Nuke the sandbox

4 files changed, 0 insertions, 460 deletions

diff --git a/security/sandbox/test/browser.ini b/security/sandbox/test/browser.ini
deleted file mode 100644
index 7e3e96ea4..000000000
--- a/security/sandbox/test/browser.ini
+++ /dev/null
@@ -1,11 +0,0 @@
-# Any copyright is dedicated to the Public Domain.
-# http://creativecommons.org/publicdomain/zero/1.0/
-[DEFAULT]
-tags = contentsandbox
-support-files =
-  browser_content_sandbox_utils.js
-
-skip-if = !e10s
-[browser_content_sandbox_fs.js]
-skip-if = !e10s
-[browser_content_sandbox_syscalls.js]
diff --git a/security/sandbox/test/browser_content_sandbox_fs.js b/security/sandbox/test/browser_content_sandbox_fs.js
deleted file mode 100644
index 946f86bb9..000000000
--- a/security/sandbox/test/browser_content_sandbox_fs.js
+++ /dev/null
@@ -1,169 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-
-var prefs = Cc["@mozilla.org/preferences-service;1"]
-            .getService(Ci.nsIPrefBranch);
-
-Services.scriptloader.loadSubScript("chrome://mochitests/content/browser/" +
-    "security/sandbox/test/browser_content_sandbox_utils.js", this);
-
-/*
- * This test exercises file I/O from the content process using OS.File
- * methods to validate that calls that are meant to be blocked by content
- * sandboxing are blocked.
- */
-
-// Creates file at |path| and returns a promise that resolves with true
-// if the file was successfully created, otherwise false. Include imports
-// so this can be safely serialized and run remotely by ContentTask.spawn.
-function createFile(path) {
-  Components.utils.import("resource://gre/modules/osfile.jsm");
-  let encoder = new TextEncoder();
-  let array = encoder.encode("WRITING FROM CONTENT PROCESS");
-  return OS.File.writeAtomic(path, array).then(function(value) {
-    return true;
-  }, function(reason) {
-    return false;
-  });
-}
-
-// Deletes file at |path| and returns a promise that resolves with true
-// if the file was successfully deleted, otherwise false. Include imports
-// so this can be safely serialized and run remotely by ContentTask.spawn.
-function deleteFile(path) {
-  Components.utils.import("resource://gre/modules/osfile.jsm");
-  return OS.File.remove(path, {ignoreAbsent: false}).then(function(value) {
-    return true;
-  }).catch(function(err) {
-    return false;
-  });
-}
-
-// Returns true if the current content sandbox level, passed in
-// the |level| argument, supports filesystem sandboxing.
-function isContentFileIOSandboxed(level) {
-  let fileIOSandboxMinLevel = 0;
-
-  // Set fileIOSandboxMinLevel to the lowest level that has
-  // content filesystem sandboxing enabled. For now, this
-  // varies across Windows, Mac, Linux, other.
-  switch (Services.appinfo.OS) {
-    case "WINNT":
-      fileIOSandboxMinLevel = 1;
-      break;
-    case "Darwin":
-      fileIOSandboxMinLevel = 1;
-      break;
-    case "Linux":
-      fileIOSandboxMinLevel = 2;
-      break;
-    default:
-      Assert.ok(false, "Unknown OS");
-  }
-
-  return (level >= fileIOSandboxMinLevel);
-}
-
-//
-// Drive tests for a single content process.
-//
-// Tests attempting to write to a file in the home directory from the
-// content process--expected to fail.
-//
-// Tests attempting to write to a file in the content temp directory
-// from the content process--expected to succeed. On Mac and Windows,
-// use "ContentTmpD", but on Linux use "TmpD" until Linux uses the
-// content temp dir key.
-//
-add_task(function*() {
-  // This test is only relevant in e10s
-  if (!gMultiProcessBrowser) {
-    ok(false, "e10s is enabled");
-    info("e10s is not enabled, exiting");
-    return;
-  }
-
-  let level = 0;
-  let prefExists = true;
-
-  // Read the security.sandbox.content.level pref.
-  // If the pref isn't set and we're running on Linux on !isNightly(),
-  // exit without failing. The Linux content sandbox is only enabled
-  // on Nightly at this time.
