summaryrefslogtreecommitdiffstats
path: root/security/sandbox/win
diff options
context:
space:
mode:
Diffstat (limited to 'security/sandbox/win')
-rw-r--r--security/sandbox/win/SandboxInitialization.cpp81
-rw-r--r--security/sandbox/win/SandboxInitialization.h47
-rw-r--r--security/sandbox/win/src/sandboxbroker/moz.build33
-rw-r--r--security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp595
-rw-r--r--security/sandbox/win/src/sandboxbroker/sandboxBroker.h63
-rw-r--r--security/sandbox/win/src/sandboxtarget/moz.build20
-rw-r--r--security/sandbox/win/src/sandboxtarget/sandboxTarget.cpp21
-rw-r--r--security/sandbox/win/src/sandboxtarget/sandboxTarget.h83
-rw-r--r--security/sandbox/win/wow_helper/Makefile.in47
-rw-r--r--security/sandbox/win/wow_helper/moz.build30
10 files changed, 1020 insertions, 0 deletions
diff --git a/security/sandbox/win/SandboxInitialization.cpp b/security/sandbox/win/SandboxInitialization.cpp
new file mode 100644
index 000000000..e587c2598
--- /dev/null
+++ b/security/sandbox/win/SandboxInitialization.cpp
@@ -0,0 +1,81 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "SandboxInitialization.h"
+
+#include "sandbox/win/src/sandbox_factory.h"
+
+namespace mozilla {
+namespace sandboxing {
+
+static sandbox::TargetServices*
+InitializeTargetServices()
+{
+ sandbox::TargetServices* targetServices =
+ sandbox::SandboxFactory::GetTargetServices();
+ if (!targetServices) {
+ return nullptr;
+ }
+
+ if (targetServices->Init() != sandbox::SBOX_ALL_OK) {
+ return nullptr;
+ }
+
+ return targetServices;
+}
+
+sandbox::TargetServices*
+GetInitializedTargetServices()
+{
+ static sandbox::TargetServices* sInitializedTargetServices =
+ InitializeTargetServices();
+
+ return sInitializedTargetServices;
+}
+
+void
+LowerSandbox()
+{
+ GetInitializedTargetServices()->LowerToken();
+}
+
+static sandbox::BrokerServices*
+InitializeBrokerServices()
+{
+ sandbox::BrokerServices* brokerServices =
+ sandbox::SandboxFactory::GetBrokerServices();
+ if (!brokerServices) {
+ return nullptr;
+ }
+
+ if (brokerServices->Init() != sandbox::SBOX_ALL_OK) {
+ return nullptr;
+ }
+
+ // Comment below copied from Chromium code.
+ // Precreate the desktop and window station used by the renderers.
+ // IMPORTANT: This piece of code needs to run as early as possible in the
+ // process because it will initialize the sandbox broker, which requires
+ // the process to swap its window station. During this time all the UI
+ // will be broken. This has to run before threads and windows are created.
+ sandbox::TargetPolicy* policy = brokerServices->CreatePolicy();
+ sandbox::ResultCode result = policy->CreateAlternateDesktop(true);
+ policy->Release();
+
+ return brokerServices;
+}
+
+sandbox::BrokerServices*
+GetInitializedBrokerServices()
+{
+ static sandbox::BrokerServices* sInitializedBrokerServices =
+ InitializeBrokerServices();
+
+ return sInitializedBrokerServices;
+}
+
+} // sandboxing
+} // mozilla
diff --git a/security/sandbox/win/SandboxInitialization.h b/security/sandbox/win/SandboxInitialization.h
new file mode 100644
index 000000000..e5be08904
--- /dev/null
+++ b/security/sandbox/win/SandboxInitialization.h
@@ -0,0 +1,47 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_sandboxing_SandboxInitialization_h
+#define mozilla_sandboxing_SandboxInitialization_h
+
+namespace sandbox {
+class BrokerServices;
+class TargetServices;
+}
+
+// Things that use this file will probably want access to the IsSandboxedProcess
+// function defined in one of the Chromium sandbox cc files.
+extern "C" bool IsSandboxedProcess();
+
+namespace mozilla {
+// Note the Chromium code just uses a bare sandbox namespace, which makes using
+// sandbox for our namespace painful.
+namespace sandboxing {
+
+/**
+ * Initializes (if required) and returns the Chromium sandbox TargetServices.
+ *
+ * @return the TargetServices or null if the creation or initialization failed.
+ */
+sandbox::TargetServices* GetInitializedTargetServices();
+
+/**
+ * Lowers the permissions on the process sandbox.
