Bug 1457092 - Implement sandboxing on OpenBSD. r=gcp, r=jld

Add StartOpenBSDSandbox method calling pledge() syscall, and use it where we're sandboxing processes. The pledge subsets are coming from two new prefs: - security.sandbox.pledge.content for the content process - security.sandbox.pledge.main for the main process --HG-- extra : rebase_source : 60da70e2d335755fda6126a6b7de7aad41eebb7e
2018-08-23 07:35:00 -04:00 · 2018-08-23 07:35:00 -04:00 · aa545e34c8
--- a/dom/ipc/ContentChild.cpp
+++ b/dom/ipc/ContentChild.cpp
@ -109,6 +109,8 @@
 #include "CubebUtils.h"
 #elif defined(XP_MACOSX)
 #include "mozilla/Sandbox.h"
+#elif defined(__OpenBSD__)
+#include <unistd.h>
 #endif
 #endif

@ -1783,6 +1785,8 @@ ContentChild::RecvSetProcessSandbox(const MaybeFileDesc& aBroker)
  mozilla::SandboxTarget::Instance()->StartSandbox();
 #elif defined(XP_MACOSX)
  sandboxEnabled = StartMacOSContentSandbox();
+#elif defined(__OpenBSD__)
+  sandboxEnabled = StartOpenBSDSandbox(GeckoProcessType_Content);
 #endif

  CrashReporter::AnnotateCrashReport(
@ -3921,6 +3925,55 @@ ContentChild::OnMessageReceived(const Message& aMsg, Message*& aReply)

 } // namespace dom

+#if defined(__OpenBSD__) && defined(MOZ_CONTENT_SANDBOX)
+#include <unistd.h>
+
+static LazyLogModule sPledgeLog("SandboxPledge");
+
+bool
+StartOpenBSDSandbox(GeckoProcessType type)
+{
+  nsAutoCString promisesString;
+  nsAutoCString processTypeString;
+
+  switch (type) {
+    case GeckoProcessType_Default:
+      processTypeString = "main";
+      Preferences::GetCString("security.sandbox.pledge.main",
+                              promisesString);
+      break;
+
+    case GeckoProcessType_Content:
+      processTypeString = "content";
+      Preferences::GetCString("security.sandbox.pledge.content",
+                              promisesString);
+      break;
+
+    default:
+      MOZ_ASSERT(false, "unknown process type");
+      return false;
+  };
+
+  if (pledge(promisesString.get(), NULL) == -1) {
+    if (errno == EINVAL) {
+        MOZ_LOG(sPledgeLog, LogLevel::Error,
+               ("pledge promises for %s process is a malformed string: '%s'\n",
+                processTypeString.get(), promisesString.get()));
+    } else if (errno == EPERM) {
+        MOZ_LOG(sPledgeLog, LogLevel::Error,
+               ("pledge promises for %s process can't elevate privileges: '%s'\n",
+                processTypeString.get(), promisesString.get()));
+    }
+    return false;
+  } else {
+      MOZ_LOG(sPledgeLog, LogLevel::Debug,
+             ("pledged %s process with promises: '%s'\n",
+              processTypeString.get(), promisesString.get()));
+  }
+  return true;
+}
+#endif
+
 #if !defined(XP_WIN)
 bool IsDevelopmentBuild()
 {
--- a/security/sandbox/common/SandboxSettings.h
+++ b/security/sandbox/common/SandboxSettings.h
@ -21,5 +21,9 @@ bool IsContentSandboxEnabled();
 int ClampFlashSandboxLevel(const int aLevel);
 #endif

+#if defined(__OpenBSD__)
+bool StartOpenBSDSandbox(GeckoProcessType type);
+#endif
+
 }
 #endif // mozilla_SandboxPolicies_h
--- a/toolkit/xre/nsAppRunner.cpp
+++ b/toolkit/xre/nsAppRunner.cpp
@ -4384,6 +4384,9 @@ void AddSandboxAnnotations()
  sandboxCapable = true;
 #elif defined(XP_LINUX)
  sandboxCapable = SandboxInfo::Get().CanSandboxContent();
+#elif defined(__OpenBSD__)
+  sandboxCapable = true;
+  StartOpenBSDSandbox(GeckoProcessType_Default);
 #endif

  CrashReporter::AnnotateCrashReport(