1 files changed, 91 insertions, 0 deletions

diff --git a/mozglue/misc/WindowsProcessMitigations.cpp b/mozglue/misc/WindowsProcessMitigations.cpp
new file mode 100644
index 0000000000..f528738b77
--- /dev/null
+++ b/mozglue/misc/WindowsProcessMitigations.cpp
@@ -0,0 +1,91 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "mozilla/WindowsProcessMitigations.h"
+
+#include <processthreadsapi.h>
+
+#include "mozilla/Assertions.h"
+#include "mozilla/DynamicallyLinkedFunctionPtr.h"
+
+static_assert(sizeof(PROCESS_MITIGATION_DYNAMIC_CODE_POLICY) == 4);
+
+#if (_WIN32_WINNT < 0x0602)
+BOOL WINAPI GetProcessMitigationPolicy(
+    HANDLE hProcess, PROCESS_MITIGATION_POLICY MitigationPolicy, PVOID lpBuffer,
+    SIZE_T dwLength);
+#endif  // (_WIN32_WINNT < 0x0602)
+
+namespace mozilla {
+
+static decltype(&::GetProcessMitigationPolicy)
+FetchGetProcessMitigationPolicyFunc() {
+  static const StaticDynamicallyLinkedFunctionPtr<
+      decltype(&::GetProcessMitigationPolicy)>
+      pGetProcessMitigationPolicy(L"kernel32.dll",
+                                  "GetProcessMitigationPolicy");
+  return pGetProcessMitigationPolicy;
+}
+
+static bool sWin32kLockedDownInPolicy = false;
+
+MFBT_API bool IsWin32kLockedDown() {
+  static bool sWin32kLockedDown = []() {
+    auto pGetProcessMitigationPolicy = FetchGetProcessMitigationPolicyFunc();
+
+    PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY polInfo;
+    if (!pGetProcessMitigationPolicy ||
+        !pGetProcessMitigationPolicy(::GetCurrentProcess(),
+                                     ProcessSystemCallDisablePolicy, &polInfo,
+                                     sizeof(polInfo))) {
+      // We failed to get pointer to GetProcessMitigationPolicy or the call
+      // to it failed, so just return what the sandbox policy says.
+      return sWin32kLockedDownInPolicy;
+    }
+
+    return !!polInfo.DisallowWin32kSystemCalls;
+  }();
+
+  return sWin32kLockedDown;
+}
+
+MFBT_API void SetWin32kLockedDownInPolicy() {
+  sWin32kLockedDownInPolicy = true;
+}
+
+MFBT_API bool IsDynamicCodeDisabled() {
+  auto pGetProcessMitigationPolicy = FetchGetProcessMitigationPolicyFunc();
+  if (!pGetProcessMitigationPolicy) {
+    return false;
+  }
+
+  PROCESS_MITIGATION_DYNAMIC_CODE_POLICY polInfo;
+  if (!pGetProcessMitigationPolicy(::GetCurrentProcess(),
+                                   ProcessDynamicCodePolicy, &polInfo,
+                                   sizeof(polInfo))) {
+    return false;
+  }
+
+  return polInfo.ProhibitDynamicCode;
+}
+
+MFBT_API bool IsEafPlusEnabled() {
+  auto pGetProcessMitigationPolicy = FetchGetProcessMitigationPolicyFunc();
+  if (!pGetProcessMitigationPolicy) {
+    return false;
+  }
+
+  PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY polInfo;
+  if (!pGetProcessMitigationPolicy(::GetCurrentProcess(),
+                                   ProcessPayloadRestrictionPolicy, &polInfo,
+                                   sizeof(polInfo))) {
+    return false;
+  }
+
+  return polInfo.EnableExportAddressFilterPlus;
+}
+
+}  // namespace mozilla