+ * Provided because the GMP sandbox needs to be lowered from the executable.
+ */
+void LowerSandbox();
+
+/**
+ * Initializes (if required) and returns the Chromium sandbox BrokerServices.
+ *
+ * @return the BrokerServices or null if the creation or initialization failed.
+ */
+sandbox::BrokerServices* GetInitializedBrokerServices();
+
+} // sandboxing
+} // mozilla
+
+#endif // mozilla_sandboxing_SandboxInitialization_h
diff --git a/security/sandbox/win/src/sandboxbroker/moz.build b/security/sandbox/win/src/sandboxbroker/moz.build
new file mode 100644
index 000000000..4a9d01cc5
--- /dev/null
+++ b/security/sandbox/win/src/sandboxbroker/moz.build
@@ -0,0 +1,33 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+SOURCES += [
+ 'sandboxBroker.cpp',
+]
+
+EXPORTS += [
+ 'sandboxBroker.h',
+]
+
+for var in ('UNICODE', '_UNICODE', 'SANDBOX_EXPORTS'):
+ DEFINES[var] = True
+
+LOCAL_INCLUDES += [
+ '/security/sandbox/chromium',
+]
+
+DISABLE_STL_WRAPPING = True
+
+OS_LIBS += [
+ 'dbghelp',
+]
+
+if CONFIG['_MSC_VER']:
+ CXXFLAGS += [
+ '-wd4275', # non dll-interface class exception used as base for dll-interface class
+ ]
+
+FINAL_LIBRARY = 'xul'
diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
new file mode 100644
index 000000000..10b796268
--- /dev/null
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -0,0 +1,595 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "sandboxBroker.h"
+
+#include "base/win/windows_version.h"
+#include "mozilla/Assertions.h"
+#include "mozilla/Logging.h"
+#include "sandbox/win/src/sandbox.h"
+#include "sandbox/win/src/security_level.h"
+
+namespace mozilla
+{
+
+sandbox::BrokerServices *SandboxBroker::sBrokerService = nullptr;
+
+static LazyLogModule sSandboxBrokerLog("SandboxBroker");
+
+#define LOG_E(...) MOZ_LOG(sSandboxBrokerLog, LogLevel::Error, (__VA_ARGS__))
+
+/* static */
+void
+SandboxBroker::Initialize(sandbox::BrokerServices* aBrokerServices)
+{
+ sBrokerService = aBrokerServices;
+}
+
+SandboxBroker::SandboxBroker()
+{
+ if (sBrokerService) {
+ mPolicy = sBrokerService->CreatePolicy();
+ } else {
+ mPolicy = nullptr;
+ }
+}
+
+bool
+SandboxBroker::LaunchApp(const wchar_t *aPath,
+ const wchar_t *aArguments,
+ const bool aEnableLogging,
+ void **aProcessHandle)
+{
+ if (!sBrokerService || !mPolicy) {
+ return false;
+ }
+
+ // Set stdout and stderr, to allow inheritance for logging.
+ mPolicy->SetStdoutHandle(::GetStdHandle(STD_OUTPUT_HANDLE));
+ mPolicy->SetStderrHandle(::GetStdHandle(STD_ERROR_HANDLE));
+
+ // If logging enabled, set up the policy.
+ if (aEnableLogging) {
+ ApplyLoggingPolicy();
+ }
+
+#if defined(DEBUG)
+ // Allow write access to TEMP directory in debug builds for logging purposes.
+ // The path from GetTempPathW can have a length up to MAX_PATH + 1, including
+ // the null, so we need MAX_PATH + 2, so we can add an * to the end.
+ wchar_t tempPath[MAX_PATH + 2];
+ uint32_t pathLen = ::GetTempPathW(MAX_PATH + 1, tempPath);
+ if (pathLen > 0) {
+ // GetTempPath path ends with \ and returns the length without the null.
+ tempPath[pathLen] = L'*';
+ tempPath[pathLen + 1] = L'\0';
+ mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+ sandbox::TargetPolicy::FILES_ALLOW_ANY, tempPath);
+ }
+#endif
+
+ // Ceate the sandboxed process
+ PROCESS_INFORMATION targetInfo = {0};
+ sandbox::ResultCode result;
+ result = sBrokerService->SpawnTarget(aPath, aArguments, mPolicy, &targetInfo);
+ if (sandbox::SBOX_ALL_OK != result) {
+ return false;
+ }
+
+ // The sandboxed process is started in a suspended state, resume it now that
+ // we've set things up.
