diff options
| -rw-r--r-- | dom/media/gmp/GMPChild.cpp | 131 | ||||
| -rw-r--r-- | dom/media/gmp/GMPChild.h | 4 | ||||
| -rw-r--r-- | dom/media/gmp/GMPLoader.cpp | 13 | ||||
| -rw-r--r-- | dom/media/gmp/GMPLoader.h | 17 | ||||
| -rw-r--r-- | dom/media/gmp/GMPParent.cpp | 11 | ||||
| -rw-r--r-- | dom/media/gmp/GMPService.cpp | 11 | ||||
| -rw-r--r-- | dom/media/gmp/GMPServiceParent.cpp | 12 | ||||
| -rw-r--r-- | ipc/contentproc/plugin-container.cpp | 48 | ||||
| -rw-r--r-- | modules/libpref/init/all.js | 7 | ||||
| -rw-r--r-- | old-configure.in | 37 | ||||
| -rw-r--r-- | security/sandbox/linux/Sandbox.cpp | 56 | ||||
| -rw-r--r-- | security/sandbox/linux/Sandbox.h | 7 | ||||
| -rw-r--r-- | security/sandbox/linux/SandboxFilter.cpp | 129 | ||||
| -rw-r--r-- | security/sandbox/linux/SandboxFilter.h | 9 | ||||
| -rw-r--r-- | security/sandbox/linux/SandboxInfo.cpp | 5 |
15 files changed, 0 insertions, 497 deletions
diff --git a/dom/media/gmp/GMPChild.cpp b/dom/media/gmp/GMPChild.cpp index f8e75e299..f83a927ca 100644 --- a/dom/media/gmp/GMPChild.cpp +++ b/dom/media/gmp/GMPChild.cpp @@ -36,12 +36,6 @@ static const int MAX_VOUCHER_LENGTH = 500000; #include <unistd.h> // for _exit() #endif -#if defined(MOZ_GMP_SANDBOX) -#if defined(XP_MACOSX) -#include "mozilla/Sandbox.h" -#endif -#endif - namespace mozilla { #undef LOG @@ -131,7 +125,6 @@ GetPluginFile(const nsAString& aPluginPath, return true; } -#if !defined(XP_MACOSX) || !defined(MOZ_GMP_SANDBOX) static bool GetPluginFile(const nsAString& aPluginPath, nsCOMPtr<nsIFile>& aLibFile) @@ -139,110 +132,6 @@ GetPluginFile(const nsAString& aPluginPath, nsCOMPtr<nsIFile> unusedlibDir; return GetPluginFile(aPluginPath, unusedlibDir, aLibFile); } -#endif - -#if defined(XP_MACOSX) && defined(MOZ_GMP_SANDBOX) -static nsCString -GetNativeTarget(nsIFile* aFile) -{ - bool isLink; - nsCString path; - aFile->IsSymlink(&isLink); - if (isLink) { - aFile->GetNativeTarget(path); - } else { - aFile->GetNativePath(path); - } - return path; -} - -static bool -GetPluginPaths(const nsAString& aPluginPath, - nsCString &aPluginDirectoryPath, - nsCString &aPluginFilePath) -{ - nsCOMPtr<nsIFile> libDirectory, libFile; - if (!GetPluginFile(aPluginPath, libDirectory, libFile)) { - return false; - } - - // Mac sandbox rules expect paths to actual files and directories -- not - // soft links. - libDirectory->Normalize(); - aPluginDirectoryPath = GetNativeTarget(libDirectory); - - libFile->Normalize(); - aPluginFilePath = GetNativeTarget(libFile); - - return true; -} - -static bool -GetAppPaths(nsCString &aAppPath, nsCString &aAppBinaryPath) -{ - nsAutoCString appPath; - nsAutoCString appBinaryPath( - (CommandLine::ForCurrentProcess()->argv()[0]).c_str()); - - nsAutoCString::const_iterator start, end; - appBinaryPath.BeginReading(start); - appBinaryPath.EndReading(end); - if (RFindInReadable(NS_LITERAL_CSTRING(".app/Contents/MacOS/"), start, end)) { - end = start; - ++end; ++end; ++end; ++end; - appBinaryPath.BeginReading(start); - appPath.Assign(Substring(start, end)); - } else { - return false; - } - - nsCOMPtr<nsIFile> app, appBinary; - nsresult rv = NS_NewLocalFile(NS_ConvertUTF8toUTF16(appPath), - true, getter_AddRefs(app)); - if (NS_FAILED(rv)) { - return false; - } - rv = NS_NewLocalFile(NS_ConvertUTF8toUTF16(appBinaryPath), - true, getter_AddRefs(appBinary)); - if (NS_FAILED(rv)) { - return false; - } - - // Mac sandbox rules expect paths to actual files and directories -- not - // soft links. - aAppPath = GetNativeTarget(app); - appBinaryPath = GetNativeTarget(appBinary); - - return true; -} - -bool -GMPChild::SetMacSandboxInfo(MacSandboxPluginType aPluginType) -{ - if (!mGMPLoader) { - return false; - } - nsAutoCString pluginDirectoryPath, pluginFilePath; - if (!GetPluginPaths(mPluginPath, pluginDirectoryPath, pluginFilePath)) { - return false; - } - nsAutoCString appPath, appBinaryPath; - if (!GetAppPaths(appPath, appBinaryPath)) { - return false; - } - - MacSandboxInfo info; - info.type = MacSandboxType_Plugin; - info.pluginInfo.type = aPluginType; - info.pluginInfo.pluginPath.assign(pluginDirectoryPath.get()); - info.pluginInfo.pluginBinaryPath.assign(pluginFilePath.get()); - info.appPath.assign(appPath.get()); - info.appBinaryPath.assign(appBinaryPath.get()); - - mGMPLoader->SetSandboxInfo(&info); - return true; -} -#endif // XP_MACOSX && MOZ_GMP_SANDBOX bool GMPChild::Init(const nsAString& aPluginPath, @@ -324,14 +213,6 @@ GMPChild::RecvPreloadLibs(const nsCString& aLibs) bool GMPChild::GetUTF8LibPath(nsACString& aOutLibPath) { -#if defined(XP_MACOSX) && defined(MOZ_GMP_SANDBOX) - nsAutoCString pluginDirectoryPath, pluginFilePath; - if (!GetPluginPaths(mPluginPath, pluginDirectoryPath, pluginFilePath)) { - MOZ_CRASH("Error scanning plugin path"); - } - aOutLibPath.Assign(pluginFilePath); - return true; -#else nsCOMPtr<nsIFile> libFile; if (!GetPluginFile(mPluginPath, libFile)) { return false; @@ -347,7 +228,6 @@ GMPChild::GetUTF8LibPath(nsACString& aOutLibPath) aOutLibPath = NS_ConvertUTF16toUTF8(path); return true; -#endif } bool @@ -377,17 +257,6 @@ GMPChild::AnswerStartPlugin(const nsString& aAdapter) } bool isWidevine = aAdapter.EqualsLiteral("widevine"); -#if defined(MOZ_GMP_SANDBOX) && defined(XP_MACOSX) - MacSandboxPluginType pluginType = MacSandboxPluginType_GMPlugin_Default; - if (isWidevine) { - pluginType = MacSandboxPluginType_GMPlugin_EME_Widevine; - } - if (!SetMacSandboxInfo(pluginType)) { - NS_WARNING("Failed to set Mac GMP sandbox info"); - delete platformAPI; - return false; - } -#endif GMPAdapter* adapter = (isWidevine) ? new WidevineAdapter() : nullptr; if (!mGMPLoader->Load(libPath.get(), diff --git a/dom/media/gmp/GMPChild.h b/dom/media/gmp/GMPChild.h index d5314cf96..a4f688901 100644 --- a/dom/media/gmp/GMPChild.h +++ b/dom/media/gmp/GMPChild.h @@ -40,10 +40,6 @@ public: // GMPAsyncShutdownHost void ShutdownComplete() override; -#if defined(XP_MACOSX) && defined(MOZ_GMP_SANDBOX) - bool SetMacSandboxInfo(MacSandboxPluginType aPluginType); -#endif - private: friend class GMPContentChild; diff --git a/dom/media/gmp/GMPLoader.cpp b/dom/media/gmp/GMPLoader.cpp index c10208a49..0bccdd0b1 100644 --- a/dom/media/gmp/GMPLoader.cpp +++ b/dom/media/gmp/GMPLoader.cpp @@ -44,10 +44,6 @@ public: void Shutdown() override; -#if defined(XP_MACOSX) && defined(MOZ_GMP_SANDBOX) - void SetSandboxInfo(MacSandboxInfo* aSandboxInfo) override; -#endif - private: SandboxStarter* mSandboxStarter; UniquePtr<GMPAdapter> mAdapter; @@ -208,15 +204,6 @@ GMPLoaderImpl::Shutdown() } } -#if defined(XP_MACOSX) && defined(MOZ_GMP_SANDBOX) -void -GMPLoaderImpl::SetSandboxInfo(MacSandboxInfo* aSandboxInfo) -{ - if (mSandboxStarter) { - mSandboxStarter->SetSandboxInfo(aSandboxInfo); - } -} -#endif } // namespace gmp } // namespace mozilla diff --git a/dom/media/gmp/GMPLoader.h b/dom/media/gmp/GMPLoader.h index 60581be2d..8e6b3cfac 100644 --- a/dom/media/gmp/GMPLoader.h +++ b/dom/media/gmp/GMPLoader.h @@ -12,10 +12,6 @@ #include "gmp-entrypoints.h" #include "mozilla/UniquePtr.h" -#if defined(XP_MACOSX) && defined(MOZ_GMP_SANDBOX) -#include "mozilla/Sandbox.h" -#endif - namespace mozilla { namespace gmp { @@ -23,12 +19,6 @@ class SandboxStarter { public: virtual ~SandboxStarter() {} virtual bool Start(const char* aLibPath) = 0; -#if defined(XP_MACOSX) && defined(MOZ_GMP_SANDBOX) - // On OS X we need to set Mac-specific sandbox info just before we start the - // sandbox, which we don't yet know when the GMPLoader and SandboxStarter - // objects are created. - virtual void SetSandboxInfo(MacSandboxInfo* aSandboxInfo) = 0; -#endif }; // Interface that adapts a plugin to the GMP API. @@ -94,13 +84,6 @@ public: // Calls the GMPShutdown function exported by the GMP lib, and unloads the // plugin library. virtual void Shutdown() = 0; - -#if defined(XP_MACOSX) && defined(MOZ_GMP_SANDBOX) - // On OS X we need to set Mac-specific sandbox info just before we start the - // sandbox, which we don't yet know when the GMPLoader and SandboxStarter - // objects are created. - virtual void SetSandboxInfo(MacSandboxInfo* aSandboxInfo) = 0; -#endif }; // On Desktop, this function resides in plugin-container. diff --git a/dom/media/gmp/GMPParent.cpp b/dom/media/gmp/GMPParent.cpp index 00bc97777..851634ce7 100644 --- a/dom/media/gmp/GMPParent.cpp +++ b/dom/media/gmp/GMPParent.cpp @@ -18,9 +18,6 @@ #include "nsIObserverService.h" #include "GMPTimerParent.h" #include "runnable_utils.h" -#if defined(XP_LINUX) && defined(MOZ_GMP_SANDBOX) -#include "mozilla/SandboxInfo.h" -#endif #include "GMPContentParent.h" #include "MediaPrefs.h" #include "VideoUtils.h" @@ -749,14 +746,6 @@ GMPParent::ReadGMPInfoFile(nsIFile* aFile) if (cap.mAPIName.EqualsLiteral(GMP_API_DECRYPTOR)) { mCanDecrypt = true; -#if defined(XP_LINUX) && defined(MOZ_GMP_SANDBOX) - if (!mozilla::SandboxInfo::Get().CanSandboxMedia()) { - printf_stderr("GMPParent::ReadGMPMetaData: Plugin \"%s\" is an EME CDM" - " but this system can't sandbox it; not loading.\n", - mDisplayName.get()); - return GenericPromise::CreateAndReject(NS_ERROR_FAILURE, __func__); - } -#endif #ifdef XP_WIN // Adobe GMP doesn't work without SSE2. Check the tags to see if // the decryptor is for the Adobe GMP, and refuse to load it if diff --git a/dom/media/gmp/GMPService.cpp b/dom/media/gmp/GMPService.cpp index 65f4037ee..1901210da 100644 --- a/dom/media/gmp/GMPService.cpp +++ b/dom/media/gmp/GMPService.cpp @@ -25,9 +25,6 @@ #include "nsComponentManagerUtils.h" #include "runnable_utils.h" #include "VideoUtils.h" -#if defined(XP_LINUX) && defined(MOZ_GMP_SANDBOX) -#include "mozilla/SandboxInfo.h" -#endif #include "nsAppDirectoryServiceDefs.h" #include "nsDirectoryServiceUtils.h" #include "nsDirectoryServiceDefs.h" @@ -485,14 +482,6 @@ GeckoMediaPluginService::GetGMPDecryptor(GMPCrashHelper* aHelper, const nsACString& aNodeId, UniquePtr<GetGMPDecryptorCallback>&& aCallback) { -#if defined(XP_LINUX) && defined(MOZ_GMP_SANDBOX) - if (!SandboxInfo::Get().CanSandboxMedia()) { - NS_WARNING("GeckoMediaPluginService::GetGMPDecryptor: " - "EME decryption not available without sandboxing support."); - return NS_ERROR_NOT_AVAILABLE; - } -#endif - MOZ_ASSERT(NS_GetCurrentThread() == mGMPThread); NS_ENSURE_ARG(aTags && aTags->Length() > 0); NS_ENSURE_ARG(aCallback); diff --git a/dom/media/gmp/GMPServiceParent.cpp b/dom/media/gmp/GMPServiceParent.cpp index f25c36811..b58ab8853 100644 --- a/dom/media/gmp/GMPServiceParent.cpp +++ b/dom/media/gmp/GMPServiceParent.cpp @@ -27,9 +27,6 @@ #include "nsComponentManagerUtils.h" #include "runnable_utils.h" #include "VideoUtils.h" -#if defined(XP_LINUX) && defined(MOZ_GMP_SANDBOX) -#include "mozilla/SandboxInfo.h" -#endif #include "nsAppDirectoryServiceDefs.h" #include "nsDirectoryServiceUtils.h" #include "nsDirectoryServiceDefs.h" @@ -960,15 +957,6 @@ GeckoMediaPluginServiceParent::SelectPluginForAPI(const nsACString& aNodeId, RefPtr<GMPParent> CreateGMPParent() { -#if defined(XP_LINUX) && defined(MOZ_GMP_SANDBOX) - if (!SandboxInfo::Get().CanSandboxMedia()) { - if (!MediaPrefs::GMPAllowInsecure()) { - NS_WARNING("Denying media plugin load due to lack of sandboxing."); - return nullptr; - } - NS_WARNING("Loading media plugin despite lack of sandboxing."); - } -#endif return new GMPParent(); } diff --git a/ipc/contentproc/plugin-container.cpp b/ipc/contentproc/plugin-container.cpp index 2383681d1..82ed16a90 100644 --- a/ipc/contentproc/plugin-container.cpp +++ b/ipc/contentproc/plugin-container.cpp @@ -27,11 +27,6 @@ #include "mozilla/sandboxing/sandboxLogging.h" #endif -#if defined(XP_LINUX) && defined(MOZ_GMP_SANDBOX) -#include "mozilla/Sandbox.h" -#include "mozilla/SandboxInfo.h" -#endif - #ifdef MOZ_WIDGET_GONK # include <sys/time.h> # include <sys/resource.h> @@ -79,54 +74,11 @@ public: }; #endif -#if defined(XP_LINUX) && defined(MOZ_GMP_SANDBOX) -class LinuxSandboxStarter : public mozilla::gmp::SandboxStarter { - LinuxSandboxStarter() { } -public: - static SandboxStarter* Make() { - if (mozilla::SandboxInfo::Get().CanSandboxMedia()) { - return new LinuxSandboxStarter(); - } else { - // Sandboxing isn't possible, but the parent has already - // checked that this plugin doesn't require it. (Bug 1074561) - return nullptr; - } - } - virtual bool Start(const char *aLibPath) override { - mozilla::SetMediaPluginSandbox(aLibPath); - return true; - } -}; -#endif - -#if defined(XP_MACOSX) && defined(MOZ_GMP_SANDBOX) -class MacSandboxStarter : public mozilla::gmp::SandboxStarter { -public: - virtual bool Start(const char *aLibPath) override { - std::string err; - bool rv = mozilla::StartMacSandbox(mInfo, err); - if (!rv) { - fprintf(stderr, "sandbox_init() failed! Error \"%s\"\n", err.c_str()); - } - return rv; - } - virtual void SetSandboxInfo(MacSandboxInfo* aSandboxInfo) override { - mInfo = *aSandboxInfo; - } -private: - MacSandboxInfo mInfo; -}; -#endif - mozilla::gmp::SandboxStarter* MakeSandboxStarter() { #if defined(XP_WIN) && defined(MOZ_SANDBOX) return new WinSandboxStarter(); -#elif