Bug 1098428 - Add Linux sandboxing information to Telemetry. r=gfritzsche

MozReview-Commit-ID: GtIPsRqq5hr --HG-- extra : rebase_source : 6b918e5119f15536c9437c27cfee413577268b78
2016-05-18 18:37:44 +02:00 · 2016-05-18 18:37:44 +02:00 · 42b1907a65
--- a/security/sandbox/linux/common/SandboxInfo.cpp
+++ b/security/sandbox/linux/common/SandboxInfo.cpp
@ -19,6 +19,7 @@
 #include "base/posix/eintr_wrapper.h"
 #include "mozilla/Assertions.h"
 #include "mozilla/ArrayUtils.h"
+#include "mozilla/Telemetry.h"
 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
 #include "sandbox/linux/services/linux_syscalls.h"

@ -254,4 +255,28 @@ SandboxInfo::ThreadingCheck()
  sSingleton.mFlags = static_cast<Flags>(flags);
 }

+/* static */ void
+SandboxInfo::SubmitTelemetry()
+{
+  SandboxInfo sandboxInfo = Get();
+  Telemetry::Accumulate(
+    Telemetry::SANDBOX_CAPABILITIES_SECCOMP_BPF,
+    sandboxInfo.Test(SandboxInfo::kHasSeccompBPF));
+  Telemetry::Accumulate(
+    Telemetry::SANDBOX_CAPABILITIES_SECCOMP_TSYNC,
+    sandboxInfo.Test(SandboxInfo::kHasSeccompTSync));
+  Telemetry::Accumulate(
+    Telemetry::SANDBOX_CAPABILITIES_USER_NAMESPACES_PRIVILEGED,
+    sandboxInfo.Test(SandboxInfo::kHasPrivilegedUserNamespaces));
+  Telemetry::Accumulate(
+    Telemetry::SANDBOX_CAPABILITIES_USER_NAMESPACES,
+    sandboxInfo.Test(SandboxInfo::kHasUserNamespaces));
+  Telemetry::Accumulate(
+    Telemetry::SANDBOX_CAPABILITIES_ENABLED_CONTENT,
+    sandboxInfo.Test(SandboxInfo::kEnabledForContent));
+  Telemetry::Accumulate(
+    Telemetry::SANDBOX_CAPABILITIES_ENABLED_MEDIA,
+    sandboxInfo.Test(SandboxInfo::kEnabledForMedia));
+}
+
 } // namespace mozilla
--- a/security/sandbox/linux/common/SandboxInfo.h
+++ b/security/sandbox/linux/common/SandboxInfo.h
@ -57,6 +57,8 @@ public:
    return !Test(kEnabledForMedia) || Test(kHasSeccompBPF);
  }

+  static void SubmitTelemetry();
+
  // For bug 1222500 or anything else like it: On desktop, this is
  // called in the parent process at a point when it should still be
  // single-threaded, to check that the SandboxEarlyInit() call in a
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@ -10740,6 +10740,54 @@
    "kind": "boolean",
    "description": "Result of call to SandboxBroker::Initialize"
  },
+  "SANDBOX_CAPABILITIES_SECCOMP_BPF": {
+    "alert_emails": ["gcp@mozilla.com"],
+    "bug_numbers": [1098428],
+    "expires_in_version": "55",
+    "kind": "flag",
+    "cpp_guard": "XP_LINUX",
+    "description": "Whether the system has seccomp-bpf capability"
+  },
+  "SANDBOX_CAPABILITIES_SECCOMP_TSYNC": {
+    "alert_emails": ["gcp@mozilla.com"],
+    "bug_numbers": [1098428],
+    "expires_in_version": "55",
+    "kind": "flag",
+    "cpp_guard": "XP_LINUX",
+    "description": "Whether the system has seccomp-bpf thread-sync capability"
+  },
+  "SANDBOX_CAPABILITIES_USER_NAMESPACES": {
+    "alert_emails": ["gcp@mozilla.com"],
+    "bug_numbers": [1098428],
+    "expires_in_version": "55",
+    "kind": "flag",
+    "cpp_guard": "XP_LINUX",
+    "description": "Whether our process succedeed in creating a user namespace"
+  },
+  "SANDBOX_CAPABILITIES_USER_NAMESPACES_PRIVILEGED": {
+    "alert_emails": ["gcp@mozilla.com"],
+    "bug_numbers": [1098428],
+    "expires_in_version": "55",
+    "kind": "flag",
+    "cpp_guard": "XP_LINUX",
+    "description": "Whether the system has the capability to create privileged user namespaces"
+  },
+ "SANDBOX_CAPABILITIES_ENABLED_MEDIA": {
+    "alert_emails": ["gcp@mozilla.com"],
+    "bug_numbers": [1098428],
+    "expires_in_version": "55",
+    "kind": "flag",
+    "cpp_guard": "XP_LINUX",
+    "description": "Whether the sandbox is enabled for media/GMP plugins"
+  },
+ "SANDBOX_CAPABILITIES_ENABLED_CONTENT": {
+    "alert_emails": ["gcp@mozilla.com"],
+    "bug_numbers": [1098428],
+    "expires_in_version": "55",
+    "kind": "flag",
+    "cpp_guard": "XP_LINUX",
+    "description": "Whether the sandbox is enabled for the content process"
+  },
  "SYNC_WORKER_OPERATION": {
    "alert_emails": ["amarchesini@mozilla.com", "khuey@mozilla.com" ],
    "bug_numbers": [1267904],
--- a/toolkit/xre/nsAppRunner.cpp
+++ b/toolkit/xre/nsAppRunner.cpp
@ -4361,6 +4361,11 @@ XREMain::XRE_mainRun()
  }
 #endif /* MOZ_INSTRUMENT_EVENT_LOOP */

+#if defined(MOZ_SANDBOX) && defined(XP_LINUX)
+  // If we're on Linux, we now have information about the OS capabilities
+  // available to us.
+  SandboxInfo::SubmitTelemetry();
+#endif
 #if (defined(XP_WIN) || defined(XP_MACOSX)) && defined(MOZ_CONTENT_SANDBOX)
  SetUpSandboxEnvironment();
 #endif