Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-11-25 13:51:41 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1399787 - Part 9. Sandbox the PDFium process. r=bobowen,jwatt

Browse Source 
MozReview-Commit-ID: 6ED7EPZvOMR

--HG--
extra : rebase_source : d8ddd2bb3551cf25c0f18151c4340e1f48d659ca
extra : intermediate-source : d90c5064d88a6468c1209f4a78ec7631592eec98
extra : source : 91b761e38efd28a69647c38531f5418fffee8f50
This commit is contained in:
cku 2017-10-18 20:52:45 +08:00
parent ac4237baad
commit 07e7f9f727
5 changed files with 118 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
ipc/glue/GeckoChildProcessHost.cpp
View File

@ -940,6 +940,17 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
shouldSandboxCurrentProcess = true;
}
break;
#ifdef MOZ_ENABLE_SKIA_PDF
case GeckoProcessType_PDFium:
if (!PR_GetEnv("MOZ_DISABLE_PDFIUM_SANDBOX")) {
bool ok = mSandboxBroker.SetSecurityLevelForPDFiumProcess();
if (!ok) {
return false;
}
shouldSandboxCurrentProcess = true;
}
break;
#endif
case GeckoProcessType_IPDLUnitTest:
// XXX: We don't sandbox this process type yet
break;

79
security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
View File

@ -848,6 +848,85 @@ SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel)
return true;
}
#ifdef MOZ_ENABLE_SKIA_PDF
bool
SandboxBroker::SetSecurityLevelForPDFiumProcess()
{
if (!mPolicy) {
return false;
}
auto result = SetJobLevel(mPolicy, sandbox::JOB_LOCKDOWN,
0 /* ui_exceptions */);
SANDBOX_ENSURE_SUCCESS(result,
"SetJobLevel should never fail with these arguments, what happened?");
result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
sandbox::USER_LOCKDOWN);
SANDBOX_ENSURE_SUCCESS(result,
"SetTokenLevel should never fail with these arguments, what happened?");
result = mPolicy->SetAlternateDesktop(true);
SANDBOX_ENSURE_SUCCESS(result,
"Failed to create alternate desktop for sandbox.");
result = mPolicy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
MOZ_ASSERT(sandbox::SBOX_ALL_OK == result,
"SetIntegrityLevel should never fail with these arguments, what happened?");
result =
mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
SANDBOX_ENSURE_SUCCESS(result,
"SetIntegrityLevel should never fail with these arguments, what happened?");
// XXX bug 1412933
// We should also disables win32k for the PDFium process by adding
// MITIGATION_WIN32K_DISABLE flag here after fixing bug 1412933.
sandbox::MitigationFlags mitigations =
sandbox::MITIGATION_BOTTOM_UP_ASLR |
sandbox::MITIGATION_HEAP_TERMINATE |
sandbox::MITIGATION_SEHOP |
sandbox::MITIGATION_DEP_NO_ATL_THUNK |
sandbox::MITIGATION_DEP |
sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL;
if (!sRunningFromNetworkDrive) {
mitigations |= sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE;
}
result = mPolicy->SetProcessMitigations(mitigations);
SANDBOX_ENSURE_SUCCESS(result,
"Invalid flags for SetProcessMitigations.");
mitigations =
sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
sandbox::MITIGATION_DLL_SEARCH_ORDER;
result = mPolicy->SetDelayedProcessMitigations(mitigations);
SANDBOX_ENSURE_SUCCESS(result,
"Invalid flags for SetDelayedProcessMitigations.");
// Add the policy for the client side of a pipe. It is just a file
// in the \pipe\ namespace. We restrict it to pipes that start with
// "chrome." so the sandboxed process cannot connect to system services.
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
sandbox::TargetPolicy::FILES_ALLOW_ANY,
L"\\??\\pipe\\chrome.*");
SANDBOX_ENSURE_SUCCESS(result,
"With these static arguments AddRule should never fail, what happened?");
// The PDFium process needs to be able to duplicate shared memory handles,
// which are Section handles, to the broker process.
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
sandbox::TargetPolicy::HANDLES_DUP_BROKER,
L"Section");
MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
"With these static arguments AddRule should never fail, hat happened?");
return true;
}
#endif
bool
SandboxBroker::SetSecurityLevelForGMPlugin(SandboxLevel aLevel)
{

3
security/sandbox/win/src/sandboxbroker/sandboxBroker.h
View File

@ -48,6 +48,9 @@ public:
void SetSecurityLevelForGPUProcess(int32_t aSandboxLevel);
bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel);
#ifdef MOZ_ENABLE_SKIA_PDF
bool SetSecurityLevelForPDFiumProcess();
#endif
enum SandboxLevel {
LockDown,
Restricted

22
widget/windows/PDFiumProcessChild.cpp
View File

@ -9,6 +9,9 @@
#include "mozilla/BackgroundHangMonitor.h"
#include "mozilla/dom/ContentChild.h"
#include "mozilla/dom/ContentParent.h"
#if defined(MOZ_SANDBOX)
#include "mozilla/sandboxTarget.h"
#endif
using mozilla::ipc::IOThreadChild;
@ -17,17 +20,36 @@ namespace widget {
PDFiumProcessChild::PDFiumProcessChild(ProcessId aParentPid)
: ProcessChild(aParentPid)
#if defined(MOZ_SANDBOX)
, mPDFium(nullptr)
#endif
{
}
PDFiumProcessChild::~PDFiumProcessChild()
{
#if defined(MOZ_SANDBOX)
if (mPDFium) {
PR_UnloadLibrary(mPDFium);
}
#endif
}
bool
PDFiumProcessChild::Init(int aArgc, char* aArgv[])
{
BackgroundHangMonitor::Startup();
#if defined(MOZ_SANDBOX)
// XXX bug 1417000
// We really should load "pdfium.dll" after calling StartSandbox(). For
// an unknown reason, "pdfium.dll" can not be loaded correctly after
// StartSandbox() been called. Temporary preload this library until we fix
// bug 1417000.
mPDFium = PR_LoadLibrary("pdfium.dll");
mozilla::SandboxTarget::Instance()->StartSandbox();
#endif
mPDFiumActor.Init(ParentPid(),IOThreadChild::message_loop(),
IOThreadChild::channel());

3
widget/windows/PDFiumProcessChild.h
View File

@ -33,6 +33,9 @@ private:
DISALLOW_COPY_AND_ASSIGN(PDFiumProcessChild);
PDFiumChild mPDFiumActor;
#if defined(MOZ_SANDBOX)
PRLibrary* mPDFium;
#endif
};
} // namespace widget