├── .gitignore ├── LICENSE ├── README.md ├── Tupfile.ini ├── bin └── Tupfile ├── include ├── ArrayLength.h ├── MakeUniqueLen.h ├── UniqueHandle.h ├── WindowsSandbox.h ├── dacl.h ├── sid.h └── sidattrs.h ├── lib └── Tupfile ├── obj ├── comtest │ └── Tupfile ├── itest │ └── Tupfile ├── proto │ └── Tupfile └── sandbox │ └── Tupfile └── src ├── compatibility.manifest ├── comtest ├── comarshal.cpp ├── comarshal.h ├── comtest.cpp ├── handoff.cpp ├── handoff.h ├── interceptor.h └── mscom.h ├── itest ├── ITest.def └── Test.idl ├── proto └── proto.cpp └── sandbox ├── WindowsSandbox.cpp ├── dacl.cpp ├── sid.cpp └── sidattrs.cpp /.gitignore: -------------------------------------------------------------------------------- 1 | # Compiled Object files 2 | *.slo 3 | *.lo 4 | *.o 5 | 6 | # Compiled Dynamic libraries 7 | *.so 8 | *.dylib 9 | 10 | # Compiled Static libraries 11 | *.lai 12 | *.la 13 | *.a 14 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Mozilla Public License, version 2.0 2 | 3 | 1. Definitions 4 | 5 | 1.1. “Contributor” 6 | 7 | means each individual or legal entity that creates, contributes to the 8 | creation of, or owns Covered Software. 9 | 10 | 1.2. “Contributor Version” 11 | 12 | means the combination of the Contributions of others (if any) used by a 13 | Contributor and that particular Contributor’s Contribution. 14 | 15 | 1.3. “Contribution” 16 | 17 | means Covered Software of a particular Contributor. 18 | 19 | 1.4. “Covered Software” 20 | 21 | means Source Code Form to which the initial Contributor has attached the 22 | notice in Exhibit A, the Executable Form of such Source Code Form, and 23 | Modifications of such Source Code Form, in each case including portions 24 | thereof. 25 | 26 | 1.5. “Incompatible With Secondary Licenses” 27 | means 28 | 29 | a. that the initial Contributor has attached the notice described in 30 | Exhibit B to the Covered Software; or 31 | 32 | b. that the Covered Software was made available under the terms of version 33 | 1.1 or earlier of the License, but not also under the terms of a 34 | Secondary License. 35 | 36 | 1.6. “Executable Form” 37 | 38 | means any form of the work other than Source Code Form. 39 | 40 | 1.7. “Larger Work” 41 | 42 | means a work that combines Covered Software with other material, in a separate 43 | file or files, that is not Covered Software. 44 | 45 | 1.8. “License” 46 | 47 | means this document. 48 | 49 | 1.9. “Licensable” 50 | 51 | means having the right to grant, to the maximum extent possible, whether at the 52 | time of the initial grant or subsequently, any and all of the rights conveyed by 53 | this License. 54 | 55 | 1.10. “Modifications” 56 | 57 | means any of the following: 58 | 59 | a. any file in Source Code Form that results from an addition to, deletion 60 | from, or modification of the contents of Covered Software; or 61 | 62 | b. any new file in Source Code Form that contains any Covered Software. 63 | 64 | 1.11. “Patent Claims” of a Contributor 65 | 66 | means any patent claim(s), including without limitation, method, process, 67 | and apparatus claims, in any patent Licensable by such Contributor that 68 | would be infringed, but for the grant of the License, by the making, 69 | using, selling, offering for sale, having made, import, or transfer of 70 | either its Contributions or its Contributor Version. 71 | 72 | 1.12. “Secondary License” 73 | 74 | means either the GNU General Public License, Version 2.0, the GNU Lesser 75 | General Public License, Version 2.1, the GNU Affero General Public 76 | License, Version 3.0, or any later versions of those licenses. 77 | 78 | 1.13. “Source Code Form” 79 | 80 | means the form of the work preferred for making modifications. 81 | 82 | 1.14. “You” (or “Your”) 83 | 84 | means an individual or a legal entity exercising rights under this 85 | License. For legal entities, “You” includes any entity that controls, is 86 | controlled by, or is under common control with You. For purposes of this 87 | definition, “control” means (a) the power, direct or indirect, to cause 88 | the direction or management of such entity, whether by contract or 89 | otherwise, or (b) ownership of more than fifty percent (50%) of the 90 | outstanding shares or beneficial ownership of such entity. 91 | 92 | 93 | 2. License Grants and Conditions 94 | 95 | 2.1. Grants 96 | 97 | Each Contributor hereby grants You a world-wide, royalty-free, 98 | non-exclusive license: 99 | 100 | a. under intellectual property rights (other than patent or trademark) 101 | Licensable by such Contributor to use, reproduce, make available, 102 | modify, display, perform, distribute, and otherwise exploit its 103 | Contributions, either on an unmodified basis, with Modifications, or as 104 | part of a Larger Work; and 105 | 106 | b. under Patent Claims of such Contributor to make, use, sell, offer for 107 | sale, have made, import, and otherwise transfer either its Contributions 108 | or its Contributor Version. 109 | 110 | 2.2. Effective Date 111 | 112 | The licenses granted in Section 2.1 with respect to any Contribution become 113 | effective for each Contribution on the date the Contributor first distributes 114 | such Contribution. 115 | 116 | 2.3. Limitations on Grant Scope 117 | 118 | The licenses granted in this Section 2 are the only rights granted under this 119 | License. No additional rights or licenses will be implied from the distribution 120 | or licensing of Covered Software under this License. Notwithstanding Section 121 | 2.1(b) above, no patent license is granted by a Contributor: 122 | 123 | a. for any code that a Contributor has removed from Covered Software; or 124 | 125 | b. for infringements caused by: (i) Your and any other third party’s 126 | modifications of Covered Software, or (ii) the combination of its 127 | Contributions with other software (except as part of its Contributor 128 | Version); or 129 | 130 | c. under Patent Claims infringed by Covered Software in the absence of its 131 | Contributions. 132 | 133 | This License does not grant any rights in the trademarks, service marks, or 134 | logos of any Contributor (except as may be necessary to comply with the 135 | notice requirements in Section 3.4). 136 | 137 | 2.4. Subsequent Licenses 138 | 139 | No Contributor makes additional grants as a result of Your choice to 140 | distribute the Covered Software under a subsequent version of this License 141 | (see Section 10.2) or under the terms of a Secondary License (if permitted 142 | under the terms of Section 3.3). 143 | 144 | 2.5. Representation 145 | 146 | Each Contributor represents that the Contributor believes its Contributions 147 | are its original creation(s) or it has sufficient rights to grant the 148 | rights to its Contributions conveyed by this License. 149 | 150 | 2.6. Fair Use 151 | 152 | This License is not intended to limit any rights You have under applicable 153 | copyright doctrines of fair use, fair dealing, or other equivalents. 154 | 155 | 2.7. Conditions 156 | 157 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in 158 | Section 2.1. 159 | 160 | 161 | 3. Responsibilities 162 | 163 | 3.1. Distribution of Source Form 164 | 165 | All distribution of Covered Software in Source Code Form, including any 166 | Modifications that You create or to which You contribute, must be under the 167 | terms of this License. You must inform recipients that the Source Code Form 168 | of the Covered Software is governed by the terms of this License, and how 169 | they can obtain a copy of this License. You may not attempt to alter or 170 | restrict the recipients’ rights in the Source Code Form. 171 | 172 | 3.2. Distribution of Executable Form 173 | 174 | If You distribute Covered Software in Executable Form then: 175 | 176 | a. such Covered Software must also be made available in Source Code Form, 177 | as described in Section 3.1, and You must inform recipients of the 178 | Executable Form how they can obtain a copy of such Source Code Form by 179 | reasonable means in a timely manner, at a charge no more than the cost 180 | of distribution to the recipient; and 181 | 182 | b. You may distribute such Executable Form under the terms of this License, 183 | or sublicense it under different terms, provided that the license for 184 | the Executable Form does not attempt to limit or alter the recipients’ 185 | rights in the Source Code Form under this License. 186 | 187 | 3.3. Distribution of a Larger Work 188 | 189 | You may create and distribute a Larger Work under terms of Your choice, 190 | provided that You also comply with the requirements of this License for the 191 | Covered Software. If the Larger Work is a combination of Covered Software 192 | with a work governed by one or more Secondary Licenses, and the Covered 193 | Software is not Incompatible With Secondary Licenses, this License permits 194 | You to additionally distribute such Covered Software under the terms of 195 | such Secondary License(s), so that the recipient of the Larger Work may, at 196 | their option, further distribute the Covered Software under the terms of 197 | either this License or such Secondary License(s). 198 | 199 | 3.4. Notices 200 | 201 | You may not remove or alter the substance of any license notices (including 202 | copyright notices, patent notices, disclaimers of warranty, or limitations 203 | of liability) contained within the Source Code Form of the Covered 204 | Software, except that You may alter any license notices to the extent 205 | required to remedy known factual inaccuracies. 206 | 207 | 3.5. Application of Additional Terms 208 | 209 | You may choose to offer, and to charge a fee for, warranty, support, 210 | indemnity or liability obligations to one or more recipients of Covered 211 | Software. However, You may do so only on Your own behalf, and not on behalf 212 | of any Contributor. You must make it absolutely clear that any such 213 | warranty, support, indemnity, or liability obligation is offered by You 214 | alone, and You hereby agree to indemnify every Contributor for any 215 | liability incurred by such Contributor as a result of warranty, support, 216 | indemnity or liability terms You offer. You may include additional 217 | disclaimers of warranty and limitations of liability specific to any 218 | jurisdiction. 219 | 220 | 4. Inability to Comply Due to Statute or Regulation 221 | 222 | If it is impossible for You to comply with any of the terms of this License 223 | with respect to some or all of the Covered Software due to statute, judicial 224 | order, or regulation then You must: (a) comply with the terms of this License 225 | to the maximum extent possible; and (b) describe the limitations and the code 226 | they affect. Such description must be placed in a text file included with all 227 | distributions of the Covered Software under this License. Except to the 228 | extent prohibited by statute or regulation, such description must be 229 | sufficiently detailed for a recipient of ordinary skill to be able to 230 | understand it. 231 | 232 | 5. Termination 233 | 234 | 5.1. The rights granted under this License will terminate automatically if You 235 | fail to comply with any of its terms. However, if You become compliant, 236 | then the rights granted under this License from a particular Contributor 237 | are reinstated (a) provisionally, unless and until such Contributor 238 | explicitly and finally terminates Your grants, and (b) on an ongoing basis, 239 | if such Contributor fails to notify You of the non-compliance by some 240 | reasonable means prior to 60 days after You have come back into compliance. 241 | Moreover, Your grants from a particular Contributor are reinstated on an 242 | ongoing basis if such Contributor notifies You of the non-compliance by 243 | some reasonable means, this is the first time You have received notice of 244 | non-compliance with this License from such Contributor, and You become 245 | compliant prior to 30 days after Your receipt of the notice. 246 | 247 | 5.2. If You initiate litigation against any entity by asserting a patent 248 | infringement claim (excluding declaratory judgment actions, counter-claims, 249 | and cross-claims) alleging that a Contributor Version directly or 250 | indirectly infringes any patent, then the rights granted to You by any and 251 | all Contributors for the Covered Software under Section 2.1 of this License 252 | shall terminate. 253 | 254 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user 255 | license agreements (excluding distributors and resellers) which have been 256 | validly granted by You or Your distributors under this License prior to 257 | termination shall survive termination. 258 | 259 | 6. Disclaimer of Warranty 260 | 261 | Covered Software is provided under this License on an “as is” basis, without 262 | warranty of any kind, either expressed, implied, or statutory, including, 263 | without limitation, warranties that the Covered Software is free of defects, 264 | merchantable, fit for a particular purpose or non-infringing. The entire 265 | risk as to the quality and performance of the Covered Software is with You. 266 | Should any Covered Software prove defective in any respect, You (not any 267 | Contributor) assume the cost of any necessary servicing, repair, or 268 | correction. This disclaimer of warranty constitutes an essential part of this 269 | License. No use of any Covered Software is authorized under this License 270 | except under this disclaimer. 