Bug 742434 - Part 2: Introduce pref to control content sandbox. r=jld

MozReview-Commit-ID: JQAQAbHUObN --HG-- extra : rebase_source : 42a14a28503b685125f27faa40ae4efc920c5c5d
2016-06-16 12:39:07 +02:00 · 2016-06-16 12:39:07 +02:00 · aa5c174aa4
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@ -973,6 +973,26 @@ pref("security.sandbox.windows.log.stackTraceDepth", 0);
 pref("security.sandbox.content.level", 1);
 #endif

+#if defined(XP_LINUX) && defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
+// This pref is introduced as part of bug 742434, the naming is inspired from
+// its Windows/Mac counterpart, but on Linux it's an integer which means:
+// 0 -> "no sandbox"
+// 1 -> "content sandbox using seccomp-bpf when available"
+// 2 -> "seccomp-bpf + file broker"
+// Content sandboxing on Linux is currently in the stage of
+// 'just getting it enabled', which includes a very permissive whitelist. We
+// enable seccomp-bpf on nightly to see if everything is running, or if we need
+// to whitelist more system calls.
+//
+// So the purpose of this setting is to allow nightly users to disable the
+// sandbox while we fix their problems. This way, they won't have to wait for
+// another nightly release which disables seccomp-bpf again.
+//
+// This setting may not be required anymore once we decide to permanently
+// enable the content sandbox.
+pref("security.sandbox.content.level", 1);
+#endif
+
 #if defined(XP_MACOSX) || defined(XP_WIN)
 #if defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
 // ID (a UUID when set by gecko) that is used to form the name of a
--- a/dom/ipc/ContentParent.cpp
+++ b/dom/ipc/ContentParent.cpp
@ -2599,6 +2599,14 @@ ContentParent::InitInternal(ProcessPriority aInitialPriority,
 #endif
  MaybeFileDesc brokerFd = void_t();
 #ifdef XP_LINUX
+  // XXX: Checking the pref here makes it possible to enable/disable sandboxing
+  // during an active session. Currently the pref is only used for testing
+  // purpose. If the decision is made to permanently rely on the pref, this
+  // should be changed so that it is required to restart firefox for the change
+  // of value to take effect.
+  shouldSandbox = (Preferences::GetInt("security.sandbox.content.level") > 0) &&
+    !PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX");
+
  if (shouldSandbox) {
    MOZ_ASSERT(!mSandboxBroker);
    UniquePtr<SandboxBroker::Policy> policy =
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@ -120,7 +120,7 @@ SandboxBrokerPolicyFactory::GetContentPolicy(int aPid)
 {
  // Allow overriding "unsupported"ness with a pref, for testing.
  if (!IsSystemSupported() &&
-      Preferences::GetInt("security.sandbox.content.level") <= 0) {
+      Preferences::GetInt("security.sandbox.content.level") <= 1) {
    return nullptr;
  }