Backed out 4 changesets (bug 1644917, bug 1640345) for causing failures in browser_preferences_usage.js CLOSED TREE
Backed out changeset 0f8b6494d3eb (bug 1640345) Backed out changeset 4da77f0a0687 (bug 1644917) Backed out changeset 54904fe41df8 (bug 1644917) Backed out changeset ef0321787c8f (bug 1644917)
This commit is contained in:
Родитель
e89722580c
Коммит
9c9875dead
|
@ -8799,18 +8799,6 @@
|
|||
mirror: always
|
||||
#endif
|
||||
|
||||
#if defined(XP_LINUX) && defined(MOZ_SANDBOX)
|
||||
# Run content processes in headless mode and disallow connections to
|
||||
# the X server. Experimental; breaks WebGL and Flash, and requires
|
||||
# `widget.disable-native-theme-for-content`. Changing it requires a
|
||||
# restart because sandbox policy information dependent on it is cached.
|
||||
# See bug 1640345 for details.
|
||||
- name: security.sandbox.content.headless
|
||||
type: bool
|
||||
value: false
|
||||
mirror: once
|
||||
#endif
|
||||
|
||||
# When comparing schemes, if this pref is set, view-source URIs are reachable
|
||||
# from same-protocol (so e.g. file: can link to view-source:file). This is
|
||||
# required for reftests.
|
||||
|
|
|
@ -12,11 +12,10 @@
|
|||
#include "mozilla/Array.h"
|
||||
#include "mozilla/ClearOnShutdown.h"
|
||||
#include "mozilla/Preferences.h"
|
||||
#include "mozilla/SandboxLaunch.h"
|
||||
#include "mozilla/SandboxSettings.h"
|
||||
#include "mozilla/StaticPrefs_security.h"
|
||||
#include "mozilla/UniquePtr.h"
|
||||
#include "mozilla/UniquePtrExtensions.h"
|
||||
#include "mozilla/SandboxLaunch.h"
|
||||
#include "mozilla/dom/ContentChild.h"
|
||||
#include "nsPrintfCString.h"
|
||||
#include "nsString.h"
|
||||
|
@ -278,35 +277,17 @@ static void AddSharedMemoryPaths(SandboxBroker::Policy* aPolicy, pid_t aPid) {
|
|||
}
|
||||
}
|
||||
|
||||
static void AddDynamicPathList(SandboxBroker::Policy* policy,
|
||||
const char* aPathListPref, int perms) {
|
||||
nsAutoCString pathList;
|
||||
nsresult rv = Preferences::GetCString(aPathListPref, pathList);
|
||||
if (NS_SUCCEEDED(rv)) {
|
||||
for (const nsACString& path : pathList.Split(',')) {
|
||||
nsCString trimPath(path);
|
||||
trimPath.Trim(" ", true, true);
|
||||
policy->AddDynamic(perms, trimPath.get());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void SandboxBrokerPolicyFactory::InitContentPolicy() {
|
||||
const bool headless =
|
||||
StaticPrefs::security_sandbox_content_headless_AtStartup();
|
||||
|
||||
SandboxBrokerPolicyFactory::SandboxBrokerPolicyFactory() {
|
||||
// Policy entries that are the same in every process go here, and
|
||||
// are cached over the lifetime of the factory.
|
||||
SandboxBroker::Policy* policy = new SandboxBroker::Policy;
|
||||
// Write permssions
|
||||
//
|
||||
if (!headless) {
|
||||
// Bug 1308851: NVIDIA proprietary driver when using WebGL
|
||||
policy->AddFilePrefix(rdwr, "/dev", "nvidia");
|
||||
// Bug 1308851: NVIDIA proprietary driver when using WebGL
|
||||
policy->AddFilePrefix(rdwr, "/dev", "nvidia");
|
||||
|
||||
// Bug 1312678: Mesa with DRI when using WebGL
|
||||
policy->AddDir(rdwr, "/dev/dri");
|
||||
}
|
||||
// Bug 1312678: radeonsi/Intel with DRI when using WebGL
|
||||
policy->AddDir(rdwr, "/dev/dri");
|
||||
|
||||
// Bug 1575985: WASM library sandbox needs RW access to /dev/null
|
||||
policy->AddPath(rdwr, "/dev/null");
|
||||
|
@ -332,16 +313,12 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
|
|||
policy->AddDir(rdonly, "/run/host/user-fonts");
|
||||
policy->AddDir(rdonly, "/var/cache/fontconfig");
|
||||
|
||||
if (!headless) {
|
||||
AddMesaSysfsPaths(policy);
|
||||
}
|
||||
AddMesaSysfsPaths(policy);
|
||||
AddLdconfigPaths(policy);
|
||||
AddLdLibraryEnvPaths(policy);
|
||||
|
||||
if (!headless) {
|
||||
// Bug 1385715: NVIDIA PRIME support
|
||||
policy->AddPath(rdonly, "/proc/modules");
|
||||
}
|
||||
// Bug 1385715: NVIDIA PRIME support
|
||||
policy->AddPath(rdonly, "/proc/modules");
|
||||
|
||||
// Allow access to XDG_CONFIG_PATH and XDG_CONFIG_DIRS
|
||||
if (const auto xdgConfigPath = PR_GetEnv("XDG_CONFIG_PATH")) {
|
||||
|
@ -494,44 +471,87 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
|
|||
}
|
||||
#endif
|
||||
|
||||
if (!headless) {
|
||||
// Allow Primus to contact the Bumblebee daemon to manage GPU
|
||||
// switching on NVIDIA Optimus systems.
|
||||
const char* bumblebeeSocket = PR_GetEnv("BUMBLEBEE_SOCKET");
|
||||
if (bumblebeeSocket == nullptr) {
|
||||
bumblebeeSocket = "/var/run/bumblebee.socket";
|
||||
}
|
||||
policy->AddPath(SandboxBroker::MAY_CONNECT, bumblebeeSocket);
|
||||
// Allow Primus to contact the Bumblebee daemon to manage GPU
|
||||
// switching on NVIDIA Optimus systems.
|
||||
const char* bumblebeeSocket = PR_GetEnv("BUMBLEBEE_SOCKET");
|
||||
if (bumblebeeSocket == nullptr) {
|
||||
bumblebeeSocket = "/var/run/bumblebee.socket";
|
||||
}
|
||||
policy->AddPath(SandboxBroker::MAY_CONNECT, bumblebeeSocket);
|
||||
|
||||
#if defined(MOZ_WIDGET_GTK)
|
||||
// Allow local X11 connections, for Primus and VirtualGL to contact
|
||||
// the secondary X server. No exception for Wayland.
|
||||
// Allow local X11 connections, for Primus and VirtualGL to contact
|
||||
// the secondary X server. No exception for Wayland.
|
||||
# if defined(MOZ_WAYLAND)
|
||||
if (GDK_IS_X11_DISPLAY(gdk_display_get_default())) {
|
||||
policy->AddPrefix(SandboxBroker::MAY_CONNECT, "/tmp/.X11-unix/X");
|
||||
}
|
||||
# else
|
||||
if (GDK_IS_X11_DISPLAY(gdk_display_get_default())) {
|
||||
policy->AddPrefix(SandboxBroker::MAY_CONNECT, "/tmp/.X11-unix/X");
|
||||
# endif
|
||||
if (const auto xauth = PR_GetEnv("XAUTHORITY")) {
|
||||
policy->AddPath(rdonly, xauth);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
# else
|
||||
policy->AddPrefix(SandboxBroker::MAY_CONNECT, "/tmp/.X11-unix/X");
|
||||
# endif
|
||||
if (const auto xauth = PR_GetEnv("XAUTHORITY")) {
|
||||
policy->AddPath(rdonly, xauth);
|
||||
}
|
||||
#endif
|
||||
|
||||
mCommonContentPolicy.reset(policy);
|
||||
}
|
||||
|
||||
UniquePtr<SandboxBroker::Policy> SandboxBrokerPolicyFactory::GetContentPolicy(
|
||||
int aPid, bool aFileProcess) {
|
||||
// Policy entries that vary per-process (currently the only reason
|
||||
// that can happen is because they contain the pid) are added here,
|
||||
// as well as entries that depend on preferences or paths not available
|
||||
// in early startup.
|
||||
|
||||
MOZ_ASSERT(NS_IsMainThread());
|
||||
// The file broker is used at level 2 and up.
|
||||
if (GetEffectiveContentSandboxLevel() <= 1) {
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
MOZ_ASSERT(mCommonContentPolicy);
|
||||
UniquePtr<SandboxBroker::Policy> policy(
|
||||
new SandboxBroker::Policy(*mCommonContentPolicy));
|
||||
|
||||
const int level = GetEffectiveContentSandboxLevel();
|
||||
|
||||
// Read any extra paths that will get write permissions,
|
||||
// configured by the user or distro
|
||||
AddDynamicPathList(policy, "security.sandbox.content.write_path_whitelist",
|
||||
rdwr);
|
||||
AddDynamicPathList(policy.get(),
|
||||
"security.sandbox.content.write_path_whitelist", rdwr);
|
||||
|
||||
// Whitelisted for reading by the user/distro
|
||||
AddDynamicPathList(policy, "security.sandbox.content.read_path_whitelist",
|
||||
rdonly);
|
||||
AddDynamicPathList(policy.get(),
|
||||
"security.sandbox.content.read_path_whitelist", rdonly);
|
||||
|
||||
// No read blocking at level 2 and below.
|
||||
// file:// processes also get global read permissions
|
||||
// This requires accessing user preferences so we can only do it now.
|
||||
// Our constructor is initialized before user preferences are read in.
|
||||
if (level <= 2 || aFileProcess) {
|
||||
policy->AddDir(rdonly, "/");
|
||||
// Any other read-only rules will be removed as redundant by
|
||||
// Policy::FixRecursivePermissions, so there's no need to
|
||||
// early-return here.
|
||||
}
|
||||
|
||||
// Bug 1198550: the profiler's replacement for dl_iterate_phdr
|
||||
policy->AddPath(rdonly, nsPrintfCString("/proc/%d/maps", aPid).get());
|
||||
|
||||
// Bug 1198552: memory reporting.
|
||||
policy->AddPath(rdonly, nsPrintfCString("/proc/%d/statm", aPid).get());
|
||||
policy->AddPath(rdonly, nsPrintfCString("/proc/%d/smaps", aPid).get());
|
||||
|
||||
// Bug 1384804, notably comment 15
|
||||
// Used by libnuma, included by x265/ffmpeg, who falls back
|
||||
// to get_mempolicy if this fails
|
||||
policy->AddPath(rdonly, nsPrintfCString("/proc/%d/status", aPid).get());
|
||||
|
||||
// Add write permissions on the content process specific temporary dir.
|
||||
nsCOMPtr<nsIFile> tmpDir;
|
||||
rv = NS_GetSpecialDirectory(NS_APP_CONTENT_PROCESS_TEMP_DIR,
|
||||
getter_AddRefs(tmpDir));
|
||||
nsresult rv = NS_GetSpecialDirectory(NS_APP_CONTENT_PROCESS_TEMP_DIR,
|
||||
getter_AddRefs(tmpDir));
|
||||
if (NS_SUCCEEDED(rv)) {
|
||||
nsAutoCString tmpPath;
|
||||
rv = tmpDir->GetNativePath(tmpPath);
|
||||
|
@ -541,7 +561,8 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
|
|||
}
|
||||
|
||||
// userContent.css and the extensions dir sit in the profile, which is
|
||||
// normally blocked.
|
||||
// normally blocked and we can't get the profile dir earlier in startup,
|
||||
// so this must happen here.
|
||||
nsCOMPtr<nsIFile> profileDir;
|
||||
rv = NS_GetSpecialDirectory(NS_APP_USER_PROFILE_50_DIR,
|
||||
getter_AddRefs(profileDir));
|
||||
|
@ -571,7 +592,6 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
|
|||
}
|
||||
}
|
||||
|
||||
const int level = GetEffectiveContentSandboxLevel();
|
||||
bool allowPulse = false;
|
||||
bool allowAlsa = false;
|
||||
if (level < 4) {
|
||||
|
@ -590,6 +610,8 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
|
|||
|
||||
if (allowPulse) {
|
||||
policy->AddDir(rdwrcr, "/dev/shm");
|
||||
} else {
|
||||
AddSharedMemoryPaths(policy.get(), aPid);
|
||||
}
|
||||
|
||||
#ifdef MOZ_WIDGET_GTK
|
||||
|
@ -618,65 +640,31 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
|
|||
|
||||
// Bug 1434711 - AMDGPU-PRO crashes if it can't read it's marketing ids
|
||||
// and various other things
|
||||
if (!headless && HasAtiDrivers()) {
|
||||
if (HasAtiDrivers()) {
|
||||
policy->AddDir(rdonly, "/opt/amdgpu/share");
|
||||
policy->AddPath(rdonly, "/sys/module/amdgpu");
|
||||
// AMDGPU-PRO's MESA version likes to readlink a lot of things here
|
||||
policy->AddDir(access, "/sys");
|
||||
}
|
||||
|
||||
mCommonContentPolicy.reset(policy);
|
||||
}
|
||||
|
||||
UniquePtr<SandboxBroker::Policy> SandboxBrokerPolicyFactory::GetContentPolicy(
|
||||
int aPid, bool aFileProcess) {
|
||||
// Policy entries that vary per-process (because they depend on the
|
||||
// pid or content subtype) are added here.
|
||||
|
||||
MOZ_ASSERT(NS_IsMainThread());
|
||||
|
||||
const int level = GetEffectiveContentSandboxLevel();
|
||||
// The file broker is used at level 2 and up.
|
||||
if (level <= 1) {
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
std::call_once(mContentInited, [this] { InitContentPolicy(); });
|
||||
MOZ_ASSERT(mCommonContentPolicy);
|
||||
UniquePtr<SandboxBroker::Policy> policy(
|
||||
new SandboxBroker::Policy(*mCommonContentPolicy));
|
||||
|
||||
// No read blocking at level 2 and below.
|
||||
// file:// processes also get global read permissions
|
||||
if (level <= 2 || aFileProcess) {
|
||||
policy->AddDir(rdonly, "/");
|
||||
// Any other read-only rules will be removed as redundant by
|
||||
// Policy::FixRecursivePermissions, so there's no need to
|
||||
// early-return here.
|
||||
}
|
||||
|
||||
// Access to /dev/shm is restricted to a per-process prefix to
|
||||
// prevent interfering with other processes or with services outside
|
||||
// the browser (e.g., PulseAudio).
|
||||
AddSharedMemoryPaths(policy.get(), aPid);
|
||||
|
||||
// Bug 1198550: the profiler's replacement for dl_iterate_phdr
|
||||
policy->AddPath(rdonly, nsPrintfCString("/proc/%d/maps", aPid).get());
|
||||
|
||||
// Bug 1198552: memory reporting.
|
||||
policy->AddPath(rdonly, nsPrintfCString("/proc/%d/statm", aPid).get());
|
||||
policy->AddPath(rdonly, nsPrintfCString("/proc/%d/smaps", aPid).get());
|
||||
|
||||
// Bug 1384804, notably comment 15
|
||||
// Used by libnuma, included by x265/ffmpeg, who falls back
|
||||
// to get_mempolicy if this fails
|
||||
policy->AddPath(rdonly, nsPrintfCString("/proc/%d/status", aPid).get());
|
||||
|
||||
// Finalize the policy.
|
||||
// Return the common policy.
|
||||
policy->FixRecursivePermissions();
|
||||
return policy;
|
||||
}
|
||||
|
||||
void SandboxBrokerPolicyFactory::AddDynamicPathList(
|
||||
SandboxBroker::Policy* policy, const char* aPathListPref, int perms) {
|
||||
nsAutoCString pathList;
|
||||
nsresult rv = Preferences::GetCString(aPathListPref, pathList);
|
||||
if (NS_SUCCEEDED(rv)) {
|
||||
for (const nsACString& path : pathList.Split(',')) {
|
||||
nsCString trimPath(path);
|
||||
trimPath.Trim(" ", true, true);
|
||||
policy->AddDynamic(perms, trimPath.get());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* static */ UniquePtr<SandboxBroker::Policy>
|
||||
SandboxBrokerPolicyFactory::GetUtilityPolicy(int aPid) {
|
||||
auto policy = MakeUnique<SandboxBroker::Policy>();
|
||||
|
|
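Review bot: The restored constructor `SandboxBrokerPolicyFactory::SandboxBrokerPolicyFactory()` (hunk `-278,35 +277,17`) holds the common policy as a raw owning pointer from `SandboxBroker::Policy* policy = new SandboxBroker::Policy;` until `mCommonContentPolicy.reset(policy);` roughly two hundred lines later, which is inconsistent with `GetUtilityPolicy` in the same file (`auto policy = MakeUnique<SandboxBroker::Policy>();`). Holding it as `auto policy = MakeUnique<SandboxBroker::Policy>();` and finishing with `mCommonContentPolicy = std::move(policy);` makes ownership explicit and removes the manual hand-off (assuming mozilla::UniquePtr's converting move accepts the added `const`, which I believe it does); helpers such as `AddMesaSysfsPaths(policy)` would then take `policy.get()`, as `AddSharedMemoryPaths(policy.get(), aPid)` already does. The constructor's body runs past the end of that hunk. Separately, in the restored `GetContentPolicy`, `GetEffectiveContentSandboxLevel()` is called once for the `<= 1` early return and again for `const int level`; computing `level` once before the early return, `const int level = GetEffectiveContentSandboxLevel(); if (level <= 1) { return nullptr; }`, is cheaper and reads more clearly.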
|
@ -9,13 +9,11 @@
|
|||
|
||||
#include "mozilla/SandboxBroker.h"
|
||||
|
||||
#include <mutex>
|
||||
|
||||
namespace mozilla {
|
||||
|
||||
class SandboxBrokerPolicyFactory {
|
||||
public:
|
||||
SandboxBrokerPolicyFactory() = default;
|
||||
SandboxBrokerPolicyFactory();
|
||||
|
||||
UniquePtr<SandboxBroker::Policy> GetContentPolicy(int aPid,
|
||||
bool aFileProcess);
|
||||
|
@ -25,9 +23,8 @@ class SandboxBrokerPolicyFactory {
|
|||
|
||||
private:
|
||||
UniquePtr<const SandboxBroker::Policy> mCommonContentPolicy;
|
||||
std::once_flag mContentInited;
|
||||
|
||||
void InitContentPolicy();
|
||||
static void AddDynamicPathList(SandboxBroker::Policy* policy,
|
||||
const char* aPathListPref, int perms);
|
||||
};
|
||||
|
||||
} // namespace mozilla
|
||||
|
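Review bot: The restored declaration `SandboxBrokerPolicyFactory();` (hunk `-9,13 +9,11`) replaces the defaulted constructor with one that does real work, but the header gives no hint of what it builds or when it is allowed to run. The .cpp's `GetContentPolicy` comment says the constructor runs before user preferences are read in, so that constraint belongs at the declaration, e.g. `// Builds the process-independent part of the content policy (mCommonContentPolicy). Runs before user prefs are available, so it must not read preferences.` The `mCommonContentPolicy` member in the second hunk would likewise benefit from a one-liner noting it is the cached base that `GetContentPolicy` copies and extends per process.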
|
|
@ -33,7 +33,6 @@
|
|||
#include "mozilla/SandboxSettings.h"
|
||||
#include "mozilla/Services.h"
|
||||
#include "mozilla/StaticPrefs_media.h"
|
||||
#include "mozilla/StaticPrefs_security.h"
|
||||
#include "mozilla/Unused.h"
|
||||
#include "nsCOMPtr.h"
|
||||
#include "nsDebug.h"
|
||||
|
@ -171,16 +170,14 @@ static bool ContentNeedsSysVIPC() {
|
|||
}
|
||||
#endif
|
||||
|
||||
if (!StaticPrefs::security_sandbox_content_headless_AtStartup()) {
|
||||
// Bug 1438391: VirtualGL uses SysV shm for images and configuration.
|
||||
if (PR_GetEnv("VGL_ISACTIVE") != nullptr) {
|
||||
return true;
|
||||
}
|
||||
// Bug 1438391: VirtualGL uses SysV shm for images and configuration.
|
||||
if (PR_GetEnv("VGL_ISACTIVE") != nullptr) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// The fglrx (ATI Catalyst) GPU drivers use SysV IPC.
|
||||
if (HasAtiDrivers()) {
|
||||
return true;
|
||||
}
|
||||
// The fglrx (ATI Catalyst) GPU drivers use SysV IPC.
|
||||
if (HasAtiDrivers()) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
|
@ -296,10 +293,6 @@ void SandboxLaunchPrepare(GeckoProcessType aType,
|
|||
} else {
|
||||
flags |= CLONE_NEWIPC;
|
||||
}
|
||||
|
||||
if (StaticPrefs::security_sandbox_content_headless_AtStartup()) {
|
||||
aOptions->env_map["MOZ_HEADLESS"] = "1";
|
||||
}
|
||||
}
|
||||
|
||||
// Anything below this requires unprivileged user namespaces.
|
||||
|
@ -324,14 +317,11 @@ void SandboxLaunchPrepare(GeckoProcessType aType,
|
|||
case GeckoProcessType_Content:
|
||||
if (level >= 4) {
|
||||
canChroot = true;
|
||||
|
||||
// Unshare network namespace if allowed by graphics; see
|
||||
// function definition above for details. (The display
|
||||
// local-ness is cached because it won't change.)
|
||||
static const bool canCloneNet =
|
||||
StaticPrefs::security_sandbox_content_headless_AtStartup() ||
|
||||
(IsDisplayLocal() && !PR_GetEnv("RENDERDOC_CAPTUREOPTS"));
|
||||
|
||||
IsDisplayLocal() && !PR_GetEnv("RENDERDOC_CAPTUREOPTS");
|
||||
if (canCloneNet) {
|
||||
flags |= CLONE_NEWNET;
|
||||
}
|
||||
|
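Review bot: In `ContentNeedsSysVIPC` (hunk `-171,16 +170,14`), the two restored early returns (`PR_GetEnv("VGL_ISACTIVE") != nullptr` and `HasAtiDrivers()`) decide purely from the host environment and driver detection, and the inline comments say why each exists but not what a `true` result costs. Given the `flags |= CLONE_NEWIPC;` else-branch further down in `SandboxLaunchPrepare`, a `true` result appears to keep the content process in the parent's IPC namespace; a header comment such as `// Returns true when the content process must keep the parent's SysV IPC namespace (no CLONE_NEWIPC). Each case below weakens isolation, so add new ones sparingly.` would make that trade-off visible at the decision point. The function's opening lines are outside this hunk.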
|