271 | 272 | 7. Limitation of Liability 273 | 274 | Under no circumstances and under no legal theory, whether tort (including 275 | negligence), contract, or otherwise, shall any Contributor, or anyone who 276 | distributes Covered Software as permitted above, be liable to You for any 277 | direct, indirect, special, incidental, or consequential damages of any 278 | character including, without limitation, damages for lost profits, loss of 279 | goodwill, work stoppage, computer failure or malfunction, or any and all 280 | other commercial damages or losses, even if such party shall have been 281 | informed of the possibility of such damages. This limitation of liability 282 | shall not apply to liability for death or personal injury resulting from such 283 | party’s negligence to the extent applicable law prohibits such limitation. 284 | Some jurisdictions do not allow the exclusion or limitation of incidental or 285 | consequential damages, so this exclusion and limitation may not apply to You. 286 | 287 | 8. Litigation 288 | 289 | Any litigation relating to this License may be brought only in the courts of 290 | a jurisdiction where the defendant maintains its principal place of business 291 | and such litigation shall be governed by laws of that jurisdiction, without 292 | reference to its conflict-of-law provisions. Nothing in this Section shall 293 | prevent a party’s ability to bring cross-claims or counter-claims. 294 | 295 | 9. Miscellaneous 296 | 297 | This License represents the complete agreement concerning the subject matter 298 | hereof. If any provision of this License is held to be unenforceable, such 299 | provision shall be reformed only to the extent necessary to make it 300 | enforceable. Any law or regulation which provides that the language of a 301 | contract shall be construed against the drafter shall not be used to construe 302 | this License against a Contributor. 303 | 304 | 305 | 10. Versions of the License 306 | 307 | 10.1. New Versions 308 | 309 | Mozilla Foundation is the license steward. Except as provided in Section 310 | 10.3, no one other than the license steward has the right to modify or 311 | publish new versions of this License. Each version will be given a 312 | distinguishing version number. 313 | 314 | 10.2. Effect of New Versions 315 | 316 | You may distribute the Covered Software under the terms of the version of 317 | the License under which You originally received the Covered Software, or 318 | under the terms of any subsequent version published by the license 319 | steward. 320 | 321 | 10.3. Modified Versions 322 | 323 | If you create software not governed by this License, and you want to 324 | create a new license for such software, you may create and use a modified 325 | version of this License if you rename the license and remove any 326 | references to the name of the license steward (except to note that such 327 | modified license differs from this License). 328 | 329 | 10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses 330 | If You choose to distribute Source Code Form that is Incompatible With 331 | Secondary Licenses under the terms of this version of the License, the 332 | notice described in Exhibit B of this License must be attached. 333 | 334 | Exhibit A - Source Code Form License Notice 335 | 336 | This Source Code Form is subject to the 337 | terms of the Mozilla Public License, v. 338 | 2.0. If a copy of the MPL was not 339 | distributed with this file, You can 340 | obtain one at 341 | http://mozilla.org/MPL/2.0/. 342 | 343 | If it is not possible or desirable to put the notice in a particular file, then 344 | You may include the notice in a location (such as a LICENSE file in a relevant 345 | directory) where a recipient would be likely to look for such a notice. 346 | 347 | You may add additional accurate notices of copyright ownership. 348 | 349 | Exhibit B - “Incompatible With Secondary Licenses” Notice 350 | 351 | This Source Code Form is “Incompatible 352 | With Secondary Licenses”, as defined by 353 | the Mozilla Public License, v. 2.0. 354 | 355 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | sandbox-win32 2 | ============= 3 | 4 | This is a testbed for researching the behaviour of code when running under a 5 | sandboxed Win32 process. At its core, it implements the ideas behind David 6 | LeBlanc's excellent series [[1](https://blogs.msdn.microsoft.com/david_leblanc/2007/07/27/practical-windows-sandboxing-part-1/)][[2](https://blogs.msdn.microsoft.com/david_leblanc/2007/07/30/practical-windows-sandboxing-part-2/)][[3](https://blogs.msdn.microsoft.com/david_leblanc/2007/07/31/practical-windows-sandboxing-part-3/)] 7 | of blog posts on the topic. As both the blog posts and the original revision of 8 | this code are rather dated at this point (2007 and 2013, respectively), I have 9 | continued to update the sandbox with additional features as Windows' security 10 | features continue to evolve. 11 | 12 | The sandbox consists of two classes: `WindowsSandbox` and 13 | `WindowsSandboxLauncher`. 14 | 15 | Any implementation of a sandboxed process needs to derive from `WindowsSandbox` 16 | and implement its virtual functions. `OnPrivInit` is executed while the 17 | sandboxed process is running with an impersonation token, imbuing the process 18 | with additional rights. Once `OnPrivInit` has finished executing, the sandbox 19 | reverts to its restricted token, adds itself to a job object, and then runs 20 | `OnInit`, which is where untrusted initialization code should be run. `OnFini` 21 | may also be implemented for cleanup code. 22 | 23 | `WindowsSandboxLauncher` is used to prepare and launch the sandboxed process. 24 | `WindowsSandbox` does not provide sandboxing on its own, but only when used in 25 | tandem with `WindowsSandboxLauncher`. 26 | 27 | ### Included Programs 28 | 29 | `proto` was an experimental implementation of a sandbox for EME (now known as 30 | GMP) plug-ins. Its job was to load an untrusted DLL as a data file, verify that 31 | its entry point was set to NULL, and then run its (de)initialization routines. 32 | 33 | `comtest` is the newest experiment to determine the behaviour of COM over RPC 34 | when communicating between a parent process with normal privileges and a 35 | sandboxed child process. 36 | 37 | ## Building this software 38 | 39 | This repository uses [`tup`](http://gittup.org/tup/) as its build system. 40 | Provided that the `tup` binaries are installed and available on your system 41 | `PATH`, you should be able to run `tup` from the repository's root directory and 42 | be able to build the binaries. 43 | 44 | This code was written and successfully built using Visual C++ 2013 Community 45 | Edition. It requires Windows SDK version 10.0.10586.0 in order to correctly 46 | build with the latest Windows 10 security features. 47 | -------------------------------------------------------------------------------- /Tupfile.ini: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dblohm7/sandbox-win32/c129245058f3209241b22c37723a53f545fc170e/Tupfile.ini -------------------------------------------------------------------------------- /bin/Tupfile: -------------------------------------------------------------------------------- 1 | .gitignore 2 | WIN32LIBS = advapi32.lib delayimp.lib ole32.lib pathcch.lib rpcrt4.lib shell32.lib user32.lib 3 | SANDBOXPDB = ../obj/sandbox/*.pdb 4 | : ../obj/comtest/*.obj ../lib/sandbox.lib ../obj/itest/Test_i.obj | ../obj/comtest/*.pdb ../obj/itest/Test_i.pdb $(SANDBOXPDB) |> cl -nologo -Zi -MD %f $(WIN32LIBS) -Fd%O.pdb -Fe%o -link -delayload:ole32.dll -delayload:user32.dll -delayload:shell32.dll && mt -nologo -manifest ../src/compatibility.manifest -outputresource:%o;#1 |> comtest.exe | %O.pdb %O.ilk 5 | : ../obj/proto/*.obj ../lib/sandbox.lib | ../obj/proto/*.pdb $(SANDBOXPDB) |> cl -nologo -Zi -MD %f $(WIN32LIBS) -Fd%O.pdb -Fe%o -link -delayload:ole32.dll -delayload:user32.dll -delayload:shell32.dll && mt -nologo -manifest ../src/compatibility.manifest -outputresource:%o;#1 |> proto.exe | %O.pdb %O.ilk 6 | : ../obj/itest/*.obj | ../src/itest/ITest.def ../obj/itest/*.pdb $(SANDBOXPDB) |> cl -nologo -Zi -MD -LD %f rpcrt4.lib -Fd%O.pdb -Fe%o -link -def:../src/itest/ITest.def |> ITest.dll | %O.pdb %O.ilk %O.exp %O.lib 7 | -------------------------------------------------------------------------------- /include/ArrayLength.h: -------------------------------------------------------------------------------- 1 | #ifndef __ARRAYLENGTH_H 2 | #define __ARRAYLENGTH_H 3 | 4 | template 5 | inline /* constexpr */ size_t ArrayLength(T (&)[N]) 6 | { 7 | return N; 8 | } 9 | 10 | #endif // __ARRAYLENGTH_H 11 | 12 | -------------------------------------------------------------------------------- /include/MakeUniqueLen.h: -------------------------------------------------------------------------------- 1 | #ifndef __ASPK_MAKEUNIQUELEN_H 2 | #define __ASPK_MAKEUNIQUELEN_H 3 | 4 | #include 5 | #include 6 | 7 | #define DECLARE_UNIQUE_LEN(type, name) \ 8 | std::unique_ptr name##Bytes; \ 9 | type name = nullptr 10 | #define ALLOC_UNIQUE_LEN(name, numBytes) \ 11 | name##Bytes = std::make_unique(numBytes); \ 12 | name = reinterpret_cast(name##Bytes.get()) 13 | #define MAKE_UNIQUE_LEN(type, name, numBytes) \ 14 | auto name##Bytes(std::make_unique(numBytes)); \ 15 | auto name = reinterpret_cast(name##Bytes.get()) 16 | 17 | #endif // __ASPK_MAKEUNIQUELEN_H 18 | 19 | -------------------------------------------------------------------------------- /include/UniqueHandle.h: -------------------------------------------------------------------------------- 1 | #ifndef __ASPK_UNIQUEHANDLE_H 2 | #define __ASPK_UNIQUEHANDLE_H 3 | 4 | #include 5 | #include 6 | 7 | #ifdef _WIN32_WINNT 8 | 9 | namespace detail { 10 | 11 | struct KernelHandleDeleter 12 | { 13 | typedef HANDLE pointer; 14 | void operator()(pointer aHandle) { ::CloseHandle(aHandle); } 15 | }; 16 | 17 | struct ModuleHandleDeleter 18 | { 19 | typedef HMODULE pointer; 20 | void operator()(pointer aModule) { ::FreeLibrary(aModule); } 21 | }; 22 | 23 | struct CoTaskMemFreeDeleter 24 | { 25 | void operator()(void* aPtr) { ::CoTaskMemFree(aPtr); } 26 | }; 27 | 28 | template 29 | struct MappedFileViewDeleter 30 | { 31 | void operator()(T* aPtr) { ::UnmapViewOfFile(aPtr); } 32 | }; 33 | 34 | struct ProcAttributeListDeleter 35 | { 36 | void operator()(LPPROC_THREAD_ATTRIBUTE_LIST aProcAttrList) { 37 | ::DeleteProcThreadAttributeList(aProcAttrList); 38 | } 39 | }; 40 | 41 | } // namespace detail 42 | 43 | using UniqueKernelHandle = std::unique_ptr::type, detail::KernelHandleDeleter>; 44 | using UniqueModuleHandle = std::unique_ptr::type, detail::ModuleHandleDeleter>; 45 | using UniqueCOMAllocatedString = std::unique_ptr::type, detail::CoTaskMemFreeDeleter>; 46 | template 47 | using UniqueMappedFileView = std::unique_ptr::type, detail::MappedFileViewDeleter>; 48 | using UniqueProcAttributeList = std::unique_ptr::type, detail::ProcAttributeListDeleter>; 49 | 50 | #endif // _WIN32_WINNT 51 | 52 | #endif // __ASPK_UNIQUEHANDLE_H 53 | 54 | -------------------------------------------------------------------------------- /include/WindowsSandbox.h: -------------------------------------------------------------------------------- 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 | /* This Source Code Form is subject to the terms of the Mozilla Public 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 | 7 | #ifndef __WINDOWSSANDBOX_H 8 | #define __WINDOWSSANDBOX_H 9 | 10 | #include 11 | #include "Dacl.h" 12 | #include "Sid.h" 13 | #include "UniqueHandle.h" 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | namespace mozilla { 21 | 22 | class WindowsSandbox 23 | { 24 | public: 25 | WindowsSandbox() {} 26 | virtual ~WindowsSandbox() {} 27 | 28 | bool Init(int aArgc, wchar_t* aArgv[]); 29 | void Fini(); 30 | 31 | static const std::wstring DESKTOP_NAME; 32 | static const std::wstring_view SWITCH_JOB_HANDLE; 33 | 34 | protected: 35 | virtual DWORD64 GetDeferredMitigationPolicies() { return 0; } 36 | virtual bool OnPrivInit() = 0; 37 | virtual bool OnInit() = 0; 38 | virtual void OnFini() = 0; 39 | 40 | private: 41 | bool ValidateJobHandle(HANDLE aJob); 42 | bool SetMitigations(const DWORD64 aMitigations); 43 | bool DropProcessIntegrityLevel(); 44 | }; 45 | 46 | class WindowsSandboxLauncher 47 | { 48 | public: 49 | WindowsSandboxLauncher(); 50 | virtual ~WindowsSandboxLauncher(); 51 | 52 | enum InitFlags 53 | { 54 | eInitNormal = 0, 55 | eInitNoSeparateWindowStation = 1 56 | }; 57 | 58 | bool Init(InitFlags aInitFlags = eInitNormal, 59 | DWORD64 aMitigationPolicies = DEFAULT_MITIGATION_POLICIES); 60 | 61 | inline void AddHandleToInherit(HANDLE aHandle) 62 | { 63 | if (aHandle) { 64 | mHandlesToInherit.push_back(aHandle); 65 | } 66 | } 67 | bool Launch(const std::wstring_view aExecutablePath, const std::wstring_view aBaseCmdLine); 68 | bool Wait(unsigned int aTimeoutMs) const; 69 | bool IsSandboxRunning() const; 70 | bool GetInheritableSecurityDescriptor(SECURITY_ATTRIBUTES& aSa, 71 | const BOOL aInheritable = TRUE); 72 | 73 | static const DWORD64 DEFAULT_MITIGATION_POLICIES; 74 | 75 | protected: 76 | virtual bool PreResume() { return true; } 77 | 78 | private: 79 | bool CreateTokens(const Sid& aCustomSid, UniqueKernelHandle& aRestrictedToken, 80 | UniqueKernelHandle& aImpersonationToken, Sid& aLogonSid); 81 | HWINSTA CreateWindowStation(); 82 | std::optional GetWindowStationName(HWINSTA aWinsta); 83 | HDESK CreateDesktop(HWINSTA aWinsta, const Sid& aCustomSid); 84 | bool CreateJob(UniqueKernelHandle& aJob); 85 | std::optional GetWorkingDirectory(UniqueKernelHandle& aToken); 86 | std::optional CreateAbsolutePath(const std::wstring_view aInputPath); 87 | bool BuildInheritableSecurityDescriptor(const Sid& aLogonSid); 88 | 89 | InitFlags mInitFlags; 90 | std::vector mHandlesToInherit; 91 | bool mHasWin8APIs; 92 | bool mHasWin10APIs; 93 | DWORD64 mMitigationPolicies; 94 | HANDLE mProcess; 95 | HWINSTA mWinsta; 96 | HDESK mDesktop; 97 | Dacl mInheritableDacl; 