Bug 1608558 - pt4 - use security.sandbox.socket.process.level for linux socket process sandbox. r=gcp

Differential Revision: https://phabricator.services.mozilla.com/D63716 --HG-- extra : moz-landing-system : lando
2020-03-09 14:57:13 +00:00 · 2020-03-09 14:57:13 +00:00 · 98301e7475
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@ -1101,6 +1101,12 @@ pref("dom.ipc.shims.enabledWarnings", false);
  // exotic configurations we can't reasonably support out of the box.
  //
  pref("security.sandbox.content.level", 4);
+  // Introduced as part of bug 1608558.  Linux is currently the only platform
+  // that uses a sandbox level for the socket process.  There are currently
+  // only 2 levels:
+  // 0 -> "no sandbox"
+  // 1 -> "sandboxed, allows socket operations and reading necessary certs"
+  pref("security.sandbox.socket.process.level", 1);
  pref("security.sandbox.content.write_path_whitelist", "");
  pref("security.sandbox.content.read_path_whitelist", "");
  pref("security.sandbox.content.syscall_whitelist", "");
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@ -7945,6 +7945,12 @@
  mirror: always
  do_not_use_directly: true # Consumers should use SandboxSettings to ask.

+- name: security.sandbox.socket.process.level
+  type: int32_t
+  value: 0
+  mirror: always
+  do_not_use_directly: true # Consumers should use SandboxSettings to ask.
+
 #if defined(XP_WIN) && defined(MOZ_SANDBOX)
  # Whether win32k is disabled for content processes.
  # true means win32k system calls are not permitted.
--- a/security/sandbox/common/SandboxSettings.cpp
+++ b/security/sandbox/common/SandboxSettings.cpp
@ -41,6 +41,17 @@ int GetEffectiveContentSandboxLevel() {

 bool IsContentSandboxEnabled() { return GetEffectiveContentSandboxLevel() > 0; }

+int GetEffectiveSocketProcessSandboxLevel() {
+  if (PR_GetEnv("MOZ_DISABLE_SOCKET_PROCESS_SANDBOX")) {
+    return 0;
+  }
+
+  int level =
+      StaticPrefs::security_sandbox_socket_process_level_DoNotUseDirectly();
+
+  return level;
+}
+
 #if defined(XP_MACOSX)
 int ClampFlashSandboxLevel(const int aLevel) {
  const int minLevel = 0;
--- a/security/sandbox/common/SandboxSettings.h
+++ b/security/sandbox/common/SandboxSettings.h
@ -13,6 +13,7 @@ namespace mozilla {
 // minimum allowed level. Returns 0 (disabled) if the env var
 // MOZ_DISABLE_CONTENT_SANDBOX is set.
 int GetEffectiveContentSandboxLevel();
+int GetEffectiveSocketProcessSandboxLevel();

 // Checks whether the effective content sandbox level is > 0.
 bool IsContentSandboxEnabled();
--- a/security/sandbox/linux/launch/SandboxLaunch.cpp
+++ b/security/sandbox/linux/launch/SandboxLaunch.cpp
@ -250,7 +250,9 @@ static int GetEffectiveSandboxLevel(GeckoProcessType aType) {
    case GeckoProcessType_RDD:
      return PR_GetEnv("MOZ_DISABLE_RDD_SANDBOX") == nullptr ? 1 : 0;
    case GeckoProcessType_Socket:
-      return PR_GetEnv("MOZ_DISABLE_SOCKET_PROCESS_SANDBOX") == nullptr ? 1 : 0;
+      // GetEffectiveSocketProcessSandboxLevel is main-thread-only due to prefs.
+      MOZ_ASSERT(NS_IsMainThread());
+      return GetEffectiveSocketProcessSandboxLevel();
    default:
      return 0;
  }