The tables in SandboxFilterUtil.cpp should remain vertically aligned,
but clang-format would disagree. This patch excludes that region from
reformatting, and applies the other changes that clang-format would make
there.
Differential Revision: https://phabricator.services.mozilla.com/D12499
--HG--
extra : moz-landing-system : lando
Until more analysis is done, add back access to com.apple.CoreServices.coreservicesd to avoid extra allocations that are triggered when the service is blocked.
Differential Revision: https://phabricator.services.mozilla.com/D12479
--HG--
extra : moz-landing-system : lando
Don't start the sandbox until after the port exchange so the parent process does not have to wait longer in ContentParent::LaunchSubprocess() for the (expensive) sandbox_init_with_parameters call to complete in the child. Remove the policy rule allowing access to the parent port now that it is already open when the sandbox is initialized and therefore not needed.
Differential Revision: https://phabricator.services.mozilla.com/D11186
--HG--
extra : moz-landing-system : lando
mingw-clang, when using SEH exceptions, compile these fine but don't unwind
them properly. When using sj/lj exceptions it can't compile them at all.
--HG--
extra : histedit_source : 4bda121d4d60ab6e7cf51a3d4287261c81904fe2
Add the /private/var directory to the list of file-read-metadata paths to avoid rendering issues on macOS 10.14 when sandbox early startup is enabled.
Differential Revision: https://phabricator.services.mozilla.com/D9933
--HG--
extra : moz-landing-system : lando
Only allow access to "com.apple.windowserver.active" when the pref
"security.sandbox.content.mac.disconnect-windowserver" is set to true.
Depends on D6721
Differential Revision: https://phabricator.services.mozilla.com/D7357
--HG--
extra : moz-landing-system : lando
When early initialization of the sandbox is enabled, assert that the sandbox has already been enabled in ContentProcess::Init().
Depends on D6720
Differential Revision: https://phabricator.services.mozilla.com/D6721
--HG--
extra : moz-landing-system : lando
Pass sandbox parameters to content processes on the command line allowing for early sandbox startup.
Pref'd off behind "security.sandbox.content.mac.earlyinit" until it's ready to be enabled by default.
Once early startup is enabled by default and considered stable, the original sandbox startup code can be removed.
Depends on D6719
Differential Revision: https://phabricator.services.mozilla.com/D6720
--HG--
extra : moz-landing-system : lando
Simplify the content sandbox policy by removing APP_BINARY_PATH and APP_DIR Mac sandbox parameters and their associated rules in the policy. Keep APP_PATH which is a parent directory of APP_BINARY_PATH and APP_DIR. Change APP_PATH to be the path to the parent process .app directory and make GetAppPath return this path when called from the parent or a child process.
Depends on D6717
Differential Revision: https://phabricator.services.mozilla.com/D6719
--HG--
extra : moz-landing-system : lando
The compiler warns that jobLevel is uninitialized if none of the if-else
conditions are true. Simply replacing the leading assert with a
"else crash" tells the compiler that case will never actually happen.
Differential Revision: https://phabricator.services.mozilla.com/D8841
--HG--
extra : moz-landing-system : lando
Allow NPAPI sandbox to use restricting SIDs. This hardens the plugin sandbox.
Differential Revision: https://phabricator.services.mozilla.com/D8746
--HG--
extra : moz-landing-system : lando
The sandbox blocks GetTempFileName's prior response, causing the system to end up searching a number of (inaccessible) folders to use as a replacement for the temp folder. This patch provides a path to a new folder on the command line for the plugin process. This new temp folder, specific to this plugin process instance, is then communicated to the system via the TEMP/TMP environment variables. This is similar to what is done for the content process but avoids nsDirectoryService, which doesn't exist in plugin processes.
Differential Revision: https://phabricator.services.mozilla.com/D7532
--HG--
extra : moz-landing-system : lando
The sandbox blocks GetTempFileName's prior response, causing the system to end up searching a number of (inaccessible) folders to use as a replacement for the temp folder. This patch provides a path to a new folder on the command line for the plugin process. This new temp folder, specific to this plugin process instance, is then communicated to the system via the TEMP/TMP environment variables. This is similar to what is done for the content process but avoids nsDirectoryService, which doesn't exist in plugin processes.