98 | SECURITY_DESCRIPTOR mInheritableSd; 99 | }; 100 | 101 | } // namespace mozilla 102 | 103 | #endif // __WINDOWSSANDBOX_H 104 | 105 | -------------------------------------------------------------------------------- /include/dacl.h: -------------------------------------------------------------------------------- 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 | /* This Source Code Form is subject to the terms of the Mozilla Public 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 | 7 | #ifndef __DACL_H 8 | #define __DACL_H 9 | 10 | #include 11 | 12 | #include 13 | #include 14 | 15 | namespace mozilla { 16 | 17 | class Sid; 18 | 19 | class Dacl final 20 | { 21 | public: 22 | Dacl(); 23 | ~Dacl(); 24 | 25 | void Clear(); 26 | 27 | void AddAllowedAce(const Sid& aSid, ACCESS_MASK aAccessMask); 28 | void AddDeniedAce(const Sid& aSid, ACCESS_MASK aAccessMask); 29 | bool Merge(PACL aAcl); 30 | 31 | operator PACL(); 32 | explicit operator bool() { return (PACL)(*this) != nullptr; } 33 | 34 | Dacl(const Dacl&) = delete; 35 | Dacl(Dacl&&) = delete; 36 | Dacl& operator=(const Dacl&) = delete; 37 | Dacl& operator=(Dacl&&) = delete; 38 | 39 | private: 40 | void AddAce(const Sid& aSid, ACCESS_MODE aAccessMode, ACCESS_MASK aAccessMask); 41 | 42 | PACL mAcl; 43 | bool mModified; 44 | std::vector mAces; 45 | }; 46 | 47 | } // namespace mozilla 48 | 49 | #endif // __DACL_H 50 | 51 | -------------------------------------------------------------------------------- /include/sid.h: -------------------------------------------------------------------------------- 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 | /* This Source Code Form is subject to the terms of the Mozilla Public 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 | 7 | #ifndef __SID_H 8 | #define __SID_H 9 | 10 | #include 11 | #include 12 | 13 | namespace mozilla { 14 | 15 | class Sid final 16 | { 17 | public: 18 | Sid(); 19 | explicit Sid(const WELL_KNOWN_SID_TYPE aSidType); 20 | Sid(const Sid& aOther); 21 | Sid(Sid&& aOther); 22 | ~Sid(); 23 | 24 | Sid& operator=(const Sid& aOther); 25 | Sid& operator=(Sid&& aOther); 26 | 27 | bool Init(SID_IDENTIFIER_AUTHORITY& aAuth, DWORD aRid0, DWORD aRid1 = 0, 28 | DWORD aRid2 = 0, DWORD aRid3 = 0, DWORD aRid4 = 0, DWORD aRid5 = 0, 29 | DWORD aRid6 = 0, DWORD aRid7 = 0); 30 | bool Init(const WELL_KNOWN_SID_TYPE aSidType); 31 | bool Init(const PSID aSid); 32 | 33 | bool InitCustom(); 34 | 35 | bool IsValid() const { return !!mSid; } 36 | void GetTrustee(TRUSTEE& aTrustee) const; 37 | 38 | operator PSID() const { return mSid; } 39 | bool operator== (PSID aOther) const; 40 | bool operator== (const Sid& aOther) const; 41 | 42 | static const Sid& GetAdministrators(); 43 | static const Sid& GetLocalSystem(); 44 | static const Sid& GetEveryone(); 45 | static const Sid& GetRestricted(); 46 | static const Sid& GetUsers(); 47 | static const Sid& GetIntegrityUntrusted(); 48 | static const Sid& GetIntegrityLow(); 49 | static const Sid& GetIntegrityMedium(); 50 | static const Sid& GetIntegrityHigh(); 51 | static const Sid& GetIntegritySystem(); 52 | 53 | private: 54 | void Clear(); 55 | 56 | PSID mSid; 57 | bool mSelfAllocated; 58 | }; 59 | 60 | } // namespace mozilla 61 | 62 | #endif // __SID_H 63 | 64 | -------------------------------------------------------------------------------- /include/sidattrs.h: -------------------------------------------------------------------------------- 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 | /* This Source Code Form is subject to the terms of the Mozilla Public 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 | 7 | #ifndef __SIDATTRS_H 8 | #define __SIDATTRS_H 9 | 10 | #include 11 | #include "Sid.h" 12 | 13 | namespace mozilla { 14 | 15 | class SidAttributes final 16 | { 17 | public: 18 | SidAttributes() = default; 19 | 20 | enum SidListFilterFlag 21 | { 22 | FILTER_NOTHING = 0, 23 | FILTER_INTEGRITY = 1, 24 | FILTER_RESTRICTED_DISABLE = 2, 25 | FILTER_ADD_RESTRICTED = 4 26 | }; 27 | 28 | bool CreateFromTokenGroups(HANDLE aToken, unsigned int aFilterFlags, 29 | Sid* aLogonSid = nullptr); 30 | 31 | size_t Count() const { return mSidAttrs.size(); } 32 | operator PSID_AND_ATTRIBUTES() { return &mSidAttrs[0]; } 33 | 34 | SidAttributes(const SidAttributes&) = delete; 35 | SidAttributes(SidAttributes&&) = delete; 36 | SidAttributes& operator=(const SidAttributes&) = delete; 37 | SidAttributes& operator=(SidAttributes&&) = delete; 38 | 39 | private: 40 | void Push(const Sid& aSid, const DWORD aAttrs = 0); 41 | 42 | std::vector mSidAttrs; 43 | std::vector mSids; 44 | }; 45 | 46 | } // namespace mozilla 47 | 48 | #endif // __SIDATTRS_H 49 | 50 | -------------------------------------------------------------------------------- /lib/Tupfile: -------------------------------------------------------------------------------- 1 | .gitignore 2 | : ../obj/sandbox/*.obj |> lib -nologo %f -out:sandbox.lib |> sandbox.lib 3 | -------------------------------------------------------------------------------- /obj/comtest/Tupfile: -------------------------------------------------------------------------------- 1 | .gitignore 2 | : foreach ../../src/comtest/*.cpp | ../itest/Test.h |> cl -nologo -Zi -EHsc -MD -std:c++17 -D_WIN32_WINNT=0x0A00 -DUNICODE -D_UNICODE -I../../include -I../itest -c %f -Fd%B.pdb -Fo%o |> %B.obj | %B.pdb 3 | -------------------------------------------------------------------------------- /obj/itest/Tupfile: -------------------------------------------------------------------------------- 1 | .gitignore 2 | : ../../src/itest/Test.idl |> midl -nologo -x64 -Oicf %f |> %B.h %B_p.c %B_i.c dlldata.c 3 | : foreach *.c | Test.h |> cl -nologo -Zi -EHsc -MD -std:c++17 -DWIN32 -D_WIN32_WINNT=0x0A00 -DUNICODE -D_UNICODE -DREGISTER_PROXY_DLL -c %f -Fd%B.pdb -Fo%o |> %B.obj | %B.pdb 4 | -------------------------------------------------------------------------------- /obj/proto/Tupfile: -------------------------------------------------------------------------------- 1 | .gitignore 2 | 3 | ifndef INIT_FUNCTION 4 | INIT_FUNCTION=INITIALIZE_CDM_MODULE 5 | endif 6 | 7 | ifndef DEINIT_FUNCTION 8 | DEINIT_FUNCTION=DeinitializeCdmModule 9 | endif 10 | 11 | : foreach ../../src/proto/*.cpp |> cl -nologo -Zi -EHsc -MD -std:c++17 -D_WIN32_WINNT=0x0A00 -DUNICODE -D_UNICODE -DINIT_FUNCTION_NAME="\"$(INIT_FUNCTION)\"" -DDEINIT_FUNCTION_NAME="\"$(DEINIT_FUNCTION)\"" -I../../include -c %f -Fd%B.pdb -Fo%o |> %B.obj | %B.pdb 12 | -------------------------------------------------------------------------------- /obj/sandbox/Tupfile: -------------------------------------------------------------------------------- 1 | .gitignore 2 | : foreach ../../src/sandbox/*.cpp |> cl -nologo -Zi -EHsc -MD -std:c++17 -D_WIN32_WINNT=0x0A00 -DUNICODE -D_UNICODE -I../../include -c %f -Fd%B.pdb -Fo%o |> %B.obj | %B.pdb 3 | -------------------------------------------------------------------------------- /src/compatibility.manifest: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /src/comtest/comarshal.cpp: -------------------------------------------------------------------------------- 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 | /* This Source Code Form is subject to the terms of the Mozilla Public 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 | 7 | #include "comarshal.h" 8 | #include "mscom.h" 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | namespace { 15 | 16 | template 17 | class DynamicallyLinkedFunctionPtr; 18 | 19 | template 20 | class DynamicallyLinkedFunctionPtr 21 | { 22 | typedef R (__stdcall* FunctionPtrT)(Args...); 23 | 24 | public: 25 | DynamicallyLinkedFunctionPtr(const wchar_t* aLibName, const char* aFuncName) 26 | : mModule(NULL) 27 | , mFunction(nullptr) 28 | { 29 | mModule = ::LoadLibraryW(aLibName); 30 | if (mModule) { 31 | mFunction = reinterpret_cast( 32 | ::GetProcAddress(mModule, aFuncName)); 33 | } 34 | } 35 | 36 | DynamicallyLinkedFunctionPtr(const DynamicallyLinkedFunctionPtr&) = delete; 37 | DynamicallyLinkedFunctionPtr& operator=(const DynamicallyLinkedFunctionPtr&) = delete; 38 | 39 | DynamicallyLinkedFunctionPtr(DynamicallyLinkedFunctionPtr&&) = delete; 40 | DynamicallyLinkedFunctionPtr& operator=(DynamicallyLinkedFunctionPtr&&) = delete; 41 | 42 | ~DynamicallyLinkedFunctionPtr() 43 | { 44 | if (mModule) { 45 | ::FreeLibrary(mModule); 46 | } 47 | } 48 | 49 | // TODO: s/std::forward/mozilla::Forward/ 50 | R operator()(Args... args) 51 | { 52 | return mFunction(std::forward(args)...); 53 | } 54 | 55 | bool operator!() const 56 | { 57 | return !mFunction; 58 | } 59 | 60 | private: 61 | HMODULE mModule; 62 | FunctionPtrT mFunction; 63 | }; 64 | 65 | } // anonymous namespace 66 | 67 | namespace mozilla { 68 | 69 | // GetBuffer() fails with this variant, but that's okay because we're just 70 | // reconstructing the stream from a buffer anyway. 71 | ProxyStream::ProxyStream(const BYTE* aInitBuf, const int aInitBufSize) 72 | : mStream(Init(aInitBuf, static_cast(aInitBufSize))) 73 | , mGlobalLockedBuf(nullptr, ::GlobalUnlock) 74 | , mBufSize(aInitBufSize) 75 | { 76 | } 77 | 78 | IStream* 79 | ProxyStream::Init(const BYTE* aInitBuf, const UINT aInitBufSize) 80 | { 81 | // Need to link to this as ordinal 12 for Windows XP 82 | static DynamicallyLinkedFunctionPtr 83 | pSHCreateMemStream(L"shlwapi.dll", reinterpret_cast(12)); 84 | if (!pSHCreateMemStream) { 85 | return nullptr; 86 | } 87 | return pSHCreateMemStream(aInitBuf, aInitBufSize); 88 | } 89 | 90 | ProxyStream::ProxyStream(ProxyStream&& aOther) 91 | : mGlobalLockedBuf(nullptr, &::GlobalUnlock) 92 | { 93 | // TODO: s/std::move/mozilla::Move/ 94 | *this = std::move(aOther); 95 | } 96 | 97 | ProxyStream& 98 | ProxyStream::operator=(ProxyStream&& aOther) 99 | { 100 | mStream = aOther.mStream; 101 | // TODO: s/std::move/mozilla::Move/ 102 | mGlobalLockedBuf = std::move(aOther.mGlobalLockedBuf); 103 | mBufSize = aOther.mBufSize; 104 | return *this; 105 | } 106 | 107 | ProxyStream::~ProxyStream() 108 | { 109 | } 110 | 111 | const char* 112 | ProxyStream::GetBuffer(int& aReturnedBufSize) const 113 | { 114 | aReturnedBufSize = 0; 115 | if (!mStream) { 116 | return nullptr; 117 | } 118 | if (!mGlobalLockedBuf) { 119 | return nullptr; 120 | } 121 | aReturnedBufSize = mBufSize; 122 | return reinterpret_cast(mGlobalLockedBuf.get()); 123 | } 124 | 125 | /** 126 | * This is a "one-shot" call: once the interface has been retrieved, you cannot 127 | * invoke this function successfully anymore. 128 | */ 129 | bool 130 | ProxyStream::GetInterface(REFIID aIID, void** aOutInterface) 131 | { 132 | // We should not have a locked buffer on this side 133 | MOZ_ASSERT(!mGlobalLockedBuf); 134 | HRESULT hr = ::CoGetInterfaceAndReleaseStream(mStream.Detach(), aIID, 135 | aOutInterface); 136 | return SUCCEEDED(hr); 137 | } 138 | 139 | // TODO: CoMarshalInterface must be called on a MTA thread! 140 | ProxyStream::ProxyStream(REFIID aIID, IUnknown* aObject) 141 | : mGlobalLockedBuf(nullptr, &::GlobalUnlock) 142 | , mBufSize(0) 143 | { 144 | MTARegion mtaRegion; 145 | // CoMarshalInterface *must* be called on a MTA thread! 146 | MOZ_ASSERT(!!mtaRegion); 147 | if (!mtaRegion) { 148 | return; 149 | } 150 | 151 | IStreamPtr stream; 152 | HRESULT hr = ::CreateStreamOnHGlobal(nullptr, TRUE, &stream); 153 | if (FAILED(hr)) { 154 | return; 155 | } 156 | 157 | hr = ::CoMarshalInterface(stream, aIID, aObject, MSHCTX_LOCAL, nullptr, 158 | MSHLFLAGS_NORMAL); 159 | if (FAILED(hr)) { 160 | return; 161 | } 162 | 163 | HGLOBAL hglobal = NULL; 164 | hr = ::GetHGlobalFromStream(stream, &hglobal); 165 | if (FAILED(hr)) { 166 | return; 167 | } 168 | 169 | mStream = stream; 170 | mGlobalLockedBuf.reset(::GlobalLock(hglobal)); 171 | mBufSize = static_cast(::GlobalSize(hglobal)); 172 | } 173 | 174 | } // namespace mozilla 175 | 176 | -------------------------------------------------------------------------------- /src/comtest/comarshal.h: -------------------------------------------------------------------------------- 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 | /* This Source Code Form is subject to the terms of the Mozilla Public 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 | 7 | #ifndef mozilla_comarshal_h 8 | #define mozilla_comarshal_h 9 | 10 | // #include "ipc/IPCMessageUtils.h" 11 | 12 | #if defined(MOZILLA_INTERNAL_API) 13 | #include "mozilla/UniquePtr.h" 14 | #else 15 | #include 16 | #endif 17 | 18 | // For smart pointer and associated macros 19 | #include 20 | 21 | #if !defined(__IPC_GLUE_IPCMESSAGEUTILS_H__) 22 | namespace IPC { 23 | template 24 | struct ParamTraits; 25 | } // namespace IPC 26 | #endif 27 | 28 | namespace mozilla { 29 | 30 | _COM_SMARTPTR_TYPEDEF(IStream, __uuidof(IStream)); 31 | 32 | class ProxyStream 33 | { 34 | public: 35 | ProxyStream(REFIID aIID, IUnknown* aObject); 36 | ProxyStream(const BYTE* aInitBuf, const int aInitBufSize); 37 | 38 | ~ProxyStream(); 39 | 40 | // Not copyable because this can mess up COM marshaling. If we wanted this 41 | // to be copyable, we could call ::CoMarshalInterface() with the 42 | // MSHLFLAGS_TABLESTRONG flag, but it's more work to track references. 