344f6abf7b
Bug 1093334 - Delete unnecessary copies of Chromium headers in security/sandbox/linux. r=kang
2014-12-10 17:26:12 -08:00
c2384cf7c7
Bug 1093334 - Adjust includes of Linux sandboxing headers from Chromium. r=kang
...
Also re-sorts some of the includes into something closer to the style guide.
2014-12-10 17:26:12 -08:00
30ba635db0
Bug 1102209 - Remove use of CodeGen::JoinInstructions in the Linux sandboxing code. r=kang
...
This reorganizes SandboxAssembler to stack up the policy rules and
traverse them in reverse order to build the filter DAG from tail to head
(i.e., starting with "deny all" and prepending allow and return-errno
rules). Thus, this code will continue to work (perhaps with minor
changes, such as to the NodePtr typedef) with future versions of the
Chromium sandbox code that don't allow mutating the filter program with
the JoinInstructions method.
2014-12-10 17:26:12 -08:00
114cf4fb41
Bug 1108759 - Fix B2G no-optimization builds. r=glandium
2014-12-10 16:17:47 -08:00
56bf9455a1
Bug 1105452 - Need to use new Audio system APIs for audio offload playback. r=roc, r=jld, r=ggrisco
...
Resolve the build failure caused by API changes
There are some changes in Audio APIs in Android version
21. Modifying the code to use the new APIs.
Change-Id: I24fdeb20f8f957d05fb6c0c317de0a6f0769c347
Resolve seccomp violation caused by syscall 256
Modify the filter to allow syscall 256 (set_tid_address).
Change-Id: I49461770c4c5e70bf68462d34321381b0b7ead0a
2014-12-02 17:10:00 -05:00
1b16fc180f
Bug 1101170 - Move Linux sandbox code into plugin-container on desktop. r=kang r=glandium
...
Specifically:
* SandboxCrash() uses internal Gecko interfaces, so stays in libxul.
* SandboxInfo moves to libxul from libmozsandbox, which no longer exists.
* Where libxul calls Set*Sandbox(), it uses weak symbols.
* Everything remains as it was on mobile.
2014-11-24 15:22:13 -08:00
2fdd7150c1
Bug 1101170 - Move sandbox status info into a separate module. r=kang r=glandium
...
This changes the interface so that the code which determines the flags
can live in one place, but checking the flags doesn't need to call into
another library.
Also removes the no-op wrappers for Set*Sandbox when disabled at build
time; nothing used them, one of them was unusable due to having the wrong
type, and all they really accomplish is allowing sloppiness with ifdefs
(which could hide actual mistakes).
2014-11-24 15:22:13 -08:00
59573e5f85
Bug 1077057 - Expose Linux sandboxing information to JS via nsSystemInfo. r=kang r=froydnj
...
This adds "hasSeccompBPF" for seccomp-bpf support; other "has" keys
will be added in the future (e.g., user namespaces).
This also adds "canSandboxContent" and "canSandboxMedia", which are
absent if the corresponding type of sandboxing isn't enabled at build
type (or is disabled with environment variables), and otherwise present
as a boolean indicating whether that type of sandboxing is supported.
Currently this is always the same as hasSeccompBPF, but that could change
in the future.
Some changes have been made to the "mozilla/Sandbox.h" interface to
support this; the idea is that the MOZ_DISABLE_*_SANDBOX environment
variables should be equivalent to disabling MOZ_*_SANDBOX at build time.
2014-11-06 13:11:00 +01:00
e6ede214a5
Bug 1093893 - Fix B2G sandbox for ICS Bionic pthread_kill(). r=kang
2014-11-06 11:04:14 -08:00
5ec3c350dd
Bug 1081242 - Make ASAN's error reporting work while sandboxed on Linux. r=kang
2014-10-21 11:18:00 +02:00
82a97e04c9
Bug 1078838 - Restrict clone(2) flags for sandboxed content processes. r=kang
...
--HG--
extra : amend_source : f80a3a672f5496f76d8649f0c8ab905044ea81ac
2014-10-20 12:29:25 -07:00
67e50f1aa1
Bug 1080165 - Allow setpriority() to fail without crashing in media plugins on Linux. r=kang
2014-10-16 12:42:00 +02:00
56cddbd763
Bug 1080077 - For sandbox failures with no crash reporter, log the C stack. r=kang
...
This is mostly for ASAN builds, which --disable-crash-reporter, but also
fixes a related papercut: debug builds don't use the crash reporter
unless overridden with an environment variable.
Note: this is Linux-only, so NS_StackWalk is always part of the build;
see also bug 1063455.
