1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4  * License, v. 2.0. If a copy of the MPL was not distributed with this
5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6 
7 #ifndef __SECURITY_SANDBOX_SANDBOXBROKER_H__
8 #define __SECURITY_SANDBOX_SANDBOXBROKER_H__
9 
10 #include <stdint.h>
11 #include <windows.h>
12 
13 #include "build/build_config.h"
14 #include "mozilla/ipc/EnvironmentMap.h"
15 #include "nsXULAppAPI.h"
16 #include "nsISupportsImpl.h"
17 
// Forward declarations of the underlying sandbox library's types (presumably
// the Chromium sandbox). Only pointers to them appear in this header, so the
// library's own headers are not needed here.
namespace sandbox {
class BrokerServices;
class TargetPolicy;
}  // namespace sandbox
22 
23 namespace mozilla {
24 
/**
 * Parent-process interface for configuring the security policy of a sandboxed
 * Windows child process and launching the child under that policy. Concrete
 * brokers (see SandboxBroker below) implement the pure virtuals; callers obtain
 * an instance through Create().
 *
 * Instances are thread-safe refcounted. The destructor is protected so an
 * instance can only be destroyed through Release(), never by a direct delete.
 */
class AbstractSandboxBroker {
 public:
  NS_INLINE_DECL_THREADSAFE_REFCOUNTING(AbstractSandboxBroker)

  // Factory for the broker appropriate to aProcessType. Returns a raw pointer
  // to a refcounted object; the caller is expected to take a strong reference
  // (presumably by adopting it into a RefPtr) rather than keeping the raw
  // pointer.
  static AbstractSandboxBroker* Create(GeckoProcessType aProcessType);

  virtual void Shutdown() = 0;

  /**
   * Launch aPath with aArguments as a sandboxed child of type aProcessType,
   * applying whatever policy has been configured on this broker through the
   * SetSecurityLevelFor... calls, AllowReadFile() and AddHandleToShare().
   *
   * @param aEnvironment   environment block for the child. It is passed by
   *                       non-const reference, so the implementation may
   *                       modify it.
   * @param aEnableLogging presumably enables the call-logging interceptions
   *                       (see SandboxBroker::ApplyLoggingPolicy); confirm in
   *                       the implementation.
   * @param aCachedNtdllThunk import-thunk data for ntdll; how it is consumed,
   *                       and whether null is accepted, is not visible here.
   * @param aProcessHandle out-param receiving the child's process handle.
   * @return false on failure (assumed from the bool return — verify in the
   *         implementation).
   */
  virtual bool LaunchApp(const wchar_t* aPath, const wchar_t* aArguments,
                         base::EnvironmentMap& aEnvironment,
                         GeckoProcessType aProcessType,
                         const bool aEnableLogging,
                         const IMAGE_THUNK_DATA* aCachedNtdllThunk,
                         void** aProcessHandle) = 0;

  // Security levels for different types of processes.
  //
  // NOTE(review): the content and GPU variants return void while the
  // RDD/Socket/Plugin/GMPlugin variants return bool, so a caller cannot detect
  // that the content or GPU policy failed to apply. Confirm the implementation
  // cannot fail silently (fail-open) before relying on these.
  virtual void SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
                                                 bool aIsFileProcess) = 0;

  // aProfileDir: profile directory the GPU-process policy is built against;
  // how it is used is decided in the implementation.
  virtual void SetSecurityLevelForGPUProcess(
      int32_t aSandboxLevel, const nsCOMPtr<nsIFile>& aProfileDir) = 0;
  virtual bool SetSecurityLevelForRDDProcess() = 0;
  virtual bool SetSecurityLevelForSocketProcess() = 0;

  virtual bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel) = 0;
  // Policy strength for GMPlugin processes. By name, LockDown is the stricter
  // of the two; the concrete rules live in the implementation.
  enum SandboxLevel { LockDown, Restricted };
  // Default arguments on a virtual bind to the caller's static type, so the
  // aIsRemoteLaunch default must stay identical in every override.
  virtual bool SetSecurityLevelForGMPlugin(SandboxLevel aLevel,
                                           bool aIsRemoteLaunch = false) = 0;

  // File system permissions.
  //
  // Grant the sandboxed child read access to |file|. Every path allowed here
  // widens what a compromised child can reach, so callers should add only the
  // files the child genuinely needs.
  virtual bool AllowReadFile(wchar_t const* file) = 0;

