Bug 1488439: Part 1 - Replace Windows temp folder in sandboxed plugin process (r=bobowen,erahm)

The sandbox blocks GetTempFileName's prior response, causing the system to end up searching a number of (inaccessible) folders to use as a replacement for the temp folder. This patch provides a path to a new folder on the command line for the plugin process. This new temp folder, specific to this plugin process instance, is then communicated to the system via the TEMP/TMP environment variables. This is similar to what is done for the content process but avoids nsDirectoryService, which doesn't exist in plugin processes. Differential Revision: https://phabricator.services.mozilla.com/D7532 --HG-- extra : moz-landing-system : lando
2024-11-28 15:23:51 +00:00 · 2018-10-12 17:40:10 +00:00 · 2018-10-12 17:40:10 +00:00 · 1ad569c6b1
commit 1ad569c6b1
parent edbc4c6715
7 changed files with 184 additions and 39 deletions
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@ -1099,12 +1099,15 @@ pref("security.sandbox.pledge.content", "stdio rpath wpath cpath inet recvfd sen
 #endif
 #endif

-#if defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
+#if defined(MOZ_SANDBOX)
+#if defined(MOZ_CONTENT_SANDBOX)
 // ID (a UUID when set by gecko) that is used to form the name of a
 // sandbox-writable temporary directory to be used by content processes
 // when a temporary writable file is required in a level 1 sandbox.
 pref("security.sandbox.content.tempDirSuffix", "");
 #endif
+pref("security.sandbox.plugin.tempDirSuffix", "");
+#endif

 #if defined(MOZ_SANDBOX)
 // This pref determines if messages relevant to sandbox violations are
--- a/dom/plugins/ipc/PluginProcessChild.cpp
+++ b/dom/plugins/ipc/PluginProcessChild.cpp
@ -29,6 +29,8 @@ extern "C" CGError CGSSetDebugOptions(int options);
 #ifdef XP_WIN
 #if defined(MOZ_SANDBOX)
 #include "mozilla/sandboxTarget.h"
+#include "ProcessUtils.h"
+#include "nsDirectoryService.h"
 #endif
 #endif

@ -41,6 +43,21 @@ using mozilla::ipc::IOThreadChild;
 namespace mozilla {
 namespace plugins {

+#if defined(XP_WIN) && defined(MOZ_SANDBOX)
+static void
+SetSandboxTempPath(const std::wstring& aFullTmpPath)
+{
+  // Save the TMP environment variable so that is is picked up by GetTempPath().
+  // Note that we specifically write to the TMP variable, as that is the first
+  // variable that is checked by GetTempPath() to determine its output.
+  Unused << NS_WARN_IF(!SetEnvironmentVariableW(L"TMP", aFullTmpPath.c_str()));
+
+  // We also set TEMP in case there is naughty third-party code that is
+  // referencing the environment variable directly.
+  Unused << NS_WARN_IF(!SetEnvironmentVariableW(L"TEMP", aFullTmpPath.c_str()));
+}
+#endif
+
 bool
 PluginProcessChild::Init(int aArgc, char* aArgv[])
 {
@ -119,6 +136,9 @@ PluginProcessChild::Init(int aArgc, char* aArgv[])
        CommandLine::ForCurrentProcess()->GetLooseValues();
    MOZ_ASSERT(values.size() >= 1, "not enough loose args");

+    // parameters are:
+    // values[0] is path to plugin DLL
+    // values[1] is path to folder that should be used for temp files
    pluginFilename = WideToUTF8(values[0]);

    // We don't initialize XPCOM but we need the thread manager and the
@ -130,6 +150,12 @@ PluginProcessChild::Init(int aArgc, char* aArgv[])
    nsThreadManager::get().Init();

 #if defined(MOZ_SANDBOX)
+    MOZ_ASSERT(values.size() >= 2, "not enough loose args for sandboxed plugin process");
+
+    // The sandbox closes off the default location temp file location so we set
+    // a new one here (regardless of whether or not we are sandboxing).
+    SetSandboxTempPath(values[1]);
+
    // This is probably the earliest we would want to start the sandbox.
    // As we attempt to tighten the sandbox, we may need to consider moving this
    // to later in the plugin initialization.
--- a/dom/plugins/ipc/PluginProcessParent.cpp
+++ b/dom/plugins/ipc/PluginProcessParent.cpp
@ -9,6 +9,11 @@
 #include "base/string_util.h"
 #include "base/process_util.h"

