Diffstat (limited to 'security/sandbox')
-rw-r--r--security/sandbox/linux/Sandbox.cpp56
-rw-r--r--security/sandbox/linux/Sandbox.h7
-rw-r--r--security/sandbox/linux/SandboxFilter.cpp129
-rw-r--r--security/sandbox/linux/SandboxFilter.h9
-rw-r--r--security/sandbox/linux/SandboxInfo.cpp5
5 files changed, 0 insertions, 206 deletions
diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp
index 65ca467ca..80a18f855 100644
--- a/security/sandbox/linux/Sandbox.cpp
+++ b/security/sandbox/linux/Sandbox.cpp
@@ -76,13 +76,6 @@ namespace mozilla {
// This is initialized by SandboxSetCrashFunc().
SandboxCrashFunc gSandboxCrashFunc;
-#ifdef MOZ_GMP_SANDBOX
-// For media plugins, we can start the sandbox before we dlopen the
-// module, so we have to pre-open the file and simulate the sandboxed
-// open().
-static SandboxOpenedFile gMediaPluginFile;
-#endif
-
static UniquePtr<SandboxChroot> gChrootHelper;
static void (*gChromiumSigSysHandler)(int, siginfo_t*, void*);
@@ -525,19 +518,6 @@ SandboxEarlyInit(GeckoProcessType aType)
case GeckoProcessType_Default:
MOZ_ASSERT(false, "SandboxEarlyInit in parent process");
return;
-#ifdef MOZ_GMP_SANDBOX
- case GeckoProcessType_GMPlugin:
- if (!info.Test(SandboxInfo::kEnabledForMedia)) {
- break;
- }
- canUnshareNet = true;
- canUnshareIPC = true;
- // Need seccomp-bpf to intercept open().
- canChroot = info.Test(SandboxInfo::kHasSeccompBPF);
- break;
-#endif
- // In the future, content processes will be able to use some of
- // these.
default:
// Other cases intentionally left blank.
break;
@@ -626,40 +606,4 @@ SandboxEarlyInit(GeckoProcessType aType)
}
}
-#ifdef MOZ_GMP_SANDBOX
-/**
- * Starts the seccomp sandbox for a media plugin process. Should be
- * called only once, and before any potentially harmful content is
- * loaded -- including the plugin itself, if it's considered untrusted.
- *
- * The file indicated by aFilePath, if non-null, can be open()ed
- * read-only, once, after the sandbox starts; it should be the .so
- * file implementing the not-yet-loaded plugin.
- *
- * Will normally make the process exit on failure.
-*/
-void
-SetMediaPluginSandbox(const char *aFilePath)
-{
- if (!SandboxInfo::Get().Test(SandboxInfo::kEnabledForMedia)) {
- return;
- }
-
- MOZ_ASSERT(!gMediaPluginFile.mPath);
- if (aFilePath) {
- gMediaPluginFile.mPath = strdup(aFilePath);
- gMediaPluginFile.mFd = open(aFilePath, O_RDONLY | O_CLOEXEC);
- if (gMediaPluginFile.mFd == -1) {
- SANDBOX_LOG_ERROR("failed to open plugin file %s: %s",
- aFilePath, strerror(errno));
- MOZ_CRASH();
- }
- } else {
- gMediaPluginFile.mFd = -1;
- }
- // Finally, start the sandbox.
- SetCurrentProcessSandbox(GetMediaSandboxPolicy(&gMediaPluginFile));
-}
-#endif // MOZ_GMP_SANDBOX
-
} // namespace mozilla
diff --git a/security/sandbox/linux/Sandbox.h b/security/sandbox/linux/Sandbox.h
index aefdda22d..9d1c3d4b3 100644
--- a/security/sandbox/linux/Sandbox.h
+++ b/security/sandbox/linux/Sandbox.h
@@ -19,13 +19,6 @@ namespace mozilla {
// This must be called early, while the process is still single-threaded.
MOZ_EXPORT void SandboxEarlyInit(GeckoProcessType aType);
-#ifdef MOZ_GMP_SANDBOX
-// Call only if SandboxInfo::CanSandboxMedia() returns true.
-// (No-op if MOZ_DISABLE_GMP_SANDBOX is set.)
-// aFilePath is the path to the plugin file.
-MOZ_EXPORT void SetMediaPluginSandbox(const char *aFilePath);
-#endif
-
} // namespace mozilla
#endif // mozilla_Sandbox_h
diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
index da7e54300..afaf53cec 100644
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -340,133 +340,4 @@ public:
// The process-type-specific syscall rules start here:
-#ifdef MOZ_GMP_SANDBOX
-// Unlike for content, the GeckoMediaPlugin seccomp-bpf policy needs
-// to be an effective sandbox by itself, because we allow GMP on Linux
-// systems where that's the only sandboxing mechanism we can use.
-//
-// Be especially careful about what this policy allows.
-class GMPSandboxPolicy : public SandboxPolicyCommon {
- static intptr_t OpenTrap(const sandbox::arch_seccomp_data& aArgs,
- void* aux)
- {
- auto plugin = static_cast<SandboxOpenedFile*>(aux);
- const char* path;
- int flags;
-
- switch (aArgs.nr) {
-#ifdef __NR_open
- case __NR_open:
- path = reinterpret_cast<const char*>(aArgs.args[0]);
- flags = static_cast<int>(aArgs.args[1]);
- break;
-#endif
- case __NR_openat:
- // The path has to be absolute to match the pre-opened file (see
- // assertion in ctor) so the dirfd argument is ignored.