43 | ProxyStream(const ProxyStream& aOther) = delete; 44 | ProxyStream& operator=(const ProxyStream& aOther) = delete; 45 | 46 | ProxyStream(ProxyStream&& aOther); 47 | ProxyStream& operator=(ProxyStream&& aOther); 48 | 49 | inline bool IsValid() const { return !!mStream; } 50 | 51 | bool GetInterface(REFIID aIID, void** aOutInterface); 52 | 53 | private: 54 | IStream* Init(const BYTE* aInitBuf, const UINT aInitBufSize); 55 | 56 | // GetBuffer should not be called outside of IPDL serializer 57 | friend struct IPC::ParamTraits; 58 | #if !defined(MOZILLA_INTERNAL_API) 59 | public: 60 | #endif 61 | const char* GetBuffer(int& aReturnedBufSize) const; 62 | 63 | private: 64 | // TODO: s/std::unique_ptr/mozilla::UniquePtr/ 65 | typedef std::unique_ptr GlobalLockedPtr; 66 | 67 | private: 68 | IStreamPtr mStream; 69 | GlobalLockedPtr mGlobalLockedBuf; 70 | int mBufSize; 71 | }; 72 | 73 | } // namespace mozilla 74 | 75 | #if defined(__IPC_GLUE_IPCMESSAGEUTILS_H__) 76 | 77 | namespace IPC { 78 | 79 | template<> 80 | struct ParamTraits 81 | { 82 | typedef mozilla::ProxyStream paramType; 83 | 84 | static void Write(Message* aMsg, const paramType& aParam) 85 | { 86 | int bufLen; 87 | const PBYTE buf = aParam.GetBuffer(bufLen); 88 | MOZ_ASSERT(buf); 89 | aMsg->WriteData(reinterpret_cast(buf), bufLen); 90 | } 91 | 92 | static bool Read(const Message* aMsg, void** aIter, paramType* aResult) 93 | { 94 | int length; 95 | const char* buf; 96 | if (!aMsg->ReadData(aIter, &buf, &length)) { 97 | return false; 98 | } 99 | *aResult = paramType(reinterpret_cast(buf), length); 100 | return true; 101 | } 102 | }; 103 | 104 | } // namespace IPC 105 | 106 | #endif // defined(__IPC_GLUE_IPCMESSAGEUTILS_H__) 107 | 108 | #endif // mozilla_comarshal_h 109 | -------------------------------------------------------------------------------- /src/comtest/comtest.cpp: -------------------------------------------------------------------------------- 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 | /* This Source Code Form is subject to the terms of the Mozilla Public 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | #include 12 | #include 13 | #include // For IAccessible 14 | #include 15 | 16 | #include "dacl.h" 17 | #include "sid.h" 18 | #include "UniqueHandle.h" 19 | #include "WindowsSandbox.h" 20 | 21 | #include "comarshal.h" 22 | #include "mscom.h" 23 | #include "handoff.h" 24 | 25 | using std::wcout; 26 | using std::wcerr; 27 | using std::endl; 28 | using std::wostringstream; 29 | using mozilla::WindowsSandboxLauncher; 30 | using mozilla::mscom::Handoff; 31 | 32 | namespace { 33 | 34 | struct BufDescriptor 35 | { 36 | int mLen; 37 | BYTE mData[0]; 38 | }; 39 | 40 | class TestAccessible : public IAccessible 41 | { 42 | public: 43 | // IUnknown 44 | STDMETHODIMP QueryInterface(REFIID riid, void** ppv) override; 45 | STDMETHODIMP_(ULONG) AddRef() override; 46 | STDMETHODIMP_(ULONG) Release() override; 47 | 48 | // IAccessible 49 | virtual /* [id][propget] */ HRESULT STDMETHODCALLTYPE get_accParent( 50 | /* [retval][out] */ IDispatch __RPC_FAR *__RPC_FAR *ppdispParent) override 51 | { return E_NOTIMPL; } 52 | 53 | 54 | virtual /* [id][propget] */ HRESULT STDMETHODCALLTYPE get_accChildCount( 55 | /* [retval][out] */ long __RPC_FAR *pcountChildren) override 56 | { return E_NOTIMPL; } 57 | 58 | 59 | virtual /* [id][propget] */ HRESULT STDMETHODCALLTYPE get_accChild( 60 | /* [in] */ VARIANT varChild, 61 | /* [retval][out] */ IDispatch __RPC_FAR *__RPC_FAR *ppdispChild) override 62 | { return E_NOTIMPL; } 63 | 64 | 65 | virtual /* [id][propget] */ HRESULT STDMETHODCALLTYPE get_accName( 66 | /* [optional][in] */ VARIANT varChild, 67 | /* [retval][out] */ BSTR __RPC_FAR *pszName) override 68 | { return E_NOTIMPL; } 69 | 70 | 71 | virtual /* [id][propget] */ HRESULT STDMETHODCALLTYPE get_accValue( 72 | /* [optional][in] */ VARIANT varChild, 73 | /* [retval][out] */ BSTR __RPC_FAR *pszValue) override 74 | { return E_NOTIMPL; } 75 | 76 | 77 | virtual /* [id][propget] */ HRESULT STDMETHODCALLTYPE get_accDescription( 78 | /* [optional][in] */ VARIANT varChild, 79 | /* [retval][out] */ BSTR __RPC_FAR *pszDescription) override 80 | { return E_NOTIMPL; } 81 | 82 | 83 | virtual /* [id][propget] */ HRESULT STDMETHODCALLTYPE get_accRole( 84 | /* [optional][in] */ VARIANT varChild, 85 | /* [retval][out] */ VARIANT __RPC_FAR *pvarRole) override 86 | { return E_NOTIMPL; } 87 | 88 | 89 | virtual /* [id][propget] */ HRESULT STDMETHODCALLTYPE get_accState( 90 | /* [optional][in] */ VARIANT varChild, 91 | /* [retval][out] */ VARIANT __RPC_FAR *pvarState) override 92 | { return E_NOTIMPL; } 93 | 94 | 95 | virtual /* [id][propget] */ HRESULT STDMETHODCALLTYPE get_accHelp( 96 | /* [optional][in] */ VARIANT varChild, 97 | /* [retval][out] */ BSTR __RPC_FAR *pszHelp) override 98 | { return E_NOTIMPL; } 99 | 100 | 101 | virtual /* [id][propget] */ HRESULT STDMETHODCALLTYPE get_accHelpTopic( 102 | /* [out] */ BSTR __RPC_FAR *pszHelpFile, 103 | /* [optional][in] */ VARIANT varChild, 104 | /* [retval][out] */ long __RPC_FAR *pidTopic) override 105 | { return E_NOTIMPL; } 106 | 107 | 108 | virtual /* [id][propget] */ HRESULT STDMETHODCALLTYPE get_accKeyboardShortcut( 109 | /* [optional][in] */ VARIANT varChild, 110 | /* [retval][out] */ BSTR __RPC_FAR *pszKeyboardShortcut) override 111 | { return E_NOTIMPL; } 112 | 113 | 114 | virtual /* [id][propget] */ HRESULT STDMETHODCALLTYPE get_accFocus( 115 | /* [retval][out] */ VARIANT __RPC_FAR *pvarChild) override 116 | { return E_NOTIMPL; } 117 | 118 | 119 | virtual /* [id][propget] */ HRESULT STDMETHODCALLTYPE get_accSelection( 120 | /* [retval][out] */ VARIANT __RPC_FAR *pvarChildren) override 121 | { return E_NOTIMPL; } 122 | 123 | 124 | virtual /* [id][propget] */ HRESULT STDMETHODCALLTYPE get_accDefaultAction( 125 | /* [optional][in] */ VARIANT varChild, 126 | /* [retval][out] */ BSTR __RPC_FAR *pszDefaultAction) override 127 | { return E_NOTIMPL; } 128 | 129 | 130 | virtual /* [id] */ HRESULT STDMETHODCALLTYPE accSelect( 131 | /* [in] */ long flagsSelect, 132 | /* [optional][in] */ VARIANT varChild) override 133 | { return E_NOTIMPL; } 134 | 135 | 136 | virtual /* [id] */ HRESULT STDMETHODCALLTYPE accLocation( 137 | /* [out] */ long __RPC_FAR *pxLeft, 138 | /* [out] */ long __RPC_FAR *pyTop, 139 | /* [out] */ long __RPC_FAR *pcxWidth, 140 | /* [out] */ long __RPC_FAR *pcyHeight, 141 | /* [optional][in] */ VARIANT varChild) override 142 | { return E_NOTIMPL; } 143 | 144 | 145 | virtual /* [id] */ HRESULT STDMETHODCALLTYPE accNavigate( 146 | /* [in] */ long navDir, 147 | /* [optional][in] */ VARIANT varStart, 148 | /* [retval][out] */ VARIANT __RPC_FAR *pvarEndUpAt) override 149 | { return E_NOTIMPL; } 150 | 151 | 152 | virtual /* [id] */ HRESULT STDMETHODCALLTYPE accHitTest( 153 | /* [in] */ long xLeft, 154 | /* [in] */ long yTop, 155 | /* [retval][out] */ VARIANT __RPC_FAR *pvarChild) override; 156 | 157 | 158 | virtual /* [id] */ HRESULT STDMETHODCALLTYPE accDoDefaultAction( 159 | /* [optional][in] */ VARIANT varChild) override 160 | { return E_NOTIMPL; } 161 | 162 | 163 | virtual /* [id][propput] */ HRESULT STDMETHODCALLTYPE put_accName( 164 | /* [optional][in] */ VARIANT varChild, 165 | /* [in] */ BSTR szName) override 166 | { return E_NOTIMPL; } 167 | 168 | 169 | virtual /* [id][propput] */ HRESULT STDMETHODCALLTYPE put_accValue( 170 | /* [optional][in] */ VARIANT varChild, 171 | /* [in] */ BSTR szValue) override 172 | { return E_NOTIMPL; } 173 | 174 | 175 | // IDispatch (support of scripting languages like VB) 176 | virtual HRESULT STDMETHODCALLTYPE GetTypeInfoCount(UINT *pctinfo) override 177 | { return E_NOTIMPL; } 178 | 179 | 180 | virtual HRESULT STDMETHODCALLTYPE GetTypeInfo(UINT iTInfo, LCID lcid, 181 | ITypeInfo **ppTInfo) override 182 | { return E_NOTIMPL; } 183 | 184 | 185 | virtual HRESULT STDMETHODCALLTYPE GetIDsOfNames(REFIID riid, 186 | LPOLESTR *rgszNames, 187 | UINT cNames, 188 | LCID lcid, 189 | DISPID *rgDispId) override 190 | { return E_NOTIMPL; } 191 | 192 | 193 | virtual HRESULT STDMETHODCALLTYPE Invoke(DISPID dispIdMember, REFIID riid, 194 | LCID lcid, WORD wFlags, 195 | DISPPARAMS *pDispParams, 196 | VARIANT *pVarResult, 197 | EXCEPINFO *pExcepInfo, 198 | UINT *puArgErr) override 199 | { return E_NOTIMPL; } 200 | 201 | 202 | 203 | static HRESULT Create(HANDLE aEvent, REFIID riid, void** ppv); 204 | 205 | private: 206 | explicit TestAccessible(HANDLE aEvent); 207 | virtual ~TestAccessible(); 208 | 209 | private: 210 | ULONG mRefCnt; 211 | HANDLE mEvent; 212 | }; 213 | 214 | TestAccessible::TestAccessible(HANDLE aEvent) 215 | : mRefCnt(1) 216 | , mEvent(aEvent) 217 | { 218 | } 219 | 220 | TestAccessible::~TestAccessible() 221 | { 222 | } 223 | 224 | HRESULT 225 | TestAccessible::Create(HANDLE aEvent, REFIID riid, void** ppv) 226 | { 227 | if (!ppv) { 228 | return E_INVALIDARG; 229 | } 230 | *ppv = nullptr; 231 | TestAccessible* imp = new TestAccessible(aEvent); 232 | if (!imp) { 233 | return E_OUTOFMEMORY; 234 | } 235 | HRESULT hr = imp->QueryInterface(riid, ppv); 236 | imp->Release(); 237 | return hr; 238 | } 239 | 240 | HRESULT 241 | TestAccessible::QueryInterface(REFIID riid, void** ppv) 242 | { 243 | IUnknown* punk = nullptr; 244 | if (!ppv) { 245 | return E_INVALIDARG; 246 | } 247 | 248 | if (riid == IID_IUnknown) { 249 | punk = static_cast(this); 250 | } else if (riid == IID_IDispatch) { 251 | punk = static_cast(this); 252 | } else if (riid == IID_IAccessible) { 253 | punk = static_cast(this); 254 | } 255 | 256 | *ppv = punk; 257 | if (!punk) { 258 | return E_NOINTERFACE; 259 | } 260 | 261 | punk->AddRef(); 262 | return S_OK; 263 | } 264 | 265 | ULONG 266 | TestAccessible::AddRef() 267 | { 268 | return (ULONG) InterlockedIncrement((LONG*)&mRefCnt); 269 | } 270 | 271 | ULONG 272 | TestAccessible::Release() 273 | { 274 | ULONG newRefCnt = (ULONG) InterlockedDecrement((LONG*)&mRefCnt); 275 | if (newRefCnt == 0) { 276 | delete this; 277 | } 278 | return newRefCnt; 279 | } 280 | 281 | HRESULT STDMETHODCALLTYPE 282 | TestAccessible::accHitTest( 283 | /* [in] */ long xLeft, 284 | /* [in] */ long yTop, 285 | /* [retval][out] */ VARIANT __RPC_FAR *pvarChild) 286 | { 287 | bool inOk = xLeft == 7 && yTop == 248; 288 | pvarChild->vt = VT_I4; 289 | pvarChild->lVal = CHILDID_SELF; 290 | ::SetEvent(mEvent); 291 | return inOk ? S_OK : E_FAIL; 292 | } 293 | 294 | const WCHAR gSectionName[] = L"comtest-shm"; 295 | const WCHAR gEventName[] = L"comtest-evt"; 296 | 297 | class COMTestSandbox : public mozilla::WindowsSandbox 298 | { 299 | public: 300 | explicit COMTestSandbox() 301 | {} 302 | virtual ~COMTestSandbox() 303 | { 304 | Fini(); 305 | } 306 | 307 | protected: 308 | virtual bool OnPrivInit(); 309 | virtual bool OnInit(); 310 | virtual void OnFini(); 311 | 312 | private: 313 | UniqueKernelHandle mSection; 314 | UniqueMappedFileView mSharedBuffer; 315 | 316 | UniqueKernelHandle mEvent; 317 | }; 318 | 319 | bool 320 | COMTestSandbox::OnPrivInit() 321 | { 322 | mSection.reset(::OpenFileMapping(FILE_MAP_ALL_ACCESS, FALSE, gSectionName)); 323 | if (!mSection) { 324 | return false; 325 | } 326 | mSharedBuffer.reset(reinterpret_cast( 327 | ::MapViewOfFile(mSection.get(), FILE_MAP_ALL_ACCESS, 0, 328 | 0, 0))); 329 | if (!mSharedBuffer) { 330 | return false; 331 | } 332 | mEvent.reset(::OpenEvent(EVENT_MODIFY_STATE, FALSE, gEventName)); 333 | if (!mEvent) { 334 | return false; 335 | } 336 | 337 | mozilla::MTARegion comrgn; 338 | 339 | // Get the CLSID of the proxy/stub marshaler DLL 340 | CLSID psClsid; 341 | HRESULT hr = ::CoGetPSClsid(IID_IAccessible, &psClsid); 342 | if (FAILED(hr)) { 343 | return false; 344 | } 345 | // Now look up the DLL's location via the registry 346 | LPOLESTR strClsid = nullptr; 347 | hr = ::StringFromCLSID(psClsid, &strClsid); 348 | if (FAILED(hr)) { 349 | return false; 350 | } 351 | wostringstream oss; 352 | oss << L"CLSID\\"; 353 | oss << strClsid; 354 | oss << L"\\InProcServer32"; 355 | ::CoTaskMemFree(strClsid); 356 | 357 | wchar_t proxyDllPath[MAX_PATH + 1] = {0}; 358 | DWORD proxyDllPathNumBytes = sizeof(proxyDllPath); 359 | LONG regOk = ::RegGetValue(HKEY_CLASSES_ROOT, oss.str().c_str(), nullptr, 360 | RRF_RT_REG_SZ, nullptr, proxyDllPath, 361 | &proxyDllPathNumBytes); 362 | if (regOk != ERROR_SUCCESS) { 363 | return false; 364 | } 365 | // Now proxyDllPath contains the location of the proxy DLL; we need to 366 | // allow the sandbox to access it. Let's just leak a LoadLibrary call. 367 | HMODULE proxyDll = ::LoadLibrary(proxyDllPath); 368 | return !!proxyDll; 369 | } 370 | 371 | bool 372 | COMTestSandbox::OnInit() 373 | { 374 | if (FAILED(::CoInitializeEx(nullptr, COINIT_MULTITHREADED))) { 375 | return false; 376 | } 377 | 378 | UniqueKernelHandle callEvent(::CreateEvent(nullptr, FALSE, FALSE, nullptr)); 379 | if (!callEvent) { 380 | return false; 381 | } 382 | IAccessiblePtr test; 383 | if (FAILED(TestAccessible::Create(callEvent.get(), IID_IAccessible, (void**)&test))) { 384 | return false; 385 | } 386 | IAccessiblePtr replacement; 387 | if (FAILED(Handoff::WrapInterface(::GetCurrentThread(), test, 388 | &replacement))) { 389 | return false; 390 | } 391 | mozilla::ProxyStream outStream(IID_IAccessible, replacement); 392 | if (!outStream.IsValid()) { 393 | return false; 394 | } 395 | int len = 0; 396 | const char* buf = outStream.GetBuffer(len); 397 | mSharedBuffer->mLen = len; 398 | memcpy(&mSharedBuffer->mData[0], buf, len); 399 | ::SetEvent(mEvent.get()); 400 | while (::WaitForSingleObjectEx(callEvent.get(), INFINITE, TRUE) != WAIT_OBJECT_0) {} 401 | return true; 402 | } 403 | 404 | void 405 | COMTestSandbox::OnFini() 406 | { 407 | ::CoUninitialize(); 408 | } 409 | 410 | } 411 | 412 | static UniqueKernelHandle gSection; 413 | static UniqueKernelHandle gEvent; 414 | static const DWORD SHM_TIMEOUT = 10000U; 415 | 416 | static BufDescriptor* 417 | CreateSharedSection() 418 | { 419 | SECURITY_ATTRIBUTES sa = {sizeof(sa), nullptr, FALSE}; 420 | gSection.reset(CreateFileMapping(NULL, &sa, PAGE_READWRITE, 0, 0x4000, 421 | gSectionName)); 422 | if (!gSection) { 423 | return false; 424 | } 425 | gEvent.reset(CreateEvent(&sa, FALSE, FALSE, gEventName)); 426 | return reinterpret_cast(MapViewOfFile(gSection.get(), 427 | FILE_MAP_ALL_ACCESS, 0, 0, 0)); 428 | } 429 | 430 | int wmain(int argc, wchar_t* argv[]) 431 | { 432 | if (argc == 1) { 433 | WindowsSandboxLauncher sboxLauncher; 434 | if (!sboxLauncher.Init(WindowsSandboxLauncher::eInitNoSeparateWindowStation, 435 | WindowsSandboxLauncher::DEFAULT_MITIGATION_POLICIES ^ 436 | PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON)) { 437 | wcout << L"WindowsSandboxLauncher::Init failed" << endl; 438 | return EXIT_FAILURE; 439 | } 440 | 441 | UniqueMappedFileView sharedBuf(CreateSharedSection()); 442 | if (!sharedBuf) { 443 | wcout << L"Failed to create shared section data" << endl; 444 | return EXIT_FAILURE; 445 | } 446 | 447 | if (!sboxLauncher.Launch(argv[0], L"")) { 448 | wcerr << L"Failed to launch" << endl; 449 | return EXIT_FAILURE; 450 | } 451 | 452 | if (WaitForSingleObject(gEvent.get(), ::IsDebuggerPresent() ? INFINITE : SHM_TIMEOUT) != WAIT_OBJECT_0) { 453 | wcout << L"Failure or timeout waiting for population of shared memory" << endl; 454 | return EXIT_FAILURE; 455 | } 456 | 457 | mozilla::STARegion mtargn; 458 | 459 | // OK, we should have bytes of the interface 460 | mozilla::ProxyStream stream(sharedBuf->mData, sharedBuf->mLen); 461 | if (!stream.IsValid()) { 462 | wcout << L"ProxyStream creation failed" << endl; 463 | return EXIT_FAILURE; 464 | } 465 | 466 | IAccessiblePtr test; 467 | if (!stream.GetInterface(IID_IAccessible, (void**)&test)) { 468 | wcout << L"ProxyStream::GetInterface failed" << endl; 469 | return EXIT_FAILURE; 470 | } 471 | 472 | VARIANT outVal; 473 | HRESULT hr = test->accHitTest(7, 248, &outVal); 474 | if (FAILED(hr) || outVal.vt != VT_I4 || outVal.lVal != CHILDID_SELF) { 475 | wcout << L"IAccessible::accHitTest failed" << endl; 476 | return EXIT_FAILURE; 477 | } 478 | wcout << L"IAccessible::accHitTest succeeded!" << endl; 479 | 480 | if (!sboxLauncher.Wait(INFINITE)) { 481 | return EXIT_FAILURE; 482 | } 483 | 484 | return EXIT_SUCCESS; 485 | } 486 | 487 | COMTestSandbox sb; 488 | if (!sb.Init(argc, argv)) { 489 | return EXIT_FAILURE; 490 | } 491 | return EXIT_SUCCESS; 492 | } 493 | 494 | -------------------------------------------------------------------------------- /src/comtest/handoff.cpp: -------------------------------------------------------------------------------- 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 | /* This Source Code Form is subject to the terms of the Mozilla Public 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 | 7 | #include "handoff.h" 8 | 9 | namespace { 10 | 11 | class ThreadHandoffInfo 12 | { 13 | public: 14 | explicit ThreadHandoffInfo(ICallFrame* aCallFrame, 15 | IUnknown* aTargetInterface) 16 | : mCallFrame(aCallFrame) 17 | , mTargetInterface(aTargetInterface) 18 | , mIsDone(::CreateEvent(nullptr, FALSE, FALSE, nullptr)) 19 | , mResult(E_UNEXPECTED) 20 | { 21 | } 22 | 23 | ~ThreadHandoffInfo() 24 | { 25 | if (mIsDone) { 26 | ::CloseHandle(mIsDone); 27 | } 28 | } 29 | 30 | bool IsDone() const 31 | { 32 | return ::WaitForSingleObject(mIsDone, INFINITE) == WAIT_OBJECT_0; 33 | } 34 | 35 | void Invoke() 36 | { 37 | mResult = mCallFrame->Invoke(mTargetInterface); 38 | ::SetEvent(mIsDone); 39 | } 40 | 41 | HRESULT GetResult() const 42 | { 43 | return mResult; 44 | } 45 | 46 | private: 47 | ICallFrame* mCallFrame; 48 | IUnknown* mTargetInterface; 49 | HANDLE mIsDone; 50 | HRESULT mResult; 51 | }; 52 | 53 | } // anonymous namespace 54 | 55 | namespace mozilla { 56 | namespace mscom { 57 | 58 | /* static */ HRESULT 59 | Handoff::Create(HANDLE aTargetThread, IUnknown* aTargetInterface, 60 | ICallFrameEvents** aOutput) 61 | { 62 | *aOutput = nullptr; 63 | Handoff* handoff = new Handoff(aTargetThread, aTargetInterface); 64 | HRESULT hr = handoff->QueryInterface(IID_ICallFrameEvents, (void**) aOutput); 65 | handoff->Release(); 66 | return hr; 67 | } 68 | 69 | Handoff::Handoff(HANDLE aTargetThread, void* aTargetInterface) 70 | : mRefCnt(1) 71 | , mTargetThread(NULL) 72 | , mTargetInterface(static_cast(aTargetInterface)) 73 | { 74 | mTargetInterface->AddRef(); 75 | // TODO ASK: Assert DuplicateHandle's return value 76 | ::DuplicateHandle(::GetCurrentProcess(), aTargetThread, 77 | ::GetCurrentProcess(), &mTargetThread, 78 | 0, FALSE, DUPLICATE_SAME_ACCESS); 79 | } 80 | 81 | Handoff::~Handoff() 82 | { 83 | if (mTargetThread) { 84 | ::CloseHandle(mTargetThread); 85 | } 86 | if (mTargetInterface) { 87 | mTargetInterface->Release(); 88 | } 89 | } 90 | 91 | HRESULT 92 | Handoff::QueryInterface(REFIID riid, void** ppv) 93 | { 94 | IUnknown* punk = nullptr; 95 | if (!ppv) { 96 | return E_INVALIDARG; 97 | } 98 | 99 | if (riid == IID_IUnknown) { 100 | punk = static_cast(static_cast(this)); 101 | } else if (riid == IID_ICallFrameEvents) { 102 | punk = static_cast(this); 103 | } else if (riid == IID_ICallFrameWalker) { 104 | punk = static_cast(this); 105 | } 106 | 107 | *ppv = punk; 108 | if (!punk) { 109 | return E_NOINTERFACE; 110 | } 111 | 112 | punk->AddRef(); 113 | return S_OK; 114 | } 115 | 116 | ULONG 117 | Handoff::AddRef() 118 | { 119 | return (ULONG) InterlockedIncrement((LONG*)&mRefCnt); 120 | } 121 | 122 | ULONG 123 | Handoff::Release() 124 | { 125 | ULONG newRefCnt = (ULONG) InterlockedDecrement((LONG*)&mRefCnt); 126 | if (newRefCnt == 0) { 127 | delete this; 128 | } 129 | return newRefCnt; 130 | } 131 | 132 | VOID CALLBACK 133 | Handoff::TargetAPC(ULONG_PTR aContext) 134 | { 135 | ThreadHandoffInfo* info = (ThreadHandoffInfo*)aContext; 136 | info->Invoke(); 137 | } 138 | 139 | HRESULT 140 | Handoff::OnCall(ICallFrame* aFrame) 141 | { 142 | ThreadHandoffInfo handoffInfo(aFrame, mTargetInterface); 143 | DWORD queueOk = ::QueueUserAPC(&TargetAPC, mTargetThread, 144 | reinterpret_cast(&handoffInfo)); 145 | if (!queueOk) { 146 | return E_UNEXPECTED; 147 | } 148 | if (!handoffInfo.IsDone()) { 149 | return E_UNEXPECTED; 150 | } 151 | HRESULT hr = handoffInfo.GetResult(); 152 | if (FAILED(hr)) { 153 | return hr; 154 | } 155 | hr = aFrame->GetReturnValue(); 156 | if (FAILED(hr)) { 157 | return hr; 158 | } 159 | // Scan the outputs looking for any outparam interfaces that need wrapping 160 | hr = aFrame->WalkFrame(CALLFRAME_WALK_OUT, this); 161 | if (FAILED(hr)) { 162 | return hr; 163 | } 164 | // NOTE: Any logging for profiling purposes should go here. 165 | return S_OK; 166 | } 167 | 168 | HRESULT 169 | Handoff::OnWalkInterface(REFIID aIid, PVOID* aInterface, BOOL aIsInParam, 170 | BOOL aIsOutParam) 171 | { 172 | if (!aInterface || !aIsOutParam) { 173 | return E_UNEXPECTED; 174 | } 175 | IUnknown* origInterface = static_cast(*aInterface); 176 | if (!origInterface) { 177 | // nullptr doesn't need wrapping 178 | return S_OK; 179 | } 180 | 181 | detail::ICallFrameEventsPtr handoff; 182 | HRESULT hr = Handoff::Create(mTargetThread, origInterface, &handoff); 183 | if (FAILED(hr)) { 184 | return hr; 185 | } 186 | 187 | void* replacementInterface = nullptr; 188 | hr = CreateInterceptor(aIid, handoff, &replacementInterface); 189 | if (FAILED(hr)) { 190 | return hr; 191 | } 192 | 193 | // handoff has taken a strong reference to origInterface, so we should release 194 | // it here before we replace *aInterface. 195 | origInterface->Release(); 196 | // Now we can replace it with replacementInterface, whose refcount should 197 | // already be correct. 198 | *aInterface = replacementInterface; 199 | return S_OK; 200 | } 201 | 202 | } // namespace mscom 203 | } // namespace mozilla 204 | -------------------------------------------------------------------------------- /src/comtest/handoff.h: -------------------------------------------------------------------------------- 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 | /* This Source Code Form is subject to the terms of the Mozilla Public 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 | 7 | #ifndef mozilla_handoff_h 8 | #define mozilla_handoff_h 9 | 10 | #include "interceptor.h" 11 | 12 | namespace mozilla { 13 | namespace mscom { 14 | 15 | namespace detail { 16 | 17 | _COM_SMARTPTR_TYPEDEF(ICallFrameEvents, IID_ICallFrameEvents); 18 | 19 | } // namespace detail 20 | 21 | class Handoff : public ICallFrameEvents 22 | , public ICallFrameWalker 23 | { 24 | public: 25 | static HRESULT Create(HANDLE aTargetThread, IUnknown* aTargetInterface, 26 | ICallFrameEvents** aOutput); 27 | 28 | template 29 | static HRESULT WrapInterface(HANDLE aTargetThread, 30 | InterfaceT* aTargetInterface, 31 | InterfaceT** aOutInterface) 32 | { 33 | detail::ICallFrameEventsPtr handoff; 34 | HRESULT hr = Handoff::Create(aTargetThread, aTargetInterface, &handoff); 35 | if (FAILED(hr)) { 36 | return hr; 37 | } 38 | return CreateInterceptor(aTargetInterface, handoff, aOutInterface); 39 | } 40 | 41 | // IUnknown 42 | STDMETHODIMP QueryInterface(REFIID riid, void** ppv) override; 43 | STDMETHODIMP_(ULONG) AddRef() override; 44 | STDMETHODIMP_(ULONG) Release() override; 45 | 46 | // ICallFrameEvents 47 | STDMETHODIMP OnCall(ICallFrame* aFrame) override; 48 | 49 | // ICallFrameWalker 50 | STDMETHODIMP OnWalkInterface(REFIID aIid, PVOID* aInterface, BOOL aIsInParam, 51 | BOOL aIsOutParam) override; 52 | 53 | private: 54 | Handoff(HANDLE aTargetThread, void* aTargetInterface); 55 | ~Handoff(); 56 | 57 | static VOID CALLBACK TargetAPC(ULONG_PTR aContext); 58 | 59 | private: 60 | 61 | private: 62 | ULONG mRefCnt; 63 | HANDLE mTargetThread; 64 | IUnknown* mTargetInterface; 65 | }; 66 | 67 | } // namespace mscom 68 | } // namespace mozilla 69 | 70 | #endif // mozilla_handoff_h 71 | -------------------------------------------------------------------------------- /src/comtest/interceptor.h: -------------------------------------------------------------------------------- 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 | /* This Source Code Form is subject to the terms of the Mozilla Public 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 | 7 | #ifndef mozilla_interceptor_h 8 | #define mozilla_interceptor_h 9 | 10 | #include 11 | #include 12 | 13 | namespace mozilla { 14 | namespace mscom { 15 | 16 | namespace detail { 17 | 18 | _COM_SMARTPTR_TYPEDEF(ICallInterceptor, IID_ICallInterceptor); 19 | 20 | } // namespace detail 21 | 22 | inline HRESULT 23 | CreateInterceptor(REFIID aIidTarget, ICallFrameEvents* aEventSink, 24 | void** aOutInterface) 25 | { 26 | if (!aEventSink || !aOutInterface) { 27 | return E_INVALIDARG; 28 | } 29 | *aOutInterface = nullptr; 30 | 31 | detail::ICallInterceptorPtr interceptor; 32 | HRESULT hr = ::CoGetInterceptor(aIidTarget, nullptr, IID_ICallInterceptor, 33 | (void**)&interceptor); 34 | if (FAILED(hr)) { 35 | return hr; 36 | } 37 | 38 | hr = interceptor->RegisterSink(aEventSink); 39 | if (FAILED(hr)) { 40 | return hr; 41 | } 42 | 43 | return interceptor->QueryInterface(aIidTarget, aOutInterface); 44 | } 45 | 46 | template 47 | inline HRESULT 48 | CreateInterceptor(InterfaceT* aTargetInterface, ICallFrameEvents* aEventSink, 49 | InterfaceT** aOutInterface) 50 | { 51 | if (!aTargetInterface || !aEventSink) { 52 | return E_INVALIDARG; 53 | } 54 | 55 | REFIID iidTarget = __uuidof(aTargetInterface); 56 | 57 | return CreateInterceptor(iidTarget, aEventSink, (void**)aOutInterface); 58 | } 59 | 60 | } // namespace mscom 61 | } // namespace mozilla 62 | 63 | #endif // mozilla_interceptor_h 64 | -------------------------------------------------------------------------------- /src/comtest/mscom.h: -------------------------------------------------------------------------------- 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 | /* This Source Code Form is subject to the terms of the Mozilla Public 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 | 7 | #ifndef mozilla_mscom_h 8 | #define mozilla_mscom_h 9 | 10 | #include 11 | 12 | // TODO: Replace these with real definitions 13 | #define MOZ_RAII 14 | #define MOZ_ASSERT(a) 15 | 16 | namespace mozilla { 17 | 18 | template 19 | class MOZ_RAII COMApartmentRegion 20 | { 21 | public: 22 | COMApartmentRegion() 23 | : mInitResult(::CoInitializeEx(nullptr, T)) 24 | { 25 | // If this fires then we're probably mixing apartments on the same thread 26 | MOZ_ASSERT(SUCCEEDED(mInitResult)); 27 | } 28 | 29 | ~COMApartmentRegion() 30 | { 31 | if (SUCCEEDED(mInitResult)) { 32 | ::CoUninitialize(); 33 | } 34 | } 35 | 36 | bool operator!