mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1731890 - Adding Utility process with basic sandbox r=agi,nika,bobowen 

Differential Revision: https://phabricator.services.mozilla.com/D126297
This commit is contained in:
Alexandre Lissy 2022-01-12 20:52:58 +00:00
Родитель c57f789bf4
Коммит 161f130b0a
67 изменённых файлов: 2173 добавлений и 36 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

1
dom/chrome-webidl/ChromeUtils.webidl
Просмотреть файл

@ -632,6 +632,7 @@ enum WebIDLProcType {
#ifdef MOZ_ENABLE_FORKSERVER
"forkServer",
#endif
"utility",
"preallocated",
"unknown",
};

17
ipc/glue/GeckoChildProcessHost.cpp
Просмотреть файл

@ -89,6 +89,8 @@
# include "nsMacUtilsImpl.h"
#endif
#include "mozilla/ipc/UtilityProcessHost.h"
#include "nsClassHashtable.h"
#include "nsHashKeys.h"
#include "nsNativeCharsetUtils.h"
@ -159,6 +161,7 @@ class BaseProcessLauncher {
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
mAllowedFilesRead(aHost->mAllowedFilesRead),
mSandboxLevel(aHost->mSandboxLevel),
mSandbox(aHost->mSandbox),
mIsFileContent(aHost->mIsFileContent),
mEnableSandboxLogging(aHost->mEnableSandboxLogging),
#endif
@ -219,6 +222,7 @@ class BaseProcessLauncher {
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
std::vector<std::wstring> mAllowedFilesRead;
int32_t mSandboxLevel;
SandboxingKind mSandbox;
bool mIsFileContent;
bool mEnableSandboxLogging;
#endif
@ -1447,6 +1451,15 @@ bool WindowsProcessLauncher::DoSetup() {
mUseSandbox = true;
}
break;
case GeckoProcessType_Utility:
if (!PR_GetEnv("MOZ_DISABLE_UTILITY_SANDBOX")) {
if (!mResults.mSandboxBroker->SetSecurityLevelForUtilityProcess(
mSandbox)) {
return false;
}
mUseSandbox = true;
}
break;
case GeckoProcessType_RemoteSandboxBroker:
// We don't sandbox the sandbox launcher...
break;
@ -1722,9 +1735,13 @@ bool GeckoChildProcessHost::StartMacSandbox(int aArgc, char** aArgv,
case GeckoProcessType_GMPlugin:
sandboxType = gmp::GMPProcessParent::GetMacSandboxType();
break;
case GeckoProcessType_Utility:
sandboxType = ipc::UtilityProcessHost::GetMacSandboxType();
break;
default:
return true;
}
return mozilla::StartMacSandboxIfEnabled(sandboxType, aArgc, aArgv,
aErrorMessage);
}

8
ipc/glue/GeckoChildProcessHost.h
Просмотреть файл

@ -39,6 +39,10 @@
# include "mozilla/Sandbox.h"
#endif
#if defined(MOZ_SANDBOX)
# include "mozilla/ipc/UtilityProcessSandboxing.h"
#endif
struct _MacSandboxInfo;
typedef _MacSandboxInfo MacSandboxInfo;
@ -233,6 +237,10 @@ class GeckoChildProcessHost : public ChildProcessHost,
# endif
#endif // XP_WIN
#if defined(MOZ_SANDBOX)
SandboxingKind mSandbox;
#endif
ProcessHandle mChildProcessHandle;
#if defined(OS_MACOSX)
task_t mChildTask;

52
ipc/glue/PUtilityProcess.ipdl Normal file
Просмотреть файл

@ -0,0 +1,52 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
include MemoryReportTypes;
include PrefsTypes;
include protocol PProfiler;
#if defined(MOZ_SANDBOX) && defined(MOZ_DEBUG) && defined(ENABLE_TESTS)
include protocol PSandboxTesting;
#endif
using mozilla::dom::NativeThreadId from "mozilla/dom/NativeThreadId.h";
namespace mozilla {
namespace ipc {
// This protocol allows the UI process to talk to the Utility process. There is
// one instance of this protocol, with the UtilityProcessParent living on the main thread
// of the Utility process and the UtilityProcessChild living on the main thread of the UI
// process.
[RefCounted, NeedsOtherPid] protocol PUtilityProcess
{
parent:
async InitCrashReporter(NativeThreadId threadId);
async AddMemoryReport(MemoryReport aReport);
child:
async Init(FileDescriptor? sandboxBroker, bool canRecordReleaseTelemetry);
async InitProfiler(Endpoint<PProfilerChild> endpoint);
async RequestMemoryReport(uint32_t generation,
bool anonymize,
bool minimizeMemoryUsage,
FileDescriptor? DMDFile)
returns (uint32_t aGeneration);
async PreferenceUpdate(Pref pref);
#if defined(MOZ_SANDBOX) && defined(MOZ_DEBUG) && defined(ENABLE_TESTS)
async InitSandboxTesting(Endpoint<PSandboxTestingChild> aEndpoint);
#endif
};
} // namespace ipc
} // namespace mozilla

207
ipc/glue/UtilityProcessChild.cpp Normal file
Просмотреть файл

@ -0,0 +1,207 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "UtilityProcessChild.h"
#include "mozilla/ipc/UtilityProcessManager.h"
#include "mozilla/ipc/UtilityProcessSandboxing.h"
#include "mozilla/dom/ContentParent.h"
#include "mozilla/dom/MemoryReportRequest.h"
#include "mozilla/ipc/CrashReporterClient.h"
#include "mozilla/ipc/Endpoint.h"
#include "mozilla/Preferences.h"
#if defined(XP_LINUX) && defined(MOZ_SANDBOX)
# include "mozilla/Sandbox.h"
#endif
#if defined(MOZ_SANDBOX) && defined(MOZ_DEBUG) && defined(ENABLE_TESTS)
# include "mozilla/SandboxTestingChild.h"
#endif
#include "mozilla/Telemetry.h"
#if defined(XP_WIN)
# include "mozilla/WinDllServices.h"
#endif
#include "nsDebugImpl.h"
#include "nsThreadManager.h"
#include "mozilla/ipc/ProcessChild.h"
namespace mozilla::ipc {
using namespace layers;
static StaticRefPtr<UtilityProcessChild> sUtilityProcessChild;
UtilityProcessChild::UtilityProcessChild() {
nsDebugImpl::SetMultiprocessMode("Utility");
sUtilityProcessChild = this;
}
UtilityProcessChild::~UtilityProcessChild() = default;
/* static */
RefPtr<UtilityProcessChild> UtilityProcessChild::GetSingleton() {
if (!sUtilityProcessChild) {
sUtilityProcessChild = new UtilityProcessChild();
}
return sUtilityProcessChild;
}
/* static */
RefPtr<UtilityProcessChild> UtilityProcessChild::Get() {
return sUtilityProcessChild;
}
bool UtilityProcessChild::Init(base::ProcessId aParentPid,
const nsCString& aParentBuildID,
uint64_t aSandboxingKind,
mozilla::ipc::ScopedPort aPort) {
MOZ_ASSERT(NS_IsMainThread());
// Initialize the thread manager before starting IPC. Otherwise, messages
// may be posted to the main thread and we won't be able to process them.
if (NS_WARN_IF(NS_FAILED(nsThreadManager::get().Init()))) {
return false;
}
// Now it's safe to start IPC.
if (NS_WARN_IF(!Open(std::move(aPort), aParentPid))) {
return false;
}
// This must be checked before any IPDL message, which may hit sentinel
// errors due to parent and content processes having different
// versions.
MessageChannel* channel = GetIPCChannel();
if (channel && !channel->SendBuildIDsMatchMessage(aParentBuildID.get())) {
// We need to quit this process if the buildID doesn't match the parent's.
// This can occur when an update occurred in the background.
ipc::ProcessChild::QuickExit();
}
// Init crash reporter support.
ipc::CrashReporterClient::InitSingleton(this);
if (NS_FAILED(NS_InitMinimalXPCOM())) {
return false;
}
mSandbox = (SandboxingKind)aSandboxingKind;
mozilla::ipc::SetThisProcessName("Utility Process");
return true;
}
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
extern "C" {
void CGSShutdownServerConnections();
};
#endif
mozilla::ipc::IPCResult UtilityProcessChild::RecvInit(
const Maybe<FileDescriptor>& aBrokerFd,
const bool& aCanRecordReleaseTelemetry) {
#if defined(MOZ_SANDBOX)
# if defined(XP_MACOSX)
// Close all current connections to the WindowServer. This ensures that the
// Activity Monitor will not label the content process as "Not responding"
// because it's not running a native event loop. See bug 1384336.
CGSShutdownServerConnections();
# elif defined(XP_LINUX)
int fd = -1;
if (aBrokerFd.isSome()) {
fd = aBrokerFd.value().ClonePlatformHandle().release();
}
SetUtilitySandbox(fd, mSandbox);
# endif // XP_MACOSX/XP_LINUX
#endif // MOZ_SANDBOX
#if defined(XP_WIN)
if (aCanRecordReleaseTelemetry) {
RefPtr<DllServices> dllSvc(DllServices::Get());
dllSvc->StartUntrustedModulesProcessor();
}
#endif // defined(XP_WIN)
return IPC_OK();
}
mozilla::ipc::IPCResult UtilityProcessChild::RecvPreferenceUpdate(
const Pref& aPref) {
Preferences::SetPreference(aPref);
return IPC_OK();
}
mozilla::ipc::IPCResult UtilityProcessChild::RecvInitProfiler(
Endpoint<PProfilerChild>&& aEndpoint) {
mProfilerController = ChildProfilerController::Create(std::move(aEndpoint));
return IPC_OK();
}
mozilla::ipc::IPCResult UtilityProcessChild::RecvRequestMemoryReport(
const uint32_t& aGeneration, const bool& aAnonymize,
const bool& aMinimizeMemoryUsage, const Maybe<FileDescriptor>& aDMDFile,
const RequestMemoryReportResolver& aResolver) {
nsPrintfCString processName("Utility (pid %u)", base::GetCurrentProcId());
mozilla::dom::MemoryReportRequestClient::Start(
aGeneration, aAnonymize, aMinimizeMemoryUsage, aDMDFile, processName,
[&](const MemoryReport& aReport) {
Unused << GetSingleton()->SendAddMemoryReport(aReport);
},
aResolver);
return IPC_OK();
}
#if defined(MOZ_SANDBOX) && defined(MOZ_DEBUG) && defined(ENABLE_TESTS)
mozilla::ipc::IPCResult UtilityProcessChild::RecvInitSandboxTesting(
Endpoint<PSandboxTestingChild>&& aEndpoint) {
if (!SandboxTestingChild::Initialize(std::move(aEndpoint))) {
return IPC_FAIL(
this, "InitSandboxTesting failed to initialise the child process.");
}
return IPC_OK();
}
#endif
void UtilityProcessChild::ActorDestroy(ActorDestroyReason aWhy) {
if (AbnormalShutdown == aWhy) {
NS_WARNING("Shutting down Utility process early due to a crash!");
ipc::ProcessChild::QuickExit();
}
#ifndef NS_FREE_PERMANENT_DATA
ProcessChild::QuickExit();
#else
if (mProfilerController) {
mProfilerController->Shutdown();
mProfilerController = nullptr;
}
# if defined(XP_WIN)
{
RefPtr<DllServices> dllSvc(DllServices::Get());
dllSvc->DisableFull();
}
# endif // defined(XP_WIN)
if (sUtilityProcessChild) {
sUtilityProcessChild = nullptr;
}
ipc::CrashReporterClient::DestroySingleton();
XRE_ShutdownChildProcess();
#endif // NS_FREE_PERMANENT_DATA
}
} // namespace mozilla::ipc

61
ipc/glue/UtilityProcessChild.h Normal file
Просмотреть файл

@ -0,0 +1,61 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _include_ipc_glue_UtilityProcessChild_h_
#define _include_ipc_glue_UtilityProcessChild_h_
#include "mozilla/ipc/PUtilityProcessChild.h"
#include "mozilla/ipc/UtilityProcessSandboxing.h"
#include "mozilla/UniquePtr.h"
#include "ChildProfilerController.h"
namespace mozilla::ipc {
class UtilityProcessHost;
class UtilityProcessChild final : public PUtilityProcessChild {
public:
NS_INLINE_DECL_THREADSAFE_REFCOUNTING(UtilityProcessChild, override);
UtilityProcessChild();
static RefPtr<UtilityProcessChild> GetSingleton();
static RefPtr<UtilityProcessChild> Get();
SandboxingKind mSandbox{};
bool Init(base::ProcessId aParentPid, const nsCString& aParentBuildID,
uint64_t aSandboxingKind, mozilla::ipc::ScopedPort aPort);
mozilla::ipc::IPCResult RecvInit(const Maybe<ipc::FileDescriptor>& aBrokerFd,
const bool& aCanRecordReleaseTelemetry);
mozilla::ipc::IPCResult RecvInitProfiler(
Endpoint<PProfilerChild>&& aEndpoint);
mozilla::ipc::IPCResult RecvPreferenceUpdate(const Pref& pref);
mozilla::ipc::IPCResult RecvRequestMemoryReport(
const uint32_t& generation, const bool& anonymize,
const bool& minimizeMemoryUsage,
const Maybe<ipc::FileDescriptor>& DMDFile,
const RequestMemoryReportResolver& aResolver);
void ActorDestroy(ActorDestroyReason aWhy) override;
#if defined(MOZ_SANDBOX) && defined(MOZ_DEBUG) && defined(ENABLE_TESTS)
mozilla::ipc::IPCResult RecvInitSandboxTesting(
Endpoint<PSandboxTestingChild>&& aEndpoint);
#endif
protected:
friend class UtilityProcessImpl;
~UtilityProcessChild();
private:
RefPtr<ChildProfilerController> mProfilerController;
};
} // namespace mozilla::ipc
#endif // _include_ipc_glue_UtilityProcessChild_h_