+#include "nsAppDirectoryServiceDefs.h"
+#include "nsDirectoryServiceDefs.h"
+#include "nsIProperties.h"
+#include "nsServiceManagerUtils.h"
+
 #include "mozilla/ipc/BrowserProcessSubThread.h"
 #include "mozilla/plugins/PluginMessageUtils.h"
 #include "mozilla/Telemetry.h"
@ -88,6 +93,27 @@ PluginProcessParent::Launch(mozilla::UniquePtr<LaunchCompleteTask> aLaunchComple
            args.push_back("-flashSandboxLogging");
        }
    }
+#elseif defined(XP_WIN) && defined(MOZ_SANDBOX)
+    nsresult rv;
+    nsCOMPtr<nsIProperties> dirSvc =
+      do_GetService(NS_DIRECTORY_SERVICE_CONTRACTID, &rv);
+    if (NS_FAILED(rv)) {
+      MOZ_ASSERT(false, "Failed to get directory service.");
+      return false;
+    }
+
+    nsCOMPtr<nsIFile> dir;
+    rv =
+      dirSvc->Get(NS_APP_PLUGIN_PROCESS_TEMP_DIR, NS_GET_IID(nsIFile),
+                  getter_AddRefs(dir));
+    if (NS_FAILED(rv)) {
+      NS_WARNING("Failed to get plugin process temp directory.");
+      return false;
+    }
+
+    nsAutoString tempDir;
+    MOZ_ALWAYS_SUCCEEDS(dir->GetPath(tempDir));
+    args.push_back(NS_ConvertUTF16toUTF8(tempDir).get());
 #endif

    bool result = AsyncLaunch(args);
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@ -44,6 +44,7 @@ bool SandboxBroker::sRunningFromNetworkDrive = false;
 static UniquePtr<nsString> sBinDir;
 static UniquePtr<nsString> sProfileDir;
 static UniquePtr<nsString> sContentTempDir;
+static UniquePtr<nsString> sPluginTempDir;
 static UniquePtr<nsString> sRoamingAppDataDir;
 static UniquePtr<nsString> sLocalAppDataDir;
 static UniquePtr<nsString> sUserExtensionsDevDir;
@ -115,6 +116,7 @@ SandboxBroker::GeckoDependentInitialize()
  CacheDirAndAutoClear(dirSvc, NS_GRE_DIR, &sBinDir);
  CacheDirAndAutoClear(dirSvc, NS_APP_USER_PROFILE_50_DIR, &sProfileDir);
  CacheDirAndAutoClear(dirSvc, NS_APP_CONTENT_PROCESS_TEMP_DIR, &sContentTempDir);
+  CacheDirAndAutoClear(dirSvc, NS_APP_PLUGIN_PROCESS_TEMP_DIR, &sPluginTempDir);
  CacheDirAndAutoClear(dirSvc, NS_WIN_APPDATA_DIR, &sRoamingAppDataDir);
  CacheDirAndAutoClear(dirSvc, NS_WIN_LOCAL_APPDATA_DIR, &sLocalAppDataDir);
  CacheDirAndAutoClear(dirSvc, XRE_USER_SYS_EXTENSION_DEV_DIR, &sUserExtensionsDevDir);
@ -699,11 +701,6 @@ SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel)
    delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_MEDIUM;
  }

-#ifndef NIGHTLY_BUILD
-  // We are experimenting with using restricting SIDs in the nightly builds
-  mPolicy->SetDoNotUseRestrictingSIDs();
-#endif
-
  sandbox::ResultCode result = SetJobLevel(mPolicy, jobLevel,
                                           0 /* ui_exceptions */);
  SANDBOX_ENSURE_SUCCESS(result,
@ -749,6 +746,15 @@ SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel)
  SANDBOX_ENSURE_SUCCESS(result,
                         "Invalid flags for SetDelayedProcessMitigations.");

+#ifndef NIGHTLY_BUILD
+  // We are experimenting with using restricting SIDs in the nightly builds
+  mPolicy->SetDoNotUseRestrictingSIDs();
+#else
+  // Add rule to allow read / write access to a special plugin temp dir.
+  AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_ANY,
+                   sPluginTempDir, NS_LITERAL_STRING("\\*"));
+#endif
+
  if (aSandboxLevel >= 2) {
    // Level 2 and above uses low integrity, so we need to give write access to
    // the Flash directories.
--- a/toolkit/xre/nsXREDirProvider.cpp
+++ b/toolkit/xre/nsXREDirProvider.cpp
@ -82,11 +82,11 @@
 #define PREF_OVERRIDE_DIRNAME "preferences"

