Bug 1837079 - [4/10] Create WINDOWS_FILE_DIALOG utility process type r=gerard-majax,ipc-reviewers,fluent-reviewers,bobowen,handyman,nika

Create a new utility-process type for the sole use of out-of-process instantiation of the Windows file dialog. We do not sandbox this process type, as in certain test environments sandboxing has been found to prevent the child process from interacting with any other windows on the desktop -- including the parent process window which it will need to assign as the parent of the file dialog. Technically, no functional changes, as this commit adds no uses of this type. (That will come later in the patchset.) Differential Revision: https://phabricator.services.mozilla.com/D180341
2023-10-26 18:21:28 +00:00 · 2023-10-26 18:21:28 +00:00 · 8cd437b72d
--- a/dom/chrome-webidl/ChromeUtils.webidl
+++ b/dom/chrome-webidl/ChromeUtils.webidl
@ -795,6 +795,7 @@ enum WebIDLUtilityActorName {
  "mfMediaEngineCDM",
  "jSOracle",
  "windowsUtils",
+  "windowsFileDialog",
 };

 dictionary UtilityActorsDictionary {
--- a/ipc/glue/UtilityProcessSandboxing.cpp
+++ b/ipc/glue/UtilityProcessSandboxing.cpp
@ -27,6 +27,21 @@ std::vector<std::string> split(const std::string& str, char s) {
 }

 bool IsUtilitySandboxEnabled(const char* envVar, SandboxingKind aKind) {
+#ifdef XP_WIN
+  // Sandboxing the Windows file dialog is probably not useful.
+  //
+  // (Additionally, it causes failures in our test environments: when running
+  // tests on windows-11-2009-qr machines, sandboxed child processes can't see
+  // or interact with any other process's windows -- which means they can't
+  // select a window from the parent process as the file dialog's parent. This
+  // occurs regardless of the sandbox preferences, which is why we disable
+  // sandboxing entirely rather than use a maximally permissive preference-set.
+  // This behavior has not been seen in user-facing environments.)
+  if (aKind == SandboxingKind::WINDOWS_FILE_DIALOG) {
+    return false;
+  }
+#endif
+
  if (envVar == nullptr) {
    return true;
  }
--- a/ipc/glue/UtilityProcessSandboxing.h
+++ b/ipc/glue/UtilityProcessSandboxing.h
@ -29,6 +29,7 @@ enum SandboxingKind : uint64_t {
 #endif
 #ifdef XP_WIN
  WINDOWS_UTILS,
+  WINDOWS_FILE_DIALOG,
 #endif

  COUNT,
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@ -1682,6 +1682,11 @@ bool SandboxBroker::SetSecurityLevelForUtilityProcess(
 #endif
    case mozilla::ipc::SandboxingKind::WINDOWS_UTILS:
      return BuildUtilitySandbox(mPolicy, WindowsUtilitySandboxProps());
+    case mozilla::ipc::SandboxingKind::WINDOWS_FILE_DIALOG:
+      // This process type is not sandboxed. (See commentary in
+      // `ipc::IsUtilitySandboxEnabled()`.)
+      MOZ_ASSERT_UNREACHABLE("No sandboxing for this process type");
+      return false;
    default:
      MOZ_ASSERT_UNREACHABLE("Unknown sandboxing value");
      return false;
--- a/toolkit/components/aboutprocesses/content/aboutProcesses.js
+++ b/toolkit/components/aboutprocesses/content/aboutProcesses.js
@ -885,6 +885,10 @@ var View = {
        fluentName = "about-processes-utility-actor-windows-utils";
        break;

+      case "windowsFileDialog":
+        fluentName = "about-processes-utility-actor-windows-file-dialog";
+        break;
+
      default:
        fluentName = "about-processes-utility-actor-unknown";
        break;
--- a/toolkit/components/processtools/ProcInfo_common.cpp
+++ b/toolkit/components/processtools/ProcInfo_common.cpp
@ -57,6 +57,8 @@ nsCString GetUtilityActorName(const UtilityActorName aActorName) {
      return "js-oracle"_ns;
    case UtilityActorName::WindowsUtils:
      return "windows-utils"_ns;
+    case UtilityActorName::WindowsFileDialog:
+      return "windows-file-dialog"_ns;
    default:
      return "unknown"_ns;
  }
--- a/toolkit/locales/en-US/toolkit/about/aboutProcesses.ftl
+++ b/toolkit/locales/en-US/toolkit/about/aboutProcesses.ftl
@ -132,6 +132,7 @@ about-processes-utility-actor-mf-media-engine = Windows Media Foundation Media E
 # "Oracle" refers to an internal Firefox process and should be kept in English
 about-processes-utility-actor-js-oracle = JavaScript Oracle
 about-processes-utility-actor-windows-utils = Windows Utils
+about-processes-utility-actor-windows-file-dialog = Windows File Dialog

 ## Displaying CPU (percentage and total)
 ## Variables:
--- a/toolkit/xre/nsAppRunner.cpp
+++ b/toolkit/xre/nsAppRunner.cpp
@ -6039,9 +6039,12 @@ bool XRE_UseNativeEventProcessing() {
 #  if defined(XP_WIN)
      auto upc = mozilla::ipc::UtilityProcessChild::Get();
      MOZ_ASSERT(upc);
-      // WindowsUtils is for Windows APIs, which typically require a Windows
-      // native event loop.
-      return upc->mSandbox == mozilla::ipc::SandboxingKind::WINDOWS_UTILS;
+
+      using SboxKind = mozilla::ipc::SandboxingKind;
+      // These processes are used as external hosts for accessing Windows
+      // APIs which (may) require a Windows native event loop.
+      return upc->mSandbox == SboxKind::WINDOWS_UTILS ||
+             upc->mSandbox == SboxKind::WINDOWS_FILE_DIALOG;
 #  else
      return false;
 #  endif  // defined(XP_WIN)