+ ResumeThread(targetInfo.hThread);
+ CloseHandle(targetInfo.hThread);
+
+ // Return the process handle to the caller
+ *aProcessHandle = targetInfo.hProcess;
+
+ return true;
+}
+
+#if defined(MOZ_CONTENT_SANDBOX)
+void
+SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel)
+{
+ MOZ_RELEASE_ASSERT(mPolicy, "mPolicy must be set before this call.");
+
+ sandbox::JobLevel jobLevel;
+ sandbox::TokenLevel accessTokenLevel;
+ sandbox::IntegrityLevel initialIntegrityLevel;
+ sandbox::IntegrityLevel delayedIntegrityLevel;
+
+ // The setting of these levels is pretty arbitrary, but they are a useful (if
+ // crude) tool while we are tightening the policy. Gaps are left to try and
+ // avoid changing their meaning.
+ MOZ_RELEASE_ASSERT(aSandboxLevel >= 1, "Should not be called with aSandboxLevel < 1");
+ if (aSandboxLevel >= 20) {
+ jobLevel = sandbox::JOB_LOCKDOWN;
+ accessTokenLevel = sandbox::USER_LOCKDOWN;
+ initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
+ delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_UNTRUSTED;
+ } else if (aSandboxLevel >= 10) {
+ jobLevel = sandbox::JOB_RESTRICTED;
+ accessTokenLevel = sandbox::USER_LIMITED;
+ initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
+ delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
+ } else if (aSandboxLevel >= 2) {
+ jobLevel = sandbox::JOB_INTERACTIVE;
+ accessTokenLevel = sandbox::USER_INTERACTIVE;
+ initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
+ delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
+ } else if (aSandboxLevel == 1) {
+ jobLevel = sandbox::JOB_NONE;
+ accessTokenLevel = sandbox::USER_NON_ADMIN;
+ initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
+ delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
+ }
+
+ sandbox::ResultCode result = mPolicy->SetJobLevel(jobLevel,
+ 0 /* ui_exceptions */);
+ MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
+ "Setting job level failed, have you set memory limit when jobLevel == JOB_NONE?");
+
+ // If the delayed access token is not restricted we don't want the initial one
+ // to be either, because it can interfere with running from a network drive.
+ sandbox::TokenLevel initialAccessTokenLevel =
+ (accessTokenLevel == sandbox::USER_UNPROTECTED ||
+ accessTokenLevel == sandbox::USER_NON_ADMIN)
+ ? sandbox::USER_UNPROTECTED : sandbox::USER_RESTRICTED_SAME_ACCESS;
+
+ result = mPolicy->SetTokenLevel(initialAccessTokenLevel, accessTokenLevel);
+ MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
+ "Lockdown level cannot be USER_UNPROTECTED or USER_LAST if initial level was USER_RESTRICTED_SAME_ACCESS");
+
+ result = mPolicy->SetIntegrityLevel(initialIntegrityLevel);
+ MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
+ "SetIntegrityLevel should never fail, what happened?");
+ result = mPolicy->SetDelayedIntegrityLevel(delayedIntegrityLevel);
+ MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
+ "SetDelayedIntegrityLevel should never fail, what happened?");
+
+ if (aSandboxLevel > 2) {
+ result = mPolicy->SetAlternateDesktop(true);
+ MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
+ "Failed to create alternate desktop for sandbox.");
+ }
+
+ sandbox::MitigationFlags mitigations =
+ sandbox::MITIGATION_BOTTOM_UP_ASLR |
+ sandbox::MITIGATION_HEAP_TERMINATE |
+ sandbox::MITIGATION_SEHOP |
+ sandbox::MITIGATION_DEP_NO_ATL_THUNK |
+ sandbox::MITIGATION_DEP;
+
+ result = mPolicy->SetProcessMitigations(mitigations);
+ MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
+ "Invalid flags for SetProcessMitigations.");
+
+ mitigations =
+ sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
+ sandbox::MITIGATION_DLL_SEARCH_ORDER;
+
+ result = mPolicy->SetDelayedProcessMitigations(mitigations);
+ MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
+ "Invalid flags for SetDelayedProcessMitigations.");
+
+ // Add the policy for the client side of a pipe. It is just a file
+ // in the \pipe\ namespace. We restrict it to pipes that start with
+ // "chrome." so the sandboxed process cannot connect to system services.
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+ sandbox::TargetPolicy::FILES_ALLOW_ANY,
+ L"\\??\\pipe\\chrome.*");
+ MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+ // Add the policy for the client side of the crash server pipe.