2014-10-13 18:48:17 -07:00
5043e01249
Bug 1068410 - Convert remote crash dump to use pipe instead of socketpair in the child. r=kang r=ted
2014-10-03 14:55:03 -07:00
9fd62691c6
Bug 1069700 - Fix recursive crash when non-content children violate sandbox policy. r=kang
2014-09-18 18:17:00 -04:00
4728b78382
bug 1062567 - prevent gcc lto builds from dropping SyscallAsm on the floor r=froydnj
2014-09-15 19:46:14 -04:00
af04cea2d8
Bug 1059038 - Move mozilla::unused from xpcom/glue to mfbt. r=Waldo
...
--HG--
rename : xpcom/glue/unused.cpp => mfbt/unused.cpp
rename : xpcom/glue/unused.h => mfbt/unused.h
2014-08-29 10:11:00 +02:00
4b99580194
Bug 1059113 - Use templates for shared libraries and frameworks. r=gps
...
Also force to use the existing template for XPCOM components.
2014-09-04 09:04:45 +09:00
ed70c5f377
Bug 1041941 - Use templates for programs, simple programs, libraries and C++ unit tests. r=gps
2014-09-03 14:10:54 +09:00
1dfa299843
Bug 1061085 - Clean up misused export macros from bug 1041886. r=glandium
2014-08-31 23:23:00 +02:00
1ea7e357ca
Bug 1059602 - Make libxul -> libmozsandbox dependency not a weak symbol. r=glandium
...
MFBT_API is not the right macro for this; it changes the affected
definition/usage to a weak symbol, for reasons explained in the comments
on its definition.
This was causing the linker to drop the dependency from libmozglue
to libmozsandbox, in some cases (--as-needed, with a linker that
doesn't consider weak symbols "needed"), and thus load libxul with
gSandboxCrashFunc relocated to address 0 (the expected behavior of an
unresolved weak symbol), which caused crashes when writing to it on
startup.
--HG--
extra : amend_source : b99fded391ae90b1311f4cabaf40f15e6414f245
2014-08-28 23:23:13 -07:00
3f1e2a85b6
Bug 1041886 - Fix no-opt-only build bustage caused by mozilla::unused. r=glandium
...
See also bug 1059038.
2014-08-26 19:23:44 -07:00
3ae6c90876
Bug 1054616 - Clean up logging-related shims for Linux sandboxing. r=kang
2014-08-26 13:54:16 -07:00
23c21aa709
Bug 1041886 - Separate Linux sandbox code into its own shared library. r=kang r=glandium
...
This creates libmozsandbox.so on builds that use sandboxing
(MOZ_CONTENT_SANDBOX or MOZ_GMP_SANDBOX).
The unavoidably libxul-dependent parts, for invoking the crash reporter
and printing the JS context, are separated into glue/SandboxCrash.cpp
and invoked via a callback.
2014-08-26 13:54:09 -07:00
e020caf2de
Bug 1041886 - Break out Linux sandbox logging into its own header. r=kang
2014-08-26 13:54:03 -07:00
1c8a8d2d9b
No bug - Add trailing newlines for non-Android Linux sandbox logging. r=kang
...
--HG--
extra : rebase_source : c0e936b62289c0e5eecad41fce9afac881fe4667
2014-08-14 15:39:14 -07:00
033a6785eb
Bug 1043733 - Require sandboxing to load Gecko Media Plugins on Linux. r=jesup r=kang
...
Also refactors how sandbox support and disabling are handled, and allows
simulating a lack of sandbox support with an env var (for testing
without rebuilding a kernel).
2014-08-12 21:28:27 -07:00
b0bd63525b
Bug 1047620 - Fix sandboxing for B2G --disable-jemalloc builds. r=kang
...
--HG--
extra : rebase_source : 1b2ec6491277a9dc451ab767d8563076cf522c27
2014-08-04 15:11:33 -07:00
9d31844f0c
Bug 1012951 - Add Linux sandboxing for GeckoMediaPlugin processes. r=kang r=ted
...
--HG--
extra : rebase_source : 1b890000d5b8d2a8954cdd1118a1023eba829c29
2014-08-04 15:11:18 -07:00
d2d145dc65
Bug 1046541 - Use stdio for non-Android Linux sandbox error messages. r=kang
...
--HG--
extra : rebase_source : e93a4a76f8188d715886e263a366d694c28b4525
2014-08-04 15:11:04 -07:00
9b70e225e5
Bug 1046525 - Allow get{e,}gid and sched_{g,s}etparam in sandboxed content processes. r=kang
...
