
Update the OOP JIT RPC interface bring up to support receiving security descriptors on both the server and the client.

This is necessary to be able to establish an RPC connection to a JIT process that is in another app container.

In addition we will not have access to the OpenProcess API for a process in another AppContainer, so we need to get a handle provided to us to be able to share the process handle across the RPC boundary.
Kirk Sykora 9 jaren geleden
bovenliggende
commit
144e349ff2

+ 14 - 1
Build/Chakra.Build.Default.props

@@ -7,5 +7,18 @@
 
     <!-- Always use Platform SDK for core builds -->
     <EventManifestXmlPath>$(WindowsSDK80Path)Include\um</EventManifestXmlPath>    
-  </PropertyGroup>    
+  </PropertyGroup>
+
+  <!-- Common build settings -->
+  <PropertyGroup>
+    <OptimizedBuild />
+    <OptimizedBuild Condition="'$(Configuration)'=='Release' or '$(Configuration)'=='Test'">true</OptimizedBuild>
+    <NtTargetVersion>$(NtTargetVersion_Win7)</NtTargetVersion>
+
+    <!-- On ARM we depend an API that was added in Win8 timeframe, specifically GetCurrentThreadLimits.
+         Note that for ARM we don't need to support running on Win7, so it's fine to require Win8 as minimum. -->
+    <NtTargetVersion Condition="'$(Platform)'=='ARM' or '$(Platform)'=='Arm64'">$(NtTargetVersion_Win8)</NtTargetVersion>
+
+    <WindowsSDKDesktopARMSupport Condition="'$(Platform)'=='ARM'">true</WindowsSDKDesktopARMSupport>
+  </PropertyGroup>
 </Project>

+ 0 - 12
Build/Common.Build.Default.props

@@ -24,18 +24,6 @@
     <Import Project="$(ChakraDevConfigDir)\Chakra.Build.user.props" Condition="exists('$(ChakraDevConfigDir)\Chakra.Build.user.props')"/>
   </ImportGroup>
 
-  <!-- Common build settings -->
-  <PropertyGroup>
-    <OptimizedBuild />
-    <OptimizedBuild Condition="'$(Configuration)'=='Release' or '$(Configuration)'=='Test'">true</OptimizedBuild>
-    <NtTargetVersion>$(NtTargetVersion_Win7)</NtTargetVersion>
-
-    <!-- On ARM we depend an API that was added in Win8 timeframe, specifically GetCurrentThreadLimits.
-         Note that for ARM we don't need to support running on Win7, so it's fine to require Win8 as minimum. -->
-    <NtTargetVersion Condition="'$(Platform)'=='ARM' or '$(Platform)'=='Arm64'">$(NtTargetVersion_Win8)</NtTargetVersion>
-
-    <WindowsSDKDesktopARMSupport Condition="'$(Platform)'=='ARM'">true</WindowsSDKDesktopARMSupport>
-  </PropertyGroup>
   <PropertyGroup Label="Configuration">
     <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>

+ 17 - 12
lib/JITClient/JITManager.cpp

@@ -23,7 +23,6 @@ JITManager JITManager::s_jitManager = JITManager();
 JITManager::JITManager() :
     m_rpcBindingHandle(nullptr),
     m_rpcServerProcessHandle(nullptr),
-    m_jitProcessId(0),
     m_oopJitEnabled(false),
     m_jitConnectionId()
 {
@@ -46,24 +45,35 @@ JITManager::GetJITManager()
 HRESULT
 JITManager::CreateBinding(
     __in HANDLE serverProcessHandle,
+    __in void * serverSecurityDescriptor,
     __in UUID * connectionUuid,
     __out RPC_BINDING_HANDLE * bindingHandle)
 {
     Assert(JITManager::IsOOPJITEnabled());
 
     RPC_STATUS status;
-    RPC_SECURITY_QOS_V4 securityQOS; // TODO: V5???
     DWORD attemptCount = 0;
     DWORD sleepInterval = 100; // in milliseconds
     RPC_BINDING_HANDLE localBindingHandle;
     RPC_BINDING_HANDLE_TEMPLATE_V1 bindingTemplate;
     RPC_BINDING_HANDLE_SECURITY_V1_W bindingSecurity;
 
+#ifndef NTBUILD
+    RPC_SECURITY_QOS_V4 securityQOS;
     ZeroMemory(&securityQOS, sizeof(RPC_SECURITY_QOS_V4));
     securityQOS.Capabilities = RPC_C_QOS_CAPABILITIES_DEFAULT;
     securityQOS.IdentityTracking = RPC_C_QOS_IDENTITY_DYNAMIC;
     securityQOS.ImpersonationType = RPC_C_IMP_LEVEL_IDENTIFY;
     securityQOS.Version = 4;
+#else
+    RPC_SECURITY_QOS_V5 securityQOS;
+    ZeroMemory(&securityQOS, sizeof(RPC_SECURITY_QOS_V5));
+    securityQOS.Capabilities = RPC_C_QOS_CAPABILITIES_DEFAULT;
+    securityQOS.IdentityTracking = RPC_C_QOS_IDENTITY_DYNAMIC;
+    securityQOS.ImpersonationType = RPC_C_IMP_LEVEL_IDENTIFY;
+    securityQOS.Version = 5;
+    securityQOS.ServerSecurityDescriptor = serverSecurityDescriptor;
+#endif // NTBUILD
 
     ZeroMemory(&bindingTemplate, sizeof(bindingTemplate));
     bindingTemplate.Version = 1;
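Review bot: In the `#ifndef NTBUILD` branch the new `serverSecurityDescriptor` argument is never used, so a caller that supplies a descriptor gets a binding with no server-identity check and no sign that it was dropped. The parameter is also declared `__in` here while `ConnectRpcServer` forwards an `__in_opt` pointer, so NULL can reach it; I would annotate it `__in_opt void * serverSecurityDescriptor` in both the definition and the header. On the V4 branch a comment such as `// RPC_SECURITY_QOS_V4 has no ServerSecurityDescriptor; the server identity is not verified in this build` would make the gap explicit. If a descriptor is required for the cross-AppContainer case, returning an error when one is passed in that branch would be safer than ignoring it. CreateBinding's body continues outside the hunk.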
@@ -183,7 +193,7 @@ JITManager::GetJITTargetHandle() const
 }
 
 HRESULT
-JITManager::ConnectRpcServer(DWORD proccessId, UUID connectionUuid)
+JITManager::ConnectRpcServer(__in HANDLE jitProcessHandle, __in_opt void* serverSecurityDescriptor, __in UUID connectionUuid)
 {
     Assert(JITManager::IsOOPJITEnabled());
 
@@ -192,7 +202,7 @@ JITManager::ConnectRpcServer(DWORD proccessId, UUID connectionUuid)
     WCHAR* connectionUuidString = nullptr;
     RPC_BINDING_HANDLE localBindingHandle;
 
-    if (IsConnected() && (proccessId != m_jitProcessId || connectionUuid != m_jitConnectionId))
+    if (IsConnected() && (connectionUuid != m_jitConnectionId))
     {
         return E_FAIL;
     }
@@ -203,9 +213,7 @@ JITManager::ConnectRpcServer(DWORD proccessId, UUID connectionUuid)
         return hr;
     }
 
-    localServerProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, proccessId);
-
-    hr = CreateBinding(localServerProcessHandle, &connectionUuid, &localBindingHandle);
+    hr = CreateBinding(jitProcessHandle, serverSecurityDescriptor, &connectionUuid, &localBindingHandle);
     if (FAILED(hr))
     {
         CloseHandle(localServerProcessHandle);
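Review bot: `localServerProcessHandle` is no longer assigned anywhere in the visible hunks now that the `OpenProcess` call is removed. It is still passed to `CloseHandle` on this failure path and after the failed `DuplicateHandle`, and it is stored in `m_rpcServerProcessHandle` on success. Its declaration is outside the hunk, so whether it is initialised cannot be seen here; if it is not, these are uses of an indeterminate handle value, and `CloseHandle` on such a value can close an unrelated handle. Either drop the variable and the `CloseHandle(localServerProcessHandle)` calls, or initialise it explicitly with `HANDLE localServerProcessHandle = nullptr;` and decide what `m_rpcServerProcessHandle` should hold now that the process handle comes from the caller.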
@@ -213,10 +221,9 @@ JITManager::ConnectRpcServer(DWORD proccessId, UUID connectionUuid)
     }
 
     HANDLE targetHandle;
-    HANDLE jitProcHandle = OpenProcess(PROCESS_DUP_HANDLE, FALSE, proccessId);
     BOOL succeeded = DuplicateHandle(
         GetCurrentProcess(), GetCurrentProcess(),
-        jitProcHandle, &targetHandle,
+        jitProcessHandle, &targetHandle,
         NULL, FALSE, DUPLICATE_SAME_ACCESS);
 
     if (!succeeded)
@@ -224,14 +231,13 @@ JITManager::ConnectRpcServer(DWORD proccessId, UUID connectionUuid)
         CloseHandle(localServerProcessHandle);
         return HRESULT_FROM_WIN32(GetLastError());
     }
-    if (!CloseHandle(jitProcHandle))
+    if (!CloseHandle(jitProcessHandle))
     {
         return HRESULT_FROM_WIN32(GetLastError());
     }
     m_targetHandle = targetHandle;
     m_rpcBindingHandle = localBindingHandle;
     m_rpcServerProcessHandle = localServerProcessHandle;
-    m_jitProcessId = proccessId;
     m_jitConnectionId = connectionUuid;
 
     return hr;
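Review bot: `CloseHandle(jitProcessHandle)` closes a handle the caller passed in, but only on the success path; the earlier `FAILED(hr)` and `!succeeded` returns leave it open, so ownership depends on the result. If that `CloseHandle` fails, the function also returns without releasing `targetHandle` or `localBindingHandle`. I would pick one contract and state it on the declaration, for example `// Takes ownership of jitProcessHandle and closes it on every path`, or leave closing to the caller. The handle now also has to arrive with `PROCESS_DUP_HANDLE` access for the `DuplicateHandle` call in the preceding hunk, which the removed `OpenProcess` used to guarantee; a comment naming the required access right would help callers grant no more than that.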
@@ -279,7 +285,6 @@ JITManager::DisconnectRpcServer()
     m_targetHandle = nullptr;
     m_rpcBindingHandle = nullptr;
     m_rpcServerProcessHandle = nullptr;
-    m_jitProcessId = 0;
     m_jitConnectionId = {0};
 
     return hr;

+ 2 - 2
lib/JITClient/JITManager.h

@@ -8,7 +8,7 @@
 class JITManager
 {
 public:
-    HRESULT ConnectRpcServer(__in DWORD processId, __in UUID connectionUuid);
+    HRESULT ConnectRpcServer(__in HANDLE jitProcessHandle, __in_opt void* serverSecurityDescriptor, __in UUID connectionUuid);
 
     bool IsConnected() const;
     bool IsOOPJITEnabled() const;
@@ -66,13 +66,13 @@ private:
 
     HRESULT JITManager::CreateBinding(
         __in HANDLE serverProcessHandle,
+        __in void* serverSecurityDescriptor,
         __in UUID* connectionUuid,
         __out RPC_BINDING_HANDLE* bindingHandle);
 
     RPC_BINDING_HANDLE m_rpcBindingHandle;
     HANDLE m_rpcServerProcessHandle;
     HANDLE m_targetHandle;
-    DWORD m_jitProcessId;
     UUID m_jitConnectionId;
     bool m_oopJitEnabled;
 

+ 16 - 3
lib/JITServer/JITServer.cpp

@@ -7,7 +7,9 @@
 
 __declspec(dllexport)
 HRESULT JsInitializeRpcServer(
-    __in UUID* connectionUuid)
+    __in UUID* connectionUuid,
+    __in_opt void* securityDescriptor,
+    __in_opt void* alpcSecurityDescriptor)
 {
     RPC_STATUS status;
     RPC_BINDING_VECTOR* bindingVector = NULL;
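Review bot: The two new `void*` parameters are undocumented and easy to swap at a call site, since both are optional security descriptors of the same type. A short comment above the export would help, for example `// securityDescriptor: access check for the RPC interface (used in NTBUILD only)` and `// alpcSecurityDescriptor: applied to the ncalrpc endpoint; NULL keeps the default`. The second description is inferred from the call in the next hunk, whose function name is not visible, so please confirm it. Typing them as `PSECURITY_DESCRIPTOR` instead of `void*` would also make the intent visible in the signature. The function body continues outside the hunk.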
@@ -20,12 +22,13 @@ HRESULT JsInitializeRpcServer(
         L"ncalrpc",
         RPC_C_PROTSEQ_MAX_REQS_DEFAULT,
         NULL,
-        NULL);
+        alpcSecurityDescriptor);
     if (status != RPC_S_OK)
     {
         return status;
     }
 
+#ifndef NTBUILD
     status = RpcServerRegisterIf2(
         ServerIChakraJIT_v0_0_s_ifspec,
         NULL,
@@ -34,7 +37,17 @@ HRESULT JsInitializeRpcServer(
         RPC_C_LISTEN_MAX_CALLS_DEFAULT,
         (ULONG)-1,
         NULL);
-
+#else
+    status = RpcServerRegisterIf3(
+        ServerIChakraJIT_v0_0_s_ifspec,
+        NULL,
+        NULL,
+        RPC_IF_AUTOLISTEN,
+        RPC_C_LISTEN_MAX_CALLS_DEFAULT,
+        (ULONG)-1,
+        NULL,
+        securityDescriptor);
+#endif
     if (status != RPC_S_OK)
     {
         return status;
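Review bot: Outside `NTBUILD` the `securityDescriptor` argument is ignored: `RpcServerRegisterIf2` is still called with a NULL callback and takes no descriptor, so the interface gets no access check in that build even when the host passes one. In the `NTBUILD` branch the interface callback is also NULL and `securityDescriptor` is `__in_opt`, so a NULL descriptor registers the interface with no caller restriction from this function. If NULL is meant only for the same-container case, a comment saying so would help, for example `// NULL descriptor: no interface-level access check; only valid when client and server share a container`, and the non-`NTBUILD` branch should at least note that the descriptor is unused. Separately, `return status;` returns an `RPC_STATUS` as an `HRESULT`, so a non-zero status is a positive value that passes `SUCCEEDED()`; `return HRESULT_FROM_WIN32(status);` would be safer, though that line predates this commit.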

+ 2 - 2
lib/Runtime/Base/ThreadContext.cpp

@@ -1910,7 +1910,7 @@ ThreadContext::IsInAsyncHostOperation() const
 #endif
 
 void
-ThreadContext::SetJITConnectionInfo(DWORD processId, UUID connectionId)
+ThreadContext::SetJITConnectionInfo(HANDLE processHandle, void* serverSecurityDescriptor, UUID connectionId)
 {
     Assert(JITManager::GetJITManager()->IsOOPJITEnabled());
     if (m_remoteThreadContextInfo)
@@ -1919,7 +1919,7 @@ ThreadContext::SetJITConnectionInfo(DWORD processId, UUID connectionId)
     }
     if (!JITManager::GetJITManager()->IsConnected())
     {
-        HRESULT hr = JITManager::GetJITManager()->ConnectRpcServer(processId, connectionId);
+        HRESULT hr = JITManager::GetJITManager()->ConnectRpcServer(processHandle, serverSecurityDescriptor, connectionId);
         if (FAILED(hr))
         {
             // TODO: michhol OOP JIT is this correct?
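Review bot: When `IsConnected()` is already true, `processHandle` is never passed to `ConnectRpcServer`, which is the only place in this commit that closes it, so on that path the handle stays open unless the caller closes it. The same holds when `ConnectRpcServer` fails, because it closes the handle only on success. The declaration in ThreadContext.h should state who owns the handle, for example `// processHandle is consumed only if a new connection is made; otherwise the caller must close it`, or the function should close it on the paths that do not connect. The function starts and ends outside the hunk, so any handling after the `FAILED(hr)` check is not visible here.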

+ 1 - 1
lib/Runtime/Base/ThreadContext.h

@@ -534,7 +534,7 @@ private:
     intptr_t m_remoteThreadContextInfo;
 
 public:
-    void SetJITConnectionInfo(DWORD processId, UUID connectionId);
+    void SetJITConnectionInfo(HANDLE processHandle, void* serverSecurityDescriptor, UUID connectionId);
 
     intptr_t GetRemoteThreadContextAddr() const
     {