Differential Revision: https://phabricator.services.mozilla.com/D7532
--HG--
extra : moz-landing-system : lando
Only allow access to "com.apple.windowserver.active" when the pref
"security.sandbox.content.mac.disconnect-windowserver" is set to true.
Depends on D6721
Differential Revision: https://phabricator.services.mozilla.com/D7357
--HG--
extra : moz-landing-system : lando
When early initialization of the sandbox is enabled, assert that the sandbox has already been enabled in ContentProcess::Init().
Depends on D6720
Differential Revision: https://phabricator.services.mozilla.com/D6721
--HG--
extra : moz-landing-system : lando
Pass sandbox parameters to content processes on the command
line allowing for early sandbox startup. Limited to Nightly
until confirmed to be stable and ready to ride the trains.
Enable early sandbox startup by default on Nightly and use
pref "security.sandbox.content.mac.earlyinit" to disable
early startup for debugging purposes.
Once early startup is stable, the original sandbox startup
code can be removed.
Depends on D6719
Differential Revision: https://phabricator.services.mozilla.com/D6720
--HG--
extra : moz-landing-system : lando
Simplify the content sandbox policy by removing APP_BINARY_PATH and APP_DIR Mac sandbox parameters and their associated rules in the policy. Keep APP_PATH which is a parent directory of APP_BINARY_PATH and APP_DIR.
Depends on D6717
Differential Revision: https://phabricator.services.mozilla.com/D6719
--HG--
extra : moz-landing-system : lando
Only allow access to "com.apple.windowserver.active" when the pref
"security.sandbox.content.mac.disconnect-windowserver" is set to true.
Depends on D6721
Differential Revision: https://phabricator.services.mozilla.com/D7357
--HG--
extra : moz-landing-system : lando
When early initialization of the sandbox is enabled, assert that the sandbox has already been enabled in ContentProcess::Init().
Depends on D6720
Differential Revision: https://phabricator.services.mozilla.com/D6721
--HG--
extra : moz-landing-system : lando
Pass sandbox parameters to content processes on the command
line allowing for early sandbox startup. Limited to Nightly
until confirmed to be stable and ready to ride the trains.
Enable early sandbox startup by default on Nightly and use
pref "security.sandbox.content.mac.earlyinit" to disable
early startup for debugging purposes.
Once early startup is stable, the original sandbox startup
code can be removed.
Depends on D6719
Differential Revision: https://phabricator.services.mozilla.com/D6720
--HG--
extra : moz-landing-system : lando
Simplify the content sandbox policy by removing APP_BINARY_PATH and APP_DIR Mac sandbox parameters and their associated rules in the policy. Keep APP_PATH which is a parent directory of APP_BINARY_PATH and APP_DIR.
Depends on D6717
Differential Revision: https://phabricator.services.mozilla.com/D6719
--HG--
extra : moz-landing-system : lando
Most of the times when we automatically create nsThread wrappers for threads
that don't already have them, we don't actually need the event targets, since
those threads don't run XPCOM event loops. Aside from wasting memory, actually
creating these event loops can lead to leaks if a thread tries to dispatch a
runnable to the queue which creates a reference cycle with the thread.
Not creating the event queues for threads that don't actually need them helps
avoid those foot guns, and also makes it easier to figure out which treads
actually run XPCOM event loops.
MozReview-Commit-ID: Arck4VQqdne
--HG--
extra : source : a03a61d6d724503c3b7c5e31fe32ced1f5d1c219
extra : intermediate-source : 5152af6ab3e399216ef6db8f060c257b2ffbd330
extra : histedit_source : ef06000344416e0919f536d5720fa979d2d29c66%2C4671676b613dc3e3ec762edf5d72a2ffbe6fca3f
Most of the times when we automatically create nsThread wrappers for threads
that don't already have them, we don't actually need the event targets, since
those threads don't run XPCOM event loops. Aside from wasting memory, actually
creating these event loops can lead to leaks if a thread tries to dispatch a
runnable to the queue which creates a reference cycle with the thread.
Not creating the event queues for threads that don't actually need them helps
avoid those foot guns, and also makes it easier to figure out which treads
actually run XPCOM event loops.
