The current collection of preloaded intermediates is under 3MB. This should not
be a prohibitive amount for mobile users to download. Once downloaded, updates
to the collection are minimal and again should not be an issue.
Differential Revision: https://phabricator.services.mozilla.com/D159092
1. Allow to store more than one token per key.
2. Allow to use the token only once. The token will be removed after reading it.
3. Add a gtest.
Differential Revision: https://phabricator.services.mozilla.com/D153605
As discussed in the last patch, allowing `fstatfs` will also make
`statfs` work on any path that the process could open for reading
(subject to sandbox policy).
Differential Revision: https://phabricator.services.mozilla.com/D157542
We have code to handle `statfs` calls in content processes by
intercepting them and calling `open` and `fstatfs` instead; the former
is then recursively intercepted and brokered. This patch moves that
feature into the common policy, but does not allow `fstatfs` in any
other sandbox types (yet; see next patch). This doesn't affect security
because the caller could have attempted the `open` and `fstatfs`
syscalls itself.
Differential Revision: https://phabricator.services.mozilla.com/D157541
1. Allow to store more than one token per key.
2. Allow to use the token only once. The token will be removed after reading it.
3. Add a gtest.
Differential Revision: https://phabricator.services.mozilla.com/D153605
These macros will produce better outputs when they fail than these existing
patterns using `ENSURE_TRUE(NS_SUCCEEDED(...))` or similar, so this is a bulk
rewrite of existing tests to use them.
It should also help with discoverability when people base their tests off of
other existing tests.
Differential Revision: https://phabricator.services.mozilla.com/D157214
This was previously disabled in bug 1673194 because of start up crashes.
It seems like msmpeg2vdec.dll may use dynamic code to support encrypted
code that uses. In recent versions of Windows this only seems used
in the 32bit version. The 32bit version will opt out of ACG on the
threads where it needs to use VirtualProtect so we use the weaker
variant there.
Differential Revision: https://phabricator.services.mozilla.com/D153762
When setting alternative destktop for the mf cdm process, it seems
interfering the media foundation framework and make the video playback
stutter.
But if we call `SetAlternateDesktop(false)` which won't create a new
window station, then the video playback won't be affected.
My guess is that there might be some internal performance issues
inside the media foundation framework when using Dcomp API between
different window stations.
In addition, Chromium also didn't enable alternative desktop for their
mf cdm process. So it makes sense to us to disalbe that as well.
Differential Revision: https://phabricator.services.mozilla.com/D155026
Create a new type of utility process which would be used for media
foundation media engine CDM usage. The media engine is a media pipeline
provided by the Windows Media Foundation, and our final goal is to use
that pipeline to play encrypted content in order to achieve Widevine L1
protection to allow users to watch high resolution videos.
Differential Revision: https://phabricator.services.mozilla.com/D154033
Previously, instantiating an nsIX509Cert (implemented by nsNSSCertificate)
would cause NSS to be initialized. However, if 'new nsNSSCertificate()' was
called directly (rather than going through XPCOM), NSS would not be
initialized. This didn't seem to be a problem until bug 1787942 changed how
nsITransportSecurityInfo was sent between processes for PHttpChannel and
HttpChannelOnStartRequestArgs (namely, by using the direct IPC support rather
than first serializing to a string, sending it over IPC, and then deserializing
it). That direct IPC implementation uses 'new nsNSSCertificate()', which is now
a problem.
nsNSSCertificate used to make extensive use of NSS, which warranted ensuring
NSS was initialized before creating one at all. Now, as of bug 1748341, the
cases where nsNSSCertificate uses NSS are limited and clearly delineated.
Accordinly, this change makes it so nsNSSCertificate only initializes NSS if
and when it needs it, rather than relying on the XPCOM boilerplate to
initialize NSS first.
