mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-28 23:31:56 +00:00
Bug 1602635 - [macOS] Remove security.sandbox.content.mac.earlyinit and the old sandbox startup code paths r=spohl
Remove old content sandbox code paths that allowed the sandbox to be started later during content process startup when the SetProcessSandbox() message was received from the parent process. This older way of starting the sandbox was still in the tree to support WebReplay which is now being removed. With this fix, content processes always use the "earlyinit" sandbox startup like the RDD and GMP processes. Differential Revision: https://phabricator.services.mozilla.com/D64968 --HG-- extra : moz-landing-system : lando
This commit is contained in:
Haik Aftandilian
parent
e5c3036681
commit
ce0541018a
@ -1048,10 +1048,6 @@ pref("dom.ipc.shims.enabledWarnings", false);
|
||||
#endif
|
||||
|
||||
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
|
||||
// Start the Mac sandbox early during child process startup instead
|
||||
// of when messaged by the parent after the message loop is running.
|
||||
pref("security.sandbox.content.mac.earlyinit", true);
|
||||
|
||||
// This pref is discussed in bug 1083344, the naming is inspired from its
|
||||
// Windows counterpart, but on Mac it's an integer which means:
|
||||
// 0 -> "no sandbox" (nightly only)
|
||||
|
||||
@ -1654,7 +1654,7 @@ extern "C" {
|
||||
CGError CGSSetDenyWindowServerConnections(bool);
|
||||
};
|
||||
|
||||
static bool StartMacOSContentSandbox() {
|
||||
static void DisconnectWindowServer(bool aIsSandboxEnabled) {
|
||||
// Close all current connections to the WindowServer. This ensures that the
|
||||
// Activity Monitor will not label the content process as "Not responding"
|
||||
// because it's not running a native event loop. See bug 1384336.
|
||||
@ -1665,15 +1665,11 @@ static bool StartMacOSContentSandbox() {
|
||||
// is called.
|
||||
CGSShutdownServerConnections();
|
||||
|
||||
int sandboxLevel = GetEffectiveContentSandboxLevel();
|
||||
if (sandboxLevel < 1) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Actual security benefits are only acheived when we additionally deny
|
||||
// future connections, however this currently breaks WebGL so it's not done
|
||||
// by default.
|
||||
if (Preferences::GetBool(
|
||||
if (aIsSandboxEnabled &&
|
||||
Preferences::GetBool(
|
||||
"security.sandbox.content.mac.disconnect-windowserver")) {
|
||||
CGError result = CGSSetDenyWindowServerConnections(true);
|
||||
MOZ_DIAGNOSTIC_ASSERT(result == kCGErrorSuccess);
|
||||
@ -1681,105 +1677,6 @@ static bool StartMacOSContentSandbox() {
|
||||
Unused << result;
|
||||
# endif
|
||||
}
|
||||
|
||||
// If the sandbox is already enabled, there's nothing more to do here.
|
||||
if (Preferences::GetBool("security.sandbox.content.mac.earlyinit")) {
|
||||
return true;
|
||||
}
|
||||
|
||||
nsAutoCString appPath;
|
||||
if (!nsMacUtilsImpl::GetAppPath(appPath)) {
|
||||
MOZ_CRASH("Error resolving child process app path");
|
||||
}
|
||||
|
||||
ContentChild* cc = ContentChild::GetSingleton();
|
||||
|
||||
nsresult rv;
|
||||
nsCOMPtr<nsIFile> profileDir;
|
||||
cc->GetProfileDir(getter_AddRefs(profileDir));
|
||||
nsCString profileDirPath;
|
||||
if (profileDir) {
|
||||
profileDir->Normalize();
|
||||
rv = profileDir->GetNativePath(profileDirPath);
|
||||
if (NS_FAILED(rv) || profileDirPath.IsEmpty()) {
|
||||
MOZ_CRASH("Failed to get profile path");
|
||||
}
|
||||
}
|
||||
|
||||
bool isFileProcess = cc->GetRemoteType().EqualsLiteral(FILE_REMOTE_TYPE);
|
||||
|
||||
MacSandboxInfo info;
|
||||
info.type = MacSandboxType_Content;
|
||||
info.level = sandboxLevel;
|
||||
info.hasFilePrivileges = isFileProcess;
|
||||
info.shouldLog = Preferences::GetBool("security.sandbox.logging.enabled") ||
|
||||
PR_GetEnv("MOZ_SANDBOX_LOGGING");
|
||||
info.appPath.assign(appPath.get());
|
||||
info.hasAudio = !StaticPrefs::media_cubeb_sandbox();
|
||||
info.hasWindowServer = !Preferences::GetBool(
|
||||
"security.sandbox.content.mac.disconnect-windowserver");
|
||||
|
||||
// These paths are used to allowlist certain directories used by the testing
|
||||
// system. They should not be considered a public API, and are only intended
|
||||
// for use in automation.
