From a826b27def8dba56f3e15849dc6efaae64530312 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Thu, 2 Aug 2018 15:18:51 +0000
Subject: [PATCH] Bug 1426100 - disable native event processing in content processes on macOS; r=haik

We originally thought that this would enable us to disconnect from the windowserver local service (which is a significant sandbox escape risk), however investigations revealed that that requires changes to WebGL and thus will be handled separately.

This also corrects an incorrect usage of the (undocumented) APIs for closing windowserver connections. If CGSSetDenyWindowServerConnections is called while there are open connections it is a no-op, so it must be called after disconnecting any open connections.

Differential Revision: https://phabricator.services.mozilla.com/D2478

--HG--
extra : moz-landing-system : lando
---
 dom/ipc/ContentChild.cpp | 9 ++++++---
 modules/libpref/init/all.js | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/dom/ipc/ContentChild.cpp b/dom/ipc/ContentChild.cpp
index 06373b690cda..7cfff3bc0a20 100644
--- a/dom/ipc/ContentChild.cpp
+++ b/dom/ipc/ContentChild.cpp
@@ -1619,7 +1619,8 @@ GetDirectoryPath(const char *aPath) {
 #endif // DEBUG
 extern "C" {
-void CGSSetDenyWindowServerConnections(bool);
+CGError
+CGSSetDenyWindowServerConnections(bool);
 void CGSShutdownServerConnections();
 };
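Review bot: The two `extern "C"` prototypes declare private CoreGraphics SPI that no public header checks, so the new `CGError CGSSetDenyWindowServerConnections(bool);` is only as trustworthy as wherever its signature was read from, and a mismatch would not be caught at compile time. A comment above the block should name that source and the macOS versions it was checked against, e.g. `// Private CoreGraphics SPI, not in any public header; signatures verified against <source/macOS version> — re-check on SDK updates.` The pre-existing `};` closing the `extern "C"` block carries a stray semicolon that could be dropped in the same touch-up. The surrounding file scope continues outside the hunk.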
@@ -1631,13 +1632,15 @@ StartMacOSContentSandbox()
     return false;
   }
-  if (!XRE_UseNativeEventProcessing()) {
+  if (Preferences::GetBool(
+      "security.sandbox.content.mac.disconnect-windowserver")) {
     // If we've opened a connection to the window server, shut it down now. Forbid
     // future connections as well. We do this for sandboxing, but it also ensures
     // that the Activity Monitor will not label the content process as "Not
     // responding" because it's not running a native event loop. See bug 1384336.
-    CGSSetDenyWindowServerConnections(true);
     CGSShutdownServerConnections();
+    CGError result = CGSSetDenyWindowServerConnections(true);
+    MOZ_DIAGNOSTIC_ASSERT(result == kCGErrorSuccess);
   }
   nsAutoCString appPath, appBinaryPath, appDir;
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index 14c3c42af7d3..3457ed525159 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -3254,7 +3254,7 @@ pref("dom.ipc.processCount.privileged", 1);
 pref("dom.ipc.keepProcessesAlive.privileged", 1);
 // Whether a native event loop should be used in the content process.
-#if defined(XP_WIN)
+#if defined(XP_WIN) || defined(XP_MACOSX)
 pref("dom.ipc.useNativeEventProcessing.content", false);
 #else
 pref("dom.ipc.useNativeEventProcessing.content", true);
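Review bot: `MOZ_DIAGNOSTIC_ASSERT(result == kCGErrorSuccess)` is the only consumer of the return value, so in builds where diagnostic asserts are compiled out a failed `CGSSetDenyWindowServerConnections(true)` leaves the window-server connection shut down but not denied, with no log and no failure, and `result` appears to become an unused variable there. Since that denial is the sandbox boundary this block exists for, it should fail closed in every build: `MOZ_RELEASE_ASSERT(result == kCGErrorSuccess);` if crashing the content process is acceptable, otherwise an explicit error path that follows this function's failure convention, plus a comment saying which was chosen and why. Separately, `Preferences::GetBool("security.sandbox.content.mac.disconnect-windowserver")` seems to rely on the implicit default when the pref is undefined, and neither hunk declares it in all.js; if it is not declared elsewhere the disconnect is silently off, so spell out the intended default, `Preferences::GetBool("security.sandbox.content.mac.disconnect-windowserver", false)`, and add the pref definition. StartMacOSContentSandbox() begins and ends outside the hunk.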
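Review bot: Adding `XP_MACOSX` to the `#if` turns off the native event loop for macOS content processes, but the comment in the ContentChild.cpp hunk says it is the window-server disconnect that keeps Activity Monitor from labelling a process without a native event loop as "Not responding" (bug 1384336), and that disconnect is now gated by a pref whose default is not visible here and which the commit message says is deferred. Unless it is handled elsewhere, macOS content processes may show as "Not responding" until the disconnect lands, and the existing comment gives no hint why macOS is in the list; extend it, e.g. `// Off on Windows and macOS; on macOS see StartMacOSContentSandbox() for the window-server handling this interacts with (bug 1426100).` The `#if`/`#else` block is complete within the hunk.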