diff options
Diffstat (limited to 'security/sandbox/win')
-rw-r--r-- | security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp | 124 | ||||
-rw-r--r-- | security/sandbox/win/src/sandboxbroker/sandboxBroker.h | 3 |
2 files changed, 0 insertions, 127 deletions
diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp index 10b796268..d3aab815f 100644 --- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp +++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp @@ -90,130 +90,6 @@ SandboxBroker::LaunchApp(const wchar_t *aPath, return true; } -#if defined(MOZ_CONTENT_SANDBOX) -void -SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel) -{ - MOZ_RELEASE_ASSERT(mPolicy, "mPolicy must be set before this call."); - - sandbox::JobLevel jobLevel; - sandbox::TokenLevel accessTokenLevel; - sandbox::IntegrityLevel initialIntegrityLevel; - sandbox::IntegrityLevel delayedIntegrityLevel; - - // The setting of these levels is pretty arbitrary, but they are a useful (if - // crude) tool while we are tightening the policy. Gaps are left to try and - // avoid changing their meaning. - MOZ_RELEASE_ASSERT(aSandboxLevel >= 1, "Should not be called with aSandboxLevel < 1"); - if (aSandboxLevel >= 20) { - jobLevel = sandbox::JOB_LOCKDOWN; - accessTokenLevel = sandbox::USER_LOCKDOWN; - initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_UNTRUSTED; - } else if (aSandboxLevel >= 10) { - jobLevel = sandbox::JOB_RESTRICTED; - accessTokenLevel = sandbox::USER_LIMITED; - initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - } else if (aSandboxLevel >= 2) { - jobLevel = sandbox::JOB_INTERACTIVE; - accessTokenLevel = sandbox::USER_INTERACTIVE; - initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - } else if (aSandboxLevel == 1) { - jobLevel = sandbox::JOB_NONE; - accessTokenLevel = sandbox::USER_NON_ADMIN; - initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - } - - sandbox::ResultCode result = mPolicy->SetJobLevel(jobLevel, - 0 /* ui_exceptions */); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "Setting job level failed, have you set memory limit when jobLevel == JOB_NONE?"); - - // If the delayed access token is not restricted we don't want the initial one - // to be either, because it can interfere with running from a network drive. - sandbox::TokenLevel initialAccessTokenLevel = - (accessTokenLevel == sandbox::USER_UNPROTECTED || - accessTokenLevel == sandbox::USER_NON_ADMIN) - ? sandbox::USER_UNPROTECTED : sandbox::USER_RESTRICTED_SAME_ACCESS; - - result = mPolicy->SetTokenLevel(initialAccessTokenLevel, accessTokenLevel); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "Lockdown level cannot be USER_UNPROTECTED or USER_LAST if initial level was USER_RESTRICTED_SAME_ACCESS"); - - result = mPolicy->SetIntegrityLevel(initialIntegrityLevel); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "SetIntegrityLevel should never fail, what happened?"); - result = mPolicy->SetDelayedIntegrityLevel(delayedIntegrityLevel); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "SetDelayedIntegrityLevel should never fail, what happened?"); - - if (aSandboxLevel > 2) { - result = mPolicy->SetAlternateDesktop(true); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "Failed to create alternate desktop for sandbox."); - } - - sandbox::MitigationFlags mitigations = - sandbox::MITIGATION_BOTTOM_UP_ASLR | - sandbox::MITIGATION_HEAP_TERMINATE | - sandbox::MITIGATION_SEHOP | - sandbox::MITIGATION_DEP_NO_ATL_THUNK | - sandbox::MITIGATION_DEP; - - result = mPolicy->SetProcessMitigations(mitigations); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "Invalid flags for SetProcessMitigations."); - - mitigations = - sandbox::MITIGATION_STRICT_HANDLE_CHECKS | - sandbox::MITIGATION_DLL_SEARCH_ORDER; - - result = mPolicy->SetDelayedProcessMitigations(mitigations); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "Invalid flags for SetDelayedProcessMitigations."); - - // Add the policy for the client side of a pipe. It is just a file - // in the \pipe\ namespace. We restrict it to pipes that start with - // "chrome." so the sandboxed process cannot connect to system services. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, - sandbox::TargetPolicy::FILES_ALLOW_ANY, - L"\\??\\pipe\\chrome.*"); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "With these static arguments AddRule should never fail, what happened?"); - - // Add the policy for the client side of the crash server pipe. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, - sandbox::TargetPolicy::FILES_ALLOW_ANY, - L"\\??\\pipe\\gecko-crash-server-pipe.*"); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "With these static arguments AddRule should never fail, what happened?"); - - // The content process needs to be able to duplicate named pipes back to the - // broker process, which are File type handles. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, - sandbox::TargetPolicy::HANDLES_DUP_BROKER, - L"File"); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "With these static arguments AddRule should never fail, what happened?"); - - // The content process needs to be able to duplicate shared memory handles, - // which are Section handles, to the broker process and other child processes. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, - sandbox::TargetPolicy::HANDLES_DUP_BROKER, - L"Section"); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "With these static arguments AddRule should never fail, what happened?"); - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, - sandbox::TargetPolicy::HANDLES_DUP_ANY, - L"Section"); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "With these static arguments AddRule should never fail, what happened?"); -} -#endif - #define SANDBOX_ENSURE_SUCCESS(result, message) \ do { \ MOZ_ASSERT(sandbox::SBOX_ALL_OK == result, message); \ diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h index 3f73ec890..7f1f1597f 100644 --- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h +++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h @@ -31,9 +31,6 @@ public: virtual ~SandboxBroker(); // Security levels for different types of processes -#if defined(MOZ_CONTENT_SANDBOX) - void SetSecurityLevelForContentProcess(int32_t aSandboxLevel); -#endif bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel); enum SandboxLevel { LockDown, |