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+ sandbox::TargetPolicy::FILES_ALLOW_ANY,
+ L"\\??\\pipe\\gecko-crash-server-pipe.*");
+ MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+ // The content process needs to be able to duplicate named pipes back to the
+ // broker process, which are File type handles.
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
+ sandbox::TargetPolicy::HANDLES_DUP_BROKER,
+ L"File");
+ MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+ // The content process needs to be able to duplicate shared memory handles,
+ // which are Section handles, to the broker process and other child processes.
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
+ sandbox::TargetPolicy::HANDLES_DUP_BROKER,
+ L"Section");
+ MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
+ "With these static arguments AddRule should never fail, what happened?");
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
+ sandbox::TargetPolicy::HANDLES_DUP_ANY,
+ L"Section");
+ MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
+ "With these static arguments AddRule should never fail, what happened?");
+}
+#endif
+
+#define SANDBOX_ENSURE_SUCCESS(result, message) \
+ do { \
+ MOZ_ASSERT(sandbox::SBOX_ALL_OK == result, message); \
+ if (sandbox::SBOX_ALL_OK != result) \
+ return false; \
+ } while (0)
+
+bool
+SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel)
+{
+ if (!mPolicy) {
+ return false;
+ }
+
+ sandbox::JobLevel jobLevel;
+ sandbox::TokenLevel accessTokenLevel;
+ sandbox::IntegrityLevel initialIntegrityLevel;
+ sandbox::IntegrityLevel delayedIntegrityLevel;
+
+ if (aSandboxLevel > 2) {
+ jobLevel = sandbox::JOB_UNPROTECTED;
+ accessTokenLevel = sandbox::USER_LIMITED;
+ initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
+ delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
+ } else if (aSandboxLevel == 2) {
+ jobLevel = sandbox::JOB_UNPROTECTED;
+ accessTokenLevel = sandbox::USER_INTERACTIVE;
+ initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
+ delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
+ } else {
+ jobLevel = sandbox::JOB_NONE;
+ accessTokenLevel = sandbox::USER_NON_ADMIN;
+ initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_MEDIUM;
+ delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_MEDIUM;
+ }
+
+ sandbox::ResultCode result = mPolicy->SetJobLevel(jobLevel,
+ 0 /* ui_exceptions */);
+ SANDBOX_ENSURE_SUCCESS(result,
+ "Setting job level failed, have you set memory limit when jobLevel == JOB_NONE?");
+
+ result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
+ accessTokenLevel);
+ SANDBOX_ENSURE_SUCCESS(result,
+ "Lockdown level cannot be USER_UNPROTECTED or USER_LAST if initial level was USER_RESTRICTED_SAME_ACCESS");
+
+ result = mPolicy->SetIntegrityLevel(initialIntegrityLevel);
+ SANDBOX_ENSURE_SUCCESS(result,
+ "SetIntegrityLevel should never fail, what happened?");
+
+ result = mPolicy->SetDelayedIntegrityLevel(delayedIntegrityLevel);
+ SANDBOX_ENSURE_SUCCESS(result,
+ "SetDelayedIntegrityLevel should never fail, what happened?");
+
+ sandbox::MitigationFlags mitigations =
+ sandbox::MITIGATION_BOTTOM_UP_ASLR |
+ sandbox::MITIGATION_HEAP_TERMINATE |
+ sandbox::MITIGATION_SEHOP |
+ sandbox::MITIGATION_DEP_NO_ATL_THUNK |
+ sandbox::MITIGATION_DEP;
+
+ result = mPolicy->SetProcessMitigations(mitigations);
+ SANDBOX_ENSURE_SUCCESS(result,
+ "Invalid flags for SetProcessMitigations.");
+
+ // Add the policy for the client side of a pipe. It is just a file
+ // in the \pipe\ namespace. We restrict it to pipes that start with
+ // "chrome." so the sandboxed process cannot connect to system services.
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+ sandbox::TargetPolicy::FILES_ALLOW_ANY,
+ L"\\??\\pipe\\chrome.*");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+ // Add the policy for the client side of the crash server pipe.
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+ sandbox::TargetPolicy::FILES_ALLOW_ANY,
+ L"\\??\\pipe\\gecko-crash-server-pipe.*");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+ // The NPAPI process needs to be able to duplicate shared memory to the
+ // content process and broker process, which are Section type handles.
+ // Content and broker are for e10s and non-e10s cases.
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
+ sandbox::TargetPolicy::HANDLES_DUP_ANY,
+ L"Section");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
+ sandbox::TargetPolicy::HANDLES_DUP_BROKER,
+ L"Section");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+ // The following is required for the Java plugin.
