Bug 925571 - Initial Windows content process sandbox broker code. r=aklotz
authorBrian R. Bondy <netzen@gmail.com>
Wed, 30 Oct 2013 16:58:52 -0700
changeset 167618 f997b62e129056b859eee14ac9bc2585bfa4b93f
parent 167617 7915aa34a9d8cf5b84692c34bbf2746cf0139876
child 167619 401ddfc06cab40be834c0ba81fc319d1b061374a
Bug 925571 - Initial Windows content process sandbox broker code. r=aklotz
ipc/glue/GeckoChildProcessHost.cpp
security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
security/sandbox/win/src/sandboxbroker/sandboxBroker.h
--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@@ -1,16 +1,20 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "GeckoChildProcessHost.h"
 
+#if defined(XP_WIN) && defined(MOZ_CONTENT_SANDBOX)
+#include "sandboxBroker.h"
+#endif
+
 #include "base/command_line.h"
 #include "base/path_service.h"
 #include "base/string_util.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/process_watcher.h"
 #ifdef MOZ_WIDGET_COCOA
 #include "chrome/common/mach_ipc_mac.h"
 #include "base/rand_util.h"
@@ -751,17 +755,25 @@ GeckoChildProcessHost::PerformAsyncLaunc
 #if defined(MOZ_CRASHREPORTER)
   cmdLine.AppendLooseValue(
     UTF8ToWide(CrashReporter::GetChildNotificationPipe()));
 #endif
 
   // Process type
   cmdLine.AppendLooseValue(UTF8ToWide(childProcessType));
 
+#if defined(XP_WIN) && defined(MOZ_CONTENT_SANDBOX)
+  mozilla::SandboxBroker sandboxBroker;
+  sandboxBroker.LaunchApp(cmdLine.program().c_str(),
+                          cmdLine.command_line_string().c_str(),
+                          &process);
+#else
   base::LaunchApp(cmdLine, false, false, &process);
+#endif
+
 
 #else
 #  error Sorry
 #endif
 
   if (!process) {
     MonitorAutoLock lock(mMonitor);
     mProcessState = PROCESS_ERROR;
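Review bot: The boolean returned by `sandboxBroker.LaunchApp` is discarded, and on the broker's early-failure paths nothing is ever written through `aProcessHandle`, so the `if (!process)` check a few lines below only detects a failed launch if `process` happened to be zero-initialised earlier in PerformAsyncLaunch, which starts before this hunk and is not visible here. Making the failure explicit removes that dependency: wrap the call as `if (!sandboxBroker.LaunchApp(..., &process)) { process = 0; }` so the existing PROCESS_ERROR path is taken regardless of how `process` was declared. Passing `&process` as a `void**` also presumes `base::ProcessHandle` is a Windows `HANDLE`; that holds on this platform but is worth a one-line comment since the fallback `base::LaunchApp` overload is typed.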
new file mode 100644
--- /dev/null
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -0,0 +1,70 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "sandboxBroker.h"
+#include "sandbox/win/src/sandbox.h"
+#include "sandbox/win/src/sandbox_factory.h"
+
+namespace mozilla
+{
+
+SandboxBroker::SandboxBroker() :
+  mBrokerService(nullptr)
+{
+}
+
+bool
+SandboxBroker::LaunchApp(const wchar_t *aPath,
+                           const wchar_t *aArguments,
+                           void **aProcessHandle)
+{
+  sandbox::ResultCode result;
+
+  // If the broker service isn't already initialized, do it now
+  if (!mBrokerService) {
+    mBrokerService = sandbox::SandboxFactory::GetBrokerServices();
+    if (!mBrokerService) {
+      return false;
+    }
+
+    result = mBrokerService->Init();
+    if (result != sandbox::SBOX_ALL_OK) {
+      return false;
+    }
+  }
+
+  // Setup the sandbox policy, this is initially:
+  // Medium integrity, unrestricted, in the same window station, within the
+  // same desktop, and has no job object.
+  // We'll start to increase the restrictions over time.
+  sandbox::TargetPolicy *policy = mBrokerService->CreatePolicy();
+  policy->SetJobLevel(sandbox::JOB_NONE, 0);
+  policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
+                        sandbox::USER_RESTRICTED_SAME_ACCESS);
+  policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_MEDIUM);
+
+  // Ceate the sandboxed process
+  PROCESS_INFORMATION targetInfo;
+  result = mBrokerService->SpawnTarget(aPath, aArguments, policy, &targetInfo);
+
+  // The sandboxed process is started in a suspended state, resumeit now that
+  // we'eve set things up.
+  ResumeThread(targetInfo.hThread);
+  CloseHandle(targetInfo.hThread);
+
+  // Return the process handle to the caller
+  *aProcessHandle = targetInfo.hProcess;
+
+  policy->Release();
+
+  return true;
+}
+
+SandboxBroker::~SandboxBroker()
+{
+}
+
+}
new file mode 100644
--- /dev/null
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
@@ -0,0 +1,36 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __SECURITY_SANDBOX_SANDBOXBROKER_H__
+#define __SECURITY_SANDBOX_SANDBOXBROKER_H__
+
+#ifdef SANDBOX_EXPORTS
+#define SANDBOX_EXPORT __declspec(dllexport)
+#else
+#define SANDBOX_EXPORT __declspec(dllimport)
+#endif
+
+namespace sandbox {
+  class BrokerServices;
+}
+
+namespace mozilla {
+
+class SANDBOX_EXPORT SandboxBroker
+{
+public:
+  SandboxBroker();
+  bool LaunchApp(const wchar_t *aPath, const wchar_t *aArguments,
+                 void **aProcessHandle);
+  virtual ~SandboxBroker();
+
+private:
+  sandbox::BrokerServices *mBrokerService;
+};
+
+} // mozilla
+
+#endif
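Review bot: `LaunchApp` is the only entry point exported from this DLL boundary (`SANDBOX_EXPORT`), yet the header says nothing about its contract: that `aProcessHandle` is an out-parameter, that the handle written there is not closed by the broker (the .cpp returns `targetInfo.hProcess` without closing it, so the caller presumably owns it), and that a false return means no child was started. I would add above the declaration: `// Spawns aPath with aArguments as a sandboxed child process. On success stores the new process handle in *aProcessHandle (the caller owns it) and returns true; on failure returns false and does not launch anything.` A one-line class comment noting that `mBrokerService` is a non-owning pointer obtained from `sandbox::SandboxFactory` would also help, since the destructor does nothing with it. Separately, the include guard `__SECURITY_SANDBOX_SANDBOXBROKER_H__` begins with a double underscore, which is reserved for the implementation in C++; `SECURITY_SANDBOX_SANDBOXBROKER_H_` avoids that.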