summaryrefslogtreecommitdiffstats
path: root/security/sandbox/win/src/remotesandboxbroker/remoteSandboxBroker.h
blob: aee84ee43de42f2ecf24f5e34371a8d79044642f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at https://mozilla.org/MPL/2.0/. */

#ifndef __REMOTE_SANDBOXBROKER_H__
#define __REMOTE_SANDBOXBROKER_H__

#include "sandboxBroker.h"
#include "RemoteSandboxBrokerParent.h"

namespace mozilla {

// To make sandboxing an x86 plugin-container process on Windows on ARM64,
// we launch an x86 child process which in turn launches and sandboxes the x86
// plugin-container child. This means the sandbox broker (in the remote
// x86 sandbox launcher process) can be same-arch with the process that it's
// sandboxing, which means all the sandbox's assumptions about things being
// same arch still hold.
class RemoteSandboxBroker : public AbstractSandboxBroker {
 public:
  RemoteSandboxBroker();

  void Shutdown() override;

  // Note: This should be called on the IPC launch thread, and this spins
  // the event loop. So this means potentially another IPC launch could occur
  // re-entrantly while calling this.
  bool LaunchApp(const wchar_t* aPath, const wchar_t* aArguments,
                 base::EnvironmentMap& aEnvironment,
                 GeckoProcessType aProcessType, const bool aEnableLogging,
                 const IMAGE_THUNK_DATA*, void** aProcessHandle) override;

  // Security levels for different types of processes
  void SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
                                         bool aIsFileProcess) override;
  void SetSecurityLevelForGPUProcess(
      int32_t aSandboxLevel, const nsCOMPtr<nsIFile>& aProfileDir) override;
  bool SetSecurityLevelForRDDProcess() override;
  bool SetSecurityLevelForSocketProcess() override;
  bool SetSecurityLevelForGMPlugin(SandboxLevel aLevel,
                                   bool aIsRemoteLaunch = false) override;
  bool SetSecurityLevelForUtilityProcess(
      mozilla::ipc::SandboxingKind aSandbox) override;
  bool AllowReadFile(wchar_t const* file) override;
  void AddHandleToShare(HANDLE aHandle) override;

  bool IsWin32kLockedDown() final { return false; };

 private:
  virtual ~RemoteSandboxBroker();

  // Parameters that we use to launch the child process.
  LaunchParameters mParameters;

  RemoteSandboxBrokerParent mParent;

  // We bind the RemoteSandboxBrokerParent to the IPC launch thread.
  // As such, we must close its channel on the same thread. So we save
  // a reference to the IPC launch thread here.
  nsCOMPtr<nsISerialEventTarget> mIPCLaunchThread;

  // True if we've been shutdown.
  bool mShutdown = false;
};

}  // namespace mozilla

#endif  // __REMOTE_SANDBOXBROKER_H__