Differential Revision: https://phabricator.services.mozilla.com/D156353
In preparation for making nsISocketTransport.securityInfo a concrete type
(nsITransportSecurityInfo), nsITLSServerConnectionInfo needs to be moved off of
securityInfo. securityCallbacks seems like a reasonable place.
Differential Revision: https://phabricator.services.mozilla.com/D154256
In preparation for making nsISocketTransport.securityInfo a concrete type
(nsITransportSecurityInfo), nsITLSServerConnectionInfo needs to be moved off of
securityInfo. securityCallbacks seems like a reasonable place.
Differential Revision: https://phabricator.services.mozilla.com/D154256
This was previously disabled in bug 1673194 because of start up crashes.
It seems like msmpeg2vdec.dll may use dynamic code to support encrypted
code that uses. In recent versions of Windows this only seems used
in the 32bit version. The 32bit version will opt out of ACG on the
threads where it needs to use VirtualProtect so we use the weaker
variant there.
Differential Revision: https://phabricator.services.mozilla.com/D153762
This makes it easier to get parity between legacy and regular flex
without having to either have tons of arbitrary attribute selectors in
the xul sheet, nor adding attribute lookup hacks to the html flexbox
layout.
Also, reimplement the remaining supported flex attribute-values (0 and 1)
purely in terms of CSS rules in xul.css (regardless of whether
emulate-moz-box-with-flex is enabled).
In practice these are pretty uncommon and the style attribute does the
trick in every case I've tried.
Add a debug-only assertion to ensure we preserve behavior for now.
Add a new test with another behavior difference between flexbox
emulation and old xul layout because the old reftest now passes. Use
replaced elements, which in modern flex are treated differently.
Differential Revision: https://phabricator.services.mozilla.com/D154394
This makes it easier to get parity between legacy and regular flex
without having to either have tons of arbitrary attribute selectors in
the xul sheet, nor adding attribute lookup hacks to the html flexbox
layout.
Also, reimplement the remaining supported flex attribute-values (0 and 1)
purely in terms of CSS rules in xul.css (regardless of whether
emulate-moz-box-with-flex is enabled).
In practice these are pretty uncommon and the style attribute does the
trick in every case I've tried.
Add a debug-only assertion to ensure we preserve behavior for now.
Add a new test with another behavior difference between flexbox
emulation and old xul layout because the old reftest now passes. Use
replaced elements, which in modern flex are treated differently.
Differential Revision: https://phabricator.services.mozilla.com/D154394
When generating code for arrays of interfaces from the rust-xpidl
compiler, the type was declared incorrectly as ThinVec<RefPtr<T>>
instead of ThinVec<Option<RefPtr<T>>> meaning that null values in the
array would be handled incorrectly.
This patch fixes this code generation mistake and updates crates using
the interface to handle null values correctly.
Differential Revision: https://phabricator.services.mozilla.com/D153485
These constructors are unnecessary and can be defined with a `using` statement,
making it easier to change all constructors simultaneously.
Differential Revision: https://phabricator.services.mozilla.com/D153620
This improves consistency with the child process case, and will make it easier
to attach additional state without needing to thread it through every child
process callsite manually.
Differential Revision: https://phabricator.services.mozilla.com/D153619
This type is also used in other places to start non-initial actors, and will
allow us to attach additional state more easily without needing to thread it
through every child process callsite manually.
Differential Revision: https://phabricator.services.mozilla.com/D153618
We uninstall signal handlers in child processes after clone(), because
they probably won't do the right thing if invoked in that context.
However, the current code also resets signals which were ignored;
if that disposition was set by an outside program like `nohup`, the
expectation is that it should be inherited. This patch omits those
signals when resetting handlers (similar to what `exec` does).
Differential Revision: https://phabricator.services.mozilla.com/D151336
These tests set up an ECH server which will only negotiate http/1.1 in the TLS ALPN extension.
If the client doesn't send an ALPN offering at least http/1.1 the connection will fail with
SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL.