|
||||
nsAutoCString testingReadPath1;
|
||||
Preferences::GetCString("security.sandbox.content.mac.testing_read_path1",
|
||||
testingReadPath1);
|
||||
if (!testingReadPath1.IsEmpty()) {
|
||||
info.testingReadPath1.assign(testingReadPath1.get());
|
||||
}
|
||||
nsAutoCString testingReadPath2;
|
||||
Preferences::GetCString("security.sandbox.content.mac.testing_read_path2",
|
||||
testingReadPath2);
|
||||
if (!testingReadPath2.IsEmpty()) {
|
||||
info.testingReadPath2.assign(testingReadPath2.get());
|
||||
}
|
||||
|
||||
if (mozilla::IsDevelopmentBuild()) {
|
||||
nsCOMPtr<nsIFile> repoDir;
|
||||
rv = nsMacUtilsImpl::GetRepoDir(getter_AddRefs(repoDir));
|
||||
if (NS_FAILED(rv)) {
|
||||
MOZ_CRASH("Failed to get path to repo dir");
|
||||
}
|
||||
nsCString repoDirPath;
|
||||
Unused << repoDir->GetNativePath(repoDirPath);
|
||||
info.testingReadPath3.assign(repoDirPath.get());
|
||||
|
||||
nsCOMPtr<nsIFile> objDir;
|
||||
rv = nsMacUtilsImpl::GetObjDir(getter_AddRefs(objDir));
|
||||
if (NS_FAILED(rv)) {
|
||||
MOZ_CRASH("Failed to get path to build object dir");
|
||||
}
|
||||
|
||||
nsCString objDirPath;
|
||||
Unused << objDir->GetNativePath(objDirPath);
|
||||
info.testingReadPath4.assign(objDirPath.get());
|
||||
}
|
||||
|
||||
if (profileDir) {
|
||||
info.hasSandboxedProfile = true;
|
||||
info.profileDir.assign(profileDirPath.get());
|
||||
} else {
|
||||
info.hasSandboxedProfile = false;
|
||||
}
|
||||
|
||||
# ifdef DEBUG
|
||||
// For bloat/leak logging or when a content process dies intentionally
|
||||
// (|NoteIntentionalCrash|) for tests, it wants to log that it did this.
|
||||
// Allow writing to this location.
|
||||
nsAutoCString bloatLogDirPath;
|
||||
if (NS_SUCCEEDED(nsMacUtilsImpl::GetBloatLogDir(bloatLogDirPath))) {
|
||||
info.debugWriteDir = bloatLogDirPath.get();
|
||||
}
|
||||
# endif // DEBUG
|
||||
|
||||
std::string err;
|
||||
if (!mozilla::StartMacSandbox(info, err)) {
|
||||
NS_WARNING(err.c_str());
|
||||
MOZ_CRASH("sandbox_init() failed");
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -1817,7 +1714,8 @@ mozilla::ipc::IPCResult ContentChild::RecvSetProcessSandbox(
|
||||
# elif defined(XP_WIN)
|
||||
mozilla::SandboxTarget::Instance()->StartSandbox();
|
||||
# elif defined(XP_MACOSX)
|
||||
sandboxEnabled = StartMacOSContentSandbox();
|
||||
sandboxEnabled = (GetEffectiveContentSandboxLevel() >= 1);
|
||||
DisconnectWindowServer(sandboxEnabled);
|
||||
# endif
|
||||
|
||||
CrashReporter::AnnotateCrashReport(
|
||||
|
||||
@ -633,10 +633,6 @@ static const char* sObserverTopics[] = {
|
||||
NS_NETWORK_LINK_TYPE_TOPIC,
|
||||
};
|
||||
|
||||
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
|
||||
bool ContentParent::sEarlySandboxInit = false;
|
||||
#endif
|
||||
|
||||
// PreallocateProcess is called by the PreallocatedProcessManager.
