Diffstat (limited to 'security/sandbox')
-rw-r--r--security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h9
-rw-r--r--security/sandbox/linux/Sandbox.cpp28
-rw-r--r--security/sandbox/linux/Sandbox.h8
-rw-r--r--security/sandbox/linux/SandboxFilter.cpp489
-rw-r--r--security/sandbox/linux/SandboxFilter.h6
-rw-r--r--security/sandbox/linux/SandboxInfo.cpp8
-rw-r--r--security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp144
-rw-r--r--security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h4
-rw-r--r--security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp124
-rw-r--r--security/sandbox/win/src/sandboxbroker/sandboxBroker.h3
10 files changed, 0 insertions, 823 deletions
diff --git a/security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h b/security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h
index f9402c527..27b6e5239 100644
--- a/security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h
+++ b/security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h
@@ -89,15 +89,6 @@ InitLoggingIfRequired(ProvideLogFunctionCb aProvideLogFunctionCb)
if (Preferences::GetBool("security.sandbox.windows.log") ||
PR_GetEnv("MOZ_WIN_SANDBOX_LOGGING")) {
aProvideLogFunctionCb(Log);
-
-#if defined(MOZ_CONTENT_SANDBOX)
- // We can only log the stack trace on process types where we know that the
- // sandbox won't prevent it.
- if (XRE_IsContentProcess()) {
- Preferences::AddUintVarCache(&sStackTraceDepth,
- "security.sandbox.windows.log.stackTraceDepth");
- }
-#endif
}
}
diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp
index 7f1182be9..65ca467ca 100644
--- a/security/sandbox/linux/Sandbox.cpp
+++ b/security/sandbox/linux/Sandbox.cpp
@@ -626,34 +626,6 @@ SandboxEarlyInit(GeckoProcessType aType)
}
}
-#ifdef MOZ_CONTENT_SANDBOX
-/**
- * Starts the seccomp sandbox for a content process. Should be called
- * only once, and before any potentially harmful content is loaded.
- *
- * Will normally make the process exit on failure.
-*/
-bool
-SetContentProcessSandbox(int aBrokerFd)
-{
- if (!SandboxInfo::Get().Test(SandboxInfo::kEnabledForContent)) {
- if (aBrokerFd >= 0) {
- close(aBrokerFd);
- }
- return false;
- }
-
- // This needs to live until the process exits.
- static Maybe<SandboxBrokerClient> sBroker;
- if (aBrokerFd >= 0) {
- sBroker.emplace(aBrokerFd);
- }
-
- SetCurrentProcessSandbox(GetContentSandboxPolicy(sBroker.ptrOr(nullptr)));
- return true;
-}
-#endif // MOZ_CONTENT_SANDBOX
-
#ifdef MOZ_GMP_SANDBOX
/**
* Starts the seccomp sandbox for a media plugin process. Should be
diff --git a/security/sandbox/linux/Sandbox.h b/security/sandbox/linux/Sandbox.h
index 94b26e25b..aefdda22d 100644
--- a/security/sandbox/linux/Sandbox.h
+++ b/security/sandbox/linux/Sandbox.h
@@ -19,14 +19,6 @@ namespace mozilla {
// This must be called early, while the process is still single-threaded.
MOZ_EXPORT void SandboxEarlyInit(GeckoProcessType aType);
-#ifdef MOZ_CONTENT_SANDBOX
-// Call only if SandboxInfo::CanSandboxContent() returns true.
-// (No-op if MOZ_DISABLE_CONTENT_SANDBOX is set.)
-// aBrokerFd is the filesystem broker client file descriptor,
-// or -1 to allow direct filesystem access.
-MOZ_EXPORT bool SetContentProcessSandbox(int aBrokerFd);
-#endif
-
#ifdef MOZ_GMP_SANDBOX
// Call only if SandboxInfo::CanSandboxMedia() returns true.
// (No-op if MOZ_DISABLE_GMP_SANDBOX is set.)
diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
index f8db9dc80..da7e54300 100644
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -340,495 +340,6 @@ public:
// The process-type-specific syscall rules start here:
-#ifdef MOZ_CONTENT_SANDBOX
-// The seccomp-bpf filter for content processes is not a true sandbox
-// on its own; its purpose is attack surface reduction and syscall
-// interception in support of a semantic sandboxing layer. On B2G
-// this is the Android process permission model; on desktop,
-// namespaces and chroot() will be used.
-class ContentSandboxPolicy : public SandboxPolicyCommon {
- SandboxBrokerClient* mBroker;
-
- // Trap handlers for filesystem brokering.
- // (The amount of code duplication here could be improved....)
