From 79d4cf6e8eb569ec039c33e407fab787cc1a687f Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Thu, 31 Oct 2019 11:28:09 +0100
Subject: Enable Windows sandbox

Enable sandboxing on Windows. Enable heterogeneous sandbox symbol
resolution and statically link the sandboxing code into the helper
process. This means we have two copies of the sandboxing code,
one statically linked in the executable and one in the shared
library. Since they are not exported they don't conflict, but
we need to take to initialize the right version in the helper process
binary, and pass its sandbox interface to shared library using it.

For sandbox debug output, we also need to initialize the second copy
of the commandlineparser and logging system.

Fixes: QTBUG-51170
Change-Id: I8f503c8d6b40674465f32772ef906817dad2b449
Reviewed-by: Kirill Burtsev <kirill.burtsev@qt.io>
---
 src/core/web_engine_context.cpp | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

(limited to 'src/core/web_engine_context.cpp')

diff --git a/src/core/web_engine_context.cpp b/src/core/web_engine_context.cpp
index a4ceb3a97..69769bdf1 100644
--- a/src/core/web_engine_context.cpp
+++ b/src/core/web_engine_context.cpp
@@ -182,6 +182,18 @@ void dummyGetPluginCallback(const std::vector<content::WebPluginInfo>&)
 
 namespace QtWebEngineCore {
 
+#if defined(Q_OS_WIN)
+sandbox::SandboxInterfaceInfo *staticSandboxInterfaceInfo(sandbox::SandboxInterfaceInfo *info)
+{
+    static sandbox::SandboxInterfaceInfo *g_info = nullptr;
+    if (info) {
+        Q_ASSERT(g_info == nullptr);
+        g_info = info;
+    }
+    return g_info;
+}
+#endif
+
 extern std::unique_ptr<base::MessagePump> messagePumpFactory();
 
 bool usingSoftwareDynamicGL()
@@ -455,9 +467,7 @@ WebEngineContext::WebEngineContext()
     // Enable sandboxing on OS X and Linux (Desktop / Embedded) by default.
     bool disable_sandbox = qEnvironmentVariableIsSet(kDisableSandboxEnv);
     if (!disable_sandbox) {
-#if defined(Q_OS_WIN)
-        parsedCommandLine->AppendSwitch(service_manager::switches::kNoSandbox);
-#elif defined(Q_OS_LINUX)
+#if defined(Q_OS_LINUX)
         parsedCommandLine->AppendSwitch(service_manager::switches::kDisableSetuidSandbox);
 #endif
     } else {
@@ -656,9 +666,12 @@ WebEngineContext::WebEngineContext()
 
     content::ContentMainParams contentMainParams(m_mainDelegate.get());
 #if defined(OS_WIN)
+    contentMainParams.sandbox_info = staticSandboxInterfaceInfo();
     sandbox::SandboxInterfaceInfo sandbox_info = {0};
-    content::InitializeSandboxInfo(&sandbox_info);
-    contentMainParams.sandbox_info = &sandbox_info;
+    if (!contentMainParams.sandbox_info) {
+        content::InitializeSandboxInfo(&sandbox_info);
+        contentMainParams.sandbox_info = &sandbox_info;
+    }
 #endif
     m_contentRunner->Initialize(contentMainParams);
 
-- 
cgit v1.2.3