Bug 1250125: Make a 0 security.sandbox.content.level turn off the content process sandbox. r=TimAbraldes

This also fixes a bug where we weren't setting parts of the policy correctly for levels 3 to 9.

MozReview-Commit-ID: IXsg2nGOqoa

--HG--
extra : rebase_source : 65c76a581dcd498c7d7d5b01e4f4e140acdb244f

ipc/glue/GeckoChildProcessHost.cpp

@@ -987,7 +987,8 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
   switch (mProcessType) {
     case GeckoProcessType_Content:
 #if defined(MOZ_CONTENT_SANDBOX)
-      if (!PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
+      if (mSandboxLevel > 0 &&
+          !PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
         mSandboxBroker.SetSecurityLevelForContentProcess(mSandboxLevel);
         cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
         shouldSandboxCurrentProcess = true;

security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp

@@ -111,7 +111,7 @@ SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel)
     accessTokenLevel = sandbox::USER_LIMITED;
     initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
     delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
-  } else if (aSandboxLevel == 2) {
+  } else if (aSandboxLevel >= 2) {
     jobLevel = sandbox::JOB_INTERACTIVE;
     accessTokenLevel = sandbox::USER_INTERACTIVE;
     initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
@@ -122,10 +122,8 @@ SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel)
     initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
     delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
   } else {
-    jobLevel = sandbox::JOB_NONE;
-    accessTokenLevel = sandbox::USER_NON_ADMIN;
-    initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_MEDIUM;
-    delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_MEDIUM;
+    MOZ_ASSERT_UNREACHABLE("Should not be called with aSandboxLevel < 1");
+    return false;
   }
 
   sandbox::ResultCode result = mPolicy->SetJobLevel(jobLevel,
@@ -146,24 +144,22 @@ SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel)
     ret = ret && (sandbox::SBOX_ALL_OK == result);
   }
 
-  if (aSandboxLevel >= 1) {
-    sandbox::MitigationFlags mitigations =
-      sandbox::MITIGATION_BOTTOM_UP_ASLR |
-      sandbox::MITIGATION_HEAP_TERMINATE |
-      sandbox::MITIGATION_SEHOP |
-      sandbox::MITIGATION_DEP_NO_ATL_THUNK |
-      sandbox::MITIGATION_DEP;
+  sandbox::MitigationFlags mitigations =
+    sandbox::MITIGATION_BOTTOM_UP_ASLR |
+    sandbox::MITIGATION_HEAP_TERMINATE |
+    sandbox::MITIGATION_SEHOP |
+    sandbox::MITIGATION_DEP_NO_ATL_THUNK |
+    sandbox::MITIGATION_DEP;
 
-    result = mPolicy->SetProcessMitigations(mitigations);
-    ret = ret && (sandbox::SBOX_ALL_OK == result);
+  result = mPolicy->SetProcessMitigations(mitigations);
+  ret = ret && (sandbox::SBOX_ALL_OK == result);
 
-    mitigations =
-      sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
-      sandbox::MITIGATION_DLL_SEARCH_ORDER;
+  mitigations =
+    sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
+    sandbox::MITIGATION_DLL_SEARCH_ORDER;
 
-    result = mPolicy->SetDelayedProcessMitigations(mitigations);
-    ret = ret && (sandbox::SBOX_ALL_OK == result);
-  }
+  result = mPolicy->SetDelayedProcessMitigations(mitigations);
+  ret = ret && (sandbox::SBOX_ALL_OK == result);
 
   // Add the policy for the client side of a pipe. It is just a file
   // in the \pipe\ namespace. We restrict it to pipes that start with