Bug 1365257 - Further consolidate the configuration of the content sandbox; r=gcp

This patch moves handling of the "MOZ_DISABLE_CONTENT_SANDBOX" environment
variable into GetEffectiveContentSandboxLevel. It also introduces
IsContentSandboxEnabled and ports many users of GetEffectiveContentSandboxLevel
to use it.

MozReview-Commit-ID: 4CsOf89vlRB

--HG--
extra : rebase_source : b9130f522e860e6a582933799a9bac07b771139b

dom/ipc/ContentParent.cpp

@@ -2384,8 +2384,7 @@ ContentParent::InitInternal(ProcessPriority aInitialPriority,
   // purpose. If the decision is made to permanently rely on the pref, this
   // should be changed so that it is required to restart firefox for the change
   // of value to take effect.
-  shouldSandbox = (GetEffectiveContentSandboxLevel() > 0) &&
-    !PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX");
+  shouldSandbox = IsContentSandboxEnabled();
 
 #ifdef XP_LINUX
   if (shouldSandbox) {

dom/ipc/ContentProcess.cpp

@@ -28,14 +28,6 @@ namespace mozilla {
 namespace dom {
 
 #if defined(XP_WIN) && defined(MOZ_CONTENT_SANDBOX)
-static bool
-IsSandboxTempDirRequired()
-{
-  // On Windows, a sandbox-writable temp directory is only used
-  // when sandbox pref level >= 1.
-  return GetEffectiveContentSandboxLevel() >= 1;
-}
-
 static void
 SetTmpEnvironmentVariable(nsIFile* aValue)
 {
@@ -55,13 +47,6 @@ SetTmpEnvironmentVariable(nsIFile* aValue)
 #endif
 
 #if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
-static bool
-IsSandboxTempDirRequired()
-{
-  // On OSX, use the sandbox-writable temp when the pref level >= 1.
-  return (GetEffectiveContentSandboxLevel() >= 1);
-}
-
 static void
 SetTmpEnvironmentVariable(nsIFile* aValue)
 {
@@ -81,7 +66,9 @@ SetUpSandboxEnvironment()
   MOZ_ASSERT(nsDirectoryService::gService,
     "SetUpSandboxEnvironment relies on nsDirectoryService being initialized");
 
-  if (!IsSandboxTempDirRequired()) {
+  // On macOS and Windows, a sandbox-writable temp directory is used whenever
+  // the sandbox is enabled.
+  if (!IsContentSandboxEnabled()) {
     return;
   }
 

ipc/glue/GeckoChildProcessHost.cpp

@@ -950,8 +950,7 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
   switch (mProcessType) {
     case GeckoProcessType_Content:
 #  if defined(MOZ_CONTENT_SANDBOX)
-      if (mSandboxLevel > 0 &&
-          !PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
+      if (mSandboxLevel > 0) {
         // For now we treat every failure as fatal in SetSecurityLevelForContentProcess
         // and just crash there right away. Should this change in the future then we
         // should also handle the error here.

security/sandbox/common/SandboxSettings.cpp

@@ -9,9 +9,14 @@
 #include "mozilla/ModuleUtils.h"
 #include "mozilla/Preferences.h"
 
+#include "prenv.h"
+
 namespace mozilla {
 
 int GetEffectiveContentSandboxLevel() {
+  if (PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
+    return 0;
+  }
   int level = Preferences::GetInt("security.sandbox.content.level");
 // On Windows and macOS, enforce a minimum content sandbox level of 1 (except on
 // Nightly, where it can be set to 0).
@@ -23,6 +28,10 @@ int GetEffectiveContentSandboxLevel() {
   return level;
 }
 
+bool IsContentSandboxEnabled() {
+  return GetEffectiveContentSandboxLevel() > 0;
+}
+
 class SandboxSettings final : public mozISandboxSettings
 {
 public:

security/sandbox/common/SandboxSettings.h

@@ -10,8 +10,12 @@ namespace mozilla {
 
 // Return the current sandbox level. This is the
 // "security.sandbox.content.level" preference, but rounded up to the current
-// minimum allowed level.
+// minimum allowed level. Returns 0 (disabled) if the env var
+// MOZ_DISABLE_CONTENT_SANDBOX is set.
 int GetEffectiveContentSandboxLevel();
 
+// Checks whether the effective content sandbox level is > 0.
+bool IsContentSandboxEnabled();
+
 }
 #endif // mozilla_SandboxPolicies_h

security/sandbox/linux/Sandbox.h

@@ -22,7 +22,7 @@ MOZ_EXPORT void SandboxEarlyInit(GeckoProcessType aType);
 
 #ifdef MOZ_CONTENT_SANDBOX
 // Call only if SandboxInfo::CanSandboxContent() returns true.
-// (No-op if MOZ_DISABLE_CONTENT_SANDBOX is set.)
+// (No-op if the sandbox is disabled.)
 // aBrokerFd is the filesystem broker client file descriptor,
 // or -1 to allow direct filesystem access.
 // isFileProcess determines whether we allow system wide file reads.

security/sandbox/linux/SandboxInfo.cpp

@@ -19,6 +19,7 @@
 #include "base/posix/eintr_wrapper.h"
 #include "mozilla/Assertions.h"
 #include "mozilla/ArrayUtils.h"
+#include "mozilla/SandboxSettings.h"
 #include "sandbox/linux/system_headers/linux_seccomp.h"
 #include "sandbox/linux/system_headers/linux_syscalls.h"
 
@@ -226,6 +227,9 @@ SandboxInfo::SandboxInfo() {
   }
 
 #ifdef MOZ_CONTENT_SANDBOX
+  // We can't use mozilla::IsContentSandboxEnabled() here because a)
+  // libmozsandbox can't depend on libxul, and b) this is called in a static
+  // initializer before the prefences service is ready.
   if (!getenv("MOZ_DISABLE_CONTENT_SANDBOX")) {
     flags |= kEnabledForContent;
   }

security/sandbox/linux/SandboxInfo.h

@@ -25,7 +25,8 @@ public:
   enum Flags {
     // System call filtering; kernel config option CONFIG_SECCOMP_FILTER.
     kHasSeccompBPF     = 1 << 0,
-    // Config flag MOZ_CONTENT_SANDBOX; env var MOZ_DISABLE_CONTENT_SANDBOX.
+    // Config flag MOZ_CONTENT_SANDBOX; runtime
+    // mozilla::IsContentSandboxEnabled().
     kEnabledForContent = 1 << 1,
     // Config flag MOZ_GMP_SANDBOX; env var MOZ_DISABLE_GMP_SANDBOX.
     kEnabledForMedia   = 1 << 2,

security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp

@@ -403,7 +403,7 @@ SandboxBrokerPolicyFactory::GetContentPolicy(int aPid, bool aFileProcess)
 
   MOZ_ASSERT(NS_IsMainThread());
   // File broker usage is controlled through a pref.
-  if (GetEffectiveContentSandboxLevel() <= 1) {
+  if (!IsContentSandboxEnabled()) {
     return nullptr;
   }
 

toolkit/xre/nsXREDirProvider.cpp

@@ -710,7 +710,7 @@ nsXREDirProvider::LoadContentProcessTempDir()
 static bool
 IsContentSandboxDisabled()
 {
-  return !BrowserTabsRemoteAutostart() || (GetEffectiveContentSandboxLevel() < 1);
+  return !BrowserTabsRemoteAutostart() || (!IsContentSandboxEnabled());
 }
 
 //