Some of these were already in the desktop whitelist; those duplicates
are removed.
--HG--
extra : amend_source : 3ab4b50e3f1980b4d7b93cc17f34b926e2aa2396
2014-08-01 15:05:44 -07:00
dcbfd040d1
Backed out changeset d50d7e88f35e (bug 1012951) for LSan failures
2014-07-30 16:49:43 +01:00
8cff1bfff8
Bug 1012951 - Sandbox GMP plugins on Linux using seccomp-bpf. r=kang r=ted
2014-07-29 15:31:12 -07:00
301d254a40
Bug 1017393 - Record rejected syscall number in crash dump. r=kang
2014-07-24 11:36:00 +02:00
90ebf4e684
Bug 1037211 - Remove MOZ_CONTENT_SANDBOX_REPORTER by making it always true. r=kang r=ted
...
--HG--
extra : amend_source : 450d51dab077794e194bf407044de95627de0cde
2014-07-17 14:57:28 -07:00
c55ab9dd20
Bug 1038900 - Dynamically allocate signal number for sandbox startup. r=kang
2014-07-16 13:37:00 +02:00
2ff3fcad0d
Bug 1038490 - Fix misuse of MOZ_WIDGET_GONK in Linux content process sandbox policy. r=kang
...
--HG--
extra : amend_source : 0a7fe8ca751b59102cbc23316b18982268306423
2014-07-14 18:35:56 -07:00
79f8763545
Bug 1038486 - Fix Linux desktop seccomp sandbox build on 32-bit x86. r=kang
...
--HG--
extra : amend_source : 130d2cbd485734997739ea96ac5d83c01899d8b0
2014-07-09 16:52:56 -07:00
20443103f0
Bug 1035786 - Fix namespace bug in Linux sandbox LOG_ERROR macro. r=jld
2014-07-08 05:53:00 +01:00
51e7e12a6c
Bug 1035786 - Avoid warning-as-error sandbox build failure with an explicit cast. r=gdestuynder
...
getpid() is never negative, so this is safe.
2014-07-10 17:37:45 -07:00
d9210e4477
Bug 1035786 - Fix member variable initialisation order in LogMessage stub in Linux Sandbox.cpp. r=jld
2014-07-09 12:32:49 +01:00
afdeb7bf07
Bug 956961 - Stop disabling sandboxing when DMD is enabled. r=kang
...
--HG--
extra : rebase_source : 4737cfd613c1ddee8e1a4340e819eddc151e73f7
extra : histedit_source : 2d2610a775a3ae986157f61ef3797f4e88baa922
2014-07-02 11:28:48 -07:00
03cdc19fec
Backed out 3 changesets (bug 956961) for non-unified build bustage
...
Backed out changeset f1be89cb58b9 (bug 956961)
Backed out changeset 272b01e4f856 (bug 956961)
Backed out changeset 56907af18c66 (bug 956961)
2014-07-02 15:03:29 -07:00
1ef012aafb
Bug 956961 - Stop disabling sandboxing when DMD is enabled. r=kang
...
--HG--
extra : amend_source : 66f2453794e6a8a581e1564e786cfc8cac1f6bbd
2014-07-02 11:28:48 -07:00
0fb3cb7f61
Bug 1014299 - Add times() to seccomp whitelist. r=kang
...
This system call seems to be used by some versions of the Qualcomm Adreno
graphics drivers when we run WebGL apps.
2014-06-02 14:52:00 +02:00
9f78dc2ea0
Bug 920372 - Fix socketcall whitelisting on i386. r=kang
2014-05-20 18:38:14 -07:00
f6ffcab30d
Bug 920372 - Allow tgkill only for threads of the calling process itself. r=kang
2014-05-20 18:38:06 -07:00
ebb89f61f4
Bug 920372 - Use Chromium seccomp-bpf compiler to dynamically build sandbox program. r=kang
2014-05-20 18:37:53 -07:00
3ab8eb01df
Bug 1004832 - Add tgkill to seccomp-bpf whitelist. r=kang
2014-05-02 16:57:00 +02:00
3fd7deadb7
Bug 997409 - Add set_thread_area to seccomp whitelist if available. r=kang
2014-04-17 16:23:23 -04:00
59ee14f2ce
Bug 981949 - Whitelist ftruncate for seccomp-bpf sandboxing. r=kang
2014-04-11 13:09:00 +02:00
e3cb82bf06
Bug 995047 followup. Fix a caller that I missed because it's only compiled on some platforms, so we can reopen the CLOSED TREE
2014-04-12 00:38:06 -04:00
7f0d9d7eb4
Bug 993145 - Skip attempting seccomp sandboxing if seccomp unavailable. r=kang
2014-04-09 15:23:00 +02:00
628fb11481
Bug 989172 - Re-add sigaltstack to seccomp whitelist. r=kang
...
