summaryrefslogtreecommitdiffstats
path: root/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
blob: 462e4b4b524f883f253fafc363f154f62426a0ec (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef __SECURITY_SANDBOX_SANDBOXBROKER_H__
#define __SECURITY_SANDBOX_SANDBOXBROKER_H__

#include <stdint.h>
#include <windows.h>

#include "build/build_config.h"
#include "mozilla/ipc/EnvironmentMap.h"
#include "nsCOMPtr.h"
#include "nsXULAppAPI.h"
#include "nsISupportsImpl.h"

#include "mozilla/ipc/UtilityProcessSandboxing.h"
#include "mozilla/ipc/LaunchError.h"
#include "mozilla/Result.h"

namespace sandbox {
class BrokerServices;
class TargetPolicy;
}  // namespace sandbox

namespace mozilla {

class AbstractSandboxBroker {
 public:
  NS_INLINE_DECL_THREADSAFE_REFCOUNTING(AbstractSandboxBroker)

  virtual void Shutdown() = 0;
  virtual Result<Ok, mozilla::ipc::LaunchError> LaunchApp(
      const wchar_t* aPath, const wchar_t* aArguments,
      base::EnvironmentMap& aEnvironment, GeckoProcessType aProcessType,
      const bool aEnableLogging, const IMAGE_THUNK_DATA* aCachedNtdllThunk,
      void** aProcessHandle) = 0;

  // Security levels for different types of processes
  virtual void SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
                                                 bool aIsFileProcess) = 0;

  virtual void SetSecurityLevelForGPUProcess(int32_t aSandboxLevel) = 0;
  virtual bool SetSecurityLevelForRDDProcess() = 0;
  virtual bool SetSecurityLevelForSocketProcess() = 0;
  virtual bool SetSecurityLevelForUtilityProcess(
      mozilla::ipc::SandboxingKind aSandbox) = 0;

  enum SandboxLevel { LockDown, Restricted };
  virtual bool SetSecurityLevelForGMPlugin(SandboxLevel aLevel,
                                           bool aIsRemoteLaunch = false) = 0;

  // File system permissions
  virtual bool AllowReadFile(wchar_t const* file) = 0;

  /**
   * Share a HANDLE with the child process. The HANDLE will be made available
   * in the child process at the memory address
   * |reinterpret_cast<uintptr_t>(aHandle)|. It is the caller's responsibility
   * to communicate this address to the child.
   */
  virtual void AddHandleToShare(HANDLE aHandle) = 0;

  /**
   * @return true if policy has win32k locked down, otherwise false
   */
  virtual bool IsWin32kLockedDown() = 0;

 protected:
  virtual ~AbstractSandboxBroker() {}
};

class SandboxBroker : public AbstractSandboxBroker {
 public:
  SandboxBroker();

  static void Initialize(sandbox::BrokerServices* aBrokerServices,
                         const nsAString& aBinDir);

  void Shutdown() override {}

  /**
   * Do initialization that depends on parts of the Gecko machinery having been
   * created first.
   */
  static void GeckoDependentInitialize();

  Result<Ok, mozilla::ipc::LaunchError> LaunchApp(
      const wchar_t* aPath, const wchar_t* aArguments,
      base::EnvironmentMap& aEnvironment, GeckoProcessType aProcessType,
      const bool aEnableLogging, const IMAGE_THUNK_DATA* aCachedNtdllThunk,
      void** aProcessHandle) override;
  virtual ~SandboxBroker();

  // Security levels for different types of processes
  void SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
                                         bool aIsFileProcess) override;

  void SetSecurityLevelForGPUProcess(int32_t aSandboxLevel) override;
  bool SetSecurityLevelForRDDProcess() override;
  bool SetSecurityLevelForSocketProcess() override;
  bool SetSecurityLevelForGMPlugin(SandboxLevel aLevel,
                                   bool aIsRemoteLaunch = false) override;
  bool SetSecurityLevelForUtilityProcess(
      mozilla::ipc::SandboxingKind aSandbox) override;

  // File system permissions
  bool AllowReadFile(wchar_t const* file) override;

  /**
   * Exposes AddTargetPeer from broker services, so that non-sandboxed
   * processes can be added as handle duplication targets.
   */
  static bool AddTargetPeer(HANDLE aPeerProcess);

  /**
   * Share a HANDLE with the child process. The HANDLE will be made available
   * in the child process at the memory address
   * |reinterpret_cast<uintptr_t>(aHandle)|. It is the caller's responsibility
   * to communicate this address to the child.
   */
  void AddHandleToShare(HANDLE aHandle) override;

  bool IsWin32kLockedDown() final;

  // Set up dummy interceptions via the broker, so we can log calls.
  void ApplyLoggingPolicy();

 private:
  static bool sRunningFromNetworkDrive;
  sandbox::TargetPolicy* mPolicy;
};

}  // namespace mozilla

#endif