MozReview-Commit-ID: Arck4VQqdne
--HG--
extra : rebase_source : fcf8fa50e748c4b54c3bb1997575d9ffd4cbaae1
extra : source : a03a61d6d724503c3b7c5e31fe32ced1f5d1c219
Most of the times when we automatically create nsThread wrappers for threads
that don't already have them, we don't actually need the event targets, since
those threads don't run XPCOM event loops. Aside from wasting memory, actually
creating these event loops can lead to leaks if a thread tries to dispatch a
runnable to the queue which creates a reference cycle with the thread.
Not creating the event queues for threads that don't actually need them helps
avoid those foot guns, and also makes it easier to figure out which treads
actually run XPCOM event loops.
MozReview-Commit-ID: Arck4VQqdne
--HG--
extra : rebase_source : 02c5572b92ee48c11697d90941336e10c03d49cf
Add StartOpenBSDSandbox method calling pledge() syscall,
and use it where we're sandboxing processes.
The pledge subsets are coming from two new prefs:
- security.sandbox.pledge.content for the content process
- security.sandbox.pledge.main for the main process
--HG--
extra : rebase_source : 60da70e2d335755fda6126a6b7de7aad41eebb7e
Closures are nice but -- as pointed out in bug 1481978 comment #2 --
it's a footgun to take a std::function argument in a context where heap
allocation isn't safe.
Fortunately, non-capturing closures convert to C function pointers,
so a C-style interface with a void* context can still be relatively
ergonomic.
Right now, a lot of test code relies on side-effects of SpecialPowers being
loaded into frame script globals. In particular:
- It forces permissive COWs from those scopes, which allows frame scripts to
pass objects from those scopes to unprivileged content that they otherwise
wouldn't.
- It imports a bunch of helper modules and WebIDL globals which would
otherwise not be available.
Fortunately, this seems to only impact test code at this point. But there's a
real down-the-road risk of it impacting shipping code, which ends up working
in automation due to the side-effects of SpecialPowers, but failing in real
world use.
MozReview-Commit-ID: G27eSSOHymX
--HG--
extra : rebase_source : 1702e63fed719fc92def2bdbbb8a7c53572432db
extra : source : 41bedc526dd6ec6b7e8c7be1c832ac60c81d6263
This patch uses the shared memory name prefixes introduced in bug 1447867
to prevent access to /dev/shm files of other applications or other
processes within the same browser instance.
When a shared memory implementation that doesn't use shm_open is available
(specifically, the memfd_create support to be added in bug 1440203),
/dev/shm access is completely denied.
MozReview-Commit-ID: L2ylG5KrXTU
On 10.9 and 10.10, grant global read access to the Flash sandbox.
Change Flash sandbox levels by adding a new level 1 that includes
global read access which will be the default on 10.9/10.10.
Level 2 is the new default for 10.11 and above with file read
access enabled by file dialog activity.
MozReview-Commit-ID: LvXhd6Vf7mo
--HG--
extra : rebase_source : 946f89937e5bb4506fd6bc8b2c050c86a8b29cc8
Pass the user cache dir as a parameter to the Flash sandbox profile.
Add services and paths to the Flash sandbox profile needed for TLS
and encrypted video playback.
MozReview-Commit-ID: 1szVXVVATFy
--HG--
extra : rebase_source : 04885bb5d8b9995559462d373199078b109bfdc5
Add the com.apple.xpcd service to the Flash plugin sandbox for OS X 10.9 systems to avoid crashes when opening file dialogs.
MozReview-Commit-ID: A40Mov98Ddy
--HG--
extra : rebase_source : 3aa7471f239bd64d9e153e2e7076e99006358f1f
Add whitelist rules to allow access to Extensis Universal Type Manager fonts
on 10.11 and earlier OS versions.
MozReview-Commit-ID: 3cPKlC1xCUW
--HG--
extra : rebase_source : 2f8b126cbc7dff2b4d660b6261c1a45d695e09d8
This replaces some old Chromium code that tries to minimally disentangle
an arbitrary file descriptor mapping with simpler algorithm, for several
reasons:
1. Do something appropriate when a file descriptor is mapped to the same
fd number in the child; currently they're ignored, which means they'll
be closed if they were close-on-exec. This implementation duplicates
the fd twice in that case, which seems to be uncommon in practice; this
isn't maximally efficient but avoids special-case code.
