diff options
Diffstat (limited to 'security/sandbox/chromium-shim/patches/with_update/allow_read_only_all_paths_rule.patch')
-rw-r--r-- | security/sandbox/chromium-shim/patches/with_update/allow_read_only_all_paths_rule.patch | 142 |
1 files changed, 142 insertions, 0 deletions
diff --git a/security/sandbox/chromium-shim/patches/with_update/allow_read_only_all_paths_rule.patch b/security/sandbox/chromium-shim/patches/with_update/allow_read_only_all_paths_rule.patch new file mode 100644 index 0000000000..b147e5f9fe --- /dev/null +++ b/security/sandbox/chromium-shim/patches/with_update/allow_read_only_all_paths_rule.patch @@ -0,0 +1,142 @@ +# HG changeset patch +# User Bob Owen <bobowencode@gmail.com> +# Date 1490686576 -3600 +# Tue Mar 28 08:36:16 2017 +0100 +# Node ID 698d43688097e19ac64db71a094905035cac4891 +# Parent 96707276b26997ea2a8e9fd8fdacc0c863717e7b +Allow a special all paths rule in the Windows process sandbox when using semantics FILES_ALLOW_READONLY. r=jimm + +This also changes the read only related status checks in filesystem_interception.cc +to include STATUS_NETWORK_OPEN_RESTRICTION (0xC0000201), which gets returned in +some cases and fails because we never ask the broker. + +diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc +--- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc ++++ b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc +@@ -11,16 +11,20 @@ + #include "sandbox/win/src/ipc_tags.h" + #include "sandbox/win/src/policy_params.h" + #include "sandbox/win/src/policy_target.h" + #include "sandbox/win/src/sandbox_factory.h" + #include "sandbox/win/src/sandbox_nt_util.h" + #include "sandbox/win/src/sharedmem_ipc_client.h" + #include "sandbox/win/src/target_services.h" + ++// This status occurs when trying to access a network share on the machine from ++// which it is shared. ++#define STATUS_NETWORK_OPEN_RESTRICTION ((NTSTATUS)0xC0000201L) ++ + namespace sandbox { + + NTSTATUS WINAPI TargetNtCreateFile(NtCreateFileFunction orig_CreateFile, + PHANDLE file, + ACCESS_MASK desired_access, + POBJECT_ATTRIBUTES object_attributes, + PIO_STATUS_BLOCK io_status, + PLARGE_INTEGER allocation_size, +@@ -29,17 +33,18 @@ NTSTATUS WINAPI TargetNtCreateFile(NtCre + ULONG disposition, + ULONG options, + PVOID ea_buffer, + ULONG ea_length) { + // Check if the process can open it first. + NTSTATUS status = orig_CreateFile( + file, desired_access, object_attributes, io_status, allocation_size, + file_attributes, sharing, disposition, options, ea_buffer, ea_length); +- if (STATUS_ACCESS_DENIED != status) ++ if (STATUS_ACCESS_DENIED != status && ++ STATUS_NETWORK_OPEN_RESTRICTION != status) + return status; + + // We don't trust that the IPC can work this early. + if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return status; + + do { + if (!ValidParameter(file, sizeof(HANDLE), WRITE)) +@@ -106,17 +111,18 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF + ACCESS_MASK desired_access, + POBJECT_ATTRIBUTES object_attributes, + PIO_STATUS_BLOCK io_status, + ULONG sharing, + ULONG options) { + // Check if the process can open it first. + NTSTATUS status = orig_OpenFile(file, desired_access, object_attributes, + io_status, sharing, options); +- if (STATUS_ACCESS_DENIED != status) ++ if (STATUS_ACCESS_DENIED != status && ++ STATUS_NETWORK_OPEN_RESTRICTION != status) + return status; + + // We don't trust that the IPC can work this early. + if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return status; + + do { + if (!ValidParameter(file, sizeof(HANDLE), WRITE)) +@@ -176,17 +182,18 @@ NTSTATUS WINAPI TargetNtOpenFile(NtOpenF + } + + NTSTATUS WINAPI + TargetNtQueryAttributesFile(NtQueryAttributesFileFunction orig_QueryAttributes, + POBJECT_ATTRIBUTES object_attributes, + PFILE_BASIC_INFORMATION file_attributes) { + // Check if the process can query it first. + NTSTATUS status = orig_QueryAttributes(object_attributes, file_attributes); +- if (STATUS_ACCESS_DENIED != status) ++ if (STATUS_ACCESS_DENIED != status && ++ STATUS_NETWORK_OPEN_RESTRICTION != status) + return status; + + // We don't trust that the IPC can work this early. + if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return status; + + do { + if (!ValidParameter(file_attributes, sizeof(FILE_BASIC_INFORMATION), WRITE)) +@@ -232,17 +239,18 @@ TargetNtQueryAttributesFile(NtQueryAttri + + NTSTATUS WINAPI TargetNtQueryFullAttributesFile( + NtQueryFullAttributesFileFunction orig_QueryFullAttributes, + POBJECT_ATTRIBUTES object_attributes, + PFILE_NETWORK_OPEN_INFORMATION file_attributes) { + // Check if the process can query it first. + NTSTATUS status = + orig_QueryFullAttributes(object_attributes, file_attributes); +- if (STATUS_ACCESS_DENIED != status) ++ if (STATUS_ACCESS_DENIED != status && ++ STATUS_NETWORK_OPEN_RESTRICTION != status) + return status; + + // We don't trust that the IPC can work this early. + if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled()) + return status; + + do { + if (!ValidParameter(file_attributes, sizeof(FILE_NETWORK_OPEN_INFORMATION), +diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc +--- a/security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc ++++ b/security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc +@@ -77,17 +77,21 @@ namespace sandbox { + bool FileSystemPolicy::GenerateRules(const wchar_t* name, + TargetPolicy::Semantics semantics, + LowLevelPolicy* policy) { + std::wstring mod_name(name); + if (mod_name.empty()) { + return false; + } + +- if (!PreProcessName(&mod_name)) { ++ // Don't pre-process the path name and check for reparse points if it is the ++ // special case of allowing read access to all paths. ++ if (!(semantics == TargetPolicy::FILES_ALLOW_READONLY ++ && mod_name.compare(L"*") == 0) ++ && !PreProcessName(&mod_name)) { + // The path to be added might contain a reparse point. + NOTREACHED(); + return false; + } + + // TODO(cpu) bug 32224: This prefix add is a hack because we don't have the + // infrastructure to normalize names. In any case we need to escape the + // question marks. |