-#ifdef __NR_open
- static intptr_t OpenTrap(ArgsRef aArgs, void* aux) {
- auto broker = static_cast<SandboxBrokerClient*>(aux);
- auto path = reinterpret_cast<const char*>(aArgs.args[0]);
- auto flags = static_cast<int>(aArgs.args[1]);
- return broker->Open(path, flags);
- }
-#endif
-
- static intptr_t OpenAtTrap(ArgsRef aArgs, void* aux) {
- auto broker = static_cast<SandboxBrokerClient*>(aux);
- auto fd = static_cast<int>(aArgs.args[0]);
- auto path = reinterpret_cast<const char*>(aArgs.args[1]);
- auto flags = static_cast<int>(aArgs.args[2]);
- if (fd != AT_FDCWD && path[0] != '/') {
- SANDBOX_LOG_ERROR("unsupported fd-relative openat(%d, \"%s\", 0%o)",
- fd, path, flags);
- return BlockedSyscallTrap(aArgs, nullptr);
- }
- return broker->Open(path, flags);
- }
-
-#ifdef __NR_access
- static intptr_t AccessTrap(ArgsRef aArgs, void* aux) {
- auto broker = static_cast<SandboxBrokerClient*>(aux);
- auto path = reinterpret_cast<const char*>(aArgs.args[0]);
- auto mode = static_cast<int>(aArgs.args[1]);
- return broker->Access(path, mode);
- }
-#endif
-
- static intptr_t AccessAtTrap(ArgsRef aArgs, void* aux) {
- auto broker = static_cast<SandboxBrokerClient*>(aux);
- auto fd = static_cast<int>(aArgs.args[0]);
- auto path = reinterpret_cast<const char*>(aArgs.args[1]);
- auto mode = static_cast<int>(aArgs.args[2]);
- // Linux's faccessat syscall has no "flags" argument. Attempting
- // to handle the flags != 0 case is left to userspace; this is
- // impossible to do correctly in all cases, but that's not our
- // problem.
- if (fd != AT_FDCWD && path[0] != '/') {
- SANDBOX_LOG_ERROR("unsupported fd-relative faccessat(%d, \"%s\", %d)",
- fd, path, mode);
- return BlockedSyscallTrap(aArgs, nullptr);
- }
- return broker->Access(path, mode);
- }
-
- static intptr_t StatTrap(ArgsRef aArgs, void* aux) {
- auto broker = static_cast<SandboxBrokerClient*>(aux);
- auto path = reinterpret_cast<const char*>(aArgs.args[0]);
- auto buf = reinterpret_cast<statstruct*>(aArgs.args[1]);
- return broker->Stat(path, buf);
- }
-
- static intptr_t LStatTrap(ArgsRef aArgs, void* aux) {
- auto broker = static_cast<SandboxBrokerClient*>(aux);
- auto path = reinterpret_cast<const char*>(aArgs.args[0]);
- auto buf = reinterpret_cast<statstruct*>(aArgs.args[1]);
- return broker->LStat(path, buf);
- }
-
- static intptr_t StatAtTrap(ArgsRef aArgs, void* aux) {
- auto broker = static_cast<SandboxBrokerClient*>(aux);
- auto fd = static_cast<int>(aArgs.args[0]);
- auto path = reinterpret_cast<const char*>(aArgs.args[1]);
- auto buf = reinterpret_cast<statstruct*>(aArgs.args[2]);
- auto flags = static_cast<int>(aArgs.args[3]);
- if (fd != AT_FDCWD && path[0] != '/') {
- SANDBOX_LOG_ERROR("unsupported fd-relative fstatat(%d, \"%s\", %p, %d)",
- fd, path, buf, flags);
- return BlockedSyscallTrap(aArgs, nullptr);
- }
- if ((flags & ~AT_SYMLINK_NOFOLLOW) != 0) {
- SANDBOX_LOG_ERROR("unsupported flags %d in fstatat(%d, \"%s\", %p, %d)",
- (flags & ~AT_SYMLINK_NOFOLLOW), fd, path, buf, flags);
- return BlockedSyscallTrap(aArgs, nullptr);
- }
- return (flags & AT_SYMLINK_NOFOLLOW) == 0
- ? broker->Stat(path, buf)
- : broker->LStat(path, buf);
- }
-
- static intptr_t ChmodTrap(ArgsRef aArgs, void* aux) {
- auto broker = static_cast<SandboxBrokerClient*>(aux);
- auto path = reinterpret_cast<const char*>(aArgs.args[0]);
- auto mode = static_cast<mode_t>(aArgs.args[1]);
- return broker->Chmod(path, mode);
- }
-
- static intptr_t LinkTrap(ArgsRef aArgs, void *aux) {
- auto broker = static_cast<SandboxBrokerClient*>(aux);
- auto path = reinterpret_cast<const char*>(aArgs.args[0]);
