Commit Graph

1458 Commits

Author SHA1 Message Date
Simon Giesecke
6ae9169f08 Bug 1698098 - Make use of nsBaseHashtable::Clone. r=xpcom-reviewers,mccr8
Differential Revision: https://phabricator.services.mozilla.com/D107617
2021-03-19 09:01:46 +00:00
Simon Giesecke
b9621d6376 Bug 1695162 - Use range-based for instead of custom hashtable iterators. r=xpcom-reviewers,kmag
Differential Revision: https://phabricator.services.mozilla.com/D108585
2021-03-17 15:49:46 +00:00
Jed Davis
8262eb0e29 Bug 1690921 - Detect socket syscalls only once per process when building Linux sandbox policies. r=gcp
The function to detect whether the kernel has separate syscalls for
socket operations (rather than only `socketcall`) had a comment that
it's called only once, which is no longer true.  So, this seems like a
good time to add a cache (but not on newer archs like `x86_64` where the
answer is constant).

This patch also removes the ifdefs on `__NR_socket`, because all archs
have it now, and our local headers will define it even if the build
host's headers don't.

Differential Revision: https://phabricator.services.mozilla.com/D105853
2021-03-12 21:12:11 +00:00
Jed Davis
2d6db34852 Bug 1690921 - Limit IPC sendmsg gather list sizes based on socket buffer capacity. r=mccr8,gcp
When setting up calls to `sendmsg` for IPC on Unix systems, we generate
`iovec`s for the entire message or until the `IOV_MAX` limit is reached,
whichever comes first.  However, messages can be very large (up to 256
MiB currently), while the OS socket buffer is relatively small (8KiB on
macOS and FreeBSD, ~200KiB on Linux).

This patch detects the socket buffer size with the `SO_SNDBUF` socket
option and cuts off the `iovec` array after it's reached; it also adjusts
the Linux sandbox policy to allow reading that value in all processes.

On my test machines this increases throughput on large messages by about
2.5x on macOS (from ~0.3 to ~0.7 GB/s), but on Linux the improvement is
only about 5% (most of the running time is spent elsewhere).

Differential Revision: https://phabricator.services.mozilla.com/D105852
2021-03-12 21:12:10 +00:00
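The gather-list cut-off described in the commit message, as an added example (this is not Firefox's `ipc_channel_posix.cc` code): the function queries `SO_SNDBUF`, then builds an `iovec` array that stops at `IOV_MAX` or once the queued bytes reach the buffer size, whichever comes first. The segment chain, the helper names (`build_gather_list`, `socket_send_buffer`, `demo_gather`) and the choice to keep the entry that crosses the budget are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#ifndef IOV_MAX
#define IOV_MAX 1024 /* Linux's value, used if <limits.h> does not expose it */
#endif

/* One piece of a message; a message is a singly linked chain of these.
 * (Name and layout are this example's own, not Firefox's.) */
struct segment {
    const uint8_t *data;
    size_t len;
    const struct segment *next;
};

/* Ask the kernel how much it will buffer for this socket (SO_SNDBUF).
 * Returns 0 if the query fails; build_gather_list treats 0 as "no limit".
 * In a seccomp-bpf sandbox this getsockopt must be allowed by the policy. */
size_t socket_send_buffer(int fd) {
    int sndbuf = 0;
    socklen_t optlen = sizeof sndbuf;
    if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, &optlen) != 0 || sndbuf <= 0)
        return 0;
    return (size_t)sndbuf;
}

/* Fill iov[] from the chain starting at seg.  Stops at max_iov entries, or as
 * soon as the queued bytes reach budget (the entry that crosses the budget is
 * kept: sendmsg does a short write and the caller resumes from the unsent
 * offset).  budget == 0 means no byte limit, i.e. the pre-patch behaviour.
 * Returns the number of iovecs written; stores their byte total in *bytes. */
size_t build_gather_list(const struct segment *seg, struct iovec *iov,
                         size_t max_iov, size_t budget, size_t *bytes) {
    size_t n = 0, total = 0;
    for (; seg != NULL && n < max_iov; seg = seg->next) {
        if (seg->len == 0) continue;          /* nothing to send for this piece */
        iov[n].iov_base = (void *)seg->data;
        iov[n].iov_len = seg->len;
        n++;
        total += seg->len;
        if (budget != 0 && total >= budget) break;
    }
    if (bytes) *bytes = total;
    return n;
}

/* Constructed input for the demo: a 3 x 4096-byte message (not real IPC data). */
static uint8_t demo_payload[3][4096];
static const struct segment demo_segs[3] = {
    { demo_payload[0], 4096, &demo_segs[1] },
    { demo_payload[1], 4096, &demo_segs[2] },
    { demo_payload[2], 4096, NULL },
};

/* Build the gather list for the constructed message under a given budget. */
size_t demo_gather(size_t budget, size_t max_iov, size_t *bytes) {
    struct iovec iov[IOV_MAX];
    return build_gather_list(&demo_segs[0], iov, max_iov, budget, bytes);
}

int main(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) {
        perror("socketpair");
        return 1;
    }
    memset(demo_payload, 'x', sizeof demo_payload);
    size_t sndbuf = socket_send_buffer(sv[0]);

    struct iovec iov[IOV_MAX];
    size_t bytes = 0;
    size_t n = build_gather_list(&demo_segs[0], iov, IOV_MAX, sndbuf, &bytes);

    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = iov;
    msg.msg_iovlen = n;
    ssize_t sent = sendmsg(sv[0], &msg, MSG_DONTWAIT);
    printf("SO_SNDBUF=%zu: queued %zu iovec(s) covering %zu bytes, sendmsg wrote %zd\n",
           sndbuf, n, bytes, sent);
    close(sv[0]);
    close(sv[1]);
    return sent < 0 ? 1 : 0;
}
```

The value reported by `SO_SNDBUF` on Linux is the doubled figure the kernel keeps for bookkeeping, so the cut-off is conservative rather than exact; the point is only to stop handing the kernel hundreds of `iovec`s it will not consume in one call.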
Jan Alexander Steffens (heftig)
4920407bb3 Bug 1696845 - Use dlsym for gdk_*_display_get_type. r=stransky
Using `dlsym` for `gdk_wayland_display_get_type` is a cleaner solution
to bug 1696319, allowing running with a GTK that lacks the Wayland
backend.

Also adds a symmetric implementation for `gdk_x11_display_get_type`,
which should help running without X11.

Differential Revision: https://phabricator.services.mozilla.com/D107406
2021-03-11 14:32:53 +00:00
Bryce Seager van Dyk
c7fc3894ed Bug 1694450 - Return Error(ENOSYS) for unsupported madvise args in the GMP process. r=jld
Because Widevine may probe madvise using advice arguments we do not currently
support, including invalid arguments, this patch changes the handling of these
args so we will not crash in nightly.

Differential Revision: https://phabricator.services.mozilla.com/D106537
2021-03-10 20:58:44 +00:00
Simon Giesecke
ad01a10a3b Bug 1634281 - Use nsTHashMap instead of nsDataHashtable. r=xpcom-reviewers,necko-reviewers,jgilbert,nika,valentin
Note that this patch only transforms the use of the nsDataHashtable type alias
to a directly equivalent use of nsTHashMap. It does not change the specification
of the hash key type to make use of the key class deduction that nsTHashMap
allows for in some cases. That can be done in a separate step, but requires more
attention.

Differential Revision: https://phabricator.services.mozilla.com/D106008
2021-03-10 10:47:47 +00:00
Simon Giesecke
eefee48405 Bug 1693541 - Improve uses of nsBaseHashtable and descendants and avoid multiple subsequent lookups in security/sandbox/linux/broker. r=jld
Differential Revision: https://phabricator.services.mozilla.com/D106116
2021-03-10 10:37:05 +00:00
Narcis Beleuzu
198358fc15 Backed out changeset a4f4f640eaa7 (bug 1696845) for bustages on pangofc-fontmap.h
2021-03-10 04:49:51 +02:00
Jan Alexander Steffens (heftig)
1261a74d17 Bug 1696845 - Use dlsym for gdk_*_display_get_type. r=stransky
Using `dlsym` for `gdk_wayland_display_get_type` is a cleaner solution
to bug 1696319, allowing running with a GTK that lacks the Wayland
backend.

Also adds a symmetric implementation for `gdk_x11_display_get_type`,
which should help running without X11.

Differential Revision: https://phabricator.services.mozilla.com/D107406
2021-03-09 22:55:47 +00:00
Bob Owen
0066fab260 Bug 1570460: Add fonts path and named pipe creation to windows content process sandbox policy. r=handyman
These are needed for USER_LOCKDOWN access token level and untrusted integrity.

Differential Revision: https://phabricator.services.mozilla.com/D107464
2021-03-09 08:34:07 +00:00
Simon Giesecke
9af107a839 Bug 1691913 - Rename nsBaseHashtable::Put to InsertOrUpdate. r=xpcom-reviewers,necko-reviewers,jgilbert,dragana,nika
This makes the naming more consistent with other functions called
Insert and/or Update. Also, it removes the ambiguity whether
Put expects that an entry already exists or not, in particular because
it differed from nsTHashtable::PutEntry in that regard.

Differential Revision: https://phabricator.services.mozilla.com/D105473
2021-02-26 09:11:46 +00:00
Haik Aftandilian
8a14bd779c Bug 1692220 - Add a test to ensure the com.apple.FontRegistry dir is readable from content processes r=jfkthame
Differential Revision: https://phabricator.services.mozilla.com/D105822
2021-02-19 21:57:00 +00:00
Jonathan Kew
6a82712eab Bug 1692220 - Allow content-process read access to libFontRegistry caches. r=haik
Differential Revision: https://phabricator.services.mozilla.com/D105801
2021-02-19 21:56:59 +00:00
Alexis Beingessner
ade0725530 Bug 1686616 - make GfxInfo use Components instead of Services. r=kmag
Differential Revision: https://phabricator.services.mozilla.com/D105522
2021-02-18 13:26:29 +00:00
Michael Goossens
0747b8564f Bug 1649590 - Convert XPIProvider.jsm to use IOUtils r=emalysz,mixedpuppy,barret,gcp
Differential Revision: https://phabricator.services.mozilla.com/D97354
2021-02-10 02:46:04 +00:00
Csoregi Natalia
cc417af149 Backed out changeset ee49da8ea890 (bug 1649590) for failures on browser_content_sandbox_fs.js. CLOSED TREE
2021-02-05 04:21:45 +02:00
Michael Goossens
1fa798a7eb Bug 1649590 - Convert XPIProvider.jsm to use IOUtils r=emalysz,mixedpuppy,barret,gcp
Differential Revision: https://phabricator.services.mozilla.com/D97354
2021-02-04 23:08:01 +00:00
Bob Owen
4967e1cddf Bug 1689398 p2: Add prefs to allow CET Strict Mode to be turned on for each sandboxed child process. r=handyman
Differential Revision: https://phabricator.services.mozilla.com/D103474
2021-01-31 16:47:11 +00:00
Bob Owen
cc73dd0338 Bug 1689398 p1: Add MITIGATION_CET_STRICT_MODE to chromium sandbox code. r=handyman
The patch for the chromium changes doesn't include the updates to
windows_version, because these are already in the release version of chromium
and so will be picked up when we next update.

Differential Revision: https://phabricator.services.mozilla.com/D103473
2021-01-31 16:46:48 +00:00
Geoff Lankow
610cbaea58 Bug 1667294 - Skip parts of SandboxBroker::LaunchApp when launching a Thunderbird process. r=tkikuchi
Thunderbird does not yet have the same blocklist initialization as Firefox, so we skip calling InitDllBlocklistOOP to avoid a MOZ_RELEASE_ASSERT.

Differential Revision: https://phabricator.services.mozilla.com/D99173
2021-01-19 22:33:02 +00:00
Toshihito Kikuchi
7545ed9378 Bug 1684532 - Detect injected dependent modules in NtMapViewOfSection. r=mhowell
This patch is to improve the way to detect an injected dependent module for
automatic DLL blocking (bug 1659438).

In the previous version, we created a list of dependent modules in the launcher
process and shared it with other processes via the shared section.  However, it
was not compatible with third-party applications that tamper with the Import Table and
revert it in the injected module's DllMain (bug 1682834) because we parsed the
Import Table in the launcher process after it was reverted.

With this patch, we check the Import Table in `patched_NtMapViewOfSection`,
so we can see tampering before it's reverted.  More specifically, we create
a list of dependent modules in the browser process as below.

1. The launcher process creates a section object and initializes
   the kernel32.dll's functions in it.

2. The launcher process transfers a writable handle of the shared
   section to the browser process.

3. In the browser process, if an injected dependent module is being
   mapped by `NtMapViewOfSection`, we add its NT path to the shared
   section and block it with `REDIRECT_TO_NOOP_ENTRYPOINT`.

4. The `main` function of the browser process converts the writable
   handle of the shared section into a readonly handle.

5. The browser process transfers a readonly handle of the shared
   section to a sandbox process.

Since automatic DLL blocking may still cause a compat issue like bug 1682304,
we activate it only in Nightly for now.

Differential Revision: https://phabricator.services.mozilla.com/D101460
2021-01-13 15:13:18 +00:00
smolnar
0b57365558 Backed out changeset 48a0fcaf46b8 (bug 1684532) for causing gtest perma failure. CLOSED TREE
2021-01-13 11:49:37 +02:00
Toshihito Kikuchi
b27dd298e9 Bug 1684532 - Detect injected dependent modules in NtMapViewOfSection. r=mhowell
This patch is to improve the way to detect an injected dependent module for
automatic DLL blocking (bug 1659438).

In the previous version, we created a list of dependent modules in the launcher
process and shared it with other processes via the shared section.  However, it
was not compatible with third-party applications that tamper with the Import Table and
revert it in the injected module's DllMain (bug 1682834) because we parsed the
Import Table in the launcher process after it was reverted.

With this patch, we check the Import Table in `patched_NtMapViewOfSection`,
so we can see tampering before it's reverted.  More specifically, we create
a list of dependent modules in the browser process as below.

1. The launcher process creates a section object and initializes
   the kernel32.dll's functions in it.

2. The launcher process transfers a writable handle of the shared
   section to the browser process.

3. In the browser process, if an injected dependent module is being
   mapped by `NtMapViewOfSection`, we add its NT path to the shared
   section and block it with `REDIRECT_TO_NOOP_ENTRYPOINT`.

4. The `main` function of the browser process converts the writable
   handle of the shared section into a readonly handle.

5. The browser process transfers a readonly handle of the shared
   section to a sandbox process.

Since automatic DLL blocking may still cause a compat issue like bug 1682304,
we activate it only in Nightly for now.

Differential Revision: https://phabricator.services.mozilla.com/D101460
2021-01-13 08:38:16 +00:00
Paul Adenot
b8fa268285 Bug 1205985 - Implement something to get the process uptime with and without the time the device was suspended. r=haik,dmajor,jld
Differential Revision: https://phabricator.services.mozilla.com/D99138
2021-01-12 12:34:59 +00:00
Mihai Alexandru Michis
f12a97c159 Backed out 3 changesets (bug 1205985) for causing xpcshell failures in test_TelemetrySession.js
CLOSED TREE

Backed out changeset f82f5070bee5 (bug 1205985)
Backed out changeset 89b03879ce7d (bug 1205985)
Backed out changeset 9ba60febbcf8 (bug 1205985)
2021-01-11 13:44:23 +02:00
Paul Adenot
57e6014622 Bug 1205985 - Implement something to get the process uptime with and without the time the device was suspended. r=haik,dmajor,jld
Differential Revision: https://phabricator.services.mozilla.com/D99138
2021-01-11 10:05:29 +00:00
Gerald Squelart
a82ad0bb16 Bug 1329600 - Capture CPU usage on Linux - r=canaltinova,gcp
Differential Revision: https://phabricator.services.mozilla.com/D99416
2021-01-04 11:37:46 +00:00
Jed Davis
145e038874 Bug 1678174 - Add remaining time64 syscalls to the Linux sandboxes. r=gcp
32-bit Linux architectures have gained new versions of every system
call handling time values, to allow a transition to 64-bit time_t that
will continue to work after the year 2038; newer versions of glibc will
attempt them and fall back to the 32-bit path (without caching the
failure, so at best we take the overhead of handling SIGSYS).

This patch allows time64 syscalls in the same cases where we allow their
time32 versions, including the restrictions on clockid_t to prevent
interacting with other processes or threads of other processes.  (I've
confirmed that the argument types match otherwise, so it's safe to reuse
the same policies.)

Differential Revision: https://phabricator.services.mozilla.com/D98693
2020-12-08 01:02:18 +00:00
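The `clockid_t` restriction the commit message reuses for the time64 variants, as an added example (not Firefox's `SandboxFilter.cc`): a predicate that gates `clock_gettime`, `clock_gettime64`, `clock_nanosleep` and friends on their first argument. The bit layout of dynamic clock IDs (upper bits hold `~pid` or `~tid`, bit 2 marks a per-thread clock, bits 1..0 select the clock kind, with 3 meaning an fd-based clock) is Linux's; the allowlist of static clocks, the `/proc/self/task` lookup for thread clocks and the helper names are this example's assumptions. A pure BPF program can only compare the raw bits, so a lookup like the `/proc` check would live in a SIGSYS trap handler.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

/* Linux clockid_t layout for dynamic (negative) clocks, per the kernel's
 * include/linux/posix-timers.h: bits 31..3 hold ~pid (or ~tid), bit 2 marks a
 * per-thread clock, bits 1..0 select PROF (0) / VIRT (1) / SCHED (2); 3 in the
 * low bits means an fd-based clock.  Non-negative values are static clocks
 * such as CLOCK_REALTIME.  These helpers are this example's reimplementation. */
enum { CPUCLOCK_SCHED = 2, CLOCKFD = 3, PERTHREAD_BIT = 4 };

clockid_t make_cpuclock(pid_t id, int which, bool per_thread) {
    uint32_t bits = (~(uint32_t)id) << 3;
    bits |= (uint32_t)which | (per_thread ? (uint32_t)PERTHREAD_BIT : 0u);
    return (clockid_t)bits;     /* wraps to the negative clockid the kernel expects */
}

pid_t cpuclock_id(clockid_t c)        { return (pid_t)~(c >> 3); }
bool  cpuclock_per_thread(clockid_t c){ return (c & PERTHREAD_BIT) != 0; }
int   cpuclock_which(clockid_t c)     { return (int)(c & 3); }

/* Does tid belong to the calling process?  /proc/self/task lists exactly the
 * caller's threads, so stat() on that entry answers without any privilege. */
static bool tid_is_ours(pid_t tid) {
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/self/task/%ld", (long)tid);
    return stat(path, &st) == 0;
}

/* The policy predicate, shared by the time32 and time64 syscalls.  `self` is a
 * parameter so the decision can be tested without depending on the live pid. */
bool clockid_allowed(clockid_t c, pid_t self) {
    if (c >= 0) {
        switch (c) {                    /* static clocks: allowlist (example's choice) */
            case CLOCK_REALTIME:
            case CLOCK_MONOTONIC:
            case CLOCK_PROCESS_CPUTIME_ID:
            case CLOCK_THREAD_CPUTIME_ID:
#ifdef CLOCK_MONOTONIC_RAW
            case CLOCK_MONOTONIC_RAW:
#endif
#ifdef CLOCK_MONOTONIC_COARSE
            case CLOCK_MONOTONIC_COARSE:
#endif
#ifdef CLOCK_BOOTTIME
            case CLOCK_BOOTTIME:
#endif
                return true;
            default:
                return false;
        }
    }
    /* Dynamic clocks: refuse fd-based clocks (and the all-bits-set invalid
     * pattern), then insist the encoded id is this process or one of its threads. */
    if (cpuclock_which(c) == CLOCKFD) return false;
    pid_t id = cpuclock_id(c);
    if (id == 0) return true;           /* 0 means "the calling task itself" */
    if (cpuclock_per_thread(c)) return id == self || tid_is_ours(id);
    return id == self;
}

int main(void) {
    pid_t self = getpid();
    pid_t tid = (pid_t)syscall(SYS_gettid);
    clockid_t libc_clock;
    if (clock_getcpuclockid(self, &libc_clock) != 0) libc_clock = CLOCK_REALTIME;

    struct { const char *what; clockid_t id; } cases[] = {
        { "CLOCK_MONOTONIC", CLOCK_MONOTONIC },
        { "libc clock_getcpuclockid(getpid())", libc_clock },
        { "hand-built clock for this process", make_cpuclock(self, CPUCLOCK_SCHED, false) },
        { "hand-built clock for this thread", make_cpuclock(tid, CPUCLOCK_SCHED, true) },
        { "clock for a different pid", make_cpuclock(self + 1, CPUCLOCK_SCHED, false) },
        { "fd-based clock (PTP-style)", make_cpuclock(self, CLOCKFD, false) },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-38s clockid=%11d -> %s\n", cases[i].what, (int)cases[i].id,
               clockid_allowed(cases[i].id, self) ? "allow" : "deny");
    return 0;
}
```

Because the predicate only looks at the first argument, it is safe to attach to both `__NR_clock_gettime` and `__NR_clock_gettime64`; what differs between the two is the `timespec` layout of the second argument, which the policy never inspects.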
Emilio Cobos Álvarez
8fa401f652 Bug 1680166 - GCC is smarter than clang, so ignore the warning properly.
CLOSED TREE

MANUAL PUSH: Base toolchain build bustage.
2020-12-02 14:31:39 +01:00
Emilio Cobos Álvarez
d97661003b Bug 1680166 - Return EFAULT when given a null path to stat* calls in the sandbox filter. r=gcp
It's a common way to check the existence of system calls. Glibc may fall
back to fstatat when statx is called, passing down the null path.

Since we handle fstatat, let's return -EFAULT the same way the real
fstatat syscall would do.

This is needed for the sandbox not to constantly crash due to this statx
call in rustc:

09c9c9f7da/library/std/src/sys/unix/fs.rs (L119-L123)

Differential Revision: https://phabricator.services.mozilla.com/D98414
2020-12-02 11:05:16 +00:00
Jean-Yves Avenard
53f8a78ca2 Bug 1679356 - P1. Make the VP9 HW decoder work on Apple Silicon. r=haik
We relax the sandbox to allow querying the IOAVDHEVCDecodeCapabilities property

Differential Revision: https://phabricator.services.mozilla.com/D97983
2020-11-27 21:26:11 +00:00
Sylvestre Ledru
5079cc5b3f Bug 1588710 - Do not fail on stack protector on some asm chromium & breakpad sandboxing code r=mhentges
caused:
[task 2020-11-05T10:14:26.012Z] 10:14:26     INFO -  In file included from Unified_cpp_sandbox_linux2.cpp:137:
[task 2020-11-05T10:14:26.012Z] 10:14:26    ERROR -  /builds/worker/checkouts/gecko/security/sandbox/chromium/sandbox/linux/seccomp-bpf/syscall.cc:369:3: error: Unable to protect inline asm that clobbers stack pointer against stack clash [-Werror,-Wstack-protector]
[task 2020-11-05T10:14:26.012Z] 10:14:26     INFO -    asm volatile(
[task 2020-11-05T10:14:26.013Z] 10:14:26     INFO -    ^
[task 2020-11-05T10:14:26.013Z] 10:14:26     INFO -  1 error generated.

Differential Revision: https://phabricator.services.mozilla.com/D97567
2020-11-27 10:14:01 +00:00
Jean-Yves Avenard
1ec040c4a0 Bug 1676999 - P1. Remove preference. r=bobowen
The RDD process can no longer work without having access to win32k; enabling this pref would lead to a crash on Nightly and failure to work elsewhere.

Differential Revision: https://phabricator.services.mozilla.com/D97753
2020-11-20 17:22:51 +00:00
Simon Giesecke
ae75be244a Bug 1677466 - Split Endpoint.h and ProtocolMessageUtils.h from ProtocolUtils.h. r=mccr8
Differential Revision: https://phabricator.services.mozilla.com/D93568

Depends on D93567
2020-11-23 16:06:42 +00:00
Simon Giesecke
971b645fe3 Bug 1660470 - Add missing include directives/forward declarations. r=nika
Differential Revision: https://phabricator.services.mozilla.com/D87865
2020-11-23 16:21:38 +00:00
Toshihito Kikuchi
056103e63e Bug 1620114 - Enable pre-spawn CIG in RDD. r=bobowen
This patch enables pre-spawn CIG in the RDD process.

If CIG prevents a module listed in the executable's Import Directory Table from loading, Windows
fails to launch the process entirely.  So we add a policy rule of `SUBSYS_SIGNED_BINARY` for
all files under the directory containing the executable, such as mozglue.dll, and for
modules injected via the Import Directory Table.  The latter will be blocked by our
blocklist with `REDIRECT_TO_NOOP_ENTRYPOINT` (bug 1659438).

Differential Revision: https://phabricator.services.mozilla.com/D96933
2020-11-19 21:59:47 +00:00
Cosmin Sabou
f3018c915c No bug - Fix typo to trigger mochitest jobs.
CLOSED TREE
2020-11-12 21:18:08 +02:00
Philipp Ammann
93c8ef1413 Bug 1661450 - Guard X11-only code behind #ifdef MOZ_X11 r=stransky
Differential Revision: https://phabricator.services.mozilla.com/D88803
2020-08-31 11:41:22 +00:00
Cosmin Sabou
4d167c5d6b Backed out 5 changesets (bug 1661450) for causing build bustages. CLOSED TREE
Backed out changeset b01a3dceb3eb (bug 1661450)
Backed out changeset 4a0b897aa1b2 (bug 1661450)
Backed out changeset 561d7cce5353 (bug 1661450)
Backed out changeset 088f1afeff27 (bug 1661450)
Backed out changeset 04db3acdf84f (bug 1661450)
2020-11-05 12:00:59 +02:00
Philipp Ammann
d3b31d1286 Bug 1661450 - Guard X11-only code behind #ifdef MOZ_X11 r=stransky
Differential Revision: https://phabricator.services.mozilla.com/D88803
2020-08-31 11:41:22 +00:00
Aaron Klotz
a2f9ffcda8 Bug 1675090: Use rvalue ref in SandboxTarget::RegisterSandboxStartCallback; r=bobowen
Differential Revision: https://phabricator.services.mozilla.com/D95776
2020-11-03 19:36:42 +00:00
Jed Davis
4f544dfb07 Bug 1673770 - Extend the handling of fstatat-as-fstat to sandboxes that don't use a file broker. r=gcp
The fix for bug 1660901, to handle the subset of fstatat that is
equivalent to fstat, was incomplete: it was added to the existing
hook for the file broker, so processes that don't use a broker (like
GMP) didn't get the fix.  That wasn't a problem when the only use of
that feature was in content processes via GTK, but now that glibc has
reimplemented fstat that way, it's necessary for all processes.

Differential Revision: https://phabricator.services.mozilla.com/D95108
2020-10-29 17:41:28 +00:00
Bob Owen
400cb18bfe Bug 1673194: Remove dynamic code disable for 64-bit RDD process. r=jya
Differential Revision: https://phabricator.services.mozilla.com/D95050
2020-10-29 08:51:39 +00:00
Jed Davis
28fdbc26d8 Bug 1673202 - Call fstat directly in Linux sandbox fstatat interception. r=gcp
Sandbox policies handle the case of `fstatat(fd, "", AT_EMPTY_PATH|...)`
by invoking the SIGSYS handler (because seccomp-bpf can't tell if the
string will be empty when the syscall would use it), which makes the
equivalent call to `fstat`.

Unfortunately, recent development versions of glibc implement `fstat` by
calling `fstatat`, which causes unbounded recursion and stack overflow.
(This depends on the headers present at build time; see the bug for more
details.)  This patch switches it to use the `fstat` (or `fstat64` on
32-bit) syscall directly.

Differential Revision: https://phabricator.services.mozilla.com/D94798
2020-10-27 21:05:09 +00:00
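The three `fstatat` commits above (bug 1680166: `-EFAULT` for a NULL path; bug 1673770: the empty-path case must be handled even without a file broker; bug 1673202: issue `fstat` as a raw syscall to avoid recursing through glibc) describe one decision routine. Here it is as an added example, not Firefox's `SandboxFilter.cc` or `SandboxBrokerClient` code: the user-space function a SIGSYS trap handler would call after seccomp-bpf traps `newfstatat`/`fstatat64`. It returns `0` or `-errno` in the kernel's convention. The broker path (a real path string) is simply refused with `-EACCES` here, since the broker is not part of this example.

```c
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64   /* on 32-bit ABIs, make struct stat match fstat64 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Issue the plain fstat syscall directly (fstat64 on 32-bit ABIs).  Calling
 * the libc wrapper here would recurse: newer glibc implements fstat() via
 * fstatat(), which is exactly the syscall that just trapped (bug 1673202). */
static long raw_fstat(int fd, struct stat *st) {
#if defined(SYS_fstat64)
    long rv = syscall(SYS_fstat64, fd, st);
#else
    long rv = syscall(SYS_fstat, fd, st);
#endif
    return rv < 0 ? -errno : rv;
}

/* What the trap handler does for fstatat(dirfd, path, st, flags). */
long sandbox_fstatat(int dirfd, const char *path, struct stat *st, int flags) {
    /* glibc probes statx() and may fall back to fstatat() with a NULL path;
     * the real syscall faults on that pointer, so answer the same way
     * (bug 1680166). */
    if (path == NULL) return -EFAULT;

    if (path[0] == '\0') {
        /* fstatat(fd, "", AT_EMPTY_PATH) is just fstat(fd).  BPF cannot read
         * the string, which is why this runs in the handler, and it must run
         * in every process type, broker or not (bugs 1660901, 1673770). */
        if (flags & AT_EMPTY_PATH) return raw_fstat(dirfd, st);
        return -ENOENT;          /* empty path without AT_EMPTY_PATH: kernel says ENOENT */
    }

    /* A real path would be forwarded to the file broker in a content process;
     * this example has no broker, so it refuses like a brokerless process. */
    return -EACCES;
}

/* Convenience: file type (S_IFMT bits) of an fd via the trap path, or -errno. */
long fd_file_type(int fd) {
    struct stat st;
    long rv = sandbox_fstatat(fd, "", &st, AT_EMPTY_PATH);
    return rv < 0 ? rv : (long)(st.st_mode & S_IFMT);
}

int main(void) {
    struct stat st;
    int fd = open("/", O_RDONLY | O_DIRECTORY);
    long rv = sandbox_fstatat(fd, "", &st, AT_EMPTY_PATH);
    printf("fstatat(fd, \"\", AT_EMPTY_PATH)  -> %ld, is directory: %s\n",
           rv, rv == 0 && S_ISDIR(st.st_mode) ? "yes" : "no");
    rv = sandbox_fstatat(AT_FDCWD, NULL, &st, 0);
    printf("fstatat(AT_FDCWD, NULL, 0)         -> %ld (%s)\n", rv, strerror((int)-rv));
    rv = sandbox_fstatat(AT_FDCWD, "", &st, 0);
    printf("fstatat(AT_FDCWD, \"\", 0)           -> %ld (%s)\n", rv, strerror((int)-rv));
    rv = sandbox_fstatat(AT_FDCWD, "/etc/hosts", &st, 0);
    printf("fstatat(AT_FDCWD, \"/etc/hosts\", 0) -> %ld (%s)\n", rv, strerror((int)-rv));
    close(fd);
    return 0;
}
```

The order of the checks matters: the NULL test has to come before any dereference, and the empty-path branch must reach the raw syscall rather than `fstat()` from libc, because with glibc's `fstat`-via-`fstatat` the trap would fire again inside the handler and the stack would overflow.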
Toshihito Kikuchi
83d95e2106 Bug 1671316 - Part1. Introduce CrossExecTransferManager. r=mhowell
This patch introduces a class `CrossExecTransferManager` to manage the data
transfer from the current process to a remote process via `WriteProcessMemory`.
The class also encapsulates logic to bridge the gap between the two executables'
image bases.

Differential Revision: https://phabricator.services.mozilla.com/D94652
2020-10-27 14:09:00 +00:00
Ricky Stewart
02a7b4ebdf Bug 1654103: Standardize on Black for Python code in mozilla-central.
Allow-list all Python code in tree for use with the black linter, and re-format all code in-tree accordingly.

To produce this patch I did all of the following:

1. Make changes to tools/lint/black.yml to remove include: stanza and update list of source extensions.

2. Run ./mach lint --linter black --fix

3. Make some ad-hoc manual updates to python/mozbuild/mozbuild/test/configure/test_configure.py -- it has some hard-coded line numbers that the reformat breaks.

4. Make some ad-hoc manual updates to `testing/marionette/client/setup.py`, `testing/marionette/harness/setup.py`, and `testing/firefox-ui/harness/setup.py`, which have hard-coded regexes that break after the reformat.

5. Add a set of exclusions to black.yml. These will be deleted in a follow-up bug (1672023).

# ignore-this-changeset

Differential Revision: https://phabricator.services.mozilla.com/D94045
2020-10-26 18:34:53 +00:00
Bogdan Tara
da1098d4aa Backed out 10 changesets (bug 1654103, bug 1672023, bug 1518999) for PanZoomControllerTest.touchEventForResult gv-junit failures CLOSED TREE
Backed out changeset ff3fb0b4a512 (bug 1672023)
Backed out changeset e7834b600201 (bug 1654103)
Backed out changeset 807893ca8069 (bug 1518999)
Backed out changeset 13e6b92440e9 (bug 1518999)
Backed out changeset 8b2ac5a6c98a (bug 1518999)
Backed out changeset 575748295752 (bug 1518999)
Backed out changeset 65f07ce7b39b (bug 1518999)
Backed out changeset 4bb80556158d (bug 1518999)
Backed out changeset 8ac8461d7bd7 (bug 1518999)
Backed out changeset e8ba13ee17f5 (bug 1518999)
2020-10-24 03:36:18 +03:00
Ricky Stewart
c0cea3b0fa Bug 1654103: Standardize on Black for Python code in mozilla-central. r=remote-protocol-reviewers,marionette-reviewers,webdriver-reviewers,perftest-reviewers,devtools-backward-compat-reviewers,jgilbert,preferences-reviewers,sylvestre,maja_zf,webcompat-reviewers,denschub,ntim,whimboo,sparky
Allow-list all Python code in tree for use with the black linter, and re-format all code in-tree accordingly.

To produce this patch I did all of the following:

1. Make changes to tools/lint/black.yml to remove include: stanza and update list of source extensions.

2. Run ./mach lint --linter black --fix

3. Make some ad-hoc manual updates to python/mozbuild/mozbuild/test/configure/test_configure.py -- it has some hard-coded line numbers that the reformat breaks.

4. Make some ad-hoc manual updates to `testing/marionette/client/setup.py`, `testing/marionette/harness/setup.py`, and `testing/firefox-ui/harness/setup.py`, which have hard-coded regexes that break after the reformat.

5. Add a set of exclusions to black.yml. These will be deleted in a follow-up bug (1672023).

# ignore-this-changeset

Differential Revision: https://phabricator.services.mozilla.com/D94045
2020-10-23 20:40:42 +00:00
Bob Owen
a8453ad25d Bug 1668876: Take chromium commit b8479b16bfe703cb09147f4d5cff0cfa3bd91366. r=tkikuchi
Differential Revision: https://phabricator.services.mozilla.com/D94583
2020-10-23 16:01:59 +00:00