Bug 925571 - Initial Windows content process sandbox broker code. r=aklotz

ipc/glue/GeckoChildProcessHost.cpp

@@ -6,6 +6,10 @@
 
 #include "GeckoChildProcessHost.h"
 
+#if defined(XP_WIN) && defined(MOZ_CONTENT_SANDBOX)
+#include "sandboxBroker.h"
+#endif
+
 #include "base/command_line.h"
 #include "base/path_service.h"
 #include "base/string_util.h"
@@ -756,7 +760,15 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
   // Process type
   cmdLine.AppendLooseValue(UTF8ToWide(childProcessType));
 
+#if defined(XP_WIN) && defined(MOZ_CONTENT_SANDBOX)
+  mozilla::SandboxBroker sandboxBroker;
+  sandboxBroker.LaunchApp(cmdLine.program().c_str(),
+                          cmdLine.command_line_string().c_str(),
+                          &process);
+#else
   base::LaunchApp(cmdLine, false, false, &process);
+#endif
+
 
 #else
 #  error Sorry

security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp

@@ -0,0 +1,70 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "sandboxBroker.h"
+#include "sandbox/win/src/sandbox.h"
+#include "sandbox/win/src/sandbox_factory.h"
+
+namespace mozilla
+{
+
+SandboxBroker::SandboxBroker() :
+  mBrokerService(nullptr)
+{
+}
+
+bool
+SandboxBroker::LaunchApp(const wchar_t *aPath,
+                           const wchar_t *aArguments,
+                           void **aProcessHandle)
+{
+  sandbox::ResultCode result;
+
+  // If the broker service isn't already initialized, do it now
+  if (!mBrokerService) {
+    mBrokerService = sandbox::SandboxFactory::GetBrokerServices();
+    if (!mBrokerService) {
+      return false;
+    }
+
+    result = mBrokerService->Init();
+    if (result != sandbox::SBOX_ALL_OK) {
+      return false;
+    }
+  }
+
+  // Setup the sandbox policy, this is initially:
+  // Medium integrity, unrestricted, in the same window station, within the
+  // same desktop, and has no job object.
+  // We'll start to increase the restrictions over time.
+  sandbox::TargetPolicy *policy = mBrokerService->CreatePolicy();
+  policy->SetJobLevel(sandbox::JOB_NONE, 0);
+  policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
+                        sandbox::USER_RESTRICTED_SAME_ACCESS);
+  policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_MEDIUM);
+
+  // Ceate the sandboxed process
+  PROCESS_INFORMATION targetInfo;
+  result = mBrokerService->SpawnTarget(aPath, aArguments, policy, &targetInfo);
+
+  // The sandboxed process is started in a suspended state, resumeit now that
+  // we'eve set things up.
+  ResumeThread(targetInfo.hThread);
+  CloseHandle(targetInfo.hThread);
+
+  // Return the process handle to the caller
+  *aProcessHandle = targetInfo.hProcess;
+
+  policy->Release();
+
+  return true;
+}
+
+SandboxBroker::~SandboxBroker()
+{
+}
+
+}

security/sandbox/win/src/sandboxbroker/sandboxBroker.h

@@ -0,0 +1,36 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __SECURITY_SANDBOX_SANDBOXBROKER_H__
+#define __SECURITY_SANDBOX_SANDBOXBROKER_H__
+
+#ifdef SANDBOX_EXPORTS
+#define SANDBOX_EXPORT __declspec(dllexport)
+#else
+#define SANDBOX_EXPORT __declspec(dllimport)
+#endif
+
+namespace sandbox {
+  class BrokerServices;
+}
+
+namespace mozilla {
+
+class SANDBOX_EXPORT SandboxBroker
+{
+public:
+  SandboxBroker();
+  bool LaunchApp(const wchar_t *aPath, const wchar_t *aArguments,
+                 void **aProcessHandle);
+  virtual ~SandboxBroker();
+
+private:
+  sandbox::BrokerServices *mBrokerService;
+};
+
+} // mozilla
+
+#endif