From 771b8498b1bba5d3e991c0cd43fdf13ed883d104 Mon Sep 17 00:00:00 2001
From: Jed Davis <jld@mozilla.com>
Date: Mon, 29 Jun 2020 22:32:05 +0000
Subject: [PATCH] Bug 1644917 - Part 1: Construct content sandbox "common"
 policy lazily. r=gcp

When the SandboxBrokerPolicyFactory is constructed, prefs aren't
available, which constrains the cached subset of the content process
policy to entries that don't depend on prefs.  Delaying the computation
until a content process is started removes that restriction.

Differential Revision: https://phabricator.services.mozilla.com/D81423
---
 .../sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp    | 3 ++-
 security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h | 7 ++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
index 8f0023bc6db5..23acef689108 100644
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -290,7 +290,7 @@ static void AddDynamicPathList(SandboxBroker::Policy* policy,
   }
 }
 
-SandboxBrokerPolicyFactory::SandboxBrokerPolicyFactory() {
+void SandboxBrokerPolicyFactory::InitContentPolicy() {
   // Policy entries that are the same in every process go here, and
   // are cached over the lifetime of the factory.
   SandboxBroker::Policy* policy = new SandboxBroker::Policy;
@@ -523,6 +523,7 @@ UniquePtr<SandboxBroker::Policy> SandboxBrokerPolicyFactory::GetContentPolicy(
     return nullptr;
   }
 
+  std::call_once(mContentInited, [this] { InitContentPolicy(); });
   MOZ_ASSERT(mCommonContentPolicy);
   UniquePtr<SandboxBroker::Policy> policy(
       new SandboxBroker::Policy(*mCommonContentPolicy));
diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h
index eaeae071b7c6..828ca7bd0aa9 100644
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h
@@ -9,11 +9,13 @@
 
 #include "mozilla/SandboxBroker.h"
 
+#include <mutex>
+
 namespace mozilla {
 
 class SandboxBrokerPolicyFactory {
  public:
-  SandboxBrokerPolicyFactory();
+  SandboxBrokerPolicyFactory() = default;
 
   UniquePtr<SandboxBroker::Policy> GetContentPolicy(int aPid,
                                                     bool aFileProcess);
@@ -23,6 +25,9 @@ class SandboxBrokerPolicyFactory {
 
  private:
   UniquePtr<const SandboxBroker::Policy> mCommonContentPolicy;
+  std::once_flag mContentInited;
+
+  void InitContentPolicy();
 };
 
 }  // namespace mozilla