- auto path2 = reinterpret_cast<const char*>(aArgs.args[1]);
- return broker->Link(path, path2);
- }
-
- static intptr_t SymlinkTrap(ArgsRef aArgs, void *aux) {
- auto broker = static_cast<SandboxBrokerClient*>(aux);
- auto path = reinterpret_cast<const char*>(aArgs.args[0]);
- auto path2 = reinterpret_cast<const char*>(aArgs.args[1]);
- return broker->Symlink(path, path2);
- }
-
- static intptr_t RenameTrap(ArgsRef aArgs, void *aux) {
- auto broker = static_cast<SandboxBrokerClient*>(aux);
- auto path = reinterpret_cast<const char*>(aArgs.args[0]);
- auto path2 = reinterpret_cast<const char*>(aArgs.args[1]);
- return broker->Rename(path, path2);
- }
-
- static intptr_t MkdirTrap(ArgsRef aArgs, void* aux) {
- auto broker = static_cast<SandboxBrokerClient*>(aux);
- auto path = reinterpret_cast<const char*>(aArgs.args[0]);
- auto mode = static_cast<mode_t>(aArgs.args[1]);
- return broker->Mkdir(path, mode);
- }
-
- static intptr_t RmdirTrap(ArgsRef aArgs, void* aux) {
- auto broker = static_cast<SandboxBrokerClient*>(aux);
- auto path = reinterpret_cast<const char*>(aArgs.args[0]);
- return broker->Rmdir(path);
- }
-
- static intptr_t UnlinkTrap(ArgsRef aArgs, void* aux) {
- auto broker = static_cast<SandboxBrokerClient*>(aux);
- auto path = reinterpret_cast<const char*>(aArgs.args[0]);
- return broker->Unlink(path);
- }
-
- static intptr_t ReadlinkTrap(ArgsRef aArgs, void* aux) {
- auto broker = static_cast<SandboxBrokerClient*>(aux);
- auto path = reinterpret_cast<const char*>(aArgs.args[0]);
- auto buf = reinterpret_cast<char*>(aArgs.args[1]);
- auto size = static_cast<size_t>(aArgs.args[2]);
- return broker->Readlink(path, buf, size);
- }
-
- static intptr_t GetPPidTrap(ArgsRef aArgs, void* aux) {
- // In a pid namespace, getppid() will return 0. We will return 0 instead
- // of the real parent pid to see what breaks when we introduce the
- // pid namespace (Bug 1151624).
- return 0;
- }
-
-public:
- explicit ContentSandboxPolicy(SandboxBrokerClient* aBroker):mBroker(aBroker) { }
- virtual ~ContentSandboxPolicy() { }
- virtual ResultExpr PrctlPolicy() const override {
- // Ideally this should be restricted to a whitelist, but content
- // uses enough things that it's not trivial to determine it.
- return Allow();
- }
- virtual Maybe<ResultExpr> EvaluateSocketCall(int aCall) const override {
- switch(aCall) {
- case SYS_RECVFROM:
- case SYS_SENDTO:
- return Some(Allow());
-
- case SYS_SOCKETPAIR: {
- // See bug 1066750.
- if (!kSocketCallHasArgs) {
- // We can't filter the args if the platform passes them by pointer.
- return Some(Allow());
- }
- Arg<int> domain(0), type(1);
- return Some(If(AllOf(domain == AF_UNIX,
- AnyOf(type == SOCK_STREAM, type == SOCK_SEQPACKET)),
- Allow())
- .Else(InvalidSyscall()));
- }
-
-#ifdef ANDROID
- case SYS_SOCKET:
- return Some(Error(EACCES));
-#else // #ifdef DESKTOP
- case SYS_RECV:
- case SYS_SEND:
- case SYS_SOCKET: // DANGEROUS
- case SYS_CONNECT: // DANGEROUS
- case SYS_ACCEPT:
- case SYS_ACCEPT4:
- case SYS_BIND:
- case SYS_LISTEN:
- case SYS_GETSOCKOPT:
- case SYS_SETSOCKOPT:
- case SYS_GETSOCKNAME:
- case SYS_GETPEERNAME:
- case SYS_SHUTDOWN:
- return Some(Allow());
-#endif
- default:
- return SandboxPolicyCommon::EvaluateSocketCall(aCall);
- }
- }
-
-#ifdef DESKTOP
- virtual Maybe<ResultExpr> EvaluateIpcCall(int aCall) const override {
- switch(aCall) {
- // These are a problem: SysV shared memory follows the Unix
- // "same uid policy" and can't be restricted/brokered like file
- // access. But the graphics layer might not be using them
- // anymore; this needs to be studied.