338
ipc/glue/UtilityProcessHost.cpp Normal file
Просмотреть файл

@ -0,0 +1,338 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "UtilityProcessHost.h"
#include "mozilla/ipc/Endpoint.h"
#include "mozilla/ipc/UtilityProcessManager.h"
#include "mozilla/Telemetry.h"
#include "chrome/common/process_watcher.h"
#include "mozilla/Preferences.h"
#include "mozilla/StaticPrefs_general.h"
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
# include "mozilla/Sandbox.h"
#endif
#if defined(XP_LINUX) && defined(MOZ_SANDBOX)
# include "mozilla/SandboxBrokerPolicyFactory.h"
#endif
#include "ProfilerParent.h"
#include "mozilla/PProfilerChild.h"
namespace mozilla::ipc {
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
bool UtilityProcessHost::sLaunchWithMacSandbox = false;
#endif
UtilityProcessHost::UtilityProcessHost(SandboxingKind aSandbox,
RefPtr<Listener> aListener)
: GeckoChildProcessHost(GeckoProcessType_Utility),
mListener(std::move(aListener)),
mLiveToken(new media::Refcountable<bool>(true)) {
MOZ_COUNT_CTOR(UtilityProcessHost);
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
if (!sLaunchWithMacSandbox) {
sLaunchWithMacSandbox =
(PR_GetEnv("MOZ_DISABLE_UTILITY_SANDBOX") == nullptr);
}
mDisableOSActivityMode = sLaunchWithMacSandbox;
#endif
#if defined(MOZ_SANDBOX)
mSandbox = aSandbox;
#endif
}
UtilityProcessHost::~UtilityProcessHost() {
MOZ_COUNT_DTOR(UtilityProcessHost);
}
bool UtilityProcessHost::Launch(StringVector aExtraOpts) {
MOZ_ASSERT(NS_IsMainThread());
MOZ_ASSERT(mLaunchPhase == LaunchPhase::Unlaunched);
MOZ_ASSERT(!mUtilityProcessParent);
mPrefSerializer = MakeUnique<ipc::SharedPreferenceSerializer>();
if (!mPrefSerializer->SerializeToSharedMemory()) {
return false;
}
mPrefSerializer->AddSharedPrefCmdLineArgs(*this, aExtraOpts);
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
mSandboxLevel = Preferences::GetInt("security.sandbox.utility.level");
#endif
mLaunchPhase = LaunchPhase::Waiting;
int32_t timeoutMs = StaticPrefs::general_utility_process_startup_timeout_ms();
// If one of the following environment variables are set we can
// effectively ignore the timeout - as we can guarantee the Utility
// process will be terminated
if (PR_GetEnv("MOZ_DEBUG_CHILD_PROCESS") ||
PR_GetEnv("MOZ_DEBUG_CHILD_PAUSE")) {
timeoutMs = 0;
}
if (timeoutMs) {
// We queue a delayed task. If that task runs before the
// WhenProcessHandleReady promise gets resolved, we will abort the launch.
GetMainThreadSerialEventTarget()->DelayedDispatch(
NS_NewRunnableFunction(
"UtilityProcessHost::Launchtimeout",
[this, liveToken = mLiveToken]() {
if (!*liveToken || mTimerChecked) {
// We have been deleted or the runnable has already started, we
// can abort.
return;
}
InitAfterConnect(false);
MOZ_ASSERT(mTimerChecked,
"InitAfterConnect must have acted on the promise");
}),
timeoutMs);
}
if (!GeckoChildProcessHost::AsyncLaunch(aExtraOpts)) {
NS_WARNING("UtilityProcess AsyncLaunch failed, aborting.");
mLaunchPhase = LaunchPhase::Complete;
mPrefSerializer = nullptr;
return false;
}
return true;
}
RefPtr<GenericNonExclusivePromise> UtilityProcessHost::LaunchPromise() {
MOZ_ASSERT(NS_IsMainThread());
if (mLaunchPromise) {
return mLaunchPromise;
}
mLaunchPromise = MakeRefPtr<GenericNonExclusivePromise::Private>(__func__);
WhenProcessHandleReady()->Then(
GetCurrentSerialEventTarget(), __func__,
[this, liveToken = mLiveToken](
const ipc::ProcessHandlePromise::ResolveOrRejectValue& aResult) {
if (!*liveToken) {
// The UtilityProcessHost got deleted. Abort. The promise would have
// already been rejected.
return;
}
if (mTimerChecked) {
// We hit the timeout earlier, abort.
return;
}
mTimerChecked = true;
if (aResult.IsReject()) {
RejectPromise();
}
// If aResult.IsResolve() then we have succeeded in launching the
// Utility process. The promise will be resolved once the channel has
// connected (or failed to) later.
});
return mLaunchPromise;
}
void UtilityProcessHost::OnChannelConnected(int32_t peer_pid) {
MOZ_ASSERT(!NS_IsMainThread());
GeckoChildProcessHost::OnChannelConnected(peer_pid);
NS_DispatchToMainThread(NS_NewRunnableFunction(
"UtilityProcessHost::OnChannelConnected",
[this, liveToken = mLiveToken]() {
if (*liveToken && mLaunchPhase == LaunchPhase::Waiting) {
InitAfterConnect(true);
}
}));
}
void UtilityProcessHost::OnChannelError() {
MOZ_ASSERT(!NS_IsMainThread());
GeckoChildProcessHost::OnChannelError();
NS_DispatchToMainThread(NS_NewRunnableFunction(
"UtilityProcessHost::OnChannelError", [this, liveToken = mLiveToken]() {
if (*liveToken && mLaunchPhase == LaunchPhase::Waiting) {
InitAfterConnect(false);
}
}));
}
void UtilityProcessHost::InitAfterConnect(bool aSucceeded) {
MOZ_ASSERT(NS_IsMainThread());
MOZ_ASSERT(mLaunchPhase == LaunchPhase::Waiting);
MOZ_ASSERT(!mUtilityProcessParent);
mLaunchPhase = LaunchPhase::Complete;
if (!aSucceeded) {
RejectPromise();
return;
}
mUtilityProcessParent = MakeRefPtr<UtilityProcessParent>(this);
DebugOnly<bool> rv = mUtilityProcessParent->Open(
TakeInitialPort(), base::GetProcId(GetChildProcessHandle()));
MOZ_ASSERT(rv);
// Only clear mPrefSerializer in the success case to avoid a
// possible race in the case case of a timeout on Windows launch.
// See Bug 1555076 comment 7:
// https://bugzilla.mozilla.org/show_bug.cgi?id=1555076#c7
mPrefSerializer = nullptr;
Maybe<FileDescriptor> brokerFd;
#if defined(XP_LINUX) && defined(MOZ_SANDBOX)
UniquePtr<SandboxBroker::Policy> policy;
switch (mSandbox) {
case SandboxingKind::GENERIC_UTILITY:
policy = SandboxBrokerPolicyFactory::GetUtilityProcessPolicy(
GetActor()->OtherPid());
break;
default:
MOZ_ASSERT(false, "Invalid SandboxingKind");
break;
}
if (policy != nullptr) {
brokerFd = Some(FileDescriptor());
mSandboxBroker = SandboxBroker::Create(
std::move(policy), GetActor()->OtherPid(), brokerFd.ref());
// This is unlikely to fail and probably indicates OS resource
// exhaustion, but we can at least try to recover.
Unused << NS_WARN_IF(mSandboxBroker == nullptr);
MOZ_ASSERT(brokerFd.ref().IsValid());
}
#endif // XP_LINUX && MOZ_SANDBOX
Unused << GetActor()->SendInit(brokerFd, Telemetry::CanRecordReleaseData());
Unused << GetActor()->SendInitProfiler(
ProfilerParent::CreateForProcess(GetActor()->OtherPid()));
ResolvePromise();
}
void UtilityProcessHost::Shutdown() {
MOZ_ASSERT(NS_IsMainThread());
MOZ_ASSERT(!mShutdownRequested);
RejectPromise();
if (mUtilityProcessParent) {
// OnChannelClosed uses this to check if the shutdown was expected or
// unexpected.
mShutdownRequested = true;
// The channel might already be closed if we got here unexpectedly.
if (!mChannelClosed) {
mUtilityProcessParent->Close();
}
#ifndef NS_FREE_PERMANENT_DATA
// No need to communicate shutdown, the Utility process doesn't need to
// communicate anything back.
KillHard("NormalShutdown");
#endif
// If we're shutting down unexpectedly, we're in the middle of handling an
// ActorDestroy for PUtilityProcessParent, which is still on the stack.
// We'll return back to OnChannelClosed.
//
// Otherwise, we'll wait for OnChannelClose to be called whenever
// PUtilityProcessParent acknowledges shutdown.
return;
}
DestroyProcess();
}
void UtilityProcessHost::OnChannelClosed() {
MOZ_ASSERT(NS_IsMainThread());
mChannelClosed = true;
RejectPromise();
if (!mShutdownRequested && mListener) {
// This is an unclean shutdown. Notify our listener that we're going away.
mListener->OnProcessUnexpectedShutdown(this);
} else {
DestroyProcess();
}
// Release the actor.
UtilityProcessParent::Destroy(std::move(mUtilityProcessParent));
}
void UtilityProcessHost::KillHard(const char* aReason) {
MOZ_ASSERT(NS_IsMainThread());
ProcessHandle handle = GetChildProcessHandle();
if (!base::KillProcess(handle, base::PROCESS_END_KILLED_BY_USER, false)) {
NS_WARNING("failed to kill subprocess!");
}
SetAlreadyDead();
}
void UtilityProcessHost::DestroyProcess() {
MOZ_ASSERT(NS_IsMainThread());
RejectPromise();
// Any pending tasks will be cancelled from now on.
*mLiveToken = false;
NS_DispatchToMainThread(
NS_NewRunnableFunction("DestroyProcessRunnable", [this] { Destroy(); }));
}
void UtilityProcessHost::ResolvePromise() {
MOZ_ASSERT(NS_IsMainThread());
if (!mLaunchPromiseSettled) {
mLaunchPromise->Resolve(true, __func__);
mLaunchPromiseSettled = true;
}
// We have already acted on the promise; the timeout runnable no longer needs
// to interrupt anything.
mTimerChecked = true;
}
void UtilityProcessHost::RejectPromise() {
MOZ_ASSERT(NS_IsMainThread());
if (!mLaunchPromiseSettled) {
mLaunchPromise->Reject(NS_ERROR_FAILURE, __func__);
mLaunchPromiseSettled = true;
}
// We have already acted on the promise; the timeout runnable no longer needs
// to interrupt anything.
mTimerChecked = true;
}
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
bool UtilityProcessHost::FillMacSandboxInfo(MacSandboxInfo& aInfo) {
GeckoChildProcessHost::FillMacSandboxInfo(aInfo);
if (!aInfo.shouldLog && PR_GetEnv("MOZ_SANDBOX_UTILITY_LOGGING")) {
aInfo.shouldLog = true;
}
return true;
}
/* static */
MacSandboxType UtilityProcessHost::GetMacSandboxType() {
return MacSandboxType_Utility;
}
#endif
} // namespace mozilla::ipc

