Enhanced Protected Mode support

src/plugin/AdblockPlusClient.cpp

 #include "PluginStdAfx.h"
-
 #include "PluginSettings.h"
 #include "PluginSystem.h"
 #include "PluginFilter.h"
 #include "PluginClientFactory.h"
 #include "PluginMutex.h"
 #include "PluginClass.h"
 
 #include "AdblockPlusClient.h"
 
 #include "../shared/Utils.h"
 
 namespace
 {
   void SpawnAdblockPlusEngine()
   {
     std::wstring engineExecutablePath = GetDllDir() + L"AdblockPlusEngine.exe";
     CString params = L"AdblockPlusEngine.exe " + CPluginSystem::GetInstance()->GetBrowserLanguage();
 
     STARTUPINFO startupInfo = {};
     PROCESS_INFORMATION processInformation = {};
 
     HANDLE token;
     OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE | TOKEN_ADJUST_DEFAULT | TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY, &token);
-    HANDLE newToken;
-    DuplicateTokenEx(token, 0, 0, SecurityImpersonation, TokenPrimary, &newToken);
 
-    if (!CreateProcessAsUserW(newToken, engineExecutablePath.c_str(),
-                              params.GetBuffer(params.GetLength() + 1),
-                              0, 0, 0, 0, 0, 0, &startupInfo, &processInformation))
+    TOKEN_APPCONTAINER_INFORMATION *acSid = NULL;

[Wladimir Palant, 2013/09/17 07:53:48]

Nit: that variable name also uses the Hungarian notation.

+    DWORD length = 0;
+
+    // Get AppContainer SID
+    if (!GetTokenInformation(token, TokenAppContainerSid, acSid, 0, &length) && GetLastError() == ERROR_INSUFFICIENT_BUFFER)
     {
-      DWORD error = GetLastError();
+        acSid = (TOKEN_APPCONTAINER_INFORMATION*) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, length);
+        if (acSid != NULL)
+        {
+          GetTokenInformation(token, TokenAppContainerSid, acSid, length, &length);
+        }
+        else
+        {
+          throw std::runtime_error("Out of memory");
+        }
+    }
+
+    BOOL createProcRes = 0;
+    // Running inside AppContainer?
+    if (acSid != NULL && acSid->TokenAppContainer != NULL)
+    {
+      // Launch with default security. Registry entry will eat the user prompt
+      // See http://msdn.microsoft.com/en-us/library/bb250462(v=vs.85).aspx#wpm_elebp
+      LPWSTR stringSid;
+      ConvertSidToStringSidW(acSid->TokenAppContainer, &stringSid);
+      params.Append(L" ");
+      params.Append(stringSid);
+      LocalFree(stringSid);
+      createProcRes = CreateProcessW(engineExecutablePath.c_str(), params.GetBuffer(params.GetLength() + 1),
+                              0, 0, false, 0, 0, 0, (STARTUPINFOW*)&startupInfo, &processInformation);
+    }
+    else
+    {
+      // Launch with the same security token (Low Integrity) explicitly
+      HANDLE newToken;
+      DuplicateTokenEx(token, 0, 0, SecurityImpersonation, TokenPrimary, &newToken);
+
+      createProcRes = CreateProcessAsUser(newToken, engineExecutablePath.c_str(), params.GetBuffer(params.GetLength() + 1),

[Wladimir Palant, 2013/09/17 07:53:48]

Nit: This should be changed into CreateProcessAsUserW as well.

+                              0, 0, false, 0, 0, 0, (STARTUPINFOW*)&startupInfo, &processInformation);
+    }
+
+    if (!createProcRes)
+    {
       throw std::runtime_error("Failed to start Adblock Plus Engine");
     }
 
     CloseHandle(processInformation.hProcess);
     CloseHandle(processInformation.hThread);
   }
 
   Communication::Pipe* OpenEnginePipe()
   {
     try
@@ skipping 416 matching lines @@
 bool CAdblockPlusClient::TogglePluginEnabled()
 {
   DEBUG_GENERAL("TogglePluginEnabled");
   Communication::InputBuffer response;
   if (!CallEngine(Communication::PROC_TOGGLE_PLUGIN_ENABLED, response)) 
     return false;
   bool currentEnabledState;
   response >> currentEnabledState;
   return currentEnabledState;
 }