1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
6
7 #define MOZ_USE_LAUNCHER_ERROR
8
9 #include "LauncherProcessWin.h"
10
11 #include <string.h>
12
13 #include "mozilla/Attributes.h"
14 #include "mozilla/CmdLineAndEnvUtils.h"
15 #include "mozilla/DebugOnly.h"
16 #include "mozilla/DynamicallyLinkedFunctionPtr.h"
17 #include "mozilla/glue/Debug.h"
18 #include "mozilla/Maybe.h"
19 #include "mozilla/SafeMode.h"
20 #include "mozilla/UniquePtr.h"
21 #include "mozilla/WindowsConsole.h"
22 #include "mozilla/WindowsVersion.h"
23 #include "mozilla/WinHeaderOnlyUtils.h"
24 #include "nsWindowsHelpers.h"
25
26 #include <windows.h>
27 #include <processthreadsapi.h>
28
29 #include "DllBlocklistInit.h"
30 #include "ErrorHandler.h"
31 #include "LaunchUnelevated.h"
32 #include "ProcThreadAttributes.h"
33
34 #if defined(MOZ_LAUNCHER_PROCESS)
35 # include "mozilla/LauncherRegistryInfo.h"
36 # include "SameBinary.h"
37 #endif // defined(MOZ_LAUNCHER_PROCESS)
38
/**
 * At this point the child process has been created in a suspended state. Any
 * additional startup work (eg, blocklist setup) should go here.
 *
 * The only step performed today is handing the image path and the child
 * process handle to mozilla::InitializeDllBlocklistOOPFromLauncher().
 * |aChildMainThread| and |aIsSafeMode| are accepted but not read by this body.
 *
 * @param aFullImagePath   Path of the browser image that was launched.
 * @param aChildProcess    Handle to the suspended child process.
 * @param aChildMainThread Handle to the child's main thread (unused here).
 * @param aIsSafeMode      Whether safe mode was requested (unused here).
 * @return Ok if browser startup should proceed
 */
static mozilla::LauncherVoidResult PostCreationSetup(
    const wchar_t* aFullImagePath, HANDLE aChildProcess,
    HANDLE aChildMainThread, const bool aIsSafeMode) {
  // The caller treats an error from this step as fatal for the child, so the
  // result is passed back untouched.
  mozilla::LauncherVoidResult blocklistResult =
      mozilla::InitializeDllBlocklistOOPFromLauncher(aFullImagePath,
                                                     aChildProcess);
  return blocklistResult;
}
51
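/**
 * Create a new Job object and assign |aProcess| to it. If something fails
 * in this function, we return nullptr but continue without recording
 * a launcher failure because it's not a critical problem to launch
 * the browser process.
 *
 * @param aProcess Handle of the process to place into the new job.
 * @return Owning reference to the job handle, or an empty reference when the
 *         job could not be created, configured or assigned.
 */
static nsReturnRef<HANDLE> CreateJobAndAssignProcess(HANDLE aProcess) {
  nsAutoHandle empty;
  nsAutoHandle job(::CreateJobObjectW(nullptr, nullptr));
  if (!job.get()) {
    // CreateJobObjectW failed; do not hand a null handle to the calls below.
    return empty.out();
  }

  // JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE ties the lifetime of the processes in
  // the job to the job handle: they are terminated when the last handle to the
  // job is closed.
  //
  // Set JOB_OBJECT_LIMIT_BREAKAWAY_OK to allow the browser process
  // to put child processes into a job on Win7, which does not support
  // nested jobs. See CanUseJob() in sandboxBroker.cpp.
  // NOTE(review): BREAKAWAY_OK also means a child created with
  // CREATE_BREAKAWAY_FROM_JOB is not covered by the kill-on-close limit, so
  // this job is a lifetime aid rather than a containment boundary.
  JOBOBJECT_EXTENDED_LIMIT_INFORMATION jobInfo = {};
  jobInfo.BasicLimitInformation.LimitFlags =
      JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE | JOB_OBJECT_LIMIT_BREAKAWAY_OK;
  if (!::SetInformationJobObject(job.get(), JobObjectExtendedLimitInformation,
                                 &jobInfo, sizeof(jobInfo))) {
    return empty.out();
  }

  if (!::AssignProcessToJobObject(job.get(), aProcess)) {
    return empty.out();
  }

  return job.out();
}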
79
// Fallback definitions for the process-creation mitigation flags used below.
// Each value is supplied only when the SDK headers have not already defined
// it, so a newer SDK's own definition always wins.
#ifndef PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON
#  define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON \
    (0x00000001ULL << 60)
#endif  // PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON

#ifndef PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF
#  define PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF \
    (0x00000002ULL << 40)
#endif  // PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF

// When building against a _WIN32_WINNT older than 0x0602 the prototype is
// declared by hand. LauncherMain only uses it for its type
// (decltype(&SetProcessMitigationPolicy)) and looks the function up in
// kernel32.dll at run time.
#if (_WIN32_WINNT < 0x0602)
BOOL WINAPI
SetProcessMitigationPolicy(PROCESS_MITIGATION_POLICY aMitigationPolicy,
                           PVOID aBuffer, SIZE_T aBufferLen);
#endif  // (_WIN32_WINNT < 0x0602)
96
/**
 * Any mitigation policies that should be set on the browser process should go
 * here.
 *
 * The policies are added to |aAttrs|, which the caller later attaches to the
 * STARTUPINFOEXW used for process creation, so they apply to the child from
 * its first instruction. |aIsSafeMode| is accepted but not read by this body.
 *
 * @param aAttrs      Attribute collection that receives the policy flags.
 * @param aIsSafeMode Whether safe mode was requested (unused here).
 */
static void SetMitigationPolicies(mozilla::ProcThreadAttributes& aAttrs,
                                  const bool aIsSafeMode) {
  // Prefer System32 copies of system DLLs when resolving image loads; only
  // requested on OS versions that report Anniversary Update or later.
  const bool canPreferSystem32 = mozilla::IsWin10AnniversaryUpdateOrLater();
  if (canPreferSystem32) {
    aAttrs.AddMitigationPolicy(
        PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON);
  }

#if defined(_M_ARM64)
  // Disable CFG on older versions of ARM64 Windows to avoid a crash in COM.
  // This deliberately turns an exploit mitigation off, so it is limited to
  // builds of the OS that predate the September 2018 update.
  const bool needsCfgWorkaround = !mozilla::IsWin10Sep2018UpdateOrLater();
  if (needsCfgWorkaround) {
    aAttrs.AddMitigationPolicy(
        PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF);
  }
#endif  // defined(_M_ARM64)
}
116
/**
 * Derives the launcher's behaviour flags from the command line and the
 * environment.
 *
 * eWaitForBrowser is set when the wait-for-browser, marionette,
 * backgroundtask, headless or remote-debugging-port argument is present, or
 * when MOZ_AUTOMATION or MOZ_HEADLESS has a value. Only wait-for-browser is
 * removed from the argument list; the other arguments are left in place.
 * eNoDeelevate is set when the no-deelevate argument is present.
 *
 * LauncherMain consults both flags when deciding whether an elevated launcher
 * relaunches itself unelevated, so any change to the triggers here also
 * changes when de-elevation is skipped.
 *
 * @param aArgc Argument count; may be reduced when an argument is removed.
 * @param aArgv Argument vector; may be edited in place.
 * @return The combined LauncherFlags.
 */
static mozilla::LauncherFlags ProcessCmdLine(int& aArgc, wchar_t* aArgv[]) {
  // Presence test that leaves the argument list untouched.
  const auto hasArg = [&aArgc, aArgv](const wchar_t* aName) {
    return mozilla::CheckArg(aArgc, aArgv, aName,
                             static_cast<const wchar_t**>(nullptr),
                             mozilla::CheckArgFlag::None) == mozilla::ARG_FOUND;
  };

  // Always evaluated first so that the argument is stripped whenever present.
  const bool explicitWait =
      mozilla::CheckArg(aArgc, aArgv, L"wait-for-browser",
                        static_cast<const wchar_t**>(nullptr),
                        mozilla::CheckArgFlag::RemoveArg) == mozilla::ARG_FOUND;

  const bool mustWait = explicitWait || hasArg(L"marionette") ||
                        hasArg(L"backgroundtask") || hasArg(L"headless") ||
                        hasArg(L"remote-debugging-port") ||
                        mozilla::EnvHasValue("MOZ_AUTOMATION") ||
                        mozilla::EnvHasValue("MOZ_HEADLESS");

  mozilla::LauncherFlags flags = mozilla::LauncherFlags::eNone;
  if (mustWait) {
    flags |= mozilla::LauncherFlags::eWaitForBrowser;
  }

  // Uses CheckArg's default parameter and flag arguments.
  if (mozilla::CheckArg(aArgc, aArgv, L"no-deelevate") == mozilla::ARG_FOUND) {
    flags |= mozilla::LauncherFlags::eNoDeelevate;
  }

  return flags;
}
147
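/**
 * Debugging aid for the browser process, driven by two environment variables.
 *
 * If MOZ_DEBUG_BROWSER_PROCESS has a value, the process raises a debug break
 * and returns. Otherwise, if MOZ_DEBUG_BROWSER_PAUSE holds a non-empty string,
 * it is parsed as a base-10 number of seconds; the process prints its pid to
 * stderr and sleeps for that long so that a debugger can be attached.
 *
 * No build-type guard is visible in this function, so the behaviour is
 * reachable by anything that controls the process environment at launch.
 */
static void MaybeBreakForBrowserDebugging() {
  if (mozilla::EnvHasValue("MOZ_DEBUG_BROWSER_PROCESS")) {
    ::DebugBreak();
    return;
  }

  const wchar_t* pauseLenS = _wgetenv(L"MOZ_DEBUG_BROWSER_PAUSE");
  if (!pauseLenS || !(*pauseLenS)) {
    return;
  }

  // Clamp the number of seconds before scaling to milliseconds. Without the
  // clamp a large value wraps around in the multiplication and produces an
  // arbitrary, much shorter pause. The ceiling also stays below INFINITE so a
  // huge value can never turn into an unbounded Sleep().
  constexpr unsigned long kMaxPauseSec = (INFINITE - 1UL) / 1000UL;
  const unsigned long requestedSec = wcstoul(pauseLenS, nullptr, 10);
  const unsigned long pauseSec =
      requestedSec < kMaxPauseSec ? requestedSec : kMaxPauseSec;
  const DWORD pauseLenMs = static_cast<DWORD>(pauseSec * 1000UL);

  printf_stderr("\n\nBROWSERBROWSERBROWSERBROWSER\n  debug me @ %lu\n\n",
                ::GetCurrentProcessId());
  ::Sleep(pauseLenMs);
}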
164
/**
 * Decides whether this process should act as the launcher.
 *
 * Three independent signals are examined, and any one of them is enough:
 *   - (MOZ_LAUNCHER_PROCESS builds only) the parent process is not the same
 *     binary as this one;
 *   - the MOZ_LAUNCHER_PROCESS environment variable has a value;
 *   - the launcher argument is present on the command line.
 *
 * @param argc Argument count; reduced if the launcher argument is removed.
 * @param argv Argument vector; edited in place.
 * @return true if any signal says to run as the launcher.
 */
static bool DoLauncherProcessChecks(int& argc, wchar_t** argv) {
  // NB: Every check below runs unconditionally; none of them is skipped once
  // the answer is known, because the checks have side effects (resetting the
  // environment variable, stripping the argument) that must always happen.
  bool isLauncher = false;

#if defined(MOZ_LAUNCHER_PROCESS)
  // We still prefer to compare file ids.  Comparing NT paths i.e. passing
  // CompareNtPathsOnly to IsSameBinaryAsParentProcess is much faster, but
  // we're not 100% sure that NT path comparison perfectly prevents the
  // launching loop of the launcher process.
  mozilla::LauncherResult<bool> sameAsParent =
      mozilla::IsSameBinaryAsParentProcess();
  if (sameAsParent.isErr()) {
    // A failed comparison is reported and leaves isLauncher at false.
    HandleLauncherError(sameAsParent.unwrapErr());
  } else {
    isLauncher = !sameAsParent.unwrap();
  }
#endif  // defined(MOZ_LAUNCHER_PROCESS)

  if (mozilla::EnvHasValue("MOZ_LAUNCHER_PROCESS")) {
    // Written back with an empty value; presumably so that processes started
    // from here do not see the variable as set -- confirm against SaveToEnv.
    mozilla::SaveToEnv("MOZ_LAUNCHER_PROCESS=");
    isLauncher = true;
  }

  const bool hasLauncherArg =
      mozilla::CheckArg(argc, argv, L"launcher",
                        static_cast<const wchar_t**>(nullptr),
                        mozilla::CheckArgFlag::RemoveArg) == mozilla::ARG_FOUND;

  return isLauncher || hasLauncherArg;
}
195
/**
 * Resolves whether this process runs as the launcher or as the browser.
 *
 * The result of DoLauncherProcessChecks() is the starting point. In
 * MOZ_LAUNCHER_PROCESS builds that wish is then passed to
 * LauncherRegistryInfo::Check(), whose answer is final; the force-launcher
 * argument (honoured only when the launcher role was already requested)
 * selects CheckOption::Force instead of CheckOption::Default.
 *
 * When the process is going to run as the browser, the MOZ_DEBUG_BROWSER_*
 * debugging hooks are given a chance to run.
 *
 * @return Some(true) to run as launcher, Some(false) to run as browser, or
 *         Nothing() if the registry check failed (the error has already been
 *         passed to HandleLauncherError).
 */
#if defined(MOZ_LAUNCHER_PROCESS)
static mozilla::Maybe<bool> RunAsLauncherProcess(
    mozilla::LauncherRegistryInfo& aRegInfo, int& argc, wchar_t** argv) {
#else
static mozilla::Maybe<bool> RunAsLauncherProcess(int& argc, wchar_t** argv) {
#endif  // defined(MOZ_LAUNCHER_PROCESS)
  bool runAsLauncher = DoLauncherProcessChecks(argc, argv);

#if defined(MOZ_LAUNCHER_PROCESS)
  using ProcessType = mozilla::LauncherRegistryInfo::ProcessType;
  using CheckOption = mozilla::LauncherRegistryInfo::CheckOption;

  // The argument is only looked for (and removed) when the launcher role was
  // requested in the first place.
  const bool forceLauncher =
      runAsLauncher &&
      mozilla::CheckArg(argc, argv, L"force-launcher",
                        static_cast<const wchar_t**>(nullptr),
                        mozilla::CheckArgFlag::RemoveArg) == mozilla::ARG_FOUND;

  ProcessType desiredType = ProcessType::Browser;
  if (runAsLauncher) {
    desiredType = ProcessType::Launcher;
  }

  CheckOption checkOption = CheckOption::Default;
  if (forceLauncher) {
    checkOption = CheckOption::Force;
  }

  mozilla::LauncherResult<ProcessType> runAsType =
      aRegInfo.Check(desiredType, checkOption);

  if (runAsType.isErr()) {
    mozilla::HandleLauncherError(runAsType);
    return mozilla::Nothing();
  }

  // The registry check has the last word on the process type.
  runAsLauncher = runAsType.unwrap() == ProcessType::Launcher;
#endif  // defined(MOZ_LAUNCHER_PROCESS)

  if (!runAsLauncher) {
    // In this case, we will be proceeding to run as the browser.
    // We should check MOZ_DEBUG_BROWSER_* env vars.
    MaybeBreakForBrowserDebugging();
  }

  return mozilla::Some(runAsLauncher);
}
239
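namespace mozilla {

/**
 * Entry point of the launcher process.
 *
 * Decides whether this process is the launcher; if so, it hardens itself,
 * optionally relaunches unelevated, and creates the browser process suspended
 * so that PostCreationSetup() can run before the child executes any code.
 *
 * @param argc     Argument count; reduced as launcher-only arguments are
 *                 removed.
 * @param argv     Argument vector; edited in place.
 * @param aAppData Application data recorded for launcher error reporting.
 * @return Nothing() when this process is a content process, is not the
 *         launcher, or hit a launcher error (already reported through
 *         HandleLauncherError). Some(code) when the launcher did its job:
 *         the browser's exit code when waiting for it succeeded, 0 otherwise.
 */
Maybe<int> LauncherMain(int& argc, wchar_t* argv[],
                        const StaticXREAppData& aAppData) {
  // Note: keep in sync with nsBrowserApp.
  // The command line is vetted before any other argument is interpreted.
  const wchar_t* acceptableParams[] = {L"url", L"private-window", nullptr};
  EnsureCommandlineSafe(argc, argv, acceptableParams);

  SetLauncherErrorAppData(aAppData);

  if (CheckArg(argc, argv, L"log-launcher-error",
               static_cast<const wchar_t**>(nullptr),
               mozilla::CheckArgFlag::RemoveArg) == ARG_FOUND) {
    SetLauncherErrorForceEventLog();
  }

  // return fast when we're a child process.
  // (The remainder of this function has some side effects that are
  // undesirable for content processes)
  if (mozilla::CheckArg(argc, argv, L"contentproc",
                        static_cast<const wchar_t**>(nullptr),
                        mozilla::CheckArgFlag::None) == mozilla::ARG_FOUND) {
    // A child process should not instantiate LauncherRegistryInfo.
    return Nothing();
  }

#if defined(MOZ_LAUNCHER_PROCESS)
  LauncherRegistryInfo regInfo;
  Maybe<bool> runAsLauncher = RunAsLauncherProcess(regInfo, argc, argv);
#else
  Maybe<bool> runAsLauncher = RunAsLauncherProcess(argc, argv);
#endif  // defined(MOZ_LAUNCHER_PROCESS)
  if (!runAsLauncher || !runAsLauncher.value()) {
#if defined(MOZ_LAUNCHER_PROCESS)
    // Update the registry as Browser
    LauncherVoidResult commitResult = regInfo.Commit();
    if (commitResult.isErr()) {
      mozilla::HandleLauncherError(commitResult);
    }
#endif  // defined(MOZ_LAUNCHER_PROCESS)
    return Nothing();
  }

  // Make sure that the launcher process itself has image load policies set
  if (IsWin10AnniversaryUpdateOrLater()) {
    static const StaticDynamicallyLinkedFunctionPtr<
        decltype(&SetProcessMitigationPolicy)>
        pSetProcessMitigationPolicy(L"kernel32.dll",
                                    "SetProcessMitigationPolicy");
    if (pSetProcessMitigationPolicy) {
      PROCESS_MITIGATION_IMAGE_LOAD_POLICY imgLoadPol = {};
      imgLoadPol.PreferSystem32Images = 1;

      // The result is held in a DebugOnly and only asserted on; no other
      // handling of a failure is visible here, so outside assertion-enabled
      // builds the launcher appears to continue without the policy.
      DebugOnly<BOOL> setOk = pSetProcessMitigationPolicy(
          ProcessImageLoadPolicy, &imgLoadPol, sizeof(imgLoadPol));
      MOZ_ASSERT(setOk);
    }
  }

  mozilla::UseParentConsole();

  // argv[0] is used below as the explicit application name for process
  // creation, so it has to be the full path of this binary.
  if (!SetArgv0ToFullBinaryPath(argv)) {
    HandleLauncherError(LAUNCHER_ERROR_GENERIC());
    return Nothing();
  }

  LauncherFlags flags = ProcessCmdLine(argc, argv);

  nsAutoHandle mediumIlToken;
  LauncherResult<ElevationState> elevationState =
      GetElevationState(argv[0], flags, mediumIlToken);
  if (elevationState.isErr()) {
    HandleLauncherError(elevationState);
    return Nothing();
  }

  // If we're elevated, we should relaunch ourselves as a normal user.
  // Note that we only call LaunchUnelevated when we don't need to wait for the
  // browser process.
  // When GetElevationState() handed back a token in mediumIlToken, that token
  // is used for CreateProcessAsUserW below instead of relaunching.
  if (elevationState.unwrap() == ElevationState::eElevated &&
      !(flags &
        (LauncherFlags::eWaitForBrowser | LauncherFlags::eNoDeelevate)) &&
      !mediumIlToken.get()) {
    LauncherVoidResult launchedUnelevated = LaunchUnelevated(argc, argv);
    bool failed = launchedUnelevated.isErr();
    if (failed) {
      HandleLauncherError(launchedUnelevated);
      return Nothing();
    }

    return Some(0);
  }

#if defined(MOZ_LAUNCHER_PROCESS)
  // Update the registry as Launcher
  LauncherVoidResult commitResult = regInfo.Commit();
  if (commitResult.isErr()) {
    mozilla::HandleLauncherError(commitResult);
    return Nothing();
  }
#endif  // defined(MOZ_LAUNCHER_PROCESS)

  // Now proceed with setting up the parameters for process creation
  UniquePtr<wchar_t[]> cmdLine(MakeCommandLine(argc, argv));
  if (!cmdLine) {
    HandleLauncherError(LAUNCHER_ERROR_GENERIC());
    return Nothing();
  }

  const Maybe<bool> isSafeMode =
      IsSafeModeRequested(argc, argv, SafeModeFlag::NoKeyPressCheck);
  if (!isSafeMode) {
    HandleLauncherError(LAUNCHER_ERROR_FROM_WIN32(ERROR_INVALID_PARAMETER));
    return Nothing();
  }

  ProcThreadAttributes attrs;
  SetMitigationPolicies(attrs, isSafeMode.value());

  HANDLE stdHandles[] = {::GetStdHandle(STD_INPUT_HANDLE),
                         ::GetStdHandle(STD_OUTPUT_HANDLE),
                         ::GetStdHandle(STD_ERROR_HANDLE)};

  attrs.AddInheritableHandles(stdHandles);

  // CREATE_SUSPENDED keeps the child from running until PostCreationSetup()
  // has finished and the main thread is resumed explicitly.
  DWORD creationFlags = CREATE_SUSPENDED | CREATE_UNICODE_ENVIRONMENT;

  STARTUPINFOEXW siex;
  LauncherResult<bool> attrsOk = attrs.AssignTo(siex);
  if (attrsOk.isErr()) {
    HandleLauncherError(attrsOk);
    return Nothing();
  }

  // Handle inheritance stays off unless an explicit handle list is in force;
  // otherwise every inheritable handle of the launcher would leak into the
  // browser process.
  BOOL inheritHandles = FALSE;

  if (attrsOk.unwrap()) {
    creationFlags |= EXTENDED_STARTUPINFO_PRESENT;

    if (attrs.HasInheritableHandles()) {
      siex.StartupInfo.dwFlags |= STARTF_USESTDHANDLES;
      siex.StartupInfo.hStdInput = stdHandles[0];
      siex.StartupInfo.hStdOutput = stdHandles[1];
      siex.StartupInfo.hStdError = stdHandles[2];

      // Since attrsOk == true, we have successfully set the handle inheritance
      // whitelist policy, so only the handles added to attrs will be inherited.
      inheritHandles = TRUE;
    }
  }

  // Pass on the path of the shortcut used to launch this process, if any.
  STARTUPINFOW currentStartupInfo;
  GetStartupInfoW(&currentStartupInfo);
  if ((currentStartupInfo.dwFlags & STARTF_TITLEISLINKNAME) &&
      currentStartupInfo.lpTitle) {
    siex.StartupInfo.dwFlags |= STARTF_TITLEISLINKNAME;
    siex.StartupInfo.lpTitle = currentStartupInfo.lpTitle;
  }

  PROCESS_INFORMATION pi = {};
  BOOL createOk;

  // argv[0] (the full binary path set above) is passed as the application
  // name, so the image to run is not derived from parsing cmdLine.
  if (mediumIlToken.get()) {
    createOk =
        ::CreateProcessAsUserW(mediumIlToken.get(), argv[0], cmdLine.get(),
                               nullptr, nullptr, inheritHandles, creationFlags,
                               nullptr, nullptr, &siex.StartupInfo, &pi);
  } else {
    createOk = ::CreateProcessW(argv[0], cmdLine.get(), nullptr, nullptr,
                                inheritHandles, creationFlags, nullptr, nullptr,
                                &siex.StartupInfo, &pi);
  }

  if (!createOk) {
    HandleLauncherError(LAUNCHER_ERROR_FROM_LAST());
    return Nothing();
  }

  // From here on both handles are owned and closed automatically.
  nsAutoHandle process(pi.hProcess);
  nsAutoHandle mainThread(pi.hThread);

  // The job is only created when the launcher stays alive to wait for the
  // browser; a failure to create it is tolerated (job is then empty).
  nsAutoHandle job;
  if (flags & LauncherFlags::eWaitForBrowser) {
    job = CreateJobAndAssignProcess(process.get());
  }

  // If post-creation setup fails, the still-suspended child is terminated
  // rather than being allowed to start without it.
  LauncherVoidResult setupResult = PostCreationSetup(
      argv[0], process.get(), mainThread.get(), isSafeMode.value());
  if (setupResult.isErr()) {
    HandleLauncherError(setupResult);
    ::TerminateProcess(process.get(), 1);
    return Nothing();
  }

  if (::ResumeThread(mainThread.get()) == static_cast<DWORD>(-1)) {
    HandleLauncherError(LAUNCHER_ERROR_FROM_LAST());
    ::TerminateProcess(process.get(), 1);
    return Nothing();
  }

  if (flags & LauncherFlags::eWaitForBrowser) {
    DWORD exitCode;
    if (::WaitForSingleObject(process.get(), INFINITE) == WAIT_OBJECT_0 &&
        ::GetExitCodeProcess(process.get(), &exitCode)) {
      // Propagate the browser process's exit code as our exit code.
      return Some(static_cast<int>(exitCode));
    }
    // NOTE(review): if the wait or the exit-code query fails, control falls
    // through to the Some(0) below, i.e. success is reported without an error
    // being recorded.
  } else {
    const DWORD timeout =
        ::IsDebuggerPresent() ? INFINITE : kWaitForInputIdleTimeoutMS;

    // Keep the current process around until the callback process has created
    // its message queue, to avoid the launched process's windows being forced
    // into the background.
    mozilla::WaitForInputIdle(process.get(), timeout);
  }

  return Some(0);
}

}  // namespace mozilla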
462