/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef __SECURITY_SANDBOX_SANDBOXBROKER_H__
#define __SECURITY_SANDBOX_SANDBOXBROKER_H__

#include <stdint.h>
#include <windows.h>

#include "build/build_config.h"
#include "mozilla/ipc/EnvironmentMap.h"
#include "nsXULAppAPI.h"
#include "nsISupportsImpl.h"
// NOTE(review): nsCOMPtr/nsIFile are used below but no header for them is
// included here; they presumably arrive transitively — confirm before
// relying on it.

// Broker-side types of the Chromium sandbox library; only pointers to them
// are used in this header, so forward declarations suffice.
namespace sandbox {
class BrokerServices;
class TargetPolicy;
}  // namespace sandbox

namespace mozilla {

/**
 * Parent-process ("broker") interface used to configure and launch sandboxed
 * child processes on Windows. The concrete implementation is SandboxBroker
 * below; this abstract base lets callers be written against the interface.
 *
 * Instances are thread-safe reference counted (NS_INLINE_DECL_THREADSAFE_
 * REFCOUNTING); the destructor is protected, so an instance is only ever
 * destroyed through Release().
 */
class AbstractSandboxBroker {
 public:
  NS_INLINE_DECL_THREADSAFE_REFCOUNTING(AbstractSandboxBroker)

  /**
   * Factory for a broker suited to @p aProcessType. Returns a raw pointer to
   * a reference-counted object; the caller is expected to take a reference
   * (the selection logic lives in the .cpp, not visible here).
   */
  static AbstractSandboxBroker* Create(GeckoProcessType aProcessType);

  /** Release any broker resources; called when the broker is no longer used. */
  virtual void Shutdown() = 0;

  /**
   * Launch a child process under the policy configured by the
   * SetSecurityLevelFor* calls.
   *
   * @param aPath              executable to run
   * @param aArguments         command line passed to the child
   * @param aEnvironment       environment block for the child (may be
   *                           modified, it is taken by non-const reference)
   * @param aProcessType       Gecko process type being launched
   * @param aEnableLogging     whether sandbox logging is enabled for the child
   * @param aCachedNtdllThunk  ntdll import thunk data, or presumably nullptr
   *                           when none is cached — confirm in the .cpp
   * @param aProcessHandle     out-parameter receiving the child process HANDLE
   * @return true on success (inferred from the bool return; see the .cpp for
   *         the exact failure conditions)
   */
  virtual bool LaunchApp(const wchar_t* aPath, const wchar_t* aArguments,
                         base::EnvironmentMap& aEnvironment,
                         GeckoProcessType aProcessType,
                         const bool aEnableLogging,
                         const IMAGE_THUNK_DATA* aCachedNtdllThunk,
                         void** aProcessHandle) = 0;

  // Security levels for different types of processes.
  // Each of these configures the target policy that a subsequent LaunchApp
  // applies. The meaning of the integer aSandboxLevel values is defined by
  // the implementation/prefs, not by this header.
  virtual void SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
                                                 bool aIsFileProcess) = 0;

  // aProfileDir: the profile directory the GPU process policy refers to.
  virtual void SetSecurityLevelForGPUProcess(
      int32_t aSandboxLevel, const nsCOMPtr<nsIFile>& aProfileDir) = 0;
  virtual bool SetSecurityLevelForRDDProcess() = 0;
  virtual bool SetSecurityLevelForSocketProcess() = 0;

  virtual bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel) = 0;
  // Coarse policy strength for GMP (media plugin) processes.
  enum SandboxLevel { LockDown, Restricted };
  // NOTE(review): default argument on a virtual function. Defaults are bound
  // by the static type at the call site, so the override in SandboxBroker
  // must keep the same default (it currently does).
  virtual bool SetSecurityLevelForGMPlugin(SandboxLevel aLevel,
                                           bool aIsRemoteLaunch = false) = 0;

  // File system permissions.
  // Grants the sandboxed child read access to |file| (per the name; the
  // exact rule added to the policy is defined in the .cpp).
  virtual bool AllowReadFile(wchar_t const* file) = 0;

  /**
   * Share a HANDLE with the child process. The HANDLE will be made available
   * in the child process at the memory address
   * |reinterpret_cast<uintptr_t>(aHandle)|. It is the caller's responsibility
   * to communicate this address to the child.
   */
  virtual void AddHandleToShare(HANDLE aHandle) = 0;

 protected:
  // Protected: lifetime is managed by the refcounting above, never by
  // direct delete.
  virtual ~AbstractSandboxBroker() {}
};

/**
 * Concrete broker backed by the Chromium sandbox BrokerServices.
 *
 * Initialize() must be called with the process-wide BrokerServices before
 * any instance is usable (it is a static, shared by all instances).
 */
class SandboxBroker : public AbstractSandboxBroker {
 public:
  SandboxBroker();

  /** Record the process-wide BrokerServices used by all brokers. */
  static void Initialize(sandbox::BrokerServices* aBrokerServices);

  // No-op for this implementation; broker services are static and outlive
  // individual brokers.
  void Shutdown() override {}

  /**
   * Do initialization that depends on parts of the Gecko machinery having been
   * created first.
   */
  static void GeckoDependentInitialize();

  // See AbstractSandboxBroker::LaunchApp.
  bool LaunchApp(const wchar_t* aPath, const wchar_t* aArguments,
                 base::EnvironmentMap& aEnvironment,
                 GeckoProcessType aProcessType, const bool aEnableLogging,
                 const IMAGE_THUNK_DATA* aCachedNtdllThunk,
                 void** aProcessHandle) override;
  virtual ~SandboxBroker();

  // Security levels for different types of processes (see the base class).
  void SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
                                         bool aIsFileProcess) override;

  void SetSecurityLevelForGPUProcess(
      int32_t aSandboxLevel, const nsCOMPtr<nsIFile>& aProfileDir) override;
  bool SetSecurityLevelForRDDProcess() override;
  bool SetSecurityLevelForSocketProcess() override;

  bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel) override;
  // Default must match the base declaration (see note there).
  bool SetSecurityLevelForGMPlugin(SandboxLevel aLevel,
                                   bool aIsRemoteLaunch = false) override;

  // File system permissions
  bool AllowReadFile(wchar_t const* file) override;

  /**
   * Exposes AddTargetPeer from broker services, so that non-sandboxed
   * processes can be added as handle duplication targets.
   *
   * @param aPeerProcess handle of the process to register as a peer
   * @return presumably whether registration succeeded — confirm in the .cpp
   */
  static bool AddTargetPeer(HANDLE aPeerProcess);

  /**
   * Share a HANDLE with the child process. The HANDLE will be made available
   * in the child process at the memory address
   * |reinterpret_cast<uintptr_t>(aHandle)|. It is the caller's responsibility
   * to communicate this address to the child.
   */
  void AddHandleToShare(HANDLE aHandle) override;

  // Set up dummy interceptions via the broker, so we can log calls.
  void ApplyLoggingPolicy();

 private:
  // Process-wide broker services, set once by Initialize().
  static sandbox::BrokerServices* sBrokerService;
  // Whether the executable runs from a network drive; how this affects the
  // policy is decided in the .cpp.
  static bool sRunningFromNetworkDrive;
  // Per-instance target policy being built up. Raw pointer: ownership and
  // release are handled in the .cpp (presumably in the destructor) — confirm.
  sandbox::TargetPolicy* mPolicy;
};

}  // namespace mozilla

#endif