-  try {
-    level = prefs.getIntPref("security.sandbox.content.level");
-  } catch (e) {
-    prefExists = false;
-  }
-
-  // Special case Linux on !isNightly
-  if (isLinux() && !isNightly()) {
-    todo(prefExists, "pref security.sandbox.content.level exists");
-    if (!prefExists) {
-      return;
-    }
-  }
-
-  ok(prefExists, "pref security.sandbox.content.level exists");
-  if (!prefExists) {
-    return;
-  }
-
-  // Special case Linux on !isNightly
-  if (isLinux() && !isNightly()) {
-    todo(level > 0, "content sandbox enabled for !nightly.");
-    return;
-  }
-
-  info(`security.sandbox.content.level=${level}`);
-  ok(level > 0, "content sandbox is enabled.");
-  if (level == 0) {
-    info("content sandbox is not enabled, exiting");
-    return;
-  }
-
-  let isFileIOSandboxed = isContentFileIOSandboxed(level);
-
-  // Special case Linux on !isNightly
-  if (isLinux() && !isNightly()) {
-    todo(isFileIOSandboxed, "content file I/O sandbox enabled for !nightly.");
-    return;
-  }
-
-  // Content sandbox enabled, but level doesn't include file I/O sandboxing.
-  ok(isFileIOSandboxed, "content file I/O sandboxing is enabled.");
-  if (!isFileIOSandboxed) {
-    info("content sandbox level too low for file I/O tests, exiting\n");
-    return;
-  }
-
-  let browser = gBrowser.selectedBrowser;
-
-  {
-    // test if the content process can create in $HOME, this should fail
-    let homeFile = fileInHomeDir();
-    let path = homeFile.path;
-    let fileCreated = yield ContentTask.spawn(browser, path, createFile);
-    ok(fileCreated == false, "creating a file in home dir is not permitted");
-    if (fileCreated == true) {
-      // content process successfully created the file, now remove it
-      homeFile.remove(false);
-    }
-  }
-
-  {
-    // test if the content process can create a temp file, should pass
-    let path = fileInTempDir().path;
-    let fileCreated = yield ContentTask.spawn(browser, path, createFile);
-    if (!fileCreated && isWin()) {
-      // TODO: fix 1329294 and enable this test for Windows.
-      // Not using todo() because this only fails on automation.
-      info("ignoring failure to write to content temp due to 1329294\n");
-      return;
-    }
-    ok(fileCreated == true, "creating a file in content temp is permitted");
-    // now delete the file
-    let fileDeleted = yield ContentTask.spawn(browser, path, deleteFile);
-    ok(fileDeleted == true, "deleting a file in content temp is permitted");
-  }
-});
diff --git a/security/sandbox/test/browser_content_sandbox_syscalls.js b/security/sandbox/test/browser_content_sandbox_syscalls.js
deleted file mode 100644
index d56456966..000000000
--- a/security/sandbox/test/browser_content_sandbox_syscalls.js
+++ /dev/null
@@ -1,223 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-
-var prefs = Cc["@mozilla.org/preferences-service;1"]
-            .getService(Ci.nsIPrefBranch);
-
-Services.scriptloader.loadSubScript("chrome://mochitests/content/browser/" +
-    "security/sandbox/test/browser_content_sandbox_utils.js", this);
-
-/*
- * This test is for executing system calls in content processes to validate
- * that calls that are meant to be blocked by content sandboxing are blocked.
- * We use the term system calls loosely so that any OS API call such as
- * fopen could be included.
- */
-
-// Calls the native execv library function. Include imports so this can be
-// safely serialized and run remotely by ContentTask.spawn.
-function callExec(args) {
-  Components.utils.import("resource://gre/modules/ctypes.jsm");
-  let {lib, cmd} = args;
-  let libc = ctypes.open(lib);
-  let exec = libc.declare("execv", ctypes.default_abi,
-      ctypes.int, ctypes.char.ptr);
-  let rv = exec(cmd);
-  libc.close();
-  return (rv);
-}
-
-// Calls the native fork syscall.
-function callFork(args) {
-  Components.utils.import("resource://gre/modules/ctypes.jsm");
-  let {lib} = args;
-  let libc = ctypes.open(lib);
-  let fork = libc.declare("fork", ctypes.default_abi, ctypes.int);
-  let rv = fork();
-  libc.close();
-  return (rv);
-}
-
-// Calls the native open/close syscalls.
