This patch introduces ipcclientcerts, a PKCS#11 module that the socket process
can load to get access to client certificates and keys managed by the parent
process. This enables client certificate authentication to work with the socket
process (particularly for keys stored outside of NSS, as with osclientcerts or
third-party PKCS#11 modules).
Differential Revision: https://phabricator.services.mozilla.com/D122392
unlink("") will always return -ENOENT if passed to the kernel, so just
do the same thing here. We need this as empty paths can't be whitelisted.
Differential Revision: https://phabricator.services.mozilla.com/D132174
Building with --disable-xul has been busted since _at least_ bug
1082579, for more than 7 years (I didn't try to track that down
further). It's time to recognize that the option serves no purpose.
Differential Revision: https://phabricator.services.mozilla.com/D133161
I considered removing this class initially, but it's actually a pretty
useful abstraction over the DateTimeFormat interface when used
specifically with Gecko. It applies the OS preferences and provides some
caching behavior.
Differential Revision: https://phabricator.services.mozilla.com/D131671
-Wshadow warnings are not enabled globally, so these -Wno-shadow suppressions have no effect. I had intended to enable -Wshadow globally along with these suppressions in some directories (in bug 1272513), but that was blocked by other issues.
There are too many -Wshadow warnings (now over 2000) to realistically fix them all. We should remove all these unnecessary -Wno-shadow flags cluttering many moz.build files.
Differential Revision: https://phabricator.services.mozilla.com/D132289
Changes:
1. For the `intel` drivers [on newer hardware][VCS2], access to SysV IPC
is granted. There is a slight restriction: `semget` and `shmget` are
restricted to the fixed `key_t` value used by the driver; however,
the other calls take shm/sem identifiers, which are dynamically
assigned and globally scoped, so an attacker could still access
other resources. This is considered a reasonable tradeoff for not
needing to allow this (or, eventually, any GPU access) in the content
process, which is much easier for malicious content to attack than
RDD.
2. Access to devices in `/dev/dri` and the `DRM_IOCTL_*` ioctls (type `'d'`).
3. Read access to the parts of sysfs used by Mesa to do device detection;
again, given the choice we'd rather allow this in RDD than content.
4. Read access to directories containing libraries, for plugin loading.
5. Allowing `kcmp` in the special case of comparing the process's
own fds, for `amdgpu` (already allowed for content).
6. The `eventfd2` syscall, which we use in connection with dma-buf.
[VCS2]: https://github.com/intel/media-driver/blob/77b3b2a6c366/media_driver/linux/common/os/mos_os_specific.c#L1508-L1512
Differential Revision: https://phabricator.services.mozilla.com/D131680
Minor functional changes:
1. `fcntl` `F_DUPFD_CLOEXEC` is now allowed everywhere instead of
just content. It's the obvious (and maybe only? and probably
only portable) way for a library to `dup` and atomically set the
close-on-exec flag, and appears harmless.
2. `ioctl`s used by the `isatty` function are denied with `ENOTTY` by
default in all processes, instead of being treated as an invalid
syscall, and this now applies to `TIOCGWINSZ` (used by musl) as well
as `TCGETS` (used by glibc). Nothing new is allowed here; it's just
that this is treated as an expected denial.
3. Getting the real or effective user or group ID is allowed everywhere.
Every process type except RDD previously did, and RDD soon will. See
also the new comment about why GMP may not always need it, but that
it's not very meaningful to block.
Refactoring, no functional change intended:
1. The policy for the `kcmp` syscall as used by Mesa's `amdgpu` driver
is now in a protected method of SandboxPolicyCommon, but is used only
in the content process as previously. A later patch will also apply
it to the RDD process, so this avoids code duplication.
Differential Revision: https://phabricator.services.mozilla.com/D131679
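The distinction the second point above draws, failing the `isatty` ioctls with `ENOTTY` versus reporting an unexpected syscall, is visible in the filter's return values: `SECCOMP_RET_ERRNO` makes the call fail cleanly while `SECCOMP_RET_TRAP` raises SIGSYS. The following is an added illustration, not code from the Firefox sandbox: a classic-BPF seccomp program in that shape (arch check, `ioctl` with `TCGETS`/`TIOCGWINSZ` denied with `ENOTTY`, `fcntl(F_DUPFD_CLOEXEC)` allowed, everything else trapped) evaluated by a small user-space interpreter so the policy can be exercised without installing it. It assumes an x86_64 little-endian host, takes the syscall numbers, opcode and `SECCOMP_RET_*` values from the Linux headers (restated here so it compiles without them), and uses TRAP as the catch-all only for the sake of the example; the real policy's defaults are not shown.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* struct sock_filter and the constants below mirror the Linux headers
 * (linux/filter.h, linux/seccomp.h, linux/audit.h); restated so this
 * example builds without them. */
struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
#define BPF_LD_W_ABS   0x20u   /* A = *(u32 *)(data + k)     */
#define BPF_JMP_JEQ_K  0x15u   /* pc += (A == k) ? jt : jf   */
#define BPF_RET_K      0x06u   /* return k                   */
#define SECCOMP_RET_KILL_PROCESS 0x80000000u
#define SECCOMP_RET_TRAP         0x00030000u   /* SIGSYS: reported as an invalid syscall */
#define SECCOMP_RET_ERRNO        0x00050000u   /* fail the call; errno in the low 16 bits */
#define SECCOMP_RET_ALLOW        0x7fff0000u
#define AUDIT_ARCH_X86_64        0xc000003eu
#define AUDIT_ARCH_I386          0x40000003u

/* Data the kernel presents to the filter (same layout as the kernel's). */
struct seccomp_data { int nr; uint32_t arch; uint64_t instruction_pointer; uint64_t args[6]; };

/* x86_64 syscall numbers and the request codes named in the commit message. */
#define NR_ioctl        16
#define NR_fcntl        72
#define TCGETS          0x5401u   /* glibc isatty() */
#define TIOCGWINSZ      0x5413u   /* musl isatty()  */
#define F_DUPFD_CLOEXEC 1030u

#define STMT(code, k)         { code, 0, 0, k }
#define JUMP(code, k, jt, jf) { code, jt, jf, k }
/* Low 32 bits of args[i]; correct on little-endian hosts only. */
#define ARG_LO(i) ((uint32_t)(offsetof(struct seccomp_data, args) + 8 * (i)))

static const struct sock_filter policy[] = {
    /*  0 */ STMT(BPF_LD_W_ABS, offsetof(struct seccomp_data, arch)),
    /*  1 */ JUMP(BPF_JMP_JEQ_K, AUDIT_ARCH_X86_64, 1, 0),
    /*  2 */ STMT(BPF_RET_K, SECCOMP_RET_KILL_PROCESS),      /* wrong ABI: never evaluate args */
    /*  3 */ STMT(BPF_LD_W_ABS, offsetof(struct seccomp_data, nr)),
    /*  4 */ JUMP(BPF_JMP_JEQ_K, NR_ioctl, 0, 5),
    /*  5 */ STMT(BPF_LD_W_ABS, ARG_LO(1)),                 /* ioctl request */
    /*  6 */ JUMP(BPF_JMP_JEQ_K, TCGETS, 1, 0),
    /*  7 */ JUMP(BPF_JMP_JEQ_K, TIOCGWINSZ, 0, 1),
    /*  8 */ STMT(BPF_RET_K, SECCOMP_RET_ERRNO | ENOTTY),   /* expected denial: "not a tty" */
    /*  9 */ STMT(BPF_RET_K, SECCOMP_RET_TRAP),             /* other ioctls: unexpected */
    /* 10 */ JUMP(BPF_JMP_JEQ_K, NR_fcntl, 0, 3),
    /* 11 */ STMT(BPF_LD_W_ABS, ARG_LO(1)),                 /* fcntl cmd */
    /* 12 */ JUMP(BPF_JMP_JEQ_K, F_DUPFD_CLOEXEC, 0, 1),
    /* 13 */ STMT(BPF_RET_K, SECCOMP_RET_ALLOW),
    /* 14 */ STMT(BPF_RET_K, SECCOMP_RET_TRAP),             /* example catch-all */
};

/* Interpret the three opcodes the policy uses, the way the kernel would,
 * without installing the filter (installing needs PR_SET_NO_NEW_PRIVS and
 * prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...), which this example avoids). */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *data) {
    const unsigned char *raw = (const unsigned char *)data;
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD_W_ABS:
            if (in->k > sizeof *data - 4) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, raw + in->k, sizeof acc);    /* host byte order, as the kernel does */
            break;
        case BPF_JMP_JEQ_K:
            pc += (acc == in->k) ? in->jt : in->jf;   /* offsets count from the next insn */
            break;
        case BPF_RET_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;          /* opcode not modelled here */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;                  /* the kernel rejects filters that fall off the end */
}

/* Verdict for one syscall whose request/cmd sits in args[1]. */
uint32_t decide(uint32_t arch, int nr, uint64_t arg1) {
    struct seccomp_data d = {0};
    d.nr = nr; d.arch = arch; d.args[1] = arg1;
    return run_filter(policy, sizeof policy / sizeof policy[0], &d);
}

int main(void) {
    /* Constructed probes, not captured traffic. */
    struct { const char *what; int nr; uint64_t arg1; } probes[] = {
        { "ioctl(TCGETS)",          NR_ioctl, TCGETS },
        { "ioctl(TIOCGWINSZ)",      NR_ioctl, TIOCGWINSZ },
        { "ioctl(0x1234)",          NR_ioctl, 0x1234 },
        { "fcntl(F_DUPFD_CLOEXEC)", NR_fcntl, F_DUPFD_CLOEXEC },
        { "fcntl(F_GETFL)",         NR_fcntl, 3 },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t v = decide(AUDIT_ARCH_X86_64, probes[i].nr, probes[i].arg1);
        printf("%-24s -> 0x%08x%s\n", probes[i].what, v,
               (v & 0xffff0000u) == SECCOMP_RET_ERRNO ? " (errno, expected denial)" : "");
    }
    return 0;
}
```

The arch check comes first because argument offsets and syscall numbers differ per ABI; a filter that skips it can be bypassed by entering through a different syscall table.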
On 32-bit x86, Linux originally used a single system call, ipc(2), for
all SysV IPC. This is similar to socketcall(2), but the arguments are
passed directly (shifted by one position) instead of indirected via
a pointer, so seccomp-bpf can filter them normally. Also similar to
socketcall(2), individual syscalls were added later (in kernel 5.1,
vs. 4.3 for socket calls), so the policy needs to handle both of them,
adjusting argument offsets as needed. This patch adds an argument to
`EvaluateIpcCall` to allow that.
Differential Revision: https://phabricator.services.mozilla.com/D131678
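Two of the commit messages above describe the same policy from different ends: the RDD change (D131680) pins `semget`/`shmget` to the driver's fixed `key_t` while letting the id-based calls through, and this one (D131678) notes that on i386 the same calls arrive either directly or through `ipc(2)` with every argument shifted one slot. The model below is an added illustration of how one policy function can serve both forms; it is not Mozilla's `EvaluateIpcCall`. It assumes the i386 syscall numbers from the kernel's syscall table, the `ipc(2)` operation codes from `<linux/ipc.h>` (restated so it compiles anywhere), and a placeholder `DRIVER_IPC_KEY`, since the real key is not given in the commit message.

```c
#include <stdint.h>
#include <stdio.h>

/* i386 syscall numbers: the ipc(2) multiplexer and the direct SysV IPC
 * syscalls added in kernel 5.1 (assumed from arch/x86/entry/syscalls/syscall_32.tbl). */
#define NR_ipc    117
#define NR_semget 393
#define NR_semctl 394
#define NR_shmget 395
#define NR_shmctl 396
#define NR_shmat  397
#define NR_shmdt  398
#define NR_msgget 399

/* Operation codes carried in the low 16 bits of ipc(2)'s first argument;
 * the kernel masks off a version number kept in the upper bits. */
enum ipc_op {
    OP_SEMOP = 1, OP_SEMGET = 2, OP_SEMCTL = 3, OP_SEMTIMEDOP = 4,
    OP_MSGSND = 11, OP_MSGRCV = 12, OP_MSGGET = 13, OP_MSGCTL = 14,
    OP_SHMAT = 21, OP_SHMDT = 22, OP_SHMGET = 23, OP_SHMCTL = 24
};

/* Placeholder: the driver's real fixed key_t is not in the commit message. */
#define DRIVER_IPC_KEY 0x4D4F5A00u

enum verdict { DENY = 0, ALLOW = 1 };

/* What the filter sees: syscall number plus the six raw argument slots. */
struct syscall_event { int nr; uint64_t args[6]; };

/* Policy over a logical SysV IPC operation. `shift` says where the
 * operation's own first argument lives: slot 0 for a direct syscall,
 * slot 1 for ipc(2), whose slot 0 holds the operation code. */
static enum verdict evaluate_ipc_call(enum ipc_op op, const uint64_t *args, int shift) {
    uint32_t first = (uint32_t)args[shift];   /* key_t for *get, an id for the rest (32-bit ABI) */
    switch (op) {
    case OP_SEMGET:
    case OP_SHMGET:
        /* Creation/lookup is pinned to the driver's key. */
        return first == DRIVER_IPC_KEY ? ALLOW : DENY;
    case OP_SEMOP: case OP_SEMTIMEDOP: case OP_SEMCTL:
    case OP_SHMAT: case OP_SHMDT: case OP_SHMCTL:
        /* These take ids, which are dynamically assigned and global, so
         * pinning them is not possible; allowed as the accepted tradeoff. */
        return ALLOW;
    default:
        return DENY;                          /* message queues: not needed by the driver */
    }
}

/* Route both syscall forms into the same policy, adjusting the offset. */
enum verdict evaluate(const struct syscall_event *ev) {
    switch (ev->nr) {
    case NR_ipc:    return evaluate_ipc_call((enum ipc_op)(ev->args[0] & 0xffff), ev->args, 1);
    case NR_semget: return evaluate_ipc_call(OP_SEMGET, ev->args, 0);
    case NR_semctl: return evaluate_ipc_call(OP_SEMCTL, ev->args, 0);
    case NR_shmget: return evaluate_ipc_call(OP_SHMGET, ev->args, 0);
    case NR_shmctl: return evaluate_ipc_call(OP_SHMCTL, ev->args, 0);
    case NR_shmat:  return evaluate_ipc_call(OP_SHMAT,  ev->args, 0);
    case NR_shmdt:  return evaluate_ipc_call(OP_SHMDT,  ev->args, 0);
    case NR_msgget: return evaluate_ipc_call(OP_MSGGET, ev->args, 0);
    default:        return DENY;
    }
}

int main(void) {
    /* Constructed events: the same shmget() both ways, plus a bad key,
     * an id-based call, and a message-queue call. */
    struct { const char *what; struct syscall_event ev; } cases[] = {
        { "ipc(SHMGET, key)",     { NR_ipc,    { OP_SHMGET, DRIVER_IPC_KEY, 4096, 0600, 0, 0 } } },
        { "shmget(key)",          { NR_shmget, { DRIVER_IPC_KEY, 4096, 0600, 0, 0, 0 } } },
        { "ipc(SHMGET, badkey)",  { NR_ipc,    { OP_SHMGET, 0xdeadbeefu, 4096, 0600, 0, 0 } } },
        { "ipc(SHMAT, id)",       { NR_ipc,    { OP_SHMAT, 123456, 0, 0, 0, 0 } } },
        { "msgget(key)",          { NR_msgget, { DRIVER_IPC_KEY, 0600, 0, 0, 0, 0 } } },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-22s -> %s\n", cases[i].what, evaluate(&cases[i].ev) == ALLOW ? "ALLOW" : "DENY");
    return 0;
}
```

Reading the key from slot 0 of an `ipc(2)` event would compare the operation code against the key and deny the driver's legitimate call; that is the bug the offset argument exists to prevent, and it is the case the last two checks below cover.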