This reinstates the patch from bug 983518, which was unintentionally
dropped while merging with the reorganization in bug 985227.
2014-03-28 17:58:26 -07:00
5a499cf36e
Bug 985227 - Part 3: Replace the seccomp filter arch ifdefs with syscall existence tests. r=kang
2014-03-20 10:19:42 -04:00
ebdd7da812
Bug 985227 - Part 2: Flatten out the #define maze in the seccomp filter. r=kang
2014-03-20 10:19:42 -04:00
5ddfd55b71
Bug 985227 - Part 1: Move the seccomp filter into its own translation unit. r=kang
...
--HG--
rename : security/sandbox/linux/seccomp_filter.h => security/sandbox/linux/SandboxFilter.cpp
2014-03-20 10:19:42 -04:00
3c61d46763
Bug 975273 - Add missing include to unbreak desktop seccomp build. r=kang
2014-03-20 09:27:28 -04:00
6034a4eab4
Bug 983518: Fix running B2G-1.4 on KitKat by whitelisting sigalstack in the sandbox. r=kang r=jld
2014-03-14 18:54:20 -07:00
c7a5c70ed1
Bug 944625 - B2G Emulator-x86: fix undeclared __NR_sendto, __NR_recvfrom. r=jld,kang
2014-03-13 13:44:43 +09:00
154d9c5e2a
Bug 977859 - Drop uid 0 in all content processes immediately after fork. r=bent r=kang
...
Now all regular child processes, including preallocated, are deprivileged.
Only Nuwa needs uid 0, because each of its children has a different uid/gid.
2014-03-12 15:48:15 -07:00
0b447036a1
Bug 979686 - Fix the non-(ARM|x86|x86_64) desktop build. r=kang
2014-03-06 12:23:06 -08:00
a76ee1d66c
Bug 946407 - Disable sandbox when DMDing. r=njn r=kang
...
See also bug 956961.
2014-03-04 18:27:14 -08:00
789c3d2ddb
Bug 970676 - Turn on sandboxing on all relevant threads. r=dhylands r=bent f=kang
2014-02-27 13:18:01 -08:00
065803a376
Bug 971128 - Add sched_yield to seccomp whitelist. r=kang
2014-02-22 18:58:59 -08:00
de99e18e18
Bug 970562 - Add sched_getscheduler to seccomp whitelist. r=kang
2014-02-22 18:58:59 -08:00
ad35f7df7c
Bug 974230 - Adjust sandbox so that socket() simply fails. r=kang
...
This is a workaround for issues with the SCTP code (bug 969715) and
NSPR's IPv6 support (bug 936320).
2014-02-20 09:35:44 -05:00
3a2e9e491d
Bug 966547 - Switch sipcc from named to anonymous sockets on Unix. r=jesup, r=kang
2014-02-20 09:35:26 -05:00
c630909fd0
Bug 974227 - Allow readlink while sandboxed to work around bug 964455. r=kang
2014-02-19 15:55:42 -05:00
3211da1532
Merge m-c to inbound on a CLOSED TREE
2014-02-13 18:50:08 -08:00
abe287ce8a
Bug 971370 - Fix seccomp whitelist errors caused by strace bug. r=kang
2014-02-13 09:47:16 -05:00
5957791d98
bug 948620 - Add env variable MOZ_DISABLE_CONTENT_SANDBOX to disable sandbox at runtime. r=jld
2014-02-13 16:26:28 -08:00
be875d9a91
Bug 945504 - Include JS stack in sandbox reporter logs. r=kang
2014-02-07 10:46:38 -05:00
4fd1e475bc
Bug 969126 - Fix sandbox build for b2g on OS X. r=kang
2014-02-06 16:11:53 -08:00
9af16a662a
Bug 945498 - Use breakpad to report seccomp violations as crashes. r=ted, r=kang
...
Upstream issue for breakpad patch: https://breakpad.appspot.com/1114003/
2014-02-05 13:29:51 -05:00
7752a142f0
Bug 964427 - Whitelist msync (asm.js cache) and sched_get_priority_m{in,ax} (webrtc). r=kang
2014-01-28 09:04:39 -05:00
7ee34b3db7
Bug 960365 - Whitelist uname for nsSystemInfo. r=kang
2014-01-21 15:48:00 -05:00
1acb8c0912
Bug 945330 - Reword and slightly improve sandbox violation log message. r=kang
...