160
ipc/glue/UtilityProcessHost.h Normal file
Просмотреть файл

@ -0,0 +1,160 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _include_ipc_glue_UtilityProcessHost_h_
#define _include_ipc_glue_UtilityProcessHost_h_
#include "mozilla/UniquePtr.h"
#include "mozilla/ipc/UtilityProcessParent.h"
#include "mozilla/ipc/UtilityProcessSandboxing.h"
#include "mozilla/ipc/GeckoChildProcessHost.h"
#include "mozilla/ipc/ProtocolUtils.h"
#include "mozilla/media/MediaUtils.h"
#include "mozilla/ipc/ProcessUtils.h"
#if defined(XP_LINUX) && defined(MOZ_SANDBOX)
# include "mozilla/SandboxBroker.h"
#endif
namespace mozilla::ipc {
class UtilityProcessParent;
// UtilityProcessHost is the "parent process" container for a subprocess handle
// and IPC connection. It owns the parent process IPDL actor, which in this
// case, is a UtilityChild.
//
// UtilityProcessHosts are allocated and managed by UtilityProcessManager.
class UtilityProcessHost final : public mozilla::ipc::GeckoChildProcessHost {
friend class UtilityProcessParent;
public:
class Listener {
protected:
virtual ~Listener() = default;
public:
NS_INLINE_DECL_THREADSAFE_REFCOUNTING(UtilityProcessHost::Listener);
// The UtilityProcessHost has unexpectedly shutdown or had its connection
// severed. This is not called if an error occurs after calling
// Shutdown().
virtual void OnProcessUnexpectedShutdown(UtilityProcessHost* aHost) {}
};
explicit UtilityProcessHost(SandboxingKind aSandbox,
RefPtr<Listener> listener);
// Launch the subprocess asynchronously. On failure, false is returned.
// Otherwise, true is returned. If succeeded, a follow-up call should be made
// to LaunchPromise() which will return a promise that will be resolved once
// the Utility process has launched and a channel has been established.
//
// @param aExtraOpts (StringVector)
// Extra options to pass to the subprocess.
bool Launch(StringVector aExtraOpts);
// Return a promise that will be resolved once the process has completed its
// launch. The promise will be immediately resolved if the launch has already
// succeeded.
RefPtr<GenericNonExclusivePromise> LaunchPromise();
// Inform the process that it should clean up its resources and shut
// down. This initiates an asynchronous shutdown sequence. After this
// method returns, it is safe for the caller to forget its pointer to
// the UtilityProcessHost.
//
// After this returns, the attached Listener is no longer used.
void Shutdown();
// Return the actor for the top-level actor of the process. If the process
// has not connected yet, this returns null.
UtilityProcessParent* GetActor() const {
MOZ_ASSERT(NS_IsMainThread());
return mUtilityProcessParent.get();
}
bool IsConnected() const {
MOZ_ASSERT(NS_IsMainThread());
return bool(mUtilityProcessParent);
}
// Called on the IO thread.
void OnChannelConnected(int32_t peer_pid) override;
void OnChannelError() override;
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
// Return the sandbox type to be used with this process type.
static MacSandboxType GetMacSandboxType();
#endif
private:
~UtilityProcessHost();
// Called on the main thread with true after a connection has been established
// or false if it failed (including if it failed before the timeout kicked in)
void InitAfterConnect(bool aSucceeded);
// Called on the main thread when the mUtilityProcessParent actor is shutting
// down.
void OnChannelClosed();
// Kill the remote process, triggering IPC shutdown.
void KillHard(const char* aReason);
void DestroyProcess();
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
static bool sLaunchWithMacSandbox;
// Sandbox the Utility process at launch for all instances
bool IsMacSandboxLaunchEnabled() override { return sLaunchWithMacSandbox; }
// Override so we can turn on Utility process-specific sandbox logging
bool FillMacSandboxInfo(MacSandboxInfo& aInfo) override;
#endif
DISALLOW_COPY_AND_ASSIGN(UtilityProcessHost);
RefPtr<Listener> mListener;
// All members below are only ever accessed on the main thread.
enum class LaunchPhase { Unlaunched, Waiting, Complete };
LaunchPhase mLaunchPhase = LaunchPhase::Unlaunched;
RefPtr<UtilityProcessParent> mUtilityProcessParent;
UniquePtr<ipc::SharedPreferenceSerializer> mPrefSerializer{};
bool mShutdownRequested = false;
bool mChannelClosed = false;
void RejectPromise();
void ResolvePromise();
// Set to true on construction and to false just prior deletion.
// The UtilityProcessHost isn't refcounted; so we can capture this by value in
// lambdas along with a strong reference to mLiveToken and check if that value
// is true before accessing "this".
// While a reference to mLiveToken can be taken on any thread; its value can
// only be read or written on the main thread.
const RefPtr<media::Refcountable<bool>> mLiveToken;
RefPtr<GenericNonExclusivePromise::Private> mLaunchPromise{};
bool mLaunchPromiseSettled = false;
// Will be set to true if we've exceeded the allowed startup time or if the
// Utility process as successfully started. This is used to determine if the
// timeout runnable needs to execute code or not.
bool mTimerChecked = false;
#if defined(XP_LINUX) && defined(MOZ_SANDBOX)
UniquePtr<SandboxBroker> mSandboxBroker{};
#endif
};
} // namespace mozilla::ipc
#endif // _include_ipc_glue_UtilityProcessHost_h_

57
ipc/glue/UtilityProcessImpl.cpp Normal file
Просмотреть файл

@ -0,0 +1,57 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "UtilityProcessImpl.h"
#include "mozilla/ipc/IOThreadChild.h"
#include "mozilla/GeckoArgs.h"
#if defined(OS_WIN) && defined(MOZ_SANDBOX)
# include "mozilla/sandboxTarget.h"
#endif
namespace mozilla::ipc {
UtilityProcessImpl::UtilityProcessImpl(ProcessId aParentPid)
: ProcessChild(aParentPid) {
mUtility = new UtilityProcessChild();
}
UtilityProcessImpl::~UtilityProcessImpl() { mUtility = nullptr; }
bool UtilityProcessImpl::Init(int aArgc, char* aArgv[]) {
#if defined(MOZ_SANDBOX) && defined(OS_WIN)
mozilla::SandboxTarget::Instance()->StartSandbox();
#endif
Maybe<const char*> parentBuildID =
geckoargs::sParentBuildID.Get(aArgc, aArgv);
if (parentBuildID.isNothing()) {
return false;
}
Maybe<uint64_t> sandboxingKind = geckoargs::sSandboxingKind.Get(aArgc, aArgv);
if (sandboxingKind.isNothing()) {
return false;
}
// This checks needs to be kept in sync with SandboxingKind enum living in
// ipc/glue/UtilityProcessSandboxing.h
if (*sandboxingKind < SandboxingKind::GENERIC_UTILITY ||
*sandboxingKind > SandboxingKind::GENERIC_UTILITY) {
return false;
}
if (!ProcessChild::InitPrefs(aArgc, aArgv)) {
return false;
}
return mUtility->Init(ParentPid(), nsCString(*parentBuildID), *sandboxingKind,
IOThreadChild::TakeInitialPort());
}
void UtilityProcessImpl::CleanUp() { NS_ShutdownXPCOM(nullptr); }
} // namespace mozilla::ipc

41
ipc/glue/UtilityProcessImpl.h Normal file
Просмотреть файл

@ -0,0 +1,41 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _include_ipc_glue_UtilityProcessImpl_h__
#define _include_ipc_glue_UtilityProcessImpl_h__
#include "mozilla/ipc/ProcessChild.h"
#if defined(XP_WIN)
# include "mozilla/mscom/ProcessRuntime.h"
#endif
#include "mozilla/ipc/UtilityProcessChild.h"
namespace mozilla::ipc {
// This class owns the subprocess instance of a PUtilityProcess - which in this
// case, is a UtilityProcessParent. It is instantiated as a singleton in
// XRE_InitChildProcess.
class UtilityProcessImpl final : public ipc::ProcessChild {
public:
explicit UtilityProcessImpl(ProcessId aParentPid);
~UtilityProcessImpl();
bool Init(int aArgc, char* aArgv[]) override;
void CleanUp() override;
private:
RefPtr<UtilityProcessChild> mUtility;
DISALLOW_COPY_AND_ASSIGN(UtilityProcessImpl);
#if defined(XP_WIN)
// This object initializes and configures COM.
mozilla::mscom::ProcessRuntime mCOMRuntime;
#endif
};
} // namespace mozilla::ipc
#endif // _include_ipc_glue_UtilityProcessImpl_h__

293
ipc/glue/UtilityProcessManager.cpp Normal file
Просмотреть файл

@ -0,0 +1,293 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "UtilityProcessManager.h"
#include "mozilla/ipc/UtilityProcessHost.h"
#include "mozilla/MemoryReportingProcess.h"
#include "mozilla/Preferences.h"
#include "mozilla/StaticPrefs_media.h"
#include "mozilla/SyncRunnable.h" // for LaunchUtilityProcess
#include "mozilla/ipc/UtilityProcessParent.h"
#include "mozilla/dom/ContentParent.h"
#include "mozilla/ipc/Endpoint.h"
#include "mozilla/ipc/UtilityProcessSandboxing.h"
#include "mozilla/ipc/ProcessChild.h"
#include "nsAppRunner.h"
#include "nsContentUtils.h"
#include "mozilla/GeckoArgs.h"
namespace mozilla::ipc {
static StaticRefPtr<UtilityProcessManager> sSingleton;
static bool sXPCOMShutdown = false;
bool UtilityProcessManager::IsShutdown() const {
MOZ_ASSERT(NS_IsMainThread());
return sXPCOMShutdown || !sSingleton;
}
RefPtr<UtilityProcessManager> UtilityProcessManager::GetSingleton() {
MOZ_ASSERT(XRE_IsParentProcess());
MOZ_ASSERT(NS_IsMainThread());
if (!sXPCOMShutdown && sSingleton == nullptr) {
sSingleton = new UtilityProcessManager();
}
return sSingleton;
}
UtilityProcessManager::UtilityProcessManager() : mObserver(new Observer(this)) {
// Start listening for pref changes so we can
// forward them to the process once it is running.
nsContentUtils::RegisterShutdownObserver(mObserver);
Preferences::AddStrongObserver(mObserver, "");
}
UtilityProcessManager::~UtilityProcessManager() {
// The Utility process should have already been shut down.
MOZ_ASSERT(!mProcess && !mProcessParent);
}
NS_IMPL_ISUPPORTS(UtilityProcessManager::Observer, nsIObserver);
UtilityProcessManager::Observer::Observer(
RefPtr<UtilityProcessManager> aManager)
: mManager(std::move(aManager)) {}
NS_IMETHODIMP
UtilityProcessManager::Observer::Observe(nsISupports* aSubject,
const char* aTopic,
const char16_t* aData) {
if (!strcmp(aTopic, NS_XPCOM_SHUTDOWN_OBSERVER_ID)) {
mManager->OnXPCOMShutdown();
} else if (!strcmp(aTopic, "nsPref:changed")) {
mManager->OnPreferenceChange(aData);
}
return NS_OK;
}
void UtilityProcessManager::OnXPCOMShutdown() {
MOZ_ASSERT(NS_IsMainThread());
sXPCOMShutdown = true;
nsContentUtils::UnregisterShutdownObserver(mObserver);
CleanShutdown();
}
void UtilityProcessManager::OnPreferenceChange(const char16_t* aData) {
MOZ_ASSERT(NS_IsMainThread());
if (!mProcess) {
// Process hasn't been launched yet
return;
}
// A pref changed. If it is useful to do so, inform child processes.
if (!dom::ContentParent::ShouldSyncPreference(aData)) {
return;
}
// We know prefs are ASCII here.
NS_LossyConvertUTF16toASCII strData(aData);
mozilla::dom::Pref pref(strData, /* isLocked */ false, Nothing(), Nothing());
Preferences::GetPreference(&pref);
if (bool(mProcessParent)) {
MOZ_ASSERT(mQueuedPrefs.IsEmpty());
Unused << mProcessParent->SendPreferenceUpdate(pref);
} else if (IsProcessLaunching()) {
mQueuedPrefs.AppendElement(pref);
}
}
RefPtr<GenericNonExclusivePromise> UtilityProcessManager::LaunchProcess(
SandboxingKind aSandbox) {
MOZ_ASSERT(NS_IsMainThread());
if (IsShutdown()) {
return GenericNonExclusivePromise::CreateAndReject(NS_ERROR_NOT_AVAILABLE,
__func__);
}
if (mNumProcessAttempts) {
// We failed to start the Utility process earlier, abort now.
return GenericNonExclusivePromise::CreateAndReject(NS_ERROR_NOT_AVAILABLE,
__func__);
}
if (mLaunchPromise && mProcess) {
return mLaunchPromise;
}
std::vector<std::string> extraArgs;
ProcessChild::AddPlatformBuildID(extraArgs);
geckoargs::sSandboxingKind.Put(aSandbox, extraArgs);
// The subprocess is launched asynchronously, so we
// wait for the promise to be resolved to acquire the IPDL actor.
mProcess = new UtilityProcessHost(aSandbox, this);
if (!mProcess->Launch(extraArgs)) {
mNumProcessAttempts++;
DestroyProcess();
return GenericNonExclusivePromise::CreateAndReject(NS_ERROR_NOT_AVAILABLE,
__func__);
}
RefPtr<UtilityProcessManager> self = this;
mLaunchPromise = mProcess->LaunchPromise()->Then(
GetMainThreadSerialEventTarget(), __func__,
[self](bool) {
if (self->IsShutdown()) {
return GenericNonExclusivePromise::CreateAndReject(
NS_ERROR_NOT_AVAILABLE, __func__);
}
if (self->IsProcessDestroyed()) {
return GenericNonExclusivePromise::CreateAndReject(
NS_ERROR_NOT_AVAILABLE, __func__);
}
self->mProcessParent = self->mProcess->GetActor();
// Flush any pref updates that happened during
// launch and weren't included in the blobs set
// up in LaunchUtilityProcess.
for (const mozilla::dom::Pref& pref : self->mQueuedPrefs) {
Unused << NS_WARN_IF(
!self->mProcessParent->SendPreferenceUpdate(pref));
}
self->mQueuedPrefs.Clear();
CrashReporter::AnnotateCrashReport(
CrashReporter::Annotation::UtilityProcessStatus, "Running"_ns);
return GenericNonExclusivePromise::CreateAndResolve(true, __func__);
},
[self](nsresult aError) {
if (GetSingleton()) {
self->mNumProcessAttempts++;
self->DestroyProcess();
}
return GenericNonExclusivePromise::CreateAndReject(aError, __func__);
});
return mLaunchPromise;
}
bool UtilityProcessManager::IsProcessLaunching() {
MOZ_ASSERT(NS_IsMainThread());
return mProcess && !mProcessParent;
}
bool UtilityProcessManager::IsProcessDestroyed() const {
MOZ_ASSERT(NS_IsMainThread());
return !mProcessParent && !mProcess;
}
void UtilityProcessManager::OnProcessUnexpectedShutdown(
UtilityProcessHost* aHost) {
MOZ_ASSERT(NS_IsMainThread());
MOZ_ASSERT(mProcess && mProcess == aHost);
mNumUnexpectedCrashes++;
DestroyProcess();
}
void UtilityProcessManager::NotifyRemoteActorDestroyed() {
if (!NS_IsMainThread()) {
RefPtr<UtilityProcessManager> self = this;
NS_DispatchToMainThread(NS_NewRunnableFunction(
"UtilityProcessManager::NotifyRemoteActorDestroyed()",
[self]() { self->NotifyRemoteActorDestroyed(); }));
return;
}
// One of the bridged top-level actors for the Utility process has been
// prematurely terminated, and we're receiving a notification. This
// can happen if the ActorDestroy for a bridged protocol fires
// before the ActorDestroy for PUtilityProcessParent.
OnProcessUnexpectedShutdown(mProcess);
}
void UtilityProcessManager::CleanShutdown() { DestroyProcess(); }
void UtilityProcessManager::DestroyProcess() {
MOZ_RELEASE_ASSERT(NS_IsMainThread());
if (!mProcess) {
return;
}
mProcess->Shutdown();
mProcess = nullptr;
mProcessParent = nullptr;
mQueuedPrefs.Clear();
Preferences::RemoveObserver(mObserver, "");
mObserver = nullptr;
CrashReporter::AnnotateCrashReport(
CrashReporter::Annotation::UtilityProcessStatus, "Destroyed"_ns);
sSingleton = nullptr;
}
Maybe<base::ProcessId> UtilityProcessManager::ProcessPid() {
MOZ_ASSERT(NS_IsMainThread());
if (mProcessParent) {
return Some(mProcessParent->OtherPid());
}
return Nothing();
}
class UtilityMemoryReporter : public MemoryReportingProcess {
public:
NS_INLINE_DECL_THREADSAFE_REFCOUNTING(UtilityMemoryReporter, override)
bool IsAlive() const override { return bool(GetChild()); }
bool SendRequestMemoryReport(
const uint32_t& aGeneration, const bool& aAnonymize,
const bool& aMinimizeMemoryUsage,
const Maybe<ipc::FileDescriptor>& aDMDFile) override {
UtilityProcessParent* child = GetChild();
if (!child) {
return false;
}
return child->SendRequestMemoryReport(aGeneration, aAnonymize,
aMinimizeMemoryUsage, aDMDFile);
}
int32_t Pid() const override {
if (UtilityProcessParent* child = GetChild()) {
return (int32_t)child->OtherPid();
}
return 0;
}
private:
UtilityProcessParent* GetChild() const {
if (RefPtr<UtilityProcessManager> utilitypm =
UtilityProcessManager::GetSingleton()) {
if (UtilityProcessParent* child = utilitypm->GetProcessParent()) {
return child;
}
}
return nullptr;
}
protected:
~UtilityMemoryReporter() = default;
};
RefPtr<MemoryReportingProcess>
UtilityProcessManager::GetProcessMemoryReporter() {
if (!mProcess || !mProcess->IsConnected()) {
return nullptr;
}
return new UtilityMemoryReporter();
}
} // namespace mozilla::ipc