|
||||
// ContentParent then takes this process back within GetNewOrUsedBrowserProcess.
|
||||
/*static*/ RefPtr<ContentParent::LaunchPromise>
|
||||
@ -2110,11 +2106,8 @@ bool ContentParent::BeginSubprocessLaunch(bool aIsSync,
|
||||
}
|
||||
|
||||
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
|
||||
bool sandboxEnabled = IsContentSandboxEnabled();
|
||||
if (sandboxEnabled && sEarlySandboxInit) {
|
||||
if (IsContentSandboxEnabled()) {
|
||||
AppendSandboxParams(extraArgs);
|
||||
}
|
||||
if (sandboxEnabled) {
|
||||
mSubprocess->DisableOSActivityMode();
|
||||
}
|
||||
#endif
|
||||
@ -2293,17 +2286,6 @@ ContentParent::ContentParent(ContentParent* aOpener,
|
||||
NS_ASSERTION(NS_IsMainThread(), "Wrong thread!");
|
||||
bool isFile = mRemoteType.EqualsLiteral(FILE_REMOTE_TYPE);
|
||||
mSubprocess = new GeckoChildProcessHost(GeckoProcessType_Content, isFile);
|
||||
|
||||
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
|
||||
// sEarlySandboxInit is statically initialized to false.
|
||||
// Once we've set it to true due to the pref, avoid checking the
|
||||
// pref on subsequent calls. As a result, changing the earlyinit
|
||||
// pref requires restarting the browser to take effect.
|
||||
if (!ContentParent::sEarlySandboxInit) {
|
||||
ContentParent::sEarlySandboxInit =
|
||||
Preferences::GetBool("security.sandbox.content.mac.earlyinit");
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
ContentParent::~ContentParent() {
|
||||
|
||||
@ -182,8 +182,7 @@ bool ContentProcess::Init(int aArgc, char* aArgv[]) {
|
||||
#if (defined(XP_MACOSX)) && defined(MOZ_SANDBOX)
|
||||
mContent.SetProfileDir(profileDir);
|
||||
# if defined(DEBUG)
|
||||
if (IsContentSandboxEnabled() &&
|
||||
Preferences::GetBool("security.sandbox.content.mac.earlyinit")) {
|
||||
if (IsContentSandboxEnabled()) {
|
||||
AssertMacSandboxEnabled();
|
||||
}
|
||||
# endif /* DEBUG */
|
||||
|
||||
@ -248,19 +248,14 @@ void RDDProcessHost::DestroyProcess() {
|
||||
}
|
||||
|
||||
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
|
||||
/* static */
|
||||
bool RDDProcessHost::StaticFillMacSandboxInfo(MacSandboxInfo& aInfo) {
|
||||
GeckoChildProcessHost::StaticFillMacSandboxInfo(aInfo);
|
||||
bool RDDProcessHost::FillMacSandboxInfo(MacSandboxInfo& aInfo) {
|
||||
GeckoChildProcessHost::FillMacSandboxInfo(aInfo);
|
||||
if (!aInfo.shouldLog && PR_GetEnv("MOZ_SANDBOX_RDD_LOGGING")) {
|
||||
aInfo.shouldLog = true;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
bool RDDProcessHost::FillMacSandboxInfo(MacSandboxInfo& aInfo) {
|
||||
return RDDProcessHost::StaticFillMacSandboxInfo(aInfo);
|
||||
}
|
||||
|
||||
/* static */
|
||||
MacSandboxType RDDProcessHost::GetMacSandboxType() {
|
||||
return GeckoChildProcessHost::GetDefaultMacSandboxType();
|
||||
|
||||
@ -96,11 +96,6 @@ class RDDProcessHost final : public mozilla::ipc::GeckoChildProcessHost {
|
||||
void KillProcess();
|
||||
|
||||
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
|
||||
// To allow filling a MacSandboxInfo from the child
|
||||
// process without an instance of RDDProcessHost.
