ike at apple.com
Tue Feb 1 15:11:02 PST 2011
On Jan 6, 2011, at 12:52 PM, Carlos Pizano wrote:
> Because CreateProcess or CreateProcessAsUser is one of those functions
> that do not fully undo the sandboxing applied to the calling process,
> and thus the broker launched that way does not have quite the same
> token as a broker launched by a non-sandboxed process. This leads to
> subtle problems when, for example, accessing the digital cert store.
> At least for the kind of sandboxing we do, which is based on both a
> restricted token and low integrity level. I haven't explored the
> option of a pure low-IL sandbox because we want to keep supporting
> Windows XP.
I lack any Windows background, but after doing some research, I'm still not sure I understand the problem you're discussing. The plugin process would initially launch as a normal, unrestricted user process. It stands to reason that it could launch other unrestricted processes (like the broker) before it calls NPN_EnterSandbox() and discards its initial token in favor of one that's locked down.
This seems to agree with the description of using the privileged token in the 'Target bootstrapping' section of the Chromium sandbox writeup at <https://sites.google.com/a/chromium.org/dev/developers/design-documents/sandbox>. Could you be more specific about your concern?
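The token-inheritance behaviour the two messages turn on can be seen directly: a process launched with a restricted, low-integrity primary token hands that same token to anything it starts through a plain CreateProcess, which is why a broker spawned from inside the sandbox looks different from one spawned beforehand. The following PowerShell script is an added illustration written for this page, not code from the thread, from Chromium or from the plugin-futures proposal. It assumes a non-elevated interactive PowerShell 5.1 or later on Windows 7+, builds a restricted copy of the caller's own token (all privileges disabled, integrity set to Low) and uses it to start cmd.exe, which in turn starts whoami through an ordinary CreateProcess; the grandchild reports the inherited label. The class and method names (TokenDemo, RunRestricted) are the example's own.

```powershell
# Added example (not from the thread). Runs a command line under a restricted,
# low-integrity copy of the caller's primary token. Anything the child then
# starts via plain CreateProcess inherits that token, which the output shows.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.ComponentModel;

public static class TokenDemo {
    [StructLayout(LayoutKind.Sequential)]
    public struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_MANDATORY_LABEL { public SID_AND_ATTRIBUTES Label; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    const uint TOKEN_ALL_ACCESS = 0xF01FF;
    const uint DISABLE_MAX_PRIVILEGE = 0x1;   // CreateRestrictedToken flag
    const uint SE_GROUP_INTEGRITY = 0x20;
    const int  TokenIntegrityLevel = 25;      // TOKEN_INFORMATION_CLASS value

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern uint WaitForSingleObject(IntPtr h, uint ms);
    [DllImport("kernel32.dll")] static extern bool GetExitCodeProcess(IntPtr h, out uint code);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CreateRestrictedToken(IntPtr token, uint flags, uint nDisable, IntPtr disable,
        uint nDelete, IntPtr del, uint nRestrict, IntPtr restrict, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool ConvertStringSidToSid(string sid, out IntPtr psid);
    [DllImport("advapi32.dll")] static extern uint GetLengthSid(IntPtr psid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SetTokenInformation(IntPtr token, int cls, ref TOKEN_MANDATORY_LABEL info, int len);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr token, string app, string cmdLine, IntPtr pa, IntPtr ta,
        bool inherit, uint flags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);

    public static int RunRestricted(string commandLine) {
        IntPtr self, restricted, lowSid;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, out self))
            throw new Win32Exception();
        // 1. Restricted copy of our own primary token with every privilege removed.
        //    (A real sandbox also passes restricting SIDs; omitted to keep the demo short.)
        if (!CreateRestrictedToken(self, DISABLE_MAX_PRIVILEGE, 0, IntPtr.Zero, 0, IntPtr.Zero,
                                   0, IntPtr.Zero, out restricted))
            throw new Win32Exception();
        // 2. Lower the copy's integrity label to Low (S-1-16-4096).
        if (!ConvertStringSidToSid("S-1-16-4096", out lowSid)) throw new Win32Exception();
        var label = new TOKEN_MANDATORY_LABEL();
        label.Label.Sid = lowSid;
        label.Label.Attributes = SE_GROUP_INTEGRITY;
        int len = Marshal.SizeOf(label) + (int)GetLengthSid(lowSid);
        if (!SetTokenInformation(restricted, TokenIntegrityLevel, ref label, len))
            throw new Win32Exception();
        // 3. Start the child with the restricted token. No SE_ASSIGNPRIMARYTOKEN privilege is
        //    needed because the token is a restricted version of the caller's own token.
        var si = new STARTUPINFO(); si.cb = Marshal.SizeOf(si);
        PROCESS_INFORMATION pi;
        if (!CreateProcessAsUser(restricted, null, commandLine, IntPtr.Zero, IntPtr.Zero,
                                 false, 0, IntPtr.Zero, null, ref si, out pi))
            throw new Win32Exception();
        WaitForSingleObject(pi.hProcess, 0xFFFFFFFF);
        uint code; GetExitCodeProcess(pi.hProcess, out code);
        CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
        CloseHandle(restricted); CloseHandle(self);
        return (int)code;
    }
}
"@

# cmd.exe is the child; it launches whoami through a plain CreateProcess (no token
# argument), so whoami reports the token it inherited.
$probe = 'cmd.exe /c "whoami /groups | findstr /i Mandatory"'

Write-Host "--- child started with the caller's normal token:"
cmd.exe /c "whoami /groups | findstr /i Mandatory"        # Medium (or High if elevated)

Write-Host "--- child started with the restricted low-IL token:"
[TokenDemo]::RunRestricted($probe) | Out-Null              # Low Mandatory Level
```

The second block of output is the point of Carlos's remark: the grandchild never asked for a restricted token, yet it got one, because CreateProcess copies the caller's primary token by default. A broker that must run with the full token therefore has to be started before the calling process restricts itself, or be started by a process that still holds the unrestricted token (the "target bootstrapping" arrangement in the Chromium write-up), rather than from inside the sandbox. `whoami` is used as the probe only because it prints the integrity label; any program started the same way would inherit the same token.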