defined(XP_LINUX) && defined(MOZ_GMP_SANDBOX) - return LinuxSandboxStarter::Make(); -#elif defined(XP_MACOSX) && defined(MOZ_GMP_SANDBOX) - return new MacSandboxStarter(); #else return nullptr; #endif diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js index bf7626391..88a9af2da 100644 --- a/modules/libpref/init/all.js +++ b/modules/libpref/init/all.js @@ -5432,13 +5432,6 @@ pref("narrate.voice", " { \"default\": \"automatic\" }"); // Only make voices that match content language available. pref("narrate.filter-voices", true); -#if defined(XP_LINUX) && defined(MOZ_GMP_SANDBOX) -// Whether to allow, on a Linux system that doesn't support the necessary sandboxing -// features, loading Gecko Media Plugins unsandboxed. However, EME CDMs will not be -// loaded without sandboxing even if this pref is changed. -pref("media.gmp.insecure.allow", false); -#endif - pref("dom.audiochannel.mutedByDefault", false); // Enable <details> and <summary> tags. diff --git a/old-configure.in b/old-configure.in index 0b5f055c7..5dbcdb1bc 100644 --- a/old-configure.in +++ b/old-configure.in @@ -2306,7 +2306,6 @@ MOZ_INSTALL_TRACKING= ACCESSIBILITY=1 MOZ_TIME_MANAGER= MOZ_AUDIO_CHANNEL_MANAGER= -MOZ_GMP_SANDBOX= MOZ_SANDBOX= MOZ_BINARY_EXTENSIONS= MOZ_JETPACK=1 @@ -3860,42 +3859,6 @@ if test -n "$MOZ_TSAN" -o -n "$MOZ_ASAN"; then fi dnl ======================================================== -dnl = Gecko Media Plugin sandboxing -dnl ======================================================== -case $OS_TARGET in -WINNT) - MOZ_GMP_SANDBOX=$MOZ_SANDBOX - ;; -Linux) - case $CPU_ARCH in - x86_64|x86) - MOZ_GMP_SANDBOX=$MOZ_SANDBOX - ;; - esac - ;; -Darwin) - MOZ_GMP_SANDBOX=$MOZ_SANDBOX - ;; -esac - -if test -n "$MOZ_GMP_SANDBOX"; then - AC_DEFINE(MOZ_GMP_SANDBOX) -fi - -AC_SUBST(MOZ_GMP_SANDBOX) - -if test -z "$MOZ_GMP_SANDBOX"; then - MOZ_SANDBOX= -fi - -if test -n "$MOZ_SANDBOX"; then - AC_DEFINE(MOZ_SANDBOX) -fi - -AC_SUBST(MOZ_SANDBOX) - - -dnl ======================================================== dnl = dnl = Module specific options dnl = diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp index 65ca467ca..80a18f855 100644 --- a/security/sandbox/linux/Sandbox.cpp +++ b/security/sandbox/linux/Sandbox.cpp @@ -76,13 +76,6 @@ namespace mozilla { // This is initialized by SandboxSetCrashFunc(). SandboxCrashFunc gSandboxCrashFunc; -#ifdef MOZ_GMP_SANDBOX -// For media plugins, we can start the sandbox before we dlopen the -// module, so we have to pre-open the file and simulate the sandboxed -// open(). -static SandboxOpenedFile gMediaPluginFile; -#endif - static UniquePtr<SandboxChroot> gChrootHelper; static void (*gChromiumSigSysHandler)(int, siginfo_t*, void*); @@ -525,19 +518,6 @@ SandboxEarlyInit(GeckoProcessType aType) case GeckoProcessType_Default: MOZ_ASSERT(false, "SandboxEarlyInit in parent process"); return; -#ifdef MOZ_GMP_SANDBOX - case GeckoProcessType_GMPlugin: - if (!info.Test(SandboxInfo::kEnabledForMedia)) { - break; - } - canUnshareNet = true; - canUnshareIPC = true; - // Need seccomp-bpf to intercept open(). - canChroot = info.Test(SandboxInfo::kHasSeccompBPF); - break; -#endif - // In the future, content processes will be able to use some of - // these. default: // Other cases intentionally left