108
ipc/glue/UtilityProcessManager.h Normal file
Просмотреть файл

@ -0,0 +1,108 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _include_ipc_glue_UtilityProcessManager_h_
#define _include_ipc_glue_UtilityProcessManager_h_
#include "mozilla/MozPromise.h"
#include "mozilla/ipc/UtilityProcessHost.h"
#include "nsIObserver.h"
namespace mozilla {
class MemoryReportingProcess;
namespace ipc {
class UtilityProcessParent;
// The UtilityProcessManager is a singleton responsible for creating
// Utility-bound objects that may live in another process. Currently, it
// provides access to the Utility process via ContentParent.
class UtilityProcessManager final : public UtilityProcessHost::Listener {
friend class UtilityProcessParent;
public:
static void Initialize();
static void Shutdown();
static RefPtr<UtilityProcessManager> GetSingleton();
// Launch a new Utility process asynchronously
RefPtr<GenericNonExclusivePromise> LaunchProcess(SandboxingKind aSandbox);
void OnProcessUnexpectedShutdown(UtilityProcessHost* aHost);
// Notify the UtilityProcessManager that a top-level PUtility protocol has
// been terminated. This may be called from any thread.
void NotifyRemoteActorDestroyed();
// Returns the platform pid for the Utility process.
Maybe<base::ProcessId> ProcessPid();
// If a Utility process is present, create a MemoryReportingProcess object.
// Otherwise, return null.
RefPtr<MemoryReportingProcess> GetProcessMemoryReporter();
// Returns access to the PUtility protocol if a Utility process is present.
UtilityProcessParent* GetProcessParent() { return mProcessParent; }
// Returns whether or not a Utility process was ever launched.
bool AttemptedProcess() const { return mNumProcessAttempts > 0; }
// Returns the Utility Process
UtilityProcessHost* Process() { return mProcess; }
// Shutdown the Utility process.
void CleanShutdown();
private:
~UtilityProcessManager();
bool IsProcessLaunching();
bool IsProcessDestroyed() const;
// Called from our xpcom-shutdown observer.
void OnXPCOMShutdown();
void OnPreferenceChange(const char16_t* aData);
UtilityProcessManager();
void DestroyProcess();
bool IsShutdown() const;
class Observer final : public nsIObserver {
public:
NS_DECL_ISUPPORTS
NS_DECL_NSIOBSERVER
explicit Observer(RefPtr<UtilityProcessManager> aManager);
protected:
~Observer() = default;
RefPtr<UtilityProcessManager> mManager;
};
friend class Observer;
RefPtr<Observer> mObserver;
uint32_t mNumProcessAttempts = 0;
uint32_t mNumUnexpectedCrashes = 0;
// Fields that are associated with the current Utility process.
UtilityProcessHost* mProcess = nullptr;
UtilityProcessParent* mProcessParent = nullptr;
// Collects any pref changes that occur during process launch (after
// the initial map is passed in command-line arguments) to be sent
// when the process can receive IPC messages.
nsTArray<dom::Pref> mQueuedPrefs;
// Promise will be resolved when the Utility process has been fully started
// and VideoBridge configured. Only accessed on the main thread.
RefPtr<GenericNonExclusivePromise> mLaunchPromise;
};
} // namespace ipc
} // namespace mozilla
#endif // _include_ipc_glue_UtilityProcessManager_h_

102
ipc/glue/UtilityProcessParent.cpp Normal file
Просмотреть файл

@ -0,0 +1,102 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "mozilla/ipc/UtilityProcessParent.h"
#include "mozilla/ipc/UtilityProcessManager.h"
#if defined(XP_WIN)
# include <dwrite.h>
# include <process.h>
# include "mozilla/WinDllServices.h"
#endif
#include "mozilla/ipc/ProcessChild.h"
namespace mozilla::ipc {
static std::atomic<UtilityProcessParent*> sUtilityProcessParent;
UtilityProcessParent::UtilityProcessParent(UtilityProcessHost* aHost)
: mHost(aHost) {
MOZ_ASSERT(NS_IsMainThread());
MOZ_ASSERT(mHost);
sUtilityProcessParent = this;
}
UtilityProcessParent::~UtilityProcessParent() = default;
/* static */
UtilityProcessParent* UtilityProcessParent::GetSingleton() {
MOZ_DIAGNOSTIC_ASSERT(sUtilityProcessParent);
return sUtilityProcessParent;
}
bool UtilityProcessParent::SendRequestMemoryReport(
const uint32_t& aGeneration, const bool& aAnonymize,
const bool& aMinimizeMemoryUsage, const Maybe<FileDescriptor>& aDMDFile) {
mMemoryReportRequest = MakeUnique<MemoryReportRequestHost>(aGeneration);
PUtilityProcessParent::SendRequestMemoryReport(
aGeneration, aAnonymize, aMinimizeMemoryUsage, aDMDFile,
[&](const uint32_t& aGeneration2) {
if (RefPtr<UtilityProcessManager> utilitypm =
UtilityProcessManager::GetSingleton()) {
if (UtilityProcessParent* child = utilitypm->GetProcessParent()) {
if (child->mMemoryReportRequest) {
child->mMemoryReportRequest->Finish(aGeneration2);
child->mMemoryReportRequest = nullptr;
}
}
}
},
[&](mozilla::ipc::ResponseRejectReason) {
if (RefPtr<UtilityProcessManager> utilitypm =
UtilityProcessManager::GetSingleton()) {
if (UtilityProcessParent* child = utilitypm->GetProcessParent()) {
child->mMemoryReportRequest = nullptr;
}
}
});
return true;
}
mozilla::ipc::IPCResult UtilityProcessParent::RecvAddMemoryReport(
const MemoryReport& aReport) {
if (mMemoryReportRequest) {
mMemoryReportRequest->RecvReport(aReport);
}
return IPC_OK();
}
void UtilityProcessParent::ActorDestroy(ActorDestroyReason aWhy) {
if (aWhy == AbnormalShutdown) {
GenerateCrashReport(OtherPid());
}
mHost->OnChannelClosed();
}
// To ensure that IPDL is finished before UtilityParent gets deleted.
class DeferredDeleteUtilityProcessParent : public Runnable {
public:
explicit DeferredDeleteUtilityProcessParent(
RefPtr<UtilityProcessParent> aParent)
: Runnable("ipc::glue::DeferredDeleteUtilityProcessParent"),
mParent(std::move(aParent)) {}
NS_IMETHODIMP Run() override { return NS_OK; }
private:
RefPtr<UtilityProcessParent> mParent;
};
/* static */
void UtilityProcessParent::Destroy(RefPtr<UtilityProcessParent> aParent) {
NS_DispatchToMainThread(
new DeferredDeleteUtilityProcessParent(std::move(aParent)));
}
} // namespace mozilla::ipc

56
ipc/glue/UtilityProcessParent.h Normal file
Просмотреть файл

@ -0,0 +1,56 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _include_ipc_glue_UtilityProcessParent_h__
#define _include_ipc_glue_UtilityProcessParent_h__
#include "mozilla/ipc/PUtilityProcessParent.h"
#include "mozilla/ipc/CrashReporterHelper.h"
#include "mozilla/ipc/UtilityProcessHost.h"
#include "mozilla/dom/MemoryReportRequest.h"
#include "mozilla/RefPtr.h"
namespace mozilla {
namespace ipc {
class UtilityProcessHost;
class UtilityProcessParent final
: public PUtilityProcessParent,
public ipc::CrashReporterHelper<GeckoProcessType_Utility> {
typedef mozilla::dom::MemoryReportRequestHost MemoryReportRequestHost;
public:
NS_INLINE_DECL_THREADSAFE_REFCOUNTING(UtilityProcessParent, override);
friend class UtilityProcessHost;
explicit UtilityProcessParent(UtilityProcessHost* aHost);
static UtilityProcessParent* GetSingleton();
mozilla::ipc::IPCResult RecvAddMemoryReport(const MemoryReport& aReport);
bool SendRequestMemoryReport(const uint32_t& aGeneration,
const bool& aAnonymize,
const bool& aMinimizeMemoryUsage,
const Maybe<ipc::FileDescriptor>& aDMDFile);
void ActorDestroy(ActorDestroyReason aWhy) override;
private:
UtilityProcessHost* mHost;
UniquePtr<MemoryReportRequestHost> mMemoryReportRequest{};
~UtilityProcessParent();
static void Destroy(RefPtr<UtilityProcessParent> aParent);
};
} // namespace ipc
} // namespace mozilla
#endif // _include_ipc_glue_UtilityProcessParent_h__

27
ipc/glue/UtilityProcessSandboxing.h Normal file
Просмотреть файл

@ -0,0 +1,27 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _include_ipc_glue_UtilityProcessSandboxing_h_
#define _include_ipc_glue_UtilityProcessSandboxing_h_
#include <stdint.h>
namespace mozilla {
namespace ipc {
// When adding a new value, the checks within UtilityProcessImpl::Init() needs
// to be updated as well.
enum SandboxingKind : uint64_t {
GENERIC_UTILITY = 0x01,
};
} // namespace ipc
} // namespace mozilla
#endif // _include_ipc_glue_UtilityProcessSandboxing_h_

18
ipc/glue/moz.build
Просмотреть файл

@ -66,6 +66,12 @@ EXPORTS.mozilla.ipc += [
"Transport.h",
"TransportSecurityInfoUtils.h",
"URIUtils.h",
"UtilityProcessChild.h",
"UtilityProcessHost.h",
"UtilityProcessImpl.h",
"UtilityProcessManager.h",
"UtilityProcessParent.h",
"UtilityProcessSandboxing.h",
"WindowsMessageLoop.h",
]
@ -192,6 +198,11 @@ UNIFIED_SOURCES += [
"StringUtil.cpp",
"TransportSecurityInfoUtils.cpp",
"URIUtils.cpp",
"UtilityProcessChild.cpp",
"UtilityProcessHost.cpp",
"UtilityProcessImpl.cpp",
"UtilityProcessManager.cpp",
"UtilityProcessParent.cpp",
]
SOURCES += [
@ -223,6 +234,10 @@ LOCAL_INCLUDES += [
"/xpcom/build",
]
PREPROCESSED_IPDL_SOURCES = [
"PUtilityProcess.ipdl",
]
IPDL_SOURCES = [
"InputStreamParams.ipdlh",
"IPCStream.ipdlh",
@ -278,5 +293,8 @@ if CONFIG["MOZ_SANDBOX"] and CONFIG["OS_ARCH"] == "WINNT":
"/security/sandbox/win/src/sandboxbroker",
]
if CONFIG["ENABLE_TESTS"]:
DIRS += ["test/gtest"]
# Add libFuzzer configuration directives
include("/tools/fuzzing/libfuzzer-config.mozbuild")