- case SHMGET:
- case SHMCTL:
- case SHMAT:
- case SHMDT:
- case SEMGET:
- case SEMCTL:
- case SEMOP:
- case MSGGET:
- return Some(Allow());
- default:
- return SandboxPolicyCommon::EvaluateIpcCall(aCall);
- }
- }
-#endif
-
- virtual ResultExpr EvaluateSyscall(int sysno) const override {
- if (mBroker) {
- // Have broker; route the appropriate syscalls to it.
- switch (sysno) {
- case __NR_open:
- return Trap(OpenTrap, mBroker);
- case __NR_openat:
- return Trap(OpenAtTrap, mBroker);
- case __NR_access:
- return Trap(AccessTrap, mBroker);
- case __NR_faccessat:
- return Trap(AccessAtTrap, mBroker);
- CASES_FOR_stat:
- return Trap(StatTrap, mBroker);
- CASES_FOR_lstat:
- return Trap(LStatTrap, mBroker);
- CASES_FOR_fstatat:
- return Trap(StatAtTrap, mBroker);
- case __NR_chmod:
- return Trap(ChmodTrap, mBroker);
- case __NR_link:
- return Trap(LinkTrap, mBroker);
- case __NR_mkdir:
- return Trap(MkdirTrap, mBroker);
- case __NR_symlink:
- return Trap(SymlinkTrap, mBroker);
- case __NR_rename:
- return Trap(RenameTrap, mBroker);
- case __NR_rmdir:
- return Trap(RmdirTrap, mBroker);
- case __NR_unlink:
- return Trap(UnlinkTrap, mBroker);
- case __NR_readlink:
- return Trap(ReadlinkTrap, mBroker);
- }
- } else {
- // No broker; allow the syscalls directly. )-:
- switch(sysno) {
- case __NR_open:
- case __NR_openat:
- case __NR_access:
- case __NR_faccessat:
- CASES_FOR_stat:
- CASES_FOR_lstat:
- CASES_FOR_fstatat:
- case __NR_chmod:
- case __NR_link:
- case __NR_mkdir:
- case __NR_symlink:
- case __NR_rename:
- case __NR_rmdir:
- case __NR_unlink:
- case __NR_readlink:
- return Allow();
- }
- }
-
- switch (sysno) {
-#ifdef DESKTOP
- case __NR_getppid:
- return Trap(GetPPidTrap, nullptr);
-
- // Filesystem syscalls that need more work to determine who's
- // using them, if they need to be, and what we intend to about it.
- case __NR_getcwd:
- CASES_FOR_statfs:
- CASES_FOR_fstatfs:
- case __NR_quotactl:
- CASES_FOR_fchown:
- case __NR_fchmod:
- case __NR_flock:
-#endif
- return Allow();
-
- case __NR_readlinkat:
-#ifdef DESKTOP
- // Bug 1290896
- return Allow();
-#else
- // Workaround for bug 964455:
- return Error(EINVAL);
-#endif
-
- CASES_FOR_select:
- case __NR_pselect6:
- return Allow();
-
- CASES_FOR_getdents:
- CASES_FOR_ftruncate:
- case __NR_writev:
- case __NR_pread64:
-#ifdef DESKTOP
- case __NR_pwrite64:
- case __NR_readahead:
-#endif
- return Allow();
-
- case __NR_ioctl:
- // ioctl() is for GL. Remove when GL proxy is implemented.
- // Additionally ioctl() might be a place where we want to have
- // argument filtering
- return Allow();
-
- CASES_FOR_fcntl:
- // Some fcntls have significant side effects like sending
- // arbitrary signals, and there's probably nontrivial kernel
- // attack surface; this should be locked down more if possible.
- return Allow();
-
- case __NR_mprotect:
- case __NR_brk:
- case __NR_madvise:
-#if !defined(MOZ_MEMORY)
- // libc's realloc uses mremap (Bug 1286119).