 #if defined(MOZ_CONTENT_SANDBOX)
-static already_AddRefed<nsIFile> GetContentProcessSandboxTempDir();
+static already_AddRefed<nsIFile> GetProcessSandboxTempDir(GeckoProcessType type);
 static nsresult DeleteDirIfExists(nsIFile *dir);
 static bool IsContentSandboxDisabled();
-static const char* GetContentProcessTempBaseDirKey();
-static already_AddRefed<nsIFile> CreateContentProcessSandboxTempDir();
+static const char* GetProcessTempBaseDirKey();
+static already_AddRefed<nsIFile> CreateProcessSandboxTempDir(GeckoProcessType procType);
 #endif

 nsXREDirProvider* gDirServiceProvider = nullptr;
@ -526,7 +526,15 @@ nsXREDirProvider::GetFile(const char* aProperty, bool* aPersistent,
    }
    rv = mContentTempDir->Clone(getter_AddRefs(file));
  }
-#endif // defined(XP_WIN) && defined(MOZ_CONTENT_SANDBOX)
+#endif // defined(MOZ_CONTENT_SANDBOX)
+#if defined(MOZ_SANDBOX)
+  else if (0 == strcmp(aProperty, NS_APP_PLUGIN_PROCESS_TEMP_DIR)) {
+    if (!mPluginTempDir && NS_FAILED((rv = LoadPluginProcessTempDir()))) {
+      return rv;
+    }
+    rv = mPluginTempDir->Clone(getter_AddRefs(file));
+  }
+#endif // defined(MOZ_SANDBOX)
  else if (NS_SUCCEEDED(GetProfileStartupDir(getter_AddRefs(file)))) {
    // We need to allow component, xpt, and chrome registration to
    // occur prior to the profile-after-change notification.
@ -666,10 +674,10 @@ nsXREDirProvider::GetFiles(const char* aProperty, nsISimpleEnumerator** aResult)
  return NS_SUCCESS_AGGREGATE_RESULT;
 }

-#if defined(MOZ_CONTENT_SANDBOX)
+#if defined(MOZ_SANDBOX)

 static const char*
-GetContentProcessTempBaseDirKey()
+GetProcessTempBaseDirKey()
 {
 #if defined(XP_WIN)
  return NS_WIN_LOW_INTEGRITY_TEMP_BASE;
@ -678,6 +686,7 @@ GetContentProcessTempBaseDirKey()
 #endif
 }

+#if defined(MOZ_CONTENT_SANDBOX)
 //
 // Sets mContentTempDir so that it refers to the appropriate temp dir.
 // If the sandbox is enabled, NS_APP_CONTENT_PROCESS_TEMP_DIR, otherwise
@ -688,10 +697,14 @@ nsXREDirProvider::LoadContentProcessTempDir()
 {
  // The parent is responsible for creating the sandbox temp dir.
  if (XRE_IsParentProcess()) {
-    mContentProcessSandboxTempDir = CreateContentProcessSandboxTempDir();
+    mContentProcessSandboxTempDir =
+      CreateProcessSandboxTempDir(GeckoProcessType_Content);
    mContentTempDir = mContentProcessSandboxTempDir;
  } else {
-    mContentTempDir = GetContentProcessSandboxTempDir();
+    mContentTempDir =
+      !IsContentSandboxDisabled() ?
+        GetProcessSandboxTempDir(GeckoProcessType_Content) :
+        nullptr;
  }

  if (!mContentTempDir) {
@ -713,6 +726,45 @@ nsXREDirProvider::LoadContentProcessTempDir()

