Now that UniqueFileHandle can be used more widely, and with
ipc::FileDescriptor being essentially a copyable UniqueFileHandle, it
makes sense to add a move constructor and a "forget"-like method to
convert between them when needed.
Depends on D26737
Differential Revision: https://phabricator.services.mozilla.com/D26738
--HG--
extra : moz-landing-system : lando
Now that UniqueFileHandle can be used more widely, and with
ipc::FileDescriptor being essentially a copyable UniqueFileHandle, it
makes sense to add a move constructor and a "forget"-like method to
convert between them when needed.
Depends on D26737
Differential Revision: https://phabricator.services.mozilla.com/D26738
--HG--
extra : moz-landing-system : lando
Now that UniqueFileHandle can be used more widely, and with
ipc::FileDescriptor being essentially a copyable UniqueFileHandle, it
makes sense to add a move constructor and a "forget"-like method to
convert between them when needed.
Depends on D26737
Differential Revision: https://phabricator.services.mozilla.com/D26738
--HG--
extra : moz-landing-system : lando
This updates security/sandbox/chromium/ files to chromium commit 84108231f6e6e0772fb9a4643679ce76aa771e67.
Existing and new patches applied from security/sandbox/chromium-shim/patches/with_update/ to give a compiling and mostly working browser.
See patch files for additional commit comments.
--HG--
rename : security/sandbox/chromium-shim/base/debug/debugging_flags.h => security/sandbox/chromium-shim/base/debug/debugging_buildflags.h
rename : security/sandbox/chromium-shim/base/win/base_features.h => security/sandbox/chromium-shim/base/win/base_win_buildflags.h
If the system doesn't support seccomp-bpf, the parent process won't
try to set up sandboxing, but the child process has a separate check that
didn't test for this, and ends up failing a release assertion (in
SandboxReporterClient, but we also release-assert that installing the
seccomp-bpf policy succeeds).
This patch just fixes the child-side conditional to match the intended
behavior, but in the long term we should consider redesigning SandboxInfo
to avoid this.
Differential Revision: https://phabricator.services.mozilla.com/D27624
--HG--
extra : moz-landing-system : lando
Added files to UNIFIED_SOURCES and removed conflicts. Files that required flags still remain in SOURCES. SOURCES use "StrictOrderingOnAppendListWithFlagsFactory" base class and UNIFIED_SOURCES use "StrictOrderingOnAppendList" base class. As of now I do not think there is an option to add flags for the later. So the files requiring flags are kept in SOURCES.
Differential Revision: https://phabricator.services.mozilla.com/D23795
--HG--
extra : moz-landing-system : lando
The seccomp-bpf policy is currently just the "common" policy with no
additions (but with the fixes in bug 1511560 to enable shared memory
creation). The file broker policy allows shared memory creation and
nothing else. The namespace setup is the same as for GMP (i.e., as
restrictive as we currently can be).
The sandbox can be turned off for troubleshooting by setting the
environment variable MOZ_DISABLE_RDD_SANDBOX, similarly to the other
process types.
Tested against https://demo.bitmovin.com/public/firefox/av1/ with the
necessary prefs set.
Depends on D20895
Differential Revision: https://phabricator.services.mozilla.com/D14525
--HG--
extra : moz-landing-system : lando
File descriptors are sometimes dup()ed in the process of communicating
them over IPC; some of this may be unnecessary (due to insufficient
use of move-only types), but dup() is relatively harmless. It was
previously allowed for both content and GMP, so this doesn't change
anything.
The handling of ftruncate is a little complicated -- it's used for IPC
shared memory, but only when creating segments; so GMP doesn't allow
it and should continue not allowing it, but content needs it and RDD
will as well. As a result, the subclass indicates if it will be needed.
Note that even when we have memfd_create support (bug 1440203),
ftruncate is still necessary even though brokering may not.