131
ipc/glue/test/gtest/TestUtilityProcess.cpp Normal file
Просмотреть файл

@ -0,0 +1,131 @@
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "gtest/gtest.h"
#include "mozilla/SpinEventLoopUntil.h"
#include "mozilla/ipc/UtilityProcessManager.h"
#if defined(MOZ_WIDGET_ANDROID) || defined(XP_MACOSX)
# include "nsIAppShellService.h"
# include "nsServiceManagerUtils.h"
#endif // defined(MOZ_WIDGET_ANDROID) || defined(XP_MACOSX)
#ifdef MOZ_WIDGET_ANDROID
# define NS_APPSHELLSERVICE_CONTRACTID "@mozilla.org/widget/appshell/android;1"
#endif // MOZ_WIDGET_ANDROID
#ifdef XP_MACOSX
# define NS_APPSHELLSERVICE_CONTRACTID "@mozilla.org/widget/appshell/mac;1"
#endif // XP_MACOSX
using namespace mozilla;
using namespace mozilla::ipc;
#define WAIT_FOR_EVENTS \
SpinEventLoopUntil("UtilityProcess::emptyUtil"_ns, [&]() { return done; });
bool setupDone = false;
class UtilityProcess : public ::testing::Test {
protected:
void SetUp() override {
if (setupDone) {
return;
}
#if defined(MOZ_WIDGET_ANDROID) || defined(XP_MACOSX)
appShell = do_GetService(NS_APPSHELLSERVICE_CONTRACTID);
#endif // defined(MOZ_WIDGET_ANDROID) || defined(XP_MACOSX)
#ifdef XP_WIN
mozilla::SandboxBroker::GeckoDependentInitialize();
#endif // XP_WIN
setupDone = true;
}
#if defined(MOZ_WIDGET_ANDROID) || defined(XP_MACOSX)
nsCOMPtr<nsIAppShellService> appShell;
#endif // defined(MOZ_WIDGET_ANDROID) || defined(XP_MACOSX)
};
TEST_F(UtilityProcess, ProcessManager) {
RefPtr<UtilityProcessManager> utilityProc =
UtilityProcessManager::GetSingleton();
ASSERT_NE(utilityProc, nullptr);
}
TEST_F(UtilityProcess, NoProcess) {
RefPtr<UtilityProcessManager> utilityProc =
UtilityProcessManager::GetSingleton();
EXPECT_NE(utilityProc, nullptr);
Maybe<int32_t> noPid = utilityProc->ProcessPid();
ASSERT_TRUE(noPid.isNothing());
}
TEST_F(UtilityProcess, LaunchProcess) {
bool done = false;
RefPtr<UtilityProcessManager> utilityProc =
UtilityProcessManager::GetSingleton();
EXPECT_NE(utilityProc, nullptr);
int32_t thisPid = base::GetCurrentProcId();
EXPECT_GE(thisPid, 1);
utilityProc->LaunchProcess(SandboxingKind::GENERIC_UTILITY)
->Then(
GetCurrentSerialEventTarget(), __func__,
[&]() mutable {
EXPECT_TRUE(true);
Maybe<int32_t> utilityPid = utilityProc->ProcessPid();
EXPECT_TRUE(utilityPid.isSome());
EXPECT_GE(*utilityPid, 1);
EXPECT_NE(*utilityPid, thisPid);
printf_stderr("UtilityProcess running as %d\n", *utilityPid);
done = true;
},
[&](nsresult aError) mutable {
EXPECT_TRUE(false);
done = true;
});
WAIT_FOR_EVENTS;
}
TEST_F(UtilityProcess, DestroyProcess) {
bool done = false;
RefPtr<UtilityProcessManager> utilityProc =
UtilityProcessManager::GetSingleton();
utilityProc->LaunchProcess(SandboxingKind::GENERIC_UTILITY)
->Then(
GetCurrentSerialEventTarget(), __func__,
[&]() {
Maybe<int32_t> utilityPid = utilityProc->ProcessPid();
EXPECT_TRUE(utilityPid.isSome());
EXPECT_GE(*utilityPid, 1);
utilityProc->CleanShutdown();
utilityPid = utilityProc->ProcessPid();
EXPECT_TRUE(utilityPid.isNothing());
EXPECT_TRUE(true);
done = true;
},
[&](nsresult aError) {
EXPECT_TRUE(false);
done = true;
});
WAIT_FOR_EVENTS;
}

20
ipc/glue/test/gtest/moz.build Normal file
Просмотреть файл

@ -0,0 +1,20 @@
# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
# vim: set filetype=python:
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at http://mozilla.org/MPL/2.0/.
Library("ipcgluetest")
UNIFIED_SOURCES = [
"TestUtilityProcess.cpp",
]
LOCAL_INCLUDES += [
"/widget",
"/widget/android",
]
include("/ipc/chromium/chromium-config.mozbuild")
FINAL_LIBRARY = "xul-gtest"

7
mobile/android/geckoview/src/main/AndroidManifest.xml
Просмотреть файл

@ -71,6 +71,13 @@
android:isolatedProcess="false"
android:process=":gpu">
</service>
<service
android:name="org.mozilla.gecko.process.GeckoChildProcessServices$utility"
android:enabled="true"
android:exported="false"
android:isolatedProcess="false"
android:process=":utility">
</service>
<service
android:name="org.mozilla.gecko.gfx.SurfaceAllocatorService"
android:enabled="true"

1
mobile/android/geckoview/src/main/java/org/mozilla/gecko/process/GeckoChildProcessServices.jinja
Просмотреть файл

@ -10,6 +10,7 @@ public class GeckoChildProcessServices {
public static final class gmplugin extends GeckoServiceChildProcess {}
public static final class socket extends GeckoServiceChildProcess {}
public static final class gpu extends GeckoServiceGpuProcess {}
public static final class utility extends GeckoServiceChildProcess {}
{% for id in range(0, MOZ_ANDROID_CONTENT_SERVICE_COUNT | int) %}
public static final class tab{{ id }} extends GeckoServiceChildProcess {}

3
mobile/android/geckoview/src/main/java/org/mozilla/gecko/process/GeckoProcessType.java
Просмотреть файл

@ -19,7 +19,8 @@ public enum GeckoProcessType {
RDD("rdd"),
SOCKET("socket"),
REMOTESANDBOXBROKER("sandboxbroker"),
FORKSERVER("forkserver");
FORKSERVER("forkserver"),
UTILITY("utility");
private final String mGeckoName;

2
modules/libpref/components.conf
Просмотреть файл

@ -20,7 +20,7 @@ Classes = [
'type': 'mozilla::Preferences',
'headers': ['mozilla/Preferences.h'],
'constructor': 'mozilla::Preferences::GetInstanceForService',
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS,
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS,
},
{
'cid': '{064d9cee-1dd2-11b2-83e3-d25ab0193c26}',

5
modules/libpref/init/StaticPrefList.yaml
Просмотреть файл

@ -4875,6 +4875,11 @@
value: 1000
mirror: always
- name: general.utility-process.startup_timeout_ms
type: RelaxedAtomicInt32
value: 5000
mirror: always
#---------------------------------------------------------------------------
# Prefs starting with "geo."
#---------------------------------------------------------------------------

26
security/sandbox/common/test/SandboxTest.cpp
Просмотреть файл

@ -16,6 +16,9 @@
#include "mozilla/net/SocketProcessParent.h"
#include "mozilla/RDDProcessManager.h"
#include "mozilla/RDDChild.h"
#include "mozilla/ipc/UtilityProcessManager.h"
#include "mozilla/ipc/UtilityProcessParent.h"
#include "mozilla/ipc/UtilityProcessSandboxing.h"
#include "GMPService.h"
#include "mozilla/gmp/GMPTypes.h"
#include "mozilla/ipc/Endpoint.h"
@ -199,6 +202,29 @@ SandboxTest::StartTests(const nsTArray<nsCString>& aProcessesList) {
break;
}
case GeckoProcessType_Utility: {
RefPtr<UtilityProcessManager> utilityProc =
UtilityProcessManager::GetSingleton();
utilityProc->LaunchProcess(SandboxingKind::GENERIC_UTILITY)
->Then(
GetMainThreadSerialEventTarget(), __func__,
[processPromise, utilityProc]() {
UtilityProcessParent* utilityParent =
utilityProc ? utilityProc->GetProcessParent() : nullptr;
if (utilityParent) {
return InitializeSandboxTestingActors(utilityParent,
processPromise);
}
return processPromise->Reject(NS_ERROR_FAILURE, __func__);
},
[processPromise](nsresult aError) {
MOZ_ASSERT_UNREACHABLE(
"SandboxTest; failure to get Utility process");
return processPromise->Reject(aError, __func__);
});
break;
}
default:
MOZ_ASSERT_UNREACHABLE(
"SandboxTest does not yet support this process type");

18
security/sandbox/common/test/SandboxTestingChild.cpp
Просмотреть файл

@ -8,6 +8,8 @@
#include "SandboxTestingChildTests.h"
#include "SandboxTestingThread.h"
#include "mozilla/ipc/Endpoint.h"
#include "mozilla/ipc/UtilityProcessSandboxing.h"
#include "mozilla/ipc/UtilityProcessChild.h"
#ifdef XP_LINUX
# include "mozilla/Sandbox.h"
@ -79,6 +81,20 @@ void SandboxTestingChild::Bind(Endpoint<PSandboxTestingChild>&& aEndpoint) {
RunTestsSocket(this);
}
if (XRE_IsUtilityProcess()) {
RefPtr<ipc::UtilityProcessChild> s = ipc::UtilityProcessChild::Get();
MOZ_ASSERT(s, "Unable to grab a UtilityProcessChild");
switch (s->mSandbox) {
case ipc::SandboxingKind::GENERIC_UTILITY:
RunTestsUtility(this);
break;
default:
MOZ_ASSERT(false, "Invalid SandboxingKind");
break;
}
}
#ifdef XP_LINUX
SetSandboxCrashOnError(sandboxCrashOnError);
#endif
@ -111,7 +127,6 @@ void SandboxTestingChild::ReportNoTests() {
"The test framework fails if there are no cases."_ns);
}
#ifdef XP_UNIX
template <typename F>
void SandboxTestingChild::ErrnoTest(const nsCString& aName, bool aExpectSuccess,
F&& aFunction) {
@ -140,6 +155,5 @@ void SandboxTestingChild::PosixTest(const nsCString& aName, bool aExpectSuccess,
SendReportTestResults(aName, aExpectSuccess, succeeded, message);
}
#endif // XP_UNIX
} // namespace mozilla

2
security/sandbox/common/test/SandboxTestingChild.h
Просмотреть файл

@ -45,7 +45,6 @@ class SandboxTestingChild : public PSandboxTestingChild {
// absence of test report as a failure.
inline void ReportNoTests();
#ifdef XP_UNIX
// For test cases that return an error number or 0, like newer POSIX APIs.
void PosixTest(const nsCString& aName, bool aExpectSuccess, int aStatus);
@ -60,7 +59,6 @@ class SandboxTestingChild : public PSandboxTestingChild {
template <typename F>
void ErrnoValueTest(const nsCString& aName, bool aExpectEquals,
int aExpectedErrno, F&& aFunction);
#endif
private:
explicit SandboxTestingChild(SandboxTestingThread* aThread,

37
security/sandbox/common/test/SandboxTestingChildTests.h
Просмотреть файл

@ -33,6 +33,10 @@
# include <CoreGraphics/CoreGraphics.h>
#endif
#ifdef XP_WIN
# include <stdio.h>
#endif
namespace mozilla {
#ifdef XP_LINUX
@ -317,4 +321,37 @@ void RunTestsGMPlugin(SandboxTestingChild* child) {
#endif
}
void RunTestsUtility(SandboxTestingChild* child) {
MOZ_ASSERT(child, "No SandboxTestingChild*?");
#ifdef XP_UNIX
# ifdef XP_LINUX
child->ErrnoValueTest("ioctl_tiocsti"_ns, false, ENOSYS, [&] {
int rv = ioctl(1, TIOCSTI, "x");
return rv;
});
struct rusage res;
child->ErrnoTest("getrusage"_ns, true, [&] {
int rv = getrusage(RUSAGE_SELF, &res);
return rv;
});
# endif // XP_LINUX
#else // XP_UNIX
# ifdef XP_WIN
child->ErrnoValueTest("write_only"_ns, true, EPERM, [&] {
FILE* rv = fopen("test_sandbox.txt", "w");
int errno_copy = errno;
if (rv != nullptr) {
fclose(rv);
MOZ_ASSERT(!rv, "SHould have had a nullptr");
}
return errno_copy;
});
# else // XP_WIN
child->ReportNoTests();
# endif // XP_WIN
#endif
}
} // namespace mozilla

