diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-15 03:35:49 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-15 03:35:49 +0000 |
| commit | d8bbc7858622b6d9c278469aab701ca0b609cddf (patch) | |
| tree | eff41dc61d9f714852212739e6b3738b82a2af87 /security/sandbox/chromium-shim | |
| parent | Releasing progress-linux version 125.0.3-1~progress7.99u1. (diff) | |
| download | firefox-d8bbc7858622b6d9c278469aab701ca0b609cddf.tar.xz firefox-d8bbc7858622b6d9c278469aab701ca0b609cddf.zip | |
Merging upstream version 126.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/sandbox/chromium-shim')
| -rwxr-xr-x | security/sandbox/chromium-shim/patches/with_update/patch_order.txt | 1 | ||||
| -rw-r--r-- | security/sandbox/chromium-shim/patches/with_update/set_delayed_integrity_on_process_acl.patch | 39 |
2 files changed, 40 insertions, 0 deletions
diff --git a/security/sandbox/chromium-shim/patches/with_update/patch_order.txt b/security/sandbox/chromium-shim/patches/with_update/patch_order.txt index 028348a0f0..703be7a3cb 100755 --- a/security/sandbox/chromium-shim/patches/with_update/patch_order.txt +++ b/security/sandbox/chromium-shim/patches/with_update/patch_order.txt @@ -31,3 +31,4 @@ add_loongarch_defines.patch block_NtImpersonateAnonymousToken_before_LowerToken.patch fix_broker_alive_mutex.patch fix_max_syscalls_linux_aarch64.patch +set_delayed_integrity_on_process_acl.patch diff --git a/security/sandbox/chromium-shim/patches/with_update/set_delayed_integrity_on_process_acl.patch b/security/sandbox/chromium-shim/patches/with_update/set_delayed_integrity_on_process_acl.patch new file mode 100644 index 0000000000..650c0e4f70 --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/set_delayed_integrity_on_process_acl.patch @@ -0,0 +1,39 @@ +# HG changeset patch +# User Bob Owen <bobowencode@gmail.com> +# Date 1709836178 0 +# Thu Mar 07 18:29:38 2024 +0000 +# Node ID 2b9ab7e6c5a1630b497fe1543634cbaebdc395f8 +# Parent f9c20c064d639a146ffa09ec832aee6dff44643d +Bug 1889932 p1: Set process ACL to the delayed integrity level in LowerToken. r=yjuglaret! + +This allows us to maintain the same access to our process when the integrity +level on our access token is dropped. + +Differential Revision: https://phabricator.services.mozilla.com/D206784 + +diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc +--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc ++++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc +@@ -302,16 +302,22 @@ DWORD SetTokenIntegrityLevel(HANDLE toke + DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level) { + // We don't check for an invalid level here because we'll just let it + // fail on the SetTokenIntegrityLevel call later on. + if (integrity_level == INTEGRITY_LEVEL_LAST) { + // No mandatory level specified, we don't change it. + return ERROR_SUCCESS; + } + ++ // Set integrity level for our process ACL, so we retain access to it. ++ // We ignore failures because this is not a security measure, but some ++ // functionality may fail later in the process. ++ SetObjectIntegrityLabel(::GetCurrentProcess(), SE_KERNEL_OBJECT, L"", ++ GetIntegrityLevelString(integrity_level)); ++ + HANDLE token_handle; + if (!::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_DEFAULT, + &token_handle)) + return ::GetLastError(); + + base::win::ScopedHandle token(token_handle); + + return SetTokenIntegrityLevel(token.Get(), integrity_level); |