  /**
   * Share a HANDLE with the child process. The HANDLE will be made available
   * in the child process under the value |reinterpret_cast<uintptr_t>(aHandle)|.
   * It is the caller's responsibility to communicate this value to the child.
   *
   * A shared handle is a capability the child keeps regardless of the rest of
   * the policy, so share only what the child must have.
   */
  virtual void AddHandleToShare(HANDLE aHandle) = 0;

 protected:
  // Protected: instances are destroyed only via Release(), never directly.
  virtual ~AbstractSandboxBroker() {}
};
67 
/**
 * Concrete broker backed by sandbox::BrokerServices. It builds a
 * sandbox::TargetPolicy for one child process and launches the child under it.
 * Initialize() presumably has to supply the broker services before any
 * instance is used (inferred from the static sBrokerService — verify in the
 * .cpp).
 */
class SandboxBroker : public AbstractSandboxBroker {
 public:
  SandboxBroker();

  // Store the process-wide broker services shared by every SandboxBroker.
  static void Initialize(sandbox::BrokerServices* aBrokerServices);

  // Intentionally a no-op in this implementation.
  void Shutdown() override {}

  /**
   * Do initialization that depends on parts of the Gecko machinery having been
   * created first.
   */
  static void GeckoDependentInitialize();

  // See AbstractSandboxBroker::LaunchApp for the contract.
  bool LaunchApp(const wchar_t* aPath, const wchar_t* aArguments,
                 base::EnvironmentMap& aEnvironment,
                 GeckoProcessType aProcessType, const bool aEnableLogging,
                 const IMAGE_THUNK_DATA* aCachedNtdllThunk,
                 void** aProcessHandle) override;
  // NOTE(review): public, whereas the base-class destructor is protected. This
  // allows a SandboxBroker to be deleted directly or placed on the stack,
  // bypassing the refcounting the base relies on; consider making it
  // protected unless a caller depends on this.
  virtual ~SandboxBroker();

  // Security levels for different types of processes. Note that the content
  // and GPU variants return void, so a failure to apply the policy cannot be
  // reported to the caller.
  void SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
                                         bool aIsFileProcess) override;

  void SetSecurityLevelForGPUProcess(
      int32_t aSandboxLevel, const nsCOMPtr<nsIFile>& aProfileDir) override;
  bool SetSecurityLevelForRDDProcess() override;
  bool SetSecurityLevelForSocketProcess() override;

  bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel) override;
  // The aIsRemoteLaunch default must match the base-class declaration, since
  // default arguments on virtuals are resolved against the static type.
  bool SetSecurityLevelForGMPlugin(SandboxLevel aLevel,
                                   bool aIsRemoteLaunch = false) override;

  // File system permissions: grant the child read access to |file|. Keep this
  // set minimal — each entry extends the reach of a compromised child.
  bool AllowReadFile(wchar_t const* file) override;

  /**
   * Exposes AddTargetPeer from broker services, so that non-sandboxed
   * processes can be added as handle duplication targets.
   *
   * Security note: a peer registered here presumably becomes a valid
   * destination for handles duplicated out of sandboxed children, so only
   * fully trusted processes belong in this set. Whether the broker takes
   * ownership of aPeerProcess is not visible here — check the .cpp.
   */
  static bool AddTargetPeer(HANDLE aPeerProcess);

  /**
   * Share a HANDLE with the child process. The HANDLE will be made available
   * in the child process under the value |reinterpret_cast<uintptr_t>(aHandle)|.
   * It is the caller's responsibility to communicate this value to the child.
   * Share only handles the child must have; a shared handle is a capability
   * the policy cannot later revoke.
   */
  void AddHandleToShare(HANDLE aHandle) override;

  // Set up dummy interceptions via the broker, so we can log calls. Intended
  // as observability only — it is not a restriction on the child.
  void ApplyLoggingPolicy();

 private:
  // Process-wide broker services supplied by Initialize().
  static sandbox::BrokerServices* sBrokerService;
  // Whether the application runs from a network drive; how this alters the
  // policy is decided in the implementation.
  static bool sRunningFromNetworkDrive;
  // Presumably the policy configured by the SetSecurityLevelFor... calls and
  // applied by LaunchApp. A raw pointer: ownership and release are handled in
  // the .cpp and not expressed by the type (NOTE(review): a smart pointer
  // would make the lifetime explicit).
  sandbox::TargetPolicy* mPolicy;
};
127 
128 }  // namespace mozilla
129 
130 #endif
131