Closed Bug 1481635 Opened 6 years ago Closed 6 years ago

Launcher process improvements for automation and UAC-disabled configurations

Categories

(Firefox :: General, enhancement, P1)

Product:
Firefox
Component:
General
Platform:
Unspecified
Windows
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 63
Tracking Flags:
Tracking Status
firefox63 --- fixed

People

(Reporter: bugzilla, Assigned: bugzilla)

References

Details

(Whiteboard: inj+)

Attachments

(1 file, 1 obsolete file)

Patch (r2)
13.43 KB, patch
molly
: review+
Details | Diff | Splinter Review 
There are a couple of cases that we need to handle for automation and general correctness. Since they are closely intermingled, I'm going to land this stuff in one bug.

1) The firefox process launched by automation is assumed to stay alive for the lifetime of the browsing session. I'm adding a command-line option that makes this happen, as well as an environment variable check (so that hopefully we don't need to go around modifying test harnesses all over the place).

2) I'm going to add a command-line option to prevent the launcher de-elevating the browser. Again, this is in case of potential automation issues.

3) If UAC is disabled and we're started at high integrity, I think that the current elevation code will cause an infinite loop -- the launcher will continuously restart itself using explorer, but explorer will never be a medium integrity user.

To fix this, I'm going to use a combination of TokenElevationType and TokenIntegrityLevel queries on the current token to determine UAC and integrity level.

If the token elevation type is TokenElevationTypeDefault, then UAC is disabled and we need to fall back to checking our integrity level.

Note that if we don't have UAC, the only way that we can drop our integrity level is by duplicating our token and dropping the IL there, then calling CreateProcessAsUser. We also need to use this method if the --wait-for-browser is specified, since we don't get a child process handle out of the remote ShellExecute call made via Explorer.
Attached patch Patch (obsolete) — Splinter Review 
See the bug description for more about what's going on with this patch.
Attachment #8998355 - Flags: review?(mhowell)
Attached patch Patch (r2)Splinter Review 
This rev propagates the browser's return code as the launcher's return code when --wait-for-browser is set.
Attachment #8998355 - Attachment is obsolete: true
Attachment #8998355 - Flags: review?(mhowell)
Attachment #8998370 - Flags: review?(mhowell)
Comment on attachment 8998370 [details] [diff] [review]
Patch (r2)

Review of attachment 8998370 [details] [diff] [review]:
-----------------------------------------------------------------

::: browser/app/winlauncher/LaunchUnelevated.cpp
@@ +228,3 @@
>  
> +      return Some(ElevationState::eElevated);
> +    default:

This is really a nit, but I'd be happier with an explicit check for TokenElevationTypeDefault and some sort of error handling for an unknown value, just for a little forward compatibility.
Attachment #8998370 - Flags: review?(mhowell) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/9e3106a824d27f327e5dd9178f7e00aa8703f731
Bug 1481635: Add option to allow the launcher process to wait for the browser before terminating, while properly handling UAC or high-integrity cases; r=mhowell
https://hg.mozilla.org/mozilla-central/rev/9e3106a824d2
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox63: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 63
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: