Closed Bug 1132021 Opened 5 years ago Closed 5 years ago
_LIMITED access token level for the Windows NPAPI process sandboxing policy
As suggested by bbondy in Bug 1126402 Comment 5, this is an attempt to get a workable NPAPI sandbox (primarily for flash) using the USER_LIMITED access level token.
This patch adds a "level" 3 for the NPAPI, setting the access token to USER_LIMITED. This removes the user's own token from the process's access token. It adds rules to give read/write access to the two flash AppData directories and the Temp directory. It also adds read access to the User's home directory for file upload. Trying to improve any of the sandbox policy further seems to break at least some part of video/audio playback.
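The rule set the description lays out, as an added model written for this page; it is neither the patch's code nor the Chromium sandbox's rule evaluation, and the directory names and the deepest-rule-wins tie-break are assumptions made here:

```python
# Added model of the file-access rules described in this bug.  It is not
# Mozilla's sandbox broker code and not the Chromium sandbox (which evaluates
# rules in the broker process); all directory names below are constructed.
from pathlib import PureWindowsPath

ALLOW_ANY = "read/write"        # broker rule: open for read or write
ALLOW_READONLY = "read-only"    # broker rule: open for read only

# Constructed stand-ins for the directories the bug grants access to.
HOME = r"C:\Users\alice"
TEMP = HOME + r"\AppData\Local\Temp"
FLASH_DIRS = [HOME + r"\AppData\Roaming\Macromedia\Flash Player",
              HOME + r"\AppData\Roaming\Adobe\Flash Player"]

RULES = [(d, ALLOW_ANY) for d in FLASH_DIRS] + [
    (TEMP, ALLOW_ANY),
    (HOME, ALLOW_READONLY),  # enough for file upload; nothing persists
]

def _parts(path):
    """Case-folded path components, since Windows paths ignore case."""
    return [p.lower() for p in PureWindowsPath(path).parts]

def _under(path, root):
    root_parts = _parts(root)
    return _parts(path)[:len(root_parts)] == root_parts

def allowed(path, op):
    """True if the plugin process may perform op ('read' or 'write') on a
    path inside the user's profile.  With the user's own SID gone from the
    token, profile paths not covered by a rule are denied; when several
    rules match, the deepest directory decides (an assumption of this model)."""
    if op not in ("read", "write") or not _under(path, HOME):
        raise ValueError("only read/write probes inside the profile are modelled")
    matches = [(len(_parts(root)), sem) for root, sem in RULES
               if _under(path, root)]
    if not matches:
        return False
    _, semantics = max(matches)
    return semantics == ALLOW_ANY or op == "read"

if __name__ == "__main__":
    for path, op in [
        (FLASH_DIRS[0] + r"\#SharedObjects\site.sol", "write"),
        (TEMP + r"\stream.tmp", "write"),
        (HOME + r"\Documents\upload.jpg", "read"),
        (HOME + r"\Documents\upload.jpg", "write"),
    ]:
        print(f"{op:5} {path}: {'allowed' if allowed(path, op) else 'denied'}")
```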
Comment on attachment 8562844 [details] [diff] [review] Add a new sandbox level for Windows NPAPI to use USER_LIMITED access token level. I'm skeptical that we could ever use this in a default environment, but I think it's worth having the options available!
Attachment #8562844 - Flags: review?(benjamin) → review+
(In reply to Benjamin Smedberg [:bsmedberg] from comment #2)
> Comment on attachment 8562844 [details] [diff] [review]
> Add a new sandbox level for Windows NPAPI to use USER_LIMITED access token
> level.
>
> I'm skeptical that we could ever use this in a default environment, but I
> think it's worth having the options available!

Thanks. Yeah, this would need some thorough testing and at the very least it may restrict from where files can be uploaded. At least it gives different things to try if we get some sort of test suite.

Try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=8eb5933b6550
Attachment #8562844 - Flags: review?(netzen) → review+