Depends on D14523
Differential Revision: https://phabricator.services.mozilla.com/D14524
--HG--
extra : moz-landing-system : lando
The sandbox broker uses socketpair to construct the per-request channels
over which responses are sent; thus, if and only if the policy will be
using brokering, it will allow socketpair as safely as possible (i.e.,
denying datagram sockets if possible).
Depends on D14522
Differential Revision: https://phabricator.services.mozilla.com/D14523
--HG--
extra : moz-landing-system : lando
madvise is used by our malloc (and probably others), and mprotect is
used with shared memory, including when created by another process, so
the common policy should include those rules.
Depends on D14521
Differential Revision: https://phabricator.services.mozilla.com/D14522
--HG--
extra : moz-landing-system : lando
This will allow other policies to use brokering if needed (e.g., RDD and
similar utility processes may need to access /dev/shm to create shared
memory). The concrete policy class can deny filesystem access completely
(matching the current behavior of the GMP policy) by passing nullptr to
the superclass constructor instead.
Depends on D14520
Differential Revision: https://phabricator.services.mozilla.com/D14521
--HG--
extra : moz-landing-system : lando
ContentSandboxPolicy currently allows direct filesystem access if it
isn't given a broker client; this is a legacy design from the B2G era,
before the current idea of "sandbox level". With this patch, it allows
filesystem access at level 1, and above that it requires brokering.
This is both to reduce the opportunities for accidentally having a
too-permissive sandbox and to prepare for refactoring the broker glue in
bug 1511560.
Depends on D14519
Differential Revision: https://phabricator.services.mozilla.com/D14520
--HG--
extra : moz-landing-system : lando
Level 1 is meant to enable some seccomp-bpf filtering, but still allow
direct access to the filesystem, and level 2 is where brokering starts.
This was accidentally broken in 1365257 (making "level 1" act like level
2); this patch fixes that.
This feature obviously isn't used much given how long nobody noticed it was
broken, but it's useful to have around for troubleshooting, and it's
actually easier to fix it than edit it out of the documentation.
Differential Revision: https://phabricator.services.mozilla.com/D14519
--HG--
extra : moz-landing-system : lando
The tables in SandboxFilterUtil.cpp should remain vertically aligned,
but clang-format would disagree. This patch excludes that region from
reformatting, and applies the other changes that clang-format would make
there.
Differential Revision: https://phabricator.services.mozilla.com/D12499
--HG--
extra : moz-landing-system : lando
Most of the times when we automatically create nsThread wrappers for threads
that don't already have them, we don't actually need the event targets, since
those threads don't run XPCOM event loops. Aside from wasting memory, actually
creating these event loops can lead to leaks if a thread tries to dispatch a
runnable to the queue which creates a reference cycle with the thread.
Not creating the event queues for threads that don't actually need them helps
avoid those foot guns, and also makes it easier to figure out which treads
actually run XPCOM event loops.
MozReview-Commit-ID: Arck4VQqdne
--HG--
extra : source : a03a61d6d724503c3b7c5e31fe32ced1f5d1c219
extra : intermediate-source : 5152af6ab3e399216ef6db8f060c257b2ffbd330
extra : histedit_source : ef06000344416e0919f536d5720fa979d2d29c66%2C4671676b613dc3e3ec762edf5d72a2ffbe6fca3f
Most of the times when we automatically create nsThread wrappers for threads
that don't already have them, we don't actually need the event targets, since
those threads don't run XPCOM event loops. Aside from wasting memory, actually
creating these event loops can lead to leaks if a thread tries to dispatch a
runnable to the queue which creates a reference cycle with the thread.
Not creating the event queues for threads that don't actually need them helps
avoid those foot guns, and also makes it easier to figure out which treads
actually run XPCOM event loops.