The main goal is to have a message that unambiguously indicates a crash,
so mozharness can grep for it even if some of the details change later.
Also now includes the entire argument list; most syscalls don't use all
six, so the last few will be meaningless, but it can't hurt to log them.
2014-01-10 08:22:58 -05:00
52ab5ad2dc
Merge b2g-inbound to m-c.
2013-12-09 17:26:11 -05:00
3440613a39
Bug 713082 - Part 2: Rename Util.h to ArrayUtils.h. r=Waldo
...
--HG--
rename : mfbt/Util.h => mfbt/ArrayUtils.h
2013-12-08 21:52:54 -05:00
00ea22f388
Bug 944625 - B2G Emulator-x86: fix undeclared __NR_socketpair, __NR_sendmsg. r=kang,jld
2013-12-09 21:02:54 +08:00
6b929fc140
Bug 943774 - Allow sigaction when sandboxed, for the crash reporter. r=kang
2013-12-03 18:45:17 -05:00
c51e826c53
Bug 937258 - Part a: Remove empty makefiles; r=gps
2013-11-28 15:25:40 +01:00
b8680805ea
Bug 935111 - Enable seccomp-bpf for Linux. r=jld
2013-11-19 16:09:18 -08:00
2812d11fce
Bug 939632 - Remove LIBRARY_NAME for leaf libraries. r=gps
...
Landing on a CLOSED TREE.
2013-11-19 11:50:54 +09:00
e06d795c71
Bug 939074 - Remove most LIBXUL_LIBRARY. rs=gps
2013-11-19 11:48:10 +09:00
e80e877ab7
Bug 939044 - Remove most definitions of MODULE. r=mshal
2013-11-19 11:47:39 +09:00
ffe0380912
Bug 935881 - Use FINAL_LIBRARY for all (fake) libraries that end up linked in a single other library. r=gps
2013-11-19 11:47:14 +09:00
c4794bebcf
Bug 936163 - Fix profiling-specific sandbox whitelist for x86_64. r=kang
...
There is no sigaction, only rt_sigaction.
2013-11-08 13:30:05 -08:00
d8cfcfe430
Bug 936252 - Augment seccomp whitelist for b2g mochitests. r=kang
...
FormHistory invokes sqlite3, which calls fsync and geteuid.
A form test calls nsIFile's remove method, which uses lstat.
The crash reporter uses socketpair/sendmsg, to send a pipe back to the parent.
2013-11-11 09:11:43 -05:00
47aea81a72
Bug 936145 - Clean up architecture-specific parts of seccomp whitelist. r=kang
2013-11-08 15:31:20 -05:00
de45bd4422
Bug 922756 - Build config for Chromium sandbox. r=bsmedberg
...
--HG--
rename : security/sandbox/LICENSE => security/sandbox/linux/LICENSE
rename : security/sandbox/Makefile.in => security/sandbox/linux/Makefile.in
rename : security/sandbox/Sandbox.cpp => security/sandbox/linux/Sandbox.cpp
rename : security/sandbox/Sandbox.h => security/sandbox/linux/Sandbox.h
rename : security/sandbox/android_arm_ucontext.h => security/sandbox/linux/android_arm_ucontext.h
rename : security/sandbox/android_i386_ucontext.h => security/sandbox/linux/android_i386_ucontext.h
rename : security/sandbox/android_ucontext.h => security/sandbox/linux/android_ucontext.h
rename : security/sandbox/arm_linux_syscalls.h => security/sandbox/linux/arm_linux_syscalls.h
rename : security/sandbox/linux_seccomp.h => security/sandbox/linux/linux_seccomp.h
rename : security/sandbox/linux_syscalls.h => security/sandbox/linux/linux_syscalls.h
rename : security/sandbox/moz.build => security/sandbox/linux/moz.build
rename : security/sandbox/seccomp_filter.h => security/sandbox/linux/seccomp_filter.h
rename : security/sandbox/x86_32_linux_syscalls.h => security/sandbox/linux/x86_32_linux_syscalls.h
rename : security/sandbox/x86_64_linux_syscalls.h => security/sandbox/linux/x86_64_linux_syscalls.h
2013-10-28 14:54:36 -07:00
Jed Davis
Jay Wang
Trevor Saunders
Mike Hommey
Ed Morley
jvoisin
Bob Owen
Wes Kocher
Boris Zbarsky
Guillaume Destuynder
Vicamo Yang
Eric Rahm
Ryan VanderMeulen
Birunthan Mohanathas
Ms2ger
Christoph Kerschbaumer
Brian R. Bondy