blank. break; @@ -626,40 +606,4 @@ SandboxEarlyInit(GeckoProcessType aType) } } -#ifdef MOZ_GMP_SANDBOX -/** - * Starts the seccomp sandbox for a media plugin process. Should be - * called only once, and before any potentially harmful content is - * loaded -- including the plugin itself, if it's considered untrusted. - * - * The file indicated by aFilePath, if non-null, can be open()ed - * read-only, once, after the sandbox starts; it should be the .so - * file implementing the not-yet-loaded plugin. - * - * Will normally make the process exit on failure. -*/ -void -SetMediaPluginSandbox(const char *aFilePath) -{ - if (!SandboxInfo::Get().Test(SandboxInfo::kEnabledForMedia)) { - return; - } - - MOZ_ASSERT(!gMediaPluginFile.mPath); - if (aFilePath) { - gMediaPluginFile.mPath = strdup(aFilePath); - gMediaPluginFile.mFd = open(aFilePath, O_RDONLY | O_CLOEXEC); - if (gMediaPluginFile.mFd == -1) { - SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", - aFilePath, strerror(errno)); - MOZ_CRASH(); - } - } else { - gMediaPluginFile.mFd = -1; - } - // Finally, start the sandbox. - SetCurrentProcessSandbox(GetMediaSandboxPolicy(&gMediaPluginFile)); -} -#endif // MOZ_GMP_SANDBOX - } // namespace mozilla diff --git a/security/sandbox/linux/Sandbox.h b/security/sandbox/linux/Sandbox.h index aefdda22d..9d1c3d4b3 100644 --- a/security/sandbox/linux/Sandbox.h +++ b/security/sandbox/linux/Sandbox.h @@ -19,13 +19,6 @@ namespace mozilla { // This must be called early, while the process is still single-threaded. MOZ_EXPORT void SandboxEarlyInit(GeckoProcessType aType); -#ifdef MOZ_GMP_SANDBOX -// Call only if SandboxInfo::CanSandboxMedia() returns true. -// (No-op if MOZ_DISABLE_GMP_SANDBOX is set.) -// aFilePath is the path to the plugin file. -MOZ_EXPORT void SetMediaPluginSandbox(const char *aFilePath); -#endif - } // namespace mozilla #endif // mozilla_Sandbox_h diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp index da7e54300..afaf53cec 100644 --- a/security/sandbox/linux/SandboxFilter.cpp +++ b/security/sandbox/linux/SandboxFilter.cpp @@ -340,133 +340,4 @@ public: // The process-type-specific syscall rules start here: -#ifdef MOZ_GMP_SANDBOX -// Unlike for content, the GeckoMediaPlugin seccomp-bpf policy needs -// to be an effective sandbox by itself, because we allow GMP on Linux -// systems where that's the only sandboxing mechanism we can use. -// -// Be especially careful about what this policy allows. -class GMPSandboxPolicy : public SandboxPolicyCommon { - static intptr_t OpenTrap(const sandbox::arch_seccomp_data& aArgs, - void* aux) - { - auto plugin = static_cast<SandboxOpenedFile*>(aux); - const char* path; - int flags; - - switch (aArgs.nr) { -#ifdef __NR_open - case __NR_open: - path = reinterpret_cast<const char*>(aArgs.args[0]); - flags = static_cast<int>(aArgs.args[1]); - break; -#endif - case __NR_openat: - // The path has to be absolute to match the pre-opened file (see - // assertion in ctor) so the dirfd argument is ignored. - path = reinterpret_cast<const char*>(aArgs.args[1]); - flags = static_cast<int>(aArgs.args[2]); - break; - default: - MOZ_CRASH("unexpected syscall number"); - } - - if (strcmp(path, plugin->mPath) != 0) { - SANDBOX_LOG_ERROR("attempt to open file %s (flags=0%o) which is not the" - " media plugin %s", path, flags, plugin->mPath); - return -EPERM; - } - if ((flags & O_ACCMODE) != O_RDONLY) { - SANDBOX_LOG_ERROR("non-read-only open of file %s attempted (flags=0%o)", - path, flags); - return -EPERM; - } - int fd = plugin->mFd.exchange(-1); - if (fd < 0) { - SANDBOX_LOG_ERROR("multiple opens of media plugin file unimplemented"); - return -ENOSYS; - } - return fd; - } - - static intptr_t SchedTrap(const sandbox::arch_seccomp_data& aArgs, - void* aux) - { - const pid_t tid = syscall(__NR_gettid); - if (aArgs.args[0] == static_cast<uint64_t>(tid)) { - return syscall(aArgs.nr, - 0, - aArgs.args[1], - aArgs.args[2], - aArgs.args[3], - aArgs.args[4], - aArgs.args[5]); - } - SANDBOX_LOG_ERROR("unsupported tid in SchedTrap"); - return BlockedSyscallTrap(aArgs, nullptr); - } - - SandboxOpenedFile* mPlugin; -public: - explicit GMPSandboxPolicy(SandboxOpenedFile* aPlugin) - : mPlugin(aPlugin) - { - MOZ_ASSERT(aPlugin->mPath[0] == '/', "plugin path should be absolute"); - } - - virtual ~GMPSandboxPolicy() { } - - virtual ResultExpr EvaluateSyscall(int sysno) const override { - switch (sysno) { - // Simulate opening the plugin file. -#ifdef __NR_open - case __NR_open: -#endif - case __NR_openat: - return Trap(OpenTrap, mPlugin); - - // ipc::Shmem - case __NR_mprotect: - return Allow(); - case __NR_madvise: { - Arg<int> advice(2); - return If(advice == MADV_DONTNEED, Allow()) - .ElseIf(advice == MADV_FREE, Allow()) -#ifdef MOZ_ASAN - .ElseIf(advice == MADV_NOHUGEPAGE, Allow()) - .ElseIf(advice == MADV_DONTDUMP, Allow()) -#endif - .Else(InvalidSyscall()); - } - case __NR_brk: - CASES_FOR_geteuid: - return Allow(); - case __NR_sched_getparam: - case __NR_sched_getscheduler: - case __NR_sched_get_priority_min: - case __NR_sched_get_priority_max: - case __NR_sched_setscheduler: { - Arg<pid_t> pid(0); - return If(pid == 0, Allow()) - .Else(Trap(SchedTrap, nullptr)); - } - - // For clock(3) on older glibcs; bug 1304220. - case __NR_times: - return Allow(); - - default: - return SandboxPolicyCommon::EvaluateSyscall(sysno); - } - } -}; - -UniquePtr<sandbox::bpf_dsl::Policy> -GetMediaSandboxPolicy(SandboxOpenedFile* aPlugin) -{ - return UniquePtr<sandbox::bpf_dsl::Policy>(new GMPSandboxPolicy(aPlugin)); -} - -#endif // MOZ_GMP_SANDBOX - } diff --git a/security/sandbox/linux/SandboxFilter.h b/security/sandbox/linux/SandboxFilter.h index ecd2e610b..b6031d30e 100644 --- a/security/sandbox/linux/SandboxFilter.h +++ b/security/sandbox/linux/SandboxFilter.h @@ -18,15 +18,6 @@ class Policy; namespace mozilla { -#ifdef MOZ_GMP_SANDBOX -struct SandboxOpenedFile { - const char *mPath; - Atomic<int> mFd; -}; - -UniquePtr<sandbox::bpf_dsl::Policy> GetMediaSandboxPolicy(SandboxOpenedFile* aPlugin); -#endif - } // namespace mozilla #endif diff --git a/security/sandbox/linux/SandboxInfo.cpp b/security/sandbox/linux/SandboxInfo.cpp index 4d0c1d584..2eb65e39c 100644 --- a/security/sandbox/linux/SandboxInfo.cpp +++ b/security/sandbox/linux/SandboxInfo.cpp @@ -225,11 +225,6 @@ SandboxInfo::SandboxInfo() { } } -#ifdef MOZ_GMP_SANDBOX - if (!getenv("MOZ_DISABLE_GMP_SANDBOX")) { - flags |= kEnabledForMedia; - } -#endif if (getenv("MOZ_SANDBOX_VERBOSE")) { flags |= kVerbose; } |