1# HG changeset patch
2# User David Parks <dparks@mozilla.com>
3# Date 1484929677 28800
4# Fri Jan 20 08:27:57 2017 -0800
5# Node ID d6a40d4bae2bdce74539e2606d0ead89c091a089
6# Parent b14dffc51edda918dbaadf2ece96d0ecdd9f6f25
7Add mechanism to libsandbox_s to track names of files that have been given special sandbox access permissions (PermissionsService). r=bobowen
8
9Hook this into the browser via the XREAppData. This patch contains only the changes to Chromium source code.
10
11Originally landed in changeset:
12https://hg.mozilla.org/mozilla-central/rev/6ecd19d25822
13
14diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
15--- a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
16+++ b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
17@@ -12,16 +12,18 @@
18 #include "sandbox/win/src/interception.h"
19 #include "sandbox/win/src/interceptors.h"
20 #include "sandbox/win/src/ipc_tags.h"
21 #include "sandbox/win/src/policy_broker.h"
22 #include "sandbox/win/src/policy_params.h"
23 #include "sandbox/win/src/sandbox.h"
24 #include "sandbox/win/src/sandbox_nt_util.h"
25
26+#include "mozilla/sandboxing/permissionsService.h"
27+
28 namespace sandbox {
29
30 FilesystemDispatcher::FilesystemDispatcher(PolicyBase* policy_base)
31 : policy_base_(policy_base) {
32 static const IPCCall create_params = {
33 {IPC_NTCREATEFILE_TAG,
34 {WCHAR_TYPE,
35 UINT32_TYPE,
36@@ -110,16 +112,26 @@ bool FilesystemDispatcher::NtCreateFile(
37 params[OpenFile::OPTIONS] = ParamPickerMake(create_options);
38 params[OpenFile::BROKER] = ParamPickerMake(broker);
39
40 // To evaluate the policy we need to call back to the policy object. We
41 // are just middlemen in the operation since is the FileSystemPolicy which
42 // knows what to do.
43 EvalResult result =
44 policy_base_->EvalPolicy(IPC_NTCREATEFILE_TAG, params.GetBase());
45+
46+ // If the policies forbid access (any result other than ASK_BROKER),
47+ // then check for user-granted access to file.
48+ if (ASK_BROKER != result &&
49+ mozilla::sandboxing::PermissionsService::GetInstance()->
50+ UserGrantedFileAccess(ipc->client_info->process_id, filename,
51+ desired_access, create_disposition)) {
52+ result = ASK_BROKER;
53+ }
54+
55 HANDLE handle;
56 ULONG_PTR io_information = 0;
57 NTSTATUS nt_status;
58 if (!FileSystemPolicy::CreateFileAction(
59 result, *ipc->client_info, *name, attributes, desired_access,
60 file_attributes, share_access, create_disposition, create_options,
61 &handle, &nt_status, &io_information)) {
62 ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
63@@ -157,16 +169,26 @@ bool FilesystemDispatcher::NtOpenFile(IP
64 params[OpenFile::OPTIONS] = ParamPickerMake(open_options);
65 params[OpenFile::BROKER] = ParamPickerMake(broker);
66
67 // To evaluate the policy we need to call back to the policy object. We
68 // are just middlemen in the operation since is the FileSystemPolicy which
69 // knows what to do.
70 EvalResult result =
71 policy_base_->EvalPolicy(IPC_NTOPENFILE_TAG, params.GetBase());
72+
73+ // If the policies forbid access (any result other than ASK_BROKER),
74+ // then check for user-granted access to file.
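Review bot: The check added at lines 48–53 upgrades every verdict other than ASK_BROKER, so a user grant overrides an explicit deny rule in the sandbox policy as well as the absence of any rule, and the comment at lines 46–47 does not say that; the NtOpenFile hunk below adds the same block. The grant is matched on `filename`, which is derived before the hunk (NtCreateFile starts above line 37), so whether the PermissionsService compares against the same canonicalised path the policy evaluated is not visible here, and that is the property that keeps a grant from matching more than the one path the user picked. I would reword the comment to `// A user grant takes precedence over every policy verdict, including an explicit deny; CreateFileAction below still decides the outcome, so the grant only widens what the broker is asked to do.` and move the duplicated block into one static helper called from both dispatchers, which also removes the differing line breaks between the two copies.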
75+ if (ASK_BROKER != result &&
76+ mozilla::sandboxing::PermissionsService::GetInstance()->UserGrantedFileAccess(
77+ ipc->client_info->process_id, filename,
78+ desired_access, create_disposition)) {
79+ result = ASK_BROKER;
80+ }
81+
82 HANDLE handle;
83 ULONG_PTR io_information = 0;
84 NTSTATUS nt_status;
85 if (!FileSystemPolicy::OpenFileAction(
86 result, *ipc->client_info, *name, attributes, desired_access,
87 share_access, open_options, &handle, &nt_status, &io_information)) {
88 ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
89 return true;
90diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
91--- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
92+++ b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
93@@ -70,19 +70,16 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre
94 CountedParameterSet<OpenFile> params;
95 const wchar_t* name_ptr = name.get();
96 params[OpenFile::NAME] = ParamPickerMake(name_ptr);
97 params[OpenFile::ACCESS] = ParamPickerMake(desired_access_uint32);
98 params[OpenFile::DISPOSITION] = ParamPickerMake(disposition_uint32);
99 params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32);
100 params[OpenFile::BROKER] = ParamPickerMake(broker);
101
102- if (!QueryBroker(IPC_NTCREATEFILE_TAG, params.GetBase()))
103- break;
104-
105 SharedMemIPCClient ipc(memory);
106 CrossCallReturn answer = {0};
107 // The following call must match in the parameters with
108 // FilesystemDispatcher::ProcessNtCreateFile.
109 ResultCode code =
110 CrossCall(ipc, IPC_NTCREATEFILE_TAG, name.get(), attributes,
111 desired_access_uint32, file_attributes, sharing, disposition,
112 options_uint32, &answer);
113@@ -154,19 +151,16 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF
114 CountedParameterSet<OpenFile> params;
115 const wchar_t* name_ptr = name.get();
116 params[OpenFile::NAME] = ParamPickerMake(name_ptr);
117 params[OpenFile::ACCESS] = ParamPickerMake(desired_access_uint32);
118 params[OpenFile::DISPOSITION] = ParamPickerMake(disposition_uint32);
119 params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32);
120 params[OpenFile::BROKER] = ParamPickerMake(broker);
121
122- if (!QueryBroker(IPC_NTOPENFILE_TAG, params.GetBase()))
123- break;
124-
125 SharedMemIPCClient ipc(memory);
126 CrossCallReturn answer = {0};
127 ResultCode code =
128 CrossCall(ipc, IPC_NTOPENFILE_TAG, name.get(), attributes,
129 desired_access_uint32, sharing, options_uint32, &answer);
130 if (SBOX_ALL_OK != code)
131 break;
132
133
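Review bot: Dropping the QueryBroker short-circuit at lines 102–104 (and again at 122–124 in the TargetNtOpenFile hunk) means the target no longer discards requests that its in-process policy check would presumably have rejected, so every intercepted open now crosses to the broker, and nothing in the code says why; enforcement still happens in the broker's EvalPolicy, so the trust boundary is unchanged, but the extra IPC for paths the policy rejects is new broker load worth measuring. As far as the hunk shows, the `params` set built at lines 94–100 has lost its only consumer and is now dead work on every call; if nothing after line 112 reads it, it should go with the QueryBroker call, and likewise at lines 114–120. I would add `// No QueryBroker() short-circuit here: only the broker can see user-granted file permissions, so every request must be sent to it.` where the removed lines were; TargetNtCreateFile begins before line 94 and its body continues past line 112.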