This patch moves handling of the "MOZ_DISABLE_CONTENT_SANDBOX" environment
variable into GetEffectiveContentSandboxLevel. It also introduces
IsContentSandboxEnabled and ports many users of GetEffectiveContentSandboxLevel
to use it.
MozReview-Commit-ID: 4CsOf89vlRB
--HG--
extra : rebase_source : b9130f522e860e6a582933799a9bac07b771139b
This patch moves handling of the "MOZ_DISABLE_CONTENT_SANDBOX" environment
variable into GetEffectiveContentSandboxLevel. It also introduces
IsContentSandboxEnabled and ports many users of GetEffectiveContentSandboxLevel
to use it.
MozReview-Commit-ID: 4CsOf89vlRB
--HG--
extra : rebase_source : 10234bd7d837eae8dc915e4a0c0a37040fd0a280
See the previous patch for an explanation of the mistake that this is
meant to catch.
Note that, even for arguments that really are 64-bit on 32-bit platforms
(typically off_t), it's generally not safe to pass them directly to
syscall(): some architectures, like ARM, use ABIs that require such
arguments to be passed in aligned register pairs, and they'll be aligned
differently for syscall() vs. the actual system call due to the leading
system call number argument. The syscall(2) man page discusses this
and documents that such arguments should be split into high/low halves,
passed separately, and manually padded.
Therefore, this patch rejects any argument types larger than a word.
MozReview-Commit-ID: FVhpri4zcWk
--HG--
extra : rebase_source : 0329fe68be2a4e16fb71736627f0190e005c9972
The values in arch_seccomp_data::args are uint64_t even on 32-bit
platforms, and syscall takes varargs, so the arguments need to be
explicitly cast to the word size in order to be passed correctly.
MozReview-Commit-ID: 5ldv6WbL2Z3
--HG--
extra : rebase_source : c6ef37d8b367ad6025e510e58e6ab4d2f96cfc9e
This helps with getting the tests that are running out of /tmp
to pass, who get confused if their paths change underneath them.
It's also a bit faster.
MozReview-Commit-ID: CWtngVNhA0t
--HG--
extra : rebase_source : b7fe3ad6317fafa382a2ad38c7d9d5338aeafc9b
This may be required if people have @import in their userContent.css, and
in any case our tests check for this.
MozReview-Commit-ID: 8uJcWiC2rli
--HG--
extra : rebase_source : 38bd2a2ffc593bf94b3c16f0c755d169d5998f7f
This helps with getting the tests that are running out of /tmp
to pass, who get confused if their paths change underneath them.
It's also a bit faster.
MozReview-Commit-ID: CWtngVNhA0t
--HG--
extra : rebase_source : 304481a18c371c3253448971f48064bcbd681a81
This may be required if people have @import in their userContent.css, and
in any case our tests check for this.
MozReview-Commit-ID: 8uJcWiC2rli
--HG--
extra : rebase_source : 3542ea305aabaca0500d66f8e86f5c12170d793e
This prctl is used by PulseAudio; once bug 1394163 is resolved, allowing
it can be made conditional on the media.cubeb.sandbox pref.
MozReview-Commit-ID: 6jAM65V32vK
--HG--
extra : rebase_source : abb039aff7cefc0aa3b95f4574fdf1e3fb0d93a6
ChildPrivileges is a leftover from the B2G process model; it's now
mostly unused, except for the Windows sandbox using it to carry whether
a content process has file:/// access.
In general, when sandboxing needs to interact with process launch, the
inputs are some subset of: the GeckoProcessType, the subtype if content,
various prefs and even GPU configuration; and the resulting launch
adjustments are platform-specific. And on some platforms (e.g., OS X)
it's all done after launch. So a simple enum used cross-platform isn't
a good fit.
MozReview-Commit-ID: K31OHOpJzla
--HG--
extra : rebase_source : 3928b44eb86cd076bcac7897536590555237b76b
This removes the allow-all override in the content policy, which means it will
fall back to the more restrictive prctl policy in SandboxPolicyCommon.
MozReview-Commit-ID: CncoGi0HLxR
--HG--
extra : rebase_source : 6cb1834c56a1781f1512b7b078ba3469c3dd8537
I think that trying to slice this up by feature is just going to lead to complications down the line,
so to keep it simple I've moved this to the launch code for all sandboxed children, not just when the
Alternate Desktop is enabled.
This also, similar to chromium, only adds them to the blocklist if they are loaded in the parent.
This does two things:
1) Move the level 3 rules to always be applicable, and simplifies level 2 accordingly
2) Consistently uses the raw string literal syntax for regexes
MozReview-Commit-ID: 6iwjOvRVMM7
--HG--
extra : rebase_source : 3ac59219ad0793a98bdb203fb3d247561216a560
PulseAudio is the only thing that's known to need this. Note that the
same file often exists as /etc/machine-id, and we currently allow reading
all of /etc (which includes other fingerprinting hazards as well).
