Bug 1401062 - Avoid doing sandbox-related things to unsandboxed child processes. r=gcp

This is a small piece of cleanup that turned out to not be strictly
necessary for the rest of this, so I've made it a separate commit.

Sandbox-related launch adjustments (currently, interposing libc
functions and providing a file descriptor for the syscall reporter)
are no longer applied to processes that won't be sandboxed.  The
MOZ_SANDBOXED environment variable communicates this to the child
process, which allows SandboxEarlyInit to be skipped in that case as
well.  The idea is that disabling sandboxing for a process type, as part
of troubleshooting, should disable everything sandbox-related.

As a side-effect, this also skips some very minor but unnecessary
overhead for NPAPI process startup.

MozReview-Commit-ID: D0KxsRIIRN

--HG--
extra : rebase_source : 89836bea80d0a171324a8e3ff15c6b8e2a163ea9

security/sandbox/linux/Sandbox.cpp

@@ -476,6 +476,10 @@ static const Array<const char*, 1> kLibsThatWillCrash {
 
 void
 SandboxEarlyInit() {
+  if (PR_GetEnv("MOZ_SANDBOXED") == nullptr) {
+    return;
+  }
+
   // If TSYNC is not supported, set up signal handler
   // used to enable seccomp on each thread.
   if (!SandboxInfo::Get().Test(SandboxInfo::kHasSeccompTSync)) {

security/sandbox/linux/SandboxReporterClient.cpp

@@ -16,6 +16,7 @@
 
 #include "mozilla/Assertions.h"
 #include "mozilla/PodOperations.h"
+#include "prenv.h"
 #include "sandbox/linux/bpf_dsl/seccomp_macros.h"
 #ifdef ANDROID
 #include "sandbox/linux/system_headers/linux_ucontext.h"
@@ -37,6 +38,12 @@ SandboxReporterClient::SandboxReporterClient(SandboxReport::ProcType aProcType,
   // so it's probably okay to skip it here.
 }
 
+SandboxReporterClient::SandboxReporterClient(SandboxReport::ProcType aProcType)
+  : SandboxReporterClient(aProcType, kSandboxReporterFileDesc)
+{
+  MOZ_RELEASE_ASSERT(PR_GetEnv("MOZ_SANDBOXED") != nullptr);
+}
+
 SandboxReport
 SandboxReporterClient::MakeReport(const void* aContext)
 {

security/sandbox/linux/SandboxReporterClient.h

@@ -19,8 +19,11 @@ public:
   // Note: this does not take ownership of the file descriptor; if
   // it's not kSandboxReporterFileDesc (e.g., for unit testing), the
   // caller will need to close it to avoid leaks.
-  explicit SandboxReporterClient(SandboxReport::ProcType aProcType,
-                                 int aFd = kSandboxReporterFileDesc);
+  SandboxReporterClient(SandboxReport::ProcType aProcType, int aFd);
+
+  // This constructor uses the default fd (kSandboxReporterFileDesc)
+  // for a sandboxed child process.
+  explicit SandboxReporterClient(SandboxReport::ProcType aProcType);
 
   // Constructs a report from a signal context (the ucontext_t* passed
   // as void* to an sa_sigaction handler); uses the caller's pid and tid.

security/sandbox/linux/launch/SandboxLaunch.cpp

@@ -115,9 +115,6 @@ void
 SandboxLaunchPrepare(GeckoProcessType aType,
 		     base::LaunchOptions* aOptions)
 {
-  PreloadSandboxLib(&aOptions->env_map);
-  AttachSandboxReporter(&aOptions->fds_to_remap);
-
   auto info = SandboxInfo::Get();
 
   // We won't try any kind of sandboxing without seccomp-bpf.
@@ -131,6 +128,13 @@ SandboxLaunchPrepare(GeckoProcessType aType,
     return;
   }
 
+  // At this point, we know we'll be using sandboxing; generic
+  // sandboxing support goes here.  The MOZ_SANDBOXED env var tells
+  // the child process whether this is the case.
+  aOptions->env_map["MOZ_SANDBOXED"] = "1";
+  PreloadSandboxLib(&aOptions->env_map);
+  AttachSandboxReporter(&aOptions->fds_to_remap);
+
   // Anything below this requires unprivileged user namespaces.
   if (!info.Test(SandboxInfo::kHasUserNamespaces)) {
     return;