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+ sandbox::TargetPolicy::FILES_ALLOW_ANY,
+ L"\\??\\pipe\\jpi2_pid*_pipe*");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+ // These register keys are used by the file-browser dialog box. They
+ // remember the most-recently-used folders.
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
+ sandbox::TargetPolicy::REG_ALLOW_ANY,
+ L"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSavePidlMRU\\*");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
+ sandbox::TargetPolicy::REG_ALLOW_ANY,
+ L"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedPidlMRULegacy\\*");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+ return true;
+}
+
+bool
+SandboxBroker::SetSecurityLevelForGMPlugin(SandboxLevel aLevel)
+{
+ if (!mPolicy) {
+ return false;
+ }
+
+ auto result = mPolicy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0);
+ SANDBOX_ENSURE_SUCCESS(result,
+ "SetJobLevel should never fail with these arguments, what happened?");
+ auto level = (aLevel == Restricted) ?
+ sandbox::USER_RESTRICTED : sandbox::USER_LOCKDOWN;
+ result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS, level);
+ SANDBOX_ENSURE_SUCCESS(result,
+ "SetTokenLevel should never fail with these arguments, what happened?");
+
+ result = mPolicy->SetAlternateDesktop(true);
+ SANDBOX_ENSURE_SUCCESS(result,
+ "Failed to create alternate desktop for sandbox.");
+
+ result = mPolicy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
+ MOZ_ASSERT(sandbox::SBOX_ALL_OK == result,
+ "SetIntegrityLevel should never fail with these arguments, what happened?");
+
+ result =
+ mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
+ SANDBOX_ENSURE_SUCCESS(result,
+ "SetIntegrityLevel should never fail with these arguments, what happened?");
+
+ sandbox::MitigationFlags mitigations =
+ sandbox::MITIGATION_BOTTOM_UP_ASLR |
+ sandbox::MITIGATION_HEAP_TERMINATE |
+ sandbox::MITIGATION_SEHOP |
+ sandbox::MITIGATION_DEP_NO_ATL_THUNK |
+ sandbox::MITIGATION_DEP;
+
+ result = mPolicy->SetProcessMitigations(mitigations);
+ SANDBOX_ENSURE_SUCCESS(result,
+ "Invalid flags for SetProcessMitigations.");
+
+ mitigations =
+ sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
+ sandbox::MITIGATION_DLL_SEARCH_ORDER;
+
+ result = mPolicy->SetDelayedProcessMitigations(mitigations);
+ SANDBOX_ENSURE_SUCCESS(result,
+ "Invalid flags for SetDelayedProcessMitigations.");
+
+ // Add the policy for the client side of a pipe. It is just a file
+ // in the \pipe\ namespace. We restrict it to pipes that start with
+ // "chrome." so the sandboxed process cannot connect to system services.
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+ sandbox::TargetPolicy::FILES_ALLOW_ANY,
+ L"\\??\\pipe\\chrome.*");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+ // Add the policy for the client side of the crash server pipe.
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+ sandbox::TargetPolicy::FILES_ALLOW_ANY,
+ L"\\??\\pipe\\gecko-crash-server-pipe.*");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+#ifdef DEBUG
+ // The plugin process can't create named events, but we'll
+ // make an exception for the events used in logging. Removing
+ // this will break EME in debug builds.
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_SYNC,
+ sandbox::TargetPolicy::EVENTS_ALLOW_ANY,
+ L"ChromeIPCLog.*");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+#endif
+
+ // The following rules were added because, during analysis of an EME
+ // plugin during development, these registry keys were accessed when
+ // loading the plugin. Commenting out these policy exceptions caused
+ // plugin loading to fail, so they are necessary for proper functioning
+ // of at least one EME plugin.
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
+ sandbox::TargetPolicy::REG_ALLOW_READONLY,
+ L"HKEY_CURRENT_USER");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
+ sandbox::TargetPolicy::REG_ALLOW_READONLY,
+ L"HKEY_CURRENT_USER\\Control Panel\\Desktop");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
+ sandbox::TargetPolicy::REG_ALLOW_READONLY,
+ L"HKEY_CURRENT_USER\\Control Panel\\Desktop\\LanguageConfiguration");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
+ sandbox::TargetPolicy::REG_ALLOW_READONLY,
+ L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+
+ // The following rules were added because, during analysis of an EME
+ // plugin during development, these registry keys were accessed when
+ // loading the plugin. Commenting out these policy exceptions did not
+ // cause anything to break during initial testing, but might cause
+ // unforeseen issues down the road.