Differential Revision: https://phabricator.services.mozilla.com/D153368
The biggest set of APIs from ns[T]StringObsolete which are still heavily used
are the string searching APIs. It appears the intention was for these to be
replaced by the `FindInReadable` APIs, however that doesn't appear to have
happened.
In addition, the APIs have some quirks around their handling of mixed character
widths. These APIs generally supported both narrow strings and the native
string type, probably because char16_t string literals weren't available until
c++11. Finally they also used easy-to-confuse unlabeled boolean and integer
optional arguments to control behaviour.
These patches do the following major changes to the searching APIs:
1. The ASCII case-insensitive search method was split out as
LowerCaseFindASCII, rather than using a boolean. This should be less
error-prone and more explicit, and allows the method to continue to use
narrow string literals for all string types (as only ASCII is supported).
2. The other [R]Find methods were restricted to only support arguments with
matching character types. I considered adding a FindASCII method which would
use narrow string literals for both wide and narrow strings but it would've
been the same amount of work as changing all of the literals to unicode
literals.
This ends up being the bulk of the changes in the patch.
3. All find methods were re-implemented using std::basic_string_view's find
algorithm or stl algorithms to reduce code complexity, and avoid the need to
carry around the logic from nsStringObsolete.cpp.
4. The implementations were moved to nsTStringRepr.cpp.
5. An overload of Find was added to try to catch callers which previously
called `Find(..., false)` or `Find(..., true)` to set case-sensitivity, due
to booleans normally implicitly coercing to `index_type`. This should
probably be removed at some point, but may be useful during the transition.
Differential Revision: https://phabricator.services.mozilla.com/D148300
This patch moves EqualsIgnoreCase to ns[T]StringObsolete, and removes
the aCount argument, instead migrating callers to use `StringBeginsWith`
with a case-insensitive comparator.
In addition, nsTStringRepr::Compare was removed and replaced with either
calls to methods like `StringBeginsWith` or the global `Compare` method.
These changes required some modifications at call-sites but should make
the behaviour less surprising and more consistent.
Differential Revision: https://phabricator.services.mozilla.com/D148299
`strerror` is async signal unsafe, and we're using it in contexts where
that's a problem: in particular in the child process after `clone()`ing,
where it can deadlock if it takes locks the parents' other threads had
held (or cause other undefined behavior), but also in the SIGSYS handler
if it's nested inside an async signal. It's also thread-unsafe.
This is mostly a mechanical replacement with the new `SANDBOX_LOG_ERRNO`
or `SANDBOX_LOG_WITH_ERROR`; two messages had the error string in the
middle and have been adjusted.
Differential Revision: https://phabricator.services.mozilla.com/D152099
This adds two new logging macros, which are intended to be async signal
safe:
* `SANDBOX_LOG_ERRNO`, which appends the error similarly to `perror` but
uses the error identifier (e.g., `EINVAL` instead of `Invalid argument`).
Unlike `perror`, formatting directives are available as for `SANDBOX_LOG`.
* `SANDBOX_LOG_WITH_ERROR` is the same thing but the error number is the
first argument instead of using `errno`; this is useful for newer POSIX
APIs which return an error number.
This will be used in the next patch to replace the existing use of
`strerror`, which is not async signal safe (or thread-safe).
Differential Revision: https://phabricator.services.mozilla.com/D152098
Originally this was written for B2G and used the Android logging
facility, which (like syslog) includes a severity level. However, all
current usage is on desktop where we just write to stderr, and there was
never much demand to add support for any log levels besides "error".
More importantly for the current situation, renaming the macro to
`SANDBOX_LOG` avoids confusion between `SANDBOX_LOG_ERROR` and
`SANDBOX_LOG_ERRNO` (or `SANDBOX_LOG_ERROR_ERRNO` or whatever).
Differential Revision: https://phabricator.services.mozilla.com/D152097
Two minor things I noticed while converting the existing sandbox logging:
1. One call site was using %u, but that doesn't exist in this printf
dialect, only %d; signedness is determined by the actual argument
type via template magic.
