diff --git a/dom/ipc/ContentProcess.cpp b/dom/ipc/ContentProcess.cpp
index 74a745e1a997..e3b89a4eb68a 100644
--- a/dom/ipc/ContentProcess.cpp
+++ b/dom/ipc/ContentProcess.cpp
@@ -14,6 +14,7 @@
 #if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
 #include
+#include "mozilla/Sandbox.h"
 #endif
 #if (defined(XP_WIN) || defined(XP_MACOSX)) && defined(MOZ_CONTENT_SANDBOX)
@@ -296,7 +297,13 @@ ContentProcess::Init(int aArgc, char* aArgv[])
 mXREEmbed.Start();
 #if (defined(XP_MACOSX)) && defined(MOZ_CONTENT_SANDBOX)
 mContent.SetProfileDir(profileDir);
-#endif
+#if defined(DEBUG)
+ if (IsContentSandboxEnabled() &&
+ Preferences::GetBool("security.sandbox.content.mac.earlyinit")) {
+ AssertMacSandboxEnabled();
+ }
+#endif /* DEBUG */
+#endif /* XP_MACOSX && MOZ_CONTENT_SANDBOX */
 #if defined(XP_WIN) && defined(MOZ_CONTENT_SANDBOX)
 SetUpSandboxEnvironment();
diff --git a/security/sandbox/mac/Sandbox.h b/security/sandbox/mac/Sandbox.h
index 2ea6784e6cc4..efa3e61cd283 100644
--- a/security/sandbox/mac/Sandbox.h
+++ b/security/sandbox/mac/Sandbox.h
@@ -78,6 +78,9 @@ namespace mozilla {
 bool StartMacSandbox(MacSandboxInfo const &aInfo, std::string &aErrorMessage);
 bool EarlyStartMacSandboxIfEnabled(int aArgc, char** aArgv, std::string &aErrorMessage);
+#ifdef DEBUG
+void AssertMacSandboxEnabled();
+#endif /* DEBUG */
 } // namespace mozilla
diff --git a/security/sandbox/mac/Sandbox.mm b/security/sandbox/mac/Sandbox.mm
index d57387783937..2ef3c29502ae 100644
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
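Review bot: The new DEBUG block in ContentProcess::Init decides whether to assert by re-reading `Preferences::GetBool("security.sandbox.content.mac.earlyinit")`, while the early-start path it is meant to verify, EarlyStartMacSandboxIfEnabled, takes aArgc/aArgv and so presumably derives its own decision from command-line state handed over by the parent process; if those two sources can disagree (a pref flipped after launch, or a launcher that did not forward it), the assertion either fires on a process that legitimately has no early sandbox or silently skips the check. If the two conditions are intended to be identical, that coupling deserves a comment at the `if`, e.g. `// Must stay in sync with the condition EarlyStartMacSandboxIfEnabled() uses to decide whether to sandbox at startup.`, or better, the sandbox module could expose that decision so Init does not duplicate it. The same hunk mixes `#if defined(DEBUG)` with the `#ifdef DEBUG` used in Sandbox.h; picking one form keeps the guards greppable. Init continues outside the hunk, and IsContentSandboxEnabled() is not declared anywhere in this diff.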
@@ -489,5 +489,20 @@ EarlyStartMacSandboxIfEnabled(int aArgc, char** aArgv,
 return StartMacSandbox(info, aErrorMessage);
 }
+#ifdef DEBUG
+/*
+ * Ensures that a process sandbox is enabled by attempting to enable
+ * a new sandbox policy and ASSERT'ing that this fails. This depends
+ * on sandbox_init() failing when called again after a sandbox has
+ * already been successfully enabled.
+ */
+void
+AssertMacSandboxEnabled()
+{
+ char *errorbuf = NULL;
+ int rv = sandbox_init("(version 1)(deny default)", 0, &errorbuf);
+ MOZ_ASSERT(rv != 0);
+}
+#endif /* DEBUG */
 } // namespace mozilla
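Review bot: AssertMacSandboxEnabled leaks the error string on its expected path: when sandbox_init() fails it returns an allocated message through errorbuf, which the new function never releases, so every debug content-process start that passes the assertion leaks it; add `if (errorbuf) { sandbox_free_error(errorbuf); }` between the call and the assert (before it, since MOZ_ASSERT aborts). The comment should also say what happens on the unexpected success path: the process is then running under a second `(deny default)` policy, which is tolerable only because MOZ_ASSERT terminates it, so the helper must not be lifted out of the DEBUG guard or have its assert softened. As a point of style, `char *errorbuf = NULL;` would read as `char* errorbuf = nullptr;` alongside the rest of the C++ in this file. The enclosing namespace is closed inside the hunk; nothing else in this file is visible here.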