From e1490c07e29f5e4715f73088b7ca7aab4ada90a6 Mon Sep 17 00:00:00 2001
From: wolfbeast
Date: Wed, 2 May 2018 23:30:36 +0200
Subject: Remove GMP sandbox code.
---
 security/sandbox/linux/Sandbox.cpp | 56 --------------
 security/sandbox/linux/Sandbox.h | 7 --
 security/sandbox/linux/SandboxFilter.cpp | 129 ------------------------------
 security/sandbox/linux/SandboxFilter.h | 9 ---
 security/sandbox/linux/SandboxInfo.cpp | 5 --
 5 files changed, 206 deletions(-)
(limited to 'security/sandbox')
diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp
index 65ca467ca..80a18f855 100644
--- a/security/sandbox/linux/Sandbox.cpp
+++ b/security/sandbox/linux/Sandbox.cpp
@@ -76,13 +76,6 @@ namespace mozilla {
 // This is initialized by SandboxSetCrashFunc().
 SandboxCrashFunc gSandboxCrashFunc;
-#ifdef MOZ_GMP_SANDBOX
-// For media plugins, we can start the sandbox before we dlopen the
-module, so we have to pre-open the file and simulate the sandboxed
-open().
-static SandboxOpenedFile gMediaPluginFile;
-#endif
-
 static UniquePtr gChrootHelper;
 static void (*gChromiumSigSysHandler)(int, siginfo_t*, void*);
@@ -525,19 +518,6 @@ SandboxEarlyInit(GeckoProcessType aType)
 case GeckoProcessType_Default:
 MOZ_ASSERT(false, "SandboxEarlyInit in parent process");
 return;
-#ifdef MOZ_GMP_SANDBOX
- case GeckoProcessType_GMPlugin:
- if (!info.Test(SandboxInfo::kEnabledForMedia)) {
- break;
- }
- canUnshareNet = true;
- canUnshareIPC = true;
- // Need seccomp-bpf to intercept open().
- canChroot = info.Test(SandboxInfo::kHasSeccompBPF);
- break;
-#endif
- // In the future, content processes will be able to use some of
- // these.
 default:
 // Other cases intentionally left blank.
 break;
@@ -626,40 +606,4 @@ SandboxEarlyInit(GeckoProcessType aType)
 }
 }
-#ifdef MOZ_GMP_SANDBOX
-/**
- * Starts the seccomp sandbox for a media plugin process. Should be
- * called only once, and before any potentially harmful content is
- * loaded -- including the plugin itself, if it's considered untrusted.
- *
- * The file indicated by aFilePath, if non-null, can be open()ed
- * read-only, once, after the sandbox starts; it should be the .so
- * file implementing the not-yet-loaded plugin.
- *
- * Will normally make the process exit on failure.
-*/
-void
-SetMediaPluginSandbox(const char *aFilePath)
-{
- if (!SandboxInfo::Get().Test(SandboxInfo::kEnabledForMedia)) {
- return;
- }
-
- MOZ_ASSERT(!gMediaPluginFile.mPath);
- if (aFilePath) {
- gMediaPluginFile.mPath = strdup(aFilePath);
- gMediaPluginFile.mFd = open(aFilePath, O_RDONLY | O_CLOEXEC);
- if (gMediaPluginFile.mFd == -1) {
- SANDBOX_LOG_ERROR("failed to open plugin file %s: %s",
- aFilePath, strerror(errno));
- MOZ_CRASH();
- }
- } else {
- gMediaPluginFile.mFd = -1;
- }
- // Finally, start the sandbox.
- SetCurrentProcessSandbox(GetMediaSandboxPolicy(&gMediaPluginFile));
-}
-#endif // MOZ_GMP_SANDBOX
-
 } // namespace mozilla
diff --git a/security/sandbox/linux/Sandbox.h b/security/sandbox/linux/Sandbox.h
index aefdda22d..9d1c3d4b3 100644
--- a/security/sandbox/linux/Sandbox.h
+++ b/security/sandbox/linux/Sandbox.h
@@ -19,13 +19,6 @@ namespace mozilla {
 // This must be called early, while the process is still single-threaded.
 MOZ_EXPORT void SandboxEarlyInit(GeckoProcessType aType);
-#ifdef MOZ_GMP_SANDBOX
-// Call only if SandboxInfo::CanSandboxMedia() returns true.
-// (No-op if MOZ_DISABLE_GMP_SANDBOX is set.)
-// aFilePath is the path to the plugin file.
-MOZ_EXPORT void SetMediaPluginSandbox(const char *aFilePath);
-#endif
-
 } // namespace mozilla
 #endif // mozilla_Sandbox_h
diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
index da7e54300..afaf53cec 100644
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -340,133 +340,4 @@ public:
 // The process-type-specific syscall rules start here:
-#ifdef MOZ_GMP_SANDBOX
-// Unlike for content, the GeckoMediaPlugin seccomp-bpf policy needs
-// to be an effective sandbox by itself, because we allow GMP on Linux
-// systems where that's the only sandboxing mechanism we can use.
-//
-// Be especially careful about what this policy allows.