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
+ sandbox::TargetPolicy::REG_ALLOW_READONLY,
+ L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MUI\\Settings");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
+ sandbox::TargetPolicy::REG_ALLOW_READONLY,
+ L"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Control Panel\\Desktop");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
+ sandbox::TargetPolicy::REG_ALLOW_READONLY,
+ L"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
+ sandbox::TargetPolicy::REG_ALLOW_READONLY,
+ L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+ // The following rules were added to allow a GMP to be loaded when any
+ // AppLocker DLL rules are specified. If the rules specifically block the DLL
+ // then it will not load.
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+ sandbox::TargetPolicy::FILES_ALLOW_READONLY,
+ L"\\Device\\SrpDevice");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
+ sandbox::TargetPolicy::REG_ALLOW_READONLY,
+ L"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Srp\\GP\\");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+ // On certain Windows versions there is a double slash before GP in the path.
+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
+ sandbox::TargetPolicy::REG_ALLOW_READONLY,
+ L"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Srp\\\\GP\\");
+ SANDBOX_ENSURE_SUCCESS(result,
+ "With these static arguments AddRule should never fail, what happened?");
+
+
+ return true;
+}
+#undef SANDBOX_ENSURE_SUCCESS
+
+bool
+SandboxBroker::AllowReadFile(wchar_t const *file)
+{
+ if (!mPolicy) {
+ return false;
+ }
+
+ auto result =
+ mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+ sandbox::TargetPolicy::FILES_ALLOW_READONLY,
+ file);
+ if (sandbox::SBOX_ALL_OK != result) {
+ LOG_E("Failed (ResultCode %d) to add read access to: %S", result, file);
+ return false;
+ }
+
+ return true;
+}
+
+bool
+SandboxBroker::AllowReadWriteFile(wchar_t const *file)
+{
+ if (!mPolicy) {
+ return false;
+ }
+
+ auto result =
+ mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+ sandbox::TargetPolicy::FILES_ALLOW_ANY,
+ file);
+ if (sandbox::SBOX_ALL_OK != result) {
+ LOG_E("Failed (ResultCode %d) to add read/write access to: %S",
+ result, file);
+ return false;
+ }
+
+ return true;
+}
+
+bool
+SandboxBroker::AllowDirectory(wchar_t const *dir)
+{
+ if (!mPolicy) {
+ return false;
+ }
+
+ auto result =
+ mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
+ sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY,
+ dir);
+ if (sandbox::SBOX_ALL_OK != result) {
+ LOG_E("Failed (ResultCode %d) to add directory access to: %S", result, dir);
+ return false;
+ }
+
+ return true;
+}
+
+bool
+SandboxBroker::AddTargetPeer(HANDLE aPeerProcess)
+{
+ if (!sBrokerService) {
+ return false;
+ }
+
+ sandbox::ResultCode result = sBrokerService->AddTargetPeer(aPeerProcess);
+ return (sandbox::SBOX_ALL_OK == result);
+}
+
+void
+SandboxBroker::ApplyLoggingPolicy()
+{
+ MOZ_ASSERT(mPolicy);
+
+ // Add dummy rules, so that we can log in the interception code.
+ // We already have a file interception set up for the client side of pipes.
+ // Also, passing just "dummy" for file system policy causes win_utils.cc
+ // IsReparsePoint() to loop.
+ mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
+ sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, L"dummy");
+ mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_PROCESS,
+ sandbox::TargetPolicy::PROCESS_MIN_EXEC, L"dummy");
+ mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
+ sandbox::TargetPolicy::REG_ALLOW_READONLY,
+ L"HKEY_CURRENT_USER\\dummy");
+ mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_SYNC,
+ sandbox::TargetPolicy::EVENTS_ALLOW_READONLY, L"dummy");
+ mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
+ sandbox::TargetPolicy::HANDLES_DUP_BROKER, L"dummy");
+}
+
+SandboxBroker::~SandboxBroker()
+{
+ if (mPolicy) {
+ mPolicy->Release();
+ mPolicy = nullptr;
+ }
+}
+
+}
diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
new file mode 100644
index 000000000..3f73ec890
--- /dev/null
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
@@ -0,0 +1,63 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __SECURITY_SANDBOX_SANDBOXBROKER_H__
+#define __SECURITY_SANDBOX_SANDBOXBROKER_H__
+
+#include <stdint.h>
+#include <windows.h>
+
+namespace sandbox {
+ class BrokerServices;
+ class TargetPolicy;
+}
+
+namespace mozilla {
+
+class SandboxBroker
+{
+public:
+ SandboxBroker();
+
+ static void Initialize(sandbox::BrokerServices* aBrokerServices);
+
+ bool LaunchApp(const wchar_t *aPath,
+ const wchar_t *aArguments,
+ const bool aEnableLogging,
+ void **aProcessHandle);
+ virtual ~SandboxBroker();
+
+ // Security levels for different types of processes
+#if defined(MOZ_CONTENT_SANDBOX)
+ void SetSecurityLevelForContentProcess(int32_t aSandboxLevel);
+#endif
+ bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel);
+ enum SandboxLevel {
+ LockDown,
+ Restricted
+ };
+ bool SetSecurityLevelForGMPlugin(SandboxLevel aLevel);
+
+ // File system permissions
+ bool AllowReadFile(wchar_t const *file);
+ bool AllowReadWriteFile(wchar_t const *file);
+ bool AllowDirectory(wchar_t const *dir);
+
+ // Exposes AddTargetPeer from broker services, so that none sandboxed
+ // processes can be added as handle duplication targets.