31
security/sandbox/linux/Sandbox.cpp
Просмотреть файл

@ -716,6 +716,37 @@ void SetSocketProcessSandbox(int aBroker) {
SetCurrentProcessSandbox(GetSocketProcessSandboxPolicy(sBroker));
}
void SetUtilitySandbox(int aBroker, ipc::SandboxingKind aKind) {
if (!SandboxInfo::Get().Test(SandboxInfo::kHasSeccompBPF) ||
PR_GetEnv("MOZ_DISABLE_UTILITY_SANDBOX")) {
if (aBroker >= 0) {
close(aBroker);
}
return;
}
gSandboxReporterClient =
new SandboxReporterClient(SandboxReport::ProcType::UTILITY);
static SandboxBrokerClient* sBroker;
if (aBroker >= 0) {
sBroker = new SandboxBrokerClient(aBroker);
}
UniquePtr<sandbox::bpf_dsl::Policy> policy;
switch (aKind) {
case ipc::SandboxingKind::GENERIC_UTILITY:
policy = GetUtilitySandboxPolicy(sBroker);
break;
default:
MOZ_ASSERT(false, "Invalid SandboxingKind");
break;
}
SetCurrentProcessSandbox(std::move(policy));
}
bool SetSandboxCrashOnError(bool aValue) {
bool oldValue = gSandboxCrashOnError;
gSandboxCrashOnError = aValue;

4
security/sandbox/linux/Sandbox.h
Просмотреть файл

@ -12,6 +12,8 @@
#include "nsXULAppAPI.h"
#include <vector>
#include "mozilla/ipc/UtilityProcessSandboxing.h"
// This defines the entry points for a content process to start
// sandboxing itself. See also SandboxInfo.h for what parts of
// sandboxing are enabled/supported.
@ -63,6 +65,8 @@ MOZ_EXPORT void SetRemoteDataDecoderSandbox(int aBroker);
MOZ_EXPORT void SetSocketProcessSandbox(int aBroker);
MOZ_EXPORT void SetUtilitySandbox(int aBroker, ipc::SandboxingKind aKind);
// We want to turn on/off crashing on error when running some tests
// This will return current value and set the aValue we pass
MOZ_EXPORT bool SetSandboxCrashOnError(bool aValue);

42
security/sandbox/linux/SandboxFilter.cpp
Просмотреть файл

@ -1997,4 +1997,46 @@ UniquePtr<sandbox::bpf_dsl::Policy> GetSocketProcessSandboxPolicy(
new SocketProcessSandboxPolicy(aMaybeBroker));
}
class UtilitySandboxPolicy final : public SandboxPolicyCommon {
public:
explicit UtilitySandboxPolicy(SandboxBrokerClient* aBroker)
: SandboxPolicyCommon(aBroker, ShmemUsage::MAY_CREATE,
AllowUnsafeSocketPair::NO) {}
ResultExpr PrctlPolicy() const override {
Arg<int> op(0);
return Switch(op)
.CASES((PR_SET_NAME, // Thread creation
PR_SET_DUMPABLE, // Crash reporting
PR_SET_PTRACER), // Debug-mode crash handling
Allow())
.Default(InvalidSyscall());
}
ResultExpr EvaluateSyscall(int sysno) const override {
switch (sysno) {
case __NR_getrusage:
return Allow();
case __NR_ioctl: {
Arg<unsigned long> request(1);
// ffmpeg, and anything else that calls isatty(), will be told
// that nothing is a typewriter:
return If(request == TCGETS, Error(ENOTTY)).Else(InvalidSyscall());
}
case __NR_prctl: {
return Allow();
}
// Pass through the common policy.
default:
return SandboxPolicyCommon::EvaluateSyscall(sysno);
}
}
};
UniquePtr<sandbox::bpf_dsl::Policy> GetUtilitySandboxPolicy(
SandboxBrokerClient* aMaybeBroker) {
return UniquePtr<sandbox::bpf_dsl::Policy>(
new UtilitySandboxPolicy(aMaybeBroker));
}
} // namespace mozilla

3
security/sandbox/linux/SandboxFilter.h
Просмотреть файл

@ -38,6 +38,9 @@ UniquePtr<sandbox::bpf_dsl::Policy> GetDecoderSandboxPolicy(
UniquePtr<sandbox::bpf_dsl::Policy> GetSocketProcessSandboxPolicy(
SandboxBrokerClient* aMaybeBroker);
UniquePtr<sandbox::bpf_dsl::Policy> GetUtilitySandboxPolicy(
SandboxBrokerClient* aMaybeBroker);
} // namespace mozilla
#endif

53
security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
Просмотреть файл

@ -878,4 +878,57 @@ SandboxBrokerPolicyFactory::GetSocketProcessPolicy(int aPid) {
return policy;
}
/* static */ UniquePtr<SandboxBroker::Policy>
SandboxBrokerPolicyFactory::GetUtilityProcessPolicy(int aPid) {
auto policy = MakeUnique<SandboxBroker::Policy>();
policy->AddPath(rdonly, "/dev/urandom");
policy->AddPath(rdonly, "/proc/cpuinfo");
policy->AddPath(rdonly, "/proc/meminfo");
policy->AddDir(rdonly, "/sys/devices/cpu");
policy->AddDir(rdonly, "/sys/devices/system/cpu");
policy->AddDir(rdonly, "/lib");
policy->AddDir(rdonly, "/lib64");
policy->AddDir(rdonly, "/usr/lib");
policy->AddDir(rdonly, "/usr/lib32");
policy->AddDir(rdonly, "/usr/lib64");
policy->AddDir(rdonly, "/usr/share");
policy->AddDir(rdonly, "/usr/local/share");
policy->AddDir(rdonly, "/etc");
// glibc will try to stat64("/") while populating nsswitch database
// https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/nss_database.c;h=cf0306adc47f12d9bc761ab1b013629f4482b7e6;hb=9826b03b747b841f5fc6de2054bf1ef3f5c4bdf3#l396
// denying will make getaddrinfo() return ENONAME
policy->AddDir(access, "/");
AddLdconfigPaths(policy.get());
// Utility process sandbox needs to allow shmem in order to support
// profiling. See Bug 1626385.
AddSharedMemoryPaths(policy.get(), aPid);
// Bug 1647957: memory reporting.
AddMemoryReporting(policy.get(), aPid);
// Firefox binary dir.
// Note that unlike the previous cases, we use NS_GetSpecialDirectory
// instead of GetSpecialSystemDirectory. The former requires a working XPCOM
// system, which may not be the case for some tests. For querying for the
// location of XPCOM things, we can use it anyway.
nsCOMPtr<nsIFile> ffDir;
nsresult rv = NS_GetSpecialDirectory(NS_GRE_DIR, getter_AddRefs(ffDir));
if (NS_SUCCEEDED(rv)) {
nsAutoCString tmpPath;
rv = ffDir->GetNativePath(tmpPath);
if (NS_SUCCEEDED(rv)) {
policy->AddDir(rdonly, tmpPath.get());
}
}
if (policy->IsEmpty()) {
policy = nullptr;
}
return policy;
}
} // namespace mozilla

1
security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h
Просмотреть файл

@ -22,6 +22,7 @@ class SandboxBrokerPolicyFactory {
static UniquePtr<SandboxBroker::Policy> GetRDDPolicy(int aPid);
static UniquePtr<SandboxBroker::Policy> GetSocketProcessPolicy(int aPid);
static UniquePtr<SandboxBroker::Policy> GetUtilityProcessPolicy(int aPid);
private:
UniquePtr<const SandboxBroker::Policy> mCommonContentPolicy;

2
security/sandbox/linux/launch/SandboxLaunch.cpp
Просмотреть файл

@ -265,6 +265,8 @@ static int GetEffectiveSandboxLevel(GeckoProcessType aType) {
// GetEffectiveSocketProcessSandboxLevel is main-thread-only due to prefs.
MOZ_ASSERT(NS_IsMainThread());
return GetEffectiveSocketProcessSandboxLevel();
case GeckoProcessType_Utility:
return PR_GetEnv("MOZ_DISABLE_UTILITY_SANDBOX") == nullptr ? 1 : 0;
default:
return 0;
}

3
security/sandbox/linux/reporter/SandboxReporter.cpp
Просмотреть файл

@ -144,6 +144,9 @@ static void SubmitToTelemetry(const SandboxReport& aReport) {
case SandboxReport::ProcType::SOCKET_PROCESS:
key.AppendLiteral("socket");
break;
case SandboxReport::ProcType::UTILITY:
key.AppendLiteral("utility");
break;
default:
MOZ_ASSERT(false);
}

1
security/sandbox/linux/reporter/SandboxReporterCommon.h
Просмотреть файл

@ -35,6 +35,7 @@ struct SandboxReport {
MEDIA_PLUGIN,
RDD,
SOCKET_PROCESS,
UTILITY,
};
// The syscall number and arguments are usually `unsigned long`, but

3
security/sandbox/linux/reporter/SandboxReporterWrappers.cpp
Просмотреть файл

@ -82,6 +82,9 @@ NS_IMETHODIMP SandboxReportWrapper::GetProcType(nsACString& aProcType) {
case SandboxReport::ProcType::SOCKET_PROCESS:
aProcType.AssignLiteral("socketProcess");
return NS_OK;
case SandboxReport::ProcType::UTILITY:
aProcType.AssignLiteral("utility");
return NS_OK;
default:
MOZ_ASSERT(false);
return NS_ERROR_UNEXPECTED;

2
security/sandbox/mac/Sandbox.h
Просмотреть файл

@ -7,6 +7,7 @@
#define mozilla_Sandbox_h
#include <string>
#include "mozilla/ipc/UtilityProcessSandboxing.h"
enum MacSandboxType {
MacSandboxType_Default = 0,
@ -48,6 +49,7 @@ typedef struct _MacSandboxInfo {
public:
MacSandboxType type;
mozilla::ipc::SandboxingKind utilityKind;
int32_t level;
bool hasFilePrivileges;
bool hasSandboxedProfile;

30
security/sandbox/mac/Sandbox.mm
Просмотреть файл

@ -28,6 +28,9 @@
#include "SandboxPolicyUtility.h"
#include "mozilla/Assertions.h"
#include "mozilla/GeckoArgs.h"
#include "mozilla/ipc/UtilityProcessSandboxing.h"
// Undocumented sandbox setup routines.
extern "C" int sandbox_init_with_parameters(const char* profile, uint64_t flags,
const char* const parameters[], char** errorbuf);
@ -281,7 +284,15 @@ bool StartMacSandbox(MacSandboxInfo const& aInfo, std::string& aErrorMessage) {
std::string userCacheDir;
if (aInfo.type == MacSandboxType_Utility) {
profile = const_cast<char*>(SandboxPolicyUtility);
switch (aInfo.utilityKind) {
case ipc::SandboxingKind::GENERIC_UTILITY:
profile = const_cast<char*>(SandboxPolicyUtility);
break;
default:
MOZ_ASSERT(false, "Invalid SandboxingKind");
break;
}
params.push_back("SHOULD_LOG");
params.push_back(aInfo.shouldLog ? "TRUE" : "FALSE");
params.push_back("APP_PATH");
@ -585,7 +596,8 @@ bool GetContentSandboxParamsFromArgs(int aArgc, char** aArgv, MacSandboxInfo& aI
return true;
}
bool GetUtilitySandboxParamsFromArgs(int aArgc, char** aArgv, MacSandboxInfo& aInfo) {
bool GetUtilitySandboxParamsFromArgs(int aArgc, char** aArgv, MacSandboxInfo& aInfo,
bool aSandboxingKindRequired = true) {
// Ensure we find these paramaters in the command
// line arguments. Return false if any are missing.
bool foundAppPath = false;
@ -611,6 +623,16 @@ bool GetUtilitySandboxParamsFromArgs(int aArgc, char** aArgv, MacSandboxInfo& aI
}
}
if (aSandboxingKindRequired) {
Maybe<uint64_t> sandboxingKind =
geckoargs::sSandboxingKind.Get(aArgc, aArgv, CheckArgFlag::None);
if (sandboxingKind.isNothing()) {
fprintf(stderr, "Utility sandbox requires a sandboxingKind");
return false;
}
aInfo.utilityKind = (ipc::SandboxingKind)*sandboxingKind;
}
if (!foundAppPath) {
fprintf(stderr, "Utility sandbox disabled due to "
"missing sandbox CLI app path parameter.\n");
@ -621,7 +643,7 @@ bool GetUtilitySandboxParamsFromArgs(int aArgc, char** aArgv, MacSandboxInfo& aI
}
bool GetSocketSandboxParamsFromArgs(int aArgc, char** aArgv, MacSandboxInfo& aInfo) {
return GetUtilitySandboxParamsFromArgs(aArgc, aArgv, aInfo);
return GetUtilitySandboxParamsFromArgs(aArgc, aArgv, aInfo, false);
}
bool GetPluginSandboxParamsFromArgs(int aArgc, char** aArgv, MacSandboxInfo& aInfo) {
@ -696,7 +718,7 @@ bool GetPluginSandboxParamsFromArgs(int aArgc, char** aArgv, MacSandboxInfo& aIn
}
bool GetRDDSandboxParamsFromArgs(int aArgc, char** aArgv, MacSandboxInfo& aInfo) {
return GetUtilitySandboxParamsFromArgs(aArgc, aArgv, aInfo);
return GetUtilitySandboxParamsFromArgs(aArgc, aArgv, aInfo, false);
}
/*