2. Make this more generally applicable; the previous design is
specialized for arbitrary code running between fork and exec, but we
also want to use this on OS X with posix_spawn, which exposes a very
limited set of operations.
3. Avoid the use of C++ standard library iterators in async signal safe
code; the Chromium developers mention that this is a potential problem in
some debugging implementations that take locks.
4. In general the algorithm is simpler and should be more "obviously
correct"; more concretely, it should get complete coverage just by being
run normally in a debug build.
As a convenient side benefit, CloseSuperfluousFds now takes an arbitrary
predicate for which fds to leave open, which means it can be used in
other code that needs it without creating a fake fd mapping.
MozReview-Commit-ID: EoiRttrbrKL
--HG--
extra : rebase_source : 336e0ba9f56dc80f7347dc62617b4ad1efea7e7e
Same approach as the other bug, mostly replacing automatically by removing
'using mozilla::Forward;' and then:
s/mozilla::Forward/std::forward/
s/Forward</std::forward</
The only file that required manual fixup was TestTreeTraversal.cpp, which had
a class called TestNodeForward with template parameters :)
MozReview-Commit-ID: A88qFG5AccP
This was done automatically replacing:
s/mozilla::Move/std::move/
s/ Move(/ std::move(/
s/(Move(/(std::move(/
Removing the 'using mozilla::Move;' lines.
And then with a few manual fixups, see the bug for the split series..
MozReview-Commit-ID: Jxze3adipUh
Add font servers to sandbox policies instead of relying
on them to be registered before the sandbox is enabled.
MozReview-Commit-ID: IoVJhAqoEEW
--HG--
extra : rebase_source : 448cc9e556056c44cf76f79c126fbfe56e948e1e
Adds a test to validate that content sandboxing is allowing content
processes to access fonts from non-standard locations on the
filesystem. The test copies the Fira Sans font to the root of the
home directory and renders a page that should use Fira Sans when it
is installed and registered with the OS. The test checks for the use
of the ".LastResort" font which is an indication of the the content
process failing to load the font.
MozReview-Commit-ID: GPWqHdF3vhG
--HG--
extra : rebase_source : c0ea283d496517812202d068c610bdcc0ece640d
Add back font whitelist rules removed by the fix for bug 1393259
to workaround font sandbox extensions not being issued automatically
on OS X 10.11 and earlier.
MozReview-Commit-ID: 2hT0BzN3Ggq
--HG--
extra : rebase_source : 4fe9ce43eb7efe0c6a91c908c149126da6eb708e
Update Mac sandbox rules to allow executable mappings from /Library/GPUBundles which is
used by the Nvidia downloadable "Web" driver.
MozReview-Commit-ID: L2nTP4YWdJJ
--HG--
extra : rebase_source : d8eefdd5a180db5d3ea8207d923e021420f2318e
This patch uses the shared memory name prefixes introduced in bug 1447867
to prevent access to /dev/shm files of other applications or other
processes within the same browser instance.
When a shared memory implementation that doesn't use shm_open is available
(specifically, the memfd_create support to be added in bug 1440203),
/dev/shm access is completely denied.
MozReview-Commit-ID: L2ylG5KrXTU
--HG--
extra : rebase_source : ca1deece6117e843d691a13fff05bd0f97ec0408
Factor out the ATI-based driver detection code and use this to set
specific permissions needed by this driver. In passing, unnest some
of the SandboxBroker fallback paths, and make it properly report
the operation in all error paths.
MozReview-Commit-ID: FrRpicj5NF
--HG--
extra : rebase_source : 1410cdddcf1264dc1572f9b9b691f9d08a2061cf
I'm not adding a patch to security/sandbox/chromium-shim/patches for this,
because we need to get this fixed ASAP, certainly before we take another update.
Replace the boolean pref "security.sandbox.mac.flash.enabled"
with "dom.ipc.plugins.sandbox-level.flash" to support sandbox
levels and be consistent with the Windows pref name.
Adds filesystem read access to the sandbox using sandbox extensions
granted by the file dialog machinery (level 1).
Add support for level 2 which blocks read access.
Allow the sandbox to be disabled with MOZ_DISABLE_NPAPI_SANDBOX.