- case __NR_mremap:
-#endif
- return Allow();
-
- case __NR_sigaltstack:
- return Allow();
-
-#ifdef __NR_set_thread_area
- case __NR_set_thread_area:
- return Allow();
-#endif
-
- case __NR_getrusage:
- case __NR_times:
- return Allow();
-
- case __NR_dup:
- return Allow();
-
- CASES_FOR_getuid:
- CASES_FOR_getgid:
- CASES_FOR_geteuid:
- CASES_FOR_getegid:
- return Allow();
-
- case __NR_fsync:
- case __NR_msync:
- return Allow();
-
- case __NR_getpriority:
- case __NR_setpriority:
- case __NR_sched_get_priority_min:
- case __NR_sched_get_priority_max:
- case __NR_sched_getscheduler:
- case __NR_sched_setscheduler:
- case __NR_sched_getparam:
- case __NR_sched_setparam:
-#ifdef DESKTOP
- case __NR_sched_getaffinity:
-#endif
- return Allow();
-
-#ifdef DESKTOP
- case __NR_pipe2:
- return Allow();
-
- CASES_FOR_getrlimit:
- case __NR_clock_getres:
- CASES_FOR_getresuid:
- CASES_FOR_getresgid:
- return Allow();
-
- case __NR_umask:
- case __NR_kill:
- case __NR_wait4:
-#ifdef __NR_waitpid
- case __NR_waitpid:
-#endif
-#ifdef __NR_arch_prctl
- case __NR_arch_prctl:
-#endif
- return Allow();
-
- case __NR_eventfd2:
- case __NR_inotify_init1:
- case __NR_inotify_add_watch:
- case __NR_inotify_rm_watch:
- return Allow();
-
-#ifdef __NR_memfd_create
- case __NR_memfd_create:
- return Allow();
-#endif
-
-#ifdef __NR_rt_tgsigqueueinfo
- // Only allow to send signals within the process.
- case __NR_rt_tgsigqueueinfo: {
- Arg<pid_t> tgid(0);
- return If(tgid == getpid(), Allow())
- .Else(InvalidSyscall());
- }
-#endif
-
- case __NR_mlock:
- case __NR_munlock:
- return Allow();
-
- // We can't usefully allow fork+exec, even on a temporary basis;
- // the child would inherit the seccomp-bpf policy and almost
- // certainly die from an unexpected SIGSYS. We also can't have
- // fork() crash, currently, because there are too many system
- // libraries/plugins that try to run commands. But they can
- // usually do something reasonable on error.
- case __NR_clone:
- return ClonePolicy(Error(EPERM));
-
-#ifdef __NR_fadvise64
- case __NR_fadvise64:
- return Allow();
-#endif
-
-#ifdef __NR_fadvise64_64
- case __NR_fadvise64_64:
- return Allow();
-#endif
-
- case __NR_fallocate:
- return Allow();
-
- case __NR_get_mempolicy:
- return Allow();
-
-#endif // DESKTOP
-
-#ifdef __NR_getrandom
- case __NR_getrandom:
- return Allow();
-#endif
-
- // nsSystemInfo uses uname (and we cache an instance, so
- // the info remains present even if we block the syscall)
- case __NR_uname:
-#ifdef DESKTOP
- case __NR_sysinfo:
-#endif
- return Allow();
-
-#ifdef MOZ_JPROF
- case __NR_setitimer:
- return Allow();
-#endif // MOZ_JPROF
-
- default:
- return SandboxPolicyCommon::EvaluateSyscall(sysno);
- }
- }
-};
-
-UniquePtr<sandbox::bpf_dsl::Policy>
-GetContentSandboxPolicy(SandboxBrokerClient* aMaybeBroker)
-{
- return UniquePtr<sandbox::bpf_dsl::Policy>(new ContentSandboxPolicy(aMaybeBroker));
-}
-#endif // MOZ_CONTENT_SANDBOX
-
-
#ifdef MOZ_GMP_SANDBOX
// Unlike for content, the GeckoMediaPlugin seccomp-bpf policy needs
// to be an effective sandbox by itself, because we allow GMP on Linux
diff --git a/security/sandbox/linux/SandboxFilter.h b/security/sandbox/linux/SandboxFilter.h
index 6b1cb47f4..ecd2e610b 100644
--- a/security/sandbox/linux/SandboxFilter.h
+++ b/security/sandbox/linux/SandboxFilter.h
@@ -18,12 +18,6 @@ class Policy;
namespace mozilla {
-#ifdef MOZ_CONTENT_SANDBOX
-class SandboxBrokerClient;
-
-UniquePtr<sandbox::bpf_dsl::Policy> GetContentSandboxPolicy(SandboxBrokerClient* aMaybeBroker);
-#endif
-
#ifdef MOZ_GMP_SANDBOX
struct SandboxOpenedFile {
const char *mPath;
diff --git a/security/sandbox/linux/SandboxInfo.cpp b/security/sandbox/linux/SandboxInfo.cpp
index f813fb026..4d0c1d584 100644
--- a/security/sandbox/linux/SandboxInfo.cpp
+++ b/security/sandbox/linux/SandboxInfo.cpp
@@ -225,14 +225,6 @@ SandboxInfo::SandboxInfo() {
}
}
-#ifdef MOZ_CONTENT_SANDBOX
- if (!getenv("MOZ_DISABLE_CONTENT_SANDBOX")) {
- flags |= kEnabledForContent;
- }
- if (getenv("MOZ_PERMISSIVE_CONTENT_SANDBOX")) {
- flags |= kPermissive;
- }
-#endif
#ifdef MOZ_GMP_SANDBOX
if (!getenv("MOZ_DISABLE_GMP_SANDBOX")) {
flags |= kEnabledForMedia;
diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
index 8e698606e..c3a15ea3d 100644
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -41,154 +41,10 @@ SandboxBrokerPolicyFactory::IsSystemSupported() {
return false;
}
-#if defined(MOZ_CONTENT_SANDBOX)
-namespace {
-static const int rdonly = SandboxBroker::MAY_READ;
-static const int wronly = SandboxBroker::MAY_WRITE;
-static const int rdwr = rdonly | wronly;
-static const int rdwrcr = rdwr | SandboxBroker::MAY_CREATE;
-#if defined(MOZ_WIDGET_GONK)
-static const int wrlog = wronly | SandboxBroker::MAY_CREATE;
-#endif
-}
-#endif
-
SandboxBrokerPolicyFactory::SandboxBrokerPolicyFactory()
{
// Policy entries that are the same in every process go here, and
// are cached over the lifetime of the factory.
