bug 1027906. Set delayed token level for GMP plugin processes to USER_RESTRICTED. Whitelist certain files and registry keys that are required for EME plugins to successfully load. r=bobowen. r=jesup. r=bent.
This commit is contained in:
parent
2fd2b1c2de
commit
ba6539ecd7
@ -9,6 +9,12 @@
|
||||
#include "base/string_util.h"
|
||||
#include "base/process_util.h"
|
||||
|
||||
#ifdef XP_WIN
|
||||
#include <codecvt>
|
||||
#endif
|
||||
|
||||
#include <string>
|
||||
|
||||
using std::vector;
|
||||
using std::string;
|
||||
|
||||
@ -43,6 +49,13 @@ GMPProcessParent::Launch(int32_t aTimeoutMs)
|
||||
{
|
||||
vector<string> args;
|
||||
args.push_back(mGMPPath);
|
||||
|
||||
#ifdef XP_WIN
|
||||
std::wstring_convert<std::codecvt_utf8<wchar_t>> converter;
|
||||
std::wstring wGMPPath = converter.from_bytes(mGMPPath.c_str());
|
||||
mAllowedFilesRead.push_back(wGMPPath + L"\\*");
|
||||
#endif
|
||||
|
||||
return SyncLaunch(args, aTimeoutMs, base::GetCurrentProcessArchitecture());
|
||||
}
|
||||
|
||||
|
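Review bot: `mAllowedFilesRead.push_back(wGMPPath + L"\\*")` is guarded only by `#ifdef XP_WIN`, but the member is declared under `#ifdef MOZ_SANDBOX` nested inside the XP_WIN block in the header hunk (`@ -168,6 +168,7 @@`), so a Windows build without MOZ_SANDBOX would fail to compile unless MOZ_SANDBOX is unconditionally defined there; `#if defined(XP_WIN) && defined(MOZ_SANDBOX)` on this guard (and on the `<codecvt>` include guard in the first hunk) would make the two sides agree. Separately, `std::codecvt_utf8<wchar_t>` converts UTF-8 to UCS-2 when `wchar_t` is 16 bits, so a path containing characters outside the BMP would not convert, and `from_bytes` reports failure by throwing `std::range_error`, which nothing in `Launch` catches. A path that comes from the profile directory makes this unlikely, but either a comment stating that assumption or `std::codecvt_utf8_utf16<wchar_t>` would be worth adding.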
@ -794,7 +794,16 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
|
||||
MOZ_CRASH("Bad process type in GeckoChildProcessHost");
|
||||
break;
|
||||
};
|
||||
#endif
|
||||
|
||||
if (shouldSandboxCurrentProcess) {
|
||||
for (auto it = mAllowedFilesRead.begin();
|
||||
it != mAllowedFilesRead.end();
|
||||
++it) {
|
||||
mSandboxBroker.AllowReadFile(it->c_str());
|
||||
}
|
||||
}
|
||||
|
||||
#endif // XP_WIN
|
||||
|
||||
// Add the application directory path (-appdir path)
|
||||
AddAppDirToCommandLine(cmdLine);
|
||||
|
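Review bot: The return value of `mSandboxBroker.AllowReadFile(it->c_str())` is discarded, so a rule the sandbox policy rejects presumably leaves the child unable to read the files it was meant to see, with no diagnostic; the function returns bool precisely to report that (see `SandboxBroker::AllowReadFile` in the SandboxBroker.cpp hunk). Failing closed is the right default, but the loop should at least record it, e.g. `if (!mSandboxBroker.AllowReadFile(it->c_str())) { NS_WARNING("AllowReadFile failed"); }`, assuming a warning macro is in scope in this file. `PerformAsyncLaunchInternal` begins and continues outside the hunk.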
@ -168,6 +168,7 @@ protected:
|
||||
|
||||
#ifdef MOZ_SANDBOX
|
||||
SandboxBroker mSandboxBroker;
|
||||
std::vector<std::wstring> mAllowedFilesRead;
|
||||
#endif
|
||||
#endif // XP_WIN
|
||||
|
||||
|
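Review bot: `mAllowedFilesRead` has no comment saying what it holds or who consumes it, and this header is where callers such as `GMPProcessParent::Launch` will look. From the visible hunks it is a list of wide-character file patterns (the GMP side pushes `mGMPPath` plus `\*`) that `PerformAsyncLaunchInternal` turns into read-only sandbox rules before the child is launched; a line such as `// Paths/patterns granted read-only access in the child's sandbox policy; applied by PerformAsyncLaunchInternal before launch.` above the declaration would capture that. The class body continues outside the hunk.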
@ -67,12 +67,18 @@ SandboxBroker::SetSecurityLevelForContentProcess()
|
||||
return false;
|
||||
}
|
||||
|
||||
mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
|
||||
mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
|
||||
sandbox::USER_RESTRICTED_SAME_ACCESS);
|
||||
mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
|
||||
mPolicy->SetAlternateDesktop(true);
|
||||
return true;
|
||||
auto result = mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
|
||||
bool ret = (sandbox::SBOX_ALL_OK == result);
|
||||
result =
|
||||
mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
|
||||
sandbox::USER_RESTRICTED_SAME_ACCESS);
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
result =
|
||||
mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
result = mPolicy->SetAlternateDesktop(true);
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
return ret;
|
||||
}
|
||||
|
||||
bool
|
||||
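Review bot: The `result = …; ret = ret && (sandbox::SBOX_ALL_OK == result);` pair is repeated after every policy call here and in the `SetSecurityLevelForPluginProcess`, `SetSecurityLevelForIPDLUnitTestProcess` and `SetSecurityLevelForGMPlugin` hunks, and the shape obscures the one property a reader has to verify: every call still runs after an earlier failure (it does, because each call is its own statement) while the caller only learns that some call failed, not which. Folding each pair into one line, e.g. `ret &= (sandbox::SBOX_ALL_OK == mPolicy->SetJobLevel(sandbox::JOB_NONE, 0));`, keeps every call executing and halves the lines. If continuing after a failure is intended, a one-line comment saying so at the top of each function would stop a future maintainer from "fixing" it into an early return that leaves the policy half-configured.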
@ -82,10 +88,12 @@ SandboxBroker::SetSecurityLevelForPluginProcess()
|
||||
return false;
|
||||
}
|
||||
|
||||
mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
|
||||
mPolicy->SetTokenLevel(sandbox::USER_UNPROTECTED,
|
||||
sandbox::USER_UNPROTECTED);
|
||||
return true;
|
||||
auto result = mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
|
||||
bool ret = (sandbox::SBOX_ALL_OK == result);
|
||||
result = mPolicy->SetTokenLevel(sandbox::USER_UNPROTECTED,
|
||||
sandbox::USER_UNPROTECTED);
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
return ret;
|
||||
}
|
||||
|
||||
bool
|
||||
@ -95,10 +103,13 @@ SandboxBroker::SetSecurityLevelForIPDLUnitTestProcess()
|
||||
return false;
|
||||
}
|
||||
|
||||
mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
|
||||
mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
|
||||
sandbox::USER_RESTRICTED_SAME_ACCESS);
|
||||
return true;
|
||||
auto result = mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
|
||||
bool ret = (sandbox::SBOX_ALL_OK == result);
|
||||
result =
|
||||
mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
|
||||
sandbox::USER_RESTRICTED_SAME_ACCESS);
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
return ret;
|
||||
}
|
||||
|
||||
bool
|
||||
@ -108,14 +119,129 @@ SandboxBroker::SetSecurityLevelForGMPlugin()
|
||||
return false;
|
||||
}
|
||||
|
||||
mPolicy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0);
|
||||
mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
|
||||
sandbox::USER_RESTRICTED_SAME_ACCESS);
|
||||
mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
|
||||
mPolicy->SetAlternateDesktop(true);
|
||||
return true;
|
||||
auto result = mPolicy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0);
|
||||
bool ret = (sandbox::SBOX_ALL_OK == result);
|
||||
result =
|
||||
mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
|
||||
sandbox::USER_RESTRICTED);
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
|
||||
result = mPolicy->SetAlternateDesktop(true);
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
|
||||
// We can't use an alternate desktop/window station AND initially
|
||||
// set the process to low integrity. Upstream changes have been
|
||||
// made to allow this and we should uncomment this section once
|
||||
// we've rolled forward.
|
||||
// result =
|
||||
// mPolicy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
|
||||
// ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
|
||||
result =
|
||||
mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
|
||||
// Add the policy for the client side of a pipe. It is just a file
|
||||
// in the \pipe\ namespace. We restrict it to pipes that start with
|
||||
// "chrome." so the sandboxed process cannot connect to system services.
|
||||
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
|
||||
sandbox::TargetPolicy::FILES_ALLOW_ANY,
|
||||
L"\\??\\pipe\\chrome.*");
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
|
||||
#ifdef DEBUG
|
||||
// The plugin process can't create named events, but we'll
|
||||
// make an exception for the events used in logging. Removing
|
||||
// this will break EME in debug builds.
|
||||
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_SYNC,
|
||||
sandbox::TargetPolicy::EVENTS_ALLOW_ANY,
|
||||
L"ChromeIPCLog.*");
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
#endif
|
||||
|
||||
// The following rules were added because, during analysis of an EME
|
||||
// plugin during development, these registry keys were accessed when
|
||||
// loading the plugin. Commenting out these policy exceptions caused
|
||||
// plugin loading to fail, so they are necessary for proper functioning
|
||||
// of at least one EME plugin.
|
||||
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
|
||||
sandbox::TargetPolicy::REG_ALLOW_READONLY,
|
||||
L"HKEY_CURRENT_USER");
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
|
||||
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
|
||||
sandbox::TargetPolicy::REG_ALLOW_READONLY,
|
||||
L"HKEY_CURRENT_USER\\Control Panel\\Desktop");
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
|
||||
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
|
||||
sandbox::TargetPolicy::REG_ALLOW_READONLY,
|
||||
L"HKEY_CURRENT_USER\\Control Panel\\Desktop\\LanguageConfiguration");
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
|
||||
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
|
||||
sandbox::TargetPolicy::REG_ALLOW_READONLY,
|
||||
L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide");
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
|
||||
|
||||
// The following rules were added because, during analysis of an EME
|
||||
// plugin during development, these registry keys were accessed when
|
||||
// loading the plugin. Commenting out these policy exceptions did not
|
||||
// cause anything to break during initial testing, but might cause
|
||||
// unforeseen issues down the road.
|
||||
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
|
||||
sandbox::TargetPolicy::REG_ALLOW_READONLY,
|
||||
L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MUI\\Settings");
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
|
||||
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
|
||||
sandbox::TargetPolicy::REG_ALLOW_READONLY,
|
||||
L"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Control Panel\\Desktop");
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
|
||||
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
|
||||
sandbox::TargetPolicy::REG_ALLOW_READONLY,
|
||||
L"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages");
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
|
||||
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
|
||||
sandbox::TargetPolicy::REG_ALLOW_READONLY,
|
||||
L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest");
|
||||
ret = ret && (sandbox::SBOX_ALL_OK == result);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
bool
|
||||
SandboxBroker::AllowReadFile(wchar_t const *file)
|
||||
{
|
||||
auto result =
|
||||
mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
|
||||
sandbox::TargetPolicy::FILES_ALLOW_READONLY,
|
||||
file);
|
||||
return (sandbox::SBOX_ALL_OK == result);
|
||||
}
|
||||
|
||||
bool
|
||||
SandboxBroker::AllowReadWriteFile(wchar_t const *file)
|
||||
{
|
||||
auto result =
|
||||
mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
|
||||
sandbox::TargetPolicy::FILES_ALLOW_ANY,
|
||||
file);
|
||||
return (sandbox::SBOX_ALL_OK == result);
|
||||
}
|
||||
|
||||
bool
|
||||
SandboxBroker::AllowDirectory(wchar_t const *dir)
|
||||
{
|
||||
auto result =
|
||||
mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
|
||||
sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY,
|
||||
dir);
|
||||
return (sandbox::SBOX_ALL_OK == result);
|
||||
}
|
||||
|
||||
SandboxBroker::~SandboxBroker()
|
||||
{
|
||||
|
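Review bot: The second group of registry rules (`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MUI\Settings` through `…\SideBySide\PreferExternalManifest`) is added under a comment saying that removing them did not break anything in testing, which means the GMP policy is being widened with no demonstrated need; least privilege argues for leaving them out until a failure shows they are required, or at minimum tracking them with a follow-up bug so they are reassessed rather than frozen in. The rule `L"HKEY_CURRENT_USER"` carries no wildcard, and the comment does not say whether the sandbox matches that pattern as the hive root handle only or as every key beneath it; the difference is large, and a comment stating the intended scope would make the allow-list auditable. `SetDelayedIntegrityLevel` moves from `INTEGRITY_LEVEL_LOW` to `INTEGRITY_LEVEL_UNTRUSTED`, a tightening the commit message does not mention, so a short comment on that line would help the next reader. Finally, `AllowReadWriteFile` and `AllowDirectory` grant `FILES_ALLOW_ANY`/`FILES_ALLOW_DIR_ANY` but nothing visible in this commit calls them, so they land as unused policy-widening surface; if they are for a follow-up, a comment saying so would explain why they are added now.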
@ -35,6 +35,11 @@ public:
|
||||
bool SetSecurityLevelForIPDLUnitTestProcess();
|
||||
bool SetSecurityLevelForGMPlugin();
|
||||
|
||||
// File system permissions
|
||||
bool AllowReadFile(wchar_t const *file);
|
||||
bool AllowReadWriteFile(wchar_t const *file);
|
||||
bool AllowDirectory(wchar_t const *dir);
|
||||
|
||||
private:
|
||||
static sandbox::BrokerServices *sBrokerService;
|
||||
sandbox::TargetPolicy *mPolicy;
|
||||
|
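Review bot: The three new `Allow*` declarations only carry the group comment `// File system permissions`, which leaves the return value and the argument form undocumented; from the .cpp hunk each returns true only when `mPolicy->AddRule` reports `SBOX_ALL_OK`, and the GMP caller passes a pattern ending in `\*`. A comment on each, e.g. `// Adds a read-only file rule for |file| (may contain the sandbox's wildcard); returns false if the policy rejected it.` with the read/write and directory equivalents on the other two, would tell callers they must check the result. The class body continues outside the hunk.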