MozReview-Commit-ID: 4rfobEoxQpF
--HG--
extra : rebase_source : 05dc54b46063967e959bc3fced21c61e5463de48
Adds additional sysctls that are used by the Flash plugin process and alphabetize the list.
MozReview-Commit-ID: 7CaPtaKe874
--HG--
extra : rebase_source : 909228ef9617029eaf7cb16565751150cd1c7404
Remove access to DARWIN_USER_CACHE_DIR. Limit DARWIN_USER_TEMP_DIR
access to the FlashTmp subdirectory. Remove xattr read access to
~/Library/Caches/ and ~/Library/Preferences.
MozReview-Commit-ID: 9svk0BoxVXs
--HG--
extra : rebase_source : 5ea9c7ecc0189455eceb190fb300170d42d0b890
Replace the boolean pref "security.sandbox.mac.flash.enabled"
with "dom.ipc.plugins.sandbox-level.flash" to support sandbox
levels and be consistent with the Windows pref name.
Adds filesystem read access to the sandbox using sandbox extensions
granted by the file dialog machinery (level 1).
Add support for level 2 which blocks read access.
Allow the sandbox to be disabled with MOZ_DISABLE_NPAPI_SANDBOX.
MozReview-Commit-ID: 4rfobEoxQpF
--HG--
extra : rebase_source : 87f2f00867c4522ae3102abbc44fd05db63c7ec7
Adds additional sysctls that are used by the Flash plugin process and alphabetize the list.
MozReview-Commit-ID: 7CaPtaKe874
--HG--
extra : rebase_source : 078697987ac7fec77c75953035b924422fc93066
Remove access to DARWIN_USER_CACHE_DIR. Limit DARWIN_USER_TEMP_DIR
access to the FlashTmp subdirectory. Remove xattr read access to
~/Library/Caches/ and ~/Library/Preferences.
MozReview-Commit-ID: 9svk0BoxVXs
--HG--
extra : rebase_source : 669c4fa446c9cab6b32cf60091e91eae2d08625f
RenderDoc, a graphics debugging tool, uses a preload library that
creates a listening socket (Internet-domain) early in startup and
accepts connections from the frontend. If it's detected (via env vars),
we allow accept/accept4 (but not socket/bind/listen), and remain in
the parent process's network namespace so that other processes can
connect to the socket.
This doesn't change the sandbox policy if not running under RenderDoc.
MozReview-Commit-ID: 964RW4BFh4u
--HG--
extra : rebase_source : d4a954e68431d84fa2e0edea4171421a948794af
This is to support WebGL with hybrid graphics drivers that connect to
a secondary X server for GL (Primus and VirtualGL), without allowing
access to arbitrary sockets. In addition to local X11 connections,
Primus needs to connect to the Bumblebee daemon (otherwise it will exit
the calling process).
The broker support is limited to AF_UNIX, to non-datagram sockets (see
bug 1066750), and to pathname addresses. Abstract addresses could
theoretically be handled but there isn't currently a compelling reason
to, and the broker very much assumes it's dealing with a C-style string
referring to a filesystem path and not an arbitrary byte sequence
(including NULs).
At a higher level: If the GPU X server is remote then it won't work,
but it won't work anyway because WebGL requires features that aren't
supported by indirect GLX. If the GPU X server is local but the browser
is inside a chroot, it will fail to connect unless /tmp/.X11-unix is
bind-mounted into the chroot; hopefully this use case is not common.
MozReview-Commit-ID: IvI2jYDRZZ2
The SandboxLaunchPrepare currently bails out early if it detects a
lack of user namespaces. Hoist the check for drivers needing SysV
IPC up so it's done before that early exit, and the required env
variables get correctly set.
With this we no longer fail with a SIGSYS sandbox error, though
in a debug build we still crash because many assumptions in the
graphics stack get broken when that fails to initialize the driver
for WebGL.
MozReview-Commit-ID: 8n3Hx6VSjTF
--HG--
extra : rebase_source : 99bf2d25a7435b0eb95f186a00cc7723a196be4c
The X11 symbol interposition isn't enough, possibly because Cairo can
also use XCB. Interposing XCB is more difficult because the API exposes
more protocol details. Instead, just allow shmget to be called and
fail; this will tell Cairo that it can't use SysV IPC with the X server,
which is what we want.