-#if defined(MOZ_CONTENT_SANDBOX) && defined(MOZ_WIDGET_GONK)
- SandboxBroker::Policy* policy = new SandboxBroker::Policy;
-
- // Devices that need write access:
- policy->AddPath(rdwr, "/dev/genlock"); // bug 980924
- policy->AddPath(rdwr, "/dev/ashmem"); // bug 980947
- policy->AddTree(wronly, "/dev/log"); // bug 1199857
- // Graphics devices are a significant source of attack surface, but
- // there's not much we can do about it without proxying (which is
- // very difficult and a perforamnce hit).
- policy->AddPrefix(rdwr, "/dev", "kgsl"); // bug 995072
- policy->AddPath(rdwr, "/dev/qemu_pipe"); // but 1198410: goldfish gralloc.
-
- // Bug 1198475: mochitest logs. (This is actually passed in via URL
- // query param to the mochitest page, and is configurable, so this
- // isn't enough in general, but hopefully it's good enough for B2G.)
- // Conditional on tests being run, using the same check seen in
- // DirectoryProvider.js to set ProfD.
- if (access("/data/local/tests/profile", R_OK) == 0) {
- policy->AddPath(wrlog, "/data/local/tests/log/mochitest.log");
- }
-
- // Read-only items below this line.
-
- policy->AddPath(rdonly, "/dev/urandom"); // bug 964500, bug 995069
- policy->AddPath(rdonly, "/dev/ion"); // bug 980937
- policy->AddPath(rdonly, "/proc/cpuinfo"); // bug 995067
- policy->AddPath(rdonly, "/proc/meminfo"); // bug 1025333
- policy->AddPath(rdonly, "/sys/devices/system/cpu/present"); // bug 1025329
- policy->AddPath(rdonly, "/sys/devices/system/soc/soc0/id"); // bug 1025339
- policy->AddPath(rdonly, "/etc/media_profiles.xml"); // bug 1198419
- policy->AddPath(rdonly, "/etc/media_codecs.xml"); // bug 1198460
- policy->AddTree(rdonly, "/system/fonts"); // bug 1026063
-
- // Bug 1199051 (crossplatformly, this is NS_GRE_DIR).
- policy->AddTree(rdonly, "/system/b2g");
-
- // Bug 1026356: dynamic library loading from assorted frameworks we
- // don't control (media codecs, maybe others).
- //
- // Bug 1198515: Also, the profiler calls breakpad code to get info
- // on all loaded ELF objects, which opens those files.
- policy->AddTree(rdonly, "/system/lib");
- policy->AddTree(rdonly, "/vendor/lib");
- policy->AddPath(rdonly, "/system/bin/linker"); // (profiler only)
-
- // Bug 1199866: EGL/WebGL.
- policy->AddPath(rdonly, "/system/lib/egl");
- policy->AddPath(rdonly, "/vendor/lib/egl");
-
- // Bug 1198401: timezones. Yes, we need both of these; see bug.
- policy->AddTree(rdonly, "/system/usr/share/zoneinfo");
- policy->AddTree(rdonly, "/system//usr/share/zoneinfo");
-
- policy->AddPath(rdonly, "/data/local/tmp/profiler.options",
- SandboxBroker::Policy::AddAlways); // bug 1029337
-
- mCommonContentPolicy.reset(policy);
-#elif defined(MOZ_CONTENT_SANDBOX)
- SandboxBroker::Policy* policy = new SandboxBroker::Policy;
- policy->AddDir(rdonly, "/");
- policy->AddDir(rdwrcr, "/dev/shm");
- // Add write permissions on the temporary directory. This can come
- // from various environment variables (TMPDIR,TMP,TEMP,...) so
- // make sure to use the full logic.
