Backed out 4 changesets (bug 1644917, bug 1640345) for causing failures in browser_preferences_usage.js CLOSED TREE

Backed out changeset 0f8b6494d3eb (bug 1640345)
Backed out changeset 4da77f0a0687 (bug 1644917)
Backed out changeset 54904fe41df8 (bug 1644917)
Backed out changeset ef0321787c8f (bug 1644917)
Noemi Erli 2020-06-30 05:27:44 +03:00
Родитель e89722580c
Коммит 9c9875dead
4 изменённых файлов: 107 добавлений и 144 удалений


@ -8799,18 +8799,6 @@
mirror: always
#endif
#if defined(XP_LINUX) && defined(MOZ_SANDBOX)
# Run content processes in headless mode and disallow connections to
# the X server. Experimental; breaks WebGL and Flash, and requires
# `widget.disable-native-theme-for-content`. Changing it requires a
# restart because sandbox policy information dependent on it is cached.
# See bug 1640345 for details.
- name: security.sandbox.content.headless
type: bool
value: false
mirror: once
#endif
# When comparing schemes, if this pref is set, view-source URIs are reachable
# from same-protocol (so e.g. file: can link to view-source:file). This is
# required for reftests.


@ -12,11 +12,10 @@
#include "mozilla/Array.h"
#include "mozilla/ClearOnShutdown.h"
#include "mozilla/Preferences.h"
#include "mozilla/SandboxLaunch.h"
#include "mozilla/SandboxSettings.h"
#include "mozilla/StaticPrefs_security.h"
#include "mozilla/UniquePtr.h"
#include "mozilla/UniquePtrExtensions.h"
#include "mozilla/SandboxLaunch.h"
#include "mozilla/dom/ContentChild.h"
#include "nsPrintfCString.h"
#include "nsString.h"
@ -278,35 +277,17 @@ static void AddSharedMemoryPaths(SandboxBroker::Policy* aPolicy, pid_t aPid) {
}
}
static void AddDynamicPathList(SandboxBroker::Policy* policy,
const char* aPathListPref, int perms) {
nsAutoCString pathList;
nsresult rv = Preferences::GetCString(aPathListPref, pathList);
if (NS_SUCCEEDED(rv)) {
for (const nsACString& path : pathList.Split(',')) {
nsCString trimPath(path);
trimPath.Trim(" ", true, true);
policy->AddDynamic(perms, trimPath.get());
}
}
}
void SandboxBrokerPolicyFactory::InitContentPolicy() {
const bool headless =
StaticPrefs::security_sandbox_content_headless_AtStartup();
SandboxBrokerPolicyFactory::SandboxBrokerPolicyFactory() {
// Policy entries that are the same in every process go here, and
// are cached over the lifetime of the factory.
SandboxBroker::Policy* policy = new SandboxBroker::Policy;
// Write permssions
//
if (!headless) {
// Bug 1308851: NVIDIA proprietary driver when using WebGL
policy->AddFilePrefix(rdwr, "/dev", "nvidia");
// Bug 1308851: NVIDIA proprietary driver when using WebGL
policy->AddFilePrefix(rdwr, "/dev", "nvidia");
// Bug 1312678: Mesa with DRI when using WebGL
policy->AddDir(rdwr, "/dev/dri");
}
// Bug 1312678: radeonsi/Intel with DRI when using WebGL
policy->AddDir(rdwr, "/dev/dri");
// Bug 1575985: WASM library sandbox needs RW access to /dev/null
policy->AddPath(rdwr, "/dev/null");
@ -332,16 +313,12 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
policy->AddDir(rdonly, "/run/host/user-fonts");
policy->AddDir(rdonly, "/var/cache/fontconfig");
if (!headless) {
AddMesaSysfsPaths(policy);
}
AddMesaSysfsPaths(policy);
AddLdconfigPaths(policy);
AddLdLibraryEnvPaths(policy);
if (!headless) {
// Bug 1385715: NVIDIA PRIME support
policy->AddPath(rdonly, "/proc/modules");
}
// Bug 1385715: NVIDIA PRIME support
policy->AddPath(rdonly, "/proc/modules");
// Allow access to XDG_CONFIG_PATH and XDG_CONFIG_DIRS
if (const auto xdgConfigPath = PR_GetEnv("XDG_CONFIG_PATH")) {
@ -494,44 +471,87 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
}
#endif
if (!headless) {
// Allow Primus to contact the Bumblebee daemon to manage GPU
// switching on NVIDIA Optimus systems.
const char* bumblebeeSocket = PR_GetEnv("BUMBLEBEE_SOCKET");
if (bumblebeeSocket == nullptr) {
bumblebeeSocket = "/var/run/bumblebee.socket";
}
policy->AddPath(SandboxBroker::MAY_CONNECT, bumblebeeSocket);
// Allow Primus to contact the Bumblebee daemon to manage GPU
// switching on NVIDIA Optimus systems.
const char* bumblebeeSocket = PR_GetEnv("BUMBLEBEE_SOCKET");
if (bumblebeeSocket == nullptr) {
bumblebeeSocket = "/var/run/bumblebee.socket";
}
policy->AddPath(SandboxBroker::MAY_CONNECT, bumblebeeSocket);
#if defined(MOZ_WIDGET_GTK)
// Allow local X11 connections, for Primus and VirtualGL to contact
// the secondary X server. No exception for Wayland.
// Allow local X11 connections, for Primus and VirtualGL to contact
// the secondary X server. No exception for Wayland.
# if defined(MOZ_WAYLAND)
if (GDK_IS_X11_DISPLAY(gdk_display_get_default())) {
policy->AddPrefix(SandboxBroker::MAY_CONNECT, "/tmp/.X11-unix/X");
}
# else
if (GDK_IS_X11_DISPLAY(gdk_display_get_default())) {
policy->AddPrefix(SandboxBroker::MAY_CONNECT, "/tmp/.X11-unix/X");
# endif
if (const auto xauth = PR_GetEnv("XAUTHORITY")) {
policy->AddPath(rdonly, xauth);
}
#endif
}
# else
policy->AddPrefix(SandboxBroker::MAY_CONNECT, "/tmp/.X11-unix/X");
# endif
if (const auto xauth = PR_GetEnv("XAUTHORITY")) {
policy->AddPath(rdonly, xauth);
}
#endif
mCommonContentPolicy.reset(policy);
}
UniquePtr<SandboxBroker::Policy> SandboxBrokerPolicyFactory::GetContentPolicy(
int aPid, bool aFileProcess) {
// Policy entries that vary per-process (currently the only reason
// that can happen is because they contain the pid) are added here,
// as well as entries that depend on preferences or paths not available
// in early startup.
MOZ_ASSERT(NS_IsMainThread());
// The file broker is used at level 2 and up.
if (GetEffectiveContentSandboxLevel() <= 1) {
return nullptr;
}
MOZ_ASSERT(mCommonContentPolicy);
UniquePtr<SandboxBroker::Policy> policy(
new SandboxBroker::Policy(*mCommonContentPolicy));
const int level = GetEffectiveContentSandboxLevel();
// Read any extra paths that will get write permissions,
// configured by the user or distro
AddDynamicPathList(policy, "security.sandbox.content.write_path_whitelist",
rdwr);
AddDynamicPathList(policy.get(),
"security.sandbox.content.write_path_whitelist", rdwr);
// Whitelisted for reading by the user/distro
AddDynamicPathList(policy, "security.sandbox.content.read_path_whitelist",
rdonly);
AddDynamicPathList(policy.get(),
"security.sandbox.content.read_path_whitelist", rdonly);
// No read blocking at level 2 and below.
// file:// processes also get global read permissions
// This requires accessing user preferences so we can only do it now.
// Our constructor is initialized before user preferences are read in.
if (level <= 2 || aFileProcess) {
policy->AddDir(rdonly, "/");
// Any other read-only rules will be removed as redundant by
// Policy::FixRecursivePermissions, so there's no need to
// early-return here.
}
// Bug 1198550: the profiler's replacement for dl_iterate_phdr
policy->AddPath(rdonly, nsPrintfCString("/proc/%d/maps", aPid).get());
// Bug 1198552: memory reporting.
policy->AddPath(rdonly, nsPrintfCString("/proc/%d/statm", aPid).get());
policy->AddPath(rdonly, nsPrintfCString("/proc/%d/smaps", aPid).get());
// Bug 1384804, notably comment 15
// Used by libnuma, included by x265/ffmpeg, who falls back
// to get_mempolicy if this fails
policy->AddPath(rdonly, nsPrintfCString("/proc/%d/status", aPid).get());
// Add write permissions on the content process specific temporary dir.
nsCOMPtr<nsIFile> tmpDir;
rv = NS_GetSpecialDirectory(NS_APP_CONTENT_PROCESS_TEMP_DIR,
getter_AddRefs(tmpDir));
nsresult rv = NS_GetSpecialDirectory(NS_APP_CONTENT_PROCESS_TEMP_DIR,
getter_AddRefs(tmpDir));
if (NS_SUCCEEDED(rv)) {
nsAutoCString tmpPath;
rv = tmpDir->GetNativePath(tmpPath);
@ -541,7 +561,8 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
}
// userContent.css and the extensions dir sit in the profile, which is
// normally blocked.
// normally blocked and we can't get the profile dir earlier in startup,
// so this must happen here.
nsCOMPtr<nsIFile> profileDir;
rv = NS_GetSpecialDirectory(NS_APP_USER_PROFILE_50_DIR,
getter_AddRefs(profileDir));
@ -571,7 +592,6 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
}
}
const int level = GetEffectiveContentSandboxLevel();
bool allowPulse = false;
bool allowAlsa = false;
if (level < 4) {
@ -590,6 +610,8 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
if (allowPulse) {
policy->AddDir(rdwrcr, "/dev/shm");
} else {
AddSharedMemoryPaths(policy.get(), aPid);
}
#ifdef MOZ_WIDGET_GTK
@ -618,65 +640,31 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
// Bug 1434711 - AMDGPU-PRO crashes if it can't read it's marketing ids
// and various other things
if (!headless && HasAtiDrivers()) {
if (HasAtiDrivers()) {
policy->AddDir(rdonly, "/opt/amdgpu/share");
policy->AddPath(rdonly, "/sys/module/amdgpu");
// AMDGPU-PRO's MESA version likes to readlink a lot of things here
policy->AddDir(access, "/sys");
}
mCommonContentPolicy.reset(policy);
}
UniquePtr<SandboxBroker::Policy> SandboxBrokerPolicyFactory::GetContentPolicy(
int aPid, bool aFileProcess) {
// Policy entries that vary per-process (because they depend on the
// pid or content subtype) are added here.
MOZ_ASSERT(NS_IsMainThread());
const int level = GetEffectiveContentSandboxLevel();
// The file broker is used at level 2 and up.
if (level <= 1) {
return nullptr;
}
std::call_once(mContentInited, [this] { InitContentPolicy(); });
MOZ_ASSERT(mCommonContentPolicy);
UniquePtr<SandboxBroker::Policy> policy(
new SandboxBroker::Policy(*mCommonContentPolicy));
// No read blocking at level 2 and below.
// file:// processes also get global read permissions
if (level <= 2 || aFileProcess) {
policy->AddDir(rdonly, "/");
// Any other read-only rules will be removed as redundant by
// Policy::FixRecursivePermissions, so there's no need to
// early-return here.
}
// Access to /dev/shm is restricted to a per-process prefix to
// prevent interfering with other processes or with services outside
// the browser (e.g., PulseAudio).
AddSharedMemoryPaths(policy.get(), aPid);
// Bug 1198550: the profiler's replacement for dl_iterate_phdr
policy->AddPath(rdonly, nsPrintfCString("/proc/%d/maps", aPid).get());
// Bug 1198552: memory reporting.
policy->AddPath(rdonly, nsPrintfCString("/proc/%d/statm", aPid).get());
policy->AddPath(rdonly, nsPrintfCString("/proc/%d/smaps", aPid).get());
// Bug 1384804, notably comment 15
// Used by libnuma, included by x265/ffmpeg, who falls back
// to get_mempolicy if this fails
policy->AddPath(rdonly, nsPrintfCString("/proc/%d/status", aPid).get());
// Finalize the policy.
// Return the common policy.
policy->FixRecursivePermissions();
return policy;
}
void SandboxBrokerPolicyFactory::AddDynamicPathList(
SandboxBroker::Policy* policy, const char* aPathListPref, int perms) {
nsAutoCString pathList;
nsresult rv = Preferences::GetCString(aPathListPref, pathList);
if (NS_SUCCEEDED(rv)) {
for (const nsACString& path : pathList.Split(',')) {
nsCString trimPath(path);
trimPath.Trim(" ", true, true);
policy->AddDynamic(perms, trimPath.get());
}
}
}
/* static */ UniquePtr<SandboxBroker::Policy>
SandboxBrokerPolicyFactory::GetUtilityPolicy(int aPid) {
auto policy = MakeUnique<SandboxBroker::Policy>();
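Review bot: The restored static AddDynamicPathList near the top of this section forwards every comma-separated token of the `security.sandbox.content.*_path_whitelist` prefs to `policy->AddDynamic` after trimming spaces only, so an empty token from a trailing or doubled comma in a user- or distro-set pref, if `Split` yields one, reaches the policy as "" with rdwr or rdonly permissions; whether AddDynamic rejects an empty path is not visible here, so skip it in the loop with `if (trimPath.IsEmpty()) { continue; }` before the AddDynamic call. Tabs are not covered by `Trim(" ", true, true)` either, which deserves a comment if that is intentional. Separately, the constructor builds the cached common policy through a raw `new` and `mCommonContentPolicy.reset(policy)` while GetUtilityPolicy at the end of the section uses `MakeUnique`; `auto policy = MakeUnique<SandboxBroker::Policy>();` paired with `mCommonContentPolicy = std::move(policy);` (and `policy.get()` for the helpers that take a raw pointer) would make ownership explicit from the first line and keep the two factories consistent.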


@ -9,13 +9,11 @@
#include "mozilla/SandboxBroker.h"
#include <mutex>
namespace mozilla {
class SandboxBrokerPolicyFactory {
public:
SandboxBrokerPolicyFactory() = default;
SandboxBrokerPolicyFactory();
UniquePtr<SandboxBroker::Policy> GetContentPolicy(int aPid,
bool aFileProcess);
@ -25,9 +23,8 @@ class SandboxBrokerPolicyFactory {
private:
UniquePtr<const SandboxBroker::Policy> mCommonContentPolicy;
std::once_flag mContentInited;
void InitContentPolicy();
static void AddDynamicPathList(SandboxBroker::Policy* policy,
const char* aPathListPref, int perms);
};
} // namespace mozilla
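Review bot: The new-side declarations `SandboxBrokerPolicyFactory();` and `mCommonContentPolicy` carry no comment, so the header no longer says when the factory may be constructed or what the member holds. A comment on the member such as `// Built once by the constructor from environment and display state; GetContentPolicy copies it per process and adds pid- and preference-dependent entries` would capture the contract that the implementation file relies on. Since the `once_flag` and `#include <mutex>` are gone, it is also worth stating in that comment that the member is written only in the constructor and read on the main thread by GetContentPolicy.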


@ -33,7 +33,6 @@
#include "mozilla/SandboxSettings.h"
#include "mozilla/Services.h"
#include "mozilla/StaticPrefs_media.h"
#include "mozilla/StaticPrefs_security.h"
#include "mozilla/Unused.h"
#include "nsCOMPtr.h"
#include "nsDebug.h"
@ -171,16 +170,14 @@ static bool ContentNeedsSysVIPC() {
}
#endif
if (!StaticPrefs::security_sandbox_content_headless_AtStartup()) {
// Bug 1438391: VirtualGL uses SysV shm for images and configuration.
if (PR_GetEnv("VGL_ISACTIVE") != nullptr) {
return true;
}
// Bug 1438391: VirtualGL uses SysV shm for images and configuration.
if (PR_GetEnv("VGL_ISACTIVE") != nullptr) {
return true;
}
// The fglrx (ATI Catalyst) GPU drivers use SysV IPC.
if (HasAtiDrivers()) {
return true;
}
// The fglrx (ATI Catalyst) GPU drivers use SysV IPC.
if (HasAtiDrivers()) {
return true;
}
return false;
@ -296,10 +293,6 @@ void SandboxLaunchPrepare(GeckoProcessType aType,
} else {
flags |= CLONE_NEWIPC;
}
if (StaticPrefs::security_sandbox_content_headless_AtStartup()) {
aOptions->env_map["MOZ_HEADLESS"] = "1";
}
}
// Anything below this requires unprivileged user namespaces.
@ -324,14 +317,11 @@ void SandboxLaunchPrepare(GeckoProcessType aType,
case GeckoProcessType_Content:
if (level >= 4) {
canChroot = true;
// Unshare network namespace if allowed by graphics; see
// function definition above for details. (The display
// local-ness is cached because it won't change.)
static const bool canCloneNet =
StaticPrefs::security_sandbox_content_headless_AtStartup() ||
(IsDisplayLocal() && !PR_GetEnv("RENDERDOC_CAPTUREOPTS"));
IsDisplayLocal() && !PR_GetEnv("RENDERDOC_CAPTUREOPTS");
if (canCloneNet) {
flags |= CLONE_NEWNET;
}