To do this, we preload the AV libraries. They may not be needed right now,
but by doing this now we ensure that future RDD work won't mysteriously
fail during development for some poor coworker.
Differential Revision: https://phabricator.services.mozilla.com/D37928
--HG--
extra : moz-landing-system : lando
To avoid crashing in macOS 10.15, allow access to the proc_info PROC_INFO_CALL_SETCONTROL syscall variant in the GMP and RDD sandboxes.
Differential Revision: https://phabricator.services.mozilla.com/D39079
--HG--
extra : moz-landing-system : lando
Now that UniqueFileHandle can be used more widely, and with
ipc::FileDescriptor being essentially a copyable UniqueFileHandle, it
makes sense to add a move constructor and a "forget"-like method to
convert between them when needed.
Depends on D26737
Differential Revision: https://phabricator.services.mozilla.com/D26738
--HG--
extra : moz-landing-system : lando
This is because we are hitting it frequently during PolicyBase::OnJobEmpty and
currently we can't work out how this can happen.
Differential Revision: https://phabricator.services.mozilla.com/D38090
--HG--
extra : moz-landing-system : lando
Having to namespace these into GeckoChildProcessHost is annoying. The
|using| declarations help to some extent, but it's easier to just put
them in mozilla::ipc.
Differential Revision: https://phabricator.services.mozilla.com/D36538
--HG--
extra : moz-landing-system : lando
Allow limited access to the proc_pidinfo() syscall from the Mac utility process sandbox.
Differential Revision: https://phabricator.services.mozilla.com/D37533
--HG--
extra : moz-landing-system : lando
Now that UniqueFileHandle can be used more widely, and with
ipc::FileDescriptor being essentially a copyable UniqueFileHandle, it
makes sense to add a move constructor and a "forget"-like method to
convert between them when needed.
Depends on D26737
Differential Revision: https://phabricator.services.mozilla.com/D26738
--HG--
extra : moz-landing-system : lando
Now that UniqueFileHandle can be used more widely, and with
ipc::FileDescriptor being essentially a copyable UniqueFileHandle, it
makes sense to add a move constructor and a "forget"-like method to
convert between them when needed.
Depends on D26737
Differential Revision: https://phabricator.services.mozilla.com/D26738
--HG--
extra : moz-landing-system : lando
Change the Mac GMP process launch to include sandboxing params on the command line to allow the sandbox to be started earlier during GMP process launch. Content, extension, and RDD processes have already been changed to start the sandbox earlier.
Update GMPProcessParent to override GeckoChildProcessHost methods used to construct sandboxing parameters. Pass the plugin path as a sandbox parameter so that the sandbox rules can whitelist the plugin directory which is now read after the sandbox is enabled in the plugin process. On development builds, pass "testingReadPath" params so directories needed during automated tests can be whitelisted.
Update Mac sandboxing code to detect GMP sandbox params on the command line and enable the sandbox with additional arguments needed for early sandbox start.
Allow reverting to the old implementation by setting security.sandbox.gmp.mac.earlyinit to false.
Differential Revision: https://phabricator.services.mozilla.com/D34085
--HG--
extra : moz-landing-system : lando
Change the Mac GMP process launch to include sandboxing params on the command line to allow the sandbox to be started earlier during GMP process launch. Content, extension, and RDD processes have already been changed to start the sandbox earlier.
Update GMPProcessParent to override GeckoChildProcessHost methods used to construct sandboxing parameters. Pass the plugin path as a sandbox parameter so that the sandbox rules can whitelist the plugin directory which is now read after the sandbox is enabled in the plugin process. On development builds, pass "testingReadPath" params so directories needed during automated tests can be whitelisted.
Update Mac sandboxing code to detect GMP sandbox params on the command line and enable the sandbox with additional arguments needed for early sandbox start.
Allow reverting to the old implementation by setting security.sandbox.gmp.mac.earlyinit to false.
Differential Revision: https://phabricator.services.mozilla.com/D34085
--HG--
extra : moz-landing-system : lando
Change the Mac GMP process launch to include sandboxing params on the command line to allow the sandbox to be started earlier during GMP process launch. Content, extension, and RDD processes have already been changed to start the sandbox earlier.
Update GMPProcessParent to override GeckoChildProcessHost methods used to construct sandboxing parameters. Pass the plugin path as a sandbox parameter so that the sandbox rules can whitelist the plugin directory which is now read after the sandbox is enabled in the plugin process. On development builds, pass "testingReadPath" params so directories needed during automated tests can be whitelisted.
Update Mac sandboxing code to detect GMP sandbox params on the command line and enable the sandbox with additional arguments needed for early sandbox start.
Allow reverting to the old implementation by setting security.sandbox.gmp.mac.earlyinit to false.
Differential Revision: https://phabricator.services.mozilla.com/D34085
--HG--
extra : moz-landing-system : lando
Change the Mac GMP process launch to include sandboxing params on the command line to allow the sandbox to be started earlier during GMP process launch. Content, extension, and RDD processes have already been changed to start the sandbox earlier.
