Bug 1426100 - disable native event processing in content processes on macOS; r=haik

We originally thought that this would enable us to disconnect from the windowserver local service (which is a significant sandbox escape risk), however investigations revealed that that requires changes to WebGL and thus will be handled separately. This also corrects an incorrect usage of the (undocumented) APIs for closing windowserver connections. If CGSSetDenyWindowServerConnections is called while there are open connections it is a no-op, so it must be called after disconnecting any open connections. Differential Revision: https://phabricator.services.mozilla.com/D2478 --HG-- extra : moz-landing-system : lando
2018-08-02 15:18:51 +00:00 · 2018-08-02 15:18:51 +00:00 · a826b27def
--- a/dom/ipc/ContentChild.cpp
+++ b/dom/ipc/ContentChild.cpp
@ -1619,7 +1619,8 @@ GetDirectoryPath(const char *aPath) {
 #endif // DEBUG

 extern "C" {
-void CGSSetDenyWindowServerConnections(bool);
+CGError
+CGSSetDenyWindowServerConnections(bool);
 void CGSShutdownServerConnections();
 };

@ -1631,13 +1632,15 @@ StartMacOSContentSandbox()
    return false;
  }

-  if (!XRE_UseNativeEventProcessing()) {
+  if (Preferences::GetBool(
+        "security.sandbox.content.mac.disconnect-windowserver")) {
    // If we've opened a connection to the window server, shut it down now. Forbid
    // future connections as well. We do this for sandboxing, but it also ensures
    // that the Activity Monitor will not label the content process as "Not
    // responding" because it's not running a native event loop. See bug 1384336.
-    CGSSetDenyWindowServerConnections(true);
    CGSShutdownServerConnections();
+    CGError result = CGSSetDenyWindowServerConnections(true);
+    MOZ_DIAGNOSTIC_ASSERT(result == kCGErrorSuccess);
  }

  nsAutoCString appPath, appBinaryPath, appDir;
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@ -3254,7 +3254,7 @@ pref("dom.ipc.processCount.privileged", 1);
 pref("dom.ipc.keepProcessesAlive.privileged", 1);

 // Whether a native event loop should be used in the content process.
-#if defined(XP_WIN)
+#if defined(XP_WIN) || defined(XP_MACOSX)
 pref("dom.ipc.useNativeEventProcessing.content", false);
 #else
 pref("dom.ipc.useNativeEventProcessing.content", true);