|
||||
// Only needed for late-start sandbox enabling.
|
||||
static bool StaticFillMacSandboxInfo(MacSandboxInfo& aInfo);
|
||||
|
||||
// Return the sandbox type to be used with this process type.
|
||||
static MacSandboxType GetMacSandboxType();
|
||||
#endif
|
||||
|
||||
@ -1663,8 +1663,7 @@ bool GeckoChildProcessHost::AppendMacSandboxParams(StringVector& aArgs) {
|
||||
}
|
||||
|
||||
// Fill |aInfo| with the flags needed to launch the utility sandbox
|
||||
/* static */
|
||||
bool GeckoChildProcessHost::StaticFillMacSandboxInfo(MacSandboxInfo& aInfo) {
|
||||
bool GeckoChildProcessHost::FillMacSandboxInfo(MacSandboxInfo& aInfo) {
|
||||
aInfo.type = GetDefaultMacSandboxType();
|
||||
aInfo.shouldLog = Preferences::GetBool("security.sandbox.logging.enabled") ||
|
||||
PR_GetEnv("MOZ_SANDBOX_LOGGING");
|
||||
@ -1677,10 +1676,6 @@ bool GeckoChildProcessHost::StaticFillMacSandboxInfo(MacSandboxInfo& aInfo) {
|
||||
return true;
|
||||
}
|
||||
|
||||
bool GeckoChildProcessHost::FillMacSandboxInfo(MacSandboxInfo& aInfo) {
|
||||
return GeckoChildProcessHost::StaticFillMacSandboxInfo(aInfo);
|
||||
}
|
||||
|
||||
void GeckoChildProcessHost::DisableOSActivityMode() {
|
||||
mDisableOSActivityMode = true;
|
||||
}
|
||||
|
||||
@ -153,11 +153,6 @@ class GeckoChildProcessHost : public ChildProcessHost,
|
||||
void SetAlreadyDead();
|
||||
|
||||
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
|
||||
// To allow filling a MacSandboxInfo from the child
|
||||
// process without an instance of RDDProcessHost.
|
||||
// Only needed for late-start sandbox enabling.
|
||||
static bool StaticFillMacSandboxInfo(MacSandboxInfo& aInfo);
|
||||
|
||||
// Start the sandbox from the child process.
|
||||
static bool StartMacSandbox(int aArgc, char** aArgv,
|
||||
std::string& aErrorMessage);
|
||||
|
||||
@ -294,19 +294,14 @@ void SocketProcessHost::DestroyProcess() {
|
||||
}
|
||||
|
||||
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
|
||||
/* static */
|
||||
bool SocketProcessHost::StaticFillMacSandboxInfo(MacSandboxInfo& aInfo) {
|
||||
GeckoChildProcessHost::StaticFillMacSandboxInfo(aInfo);
|
||||
bool SocketProcessHost::FillMacSandboxInfo(MacSandboxInfo& aInfo) {
|
||||
GeckoChildProcessHost::FillMacSandboxInfo(aInfo);
|
||||
if (!aInfo.shouldLog && PR_GetEnv("MOZ_SANDBOX_SOCKET_PROCESS_LOGGING")) {
|
||||
aInfo.shouldLog = true;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
bool SocketProcessHost::FillMacSandboxInfo(MacSandboxInfo& aInfo) {
|
||||
return SocketProcessHost::StaticFillMacSandboxInfo(aInfo);
|
||||
}
|
||||
|
||||
/* static */
|
||||
MacSandboxType SocketProcessHost::GetMacSandboxType() {
|
||||
return MacSandboxType_Socket;
|
||||
|
||||
@ -78,8 +78,6 @@ class SocketProcessHost final : public mozilla::ipc::GeckoChildProcessHost {
|
||||
void OnChannelError() override;
|
||||
|
||||
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
|
||||
static bool StaticFillMacSandboxInfo(MacSandboxInfo& aInfo);
|
||||
|
||||
// Return the sandbox type to be used with this process type.
|
||||
static MacSandboxType GetMacSandboxType();
|
||||
#endif
|
||||
|
||||
Loading…
Reference in New Issue
Block a user