() const 37 | { 38 | return FAILED(mInitResult); 39 | } 40 | 41 | private: 42 | COMApartmentRegion(const COMApartmentRegion&) = delete; 43 | COMApartmentRegion& operator=(const COMApartmentRegion&) = delete; 44 | COMApartmentRegion(COMApartmentRegion&&) = delete; 45 | COMApartmentRegion& operator=(COMApartmentRegion&&) = delete; 46 | 47 | HRESULT mInitResult; 48 | }; 49 | 50 | typedef COMApartmentRegion STARegion; 51 | typedef COMApartmentRegion MTARegion; 52 | 53 | } // namespace mozilla 54 | 55 | #endif // mozilla_mscom_h 56 | 57 | -------------------------------------------------------------------------------- /src/itest/ITest.def: -------------------------------------------------------------------------------- 1 | LIBRARY itest.dll 2 | 3 | EXPORTS 4 | DllGetClassObject PRIVATE 5 | DllCanUnloadNow PRIVATE 6 | DllRegisterServer PRIVATE 7 | DllUnregisterServer PRIVATE 8 | 9 | -------------------------------------------------------------------------------- /src/itest/Test.idl: -------------------------------------------------------------------------------- 1 | import "unknwn.idl"; 2 | 3 | [object, uuid(e7199d1b-14ff-4dc8-b76e-3d0c860f1f4b)] 4 | interface ITest : IUnknown 5 | { 6 | HRESULT Foo([in] long aParam, [out] long *aOutVal); 7 | }; 8 | -------------------------------------------------------------------------------- /src/proto/proto.cpp: -------------------------------------------------------------------------------- 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 | /* This Source Code Form is subject to the terms of the Mozilla Public 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | #include "dacl.h" 14 | #include "sid.h" 15 | #include "WindowsSandbox.h" 16 | 17 | using std::wcout; 18 | using std::wcerr; 19 | using std::endl; 20 | using std::hex; 21 | using mozilla::WindowsSandbox; 22 | using mozilla::WindowsSandboxLauncher; 23 | 24 | namespace { 25 | 26 | inline PIMAGE_DOS_HEADER 27 | HMODULEToPtr(HMODULE aModule) 28 | { 29 | // LoadLibraryEx can set the lower two bits as indicator flags (see MSDN docs) 30 | const UINT_PTR mask = 3; 31 | return reinterpret_cast(reinterpret_cast(aModule) 32 | & ~mask); 33 | } 34 | 35 | template inline T 36 | RVAToPtr(PVOID aBase, R aRva) 37 | { 38 | return reinterpret_cast(reinterpret_cast(aBase) + aRva); 39 | } 40 | 41 | typedef void (*INITFUNC)(); 42 | typedef void (*DEINITFUNC)(); 43 | 44 | } // anonymous namespace 45 | 46 | class PrototypeSandbox : public WindowsSandbox 47 | { 48 | public: 49 | explicit PrototypeSandbox(const wchar_t *aLibPath) 50 | :mLibPath(aLibPath), 51 | mLib(nullptr), 52 | mDeinit(nullptr) 53 | {} 54 | virtual ~PrototypeSandbox() {} 55 | 56 | protected: 57 | virtual bool OnPrivInit(); 58 | virtual bool OnInit(); 59 | virtual void OnFini(); 60 | private: 61 | const wchar_t* mLibPath; 62 | HMODULE mLib; 63 | DEINITFUNC mDeinit; 64 | }; 65 | 66 | bool 67 | PrototypeSandbox::OnPrivInit() 68 | { 69 | HMODULE vlib = ::LoadLibraryEx(mLibPath, nullptr, 70 | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE); 71 | if (!vlib) { 72 | return false; 73 | } 74 | PIMAGE_DOS_HEADER mzHeader = HMODULEToPtr(vlib); 75 | PIMAGE_NT_HEADERS peHeader = RVAToPtr(mzHeader, 76 | mzHeader->e_lfanew); 77 | if (peHeader->OptionalHeader.AddressOfEntryPoint == 0) { 78 | // Library was linked with /NOENTRY, proceed 79 | mLib = ::LoadLibrary(mLibPath); 80 | } 81 | ::FreeLibrary(vlib); 82 | return !!mLib; 83 | } 84 | 85 | bool 86 | PrototypeSandbox::OnInit() 87 | { 88 | INITFUNC init = (INITFUNC) ::GetProcAddress(mLib, INIT_FUNCTION_NAME); 89 | mDeinit = (DEINITFUNC) ::GetProcAddress(mLib, DEINIT_FUNCTION_NAME); 90 | if (!init || !mDeinit) { 91 | return false; 92 | } 93 | init(); 94 | return true; 95 | } 96 | 97 | void 98 | PrototypeSandbox::OnFini() 99 | { 100 | if (mDeinit) { 101 | mDeinit(); 102 | mDeinit = nullptr; 103 | } 104 | if (mLib) { 105 | ::FreeLibrary(mLib); 106 | mLib = nullptr; 107 | } 108 | } 109 | 110 | int wmain(int argc, wchar_t* argv[]) 111 | { 112 | if (argc > 2) 113 | { 114 | PrototypeSandbox sb(argv[1]); 115 | if (!sb.Init(argc, argv)) { 116 | return EXIT_FAILURE; 117 | } 118 | sb.Fini(); 119 | } else if (argc == 2) { 120 | WindowsSandboxLauncher sboxLauncher; 121 | sboxLauncher.Init(); 122 | if (!sboxLauncher.Launch(argv[0], argv[1])) { 123 | wcerr << L"Failed to launch" << endl; 124 | return EXIT_FAILURE; 125 | } 126 | if (!sboxLauncher.Wait(INFINITE)) { 127 | return EXIT_FAILURE; 128 | } 129 | } else { 130 | wcout << L"Usage: " << argv[0] << " " << endl; 131 | return EXIT_FAILURE; 132 | } 133 | 134 | return EXIT_SUCCESS; 135 | } 136 | 137 | -------------------------------------------------------------------------------- /src/sandbox/WindowsSandbox.cpp: -------------------------------------------------------------------------------- 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 | /* This Source Code Form is subject to the terms of the Mozilla Public 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 | 7 | #include "WindowsSandbox.h" 8 | #include "ArrayLength.h" 9 | #include "dacl.h" 10 | #include "MakeUniqueLen.h" 11 | #include "sidattrs.h" 12 | #include 13 | #include 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | using namespace ::std::literals::string_literals; 22 | using namespace ::std::literals::string_view_literals; 23 | using std::wistringstream; 24 | using std::wostringstream; 25 | using std::hex; 26 | 27 | namespace mozilla { 28 | 29 | const std::wstring WindowsSandbox::DESKTOP_NAME = L"moz-sandbox"s; 30 | const std::wstring_view WindowsSandbox::SWITCH_JOB_HANDLE = L"--job"sv; 31 | 32 | bool 33 | WindowsSandbox::DropProcessIntegrityLevel() 34 | { 35 | HANDLE processToken = nullptr; 36 | if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_DEFAULT, 37 | &processToken)) { 38 | return false; 39 | } 40 | 41 | TOKEN_MANDATORY_LABEL il; 42 | ZeroMemory(&il, sizeof(il)); 43 | il.Label.Sid = mozilla::Sid::GetIntegrityLow(); 44 | bool result = !!::SetTokenInformation(processToken, TokenIntegrityLevel, 45 | &il, sizeof(il)); 46 | ::CloseHandle(processToken); 47 | return result; 48 | } 49 | 50 | bool 51 | WindowsSandbox::SetMitigations(const DWORD64 aMitigations) 52 | { 53 | const DWORD64 kDEPPolicies = 54 | PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE | 55 | PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE 56 | ; 57 | const DWORD64 kASLRPolicies = 58 | PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS | 59 | #if defined(_M_X64) 60 | PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON | 61 | #endif 62 | PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON 63 | ; 64 | // Not all mitigations can be set at runtime 65 | const DWORD64 kAvailableMitigations = 66 | kDEPPolicies | 67 | kASLRPolicies | 68 | PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON | 69 | PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON | 70 | #if _WIN32_WINNT >= 0x0A00 71 | PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON | 72 | #endif 73 | PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON 74 | ; 75 | if ((aMitigations & ~kAvailableMitigations) != 0) { 76 | return false; 77 | } 78 | auto pSetProcessMitigationPolicy = 79 | reinterpret_cast(::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"), 80 | "SetProcessMitigationPolicy")); 81 | if (!pSetProcessMitigationPolicy) { 82 | // Not available 83 | return true; 84 | } 85 | BOOL ok = TRUE; 86 | if (aMitigations & kDEPPolicies) { 87 | PROCESS_MITIGATION_DEP_POLICY depPolicy = {0}; 88 | if (aMitigations & PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE) { 89 | depPolicy.Enable = 1; 90 | } 91 | if (aMitigations & PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE) { 92 | depPolicy.DisableAtlThunkEmulation = 1; 93 | } 94 | ok &= pSetProcessMitigationPolicy(ProcessDEPPolicy, &depPolicy, 95 | sizeof(depPolicy)); 96 | } 97 | if (aMitigations & kASLRPolicies) { 98 | PROCESS_MITIGATION_ASLR_POLICY aslrPolicy = {0}; 99 | if (aMitigations & 100 | PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS) { 101 | aslrPolicy.EnableForceRelocateImages = 1; 102 | aslrPolicy.DisallowStrippedImages = 1; 103 | } 104 | if (aMitigations & 105 | PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON) { 106 | aslrPolicy.EnableBottomUpRandomization = 1; 107 | } 108 | #if defined(_M_X64) 109 | if (aMitigations & 110 | PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON) { 111 | aslrPolicy.EnableHighEntropy = 1; 112 | } 113 | #endif 114 | ok &= pSetProcessMitigationPolicy(ProcessASLRPolicy, &aslrPolicy, 115 | sizeof(aslrPolicy)); 116 | } 117 | if (aMitigations & 118 | PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON) { 119 | PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY handleChkPolicy = {0}; 120 | handleChkPolicy.RaiseExceptionOnInvalidHandleReference = 1; 121 | handleChkPolicy.HandleExceptionsPermanentlyEnabled = 1; 122 | ok &= pSetProcessMitigationPolicy(ProcessStrictHandleCheckPolicy, 123 | &handleChkPolicy, sizeof(handleChkPolicy)); 124 | } 125 | if (aMitigations & 126 | PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON) { 127 | PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY win32kPolicy = {0}; 128 | win32kPolicy.DisallowWin32kSystemCalls = 1; 129 | ok &= pSetProcessMitigationPolicy(ProcessSystemCallDisablePolicy, 130 | &win32kPolicy, sizeof(win32kPolicy)); 131 | } 132 | #if _WIN32_WINNT >= 0x0A00 133 | if (IsWindows10OrGreater() && (aMitigations & 134 | PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON)) { 135 | PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY signPolicy = {0}; 136 | signPolicy.MicrosoftSignedOnly = 1; 137 | ok &= pSetProcessMitigationPolicy(ProcessSignaturePolicy, 138 | &signPolicy, sizeof(signPolicy)); 139 | } 140 | #endif 141 | if (aMitigations & 142 | PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON) { 143 | PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY dllPolicy = {0}; 144 | dllPolicy.DisableExtensionPoints = 1; 145 | ok &= pSetProcessMitigationPolicy(ProcessExtensionPointDisablePolicy, 146 | &dllPolicy, sizeof(dllPolicy)); 147 | } 148 | return !!ok; 149 | } 150 | 151 | bool 152 | WindowsSandbox::ValidateJobHandle(HANDLE aJob) 153 | { 154 | JOBOBJECT_BASIC_ACCOUNTING_INFORMATION info; 155 | BOOL ok = ::QueryInformationJobObject(aJob, 156 | JobObjectBasicAccountingInformation, 157 | &info, sizeof(info), nullptr); 158 | #ifdef DEBUG 159 | if (!ok) { 160 | DebugBreak(); 161 | } 162 | #endif 163 | return !!ok; 164 | } 165 | 166 | bool 167 | WindowsSandbox::Init(int aArgc, wchar_t* aArgv[]) 168 | { 169 | UniqueKernelHandle job; 170 | for (int i = 1; i < aArgc; ++i) { 171 | if (SWITCH_JOB_HANDLE == aArgv[i] && i + 1 < aArgc) { 172 | uintptr_t uijob; 173 | std::wistringstream iss(aArgv[++i]); 174 | iss >> hex >> uijob; 175 | if (!iss) { 176 | return false; 177 | } 178 | 179 | job.reset(reinterpret_cast(uijob)); 180 | } 181 | } 182 | 183 | bool ok = ValidateJobHandle(job.get()); 184 | ok = ok && OnPrivInit(); 185 | ok = ok && ::RevertToSelf(); 186 | ok = ok && DropProcessIntegrityLevel(); 187 | ok = ok && ::AssignProcessToJobObject(job.get(), ::GetCurrentProcess()); 188 | ok = ok && SetMitigations(GetDeferredMitigationPolicies()); 189 | if (!ok) { 190 | return ok; 191 | } 192 | 193 | job.reset(); 194 | return OnInit(); 195 | } 196 | 197 | void 198 | WindowsSandbox::Fini() 199 | { 200 | OnFini(); 201 | } 202 | 203 | const DWORD64 WindowsSandboxLauncher::DEFAULT_MITIGATION_POLICIES = 204 | PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE | 205 | PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE | 206 | PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE | 207 | PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS | 208 | PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON | 209 | PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON | 210 | #if defined(_M_X64) 211 | PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON | 212 | #endif 213 | PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON | 214 | #if _WIN32_WINNT >= 0x0A00 215 | PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON | 216 | #endif 217 | PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON 218 | ; 219 | 220 | bool 221 | WindowsSandboxLauncher::CreateTokens(const Sid& aCustomSid, 222 | UniqueKernelHandle& aRestrictedToken, 223 | UniqueKernelHandle& aImpersonationToken, 224 | Sid& aLogonSid) 225 | { 226 | // 1. Open the process's token and create a restricted token based on it 227 | HANDLE tmp = nullptr; 228 | if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_DEFAULT | 229 | TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY, 230 | &tmp)) { 231 | return false; 232 | } 233 | UniqueKernelHandle processToken(tmp); 234 | 235 | SidAttributes toDisable; 236 | if (!toDisable.CreateFromTokenGroups(processToken.get(), 237 | SidAttributes::FILTER_RESTRICTED_DISABLE, 238 | &aLogonSid)) { 239 | return false; 240 | } 241 | 242 | // Now that we have aLogonSid, build a security descriptor that can be used 243 | // for securable objects that need to be inherited by the sandboxed process. 244 | if (!BuildInheritableSecurityDescriptor(aLogonSid)) { 245 | return false; 246 | } 247 | 248 | // Create the restricted token... 249 | SID_AND_ATTRIBUTES toRestrict[] = {{mozilla::Sid::GetEveryone()}, 250 | {mozilla::Sid::GetUsers()}, 251 | {mozilla::Sid::GetRestricted()}, 252 | {aLogonSid}, 253 | {const_cast(aCustomSid)}}; 254 | tmp = nullptr; 255 | bool result = !!::CreateRestrictedToken(processToken.get(), 256 | DISABLE_MAX_PRIVILEGE | SANDBOX_INERT, 257 | toDisable.Count(), toDisable, 0, 258 | nullptr, ArrayLength(toRestrict), 259 | toRestrict, &tmp); 260 | aRestrictedToken.reset(tmp); 261 | if (!result) { 262 | return false; 263 | } 264 | 265 | // The restricted token needs an updated default DACL 266 | Dacl dacl; 267 | dacl.AddAllowedAce(mozilla::Sid::GetLocalSystem(), GENERIC_ALL); 268 | dacl.AddAllowedAce(mozilla::Sid::GetAdministrators(), GENERIC_ALL); 269 | dacl.AddAllowedAce(aLogonSid, GENERIC_ALL); 270 | 271 | TOKEN_DEFAULT_DACL tokenDacl; 272 | ZeroMemory(&tokenDacl, sizeof(tokenDacl)); 273 | tokenDacl.DefaultDacl = (PACL)dacl; 274 | if (!tokenDacl.DefaultDacl) { 275 | return false; 276 | } 277 | 278 | if (!::SetTokenInformation(aRestrictedToken.get(), TokenDefaultDacl, 279 | &tokenDacl, sizeof(tokenDacl))) { 280 | return false; 281 | } 282 | 283 | // 2. Duplicate the process token for impersonation. 284 | // This will allow the sandbox to temporarily masquerade as a more 285 | // privileged process until it reverts to self. 286 | 287 | // NOTE: FILTER_ADD_RESTRICTED needed here because CreateRestrictedToken 288 | // always requires the Restricted SID as part of the SidsToRestrict 289 | // parameter. 