Backed out changeset 8a71f6e05783 (bug 1393287) for Hazard Build Bustage. r=backout on a CLOSED TREE

Csoregi Natalia 2017-12-19 02:49:50 +02:00
parent c9ff031c33
commit 0393c9235f
2 changed files with 26 additions and 65 deletions


@ -78,7 +78,7 @@ __sanitizer_sandbox_on_notify(__sanitizer_sandbox_arguments *args);
#endif // MOZ_ASAN
// Signal number used to enable seccomp on each thread.
mozilla::Atomic<int> gSeccompTsyncBroadcastSignum(0);
int gSeccompTsyncBroadcastSignum = 0;
namespace mozilla {
@ -336,7 +336,6 @@ BroadcastSetThreadSandbox(const sock_fprog* aFilter)
// itself, repeat iterating over all threads until we find none
// that are still privileged.
bool sandboxProgress;
const int tsyncSignum = gSeccompTsyncBroadcastSignum;
do {
sandboxProgress = false;
// For each thread...
@ -353,11 +352,11 @@ BroadcastSetThreadSandbox(const sock_fprog* aFilter)
continue;
}
MOZ_RELEASE_ASSERT(tsyncSignum != 0);
MOZ_RELEASE_ASSERT(gSeccompTsyncBroadcastSignum != 0);
// Reset the futex cell and signal.
gSetSandboxDone = 0;
if (syscall(__NR_tgkill, pid, tid, tsyncSignum) != 0) {
if (syscall(__NR_tgkill, pid, tid, gSeccompTsyncBroadcastSignum) != 0) {
if (errno == ESRCH) {
SANDBOX_LOG_ERROR("Thread %d unexpectedly exited.", tid);
// Rescan threads, in case it forked before exiting.
@ -429,14 +428,14 @@ BroadcastSetThreadSandbox(const sock_fprog* aFilter)
} while (sandboxProgress);
void (*oldHandler)(int);
oldHandler = signal(tsyncSignum, SIG_DFL);
oldHandler = signal(gSeccompTsyncBroadcastSignum, SIG_DFL);
gSeccompTsyncBroadcastSignum = 0;
if (oldHandler != SetThreadSandboxHandler) {
// See the comment on FindFreeSignalNumber about race conditions.
SANDBOX_LOG_ERROR("handler for signal %d was changed to %p!",
tsyncSignum, oldHandler);
gSeccompTsyncBroadcastSignum, oldHandler);
MOZ_CRASH();
}
gSeccompTsyncBroadcastSignum = 0;
Unused << closedir(taskdp);
// And now, deprivilege the main thread:
SetThreadSandbox();
@ -586,19 +585,18 @@ SandboxEarlyInit(GeckoProcessType aType)
// If TSYNC is not supported, set up signal handler
// used to enable seccomp on each thread.
if (!info.Test(SandboxInfo::kHasSeccompTSync)) {
const int tsyncSignum = FindFreeSignalNumber();
if (tsyncSignum == 0) {
gSeccompTsyncBroadcastSignum = FindFreeSignalNumber();
if (gSeccompTsyncBroadcastSignum == 0) {
SANDBOX_LOG_ERROR("No available signal numbers!");
MOZ_CRASH();
}
gSeccompTsyncBroadcastSignum = tsyncSignum;
void (*oldHandler)(int);
oldHandler = signal(tsyncSignum, SetThreadSandboxHandler);
oldHandler = signal(gSeccompTsyncBroadcastSignum, SetThreadSandboxHandler);
if (oldHandler != SIG_DFL) {
// See the comment on FindFreeSignalNumber about race conditions.
SANDBOX_LOG_ERROR("signal %d in use by handler %p!\n",
tsyncSignum, oldHandler);
gSeccompTsyncBroadcastSignum, oldHandler);
MOZ_CRASH();
}
}
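Review bot: With the `mozilla::Atomic<int>` wrapper gone, the restored plain `int gSeccompTsyncBroadcastSignum` is stored to (`gSeccompTsyncBroadcastSignum = 0;` after the handler check at the end of BroadcastSetThreadSandbox) while other threads are still running, and the same global is read with no synchronization by the sigprocmask/pthread_sigmask hook in the second file of this commit, which makes it a data race on a non-atomic int (undefined behaviour under the C++ memory model and a TSan report). The ordering is presumably benign in practice because the store only happens after every thread has been signalled and the handler reset to SIG_DFL, but a reland should keep the atomic type together with the one-time snapshot `const int tsyncSignum = gSeccompTsyncBroadcastSignum;` so the tgkill loop, the release assert and the two log messages all use one consistent value instead of re-reading the global. Until then the declaration deserves a comment, e.g. `// Read without synchronization by the sigprocmask/pthread_sigmask hooks; set in SandboxEarlyInit and cleared at the end of BroadcastSetThreadSandbox.` Both BroadcastSetThreadSandbox and SandboxEarlyInit begin and end outside these hunks.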


@ -4,52 +4,26 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "mozilla/Atomics.h"
#include "mozilla/Types.h"
#include <dlfcn.h>
#include <signal.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/inotify.h>
// Signal number used to enable seccomp on each thread.
extern mozilla::Atomic<int> gSeccompTsyncBroadcastSignum;
static bool
SigSetNeedsFixup(const sigset_t* aSet)
{
int tsyncSignum = gSeccompTsyncBroadcastSignum;
return aSet != nullptr &&
(sigismember(aSet, SIGSYS) ||
(tsyncSignum != 0 &&
sigismember(aSet, tsyncSignum)));
}
static void
SigSetFixup(sigset_t* aSet)
{
int tsyncSignum = gSeccompTsyncBroadcastSignum;
int rv = sigdelset(aSet, SIGSYS);
MOZ_RELEASE_ASSERT(rv == 0);
if (tsyncSignum != 0) {
rv = sigdelset(aSet, tsyncSignum);
MOZ_RELEASE_ASSERT(rv == 0);
}
}
extern int gSeccompTsyncBroadcastSignum;
// This file defines a hook for sigprocmask() and pthread_sigmask().
// Bug 1176099: some threads block SIGSYS signal which breaks our seccomp-bpf
// sandbox. To avoid this, we intercept the call and remove SIGSYS.
//
// ENOSYS indicates an error within the hook function itself.
static int
HandleSigset(int (*aRealFunc)(int, const sigset_t*, sigset_t*),
int aHow, const sigset_t* aSet,
sigset_t* aOldSet, bool aUseErrno)
static int HandleSigset(int (*aRealFunc)(int, const sigset_t*, sigset_t*),
int aHow, const sigset_t* aSet,
sigset_t* aOldSet, bool aUseErrno)
{
if (!aRealFunc) {
if (aUseErrno) {
@ -61,12 +35,22 @@ HandleSigset(int (*aRealFunc)(int, const sigset_t*, sigset_t*),
}
// Avoid unnecessary work
if (aHow == SIG_UNBLOCK || !SigSetNeedsFixup(aSet)) {
if (aSet == nullptr || aHow == SIG_UNBLOCK) {
return aRealFunc(aHow, aSet, aOldSet);
}
sigset_t newSet = *aSet;
SigSetFixup(&newSet);
if (sigdelset(&newSet, SIGSYS) != 0 ||
(gSeccompTsyncBroadcastSignum &&
sigdelset(&newSet, gSeccompTsyncBroadcastSignum) != 0)) {
if (aUseErrno) {
errno = ENOSYS;
return -1;
}
return ENOSYS;
}
return aRealFunc(aHow, &newSet, aOldSet);
}
@ -88,27 +72,6 @@ pthread_sigmask(int how, const sigset_t* set, sigset_t* oldset)
return HandleSigset(sRealFunc, how, set, oldset, false);
}
extern "C" MOZ_EXPORT int
sigaction(int signum, const struct sigaction* act, struct sigaction* oldact)
{
static auto sRealFunc =
(int (*)(int, const struct sigaction*, struct sigaction*))
dlsym(RTLD_NEXT, "sigaction");
if (!sRealFunc) {
errno = ENOSYS;
return -1;
}
if (act == nullptr || !SigSetNeedsFixup(&act->sa_mask)) {
return sRealFunc(signum, act, oldact);
}
struct sigaction newact = *act;
SigSetFixup(&newact.sa_mask);
return sRealFunc(signum, &newact, oldact);
}
extern "C" MOZ_EXPORT int
inotify_init(void)
{
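Review bot: The restored condition in HandleSigset reads the plain `gSeccompTsyncBroadcastSignum` twice (`gSeccompTsyncBroadcastSignum && sigdelset(&newSet, gSeccompTsyncBroadcastSignum) != 0`), and the first file clears that global to 0 from BroadcastSetThreadSandbox while other threads may be inside this hook; if the first read sees the signal number and the second sees 0, `sigdelset(&newSet, 0)` fails (glibc rejects signal 0 with EINVAL) and the caller's sigprocmask/pthread_sigmask spuriously fails with ENOSYS. The backed-out helpers avoided this by snapshotting the value once; the reland should do the same here, `const int tsyncSignum = gSeccompTsyncBroadcastSignum;` followed by `if (sigdelset(&newSet, SIGSYS) != 0 || (tsyncSignum != 0 && sigdelset(&newSet, tsyncSignum) != 0)) {`, and keep the atomic type for the global. Note also that removing the `sigaction` interposer reopens the gap this hook's header comment describes: a handler installed with SIGSYS in `sa_mask` will again block SIGSYS while it runs, so the comment at the top of the hook should say that only sigprocmask/pthread_sigmask are covered until that interposer lands again.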