6
security/sandbox/test/browser_sandbox_test.js
Просмотреть файл

@ -14,11 +14,7 @@ function test() {
// GPU process might not run depending on the platform, so we need it to be
// the last one of the list to allow the remainingTests logic below to work
// as expected.
//
// Skip GPU tests for now because they don't actually run anything and they
// trigger some shutdown hang on Windows
// FIXME: Bug XXX
var processTypes = ["tab", "socket", "rdd", "gmplugin", "gpu"];
var processTypes = ["tab", "socket", "rdd", "gmplugin", "utility", "gpu"];
// A callback called after each test-result.
let sandboxTestResult = (subject, topic, data) => {

6
security/sandbox/win/src/remotesandboxbroker/remoteSandboxBroker.cpp
Просмотреть файл

@ -158,6 +158,12 @@ bool RemoteSandboxBroker::SetSecurityLevelForSocketProcess() {
"RemoteSandboxBroker::SetSecurityLevelForSocketProcess not Implemented");
}
bool RemoteSandboxBroker::SetSecurityLevelForUtilityProcess(
mozilla::ipc::SandboxingKind aSandbox) {
MOZ_CRASH(
"RemoteSandboxBroker::SetSecurityLevelForUtilityProcess not Implemented");
}
AbstractSandboxBroker* CreateRemoteSandboxBroker() {
return new RemoteSandboxBroker();
}

2
security/sandbox/win/src/remotesandboxbroker/remoteSandboxBroker.h
Просмотреть файл

@ -41,6 +41,8 @@ class RemoteSandboxBroker : public AbstractSandboxBroker {
bool SetSecurityLevelForSocketProcess() override;
bool SetSecurityLevelForGMPlugin(SandboxLevel aLevel,
bool aIsRemoteLaunch = false) override;
bool SetSecurityLevelForUtilityProcess(
mozilla::ipc::SandboxingKind aSandbox) override;
bool AllowReadFile(wchar_t const* file) override;
void AddHandleToShare(HANDLE aHandle) override;

105
security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
Просмотреть файл

@ -1244,6 +1244,111 @@ bool SandboxBroker::SetSecurityLevelForSocketProcess() {
return true;
}
bool SandboxBroker::SetSecurityLevelForUtilityProcess(
mozilla::ipc::SandboxingKind aSandbox) {
if (!mPolicy) {
return false;
}
auto result =
SetJobLevel(mPolicy, sandbox::JOB_LOCKDOWN, 0 /* ui_exceptions */);
SANDBOX_ENSURE_SUCCESS(
result,
"SetJobLevel should never fail with these arguments, what happened?");
result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
sandbox::USER_LOCKDOWN);
SANDBOX_ENSURE_SUCCESS(
result,
"SetTokenLevel should never fail with these arguments, what happened?");
result = mPolicy->SetAlternateDesktop(true);
if (NS_WARN_IF(result != sandbox::SBOX_ALL_OK)) {
LOG_W("SetAlternateDesktop failed, result: %i, last error: %x", result,
::GetLastError());
}
result = mPolicy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
SANDBOX_ENSURE_SUCCESS(result,
"SetIntegrityLevel should never fail with these "
"arguments, what happened?");
result =
mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
SANDBOX_ENSURE_SUCCESS(result,
"SetDelayedIntegrityLevel should never fail with "
"these arguments, what happened?");
mPolicy->SetLockdownDefaultDacl();
mPolicy->AddRestrictingRandomSid();
sandbox::MitigationFlags mitigations =
sandbox::MITIGATION_BOTTOM_UP_ASLR | sandbox::MITIGATION_HEAP_TERMINATE |
sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP |
sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32;
const Maybe<Vector<const wchar_t*>>& exceptionModules =
GetPrespawnCigExceptionModules();
if (exceptionModules.isSome()) {
mitigations |= sandbox::MITIGATION_FORCE_MS_SIGNED_BINS;
}
result = mPolicy->SetProcessMitigations(mitigations);
SANDBOX_ENSURE_SUCCESS(result, "Invalid flags for SetProcessMitigations.");
if (exceptionModules.isSome()) {
// This needs to be called after MITIGATION_FORCE_MS_SIGNED_BINS is set
// because of DCHECK in PolicyBase::AddRuleInternal.
result = InitSignedPolicyRulesToBypassCig(mPolicy, exceptionModules.ref());
SANDBOX_ENSURE_SUCCESS(result, "Failed to initialize signed policy rules.");
}
result = AddWin32kLockdownPolicy(mPolicy, false);
SANDBOX_ENSURE_SUCCESS(result, "Failed to add the win32k lockdown policy");
mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
sandbox::MITIGATION_DLL_SEARCH_ORDER;
if (exceptionModules.isNothing()) {
mitigations |= sandbox::MITIGATION_FORCE_MS_SIGNED_BINS;
}
result = mPolicy->SetDelayedProcessMitigations(mitigations);
SANDBOX_ENSURE_SUCCESS(result,
"Invalid flags for SetDelayedProcessMitigations.");
// Add the policy for the client side of a pipe. It is just a file
// in the \pipe\ namespace. We restrict it to pipes that start with
// "chrome." so the sandboxed process cannot connect to system services.
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
sandbox::TargetPolicy::FILES_ALLOW_ANY,
L"\\??\\pipe\\chrome.*");
SANDBOX_ENSURE_SUCCESS(
result,
"With these static arguments AddRule should never fail, what happened?");
// Add the policy for the client side of the crash server pipe.
result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
sandbox::TargetPolicy::FILES_ALLOW_ANY,
L"\\??\\pipe\\gecko-crash-server-pipe.*");
SANDBOX_ENSURE_SUCCESS(
result,
"With these static arguments AddRule should never fail, what happened?");
switch (aSandbox) {
case mozilla::ipc::SandboxingKind::GENERIC_UTILITY:
// Nothing specific to perform yet?
break;
default:
MOZ_ASSERT(false, "Invalid SandboxingKind");
break;
}
return true;
}
bool SandboxBroker::SetSecurityLevelForGMPlugin(SandboxLevel aLevel,
bool aIsRemoteLaunch) {
if (!mPolicy) {

6
security/sandbox/win/src/sandboxbroker/sandboxBroker.h
Просмотреть файл

@ -16,6 +16,8 @@
#include "nsXULAppAPI.h"
#include "nsISupportsImpl.h"
#include "mozilla/ipc/UtilityProcessSandboxing.h"
namespace sandbox {
class BrokerServices;
class TargetPolicy;
@ -45,6 +47,8 @@ class AbstractSandboxBroker {
int32_t aSandboxLevel, const nsCOMPtr<nsIFile>& aProfileDir) = 0;
virtual bool SetSecurityLevelForRDDProcess() = 0;
virtual bool SetSecurityLevelForSocketProcess() = 0;
virtual bool SetSecurityLevelForUtilityProcess(
mozilla::ipc::SandboxingKind aSandbox) = 0;
enum SandboxLevel { LockDown, Restricted };
virtual bool SetSecurityLevelForGMPlugin(SandboxLevel aLevel,
@ -96,6 +100,8 @@ class SandboxBroker : public AbstractSandboxBroker {
bool SetSecurityLevelForSocketProcess() override;
bool SetSecurityLevelForGMPlugin(SandboxLevel aLevel,
bool aIsRemoteLaunch = false) override;
bool SetSecurityLevelForUtilityProcess(
mozilla::ipc::SandboxingKind aSandbox) override;
// File system permissions
bool AllowReadFile(wchar_t const* file) override;

4
toolkit/components/telemetry/Histograms.json
Просмотреть файл

@ -13416,7 +13416,9 @@
"rdd-crash",
"rdd-hang",
"socket-crash",
"socket-hang"
"socket-hang",
"utility-crash",
"utility-hang"
],
"releaseChannelCollection": "opt-out",
"description": "An attempt to submit a crash. Keyed on the CrashManager Crash.type."

2
toolkit/components/telemetry/core/components.conf
Просмотреть файл

@ -16,6 +16,6 @@ Classes = [
'interfaces': ['nsITelemetry'],
'singleton': True,
'type': 'nsITelemetry',
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS,
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS,
},
]

5
toolkit/crashreporter/CrashAnnotations.yaml
Просмотреть файл

@ -965,6 +965,11 @@ useragent_locale:
User-agent locale.
type: string
UtilityProcessStatus:
description: >
Status of the Utility process, can be set to "Running" or "Destroyed"
type: string
Vendor:
description: >
Application vendor (e.g. Mozilla).

3
toolkit/locales/en-US/toolkit/global/processTypes.ftl
Просмотреть файл

@ -53,6 +53,9 @@ process-type-socket = Socket
# process used to decode media
process-type-rdd = RDD
# process used to run some IPC actor in their own sandbox
process-type-utility = Sandboxed IPC Actor
##
## Other
##

1
toolkit/modules/ProcessType.jsm
Просмотреть файл

@ -17,6 +17,7 @@ const ProcessType = Object.freeze({
tab: "process-type-tab",
rdd: "process-type-rdd",
socket: "process-type-socket",
utility: "process-type-utility",
// Keys defined in dom/ipc/RemoteType.h
extension: "process-type-extension",

3
toolkit/xre/GeckoArgs.h
Просмотреть файл

@ -121,6 +121,9 @@ static CommandLineArg<uint64_t> sPrefMapSize{"-prefMapSize", "prefmapsize"};
static CommandLineArg<uint64_t> sChildID{"-childID", "childid"};
static CommandLineArg<uint64_t> sSandboxingKind{"-sandboxingKind",
"sandboxingkind"};
static CommandLineArg<bool> sSafeMode{"-safeMode", "safemode"};
static CommandLineArg<bool> sIsForBrowser{"-isForBrowser", "isforbrowser"};

4
toolkit/xre/nsAppRunner.cpp
Просмотреть файл

@ -986,7 +986,7 @@ nsXULAppInfo::GetWidgetToolkit(nsACString& aResult) {
#undef GECKO_PROCESS_TYPE
// .. and ensure that that is all of them:
static_assert(GeckoProcessType_ForkServer + 1 == GeckoProcessType_End,
static_assert(GeckoProcessType_Utility + 1 == GeckoProcessType_End,
"Did not find the final GeckoProcessType");
NS_IMETHODIMP
@ -5681,7 +5681,7 @@ bool XRE_IsE10sParentProcess() {
bool XRE_UseNativeEventProcessing() {
#if defined(XP_MACOSX) || defined(XP_WIN)
if (XRE_IsRDDProcess() || XRE_IsSocketProcess()) {
if (XRE_IsRDDProcess() || XRE_IsSocketProcess() || XRE_IsUtilityProcess()) {
return false;
}
#endif

6
toolkit/xre/nsEmbedFunctions.cpp
Просмотреть файл

@ -63,6 +63,7 @@
#include "mozilla/FilePreferences.h"
#include "mozilla/IOInterposer.h"
#include "mozilla/RDDProcessImpl.h"
#include "mozilla/ipc/UtilityProcessImpl.h"
#include "mozilla/UniquePtr.h"
#include "mozilla/ipc/BrowserProcessSubThread.h"
@ -575,6 +576,7 @@ nsresult XRE_InitChildProcess(int aArgc, char* aArgv[],
case GeckoProcessType_VR:
case GeckoProcessType_RDD:
case GeckoProcessType_Socket:
case GeckoProcessType_Utility:
// Content processes need the XPCOM/chromium frankenventloop
uiLoopType = MessageLoop::TYPE_MOZILLA_CHILD;
break;
@ -649,6 +651,10 @@ nsresult XRE_InitChildProcess(int aArgc, char* aArgv[],
process = MakeUnique<net::SocketProcessImpl>(parentPID);
break;
case GeckoProcessType_Utility:
process = MakeUnique<ipc::UtilityProcessImpl>(parentPID);
break;
#if defined(MOZ_SANDBOX) && defined(XP_WIN)
case GeckoProcessType_RemoteSandboxBroker:
process = MakeUnique<RemoteSandboxBrokerProcessChild>(parentPID);

2
widget/android/components.conf
Просмотреть файл

@ -17,7 +17,7 @@ Classes = [
'contract_ids': ['@mozilla.org/widget/appshell/android;1'],
'legacy_constructor': 'nsAppShellConstructor',
'headers': ['/widget/android/nsWidgetFactory.h'],
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS,
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS,
},
{
'cid': '{c401eb80-f9ea-11d3-bb6f-e732b73ebe7c}',

