The previous patches mean that VA-API shouldn't cause sandbox violations
in the RDD process, so there's no need to lock it out.
This patch does **not** change the prefs to enable it
(`media.rdd-ffmpeg.enabled` and `media.ffmpeg.vaapi.enabled`), but now
those prefs will be honored if they are flipped, to allow testing.
Differential Revision: https://phabricator.services.mozilla.com/D131681
Changes:
1. For the `intel` drivers [on newer hardware][VCS2], access to SysV IPC
is granted. There is a slight restriction: `semget` and `shmget` are
restricted to the fixed `key_t` value used by the driver; however,
the other calls take shm/sem identifiers, which are dynamically
assigned and globally scoped, so an attacker could still access
other resources. This is considered a reasonable tradeoff for not
needing to allow this (or, eventually, any GPU access) in the content
process, which is much easier for malicious content to attack than
RDD.
2. Access to devices in `/dev/dri` and the `DRM_IOCTL_*` ioctls (type `'d'`).
3. Read access to the parts of sysfs used by Mesa to do device detection;
again, given the choice we'd rather allow this in RDD than content.
4. Read access to directories containing libraries, for plugin loading.
5. Allowing `kcmp` in the special case of comparing the process's
own fds, for `amdgpu` (already allowed for content).
6. The `eventfd2` syscall, which we use in connection with dma-buf.
[VCS2]: https://github.com/intel/media-driver/blob/77b3b2a6c366/media_driver/linux/common/os/mos_os_specific.c#L1508-L1512
Differential Revision: https://phabricator.services.mozilla.com/D131680
Minor functional changes:
1. `fcntl` `F_DUPFD_CLOEXEC` is now allowed everywhere instead of
just content. It's the obvious (and maybe only? and probably
only portable) way for a library to `dup` and atomically set the
close-on-exec flag, and appears harmless.
2. `ioctl`s used by the `isatty` function are denied with `ENOTTY` by
default in all processes, instead of being treated as an invalid
syscall, and this now applies to `TIOCGWINSZ` (used by musl) as well
as `TCGETS` (used by glibc). Nothing new is allowed here; it's just
that this is treated as an expected denial.
3. Getting the real or effective user or group ID is allowed everywhere.
Every process type except RDD previously did, and RDD soon will. See
also the new comment about why GMP may not always need it, but that
it's not very meaningful to block.
Refactoring, no functional change intended:
1. The policy for the `kcmp` syscall as used by Mesa's `amdgpu` driver
is now in a protected method of SandboxPolicyCommon, but is used only
in the content process as previously. A later patch will also apply
it to the RDD process, so this avoids code duplication.
Differential Revision: https://phabricator.services.mozilla.com/D131679
On 32-bit x86, Linux originally used a single system call, ipc(2), for
all SysV IPC. This is similar to socketcall(2), but the arguments are
passed directly (shifted by one position) instead of indirected via
a pointer, so seccomp-bpf can filter them normally. Also similar to
socketcall(2), individual syscalls were added later (in kernel 5.1,
vs. 4.3 for socket calls), so the policy needs to handle both of them,
adjusting argument offsets as needed. This patch adds an argument to
`EvaluateIpcCall` to allow that.
Differential Revision: https://phabricator.services.mozilla.com/D131678
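The three sandbox messages above share one mechanism that is easier to see in a filter than in prose: the fixed-`key_t` restriction on `semget`/`shmget` from the RDD change, the `ENOTTY` answer to the `isatty` ioctls, and the one-position argument shift between `ipc(2)` and the direct SysV IPC syscalls. The following is an added example written for this page, not Mozilla's SandboxFilter code: a classic-BPF program for 32-bit x86 plus a small user-space interpreter that evaluates it on constructed `seccomp_data`, so it runs without installing a filter or needing root. Assumptions: the allowed key value is made up; unknown syscalls and unknown `ipc` sub-calls are answered with `ENOSYS` purely as a stand-in for "invalid syscall" (how a real policy reports unexpected syscalls is not modelled); and the upper 16 bits of the `ipc` call argument, which the kernel treats as a version field, are not masked, so such calls fall through to the deny path.

```c
/* Added example (not Mozilla code): a 32-bit x86 seccomp-bpf filter that
 * applies one SysV IPC key check to both the legacy ipc(2) multiplexer and
 * the per-call syscalls added in Linux 5.1, and answers the isatty() ioctls
 * with ENOTTY.  A user-space interpreter evaluates it on constructed
 * seccomp_data, so nothing is installed and no root is needed. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local mirrors of struct sock_filter and struct seccomp_data. */
struct insn   { uint16_t code; uint8_t jt, jf; uint32_t k; };
struct scdata { int32_t nr; uint32_t arch; uint64_t ip; uint64_t args[6]; };

#define OP_LD_ABS  0x20u                 /* BPF_LD|BPF_W|BPF_ABS */
#define OP_JEQ_K   0x15u                 /* BPF_JMP|BPF_JEQ|BPF_K */
#define OP_RET_K   0x06u                 /* BPF_RET|BPF_K */
#define RET_ALLOW  0x7fff0000u           /* SECCOMP_RET_ALLOW */
#define RET_KILL   0x80000000u           /* SECCOMP_RET_KILL_PROCESS */
#define RET_ERRNO(e) (0x00050000u | ((uint32_t)(e) & 0xffffu))
#define OFF_NR     0u
#define OFF_ARCH   4u
#define OFF_ARG(i) (16u + 8u * (i))      /* low word of args[i], little-endian */
#define AUDIT_ARCH_I386 0x40000003u

/* i386 syscall numbers (asm/unistd_32.h), ipc(2) sub-calls (linux/ipc.h),
 * termios requests (asm/ioctls.h), and a made-up fixed key_t. */
enum { NR_IOCTL = 54, NR_IPC = 117, NR_SEMGET = 393, NR_SHMGET = 395 };
enum { IPC_SEMGET = 2, IPC_SHMGET = 23 };
enum { TCGETS = 0x5401, TIOCGWINSZ = 0x5413 };
#define ALLOWED_KEY 0x4d4f5a00u          /* hypothetical driver key */

#define LD(off)        { OP_LD_ABS, 0, 0, (off) }
#define JEQ(k, jt, jf) { OP_JEQ_K, (jt), (jf), (uint32_t)(k) }
#define RET(v)         { OP_RET_K, 0, 0, (v) }

/* Classic BPF: a conditional jump lands at index + 1 + jt (or jf). */
static const struct insn filter[] = {
/* 0*/ LD(OFF_ARCH),
/* 1*/ JEQ(AUDIT_ARCH_I386, 0, 21),  /* other ABI -> 23: kill, never trust nr */
/* 2*/ LD(OFF_NR),
/* 3*/ JEQ(NR_IPC, 4, 0),            /* -> 8  */
/* 4*/ JEQ(NR_SEMGET, 9, 0),         /* -> 14 */
/* 5*/ JEQ(NR_SHMGET, 8, 0),         /* -> 14 */
/* 6*/ JEQ(NR_IOCTL, 11, 0),         /* -> 18 */
/* 7*/ RET(RET_ERRNO(ENOSYS)),       /* anything else: modelled as ENOSYS */
/* 8*/ LD(OFF_ARG(0)),               /* ipc(2): sub-call number is arg 0 ... */
/* 9*/ JEQ(IPC_SEMGET, 2, 0),        /* -> 12 */
/*10*/ JEQ(IPC_SHMGET, 1, 0),        /* -> 12 */
/*11*/ RET(RET_ERRNO(ENOSYS)),
/*12*/ LD(OFF_ARG(1)),               /* ... so key_t is shifted to arg 1 */
/*13*/ JEQ(ALLOWED_KEY, 2, 3),       /* -> 16 allow / 17 deny */
/*14*/ LD(OFF_ARG(0)),               /* direct semget/shmget: key_t is arg 0 */
/*15*/ JEQ(ALLOWED_KEY, 0, 1),       /* -> 16 allow / 17 deny */
/*16*/ RET(RET_ALLOW),
/*17*/ RET(RET_ERRNO(EPERM)),        /* right call, foreign key */
/*18*/ LD(OFF_ARG(1)),               /* ioctl: request code is arg 1 */
/*19*/ JEQ(TCGETS, 1, 0),            /* -> 21 */
/*20*/ JEQ(TIOCGWINSZ, 0, 1),        /* -> 21 / 22 */
/*21*/ RET(RET_ERRNO(ENOTTY)),       /* isatty() sees "not a tty" and moves on */
/*22*/ RET(RET_ERRNO(ENOSYS)),
/*23*/ RET(RET_KILL),
};

static uint32_t load_word(const struct scdata *d, uint32_t off) {
    if (off == OFF_NR)   return (uint32_t)d->nr;
    if (off == OFF_ARCH) return d->arch;
    for (unsigned i = 0; i < 6; i++)
        if (off == OFF_ARG(i)) return (uint32_t)d->args[i];
    return 0;   /* the kernel rejects other offsets at filter load time */
}

/* Evaluate the filter the way seccomp would, for the three opcodes used. */
uint32_t run_filter(const struct insn *prog, size_t len, const struct scdata *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        switch (prog[pc].code) {
        case OP_LD_ABS: acc = load_word(d, prog[pc].k); break;
        case OP_JEQ_K:  pc += (acc == prog[pc].k) ? prog[pc].jt : prog[pc].jf; break;
        case OP_RET_K:  return prog[pc].k;
        default:        return RET_KILL;   /* opcode not modelled */
        }
    }
    return RET_KILL;   /* fell off the end; the kernel refuses such programs */
}

/* 0 = allowed, >0 = errno the caller gets back, -1 = process killed. */
int decide_arch(uint32_t arch, int nr, uint64_t a0, uint64_t a1, uint64_t a2) {
    struct scdata d = { nr, arch, 0, { a0, a1, a2, 0, 0, 0 } };
    uint32_t r = run_filter(filter, sizeof filter / sizeof filter[0], &d);
    if (r == RET_ALLOW) return 0;
    if ((r & 0xffff0000u) == 0x00050000u) return (int)(r & 0xffffu);
    return -1;
}
int decide(int nr, uint64_t a0, uint64_t a1, uint64_t a2) {
    return decide_arch(AUDIT_ARCH_I386, nr, a0, a1, a2);
}

int main(void) {
    printf("ipc(SEMGET, key)  -> %d\n", decide(NR_IPC, IPC_SEMGET, ALLOWED_KEY, 1));
    printf("shmget(other key) -> %d (EPERM is %d)\n", decide(NR_SHMGET, 0x1234, 4096, 0), EPERM);
    printf("ioctl(fd, TCGETS) -> %d (ENOTTY is %d)\n", decide(NR_IOCTL, 3, TCGETS, 0), ENOTTY);
    return 0;
}
```

The point of indices 8 to 15 is the one the D131678 message makes: the key check is the same comparison in both paths, only the argument slot differs, and a check that reused the direct-syscall offset for `ipc(2)` would compare the sub-call number rather than the key. The `arch` check at the top is not in the messages but is what any practitioner would put first, since syscall numbers are only meaningful for the ABI that issued them.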
Remove the dependencies on transforming both the prim and clips
into world space, by relying on the fact that in the complex
transform case, the clip spatial nodes are ancestors of the
primitive spatial node.
This allows us to work in the space of the clip spatial node. For
now, this is only applied to the CPU accept/reject code; however, in
future it will allow us to optimize and simplify the GPU mask
rendering code significantly.
Differential Revision: https://phabricator.services.mozilla.com/D131464
This version of minidump-stackwalk is now replaced with rust-minidump's
minidump-stackwalk, which we build from a FETCH. Not touching the other
stuff in this directory because I have no idea what it is.
Differential Revision: https://phabricator.services.mozilla.com/D131316
This is the first step in replacing a huge pile of our breakpad-based infra
with our new implementation (rust-minidump). This stackwalker is only used
for reporting crashes in local builds and CI, so it's a good first deploy.
Although most of the work on rust-minidump has been focused on the JSON output,
this uses the --human output, because it's primarily intended for humans to
directly read. There is however some minor parsing done on this format. This
is not *strictly* supported by --human (it has no schema) but it's not something
we plan to break. (This parsing is pre-existing, just recording the facts.)
The new build configs/scripts are hybridized from fix-stacks and dump_syms,
as this basically is a hybrid of the two. In particular it needs the openssl
vendoring tricks that dump_syms uses, but is a target binary that prefers
win32 over win64 (like fix-stacks).
Technically a regression but probably just culling legacy cruft at this point:
this patchset removes support for building a local copy of minidump-stackwalk
from source. You must now download a copy built on task-cluster using mozboot.
mozboot *already* did this, which is why this feature appears to be legacy cruft
-- there was little reason to build a local copy.
However rust-minidump's minidump-stackwalk has a far better portability story,
so you can build+install your own local copy by just running:
cargo install minidump-stackwalk
Differential Revision: https://phabricator.services.mozilla.com/D131315
The challenges here are:
* xpcshell tests still don't support the watcher actor and server side targets. So we have to ensure we are still using the client side target fetched via the Descriptor.getTarget RDP request. (We still also need that for WebExtension.)
* some tests weren't spawning the TargetCommand while querying TabDescriptor.getTarget. I tuned them to call TargetCommand.startListening so that we start instantiating server side targets, including the top level one retrieved via TabDescriptor.getTarget.
Otherwise, thanks to this patch a few checks can now be moved from `if (isLocalTab)` to `if (isTabDescriptor)`.
Differential Revision: https://phabricator.services.mozilla.com/D130761
This wasn't used except for a test and wasn't working with server side targets.
Making this compatible with SST wasn't trivial, so I went for removing this.
Differential Revision: https://phabricator.services.mozilla.com/D130919
This helps any front interact with commands, which is frequently useful.
In the long run, all fronts should be slowly converted to become commands.
Differential Revision: https://phabricator.services.mozilla.com/D131397