess(int32_t aSandboxLevel);
 #endif
   bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel);
   bool SetSecurityLevelForIPDLUnitTestProcess();

testing/mochitest/runtests.py

@@ -1341,8 +1341,7 @@ class Mochitest(MochitestUtilsMixin):
             "browser.tabs.remote.autostart=%s" %
             ('true' if options.e10s else 'false'))
         if options.strictContentSandbox:
-            options.extraPrefs.append(
-                "security.sandbox.windows.content.moreStrict=true")
+            options.extraPrefs.append("security.sandbox.content.level=1")
         options.extraPrefs.append(
             "dom.ipc.tabs.nested.enabled=%s" %
             ('true' if options.nested_oop else 'false'))