+ bool AddTargetPeer(HANDLE aPeerProcess);
+
+ // Set up dummy interceptions via the broker, so we can log calls.
+ void ApplyLoggingPolicy();
+
+private:
+ static sandbox::BrokerServices *sBrokerService;
+ sandbox::TargetPolicy *mPolicy;
+};
+
+} // mozilla
+
+#endif
diff --git a/security/sandbox/win/src/sandboxtarget/moz.build b/security/sandbox/win/src/sandboxtarget/moz.build
new file mode 100644
index 000000000..7315a34ed
--- /dev/null
+++ b/security/sandbox/win/src/sandboxtarget/moz.build
@@ -0,0 +1,20 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+EXPORTS.mozilla += [
+ 'sandboxTarget.h',
+]
+
+SOURCES += [
+ 'sandboxTarget.cpp',
+]
+
+LOCAL_INCLUDES += [
+ '/security/sandbox/chromium',
+ '/security/sandbox/chromium-shim',
+]
+
+FINAL_LIBRARY = 'xul'
diff --git a/security/sandbox/win/src/sandboxtarget/sandboxTarget.cpp b/security/sandbox/win/src/sandboxtarget/sandboxTarget.cpp
new file mode 100644
index 000000000..a989b3625
--- /dev/null
+++ b/security/sandbox/win/src/sandboxtarget/sandboxTarget.cpp
@@ -0,0 +1,21 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#define TARGET_SANDBOX_EXPORTS
+#include "sandboxTarget.h"
+
+namespace mozilla {
+
+// We need to define this function out of line so that clang-cl doesn't inline
+// it.
+/* static */ SandboxTarget*
+SandboxTarget::Instance()
+{
+ static SandboxTarget sb;
+ return &sb;
+}
+
+}
diff --git a/security/sandbox/win/src/sandboxtarget/sandboxTarget.h b/security/sandbox/win/src/sandboxtarget/sandboxTarget.h
new file mode 100644
index 000000000..f46a2ce70
--- /dev/null
+++ b/security/sandbox/win/src/sandboxtarget/sandboxTarget.h
@@ -0,0 +1,83 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __SECURITY_SANDBOX_SANDBOXTARGET_H__
+#define __SECURITY_SANDBOX_SANDBOXTARGET_H__
+
+#include <windows.h>
+
+#include "mozilla/Assertions.h"
+#include "base/MissingBasicTypes.h"
+#include "sandbox/win/src/sandbox.h"
+
+namespace mozilla {
+
+class SandboxTarget
+{
+public:
+ /**
+ * Obtains a pointer to the singleton instance
+ */
+ static SandboxTarget* Instance();
+
+ /**
+ * Used by the application to pass in the target services that provide certain
+ * functions to the sandboxed code.
+ * The target services must already be initialized.
+ *
+ * @param aTargetServices The target services that will be used
+ */
+ void SetTargetServices(sandbox::TargetServices* aTargetServices)
+ {
+ MOZ_ASSERT(aTargetServices);
+ MOZ_ASSERT(!mTargetServices,
+ "Sandbox TargetServices must only be set once.");
+
+ mTargetServices = aTargetServices;
+ }
+
+ /**
+ * Called by the library that wants to "start" the sandbox, i.e. change to the
+ * more secure delayed / lockdown policy.
+ */
+ void StartSandbox()
+ {
+ if (mTargetServices) {
+ mTargetServices->LowerToken();
+ }
+ }
+
+ /**
+ * Used to duplicate handles via the broker process. The permission for the
+ * handle type and target process has to have been set on the sandbox policy.
