summaryrefslogtreecommitdiffstats
path: root/security/sandbox/win/src/remotesandboxbroker/remoteSandboxBroker.h
diff options
context:
space:
mode:
Diffstat (limited to 'security/sandbox/win/src/remotesandboxbroker/remoteSandboxBroker.h')
-rw-r--r--security/sandbox/win/src/remotesandboxbroker/remoteSandboxBroker.h75
1 files changed, 75 insertions, 0 deletions
diff --git a/security/sandbox/win/src/remotesandboxbroker/remoteSandboxBroker.h b/security/sandbox/win/src/remotesandboxbroker/remoteSandboxBroker.h
new file mode 100644
index 0000000000..bb02470e0e
--- /dev/null
+++ b/security/sandbox/win/src/remotesandboxbroker/remoteSandboxBroker.h
@@ -0,0 +1,75 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef __REMOTE_SANDBOXBROKER_H__
+#define __REMOTE_SANDBOXBROKER_H__
+
+#include "sandboxBroker.h"
+#include "RemoteSandboxBrokerParent.h"
+
+#include "mozilla/Result.h"
+#include "mozilla/ipc/LaunchError.h"
+
+namespace mozilla {
+
+// To make sandboxing an x86 plugin-container process on Windows on ARM64,
+// we launch an x86 child process which in turn launches and sandboxes the x86
+// plugin-container child. This means the sandbox broker (in the remote
+// x86 sandbox launcher process) can be same-arch with the process that it's
+// sandboxing, which means all the sandbox's assumptions about things being
+// same arch still hold.
+class RemoteSandboxBroker : public AbstractSandboxBroker {
+ public:
+ explicit RemoteSandboxBroker(uint32_t aLaunchArch);
+
+ void Shutdown() override;
+
+ // Note: This should be called on the IPC launch thread, and this spins
+ // the event loop. So this means potentially another IPC launch could occur
+ // re-entrantly while calling this.
+ Result<Ok, mozilla::ipc::LaunchError> LaunchApp(
+ const wchar_t* aPath, const wchar_t* aArguments,
+ base::EnvironmentMap& aEnvironment, GeckoProcessType aProcessType,
+ const bool aEnableLogging, const IMAGE_THUNK_DATA*,
+ void** aProcessHandle) override;
+
+ // Security levels for different types of processes
+ void SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
+ bool aIsFileProcess) override;
+ void SetSecurityLevelForGPUProcess(int32_t aSandboxLevel) override;
+ bool SetSecurityLevelForRDDProcess() override;
+ bool SetSecurityLevelForSocketProcess() override;
+ bool SetSecurityLevelForGMPlugin(SandboxLevel aLevel,
+ bool aIsRemoteLaunch = false) override;
+ bool SetSecurityLevelForUtilityProcess(
+ mozilla::ipc::SandboxingKind aSandbox) override;
+ bool AllowReadFile(wchar_t const* file) override;
+ void AddHandleToShare(HANDLE aHandle) override;
+
+ bool IsWin32kLockedDown() final { return false; };
+
+ private:
+ virtual ~RemoteSandboxBroker();
+
+ // Parameters that we use to launch the child process.
+ LaunchParameters mParameters;
+
+ RefPtr<RemoteSandboxBrokerParent> mParent;
+
+ // We bind the RemoteSandboxBrokerParent to the IPC launch thread.
+ // As such, we must close its channel on the same thread. So we save
+ // a reference to the IPC launch thread here.
+ nsCOMPtr<nsISerialEventTarget> mIPCLaunchThread;
+
+ // True if we've been shutdown.
+ bool mShutdown = false;
+
+ uint32_t mLaunchArch;
+};
+
+} // namespace mozilla
+
+#endif // __REMOTE_SANDBOXBROKER_H__