MozReview-Commit-ID: 5y9tE7UXMTE
--HG--
extra : rebase_source : bb1e81116742a299bc4e412062327e69032ab3b3
Also covers fchownat() and attempts to be ready for newer archs like ARM64.
Bonus fix: extend bug 1354731 (mknod) fix to cover mknodat so this part
of the policy isn't glaringly inconsistent about "at" syscalls.
Tested locally by attaching gdb and injecting syscalls.
MozReview-Commit-ID: CCOk0jZVoG4
--HG--
extra : rebase_source : 1d0cafd9d91586eaec0233ff15b3bbb1ef7485f0
Adds MITIGATION_IMAGE_LOAD_NO_REMOTE and MITIGATION_IMAGE_LOAD_NO_LOW_LABEL to the plugin process if we aren't running from a networked drive. The same condition applies to these mitigations in the content process.
--HG--
extra : rebase_source : b61f91f3e56f6b4930a03331b7791a9173857518
Enables new process mitigations that have been included from Chromium upstream.
--HG--
extra : rebase_source : 8997bef9c6a6c660b39e68ebfabf90f4de162bca
With this change, the macOS content sandbox has no ability to create files
anywhere on disk (in release builds). If the content process needs a file to
write to, it needs to obtain a file descriptor from the parent process.
MozReview-Commit-ID: 7LoG1PW0UDR
--HG--
extra : rebase_source : 4ac0a7f187d45c9b6c0f8a658edfdae0509054ac
This fixes a mistake in bug 1401062: the termination signal was omitted,
so it's 0, and if it isn't exactly SIGCHLD, then a tracer/debugger will
receive PTRACE_EVENT_CLONE rather than PTRACE_EVENT_FORK. This causes
GDB to see the child process as a thread instead of a separate process,
and it becomes very confused after the process calls execve().
MozReview-Commit-ID: Baf2RFHVWRU
--HG--
extra : rebase_source : 50839967fc766bb9db123fe1af99a88495f8421b
This replaces the globals for whether socket calls (and ipc(2) calls, but
we never used that) have real arguments with a parameter, which in hindsight
should have been done in bug 1273852, which is when we started handling
both socketcall(2) and separate socket calls in the same policy. This
allows handling the two cases differently.
MozReview-Commit-ID: 1pfckmCpJlW
--HG--
extra : rebase_source : 4b8459f01e8748fea95cbcb6eeb689f01417ca5b
There are a few things that use SysV IPC, which we discovered the last
time we tried to do this, which need to be accomodated:
1. The ALSA dmix plugin; if the build has ALSA support (off by default)
and if audio remoting is disabled, SysV IPC is allowed.
2. ATI/AMD's old proprietary graphics driver (fglrx), which is obsolete
and doesn't support newer hardware, but still has users; if it's
detected, SysV IPC is allowed.
3. Graphics libraries trying to use the MIT-SHM extension; this is
already turned off for other reasons (see bug 1271100), but that shim
seems to not load early enough in some cases, so it's copied into
libmozsandbox, which is preloaded before anything else in LD_PRELOAD.
Also, msgget is now blocked in all cases; the only case it was known
to be used involved ESET antivirus, which is now handled specially
(bug 1362601). In any case, the seccomp-bpf policy has never allowed
actually *using* message queues, so creating them is not very useful.
MozReview-Commit-ID: 5bOOQcXFd9U
--HG--
extra : rebase_source : ea79c0a7e31f58f056be15b551c57dde974dfae2
This helps with getting the tests that are running out of /tmp
to pass, who get confused if their paths change underneath them.
It's also a bit faster.
MozReview-Commit-ID: CWtngVNhA0t
--HG--
extra : rebase_source : 1be7a99cd3640d15ddecd1c050d19d1b30e5202d
extra : histedit_source : 5787bfe610504356a04819039469083adf2ce77c
This may be required if people have @import in their userContent.css, and
in any case our tests check for this.
MozReview-Commit-ID: 8uJcWiC2rli
--HG--
extra : rebase_source : a93dfc2c62d3ac35dece87e4b4596cde761de207
extra : histedit_source : 455e6a79527226f398a861a72c1cfdef2c1761df