MozReview-Commit-ID: Arck4VQqdne
--HG--
extra : rebase_source : fcf8fa50e748c4b54c3bb1997575d9ffd4cbaae1
extra : source : a03a61d6d724503c3b7c5e31fe32ced1f5d1c219
Most of the times when we automatically create nsThread wrappers for threads
that don't already have them, we don't actually need the event targets, since
those threads don't run XPCOM event loops. Aside from wasting memory, actually
creating these event loops can lead to leaks if a thread tries to dispatch a
runnable to the queue which creates a reference cycle with the thread.
Not creating the event queues for threads that don't actually need them helps
avoid those foot guns, and also makes it easier to figure out which treads
actually run XPCOM event loops.
MozReview-Commit-ID: Arck4VQqdne
--HG--
extra : rebase_source : 02c5572b92ee48c11697d90941336e10c03d49cf
Closures are nice but -- as pointed out in bug 1481978 comment #2 --
it's a footgun to take a std::function argument in a context where heap
allocation isn't safe.
Fortunately, non-capturing closures convert to C function pointers,
so a C-style interface with a void* context can still be relatively
ergonomic.
This patch uses the shared memory name prefixes introduced in bug 1447867
to prevent access to /dev/shm files of other applications or other
processes within the same browser instance.
When a shared memory implementation that doesn't use shm_open is available
(specifically, the memfd_create support to be added in bug 1440203),
/dev/shm access is completely denied.
MozReview-Commit-ID: L2ylG5KrXTU
This replaces some old Chromium code that tries to minimally disentangle
an arbitrary file descriptor mapping with simpler algorithm, for several
reasons:
1. Do something appropriate when a file descriptor is mapped to the same
fd number in the child; currently they're ignored, which means they'll
be closed if they were close-on-exec. This implementation duplicates
the fd twice in that case, which seems to be uncommon in practice; this
isn't maximally efficient but avoids special-case code.
2. Make this more generally applicable; the previous design is
specialized for arbitrary code running between fork and exec, but we
also want to use this on OS X with posix_spawn, which exposes a very
limited set of operations.
3. Avoid the use of C++ standard library iterators in async signal safe
code; the Chromium developers mention that this is a potential problem in
some debugging implementations that take locks.
4. In general the algorithm is simpler and should be more "obviously
correct"; more concretely, it should get complete coverage just by being
run normally in a debug build.
As a convenient side benefit, CloseSuperfluousFds now takes an arbitrary
predicate for which fds to leave open, which means it can be used in
other code that needs it without creating a fake fd mapping.
MozReview-Commit-ID: EoiRttrbrKL
--HG--
extra : rebase_source : 336e0ba9f56dc80f7347dc62617b4ad1efea7e7e
Same approach as the other bug, mostly replacing automatically by removing
'using mozilla::Forward;' and then:
s/mozilla::Forward/std::forward/
s/Forward</std::forward</
The only file that required manual fixup was TestTreeTraversal.cpp, which had
a class called TestNodeForward with template parameters :)
MozReview-Commit-ID: A88qFG5AccP
This was done automatically replacing:
s/mozilla::Move/std::move/
s/ Move(/ std::move(/
s/(Move(/(std::move(/
Removing the 'using mozilla::Move;' lines.
And then with a few manual fixups, see the bug for the split series..
MozReview-Commit-ID: Jxze3adipUh
This patch uses the shared memory name prefixes introduced in bug 1447867
to prevent access to /dev/shm files of other applications or other
processes within the same browser instance.
When a shared memory implementation that doesn't use shm_open is available
(specifically, the memfd_create support to be added in bug 1440203),
/dev/shm access is completely denied.
MozReview-Commit-ID: L2ylG5KrXTU
--HG--
extra : rebase_source : ca1deece6117e843d691a13fff05bd0f97ec0408
Factor out the ATI-based driver detection code and use this to set
specific permissions needed by this driver. In passing, unnest some
of the SandboxBroker fallback paths, and make it properly report
the operation in all error paths.