+ */
+ bool BrokerDuplicateHandle(HANDLE aSourceHandle, DWORD aTargetProcessId,
+ HANDLE* aTargetHandle, DWORD aDesiredAccess,
+ DWORD aOptions)
+ {
+ if (!mTargetServices) {
+ return false;
+ }
+
+ sandbox::ResultCode result =
+ mTargetServices->DuplicateHandle(aSourceHandle, aTargetProcessId,
+ aTargetHandle, aDesiredAccess, aOptions);
+ return (sandbox::SBOX_ALL_OK == result);
+ }
+
+protected:
+ SandboxTarget() :
+ mTargetServices(nullptr)
+ {
+ }
+
+ sandbox::TargetServices* mTargetServices;
+};
+
+
+} // mozilla
+
+#endif
diff --git a/security/sandbox/win/wow_helper/Makefile.in b/security/sandbox/win/wow_helper/Makefile.in
new file mode 100644
index 000000000..aee81f3fe
--- /dev/null
+++ b/security/sandbox/win/wow_helper/Makefile.in
@@ -0,0 +1,47 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# We need to build a 64-bits binary during a 32-bits build. This requires
+# a different compiler and different library paths. Until the build system
+# supports this natively.
+
+# Some Make magic to avoid CXX and LIB being evaluated when nothing
+# is built in this directory
+lazy = $(if $(___$(1)),,$(eval ___$(1) := $(2)))$(___$(1))
+
+# We could use the `which` python module, but it needs more code to handle
+# the situation where CXX points to an absolute path. But using the shell
+# which returns a msys path, while we need a windows path. So force msys
+# to do the conversion for us by calling python with an environment variable
+# with the result of the call to `which`. Then munge that path to add the
+# x64 cross-compiler path.
+ifdef MOZ_USING_COMPILER_WRAPPER
+ORIG_CXX := cl
+else
+ORIG_CXX := $(CXX)
+endif
+CXX = $(call lazy,CXX,"$$(subst amd64_x86/x86_amd64/,amd64/,$$(shell CL=`which "$(ORIG_CXX)"` $(PYTHON) -c 'import os; print os.path.dirname(os.environ["CL"])')/x86_amd64/cl.exe)")
+
+MOZ_WINCONSOLE = 0
+
+include $(topsrcdir)/config/config.mk
+
+# Munge the LIB variable to contain paths to the x64 CRT and system libraries.
+# Unconveniently, none of the paths have the same convention, including the
+# compiler path above.
+LIB = $(call lazy,LIB,$$(shell python -c 'import os; print ";".join(s.lower().replace(os.sep, "/").replace("/vc/lib", "/vc/lib/amd64").replace("/um/x86", "/um/x64").replace("/ucrt/x86", "/ucrt/x64") for s in os.environ["LIB"].split(";"))'))
+
+CXXFLAGS := $(filter-out -arch:%,$(CXXFLAGS))
+
+# OS_COMPILE_CXXFLAGS includes mozilla-config.h, which contains x86-specific
+# defines breaking the build.
+OS_COMPILE_CXXFLAGS :=
+
+# LNK1246: '/SAFESEH' not compatible with 'x64' target machine
+LDFLAGS := $(filter-out -SAFESEH,$(LDFLAGS))
+
+# When targetting x64, we need to specify a subsystem of at least 5.02, because
+# the 5.01 value we inherit from the x86 parts is silently ignored, making the
+# linker default to 6.00 (Vista) as of VS2013.
+WIN32_GUI_EXE_LDFLAGS=-SUBSYSTEM:WINDOWS,5.02
diff --git a/security/sandbox/win/wow_helper/moz.build b/security/sandbox/win/wow_helper/moz.build
new file mode 100644
index 000000000..d9c307def
--- /dev/null
+++ b/security/sandbox/win/wow_helper/moz.build
@@ -0,0 +1,30 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+Program('wow_helper')
+
+SOURCES += [ '../../chromium/sandbox/win/wow_helper/' + f for f in (
+ 'service64_resolver.cc',
+ 'target_code.cc',
+ 'wow_helper.cc',
+)]
+
+LOCAL_INCLUDES += [
+ '../../',
+ '../../../',
+ '../../chromium/',
+]
+
+DISABLE_STL_WRAPPING = True
+
+DEFINES['UNICODE'] = True
+
+USE_STATIC_LIBS = True
+
+# The rules in Makefile.in only force the use of the 64-bits compiler, not
+# the 64-bits linker, and the 32-bits linker can't do 64-bits compilation for
+# PGO, so disable PGO, which is not interesting for this small binary anyways.
+NO_PGO = True