Bug 928042 - Add an environment variable to disable content processes sandboxing even when MOZ_CONTENT_SANDBOX is defined. r=aklotz

dom/ipc/ContentParent.cpp

@@ -1421,6 +1421,7 @@ ContentParent::ContentParent(mozIApplication* aApp,
     NS_ASSERTION(NS_IsMainThread(), "Wrong thread!");
     mSubprocess = new GeckoChildProcessHost(GeckoProcessType_Content,
                                             aOSPrivileges);
+    mSubprocess->SetSandboxEnabled(ShouldSandboxContentProcesses());
 
     IToplevelProtocol::SetTransport(mSubprocess->GetChannel());
 
@@ -3282,5 +3283,15 @@ ContentParent::ShouldContinueFromReplyTimeout()
   return false;
 }
 
+bool
+ContentParent::ShouldSandboxContentProcesses()
+{
+#ifdef MOZ_CONTENT_SANDBOX
+  return !PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX");
+#else
+  return true;
+#endif
+}
+
 } // namespace dom
 } // namespace mozilla

dom/ipc/ContentParent.h

@@ -220,6 +220,7 @@ protected:
     void OnNuwaForkTimeout();
 
     bool ShouldContinueFromReplyTimeout() MOZ_OVERRIDE;
+    bool ShouldSandboxContentProcesses();
 
 private:
     static nsDataHashtable<nsStringHashKey, ContentParent*> *sAppContentParents;

ipc/app/MozillaRuntimeMain.cpp

@@ -70,14 +70,16 @@ InitializeBinder(void *aDummy) {
 int
 main(int argc, char* argv[])
 {
-#ifdef MOZ_NUWA_PROCESS
     bool isNuwa = false;
+    bool isSandboxEnabled = false;
     for (int i = 1; i < argc; i++) {
-        if (strcmp(argv[i], "-nuwa") == 0) {
-            PrepareNuwaProcess();
-            isNuwa = true;
-            break;
-        }
+        isNuwa |= strcmp(argv[i], "-nuwa") == 0;
+        isSandboxEnabled |= strcmp(argv[i], "-sandbox") == 0;
+    }
+
+#ifdef MOZ_NUWA_PROCESS
+    if (isNuwa) {
+        PrepareNuwaProcess();
     }
 #endif
 
@@ -99,19 +101,21 @@ main(int argc, char* argv[])
 #endif
 
 #if defined(XP_WIN) && defined(MOZ_CONTENT_SANDBOX)
-    sandbox::TargetServices* target_service =
-        sandbox::SandboxFactory::GetTargetServices();
-    if (!target_service) {
-        return 1;
-    }
+    if (isSandboxEnabled) {
+        sandbox::TargetServices* target_service =
+            sandbox::SandboxFactory::GetTargetServices();
+        if (!target_service) {
+            return 1;
+        }
 
-    sandbox::ResultCode result = target_service->Init();
-    if (result != sandbox::SBOX_ALL_OK) {
-        return 2;
-    }
+        sandbox::ResultCode result = target_service->Init();
+        if (result != sandbox::SBOX_ALL_OK) {
+            return 2;
+        }
 
-    // Initialization is finished, switch to the lowered token
-    target_service->LowerToken();
+        // Initialization is finished, switch to the lowered token
+        target_service->LowerToken();
+    }
 #endif
 
     // Check for the absolute minimum number of args we need to move

ipc/glue/GeckoChildProcessHost.cpp

@@ -87,6 +87,7 @@ GeckoChildProcessHost::GeckoChildProcessHost(GeckoProcessType aProcessType,
                                              ChildPrivileges aPrivileges)
   : ChildProcessHost(RENDER_PROCESS), // FIXME/cjones: we should own this enum
     mProcessType(aProcessType),
+    mSandboxEnabled(true),
     mPrivileges(aPrivileges),
     mMonitor("mozilla.ipc.GeckChildProcessHost.mMonitor"),
     mProcessState(CREATING_CHANNEL),
@@ -739,6 +740,13 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
     }
   }
 
+#if defined(XP_WIN) && defined(MOZ_CONTENT_SANDBOX)
+  if (mSandboxEnabled) {
+    // Tell the process that it should lower its rights after initialization.
+    cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
+  }
+#endif
+
   // Add the application directory path (-appdir path)
   AddAppDirToCommandLine(cmdLine);
 
@@ -761,14 +769,17 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
   cmdLine.AppendLooseValue(UTF8ToWide(childProcessType));
 
 #if defined(XP_WIN) && defined(MOZ_CONTENT_SANDBOX)
-  mozilla::SandboxBroker sandboxBroker;
-  sandboxBroker.LaunchApp(cmdLine.program().c_str(),
-                          cmdLine.command_line_string().c_str(),
-                          &process);
-#else
-  base::LaunchApp(cmdLine, false, false, &process);
-#endif
+  if (mSandboxEnabled) {
 
+    mozilla::SandboxBroker sandboxBroker;
+    sandboxBroker.LaunchApp(cmdLine.program().c_str(),
+                            cmdLine.command_line_string().c_str(),
+                            &process);
+  } else
+#endif
+  {
+    base::LaunchApp(cmdLine, false, false, &process);
+  }
 
 #else
 #  error Sorry

ipc/glue/GeckoChildProcessHost.h

@@ -123,11 +123,17 @@ public:
    */
   void Join();
 
+  void SetSandboxEnabled(bool aSandboxEnabled) {
+    mSandboxEnabled = aSandboxEnabled;
+  }
+
 protected:
   GeckoProcessType mProcessType;
+  bool mSandboxEnabled;
   ChildPrivileges mPrivileges;
   Monitor mMonitor;
   FilePath mProcessPath;
+
   // This value must be accessed while holding mMonitor.
   enum {
     // This object has been constructed, but the OS process has not