Bug 1576733 - Part 1 - Launch native messaging helper applications with the "disclaim" posix_spawn attribute r=kmag

On macOS, launch native messaging helper apps with a new "Transparency, Consent, and Control" (TCC) attribution chain using the undocumented disclaim posix_spawn attribute. Differential Revision: https://phabricator.services.mozilla.com/D48028 --HG-- extra : moz-landing-system : lando
2019-11-06 04:44:54 +00:00 · 2019-11-06 04:44:54 +00:00 · e496f85edc
--- a/dom/system/OSFileConstants.cpp
+++ b/dom/system/OSFileConstants.cpp
@ -520,6 +520,10 @@ static const dom::ConstantSpec gLibcProperties[] = {
    // The size of |posix_spawn_file_actions_t|.
    {"OSFILE_SIZEOF_POSIX_SPAWN_FILE_ACTIONS_T",
     JS::Int32Value(sizeof(posix_spawn_file_actions_t))},
+
+    // The size of |posix_spawnattr_t|.
+    {"OSFILE_SIZEOF_POSIX_SPAWNATTR_T",
+     JS::Int32Value(sizeof(posix_spawnattr_t))},
 #  endif  // !defined(ANDROID)

    // Defining |dirent|.
--- a/toolkit/components/extensions/NativeMessaging.jsm
+++ b/toolkit/components/extensions/NativeMessaging.jsm
@ -97,7 +97,9 @@ var NativeApp = class extends EventEmitter {
          arguments: [hostInfo.path, context.extension.id],
          workdir: OS.Path.dirname(command),
          stderr: "pipe",
+          disclaim: true,
        };
+
        return Subprocess.call(subprocessOpts);
      })
      .then(proc => {
--- a/toolkit/modules/subprocess/Subprocess.jsm
+++ b/toolkit/modules/subprocess/Subprocess.jsm
@ -50,6 +50,10 @@ function encodeEnvVar(name, value) {
  return Uint8Array.of(...encode(name), ...encode("="), ...encode(value), 0);
 }

+function platformSupportsDisclaimedSpawn() {
+  return AppConstants.isPlatformAndVersionAtLeast("macosx", 18);
+}
+
 /**
 * Allows for creation of and communication with OS-level sub-processes.
 * @namespace
@ -93,6 +97,13 @@ var Subprocess = {
   * @param {string} [options.workdir]
   *        The working directory in which to launch the new process.
   *
+   * @param {boolean} [options.disclaim]
+   * macOS-specific option for 10.14+ OS versions. If true, enables a
+   * macOS-specific process launch option allowing the parent process to
+   * disclaim responsibility for the child process with respect to privacy/
+   * security permission prompts and decisions. This option is ignored on
+   * platforms that do not support it.
+   *
   * @returns {Promise<Process>}
   *
   * @rejects {Error}
@ -112,6 +123,7 @@ var Subprocess = {

    options.stderr = options.stderr || "ignore";
    options.workdir = options.workdir || null;
+    options.disclaim = options.disclaim || false;

    let environment = {};
    if (!options.environment || options.environmentAppend) {
@ -128,6 +140,10 @@ var Subprocess = {

    options.arguments = Array.from(options.arguments || []);

+    if (options.disclaim && !platformSupportsDisclaimedSpawn()) {
+      options.disclaim = false;
+    }
+
    return Promise.resolve(
      SubprocessImpl.isExecutableFile(options.command)
    ).then(isExecutable => {
--- a/toolkit/modules/subprocess/subprocess_shared.js
+++ b/toolkit/modules/subprocess/subprocess_shared.js
@ -93,6 +93,12 @@ const SubprocessConstants = {
   *           @constant
   */
  ERROR_BAD_EXECUTABLE: 0xff7a0003,
+  /**
+   * @property {integer} ERROR_INVALID_OPTION
+   *           The operation failed because an invalid option was provided.
+   *           @constant
+   */
+  ERROR_INVALID_OPTION: 0xff7a0004,
 };

 Object.freeze(SubprocessConstants);
--- a/toolkit/modules/subprocess/subprocess_shared_unix.js
+++ b/toolkit/modules/subprocess/subprocess_shared_unix.js
@ -27,6 +27,8 @@ const unix = {
    LIBC.OSFILE_SIZEOF_POSIX_SPAWN_FILE_ACTIONS_T
  ),

+  posix_spawnattr_t: ctypes.uint8_t.array(LIBC.OSFILE_SIZEOF_POSIX_SPAWNATTR_T),
+
  WEXITSTATUS(status) {
    return (status >> 8) & 0xff;
  },
@ -97,6 +99,25 @@ var libc = new Library("libc", LIBC_CHOICES, {
    ctypes.char.ptr.ptr /* envp */,
  ],

+  posix_spawnattr_init: [
+    ctypes.default_abi,
+    ctypes.int,
+    unix.posix_spawnattr_t.ptr,
+  ],
+
+  posix_spawnattr_destroy: [
+    ctypes.default_abi,
+    ctypes.int,
+    unix.posix_spawnattr_t.ptr,
+  ],
+
+  responsibility_spawnattrs_setdisclaim: [
+    ctypes.default_abi,
+    ctypes.int,
+    unix.posix_spawnattr_t.ptr,
+    ctypes.int,
+  ],
+
  posix_spawn_file_actions_addclose: [
    ctypes.default_abi,
    ctypes.int,
--- a/toolkit/modules/subprocess/subprocess_worker_unix.js
+++ b/toolkit/modules/subprocess/subprocess_worker_unix.js
@ -387,6 +387,8 @@ class Process extends BaseProcess {
    let actions = unix.posix_spawn_file_actions_t();
    let actionsp = actions.address();

+    let attr = null;
+
    let fds = this.initPipes(options);

    let cwd;
@ -407,12 +409,25 @@ class Process extends BaseProcess {
        libc.posix_spawn_file_actions_adddup2(actionsp, fd, i);
      }

+      if (options.disclaim) {
+        attr = unix.posix_spawnattr_t();
+        libc.posix_spawnattr_init(attr.address());
+        // Disclaim is a Mac-specific posix_spawn attribute
+        let rv = libc.responsibility_spawnattrs_setdisclaim(attr.address(), 1);
+        if (rv != 0) {
+          throw new Error(
+            `Failed to execute command "${command}" ` +
+              `due to disclaim error (${rv}).`
+          );
+        }
+      }
+
      let pid = unix.pid_t();
      let rv = libc.posix_spawn(
        pid.address(),
        command,
        actionsp,
-        null,
+        attr !== null ? attr.address() : null,
        argv,
        envp
      );
@ -426,6 +441,10 @@ class Process extends BaseProcess {

      this.pid = pid.value;
    } finally {
+      if (attr !== null) {
+        libc.posix_spawnattr_destroy(attr.address());
+      }
+
      libc.posix_spawn_file_actions_destroy(actionsp);

      this.stringArrays.length = 0;