MozReview-Commit-ID: FoyKQzhAV6M
--HG--
extra : rebase_source : 593ee0b94cf507681a034d22cd06a9050d56b86a
If these aren't close-on-exec, they can be inherited by the crash
reporter process after the parent process has crashed and exited,
causing child processes to continue running when the IPC I/O thread blocks
in the file broker trying to open a GeckoChildCrash temp file.
(Empirically, the main thread then blocks waiting for the I/O thread.)
Operations that run on dedicated threads, like playing media, may
continue even though the main and IPC threads are locked up, resulting in
videos that keep playing sound even though the browser seems to no longer
exist.
If the broker socket is closed as expected when the parent process
exits, the child will return failure from the brokered file operation
and then go on to get an IPC error due to the parent process's
nonexistence, and will exit as normal.
This patch makes the same change to rejected syscall reporting, even
though that's a one-way asynchronous message with no response to wait
for, just in case something goes wrong enough to fill the entire socket
buffer but not so badly broken that it would wind up in an infinite loop
anyway.
SOCK_CLOEXEC has been present since Linux 2.6.26, and it would be used
only if seccomp-bpf is available, so it should be safe to use
unconditionally.
MozReview-Commit-ID: 7tDPBJILzlj
--HG--
extra : rebase_source : b797655dff2eea88c406d83dcee4a859f2a038b7
As a special case to deal with PulseAudio, testing for a process's
existence with kill(pid, 0) quietly fails with EPERM instead.
(I also added some commentary on umask, since I was touching that part of
the code anyway.)
MozReview-Commit-ID: CM0Aqii13j4
--HG--
extra : rebase_source : 44ef05e9a39a9eea4a649399c63b865f5523d43b
This fixes improper usages of Find where an offset was actually being use for
the boolean ignore case flag. It also fixes a few instances of passing in a
literal wchar_t to our functions where a NS_LITERAL_STRING or char16_t should
be used instead.
--HG--
extra : rebase_source : 5de1e9335895d65e6db06c510e8887d27be3390f
extra : source : f762f605dd83fc6331161a33e1ef5d54cafbd08d
This is 0cb5dadc2b1f84fbbd9c6f75056e38d05a5b07d3 and
db4c64b63d6098294ed255e962700fd2d465575e in the chromium repository.
This allows a single process to create sandboxed children with alternate
desktops on both an alternate winstation and the local winstation.
MozReview-Commit-ID: 8sS7LjoveOk
--HG--
extra : rebase_source : 6915af73743f87ed74ddefe04210dbdd95bb56ed
Adds access to video encoding/decoding services when running on macOS 10.13 High Sierra.
MozReview-Commit-ID: 6h4dZ6gkFtp
--HG--
extra : rebase_source : 8c5078b336631e3254fcaaf6727dff281c840159
Fix the file access check by adding missing parentheses to isDirectory method call.
Don't run the cookies file check on Linux because the test profile is read accessible due to being in /tmp.
MozReview-Commit-ID: lps2hk8f5U
--HG--
extra : rebase_source : 5fba75d65081e56df5a0d171c41689c489a3aace
Generally, the intent for the Add* methods is that they always grant
rights in addition to what's already in the policy, not remove them;
this makes subtree rules that overlap single-file rules follow that
principle.
This requires a global analysis because the conflicting rules can be
added in any order. It does not currently attempt to handle prefix
rules that aren't at a path component boundary, because that's not a
problem we currently have.
MozReview-Commit-ID: 4kv6QoGCBTV
--HG--
extra : rebase_source : 9e41263bbb1c07b8cde40ec2e72d746f17278fcb
Now that all of the operations that took two paths are removed, we can
have less string manipulation running on untrusted inputs in a trusted
context.
Note that the path isn't null-terminated in transit, because we know
the message length and there's no longer any need to delimit anything.
(This is how the protocol worked before the two-path operations were
added.)
MozReview-Commit-ID: 5VHkMoPlWmU
--HG--
extra : rebase_source : 2108a4f7c7bf5098f2ef63786c3675367bd56e19
In testing (local and CI) these seem to no longer be used.
MozReview-Commit-ID: 2D3C8eWoIsB
--HG--
extra : rebase_source : dde2015af1d036c32631d185703f1149285b253e
Now that all of the operations that took two paths are removed, we can
have less string manipulation running on untrusted inputs in a trusted
context.
Note that the path isn't null-terminated in transit, because we know
the message length and there's no longer any need to delimit anything.
(This is how the protocol worked before the two-path operations were
added.)
MozReview-Commit-ID: 5VHkMoPlWmU
--HG--
extra : rebase_source : 74fd595c4aea6c9e073ae704b8e59599770300b4
In testing (local and CI) these seem to no longer be used.
MozReview-Commit-ID: 2D3C8eWoIsB
--HG--
extra : rebase_source : 20d986e1430a70ddb534fdd73d1d06e12510292f
Moves IsDevelopmentBuild(), GetRepoDir(), and GetObjectDir() out of
SandboxSettings because they also need to be used by ExtensionProtocolHandler
to do security checks on developer builds as a result of how developer builds
rely on symlinks to the repo dir from system extension directories.