  return NS_OK;
 }
+#endif
+
+//
+// Sets mPluginTempDir so that it refers to the appropriate temp dir.
+// If NS_APP_PLUGIN_PROCESS_TEMP_DIR fails for any reason, NS_OS_TEMP_DIR
+// is used.
+//
+nsresult
+nsXREDirProvider::LoadPluginProcessTempDir()
+{
+  // The parent is responsible for creating the sandbox temp dir.
+  if (XRE_IsParentProcess()) {
+    mPluginProcessSandboxTempDir =
+      CreateProcessSandboxTempDir(GeckoProcessType_Plugin);
+    mPluginTempDir = mPluginProcessSandboxTempDir;
+  } else {
+    MOZ_ASSERT(XRE_IsPluginProcess());
+    mPluginTempDir = GetProcessSandboxTempDir(GeckoProcessType_Plugin);
+  }
+
+  if (!mPluginTempDir) {
+    nsresult rv = NS_GetSpecialDirectory(NS_OS_TEMP_DIR,
+                                         getter_AddRefs(mPluginTempDir));
+    if (NS_WARN_IF(NS_FAILED(rv))) {
+      return rv;
+    }
+  }
+
+#if defined(XP_WIN)
+  // The temp dir is used in sandbox rules, so we need to make sure
+  // it doesn't contain any junction points or symlinks or the sandbox will
+  // reject those rules.
+  if (!mozilla::widget::WinUtils::ResolveJunctionPointsAndSymLinks(mPluginTempDir)) {
+    NS_WARNING("Failed to resolve plugin temp dir.");
+  }
+#endif
+
+  return NS_OK;
+}

 static bool
 IsContentSandboxDisabled()
@ -721,28 +773,30 @@ IsContentSandboxDisabled()
 }

 //
-// If a content process sandbox temp dir is to be used, returns an nsIFile
-// for the directory. Returns null if the content sandbox is disabled or
-// an error occurs.
+// If a process sandbox temp dir is to be used, returns an nsIFile
+// for the directory. Returns null if an error occurs.
 //
 static already_AddRefed<nsIFile>
-GetContentProcessSandboxTempDir()
+GetProcessSandboxTempDir(GeckoProcessType type)
 {
-  if (IsContentSandboxDisabled()) {
-    return nullptr;
-  }
-
  nsCOMPtr<nsIFile> localFile;

-  nsresult rv = NS_GetSpecialDirectory(GetContentProcessTempBaseDirKey(),
+  nsresult rv = NS_GetSpecialDirectory(GetProcessTempBaseDirKey(),
                                       getter_AddRefs(localFile));
  if (NS_WARN_IF(NS_FAILED(rv))) {
    return nullptr;
  }

+  MOZ_ASSERT((type == GeckoProcessType_Content) ||
+             (type == GeckoProcessType_Plugin));
+
+  const char* prefKey =
+    (type == GeckoProcessType_Content) ?
+      "security.sandbox.content.tempDirSuffix" :
+      "security.sandbox.plugin.tempDirSuffix";
+
  nsAutoString tempDirSuffix;
-  rv = Preferences::GetString("security.sandbox.content.tempDirSuffix",
-                              tempDirSuffix);
+  rv = Preferences::GetString(prefKey, tempDirSuffix);
  if (NS_WARN_IF(NS_FAILED(rv)) || tempDirSuffix.IsEmpty()) {
    return nullptr;
  }
@ -756,23 +810,33 @@ GetContentProcessSandboxTempDir()
 }

 //
-// Create a temporary directory for use from sandboxed content processes.
+// Create a temporary directory for use from sandboxed processes.
 // Only called in the parent. The path is derived from a UUID stored in a
-// pref which is available to content processes. Returns null if the
-// content sandbox is disabled or if an error occurs.
+// pref which is available to content and plugin processes. Returns null
+// if the content sandbox is disabled or if an error occurs.
 //
 static already_AddRefed<nsIFile>
-CreateContentProcessSandboxTempDir()
+CreateProcessSandboxTempDir(GeckoProcessType procType)
 {
-  if (IsContentSandboxDisabled()) {
+#if defined(MOZ_CONTENT_SANDBOX)
+  if ((procType == GeckoProcessType_Content) &&
+      IsContentSandboxDisabled()) {
    return nullptr;
  }
+#endif
+
+  MOZ_ASSERT((procType == GeckoProcessType_Content) ||
+             (procType == GeckoProcessType_Plugin));

  // Get (and create if blank) temp directory suffix pref.
+  const char* pref =
+    (procType == GeckoProcessType_Content) ?
+      "security.sandbox.content.tempDirSuffix" :
+      "security.sandbox.plugin.tempDirSuffix";
+
  nsresult rv;
  nsAutoString tempDirSuffix;
-  Preferences::GetString("security.sandbox.content.tempDirSuffix",
-                         tempDirSuffix);
+  Preferences::GetString(pref, tempDirSuffix);
  if (tempDirSuffix.IsEmpty()) {
    nsCOMPtr<nsIUUIDGenerator> uuidgen =
      do_GetService("@mozilla.org/uuid-generator;1", &rv);
@ -796,8 +860,7 @@ CreateContentProcessSandboxTempDir()
 #endif

