| blob | 2b4e613d75371bf3aa5e524564b1f89a32d97d4d |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
9 #if defined(ACCESSIBILITY) && \
10 (defined(MOZILLA_INTERNAL_API) || defined(MOZ_HAS_MOZGLUE))
13 // defined(MOZ_HAS_MOZGLUE))
25 #if defined(MOZILLA_INTERNAL_API)
27 # if defined(MOZ_SANDBOX)
32 #include <accctrl.h>
33 #include <aclapi.h>
34 #include <objbase.h>
35 #include <objidl.h>
37 // This API from oleaut32.dll is not declared in Windows SDK headers
45 #if defined(MOZILLA_INTERNAL_API)
58 #if defined(ACCESSIBILITY)
59 # if defined(MOZILLA_INTERNAL_API)
60 // If we're inside XUL, and we're the parent process, then we trust that
61 // this has already been initialized for us prior to XUL being loaded.
62 // Only required in the child if the Resource ID has been passed down.
66 }
67 # elif defined(MOZ_HAS_MOZGLUE)
68 // If we're here, then we're in mozglue and initializing this for the parent
69 // process.
72 # endif
75 #if defined(MOZILLA_INTERNAL_API)
80 /**
81 * From this point forward, all threads in this process are implicitly
82 * members of the multi-threaded apartment, with the following exceptions:
83 * 1. If any Win32 GUI APIs were called on the current thread prior to
84 * executing this constructor, then this thread has already been implicitly
85 * initialized as the process's main STA thread; or
86 * 2. A thread explicitly and successfully calls CoInitialize(Ex) to specify
87 * otherwise.
88 */
91 // We only assert that the implicit MTA precondition holds when not running
92 // as the Gecko parent process.
95 isCurThreadImplicitMTA);
97 # if defined(MOZ_SANDBOX)
100 // If our process is running under Win32k lockdown, we cannot initialize
101 // COM with a single-threaded apartment. This is because STAs create a hidden
102 // window, which implicitly requires user32 and Win32k, which are blocked.
103 // Instead we start the multi-threaded apartment and conduct our process-wide
104 // COM initialization there.
106 // Make sure we're still running with the sandbox's privileged impersonation
107 // token.
108 HANDLE rawCurThreadImpToken;
113 }
116 // Ensure that our current token is still an impersonation token (ie, we
117 // have not yet called RevertToSelf() on this thread).
118 DWORD len;
119 TOKEN_TYPE tokenType;
125 // Ideally we want our current thread to be running implicitly inside the
126 // MTA, but if for some wacky reason we did not end up with that, we may
127 // compensate by completing initialization via EnsureMTA's persistent
128 // thread.
132 }
133 }
139 // It can happen that we are not the outermost COM initialization on this
140 // thread. In fact it should regularly be the case that the outermost
141 // initialization occurs from outside of XUL, before we show the skeleton UI,
142 // at which point we still need to run some things here from within XUL.
145 #if defined(MOZILLA_INTERNAL_API)
148 // This is unexpected unless we're GeckoBrowserParent
150 }
152 ProcessInitLock lock;
154 // Is another instance of ProcessRuntime responsible for the outer
155 // initialization?
161 }
164 }
169 }
171 #if defined(MOZILLA_INTERNAL_API)
172 # if defined(MOZ_SANDBOX)
174 // In locked-down child processes, defer PostInit until priv drop
176 // Ensure that we're still live and the init was successful before
177 // calling PostInit()
180 }
181 });
183 }
188 }
190 #if defined(MOZILLA_INTERNAL_API)
194 }
196 # if defined(MOZ_SANDBOX)
199 // Create an impersonation token based on the current thread's token
205 }
208 // Impersonate and initialize.
215 }
219 },
224 }
230 // This is a security risk if it fails, so we release assert
233 },
236 // Ensure that we're still live and the init was successful before
237 // calling PostInit()
240 }
241 });
242 }
246 /* static */
254 // If Win32k is not locked down then we probably still need STA.
255 // We disable DDE since that is not usable from child processes.
257 COINIT_DISABLE_OLE1DDE);
258 }
263 }
264 }
267 ProcessInitLock lock;
270 // COM has already been initialized by a previous ProcessRuntime instance
273 }
276 // We are required to initialize security prior to configuring global
277 // options.
281 // Even though this isn't great, we should try to proceed even when
282 // CoInitializeSecurity has previously been called: the additional settings
283 // we want to change are important enough that we don't want to skip them.
286 }
289 }
299 }
301 // Disable COM's catch-all exception handler
303 COMGLB_EXCEPTION_DONOT_HANDLE_ANY);
307 }
310 }
312 // Disable the BSTR cache (as it never invalidates, thus leaking memory)
313 // (This function is itself idempotent, so we do not concern ourselves with
314 // tracking whether or not we've already called it.)
318 }
320 #if defined(MOZILLA_INTERNAL_API)
321 /**
322 * Guaranteed to run *after* the COM (and possible sandboxing) initialization
323 * has successfully completed and stabilized. This method MUST BE IDEMPOTENT!
324 */
326 // Currently "roughed-in" but unused.
327 }
330 /* static */
331 DWORD
333 DWORD callerTid;
335 // Don't return callerTid unless the call succeeded and returned S_FALSE,
336 // indicating that the caller originates from a different process.
339 }
342 }
344 /* static */
345 HRESULT
351 }
359 }
366 }
373 }
382 }
384 SECURITY_DESCRIPTOR sd;
387 }
394 }
401 }
413 }
414 }
416 // Grant access to SYSTEM, Administrators, the user, and when running as the
417 // browser process on Windows 8+, all app containers.
422 COM_RIGHTS_EXECUTE,
423 GRANT_ACCESS,
424 NO_INHERITANCE,
429 COM_RIGHTS_EXECUTE,
430 GRANT_ACCESS,
431 NO_INHERITANCE,
436 COM_RIGHTS_EXECUTE,
437 GRANT_ACCESS,
438 NO_INHERITANCE,
445 GRANT_ACCESS,
446 NO_INHERITANCE,
448 TRUSTEE_IS_WELL_KNOWN_GROUP,
450 }
453 win32Error =
457 }
463 }
467 }
470 FALSE)) {
472 }
477 }