-function callOpen(args) {
-  Components.utils.import("resource://gre/modules/ctypes.jsm");
-  let {lib, path, flags} = args;
-  let libc = ctypes.open(lib);
-  let open = libc.declare("open", ctypes.default_abi,
-                          ctypes.int, ctypes.char.ptr, ctypes.int);
-  let close = libc.declare("close", ctypes.default_abi,
-                           ctypes.int, ctypes.int);
-  let fd = open(path, flags);
-  close(fd);
-  libc.close();
-  return (fd);
-}
-
-// open syscall flags
-function openWriteCreateFlags() {
-  Assert.ok(isMac() || isLinux());
-  if (isMac()) {
-    let O_WRONLY = 0x001;
-    let O_CREAT  = 0x200;
-    return (O_WRONLY | O_CREAT);
-  } else {
-    // Linux
-    let O_WRONLY = 0x01;
-    let O_CREAT  = 0x40;
-    return (O_WRONLY | O_CREAT);
-  }
-}
-
-// Returns the name of the native library needed for native syscalls
-function getOSLib() {
-  switch (Services.appinfo.OS) {
-    case "WINNT":
-      return "kernel32.dll";
-    case "Darwin":
-      return "libc.dylib";
-    case "Linux":
-      return "libc.so.6";
-    default:
-      Assert.ok(false, "Unknown OS");
-  }
-}
-
-// Returns a harmless command to execute with execv
-function getOSExecCmd() {
-  Assert.ok(!isWin());
-  return ("/bin/cat");
-}
-
-// Returns true if the current content sandbox level, passed in
-// the |level| argument, supports syscall sandboxing.
-function areContentSyscallsSandboxed(level) {
-  let syscallsSandboxMinLevel = 0;
-
-  // Set syscallsSandboxMinLevel to the lowest level that has
-  // syscall sandboxing enabled. For now, this varies across
-  // Windows, Mac, Linux, other.
-  switch (Services.appinfo.OS) {
-    case "WINNT":
-      syscallsSandboxMinLevel = 1;
-      break;
-    case "Darwin":
-      syscallsSandboxMinLevel = 1;
-      break;
-    case "Linux":
-      syscallsSandboxMinLevel = 2;
-      break;
-    default:
-      Assert.ok(false, "Unknown OS");
-  }
-
-  return (level >= syscallsSandboxMinLevel);
-}
-
-//
-// Drive tests for a single content process.
-//
-// Tests executing OS API calls in the content process. Limited to Mac
-// and Linux calls for now.
-//
-add_task(function*() {
-  // This test is only relevant in e10s
-  if (!gMultiProcessBrowser) {
-    ok(false, "e10s is enabled");
-    info("e10s is not enabled, exiting");
-    return;
-  }
-
-  let level = 0;
-  let prefExists = true;
-
-  // Read the security.sandbox.content.level pref.
-  // If the pref isn't set and we're running on Linux on !isNightly(),
-  // exit without failing. The Linux content sandbox is only enabled
-  // on Nightly at this time.
-  try {
-    level = prefs.getIntPref("security.sandbox.content.level");
-  } catch (e) {
-    prefExists = false;
-  }
-
-  // Special case Linux on !isNightly
-  if (isLinux() && !isNightly()) {
-    todo(prefExists, "pref security.sandbox.content.level exists");
-    if (!prefExists) {
-      return;
-    }
-  }
-
-  ok(prefExists, "pref security.sandbox.content.level exists");
-  if (!prefExists) {
-    return;
-  }
-
-  // Special case Linux on !isNightly
-  if (isLinux() && !isNightly()) {
-    todo(level > 0, "content sandbox enabled for !nightly.");
-    return;
-  }
-
-  info(`security.sandbox.content.level=${level}`);
-  ok(level > 0, "content sandbox is enabled.");
-  if (level == 0) {
-    info("content sandbox is not enabled, exiting");
-    return;
-  }
-
-  let areSyscallsSandboxed = areContentSyscallsSandboxed(level);
-
-  // Special case Linux on !isNightly
-  if (isLinux() && !isNightly()) {
-    todo(areSyscallsSandboxed, "content syscall sandbox enabled for !nightly.");
-    return;
-  }
-
-  // Content sandbox enabled, but level doesn't include syscall sandboxing.