Update GMPProcessParent to override GeckoChildProcessHost methods used to construct sandboxing parameters. Pass the plugin path as a sandbox parameter so that the sandbox rules can whitelist the plugin directory which is now read after the sandbox is enabled in the plugin process. On development builds, pass "testingReadPath" params so directories needed during automated tests can be whitelisted.
Update Mac sandboxing code to detect GMP sandbox params on the command line and enable the sandbox with additional arguments needed for early sandbox start.
Allow reverting to the old implementation by setting security.sandbox.gmp.mac.earlyinit to false.
Differential Revision: https://phabricator.services.mozilla.com/D34085
--HG--
extra : moz-landing-system : lando
This updates security/sandbox/chromium/ files to chromium commit 84108231f6e6e0772fb9a4643679ce76aa771e67.
Existing and new patches applied from security/sandbox/chromium-shim/patches/with_update/ to give a compiling and mostly working browser.
See patch files for additional commit comments.
--HG--
rename : security/sandbox/chromium-shim/base/debug/debugging_flags.h => security/sandbox/chromium-shim/base/debug/debugging_buildflags.h
rename : security/sandbox/chromium-shim/base/win/base_features.h => security/sandbox/chromium-shim/base/win/base_win_buildflags.h
There's a bug in ole32.dll on arm64 versions of Windows prior to 1809, that crashes our content processes if we enable CFG. We've reported the issue, but even if it gets fixed, we can't assume users will have the update.
This patch uses process mitigation policy flags to disable CFG on arm64 before 1809. Based on testing, we only need to do this in the sandbox for child processes, and it's not strictly necessary for the launcher stub to set the flag on the main process. But I've included that anyway as a guard against some yet-undiscovered scenario that might hit the issue and make the browser unusable.
The effects of this patch won't be visible until we actually enable CFG in a subsequent landing.
Differential Revision: https://phabricator.services.mozilla.com/D29474
--HG--
extra : moz-landing-system : lando
There's a bug in ole32.dll on arm64 versions of Windows prior to 1809, that crashes our content processes if we enable CFG. We've reported the issue, but even if it gets fixed, we can't assume users will have the update.
This patch uses process mitigation policy flags to disable CFG on arm64 before 1809. Based on testing, we only need to do this in the sandbox for child processes, and it's not strictly necessary for the launcher stub to set the flag on the main process. But I've included that anyway as a guard against some yet-undiscovered scenario that might hit the issue and make the browser unusable.
The effects of this patch won't be visible until we actually enable CFG in a subsequent landing.
Differential Revision: https://phabricator.services.mozilla.com/D29474
--HG--
extra : moz-landing-system : lando
PGO instrumentation interacts badly with this code, and it's not crucial
that this code be lightning fast.
Differential Revision: https://phabricator.services.mozilla.com/D31131
--HG--
extra : moz-landing-system : lando
Conditionally include WindowServer access in the GMP sandbox so that it is only allowed for the Widevine CDM plugin, and not OpenH264.
Differential Revision: https://phabricator.services.mozilla.com/D29586
--HG--
extra : moz-landing-system : lando
Replace the MacSandboxType_Plugin sandbox type with MacSandboxType_Flash and MacSandboxType_GMP so that there is a 1:1 association between MacSandboxType values and sandbox policies.
Remove the MacSandboxPluginType enum. Instead of having different MacSandboxPluginTypes, we will just have MacSandboxType_GMP. We only use GMP for two plugin types, Widevine and OpenH264, and they only differ in that Widevine requires accss to the WindowServer.
Remove the MacSandboxPluginInfo struct and move the two needed fields pluginPath and pluginBinaryPath to MacSandboxInfo.
Differential Revision: https://phabricator.services.mozilla.com/D29585
--HG--
extra : moz-landing-system : lando
This allows us to loosen the coupling between the sandbox and code that needs
to run as soon as the token has been lowered.
We use std::list here because the observer service is not yet initialized.
Differential Revision: https://phabricator.services.mozilla.com/D28392
--HG--
extra : moz-landing-system : lando
Allow access to Apple's Metal shader language compiler in our content process sandbox. Limit the sandbox policy change to 10.14 and newer OS versions to reduce risk given that problems have only been reported on 10.14.5.
Differential Revision: https://phabricator.services.mozilla.com/D28904
--HG--
extra : moz-landing-system : lando
If the system doesn't support seccomp-bpf, the parent process won't
try to set up sandboxing, but the child process has a separate check that
didn't test for this, and ends up failing a release assertion (in
SandboxReporterClient, but we also release-assert that installing the
seccomp-bpf policy succeeds).
This patch just fixes the child-side conditional to match the intended
behavior, but in the long term we should consider redesigning SandboxInfo
to avoid this.
Differential Revision: https://phabricator.services.mozilla.com/D27624
--HG--
extra : moz-landing-system : lando
Tom Ritter
Gian-Carlo Pascutto
Bob Owen
Haik Aftandilian
Paul Adenot
Jed Davis
Sylvestre Ledru
Bobby Holley
Victor Porof
Narcis Beleuzu
Aaron Klotz
Ciure Andrei
Dorel Luca
Bogdan Tara
Andreea Pavel
arthur.iakab
David Major
Coroiu Cristina
Nathan Froyd