- nsCOMPtr<nsIFile> tmpDir;
- nsresult rv = GetSpecialSystemDirectory(OS_TemporaryDirectory,
- getter_AddRefs(tmpDir));
- if (NS_SUCCEEDED(rv)) {
- nsAutoCString tmpPath;
- rv = tmpDir->GetNativePath(tmpPath);
- if (NS_SUCCEEDED(rv)) {
- policy->AddDir(rdwrcr, tmpPath.get());
- }
- }
- // If the above fails at any point, fall back to a very good guess.
- if (NS_FAILED(rv)) {
- policy->AddDir(rdwrcr, "/tmp");
- }
-
- // Bug 1308851: NVIDIA proprietary driver when using WebGL
- policy->AddPrefix(rdwr, "/dev", "nvidia");
-
- // Bug 1312678: radeonsi/Intel with DRI when using WebGL
- policy->AddDir(rdwr, "/dev/dri");
-
- mCommonContentPolicy.reset(policy);
-#endif
-}
-
-#ifdef MOZ_CONTENT_SANDBOX
-UniquePtr<SandboxBroker::Policy>
-SandboxBrokerPolicyFactory::GetContentPolicy(int aPid)
-{
- // Policy entries that vary per-process (currently the only reason
- // that can happen is because they contain the pid) are added here.
-
- MOZ_ASSERT(NS_IsMainThread());
- // File broker usage is controlled through a pref.
- if (Preferences::GetInt("security.sandbox.content.level") <= 1) {
- return nullptr;
- }
-
- MOZ_ASSERT(mCommonContentPolicy);
-#if defined(MOZ_WIDGET_GONK)
- // Allow overriding "unsupported"ness with a pref, for testing.
- if (!IsSystemSupported()) {
- return nullptr;
- }
- UniquePtr<SandboxBroker::Policy>
- policy(new SandboxBroker::Policy(*mCommonContentPolicy));
-
- // Bug 1029337: where the profiler writes the data.
- nsPrintfCString profilerLogPath("/data/local/tmp/profile_%d_%d.txt",
- GeckoProcessType_Content, aPid);
- policy->AddPath(wrlog, profilerLogPath.get());
-
- // Bug 1198550: the profiler's replacement for dl_iterate_phdr
- policy->AddPath(rdonly, nsPrintfCString("/proc/%d/maps", aPid).get());
-
- // Bug 1198552: memory reporting.
- policy->AddPath(rdonly, nsPrintfCString("/proc/%d/statm", aPid).get());
- policy->AddPath(rdonly, nsPrintfCString("/proc/%d/smaps", aPid).get());
-
- return policy;
-#else
- UniquePtr<SandboxBroker::Policy>
- policy(new SandboxBroker::Policy(*mCommonContentPolicy));
- // Return the common policy.
- return policy;
-#endif
}
-#endif // MOZ_CONTENT_SANDBOX
} // namespace mozilla
diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h
index c66a09189..bf9be9856 100644
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h
@@ -15,10 +15,6 @@ class SandboxBrokerPolicyFactory {
public:
SandboxBrokerPolicyFactory();
-#ifdef MOZ_CONTENT_SANDBOX
- UniquePtr<SandboxBroker::Policy> GetContentPolicy(int aPid);
-#endif
-
private:
UniquePtr<const SandboxBroker::Policy> mCommonContentPolicy;
// B2G devices tend to have hardware-specific paths used by device
diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
index 10b796268..d3aab815f 100644
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -90,130 +90,6 @@ SandboxBroker::LaunchApp(const wchar_t *aPath,
return true;
}
-#if defined(MOZ_CONTENT_SANDBOX)
-void
-SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel)
-{
- MOZ_RELEASE_ASSERT(mPolicy, "mPolicy must be set before this call.");
-
- sandbox::JobLevel jobLevel;
- sandbox::TokenLevel accessTokenLevel;
- sandbox::IntegrityLevel initialIntegrityLevel;
- sandbox::IntegrityLevel delayedIntegrityLevel;
-
- // The setting of these levels is pretty arbitrary, but they are a useful (if
- // crude) tool while we are tightening the policy. Gaps are left to try and
- // avoid changing their meaning.
