Bug 1376976 - Restrict sysctl access in the content process to a whitelist of sysctl names. r=jld, r=haik

MozReview-Commit-ID: 14yoiP1gskM
2017-06-29 13:55:15 -07:00 · 2017-06-29 13:55:15 -07:00 · d40ad40466
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@ -106,8 +106,50 @@ static const char contentSandboxRules[] = R"(
    file-ioctl
    (literal "/dev/dtracehelper"))

-  ; Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others
-  (allow sysctl-read)
+  ; macOS 10.9 does not support the |sysctl-name| predicate, so unfortunately
+  ; we need to allow all sysctl-reads there.
+  (if (string=? macosMinorVersion-9 "TRUE")
+    (allow sysctl-read)
+    (allow sysctl-read
+      (sysctl-name-regex #"^sysctl\.")
+      (sysctl-name "kern.ostype")
+      (sysctl-name "kern.osversion")
+      (sysctl-name "kern.osrelease")
+      (sysctl-name "kern.version")
+      ; TODO: remove "kern.hostname". Without it the tests hang, but the hostname
+      ; is arguably sensitive information, so we should see what can be done about
+      ; removing it.
+      (sysctl-name "kern.hostname")
+      (sysctl-name "hw.machine")
+      (sysctl-name "hw.model")
+      (sysctl-name "hw.ncpu")
+      (sysctl-name "hw.activecpu")
+      (sysctl-name "hw.byteorder")
+      (sysctl-name "hw.pagesize_compat")
+      (sysctl-name "hw.logicalcpu_max")
+      (sysctl-name "hw.physicalcpu_max")
+      (sysctl-name "hw.busfrequency_compat")
+      (sysctl-name "hw.busfrequency_max")
+      (sysctl-name "hw.cpufrequency")
+      (sysctl-name "hw.cpufrequency_compat")
+      (sysctl-name "hw.cpufrequency_max")
+      (sysctl-name "hw.l2cachesize")
+      (sysctl-name "hw.l3cachesize")
+      (sysctl-name "hw.cachelinesize_compat")
+      (sysctl-name "hw.tbfrequency_compat")
+      (sysctl-name "hw.vectorunit")
+      (sysctl-name "hw.optional.sse2")
+      (sysctl-name "hw.optional.sse3")
+      (sysctl-name "hw.optional.sse4_1")
+      (sysctl-name "hw.optional.sse4_2")
+      (sysctl-name "hw.optional.avx1_0")
+      (sysctl-name "hw.optional.avx2_0")
+      (sysctl-name "machdep.cpu.vendor")
+      (sysctl-name "machdep.cpu.family")
+      (sysctl-name "machdep.cpu.model")
+      (sysctl-name "machdep.cpu.stepping")
+      (sysctl-name "debug.intel.gstLevelGST")
+      (sysctl-name "debug.intel.gstLoaderControl")))

  (define (home-regex home-relative-regex)
    (regex (string-append "^" (regex-quote home-path) home-relative-regex)))
--- a/security/sandbox/test/browser_content_sandbox_syscalls.js
+++ b/security/sandbox/test/browser_content_sandbox_syscalls.js
@ -40,6 +40,20 @@ function callFork(args) {
  return (rv);
 }

+// Calls the native sysctl syscall.
+function callSysctl(args) {
+  Components.utils.import("resource://gre/modules/ctypes.jsm");
+  let {lib, name} = args;
+  let libc = ctypes.open(lib);
+  let sysctlbyname = libc.declare("sysctlbyname", ctypes.default_abi,
+                                  ctypes.int, ctypes.char.ptr,
+                                  ctypes.voidptr_t, ctypes.size_t.ptr,
+                                  ctypes.voidptr_t, ctypes.size_t.ptr);
+  let rv = sysctlbyname(name, null, null, null, null);
+  libc.close();
+  return rv;
+}
+
 // Calls the native open/close syscalls.
 function callOpen(args) {
  Components.utils.import("resource://gre/modules/ctypes.jsm");
@ -196,4 +210,21 @@ add_task(async function() {
    let rv = await ContentTask.spawn(browser, {lib}, callFork);
    ok(rv == -1, "calling fork is not permitted");
  }
+
+  // On macOS before 10.10 the |sysctl-name| predicate didn't exist for
+  // filtering |sysctl| access. Check the Darwin version before running the
+  // tests (Darwin 14.0.0 is macOS 10.10). This branch can be removed when we
+  // remove support for macOS 10.9.
+  if (isMac() && Services.sysinfo.getProperty("version") >= "14.0.0") {
+    let rv = await ContentTask.spawn(browser, {lib, name: "kern.boottime"},
+                                     callSysctl);
+    ok(rv == -1, "calling sysctl('kern.boottime') is not permitted");
+
+    rv = await ContentTask.spawn(browser, {lib, name: "net.inet.ip.ttl"},
+                                 callSysctl);
+    ok(rv == -1, "calling sysctl('net.inet.ip.ttl') is not permitted");
+
+    rv = await ContentTask.spawn(browser, {lib, name: "hw.ncpu"}, callSysctl);
+    ok(rv == 0, "calling sysctl('hw.ncpu') is permitted");
+  }
 });