2. POSIX functions that return an error number just return the number;
there was one place that was negating it before use, as if it had
come from the Linux syscall ABI.
Differential Revision: https://phabricator.services.mozilla.com/D152096
This prevents copies and avoids the hack we have to avoid this, which
right now is using nsDependent{C,}String.
Non-virtual actors can still use `nsString` if they need to on the
receiving end.
Differential Revision: https://phabricator.services.mozilla.com/D152519
This patch adds two new telemetry histograms which collect specific types
of TLS handshake seperately from existing handshakes.
- The conservative histogram tracks handshakes used for essential connections (e.g. update checks)
- The first-try histogram tracks all initial connection attempts. This allows us to identify issues that might otherwise be masked by our retry logic.
A single handshake may belong to more than one histogram. All handshakes belong to the root histogram.
As the histogram buckets are aligned, it is possible to derive new histograms from these stored results.
For example, as ECH GREASE is only used on first-try handshakes, the histogram from non-GREASE first-try
handshakes can be calculated by subtracting the entries in the GREASE histogram from the first-try histogram.
This patch also extends the existing handshake necko tests to verify that the telemetry is recorded correctly.
Telemetry checks don't run if networking is running on the socket process as the histograms are no longer
accessible.
Differential Revision: https://phabricator.services.mozilla.com/D150754
If nsNSSSocketInfo::mFd is nullptr, it means the connection has been closed.
This isn't an error, and ClientAuthCertificateSelected shouldn't assert if this
happens.
Differential Revision: https://phabricator.services.mozilla.com/D151962
Cleanup our entitlement files by removing entitlements that use the default setting of false.
production.entitlements.xml and developer.entitlements.xml are used today.
The browser and plugin-container entitlement lists will be used when we enable using different entitlements for parent and child processes.
Differential Revision: https://phabricator.services.mozilla.com/D151943
In bug 1682412, loadCerts was removed from nsICertTree. At the time, the
certificate manager still had one use of it that should have been updated to
loadCertsFromCache. This patch makes that update.
Differential Revision: https://phabricator.services.mozilla.com/D150503
On multi-GPU systems, even though the GPU we're going to use for
accelerated video decoding is driven by Mesa, sometimes the nvidia
proprietary driver can be loaded and attempt to probe devices. This
patch attempts to make the sandbox policy quietly return errors for
those syscalls, instead of treating them as unexpected (and crashing on
Nightly).
Differential Revision: https://phabricator.services.mozilla.com/D149652
There are two parts to this patch; both affect only Linux:
1. The GMP sandbox policy is adjusted to allow certain syscalls used in
shared memory creation (ftruncate and fallocate). However, the file
broker is not used; the process still has no access to files in /dev/shm.
2. The profiler is not initialized for GMP processes unless memfd_create
is available (so the process can create shared memory to send
profiling data back, without filesystem access), or the GMP sandbox
is disabled (either at runtime or build time).
As of this patch, profiling GMP processes on Linux should succeed on
distros with kernel >=3.17 (Oct. 2014), but native stack frames won't
have symbols (and may be incorrectly unwound, not that it matters much
without symbols); see the bug for more info. Pseudo-stack frames and
markers should work, however.
Differential Revision: https://phabricator.services.mozilla.com/D148470
The profiler may try to readlink `/proc/self/exe` to determine the
executable name; currently, its attempt to get information about loaded
objects is broken for other reasons, so this isn't helpful. Thus, this
patch has it fail with `EINVAL` (meaning "not a symbolic link) instead of
being treated as unexpected.
(In the future, if we need to, we could simulate that syscall by
recording the target of `/proc/self/exe` before sandboxing, and
recognizing that specific case in a trap function.)