6
widget/cocoa/nsWidgetFactory.mm
Просмотреть файл

@ -125,7 +125,7 @@ static const mozilla::Module::CIDEntry kWidgetCIDs[] = {
{&kNS_COLORPICKER_CID, false, NULL, nsColorPickerConstructor,
mozilla::Module::MAIN_PROCESS_ONLY},
{&kNS_APPSHELL_CID, false, NULL, nsAppShellConstructor,
mozilla::Module::ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS},
mozilla::Module::ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS},
{&kNS_SOUND_CID, false, NULL, nsSoundConstructor, mozilla::Module::MAIN_PROCESS_ONLY},
{&kNS_TRANSFERABLE_CID, false, NULL, nsTransferableConstructor},
{&kNS_HTMLFORMATCONVERTER_CID, false, NULL, nsHTMLFormatConverterConstructor},
@ -156,7 +156,7 @@ static const mozilla::Module::ContractIDEntry kWidgetContracts[] = {
{"@mozilla.org/filepicker;1", &kNS_FILEPICKER_CID, mozilla::Module::MAIN_PROCESS_ONLY},
{"@mozilla.org/colorpicker;1", &kNS_COLORPICKER_CID, mozilla::Module::MAIN_PROCESS_ONLY},
{"@mozilla.org/widget/appshell/mac;1", &kNS_APPSHELL_CID,
mozilla::Module::ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS},
mozilla::Module::ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS},
{"@mozilla.org/sound;1", &kNS_SOUND_CID, mozilla::Module::MAIN_PROCESS_ONLY},
{"@mozilla.org/widget/transferable;1", &kNS_TRANSFERABLE_CID},
{"@mozilla.org/widget/htmlformatconverter;1", &kNS_HTMLFORMATCONVERTER_CID},
@ -199,4 +199,4 @@ extern const mozilla::Module kWidgetModule = {
NULL,
nsAppShellInit,
nsWidgetCocoaModuleDtor,
mozilla::Module::ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS};
mozilla::Module::ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS};

2
widget/gtk/components.conf
Просмотреть файл

@ -17,7 +17,7 @@ Classes = [
'contract_ids': ['@mozilla.org/widget/appshell/gtk;1'],
'legacy_constructor': 'nsAppShellConstructor',
'headers': ['/widget/gtk/nsWidgetFactory.h'],
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS,
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS,
},
{
'cid': '{c401eb80-f9ea-11d3-bb6f-e732b73ebe7c}',

4
widget/windows/components.conf
Просмотреть файл

@ -26,7 +26,7 @@ Classes = [
'contract_ids': ['@mozilla.org/widget/appshell/win;1'],
'headers': ['/widget/windows/nsWidgetFactory.h'],
'legacy_constructor': 'nsAppShellConstructor',
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS,
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS,
},
{
'cid': '{6987230e-0098-4e78-bc5f-1493ee7519fa}',
@ -125,7 +125,7 @@ Classes = [
'type': 'mozilla::widget::GfxInfo',
'headers': ['/widget/windows/GfxInfo.h'],
'init_method': 'Init',
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_AND_SOCKET_PROCESS,
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_SOCKET_AND_UTILITY_PROCESS,
},
{
'cid': '{bd57cee8-1dd1-11b2-9fe7-95cf4709aea3}',

4
xpcom/base/components.conf
Просмотреть файл

@ -10,14 +10,14 @@ Classes = [
'contract_ids': ['@mozilla.org/xpcom/debug;1'],
'legacy_constructor': 'nsDebugImpl::Create',
'headers': ['nsDebugImpl.h'],
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_AND_SOCKET_PROCESS,
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_SOCKET_AND_UTILITY_PROCESS,
},
{
'cid': '{30a04e40-38e7-11d4-8cf5-0060b0fc14a3}',
'contract_ids': ['@mozilla.org/xpcom/memory-service;1'],
'legacy_constructor': 'nsMemoryImpl::Create',
'headers': ['/xpcom/base/nsMemoryImpl.h'],
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS,
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS,
},
{
'cid': '{67b3ac0c-d806-4d48-939e-6a819e6c248f}',

2
xpcom/build/XPCOMInit.cpp
Просмотреть файл

@ -176,7 +176,7 @@ const mozilla::Module kXPCOMModule = {
nullptr,
nullptr,
nullptr,
mozilla::Module::ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS};
mozilla::Module::ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS};
// gDebug will be freed during shutdown.
static nsIDebug2* gDebug = nullptr;

2
xpcom/build/components.conf
Просмотреть файл

@ -70,7 +70,7 @@ Classes = [
'type': 'nsMemoryReporterManager',
'headers': ['/xpcom/base/nsMemoryReporterManager.h'],
'init_method': 'Init',
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS,
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS,
},
{
'cid': '{7b4eeb20-d781-11d4-8a83-0010a4e0c9ca}',

10
xpcom/components/Module.h
Просмотреть файл

@ -54,6 +54,7 @@ struct Module {
ALLOW_IN_VR_PROCESS = 0x8,
ALLOW_IN_SOCKET_PROCESS = 0x10,
ALLOW_IN_RDD_PROCESS = 0x20,
ALLOW_IN_UTILITY_PROCESS = 0x30,
ALLOW_IN_GPU_AND_MAIN_PROCESS = ALLOW_IN_GPU_PROCESS | MAIN_PROCESS_ONLY,
ALLOW_IN_GPU_AND_VR_PROCESS = ALLOW_IN_GPU_PROCESS | ALLOW_IN_VR_PROCESS,
ALLOW_IN_GPU_AND_SOCKET_PROCESS =
@ -64,13 +65,18 @@ struct Module {
ALLOW_IN_RDD_PROCESS | ALLOW_IN_SOCKET_PROCESS,
ALLOW_IN_GPU_RDD_AND_SOCKET_PROCESS =
ALLOW_IN_GPU_PROCESS | ALLOW_IN_RDD_PROCESS | ALLOW_IN_SOCKET_PROCESS,
ALLOW_IN_GPU_RDD_SOCKET_AND_UTILITY_PROCESS =
ALLOW_IN_GPU_PROCESS | ALLOW_IN_RDD_PROCESS | ALLOW_IN_SOCKET_PROCESS,
ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS =
ALLOW_IN_GPU_PROCESS | ALLOW_IN_RDD_PROCESS | ALLOW_IN_VR_PROCESS |
ALLOW_IN_SOCKET_PROCESS
ALLOW_IN_SOCKET_PROCESS,
ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS =
ALLOW_IN_GPU_PROCESS | ALLOW_IN_RDD_PROCESS | ALLOW_IN_VR_PROCESS |
ALLOW_IN_SOCKET_PROCESS | ALLOW_IN_UTILITY_PROCESS
};
static constexpr size_t kMaxProcessSelector =
size_t(ProcessSelector::ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS);
size_t(ProcessSelector::ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS);
/**
* This allows category entries to be marked so that they are or are

4
xpcom/components/components.conf
Просмотреть файл

@ -12,12 +12,12 @@ Classes = [
'interfaces': ['nsICategoryManager'],
'legacy_constructor': 'nsCategoryManager::Create',
'headers': ['/xpcom/components/nsCategoryManager.h'],
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_AND_SOCKET_PROCESS,
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_SOCKET_AND_UTILITY_PROCESS,
},
{
'cid': '{91775d60-d5dc-11d2-92fb-00e09805570f}',
'legacy_constructor': 'nsComponentManagerImpl::Create',
'headers': ['/xpcom/components/nsComponentManager.h'],
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS,
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS,
},
]

16
xpcom/components/gen_static_components.py
Просмотреть файл

@ -63,6 +63,7 @@ class ProcessSelector:
ALLOW_IN_VR_PROCESS = 0x8
ALLOW_IN_SOCKET_PROCESS = 0x10
ALLOW_IN_RDD_PROCESS = 0x20
ALLOW_IN_UTILITY_PROCESS = 0x30
ALLOW_IN_GPU_AND_MAIN_PROCESS = ALLOW_IN_GPU_PROCESS | MAIN_PROCESS_ONLY
ALLOW_IN_GPU_AND_SOCKET_PROCESS = ALLOW_IN_GPU_PROCESS | ALLOW_IN_SOCKET_PROCESS
ALLOW_IN_GPU_AND_VR_PROCESS = ALLOW_IN_GPU_PROCESS | ALLOW_IN_VR_PROCESS
@ -73,12 +74,25 @@ class ProcessSelector:
ALLOW_IN_GPU_RDD_AND_SOCKET_PROCESS = (
ALLOW_IN_GPU_PROCESS | ALLOW_IN_RDD_PROCESS | ALLOW_IN_SOCKET_PROCESS
)
ALLOW_IN_GPU_RDD_SOCKET_AND_UTILITY_PROCESS = (
ALLOW_IN_GPU_PROCESS
| ALLOW_IN_RDD_PROCESS
| ALLOW_IN_SOCKET_PROCESS
| ALLOW_IN_UTILITY_PROCESS
)
ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS = (
ALLOW_IN_GPU_PROCESS
| ALLOW_IN_RDD_PROCESS
| ALLOW_IN_VR_PROCESS
| ALLOW_IN_SOCKET_PROCESS
)
ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS = (
ALLOW_IN_GPU_PROCESS
| ALLOW_IN_RDD_PROCESS
| ALLOW_IN_VR_PROCESS
| ALLOW_IN_SOCKET_PROCESS
| ALLOW_IN_UTILITY_PROCESS
)
# Maps ProcessSelector constants to the name of the corresponding
@ -97,7 +111,9 @@ PROCESSES = {
ProcessSelector.ALLOW_IN_GPU_VR_AND_SOCKET_PROCESS: "ALLOW_IN_GPU_VR_AND_SOCKET_PROCESS",
ProcessSelector.ALLOW_IN_RDD_AND_SOCKET_PROCESS: "ALLOW_IN_RDD_AND_SOCKET_PROCESS",
ProcessSelector.ALLOW_IN_GPU_RDD_AND_SOCKET_PROCESS: "ALLOW_IN_GPU_RDD_AND_SOCKET_PROCESS",
ProcessSelector.ALLOW_IN_GPU_RDD_SOCKET_AND_UTILITY_PROCESS: "ALLOW_IN_GPU_RDD_SOCKET_AND_UTILITY_PROCESS", # NOQA: E501
ProcessSelector.ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS: "ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS", # NOQA: E501
ProcessSelector.ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS: "ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS", # NOQA: E501
}

12
xpcom/components/nsComponentManager.cpp
Просмотреть файл

@ -112,6 +112,10 @@ bool ProcessSelectorMatches(ProcessSelector aSelector) {
return !!(aSelector & Module::ALLOW_IN_VR_PROCESS);
}
if (type == GeckoProcessType_Utility) {
return !!(aSelector & Module::ALLOW_IN_UTILITY_PROCESS);
}
if (aSelector & Module::MAIN_PROCESS_ONLY) {
return type == GeckoProcessType_Default;
}
@ -340,10 +344,18 @@ nsresult nsComponentManagerImpl::Init() {
ProcessSelector::ALLOW_IN_GPU_RDD_AND_SOCKET_PROCESS)] =
ProcessSelectorMatches(
ProcessSelector::ALLOW_IN_GPU_RDD_AND_SOCKET_PROCESS);
gProcessMatchTable[size_t(
ProcessSelector::ALLOW_IN_GPU_RDD_SOCKET_AND_UTILITY_PROCESS)] =
ProcessSelectorMatches(
ProcessSelector::ALLOW_IN_GPU_RDD_SOCKET_AND_UTILITY_PROCESS);
gProcessMatchTable[size_t(
ProcessSelector::ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS)] =
ProcessSelectorMatches(
ProcessSelector::ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS);
gProcessMatchTable[size_t(
ProcessSelector::ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS)] =
ProcessSelectorMatches(
ProcessSelector::ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS);
}
MOZ_ASSERT(NOT_INITIALIZED == mStatus);

2
xpcom/ds/components.conf
Просмотреть файл

@ -18,6 +18,6 @@ Classes = [
'interfaces': ['nsIObserverService'],
'legacy_constructor': 'nsObserverService::Create',
'headers': ['/xpcom/ds/nsObserverService.h'],
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_VR_AND_SOCKET_PROCESS,
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_VR_SOCKET_AND_UTILITY_PROCESS,
},
]

14
xpcom/geckoprocesstypes_generator/geckoprocesstypes/__init__.py
Просмотреть файл

@ -30,6 +30,9 @@ from collections import namedtuple
# toolkit/crashreporter/CrashAnnotations.yaml
# - Add new Xxx*Status entry for your new process type description
#
# toolkit/components/telemetry/Histograms.json
# - Add entry in PROCESS_CRASH_SUBMIT_ATTEMPT
#
# toolkit/locales/en-US/toolkit/global/processTypes.ftl
# - Add a user-facing localizable name for your process, if needed
#
@ -323,4 +326,15 @@ process_types = [
"FORKSERVER",
False,
),
GeckoProcessType(
11,
"Utility",
"utility",
"Utility",
"Self",
"Utility",
"Utility",
"UTILITY",
True,
),
]

1
xpcom/system/nsIXULRuntime.idl
Просмотреть файл

@ -193,6 +193,7 @@ interface nsIXULRuntime : nsISupports
const unsigned long PROCESS_TYPE_SOCKET = 8;
const unsigned long PROCESS_TYPE_REMOTESANDBOXBROKER = 9;
const unsigned long PROCESS_TYPE_FORKSERVER = 10;
const unsigned long PROCESS_TYPE_UTILITY = 11;
/**
* The type of the caller's process. Returns one of the values above.

2
xpcom/threads/components.conf
Просмотреть файл

@ -16,6 +16,6 @@ Classes = [
'contract_ids': ['@mozilla.org/timer;1'],
'legacy_constructor': 'nsTimer::XPCOMConstructor',
'headers': ['/xpcom/threads/nsTimerImpl.h'],
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_AND_SOCKET_PROCESS,
'processes': ProcessSelector.ALLOW_IN_GPU_RDD_SOCKET_AND_UTILITY_PROCESS,
},
]