    // Save the pref
-    rv = Preferences::SetString("security.sandbox.content.tempDirSuffix",
-                                tempDirSuffix);
+    rv = Preferences::SetString(pref, tempDirSuffix);
    if (NS_WARN_IF(NS_FAILED(rv))) {
      // If we fail to save the pref we don't want to create the temp dir,
      // because we won't be able to clean it up later.
@ -816,7 +879,7 @@ CreateContentProcessSandboxTempDir()
    }
  }

-  nsCOMPtr<nsIFile> sandboxTempDir = GetContentProcessSandboxTempDir();
+  nsCOMPtr<nsIFile> sandboxTempDir = GetProcessSandboxTempDir(procType);
  if (!sandboxTempDir) {
    NS_WARNING("Failed to determine sandbox temp dir path.");
    return nullptr;
@ -854,7 +917,7 @@ DeleteDirIfExists(nsIFile* dir)
  return NS_OK;
 }

-#endif // defined(MOZ_CONTENT_SANDBOX)
+#endif // defined(MOZ_SANDBOX)

 static const char *const kAppendPrefDir[] = { "defaults", "preferences", nullptr };

@ -1074,6 +1137,11 @@ nsXREDirProvider::DoStartup()
    if (!mContentTempDir) {
      mozilla::Unused << NS_WARN_IF(NS_FAILED(LoadContentProcessTempDir()));
    }
+#endif
+#if defined(MOZ_SANDBOX)
+    if (!mPluginTempDir) {
+      mozilla::Unused << NS_WARN_IF(NS_FAILED(LoadPluginProcessTempDir()));
+    }
 #endif
  }
  return NS_OK;
@ -1107,11 +1175,14 @@ nsXREDirProvider::DoShutdown()
    mProfileNotified = false;
  }

-#if defined(MOZ_CONTENT_SANDBOX)
  if (XRE_IsParentProcess()) {
+#if defined(MOZ_CONTENT_SANDBOX)
    Unused << DeleteDirIfExists(mContentProcessSandboxTempDir);
-  }
 #endif
+#if defined(MOZ_SANDBOX)
+    Unused << DeleteDirIfExists(mPluginProcessSandboxTempDir);
+#endif
+  }
 }

 #ifdef XP_WIN
--- a/toolkit/xre/nsXREDirProvider.h
+++ b/toolkit/xre/nsXREDirProvider.h
@ -129,6 +129,9 @@ protected:
  // Load the temp directory for sandboxed content processes
  nsresult LoadContentProcessTempDir();
 #endif
+#if defined(MOZ_SANDBOX)
+  nsresult LoadPluginProcessTempDir();
+#endif

  void Append(nsIFile* aDirectory);

@ -146,6 +149,10 @@ protected:
 #if defined(MOZ_CONTENT_SANDBOX)
  nsCOMPtr<nsIFile>      mContentTempDir;
  nsCOMPtr<nsIFile>      mContentProcessSandboxTempDir;
+#endif
+#if defined(MOZ_SANDBOX)
+  nsCOMPtr<nsIFile>      mPluginTempDir;
+  nsCOMPtr<nsIFile>      mPluginProcessSandboxTempDir;
 #endif
  nsCOMArray<nsIFile>    mAppBundleDirectories;
 };
--- a/xpcom/io/nsAppDirectoryServiceDefs.h
+++ b/xpcom/io/nsAppDirectoryServiceDefs.h
@ -103,6 +103,12 @@
 #else
 // Otherwise NS_APP_CONTENT_PROCESS_TEMP_DIR must match NS_OS_TEMP_DIR.
 #define NS_APP_CONTENT_PROCESS_TEMP_DIR         "TmpD"
-#endif // (defined(XP_WIN) || defined(XP_MACOSX)) && defined(MOZ_CONTENT_SANDBOX)
+#endif // defined(MOZ_CONTENT_SANDBOX)
+
+#if defined(MOZ_SANDBOX)
+#define NS_APP_PLUGIN_PROCESS_TEMP_DIR          "PluginTmpD"
+#else
+#define NS_APP_PLUGIN_PROCESS_TEMP_DIR          "TmpD"
+#endif

 #endif // nsAppDirectoryServiceDefs_h___