- MOZ_RELEASE_ASSERT(aSandboxLevel >= 1, "Should not be called with aSandboxLevel < 1");
- if (aSandboxLevel >= 20) {
- jobLevel = sandbox::JOB_LOCKDOWN;
- accessTokenLevel = sandbox::USER_LOCKDOWN;
- initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_UNTRUSTED;
- } else if (aSandboxLevel >= 10) {
- jobLevel = sandbox::JOB_RESTRICTED;
- accessTokenLevel = sandbox::USER_LIMITED;
- initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- } else if (aSandboxLevel >= 2) {
- jobLevel = sandbox::JOB_INTERACTIVE;
- accessTokenLevel = sandbox::USER_INTERACTIVE;
- initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- } else if (aSandboxLevel == 1) {
- jobLevel = sandbox::JOB_NONE;
- accessTokenLevel = sandbox::USER_NON_ADMIN;
- initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- }
-
- sandbox::ResultCode result = mPolicy->SetJobLevel(jobLevel,
- 0 /* ui_exceptions */);
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "Setting job level failed, have you set memory limit when jobLevel == JOB_NONE?");
-
- // If the delayed access token is not restricted we don't want the initial one
- // to be either, because it can interfere with running from a network drive.
- sandbox::TokenLevel initialAccessTokenLevel =
- (accessTokenLevel == sandbox::USER_UNPROTECTED ||
- accessTokenLevel == sandbox::USER_NON_ADMIN)
- ? sandbox::USER_UNPROTECTED : sandbox::USER_RESTRICTED_SAME_ACCESS;
-
- result = mPolicy->SetTokenLevel(initialAccessTokenLevel, accessTokenLevel);
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "Lockdown level cannot be USER_UNPROTECTED or USER_LAST if initial level was USER_RESTRICTED_SAME_ACCESS");
-
- result = mPolicy->SetIntegrityLevel(initialIntegrityLevel);
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "SetIntegrityLevel should never fail, what happened?");
- result = mPolicy->SetDelayedIntegrityLevel(delayedIntegrityLevel);
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "SetDelayedIntegrityLevel should never fail, what happened?");
-
- if (aSandboxLevel > 2) {
- result = mPolicy->SetAlternateDesktop(true);
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "Failed to create alternate desktop for sandbox.");
- }
-
- sandbox::MitigationFlags mitigations =
- sandbox::MITIGATION_BOTTOM_UP_ASLR |
- sandbox::MITIGATION_HEAP_TERMINATE |
- sandbox::MITIGATION_SEHOP |
- sandbox::MITIGATION_DEP_NO_ATL_THUNK |
- sandbox::MITIGATION_DEP;
-
- result = mPolicy->SetProcessMitigations(mitigations);
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "Invalid flags for SetProcessMitigations.");
-
- mitigations =
- sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
- sandbox::MITIGATION_DLL_SEARCH_ORDER;
-
- result = mPolicy->SetDelayedProcessMitigations(mitigations);
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "Invalid flags for SetDelayedProcessMitigations.");
-
- // Add the policy for the client side of a pipe. It is just a file
- // in the \pipe\ namespace. We restrict it to pipes that start with
- // "chrome." so the sandboxed process cannot connect to system services.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
- sandbox::TargetPolicy::FILES_ALLOW_ANY,
- L"\\??\\pipe\\chrome.*");
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "With these static arguments AddRule should never fail, what happened?");
-
- // Add the policy for the client side of the crash server pipe.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
- sandbox::TargetPolicy::FILES_ALLOW_ANY,
- L"\\??\\pipe\\gecko-crash-server-pipe.*");
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "With these static arguments AddRule should never fail, what happened?");
-
- // The content process needs to be able to duplicate named pipes back to the
- // broker process, which are File type handles.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
- sandbox::TargetPolicy::HANDLES_DUP_BROKER,
- L"File");
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "With these static arguments AddRule should never fail, what happened?");
-
- // The content process needs to be able to duplicate shared memory handles,
- // which are Section handles, to the broker process and other child processes.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
- sandbox::TargetPolicy::HANDLES_DUP_BROKER,
- L"Section");
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "With these static arguments AddRule should never fail, what happened?");
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
- sandbox::TargetPolicy::HANDLES_DUP_ANY,
- L"Section");
- MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
- "With these static arguments AddRule should never fail, what happened?");
-}
-#endif
-
#define SANDBOX_ENSURE_SUCCESS(result, message) \
do { \
MOZ_ASSERT(sandbox::SBOX_ALL_OK == result, message); \
diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
index 3f73ec890..7f1f1597f 100644
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
@@ -31,9 +31,6 @@ public:
virtual ~SandboxBroker();
// Security levels for different types of processes
-#if defined(MOZ_CONTENT_SANDBOX)
- void SetSecurityLevelForContentProcess(int32_t aSandboxLevel);
-#endif
bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel);
enum SandboxLevel {
LockDown,