290 | SidAttributes toRestrictImp; 291 | if (!toRestrictImp.CreateFromTokenGroups(processToken.get(), 292 | SidAttributes::FILTER_INTEGRITY | 293 | SidAttributes::FILTER_ADD_RESTRICTED)) { 294 | return false; 295 | } 296 | 297 | tmp = nullptr; 298 | result = !!::CreateRestrictedToken(processToken.get(), SANDBOX_INERT, 0, 299 | nullptr, 0, nullptr, toRestrictImp.Count(), 300 | toRestrictImp, &tmp); 301 | UniqueKernelHandle tmpImpToken(tmp); 302 | tmp = nullptr; 303 | 304 | // We need to duplicate the impersonation token to raise its impersonation 305 | // level to SecurityImpersonation, or else impersonation won't work. 306 | SECURITY_ATTRIBUTES sa = {sizeof(sa), nullptr, TRUE}; 307 | result = !!::DuplicateTokenEx(tmpImpToken.get(), TOKEN_IMPERSONATE | TOKEN_QUERY, 308 | &sa, SecurityImpersonation, 309 | TokenImpersonation, &tmp); 310 | if (!result) { 311 | return false; 312 | } 313 | 314 | aImpersonationToken.reset(tmp); 315 | return true; 316 | } 317 | 318 | HWINSTA 319 | WindowsSandboxLauncher::CreateWindowStation() 320 | { 321 | PACL pdacl = nullptr; 322 | PSECURITY_DESCRIPTOR psd = nullptr; 323 | if (::GetSecurityInfo(::GetProcessWindowStation(), SE_WINDOW_OBJECT, 324 | DACL_SECURITY_INFORMATION, nullptr, nullptr, &pdacl, 325 | nullptr, &psd) != ERROR_SUCCESS) { 326 | return nullptr; 327 | } 328 | 329 | SECURITY_ATTRIBUTES sa = {sizeof(sa), psd, FALSE}; 330 | DWORD desiredAccess = GENERIC_READ | WINSTA_CREATEDESKTOP; 331 | HWINSTA winsta = ::CreateWindowStation(nullptr, 0, 332 | desiredAccess, &sa); 333 | ::LocalFree(psd); 334 | return winsta; 335 | } 336 | 337 | std::optional 338 | WindowsSandboxLauncher::GetWindowStationName(HWINSTA aWinsta) 339 | { 340 | DWORD lenBytes = 0; 341 | if (!::GetUserObjectInformation(aWinsta, UOI_NAME, nullptr, lenBytes, &lenBytes) && 342 | ::GetLastError() != ERROR_INSUFFICIENT_BUFFER) { 343 | return {}; 344 | } 345 | 346 | auto name = std::make_optional( 347 | static_cast((lenBytes+1)/sizeof(std::wstring::value_type)), 348 | std::wstring::value_type(0)); 349 | if (!::GetUserObjectInformation(aWinsta, UOI_NAME, name.value().data(), 350 | name.value().length() * sizeof(std::wstring::value_type), 351 | nullptr)) { 352 | return {}; 353 | } 354 | 355 | // Chop off terminator 356 | name.value().pop_back(); 357 | 358 | return name; 359 | } 360 | 361 | HDESK 362 | WindowsSandboxLauncher::CreateDesktop(HWINSTA aWinsta, const Sid& aCustomSid) 363 | { 364 | // 3. Create a new desktop for the sandbox. 365 | // 3a. Get the current desktop's DACL and Mandatory Label 366 | HDESK curDesktop = ::GetThreadDesktop(::GetCurrentThreadId()); 367 | if (!curDesktop) { 368 | return nullptr; 369 | } 370 | 371 | SECURITY_INFORMATION curDesktopSecInfo = DACL_SECURITY_INFORMATION | 372 | LABEL_SECURITY_INFORMATION; 373 | DWORD curDesktopSdSize = 0; 374 | if (!::GetUserObjectSecurity(curDesktop, &curDesktopSecInfo, nullptr, 375 | curDesktopSdSize, &curDesktopSdSize) && 376 | ::GetLastError() != ERROR_INSUFFICIENT_BUFFER) { 377 | return nullptr; 378 | } 379 | 380 | MAKE_UNIQUE_LEN(PSECURITY_DESCRIPTOR, curDesktopSd, curDesktopSdSize); 381 | if (!::GetUserObjectSecurity(curDesktop, &curDesktopSecInfo, curDesktopSd, 382 | curDesktopSdSize, &curDesktopSdSize)) { 383 | return nullptr; 384 | } 385 | 386 | // 3b. Convert security descriptor from self-relative to absolute so that we 387 | // can modify it. 388 | DWORD curDesktopDaclSize = 0; 389 | DWORD curDesktopSaclSize = 0; 390 | DWORD curDesktopOwnerSize = 0; 391 | DWORD curDesktopPrimaryGroupSize = 0; 392 | if(!::MakeAbsoluteSD(curDesktopSd, nullptr, &curDesktopSdSize, 393 | nullptr, &curDesktopDaclSize, nullptr, 394 | &curDesktopSaclSize, nullptr, &curDesktopOwnerSize, 395 | nullptr, &curDesktopPrimaryGroupSize) && 396 | ::GetLastError() != ERROR_INSUFFICIENT_BUFFER) { 397 | return nullptr; 398 | } 399 | 400 | MAKE_UNIQUE_LEN(PSECURITY_DESCRIPTOR, modifiedCurDesktopSd, curDesktopSdSize); 401 | MAKE_UNIQUE_LEN(PACL, curDesktopDacl, curDesktopDaclSize); 402 | MAKE_UNIQUE_LEN(PACL, curDesktopSacl, curDesktopSaclSize); 403 | MAKE_UNIQUE_LEN(PSID, curDesktopOwner, curDesktopOwnerSize); 404 | MAKE_UNIQUE_LEN(PSID, curDesktopPrimaryGroup, curDesktopPrimaryGroupSize); 405 | 406 | // This call is effectively making a copy of curDesktopSd (which is self- 407 | // relative) as an absolute security descriptor which we will modify. These 408 | // modifications are applied to the *current* desktop's DACL, not the new 409 | // desktop's DACL! 410 | bool result; 411 | result = !!::MakeAbsoluteSD(curDesktopSd, modifiedCurDesktopSd, &curDesktopSdSize, 412 | curDesktopDacl, &curDesktopDaclSize, curDesktopSacl, 413 | &curDesktopSaclSize, curDesktopOwner, 414 | &curDesktopOwnerSize, curDesktopPrimaryGroup, 415 | &curDesktopPrimaryGroupSize); 416 | if (!result) { 417 | return nullptr; 418 | } 419 | 420 | // 3c. Add aCustomSid to the default desktop's DACL to finish plugging the 421 | // SetThreadDesktop security hole. 422 | mozilla::Dacl modifiedCurDesktopDacl; 423 | modifiedCurDesktopDacl.AddDeniedAce(aCustomSid, GENERIC_ALL); 424 | result = modifiedCurDesktopDacl.Merge(curDesktopDacl); 425 | if (!result) { 426 | return nullptr; 427 | } 428 | 429 | // 3d. Set the security descriptor for the current desktop 430 | if (!::SetSecurityDescriptorDacl(modifiedCurDesktopSd, TRUE, 431 | modifiedCurDesktopDacl, FALSE)) { 432 | return nullptr; 433 | } 434 | 435 | curDesktopSecInfo = DACL_SECURITY_INFORMATION; 436 | result = !!::SetUserObjectSecurity(curDesktop, &curDesktopSecInfo, 437 | modifiedCurDesktopSd); 438 | if (!result) { 439 | return nullptr; 440 | } 441 | 442 | // 3e. Temporarily set the window station to the sandbox window station 443 | HWINSTA curWinsta = ::GetProcessWindowStation(); 444 | if (aWinsta) { 445 | if (!::SetProcessWindowStation(aWinsta)) { 446 | return nullptr; 447 | } 448 | } 449 | 450 | // 3f. Create the new desktop using the absolute security descriptor 451 | SECURITY_ATTRIBUTES newDesktopSa = {sizeof(newDesktopSa), curDesktopSd, FALSE}; 452 | HDESK desktop = ::CreateDesktop(WindowsSandbox::DESKTOP_NAME.c_str(), nullptr, 453 | nullptr, 0, DESKTOP_CREATEWINDOW, 454 | &newDesktopSa); 455 | // 3g. Revert to our previous window station 456 | if (aWinsta) { 457 | if (!::SetProcessWindowStation(curWinsta)) { 458 | return nullptr; 459 | } 460 | } 461 | 462 | return desktop; 463 | } 464 | 465 | bool 466 | WindowsSandboxLauncher::CreateJob(UniqueKernelHandle& aJob) 467 | { 468 | // 4. Create the job object 469 | SECURITY_ATTRIBUTES jobSa; 470 | if (!GetInheritableSecurityDescriptor(jobSa)) { 471 | return false; 472 | } 473 | 474 | aJob.reset(::CreateJobObject(&jobSa, nullptr)); 475 | if (!aJob) { 476 | return false; 477 | } 478 | 479 | // 4a. Assign basic limits. This will prevent the sandboxed process from 480 | // creating any new processes. 481 | JOBOBJECT_BASIC_LIMIT_INFORMATION basicLimits; 482 | ZeroMemory(&basicLimits, sizeof(basicLimits)); 483 | basicLimits.LimitFlags = JOB_OBJECT_LIMIT_ACTIVE_PROCESS; 484 | basicLimits.ActiveProcessLimit = 1; 485 | if (!::SetInformationJobObject(aJob.get(), JobObjectBasicLimitInformation, 486 | &basicLimits, sizeof(basicLimits))) { 487 | return false; 488 | } 489 | 490 | // 4b. Assign all UI limits. 491 | // To explicitly grant user handles, call UserHandleGrantAccess 492 | JOBOBJECT_BASIC_UI_RESTRICTIONS uiLimits; 493 | ZeroMemory(&uiLimits, sizeof(uiLimits)); 494 | uiLimits.UIRestrictionsClass = JOB_OBJECT_UILIMIT_DESKTOP | 495 | JOB_OBJECT_UILIMIT_DISPLAYSETTINGS | 496 | JOB_OBJECT_UILIMIT_EXITWINDOWS | 497 | JOB_OBJECT_UILIMIT_GLOBALATOMS | 498 | JOB_OBJECT_UILIMIT_HANDLES | 499 | JOB_OBJECT_UILIMIT_READCLIPBOARD | 500 | JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS | 501 | JOB_OBJECT_UILIMIT_WRITECLIPBOARD; 502 | if (!::SetInformationJobObject(aJob.get(), JobObjectBasicUIRestrictions, 503 | &uiLimits, sizeof(uiLimits))) { 504 | return false; 505 | } 506 | 507 | return true; 508 | } 509 | 510 | WindowsSandboxLauncher::WindowsSandboxLauncher() 511 | : mInitFlags(eInitNormal) 512 | , mHasWin8APIs(false) 513 | , mHasWin10APIs(false) 514 | , mMitigationPolicies(0) 515 | , mProcess(nullptr) 516 | , mWinsta(nullptr) 517 | , mDesktop(nullptr) 518 | { 519 | ZeroMemory(&mInheritableSd, sizeof(mInheritableSd)); 520 | } 521 | 522 | WindowsSandboxLauncher::~WindowsSandboxLauncher() 523 | { 524 | if (mProcess) { 525 | ::CloseHandle(mProcess); 526 | } 527 | if (mDesktop) { 528 | ::CloseDesktop(mDesktop); 529 | } 530 | if (mWinsta) { 531 | ::CloseWindowStation(mWinsta); 532 | } 533 | } 534 | 535 | bool 536 | WindowsSandboxLauncher::Init(InitFlags aInitFlags, DWORD64 aMitigationPolicies) 537 | { 538 | mInitFlags = aInitFlags; 539 | OSVERSIONINFO osv = {sizeof(osv)}; 540 | if (!::GetVersionEx(&osv)) { 541 | return false; 542 | } 543 | mHasWin8APIs = osv.dwMajorVersion > 6 || 544 | osv.dwMajorVersion == 6 && osv.dwMinorVersion >= 2; 545 | mHasWin10APIs = osv.dwMajorVersion >= 10; 546 | mMitigationPolicies = aMitigationPolicies; 547 | #if _WIN32_WINNT >= 0x0A00 548 | if (!mHasWin10APIs) { 549 | mMitigationPolicies &= 550 | ~PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON; 551 | } 552 | #endif 553 | return true; 554 | } 555 | 556 | bool 557 | WindowsSandboxLauncher::Wait(unsigned int aTimeoutMs) const 558 | { 559 | return mProcess && 560 | ::WaitForSingleObject(mProcess, aTimeoutMs) == WAIT_OBJECT_0; 561 | } 562 | 563 | bool 564 | WindowsSandboxLauncher::IsSandboxRunning() const 565 | { 566 | return mProcess && ::WaitForSingleObject(mProcess, 0) == WAIT_TIMEOUT; 567 | } 568 | 569 | std::optional 570 | WindowsSandboxLauncher::GetWorkingDirectory(UniqueKernelHandle& aToken) 571 | { 572 | if (!aToken) { 573 | return {}; 574 | } 575 | 576 | PWSTR shWorkingDir = nullptr; 577 | if (FAILED(::SHGetKnownFolderPath(FOLDERID_LocalAppDataLow, 0, aToken.get(), 578 | &shWorkingDir))) { 579 | return {}; 580 | } 581 | UniqueCOMAllocatedString shWorkingDirUniq(shWorkingDir); 582 | 583 | return std::make_optional(shWorkingDir); 584 | } 585 | 586 | std::optional 587 | WindowsSandboxLauncher::CreateAbsolutePath(const std::wstring_view aInputPath) 588 | { 589 | wchar_t buf[MAX_PATH + 1] = {}; 590 | if (!_wfullpath(buf, std::wstring(aInputPath).c_str(), ArrayLength(buf))) { 591 | return {}; 592 | } 593 | 594 | HRESULT hr = ::PathCchAddExtension(buf, ArrayLength(buf), L"exe"); 595 | if (FAILED(hr)) { 596 | return {}; 597 | } 598 | 599 | return std::make_optional(buf); 600 | } 601 | 602 | bool 603 | WindowsSandboxLauncher::Launch(const std::wstring_view aExecutablePath, 604 | const std::wstring_view aBaseCmdLine) 605 | { 606 | auto absExePath = CreateAbsolutePath(aExecutablePath); 607 | if (!absExePath) { 608 | return false; 609 | } 610 | 611 | // customSid guards against the SetThreadDesktop() security hole 612 | mozilla::Sid customSid; 613 | if (!customSid.InitCustom()) { 614 | return false; 615 | } 616 | 617 | mozilla::Sid logonSid; 618 | UniqueKernelHandle restrictedToken; 619 | UniqueKernelHandle impersonationToken; 620 | if (!CreateTokens(customSid, restrictedToken, impersonationToken, logonSid)) { 621 | return false; 622 | } 623 | 624 | if (!(mInitFlags & eInitNoSeparateWindowStation)) { 625 | mWinsta = CreateWindowStation(); 626 | if (!mWinsta) { 627 | return false; 628 | } 629 | } 630 | 631 | mDesktop = CreateDesktop(mWinsta, customSid); 632 | if (!mDesktop) { 633 | return false; 634 | } 635 | 636 | UniqueKernelHandle job; 637 | if (!CreateJob(job)) { 638 | return false; 639 | } 640 | 641 | // 5. Build the command line string 642 | wostringstream oss; 643 | oss << absExePath.value(); 644 | oss << L" "sv; 645 | oss << aBaseCmdLine; 646 | oss << L" "sv; 647 | oss << WindowsSandbox::SWITCH_JOB_HANDLE; 648 | oss << L" "sv; 649 | oss << hex << job.get(); 650 | 651 | // 6. Set the working directory. With low integrity levels on Vista most 652 | // directories are inaccessible. 653 | auto workingDir = GetWorkingDirectory(restrictedToken); 654 | if (!workingDir) { 655 | return false; 656 | } 657 | 658 | // 7. Initialize the explicit list of handles to inherit (Vista+). 659 | bool result = false; 660 | DECLARE_UNIQUE_LEN(LPPROC_THREAD_ATTRIBUTE_LIST, attrList); 661 | std::unique_ptr inheritableHandles; 662 | SIZE_T attrListSize = 0; 663 | 664 | /* PROC_THREAD_ATTRIBUTE_HANDLE_LIST and 665 | * PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY 666 | */ 667 | const DWORD attrCount = 2; 668 | if (!::InitializeProcThreadAttributeList(nullptr, attrCount, 0, 669 | &attrListSize) && 670 | GetLastError() != ERROR_INSUFFICIENT_BUFFER) { 671 | return false; 672 | } 673 | 674 | ALLOC_UNIQUE_LEN(attrList, attrListSize); 675 | if (!::InitializeProcThreadAttributeList(attrList, attrCount, 0, 676 | &attrListSize)) { 677 | return false; 678 | } 679 | 680 | UniqueProcAttributeList listDeleter(attrList); 681 | size_t handleCount = mHandlesToInherit.size(); 682 | inheritableHandles = std::make_unique(handleCount + 2); 683 | memcpy(inheritableHandles.get(), &mHandlesToInherit[0], 684 | handleCount * sizeof(HANDLE)); 685 | inheritableHandles[handleCount++] = impersonationToken.get(); 686 | inheritableHandles[handleCount++] = job.get(); 687 | result = !!::UpdateProcThreadAttribute(attrList, 0, 688 | PROC_THREAD_ATTRIBUTE_HANDLE_LIST, 689 | inheritableHandles.get(), 690 | handleCount * sizeof(HANDLE), nullptr, 691 | nullptr); 692 | if (!result) { 693 | return false; 694 | } 695 | 696 | result = !!::UpdateProcThreadAttribute(attrList, 0, 697 | PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, 698 | &mMitigationPolicies, 699 | sizeof(DWORD64), nullptr, nullptr); 700 | if (!result) { 701 | return false; 702 | } 703 | 704 | // 8. Create the process using the restricted token 705 | std::wstring desktop; 706 | if (mWinsta) { 707 | auto winstaName = GetWindowStationName(mWinsta); 708 | if (!winstaName) { 709 | return false; 710 | } 711 | desktop = winstaName.value(); 712 | desktop += L"\\"sv; 713 | } 714 | desktop += WindowsSandbox::DESKTOP_NAME; 715 | 716 | STARTUPINFOEX siex = {}; 717 | siex.StartupInfo.lpDesktop = (LPWSTR)desktop.c_str(); 718 | 719 | DWORD creationFlags = CREATE_SUSPENDED | EXTENDED_STARTUPINFO_PRESENT; 720 | siex.StartupInfo.cb = sizeof(STARTUPINFOEX); 721 | siex.lpAttributeList = attrList; 722 | 723 | if (!mHasWin8APIs) { 724 | // Job objects don't nest until Windows 8. To create a process that is to be 725 | // part of a job, we need to create it as a "breakaway" process. 