Bug 1797769: For MSIX installs add the packageContents capability. r=handyman

This gives the LPAC access to our binary files to launch the child process.

Differential Revision: https://phabricator.services.mozilla.com/D192614
Bob Owen 2023-11-06 09:21:03 +00:00
parent 955f525b95
commit d38cab7dd8


@ -615,6 +615,12 @@ static void HexEncode(const Span<const uint8_t>& aBytes, nsACString& aEncoded) {
// reason and yet the LPAC permission is already granted. So returning success
// or failure isn't really that useful.
static void EnsureLpacPermsissionsOnBinDir() {
// For MSIX packages we get access through the packageContents capability and
// we probably won't have access to add the permission either way.
if (widget::WinUtils::HasPackageIdentity()) {
return;
}
BYTE sidBytes[SECURITY_MAX_SID_SIZE];
PSID lpacFirefoxInstallFilesSid = static_cast<PSID>(sidBytes);
if (!sBrokerService->DeriveCapabilitySidFromName(kLpacFirefoxInstallFiles,
@ -1484,6 +1490,11 @@ struct UtilityMfMediaEngineCdmSandboxProps : public UtilitySandboxProps {
kLpacFirefoxInstallFiles,
L"lpacDeviceAccess",
};
// For MSIX packages we need access to the package contents.
if (widget::WinUtils::HasPackageIdentity()) {
mNamedCapabilites.AppendElement(L"packageContents");
}
}
mUseWin32kLockdown = false;
mDelayedMitigations = sandbox::MITIGATION_DLL_SEARCH_ORDER;
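Review bot: The early return added to EnsureLpacPermsissionsOnBinDir applies to every packaged install, while the only place in this section that adds `packageContents` is the UtilityMfMediaEngineCdmSandboxProps constructor, so the two changes have to be kept in step by hand. If another LPAC configuration outside these hunks names kLpacFirefoxInstallFiles, it would presumably lose read access to the binaries under MSIX, and its child would fail to launch with nothing logged. I would tie the two together in the comment above the early return, e.g. `// Any LPAC sandbox that names kLpacFirefoxInstallFiles must also add packageContents when HasPackageIdentity() is true.` The comment in the second hunk could also state what `packageContents` lets the sandboxed process read, so a reviewer can compare it with the install-files capability it stands in for. Both function bodies continue outside the hunks shown.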