Differential Revision: https://phabricator.services.mozilla.com/D148469
Before this patch, the certificate verifier would only attempt to build a
trusted path to a root with the first recognized EV OID in the end-entity
certificate. Thus, if an end-entity certificate had more than one EV OID, it
could fail to verify as EV if an intermediate or root had the "wrong" EV OID.
This patch addresses this shortcoming by trying to build a path with each
recognized EV OID in the end-entity certificate until it finds one that works.
Differential Revision: https://phabricator.services.mozilla.com/D149319
Certificate error overrides made in non-private contexts should be availble in
private contexts as well (but not vice-versa).
Differential Revision: https://phabricator.services.mozilla.com/D149296
Add a preference for whether to remove ECH GREASE extensions when retrying a connection. This repurposes the flag which was previously present but not actually functional.
Differential Revision: https://phabricator.services.mozilla.com/D147191
The biggest set of APIs from ns[T]StringObsolete which are still heavily used
are the string searching APIs. It appears the intention was for these to be
replaced by the `FindInReadable` APIs, however that doesn't appear to have
happened.
In addition, the APIs have some quirks around their handling of mixed character
widths. These APIs generally supported both narrow strings and the native
string type, probably because char16_t string literals weren't available until
c++11. Finally they also used easy-to-confuse unlabeled boolean and integer
optional arguments to control behaviour.
These patches do the following major changes to the searching APIs:
1. The ASCII case-insensitive search method was split out as
LowerCaseFindASCII, rather than using a boolean. This should be less
error-prone and more explicit, and allows the method to continue to use
narrow string literals for all string types (as only ASCII is supported).
2. The other [R]Find methods were restricted to only support arguments with
matching character types. I considered adding a FindASCII method which would
use narrow string literals for both wide and narrow strings but it would've
been the same amount of work as changing all of the literals to unicode
literals.
This ends up being the bulk of the changes in the patch.
3. All find methods were re-implemented using std::basic_string_view's find
algorithm or stl algorithms to reduce code complexity, and avoid the need to
carry around the logic from nsStringObsolete.cpp.
4. The implementations were moved to nsTStringRepr.cpp.
5. An overload of Find was added to try to catch callers which previously
called `Find(..., false)` or `Find(..., true)` to set case-sensitivity, due
to booleans normally implicitly coercing to `index_type`. This should
probably be removed at some point, but may be useful during the transition.
Differential Revision: https://phabricator.services.mozilla.com/D148300
This changes the behavior of CRLite when configured in `ConfirmRevocations`
mode (the default mode on nightly and early beta). Under the new definition,
ConfirmRevocations mode fails closed when OCSP fails open. In particular, a
certificate will be marked as "Revoked" in the following scenarios:
- CRLite returns "Revoked" and the certificate does not list an OCSP URL,
- CRLite returns "Revoked" and the OCSP responder is unreachable,
- CRLite returns "Revoked" and the OCSP responder returns an error.
Differential Revision: https://phabricator.services.mozilla.com/D148686
Add a preference for whether to remove ECH GREASE extensions when retrying a connection. This repurposes the flag which was previously present but not actually functional.
Differential Revision: https://phabricator.services.mozilla.com/D147191
Dana Keeler
ffxbld
Dennis Jackson
Alexandre Lissy
Kershaw Chang
Sandor Molnar
Emilio Cobos Álvarez
Yannis Juglaret
Mark Banner
Jed Davis
Joel Maher
Andreea Pavel
John Schanck
Nika Layzell
Narcis Beleuzu
Jeff Muizelaar
Cosmin Sabou
Bob Owen
Jan Varga
alwu
Butkovits Atila
Iulian Moraru
Barret Rennie
Anna Weine
Marian-Vasile Laza
Csoregi Natalia
Fabrice Desré
Tooru Fujisawa
Haik Aftandilian
Andi-Bogdan Postelnicu
Kagami Sascha Rosylight
Bogdan Szekely
serge-sans-paille
Mike Hommey
Chris Martin
criss
Sylvestre Ledru
Alexandre Lissy