MozReview-Commit-ID: FrRpicj5NF
--HG--
extra : rebase_source : 1410cdddcf1264dc1572f9b9b691f9d08a2061cf
RenderDoc, a graphics debugging tool, uses a preload library that
creates a listening socket (Internet-domain) early in startup and
accepts connections from the frontend. If it's detected (via env vars),
we allow accept/accept4 (but not socket/bind/listen), and remain in
the parent process's network namespace so that other processes can
connect to the socket.
This doesn't change the sandbox policy if not running under RenderDoc.
MozReview-Commit-ID: 964RW4BFh4u
--HG--
extra : rebase_source : d4a954e68431d84fa2e0edea4171421a948794af
This is to support WebGL with hybrid graphics drivers that connect to
a secondary X server for GL (Primus and VirtualGL), without allowing
access to arbitrary sockets. In addition to local X11 connections,
Primus needs to connect to the Bumblebee daemon (otherwise it will exit
the calling process).
The broker support is limited to AF_UNIX, to non-datagram sockets (see
bug 1066750), and to pathname addresses. Abstract addresses could
theoretically be handled but there isn't currently a compelling reason
to, and the broker very much assumes it's dealing with a C-style string
referring to a filesystem path and not an arbitrary byte sequence
(including NULs).
At a higher level: If the GPU X server is remote then it won't work,
but it won't work anyway because WebGL requires features that aren't
supported by indirect GLX. If the GPU X server is local but the browser
is inside a chroot, it will fail to connect unless /tmp/.X11-unix is
bind-mounted into the chroot; hopefully this use case is not common.
MozReview-Commit-ID: IvI2jYDRZZ2
The SandboxLaunchPrepare currently bails out early if it detects a
lack of user namespaces. Hoist the check for drivers needing SysV
IPC up so it's done before that early exit, and the required env
variables get correctly set.
With this we no longer fail with a SIGSYS sandbox error, though
in a debug build we still crash because many assumptions in the
graphics stack get broken when that fails to initialize the driver
for WebGL.
MozReview-Commit-ID: 8n3Hx6VSjTF
--HG--
extra : rebase_source : 99bf2d25a7435b0eb95f186a00cc7723a196be4c
The X11 symbol interposition isn't enough, possibly because Cairo can
also use XCB. Interposing XCB is more difficult because the API exposes
more protocol details. Instead, just allow shmget to be called and
fail; this will tell Cairo that it can't use SysV IPC with the X server,
which is what we want.
MozReview-Commit-ID: 5y9tE7UXMTE
--HG--
extra : rebase_source : bb1e81116742a299bc4e412062327e69032ab3b3
Also covers fchownat() and attempts to be ready for newer archs like ARM64.
Bonus fix: extend bug 1354731 (mknod) fix to cover mknodat so this part
of the policy isn't glaringly inconsistent about "at" syscalls.
Tested locally by attaching gdb and injecting syscalls.
MozReview-Commit-ID: CCOk0jZVoG4
--HG--
extra : rebase_source : 1d0cafd9d91586eaec0233ff15b3bbb1ef7485f0
Guest sessions on Ubuntu (and maybe other distributions that use
LightDM?) apply an AppArmor policy that allows CLONE_NEWUSER but doesn't
allow using any of the capabilities it grants, or even configuring the
new user namespace.
This patch causes those environments to be detected as not supporting
unprivileged user namespaces, because for all practical purposes they
don't.
MozReview-Commit-ID: HVkoBakRwaA
--HG--
extra : rebase_source : 4028eff177de30acc58f7f0c32989265dfcad9fd
This fixes a mistake in bug 1401062: the termination signal was omitted,
so it's 0, and if it isn't exactly SIGCHLD, then a tracer/debugger will
receive PTRACE_EVENT_CLONE rather than PTRACE_EVENT_FORK. This causes
GDB to see the child process as a thread instead of a separate process,
and it becomes very confused after the process calls execve().
