Bug 1423296 - Don't use MITIGATION_IMAGE_LOAD_NO_LOW_LABEL when runni…

…ng from a network drive. r=jimm, a=jcristau --HG-- extra : source : 3a5a8818db5af9993407439a97bf3c4638fb34fb
dkotin11 · Dec 8, 2017 · 9925ecb · 9925ecb
1 parent 01aa5d1
commit 9925ecb
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -485,11 +485,12 @@ SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
   }
 
   if (aSandboxLevel > 3) {
-    mitigations |= sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL;
     // If we're running from a network drive then we can't block loading from
-    // remote locations.
+    // remote locations. Strangely using MITIGATION_IMAGE_LOAD_NO_LOW_LABEL in
+    // this situation also means the process fails to start (bug 1423296).
     if (!sRunningFromNetworkDrive) {
-      mitigations |= sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE;
+      mitigations |= sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+                     sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL;
     }
   }