- path = reinterpret_cast<const char*>(aArgs.args[1]);
- flags = static_cast<int>(aArgs.args[2]);
- break;
- default:
- MOZ_CRASH("unexpected syscall number");
- }
-
- if (strcmp(path, plugin->mPath) != 0) {
- SANDBOX_LOG_ERROR("attempt to open file %s (flags=0%o) which is not the"
- " media plugin %s", path, flags, plugin->mPath);
- return -EPERM;
- }
- if ((flags & O_ACCMODE) != O_RDONLY) {
- SANDBOX_LOG_ERROR("non-read-only open of file %s attempted (flags=0%o)",
- path, flags);
- return -EPERM;
- }
- int fd = plugin->mFd.exchange(-1);
- if (fd < 0) {
- SANDBOX_LOG_ERROR("multiple opens of media plugin file unimplemented");
- return -ENOSYS;
- }
- return fd;
- }
-
- static intptr_t SchedTrap(const sandbox::arch_seccomp_data& aArgs,
- void* aux)
- {
- const pid_t tid = syscall(__NR_gettid);
- if (aArgs.args[0] == static_cast<uint64_t>(tid)) {
- return syscall(aArgs.nr,
- 0,
- aArgs.args[1],
- aArgs.args[2],
- aArgs.args[3],
- aArgs.args[4],
- aArgs.args[5]);
- }
- SANDBOX_LOG_ERROR("unsupported tid in SchedTrap");
- return BlockedSyscallTrap(aArgs, nullptr);
- }
-
- SandboxOpenedFile* mPlugin;
-public:
- explicit GMPSandboxPolicy(SandboxOpenedFile* aPlugin)
- : mPlugin(aPlugin)
- {
- MOZ_ASSERT(aPlugin->mPath[0] == '/', "plugin path should be absolute");
- }
-
- virtual ~GMPSandboxPolicy() { }
-
- virtual ResultExpr EvaluateSyscall(int sysno) const override {
- switch (sysno) {
- // Simulate opening the plugin file.
-#ifdef __NR_open
- case __NR_open:
-#endif
- case __NR_openat:
- return Trap(OpenTrap, mPlugin);
-
- // ipc::Shmem
- case __NR_mprotect:
- return Allow();
- case __NR_madvise: {
- Arg<int> advice(2);
- return If(advice == MADV_DONTNEED, Allow())
- .ElseIf(advice == MADV_FREE, Allow())
-#ifdef MOZ_ASAN
- .ElseIf(advice == MADV_NOHUGEPAGE, Allow())
- .ElseIf(advice == MADV_DONTDUMP, Allow())
-#endif
- .Else(InvalidSyscall());
- }
- case __NR_brk:
- CASES_FOR_geteuid:
- return Allow();
- case __NR_sched_getparam:
- case __NR_sched_getscheduler:
- case __NR_sched_get_priority_min:
- case __NR_sched_get_priority_max:
- case __NR_sched_setscheduler: {
- Arg<pid_t> pid(0);
- return If(pid == 0, Allow())
- .Else(Trap(SchedTrap, nullptr));
- }
-
- // For clock(3) on older glibcs; bug 1304220.
- case __NR_times:
- return Allow();
-
- default:
- return SandboxPolicyCommon::EvaluateSyscall(sysno);
- }
- }
-};
-
-UniquePtr<sandbox::bpf_dsl::Policy>
-GetMediaSandboxPolicy(SandboxOpenedFile* aPlugin)
-{
- return UniquePtr<sandbox::bpf_dsl::Policy>(new GMPSandboxPolicy(aPlugin));
-}
-
-#endif // MOZ_GMP_SANDBOX
-
}
diff --git a/security/sandbox/linux/SandboxFilter.h b/security/sandbox/linux/SandboxFilter.h
index ecd2e610b..b6031d30e 100644
--- a/security/sandbox/linux/SandboxFilter.h
+++ b/security/sandbox/linux/SandboxFilter.h
@@ -18,15 +18,6 @@ class Policy;
namespace mozilla {
-#ifdef MOZ_GMP_SANDBOX
-struct SandboxOpenedFile {
- const char *mPath;
- Atomic<int> mFd;
-};
-
-UniquePtr<sandbox::bpf_dsl::Policy> GetMediaSandboxPolicy(SandboxOpenedFile* aPlugin);
-#endif
-
} // namespace mozilla
#endif
diff --git a/security/sandbox/linux/SandboxInfo.cpp b/security/sandbox/linux/SandboxInfo.cpp
index 4d0c1d584..2eb65e39c 100644
--- a/security/sandbox/linux/SandboxInfo.cpp
+++ b/security/sandbox/linux/SandboxInfo.cpp
@@ -225,11 +225,6 @@ SandboxInfo::SandboxInfo() {
}
}
-#ifdef MOZ_GMP_SANDBOX
- if (!getenv("MOZ_DISABLE_GMP_SANDBOX")) {
- flags |= kEnabledForMedia;
- }
-#endif
if (getenv("MOZ_SANDBOX_VERBOSE")) {
flags |= kVerbose;
}