-  ok(areSyscallsSandboxed, "content syscall sandboxing is enabled.");
-  if (!areSyscallsSandboxed) {
-    info("content sandbox level too low for syscall tests, exiting\n");
-    return;
-  }
-
-  let browser = gBrowser.selectedBrowser;
-  let lib = getOSLib();
-
-  // use execv syscall
-  // (causes content process to be killed on Linux)
-  if (isMac()) {
-    // exec something harmless, this should fail
-    let cmd = getOSExecCmd();
-    let rv = yield ContentTask.spawn(browser, {lib, cmd}, callExec);
-    ok(rv == -1, `exec(${cmd}) is not permitted`);
-  }
-
-  // use open syscall
-  if (isLinux() || isMac())
-  {
-    // open a file for writing in $HOME, this should fail
-    let path = fileInHomeDir().path;
-    let flags = openWriteCreateFlags();
-    let fd = yield ContentTask.spawn(browser, {lib, path, flags}, callOpen);
-    ok(fd < 0, "opening a file for writing in home is not permitted");
-  }
-
-  // use open syscall
-  if (isLinux() || isMac())
-  {
-    // open a file for writing in the content temp dir, this should work
-    // and the open handler in the content process closes the file for us
-    let path = fileInTempDir().path;
-    let flags = openWriteCreateFlags();
-    let fd = yield ContentTask.spawn(browser, {lib, path, flags}, callOpen);
-    ok(fd >= 0, "opening a file for writing in content temp is permitted");
-  }
-
-  // use fork syscall
-  if (isLinux() || isMac())
-  {
-    let rv = yield ContentTask.spawn(browser, {lib}, callFork);
-    ok(rv == -1, "calling fork is not permitted");
-  }
-});
diff --git a/security/sandbox/test/browser_content_sandbox_utils.js b/security/sandbox/test/browser_content_sandbox_utils.js
deleted file mode 100644
index 0e9d01352..000000000
--- a/security/sandbox/test/browser_content_sandbox_utils.js
+++ /dev/null
@@ -1,57 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-
-const uuidGenerator = Cc["@mozilla.org/uuid-generator;1"]
-                      .getService(Ci.nsIUUIDGenerator);
-
-/*
- * Utility functions for the browser content sandbox tests.
- */
-
-function isMac() { return Services.appinfo.OS == "Darwin" }
-function isWin() { return Services.appinfo.OS == "WINNT" }
-function isLinux() { return Services.appinfo.OS == "Linux" }
-
-function isNightly() {
-  let version = SpecialPowers.Cc["@mozilla.org/xre/app-info;1"].
-    getService(SpecialPowers.Ci.nsIXULAppInfo).version;
-  return (version.endsWith("a1"));
-}
-
-function uuid() {
-  return uuidGenerator.generateUUID().toString();
-}
-
-// Returns a file object for a new file in the home dir ($HOME/<UUID>).
-function fileInHomeDir() {
-  // get home directory, make sure it exists
-  let homeDir = Services.dirsvc.get("Home", Ci.nsILocalFile);
-  Assert.ok(homeDir.exists(), "Home dir exists");
-  Assert.ok(homeDir.isDirectory(), "Home dir is a directory");
-
-  // build a file object for a new file named $HOME/<UUID>
-  let homeFile = homeDir.clone();
-  homeFile.appendRelativePath(uuid());
-  Assert.ok(!homeFile.exists(), homeFile.path + " does not exist");
-  return (homeFile);
-}
-
-// Returns a file object for a new file in the content temp dir (.../<UUID>).
-function fileInTempDir() {
-  let contentTempKey = "ContentTmpD";
-  if (Services.appinfo.OS == "Linux") {
-    // Linux builds don't use the content-specific temp key
-    contentTempKey = "TmpD";
-  }
-
-  // get the content temp dir, make sure it exists
-  let ctmp = Services.dirsvc.get(contentTempKey, Ci.nsILocalFile);
-  Assert.ok(ctmp.exists(), "Content temp dir exists");
-  Assert.ok(ctmp.isDirectory(), "Content temp dir is a directory");
-
-  // build a file object for a new file in content temp
-  let tempFile = ctmp.clone();
-  tempFile.appendRelativePath(uuid());
-  Assert.ok(!tempFile.exists(), tempFile.path + " does not exist");
-  return (tempFile);
-}