authorwolfbeast <mcwerewolf@gmail.com>2018-05-02 21:58:04 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-05-02 21:58:04 +0200
commit755e1020782fb42863e97d58a3e44d2eca760bb0 (patch)
treea632ffe4c847b06e4109069b48f8081415e55772 /security/sandbox/win/src/sandboxbroker
parent04c8f8f8bc2d2dccb6675bd1ed9912f098e76739 (diff)
Remove content process sandbox code.
Diffstat (limited to 'security/sandbox/win/src/sandboxbroker')
-rw-r--r--security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp124
-rw-r--r--security/sandbox/win/src/sandboxbroker/sandboxBroker.h3
2 files changed, 0 insertions, 127 deletions
diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
index 10b796268..d3aab815f 100644
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -90,130 +90,6 @@ SandboxBroker::LaunchApp(const wchar_t *aPath,
return true;
}
-#if defined(MOZ_CONTENT_SANDBOX)
-void
-SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel)
-{
- MOZ_RELEASE_ASSERT(mPolicy, "mPolicy must be set before this call.");
-
- sandbox::JobLevel jobLevel;
- sandbox::TokenLevel accessTokenLevel;
- sandbox::IntegrityLevel initialIntegrityLevel;
- sandbox::IntegrityLevel delayedIntegrityLevel;
-
- // The setting of these levels is pretty arbitrary, but they are a useful (if
- // crude) tool while we are tightening the policy. Gaps are left to try and
- // avoid changing their meaning.
- MOZ_RELEASE_ASSERT(aSandboxLevel >= 1, "Should not be called with aSandboxLevel < 1");
- if (aSandboxLevel >= 20) {
- jobLevel = sandbox::JOB_LOCKDOWN;
- accessTokenLevel = sandbox::USER_LOCKDOWN;
- initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_UNTRUSTED;
- } else if (aSandboxLevel >= 10) {
- jobLevel = sandbox::JOB_RESTRICTED;
- accessTokenLevel = sandbox::USER_LIMITED;
- initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- } else if (aSandboxLevel >= 2) {
- jobLevel = sandbox::JOB_INTERACTIVE;
- accessTokenLevel = sandbox::USER_INTERACTIVE;
- initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- } else if (aSandboxLevel == 1) {
- jobLevel = sandbox::JOB_NONE;
- accessTokenLevel = sandbox::USER_NON_ADMIN;
- initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- }
-
- sandbox::ResultCode result = mPolicy->SetJobLevel(jobLevel,
- 0 /* ui_exceptions */);
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "Setting job level failed, have you set memory limit when jobLevel == JOB_NONE?");
-
- // If the delayed access token is not restricted we don't want the initial one
- // to be either, because it can interfere with running from a network drive.
- sandbox::TokenLevel initialAccessTokenLevel =
- (accessTokenLevel == sandbox::USER_UNPROTECTED ||
- accessTokenLevel == sandbox::USER_NON_ADMIN)
- ? sandbox::USER_UNPROTECTED : sandbox::USER_RESTRICTED_SAME_ACCESS;
-
- result = mPolicy->SetTokenLevel(initialAccessTokenLevel, accessTokenLevel);
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "Lockdown level cannot be USER_UNPROTECTED or USER_LAST if initial level was USER_RESTRICTED_SAME_ACCESS");
-
- result = mPolicy->SetIntegrityLevel(initialIntegrityLevel);
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "SetIntegrityLevel should never fail, what happened?");
- result = mPolicy->SetDelayedIntegrityLevel(delayedIntegrityLevel);
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "SetDelayedIntegrityLevel should never fail, what happened?");
-
- if (aSandboxLevel > 2) {
- result = mPolicy->SetAlternateDesktop(true);
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "Failed to create alternate desktop for sandbox.");
- }
-
- sandbox::MitigationFlags mitigations =
- sandbox::MITIGATION_BOTTOM_UP_ASLR |
- sandbox::MITIGATION_HEAP_TERMINATE |
- sandbox::MITIGATION_SEHOP |
- sandbox::MITIGATION_DEP_NO_ATL_THUNK |
- sandbox::MITIGATION_DEP;
-
- result = mPolicy->SetProcessMitigations(mitigations);
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "Invalid flags for SetProcessMitigations.");
-
- mitigations =
- sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
- sandbox::MITIGATION_DLL_SEARCH_ORDER;
-
- result = mPolicy->SetDelayedProcessMitigations(mitigations);
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "Invalid flags for SetDelayedProcessMitigations.");
-
- // Add the policy for the client side of a pipe. It is just a file
- // in the \pipe\ namespace. We restrict it to pipes that start with
- // "chrome." so the sandboxed process cannot connect to system services.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
- sandbox::TargetPolicy::FILES_ALLOW_ANY,
- L"\\??\\pipe\\chrome.*");
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "With these static arguments AddRule should never fail, what happened?");
-
- // Add the policy for the client side of the crash server pipe.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
- sandbox::TargetPolicy::FILES_ALLOW_ANY,
- L"\\??\\pipe\\gecko-crash-server-pipe.*");
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "With these static arguments AddRule should never fail, what happened?");
-
- // The content process needs to be able to duplicate named pipes back to the
- // broker process, which are File type handles.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
- sandbox::TargetPolicy::HANDLES_DUP_BROKER,
- L"File");
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "With these static arguments AddRule should never fail, what happened?");
-
- // The content process needs to be able to duplicate shared memory handles,
- // which are Section handles, to the broker process and other child processes.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
- sandbox::TargetPolicy::HANDLES_DUP_BROKER,
- L"Section");
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "With these static arguments AddRule should never fail, what happened?");
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
- sandbox::TargetPolicy::HANDLES_DUP_ANY,
- L"Section");
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "With these static arguments AddRule should never fail, what happened?");
-}
-#endif
-
#define SANDBOX_ENSURE_SUCCESS(result, message) \
do { \
MOZ_ASSERT(sandbox::SBOX_ALL_OK == result, message); \
diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
index 3f73ec890..7f1f1597f 100644
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
@@ -31,9 +31,6 @@ public:
virtual ~SandboxBroker();
// Security levels for different types of processes
-#if defined(MOZ_CONTENT_SANDBOX)
- void SetSecurityLevelForContentProcess(int32_t aSandboxLevel);
-#endif
bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel);
enum SandboxLevel {
LockDown,