-class GMPSandboxPolicy : public SandboxPolicyCommon {
- static intptr_t OpenTrap(const sandbox::arch_seccomp_data& aArgs,
- void* aux)
- {
- auto plugin = static_cast(aux);
- const char* path;
- int flags;
-
- switch (aArgs.nr) {
-#ifdef __NR_open
- case __NR_open:
- path = reinterpret_cast(aArgs.args[0]);
- flags = static_cast(aArgs.args[1]);
- break;
-#endif
- case __NR_openat:
- // The path has to be absolute to match the pre-opened file (see
- // assertion in ctor) so the dirfd argument is ignored.
- path = reinterpret_cast(aArgs.args[1]);
- flags = static_cast(aArgs.args[2]);
- break;
- default:
- MOZ_CRASH("unexpected syscall number");
- }
-
- if (strcmp(path, plugin->mPath) != 0) {
- SANDBOX_LOG_ERROR("attempt to open file %s (flags=0%o) which is not the"
- " media plugin %s", path, flags, plugin->mPath);
- return -EPERM;
- }
- if ((flags & O_ACCMODE) != O_RDONLY) {
- SANDBOX_LOG_ERROR("non-read-only open of file %s attempted (flags=0%o)",
- path, flags);
- return -EPERM;
- }
- int fd = plugin->mFd.exchange(-1);
- if (fd < 0) {
- SANDBOX_LOG_ERROR("multiple opens of media plugin file unimplemented");
- return -ENOSYS;
- }
- return fd;
- }
-
- static intptr_t SchedTrap(const sandbox::arch_seccomp_data& aArgs,
- void* aux)
- {
- const pid_t tid = syscall(__NR_gettid);
- if (aArgs.args[0] == static_cast(tid)) {
- return syscall(aArgs.nr,
- 0,
- aArgs.args[1],
- aArgs.args[2],
- aArgs.args[3],
- aArgs.args[4],
- aArgs.args[5]);
- }
- SANDBOX_LOG_ERROR("unsupported tid in SchedTrap");
- return BlockedSyscallTrap(aArgs, nullptr);
- }
-
- SandboxOpenedFile* mPlugin;
-public:
- explicit
GMPSandboxPolicy(SandboxOpenedFile* aPlugin)
- : mPlugin(aPlugin)
- {
- MOZ_ASSERT(aPlugin->mPath[0] == '/', "plugin path should be absolute");
- }
-
- virtual ~GMPSandboxPolicy() { }
-
- virtual ResultExpr EvaluateSyscall(int sysno) const override {
- switch (sysno) {
- // Simulate opening the plugin file.
-#ifdef __NR_open
- case __NR_open:
-#endif
- case __NR_openat:
- return Trap(OpenTrap, mPlugin);
-
- // ipc::Shmem
- case __NR_mprotect:
- return Allow();
- case __NR_madvise: {
- Arg advice(2);
- return If(advice == MADV_DONTNEED, Allow())
- .ElseIf(advice == MADV_FREE, Allow())
-#ifdef MOZ_ASAN
- .ElseIf(advice == MADV_NOHUGEPAGE, Allow())
- .ElseIf(advice == MADV_DONTDUMP, Allow())
-#endif
- .Else(InvalidSyscall());
- }
- case __NR_brk:
- CASES_FOR_geteuid:
- return Allow();
- case __NR_sched_getparam:
- case __NR_sched_getscheduler:
- case __NR_sched_get_priority_min:
- case __NR_sched_get_priority_max:
- case __NR_sched_setscheduler: {
- Arg pid(0);
- return If(pid == 0, Allow())
- .Else(Trap(SchedTrap, nullptr));
- }
-
- // For clock(3) on older glibcs; bug 1304220.
- case __NR_times:
- return Allow();
-
- default:
- return SandboxPolicyCommon::EvaluateSyscall(sysno);
- }
- }
-};
-
-UniquePtr
-GetMediaSandboxPolicy(SandboxOpenedFile* aPlugin)
-{
- return UniquePtr(new GMPSandboxPolicy(aPlugin));
-}
-
-#endif // MOZ_GMP_SANDBOX
-
 }
diff --git a/security/sandbox/linux/SandboxFilter.h b/security/sandbox/linux/SandboxFilter.h
index ecd2e610b..b6031d30e 100644
--- a/security/sandbox/linux/SandboxFilter.h
+++ b/security/sandbox/linux/SandboxFilter.h
@@ -18,15 +18,6 @@ class Policy;
 namespace mozilla {
-#ifdef MOZ_GMP_SANDBOX
-struct SandboxOpenedFile {
- const char *mPath;
- Atomic mFd;
-};
-
-UniquePtr GetMediaSandboxPolicy(SandboxOpenedFile* aPlugin);
-#endif
-
 } // namespace mozilla
 #endif
diff --git a/security/sandbox/linux/SandboxInfo.cpp b/security/sandbox/linux/SandboxInfo.cpp
index 4d0c1d584..2eb65e39c 100644
--- a/security/sandbox/linux/SandboxInfo.cpp
+++ b/security/sandbox/linux/SandboxInfo.cpp
@@ -225,11 +225,6 @@ SandboxInfo::SandboxInfo()
 {
 }
 }
-#ifdef MOZ_GMP_SANDBOX
- if (!getenv("MOZ_DISABLE_GMP_SANDBOX")) {
- flags |= kEnabledForMedia;
- }
-#endif
 if (getenv("MOZ_SANDBOX_VERBOSE")) {
 flags |= kVerbose;
 }
--
cgit v1.2.3