726 | creationFlags |= CREATE_BREAKAWAY_FROM_JOB; 727 | } 728 | 729 | SECURITY_ATTRIBUTES sa = {sizeof(sa), nullptr, FALSE}; 730 | 731 | PROCESS_INFORMATION procInfo; 732 | result = !!::CreateProcessAsUser(restrictedToken.get(), absExePath.value().c_str(), 733 | const_cast(oss.str().c_str()), &sa, 734 | &sa, TRUE, creationFlags, L"", workingDir.value().c_str(), 735 | &siex.StartupInfo, &procInfo); 736 | 737 | UniqueKernelHandle childProcess(procInfo.hProcess); 738 | UniqueKernelHandle mainThread(procInfo.hThread); 739 | if (!result) { 740 | return false; 741 | } 742 | 743 | if (!::SetThreadToken(&procInfo.hThread, impersonationToken.get())) { 744 | ::TerminateProcess(procInfo.hProcess, 1); 745 | return false; 746 | } 747 | 748 | if (!PreResume()) { 749 | ::TerminateProcess(procInfo.hProcess, 1); 750 | return false; 751 | } 752 | 753 | if (::ResumeThread(mainThread.get()) == static_cast(-1)) { 754 | ::TerminateProcess(procInfo.hProcess, 1); 755 | return false; 756 | } 757 | 758 | mProcess = childProcess.release(); 759 | return true; 760 | } 761 | 762 | bool 763 | WindowsSandboxLauncher::BuildInheritableSecurityDescriptor(const Sid& aLogonSid) 764 | { 765 | mInheritableDacl.Clear(); 766 | mInheritableDacl.AddAllowedAce(mozilla::Sid::GetLocalSystem(), GENERIC_ALL); 767 | mInheritableDacl.AddAllowedAce(mozilla::Sid::GetAdministrators(), GENERIC_ALL); 768 | mInheritableDacl.AddAllowedAce(aLogonSid, GENERIC_ALL); 769 | 770 | if (!::InitializeSecurityDescriptor(&mInheritableSd, 771 | SECURITY_DESCRIPTOR_REVISION)) { 772 | mInheritableDacl.Clear(); 773 | return false; 774 | } 775 | 776 | PACL pacl = (PACL) mInheritableDacl; 777 | if (!pacl) { 778 | mInheritableDacl.Clear(); 779 | return false; 780 | } 781 | 782 | if (!::SetSecurityDescriptorDacl(&mInheritableSd, TRUE, pacl, FALSE)) { 783 | mInheritableDacl.Clear(); 784 | return false; 785 | } 786 | 787 | return true; 788 | } 789 | 790 | bool 791 | WindowsSandboxLauncher::GetInheritableSecurityDescriptor(SECURITY_ATTRIBUTES &aSa, 792 | const BOOL aInheritable) 793 | { 794 | PACL pacl = (PACL) mInheritableDacl; 795 | if (!pacl) { 796 | return false; 797 | } 798 | 799 | aSa = {sizeof(aSa), &mInheritableSd, aInheritable}; 800 | return true; 801 | } 802 | 803 | } // namespace mozilla 804 | 805 | -------------------------------------------------------------------------------- /src/sandbox/dacl.cpp: -------------------------------------------------------------------------------- 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 | /* This Source Code Form is subject to the terms of the Mozilla Public 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 | 7 | #include "dacl.h" 8 | #include "sid.h" 9 | 10 | #include 11 | 12 | namespace mozilla { 13 | 14 | Dacl::Dacl() 15 | : mAcl(nullptr), 16 | mModified(false) 17 | { 18 | } 19 | 20 | Dacl::~Dacl() 21 | { 22 | Clear(); 23 | } 24 | 25 | void 26 | Dacl::Clear() 27 | { 28 | if (mAcl) { 29 | ::LocalFree(mAcl); 30 | mAcl = nullptr; 31 | } 32 | } 33 | 34 | void 35 | Dacl::AddAllowedAce(const Sid& aSid, ACCESS_MASK aAccessMask) 36 | { 37 | return AddAce(aSid, GRANT_ACCESS, aAccessMask); 38 | } 39 | 40 | void 41 | Dacl::AddDeniedAce(const Sid& aSid, ACCESS_MASK aAccessMask) 42 | { 43 | return AddAce(aSid, DENY_ACCESS, aAccessMask); 44 | } 45 | 46 | void 47 | Dacl::AddAce(const Sid& aSid, ACCESS_MODE aAccessMode, ACCESS_MASK aAccessMask) 48 | { 49 | EXPLICIT_ACCESS ea; 50 | ::memset(&ea, 0, sizeof(ea)); 51 | ea.grfAccessPermissions = aAccessMask; 52 | ea.grfAccessMode = aAccessMode; 53 | ea.grfInheritance = NO_INHERITANCE; 54 | aSid.GetTrustee(ea.Trustee); 55 | mAces.push_back(ea); 56 | mModified = true; 57 | } 58 | 59 | Dacl::operator PACL() 60 | { 61 | if (!mModified) { 62 | return mAcl; 63 | } 64 | if (!Merge(mAcl)) { 65 | return nullptr; 66 | } 67 | return mAcl; 68 | } 69 | 70 | bool 71 | Dacl::Merge(PACL aAcl) 72 | { 73 | PACL newAcl = nullptr; 74 | DWORD err = ::SetEntriesInAcl((ULONG)mAces.size(), &mAces[0], aAcl, &newAcl); 75 | if (ERROR_SUCCESS != err) { 76 | return false; 77 | } 78 | 79 | Clear(); 80 | mAcl = newAcl; 81 | mModified = false; 82 | return true; 83 | } 84 | 85 | } // namespace mozilla 86 | 87 | -------------------------------------------------------------------------------- /src/sandbox/sid.cpp: -------------------------------------------------------------------------------- 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 | /* This Source Code Form is subject to the terms of the Mozilla Public 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 | 7 | #include "sid.h" 8 | #include 9 | 10 | namespace mozilla { 11 | 12 | Sid::Sid() 13 | : mSid(nullptr), 14 | mSelfAllocated(false) 15 | { 16 | } 17 | 18 | Sid::Sid(const WELL_KNOWN_SID_TYPE aSidType) 19 | : mSid(nullptr), 20 | mSelfAllocated(false) 21 | { 22 | Init(aSidType); 23 | } 24 | 25 | Sid::Sid(const Sid& aOther) 26 | : mSid(nullptr), 27 | mSelfAllocated(false) 28 | { 29 | *this = aOther; 30 | } 31 | 32 | Sid::Sid(Sid&& aOther) 33 | : mSid(aOther.mSid), 34 | mSelfAllocated(aOther.mSelfAllocated) 35 | { 36 | aOther.mSid = nullptr; 37 | aOther.mSelfAllocated = false; 38 | } 39 | 40 | Sid::~Sid() 41 | { 42 | Clear(); 43 | } 44 | 45 | void 46 | Sid::Clear() 47 | { 48 | if (mSid) { 49 | if (mSelfAllocated) { 50 | ::free(mSid); 51 | } else { 52 | ::FreeSid(mSid); 53 | } 54 | mSid = nullptr; 55 | mSelfAllocated = false; 56 | } 57 | } 58 | 59 | Sid& Sid::operator=(const Sid& aOther) 60 | { 61 | Clear(); 62 | Init((PSID)aOther); 63 | return *this; 64 | } 65 | 66 | Sid& Sid::operator=(Sid&& aOther) 67 | { 68 | Clear(); 69 | mSid = aOther.mSid; 70 | mSelfAllocated = aOther.mSelfAllocated; 71 | aOther.mSid = nullptr; 72 | aOther.mSelfAllocated = false; 73 | return *this; 74 | } 75 | 76 | bool 77 | Sid::Init(SID_IDENTIFIER_AUTHORITY& aAuth, DWORD aRid0, DWORD aRid1, DWORD aRid2, 78 | DWORD aRid3, DWORD aRid4, DWORD aRid5, DWORD aRid6, DWORD aRid7) 79 | { 80 | if (mSid) { 81 | return false; 82 | } 83 | 84 | // RIDs listed backwards 85 | const DWORD ridVars[] = { 86 | aRid7, 87 | aRid6, 88 | aRid5, 89 | aRid4, 90 | aRid3, 91 | aRid2, 92 | aRid1, 93 | aRid0 94 | }; 95 | 96 | // Count how many trailing RIDs are zero and subtract them from the 97 | // sub-authority count. 98 | BYTE numSubAuthorities = 8; 99 | for (auto rid : ridVars) { 100 | if (rid) { 101 | break; 102 | } 103 | --numSubAuthorities; 104 | } 105 | 106 | if (!numSubAuthorities) { 107 | return false; 108 | } 109 | 110 | BOOL result = ::AllocateAndInitializeSid(&aAuth, numSubAuthorities, aRid0, 111 | aRid1, aRid2, aRid3, aRid4, aRid5, 112 | aRid6, aRid7, &mSid); 113 | return !!result; 114 | } 115 | 116 | bool 117 | Sid::Init(const WELL_KNOWN_SID_TYPE aSidType) 118 | { 119 | DWORD newSidLen = 0; 120 | if (!::CreateWellKnownSid(aSidType, nullptr, nullptr, &newSidLen) && 121 | ::GetLastError() != ERROR_INSUFFICIENT_BUFFER) { 122 | return false; 123 | } 124 | 125 | PSID newSid = (PSID) ::calloc(newSidLen, 1); 126 | if (!::CreateWellKnownSid(aSidType, nullptr, newSid, &newSidLen)) { 127 | ::free(newSid); 128 | return false; 129 | } 130 | 131 | mSid = newSid; 132 | mSelfAllocated = true; 133 | return true; 134 | } 135 | 136 | bool 137 | Sid::Init(const PSID aSid) 138 | { 139 | if (mSid || !aSid || !::IsValidSid(aSid)) { 140 | return false; 141 | } 142 | 143 | DWORD len = ::GetLengthSid(aSid); 144 | PSID newSid = ::calloc(len, 1); 145 | if (!::CopySid(len, newSid, aSid)) { 146 | ::free(newSid); 147 | return false; 148 | } 149 | 150 | mSid = newSid; 151 | mSelfAllocated = true; 152 | return true; 153 | } 154 | 155 | bool 156 | Sid::InitCustom() 157 | { 158 | UUID uuid; 159 | if (::UuidCreate(&uuid) != RPC_S_OK) { 160 | return false; 161 | } 162 | 163 | DWORD *subAuth = (DWORD*) &uuid; 164 | SID_IDENTIFIER_AUTHORITY auth = SECURITY_RESOURCE_MANAGER_AUTHORITY; 165 | return Init(auth, subAuth[0], subAuth[1], subAuth[2], subAuth[3]); 166 | } 167 | 168 | void 169 | Sid::GetTrustee(TRUSTEE& aTrustee) const 170 | { 171 | if (!mSid) { 172 | return; 173 | } 174 | 175 | ::BuildTrusteeWithSid(&aTrustee, mSid); 176 | } 177 | 178 | bool 179 | Sid::operator==(PSID aOther) const 180 | { 181 | if ((mSid == nullptr || aOther == nullptr) && mSid != aOther) { 182 | return false; 183 | } 184 | if (!::IsValidSid(aOther)) { 185 | return false; 186 | } 187 | 188 | return !!::EqualSid(mSid, aOther); 189 | } 190 | 191 | bool 192 | Sid::operator==(const Sid& aOther) const 193 | { 194 | if ((!mSid || !aOther.mSid) && mSid != aOther.mSid) { 195 | return false; 196 | } 197 | 198 | return !!::EqualSid(mSid, aOther.mSid); 199 | } 200 | 201 | /* static */ const Sid& 202 | Sid::GetAdministrators() 203 | { 204 | static const Sid sAdministrators(WinBuiltinAdministratorsSid); 205 | return sAdministrators; 206 | } 207 | 208 | /* static */ const Sid& 209 | Sid::GetLocalSystem() 210 | { 211 | static const Sid sLocalSystem(WinLocalSystemSid); 212 | return sLocalSystem; 213 | } 214 | 215 | /* static */ const Sid& 216 | Sid::GetEveryone() 217 | { 218 | static const Sid sEveryone(WinWorldSid); 219 | return sEveryone; 220 | } 221 | 222 | /* static */ const Sid& 223 | Sid::GetRestricted() 224 | { 225 | static const Sid sRestricted(WinRestrictedCodeSid); 226 | return sRestricted; 227 | } 228 | 229 | /* static */ const Sid& 230 | Sid::GetUsers() 231 | { 232 | static const Sid sUsers(WinBuiltinUsersSid); 233 | return sUsers; 234 | } 235 | 236 | /* static */ const Sid& 237 | Sid::GetIntegrityUntrusted() 238 | { 239 | static const Sid sIntegrityUntrusted(WinUntrustedLabelSid); 240 | return sIntegrityUntrusted; 241 | } 242 | 243 | /* static */ const Sid& 244 | Sid::GetIntegrityLow() 245 | { 246 | static const Sid sIntegrityLow(WinLowLabelSid); 247 | return sIntegrityLow; 248 | } 249 | 250 | /* static */ const Sid& 251 | Sid::GetIntegrityMedium() 252 | { 253 | static const Sid sIntegrityMedium(WinMediumLabelSid); 254 | return sIntegrityMedium; 255 | } 256 | 257 | /* static */ const Sid& 258 | Sid::GetIntegrityHigh() 259 | { 260 | static const Sid sIntegrityHigh(WinHighLabelSid); 261 | return sIntegrityHigh; 262 | } 263 | 264 | /* static */ const Sid& 265 | Sid::GetIntegritySystem() 266 | { 267 | static const Sid sIntegritySystem(WinSystemLabelSid); 268 | return sIntegritySystem; 269 | } 270 | 271 | } // namespace mozilla 272 | 273 | -------------------------------------------------------------------------------- /src/sandbox/sidattrs.cpp: -------------------------------------------------------------------------------- 1 | /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ 2 | /* vim: set ts=8 sts=2 et sw=2 tw=80: */ 3 | /* This Source Code Form is subject to the terms of the Mozilla Public 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 | 7 | #include "sidattrs.h" 8 | #include "MakeUniqueLen.h" 9 | 10 | namespace mozilla { 11 | 12 | bool 13 | SidAttributes::CreateFromTokenGroups(HANDLE aToken, unsigned int aFilterFlags, 14 | Sid* aLogonSid) 15 | { 16 | if (!aToken || !mSidAttrs.empty() || !mSids.empty()) { 17 | return false; 18 | } 19 | 20 | // Get size 21 | DWORD reqdLen = 0; 22 | if (!::GetTokenInformation(aToken, TokenGroups, nullptr, 0, &reqdLen) && 23 | ::GetLastError() != ERROR_INSUFFICIENT_BUFFER) { 24 | return false; 25 | } 26 | 27 | // Allocate and retrieve 28 | MAKE_UNIQUE_LEN(PTOKEN_GROUPS, tokenGroups, reqdLen); 29 | if (!::GetTokenInformation(aToken, TokenGroups, tokenGroups, reqdLen, 30 | &reqdLen)) { 31 | return false; 32 | } 33 | 34 | // Pass 1: Figure out how many SID_AND_ATTRIBUTES we need 35 | DWORD sidCount = 0; 36 | for (DWORD i = 0; i < tokenGroups->GroupCount; ++i) { 37 | if (tokenGroups->Groups[i].Attributes & SE_GROUP_INTEGRITY) { 38 | if (aFilterFlags & FILTER_INTEGRITY) { 39 | continue; 40 | } 41 | } 42 | if (tokenGroups->Groups[i].Attributes & SE_GROUP_LOGON_ID) { 43 | if (aFilterFlags & FILTER_RESTRICTED_DISABLE) { 44 | continue; 45 | } 46 | } 47 | if (mozilla::Sid::GetEveryone() == tokenGroups->Groups[i].Sid) { 48 | if (aFilterFlags & FILTER_RESTRICTED_DISABLE) { 49 | continue; 50 | } 51 | } 52 | if (mozilla::Sid::GetUsers() == tokenGroups->Groups[i].Sid) { 53 | if (aFilterFlags & FILTER_RESTRICTED_DISABLE) { 54 | continue; 55 | } 56 | } 57 | ++sidCount; 58 | } 59 | 60 | if (aFilterFlags & FILTER_ADD_RESTRICTED) { 61 | ++sidCount; 62 | } 63 | 64 | // Reserve space in the containers so that the vector's buffers don't get 65 | // reallocated. 66 | mSidAttrs.reserve(sidCount); 67 | mSids.reserve(sidCount); 68 | 69 | // Pass 2: Now populate the output 70 | DWORD sidIndex = 0; 71 | for (DWORD i = 0; i < tokenGroups->GroupCount; ++i) { 72 | if (tokenGroups->Groups[i].Attributes & SE_GROUP_INTEGRITY) { 73 | if (aFilterFlags & FILTER_INTEGRITY) { 74 | continue; 75 | } 76 | } 77 | 78 | if (tokenGroups->Groups[i].Attributes & SE_GROUP_LOGON_ID) { 79 | if (aLogonSid) { 80 | aLogonSid->Init(tokenGroups->Groups[i].Sid); 81 | } 82 | if (aFilterFlags & FILTER_RESTRICTED_DISABLE) { 83 | continue; 84 | } 85 | } 86 | 87 | if (mozilla::Sid::GetEveryone() == tokenGroups->Groups[i].Sid) { 88 | if (aFilterFlags & FILTER_RESTRICTED_DISABLE) { 89 | continue; 90 | } 91 | } 92 | 93 | if (mozilla::Sid::GetUsers() == tokenGroups->Groups[i].Sid) { 94 | if (aFilterFlags & FILTER_RESTRICTED_DISABLE) { 95 | continue; 96 | } 97 | } 98 | 99 | Sid newSid; 100 | if (!newSid.Init(tokenGroups->Groups[i].Sid)) { 101 | return false; 102 | } 103 | 104 | Push(newSid); 105 | } 106 | 107 | if (aFilterFlags & FILTER_ADD_RESTRICTED) { 108 | Push(mozilla::Sid::GetRestricted()); 109 | } 110 | 111 | return true; 112 | } 113 | 114 | void 115 | SidAttributes::Push(const Sid& aSid, const DWORD aAttrs) 116 | { 117 | // DANGER: If the memory backing mSids hasn't been reserved ahead of time, 118 | // the pointers stored in mSidAttrs will be invalid when mSids 119 | // reallocates its buffer! 120 | mSids.push_back(aSid); 121 | SID_AND_ATTRIBUTES newSidAttr = { (PSID)mSids.back(), aAttrs }; 122 | mSidAttrs.push_back(newSidAttr); 123 | } 124 | 125 | } // namespace mozilla 126 | --------------------------------------------------------------------------------