MozReview-Commit-ID: Baf2RFHVWRU
--HG--
extra : rebase_source : 50839967fc766bb9db123fe1af99a88495f8421b
This replaces the globals for whether socket calls (and ipc(2) calls, but
we never used that) have real arguments with a parameter, which in hindsight
should have been done in bug 1273852, which is when we started handling
both socketcall(2) and separate socket calls in the same policy. This
allows handling the two cases differently.
MozReview-Commit-ID: 1pfckmCpJlW
--HG--
extra : rebase_source : 4b8459f01e8748fea95cbcb6eeb689f01417ca5b
There are a few things that use SysV IPC, which we discovered the last
time we tried to do this, which need to be accomodated:
1. The ALSA dmix plugin; if the build has ALSA support (off by default)
and if audio remoting is disabled, SysV IPC is allowed.
2. ATI/AMD's old proprietary graphics driver (fglrx), which is obsolete
and doesn't support newer hardware, but still has users; if it's
detected, SysV IPC is allowed.
3. Graphics libraries trying to use the MIT-SHM extension; this is
already turned off for other reasons (see bug 1271100), but that shim
seems to not load early enough in some cases, so it's copied into
libmozsandbox, which is preloaded before anything else in LD_PRELOAD.
Also, msgget is now blocked in all cases; the only case it was known
to be used involved ESET antivirus, which is now handled specially
(bug 1362601). In any case, the seccomp-bpf policy has never allowed
actually *using* message queues, so creating them is not very useful.
MozReview-Commit-ID: 5bOOQcXFd9U
--HG--
extra : rebase_source : ea79c0a7e31f58f056be15b551c57dde974dfae2
This helps with getting the tests that are running out of /tmp
to pass, who get confused if their paths change underneath them.
It's also a bit faster.
MozReview-Commit-ID: CWtngVNhA0t
--HG--
extra : rebase_source : 1be7a99cd3640d15ddecd1c050d19d1b30e5202d
extra : histedit_source : 5787bfe610504356a04819039469083adf2ce77c
This may be required if people have @import in their userContent.css, and
in any case our tests check for this.
MozReview-Commit-ID: 8uJcWiC2rli
--HG--
extra : rebase_source : a93dfc2c62d3ac35dece87e4b4596cde761de207
extra : histedit_source : 455e6a79527226f398a861a72c1cfdef2c1761df
This is turned off if the X11 server is remote -- including TCP to
localhost -- because otherwise it would be blocked. Note that ssh X
forwarding presents a TCP-only server.
The Nightly default for the force-namespace hidden pref is changed to
false, because we will now normally be using namespaces if available.
MozReview-Commit-ID: L9BbLdoLvLg
--HG--
extra : rebase_source : c737b65551deb134de18028714774e0aabb5baf5
This also removes an assertion that was failing under external sandboxes
that deny unshare() even when it's a no-op.
MozReview-Commit-ID: KBEPJyDGU7M
--HG--
extra : rebase_source : 411a51d7707e506ca8cbe49553ada1de02f7c76b
This also moves those parts of the policy factory out of the constructor,
because the pref service isn't initialized yet at that point.
MozReview-Commit-ID: 6wbq4MHu1GJ
The end goal is to allow the seccomp-bpf policy to vary based on the
content sandbox level.
Rather than add yet another parameter to SetContentProcessSandbox to
pass down the sandbox level, this collects the values that have to be
computed in libxul into a struct, and moves the code that computes it so
it's not cluttering up ContentChild.
MozReview-Commit-ID: L0dyQwHQKhc
This is a small piece of cleanup that turned out to not be strictly
necessary for the rest of this, so I've made it a separate commit.
Sandbox-related launch adjustments (currently, interposing libc
functions and providing a file descriptor for the syscall reporter)
are no longer applied to processes that won't be sandboxed. The
MOZ_SANDBOXED environment variable communicates this to the child
process, which allows SandboxEarlyInit to be skipped in that case as
well. The idea is that disabling sandboxing for a process type, as part
of troubleshooting, should disable everything sandbox-related.
