Bug 1401062 - Avoid doing sandbox-related things to unsandboxed child processes. r=gcp
This is a small piece of cleanup that turned out to not be strictly necessary for the rest of this, so I've made it a separate commit. Sandbox-related launch adjustments (currently, interposing libc functions and providing a file descriptor for the syscall reporter) are no longer applied to processes that won't be sandboxed. The MOZ_SANDBOXED environment variable communicates this to the child process, which allows SandboxEarlyInit to be skipped in that case as well. The idea is that disabling sandboxing for a process type, as part of troubleshooting, should disable everything sandbox-related. As a side-effect, this also skips some very minor but unnecessary overhead for NPAPI process startup. MozReview-Commit-ID: D0KxsRIIRN --HG-- extra : rebase_source : 89836bea80d0a171324a8e3ff15c6b8e2a163ea9
This commit is contained in:
parent
6cc01043ce
commit
bba4ea8274
@ -476,6 +476,10 @@ static const Array<const char*, 1> kLibsThatWillCrash {
|
||||
|
||||
void
|
||||
SandboxEarlyInit() {
|
||||
if (PR_GetEnv("MOZ_SANDBOXED") == nullptr) {
|
||||
return;
|
||||
}
|
||||
|
||||
// If TSYNC is not supported, set up signal handler
|
||||
// used to enable seccomp on each thread.
|
||||
if (!SandboxInfo::Get().Test(SandboxInfo::kHasSeccompTSync)) {
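Review bot: The new early return tests only that MOZ_SANDBOXED is present, not its value, so a process whose environment happens to contain `MOZ_SANDBOXED=0` (or an empty string) still runs the full early init, while the parent only ever writes "1". If child environments are built as an overlay on the parent's environment, as env_map-style launch options usually are, a variable inherited from the user's shell would also make a deliberately unsandboxed child take this path; comparing the value would close both gaps: `const char* sandboxed = PR_GetEnv("MOZ_SANDBOXED");` / `if (!sandboxed || strcmp(sandboxed, "1") != 0) {`. Either way the contract deserves a comment at the check, e.g. `// Set to "1" by SandboxLaunchPrepare only for children that will be sandboxed; any other process (including when sandboxing is disabled for troubleshooting) skips all early setup.` The rest of SandboxEarlyInit lies outside the hunk.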
|
||||
|
@ -16,6 +16,7 @@
|
||||
|
||||
#include "mozilla/Assertions.h"
|
||||
#include "mozilla/PodOperations.h"
|
||||
#include "prenv.h"
|
||||
#include "sandbox/linux/bpf_dsl/seccomp_macros.h"
|
||||
#ifdef ANDROID
|
||||
#include "sandbox/linux/system_headers/linux_ucontext.h"
|
||||
@ -37,6 +38,12 @@ SandboxReporterClient::SandboxReporterClient(SandboxReport::ProcType aProcType,
|
||||
// so it's probably okay to skip it here.
|
||||
}
|
||||
|
||||
SandboxReporterClient::SandboxReporterClient(SandboxReport::ProcType aProcType)
|
||||
: SandboxReporterClient(aProcType, kSandboxReporterFileDesc)
|
||||
{
|
||||
MOZ_RELEASE_ASSERT(PR_GetEnv("MOZ_SANDBOXED") != nullptr);
|
||||
}
|
||||
|
||||
SandboxReport
|
||||
SandboxReporterClient::MakeReport(const void* aContext)
|
||||
{
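Review bot: The release assertion on MOZ_SANDBOXED is a proxy for "AttachSandboxReporter remapped kSandboxReporterFileDesc into this process", and the two can diverge: if the variable reaches the child by inheritance rather than from SandboxLaunchPrepare, the assertion passes but the reporter fd was never attached, and reports would go to whatever descriptor happens to occupy that number. The first constructor's comment ("so it's probably okay to skip it here", visible just above) suggests some fd validation was already considered and dropped; for the default-fd constructor it is worth keeping a cheap one alongside the env check, e.g. `MOZ_RELEASE_ASSERT(fcntl(kSandboxReporterFileDesc, F_GETFD) != -1);`, hedged on whether fcntl is already in scope here. A one-line comment should also say why the env var is asserted: `// Only sandboxed children have the reporter fd remapped; constructing this elsewhere is a bug.`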
|
||||
|
@ -19,8 +19,11 @@ public:
|
||||
// Note: this does not take ownership of the file descriptor; if
|
||||
// it's not kSandboxReporterFileDesc (e.g., for unit testing), the
|
||||
// caller will need to close it to avoid leaks.
|
||||
explicit SandboxReporterClient(SandboxReport::ProcType aProcType,
|
||||
int aFd = kSandboxReporterFileDesc);
|
||||
SandboxReporterClient(SandboxReport::ProcType aProcType, int aFd);
|
||||
|
||||
// This constructor uses the default fd (kSandboxReporterFileDesc)
|
||||
// for a sandboxed child process.
|
||||
explicit SandboxReporterClient(SandboxReport::ProcType aProcType);
|
||||
|
||||
// Constructs a report from a signal context (the ucontext_t* passed
|
||||
// as void* to an sa_sigaction handler); uses the caller's pid and tid.
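Review bot: The comment on the new single-argument constructor says it uses the default fd but not that it release-asserts MOZ_SANDBOXED, which is the property a caller actually has to honour: constructing it in any process that was not launched through the sandboxed path aborts. I would extend the comment to `// for a sandboxed child process. Release-asserts that MOZ_SANDBOXED is set, i.e. that the parent attached the reporter fd; do not use from unsandboxed processes or tests.` Note too that the two-argument constructor lost its `explicit` in the rewrite; harmless for a two-parameter constructor, but worth a glance if a default argument is ever reintroduced.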
|
||||
|
@ -115,9 +115,6 @@ void
|
||||
SandboxLaunchPrepare(GeckoProcessType aType,
|
||||
base::LaunchOptions* aOptions)
|
||||
{
|
||||
PreloadSandboxLib(&aOptions->env_map);
|
||||
AttachSandboxReporter(&aOptions->fds_to_remap);
|
||||
|
||||
auto info = SandboxInfo::Get();
|
||||
|
||||
// We won't try any kind of sandboxing without seccomp-bpf.
|
||||
@ -131,6 +128,13 @@ SandboxLaunchPrepare(GeckoProcessType aType,
|
||||
return;
|
||||
}
|
||||
|
||||
// At this point, we know we'll be using sandboxing; generic
|
||||
// sandboxing support goes here. The MOZ_SANDBOXED env var tells
|
||||
// the child process whether this is the case.
|
||||
aOptions->env_map["MOZ_SANDBOXED"] = "1";
|
||||
PreloadSandboxLib(&aOptions->env_map);
|
||||
AttachSandboxReporter(&aOptions->fds_to_remap);
|
||||
|
||||
// Anything below this requires unprivileged user namespaces.
|
||||
if (!info.Test(SandboxInfo::kHasUserNamespaces)) {
|
||||
return;
|
||||
|