Remove the Linux-implementation of GetRepoDir() and GetObjectDir()
because the Linux content sandbox implementation and the
ExtensionProtocolHandler checks don't need them.
MozReview-Commit-ID: KwBFUnh6Cml
--HG--
extra : rebase_source : 3529a18ea802699ff968b798a7c560613469809b
1. X_OK is now allowed, and is limited only by the MAY_ACCESS permission.
2. The actual access() syscall is now used, if access is granted by the
broker policy. This fixed bug 1382246, which explains the background.
MozReview-Commit-ID: 926429PlBnL
--HG--
extra : rebase_source : 6ae54c4c25e1389fa3af75b0bdf727323448294a
This removes /tmp/com.apple.csseed access entirely, ipc-posix-shm-read-metadata
from CFPBS:, and ipc-posix-shm-write-{create,unlink} from AudioIO and CFPBS:.
MozReview-Commit-ID: Eahx6guqGos
--HG--
extra : rebase_source : 621e81eb00411ae39882504db7d10a50eef30b27
This mechanically replaces nsILocalFile with nsIFile in
*.js, *.jsm, *.sjs, *.html, *.xul, *.xml, and *.py.
MozReview-Commit-ID: 4ecl3RZhOwC
--HG--
extra : rebase_source : 412880ea27766118c38498d021331a3df6bccc70
Before this change we were trying to change the settings from both the content
and parent processes, so this doesn't change any functionality. This allows to
remove access to the com.apple.PowerManagement.control mach service from the
content process.
MozReview-Commit-ID: 3DOhqG5U6oz
--HG--
extra : rebase_source : dee0b97c444ae95cfc8f80cb0fb99aa9e2658d51
MozStackWalk() is different on Windows to the other platforms. It has two extra
arguments, which can be used to walk the stack of a different thread.
This patch makes those differences clearer. Instead of having a single function
and forbidding those two arguments on non-Windows, it removes those arguments
from MozStackWalk, and splits off MozStackWalkThread() which retains them. This
also allows those arguments to have more appropriate types (HANDLE instead of
uintptr_t; CONTEXT* instead of than void*) and names (aContext instead of
aPlatformData).
The patch also removes unnecessary reinterpret_casts for the aClosure argument
at a couple of MozStackWalk() callsites.
--HG--
extra : rebase_source : 111ab7d6426d7be921facc2264f6db86c501d127
Otherwise, a warning is triggered because the statement will never be executed [-
Found with -Wswitch-unreachable with gcc 7
MozReview-Commit-ID: FVStzyFlhJp
--HG--
extra : rebase_source : 1db87153c3e7dcde8d5a9e0f1f0ff607307c9ca2
On Mac developer builds, read the repo path and object dir path from the
Info.plist files in the application bundle instead of the
MOZ_DEVELOPER_REPO_DIR and MOZ_DEVELOPER_OBJ_DIR environment variables.
MozReview-Commit-ID: 8UtjkNPGUM1
--HG--
extra : rebase_source : 3e4ce32f2e2c40f8d899bc9190e48298081458d9
It is not used, so this is an attack surface reduction.
MozReview-Commit-ID: mrW9hi0SAh
--HG--
extra : rebase_source : 889b937cfd20680bbb62391fa7932b5cd2e1fd6a
I've made this non-ifdef'ed, and removed currently unused ifdef'ed cases
for old Android versions, because I'd rather have less code that we're
not even compile-testing than save a few cycles on a non-critical path.
MozReview-Commit-ID: B4Wn1elyK4f
--HG--
extra : rebase_source : f12ef40b325432a6aafe961095e5af64fc5a1a9a
On developer builds, use $MOZ_DEVELOPER_OBJ_DIR to whitelist the object dir in the content sandbox so that symlinks to the object dir from .app/ files can be loaded.
MozReview-Commit-ID: J4YdpxgbD8i
--HG--
extra : rebase_source : 19e369fe9ae29418d9d79e1fb83246474d858f34
This specifically disallows the creation of ttys and symlinks. Writable
directories are needed for plugins, which lazily create the plugintmp directory.
If/when the plugin API surface is reduced we can restrict down to just regular
files.
MozReview-Commit-ID: Ec6qeaiHSsB
--HG--
extra : rebase_source : 252a3cbf7954b9c09092b896ef8af45310438a86
On macOS, the file-write* permission type contains numerous sub-permissions (see
bug for full listing). Restrict the ones we allow to only the two we need:
file-write-create and file-write-data. This primarily reduces kernel attack
surface, I'm not aware of any bad things that could be done directly with the
removed permissions.
MozReview-Commit-ID: 3VvjFesy2qx
--HG--
extra : rebase_source : 934ec17c44c9ef3d7fab29919d66cf1a55d57697
Allow access to the "com.apple.audio.AudioComponentRegistrar" API on 10.13+ systems.
MozReview-Commit-ID: 8gWXvuXTNKi
--HG--
extra : rebase_source : 8abf9a2548d915a89adfa82580d46c1bc00726d8