As a side-effect, this also skips some very minor but unnecessary
overhead for NPAPI process startup.
MozReview-Commit-ID: D0KxsRIIRN
--HG--
extra : rebase_source : 89836bea80d0a171324a8e3ff15c6b8e2a163ea9
Namespace isolation is now handled by using clone() at process creation
time, rather than calling unshare.
pthread_atfork will no longer apply to sandboxed child processes.
The two significant uses of it in Firefox currently are to (1) make
malloc work post-fork, which we already avoid depending on in IPC and
sandboxing, and (2) block SIGPROF while forking, which is taken care of;
see SandboxFork::Fork for details. Note that if we need pthread_atfork
in the future it could be emulated by symbol interposition.
clone() is called via glibc's wrapper, for increased compatibility vs.
invoking the syscall directly, using longjmp to recover the syscall's
fork-like semantics the same way Chromium does; see comments for details.
The chroot helper is reimplemented; the general approach is similar,
but instead of a thread it's a process cloned with CLONE_FS (so the
filesystem root is shared) from the child process before it calls
exec, so that it still holds CAP_SYS_CHROOT in the newly created user
namespace. This does mean that it will retain a CoW copy of the
parent's address space until the child starts sandboxing, but that is a
relatively short period of time, so the memory overhead should be small
and short-lived.
The chrooting now happens *after* the seccomp-bpf policy is applied;
previously this wasn't possible because the chroot thread would have
become seccomp-restricted and unable to chroot. This fixes a potential
race condition where a thread could try to access the filesystem after
chrooting but before having its syscalls intercepted for brokering,
causing spurious failure. (This failure mode hasn't been observed in
practice, but we may not be looking for it.)
This adds a hidden bool pref, security.sandbox.content.force-namespace,
which unshares the user namespace (if possible) even if no sandboxing
requires it. It defaults to true on Nightly and false otherwise, to
get test coverage; the default will change to false once we're using
namespaces by default with content.
MozReview-Commit-ID: JhCXF9EgOt6
--HG--
rename : security/sandbox/linux/LinuxCapabilities.cpp => security/sandbox/linux/launch/LinuxCapabilities.cpp
rename : security/sandbox/linux/LinuxCapabilities.h => security/sandbox/linux/launch/LinuxCapabilities.h
extra : rebase_source : f37acacd4f79b0d6df0bcb9d1d5ceb4b9c5e6371
This is mostly deletion, except for SandboxEarlyInit. The unshare()
parts are going away, and the "unexpected threads" workaround can go away
along with them, but the signal broadcast setup still needs to happen
early so we can prevent blocking the signal.
So, SandboxEarlyInit's contract changes slightly from "call before
any other threads exist" to "before any threads that might block all
signals", and everything that can be deferred to immedately before
sandbox startup is. As a result, some getenv()s change to PR_GetEnv
because there can be threads, and there is now an NSPR dependency.
(This may mean that mozglue can no longer interpose symbols in NSPR,
because libmozsandbox is preloaded, but I don't think we're doing that.)
MozReview-Commit-ID: 7e9u0qBNOqn
--HG--
extra : rebase_source : 1a8442f7e0e26231ecf01b19078433d1b5b2763c
Jed Davis
Narcis Beleuzu
Ciure Andrei
Bob Owen
Gian-Carlo Pascutto
Sylvestre Ledru
Csoregi Natalia
srujana
brendaadel
Alex Gaynor
Gurzau Raul
Ryan Hunt
Kris Maglione
arthur.iakab
Ehsan Akhgari
Noemi Erli
Robert Bartlensky
Tom Ritter
Miko Mynttinen
Emilio Cobos Álvarez
Jan Beich
Boris Zbarsky
Sebastian Hengst
Harald van Dijk