From 755e1020782fb42863e97d58a3e44d2eca760bb0 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Wed, 2 May 2018 21:58:04 +0200 Subject: Remove content process sandbox code. --- dom/ipc/ContentChild.cpp | 196 --------------------------------------------- dom/ipc/ContentChild.h | 21 ----- dom/ipc/ContentParent.cpp | 60 -------------- dom/ipc/ContentParent.h | 11 --- dom/ipc/ContentProcess.cpp | 113 -------------------------- dom/ipc/ContentProcess.h | 8 -- dom/ipc/moz.build | 5 -- 7 files changed, 414 deletions(-) (limited to 'dom/ipc') diff --git a/dom/ipc/ContentChild.cpp b/dom/ipc/ContentChild.cpp index 75678ca96..d7068c6c3 100644 --- a/dom/ipc/ContentChild.cpp +++ b/dom/ipc/ContentChild.cpp @@ -65,21 +65,6 @@ #include "imgLoader.h" #include "GMPServiceChild.h" -#if defined(MOZ_CONTENT_SANDBOX) -#if defined(XP_WIN) -#define TARGET_SANDBOX_EXPORTS -#include "mozilla/sandboxTarget.h" -#elif defined(XP_LINUX) -#include "mozilla/Sandbox.h" -#include "mozilla/SandboxInfo.h" - -// Remove this include with Bug 1104619 -#include "CubebUtils.h" -#elif defined(XP_MACOSX) -#include "mozilla/Sandbox.h" -#endif -#endif - #include "mozilla/Unused.h" #include "mozInlineSpellChecker.h" @@ -1250,192 +1235,11 @@ ContentChild::AllocPProcessHangMonitorChild(Transport* aTransport, return CreateHangMonitorChild(aTransport, aOtherProcess); } -#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX) - -#include - -static bool -GetAppPaths(nsCString &aAppPath, nsCString &aAppBinaryPath, nsCString &aAppDir) -{ - nsAutoCString appPath; - nsAutoCString appBinaryPath( - (CommandLine::ForCurrentProcess()->argv()[0]).c_str()); - - nsAutoCString::const_iterator start, end; - appBinaryPath.BeginReading(start); - appBinaryPath.EndReading(end); - if (RFindInReadable(NS_LITERAL_CSTRING(".app/Contents/MacOS/"), start, end)) { - end = start; - ++end; ++end; ++end; ++end; - appBinaryPath.BeginReading(start); - appPath.Assign(Substring(start, end)); - } else { - return false; - } - - nsCOMPtr app, appBinary; - nsresult rv = NS_NewLocalFile(NS_ConvertUTF8toUTF16(appPath), - true, getter_AddRefs(app)); - if (NS_FAILED(rv)) { - return false; - } - rv = NS_NewLocalFile(NS_ConvertUTF8toUTF16(appBinaryPath), - true, getter_AddRefs(appBinary)); - if (NS_FAILED(rv)) { - return false; - } - - nsCOMPtr appDir; - nsCOMPtr dirSvc = - do_GetService(NS_DIRECTORY_SERVICE_CONTRACTID); - if (!dirSvc) { - return false; - } - rv = dirSvc->Get(NS_XPCOM_CURRENT_PROCESS_DIR, - NS_GET_IID(nsIFile), getter_AddRefs(appDir)); - if (NS_FAILED(rv)) { - return false; - } - bool exists; - rv = appDir->Exists(&exists); - if (NS_FAILED(rv) || !exists) { - return false; - } - - bool isLink; - app->IsSymlink(&isLink); - if (isLink) { - app->GetNativeTarget(aAppPath); - } else { - app->GetNativePath(aAppPath); - } - appBinary->IsSymlink(&isLink); - if (isLink) { - appBinary->GetNativeTarget(aAppBinaryPath); - } else { - appBinary->GetNativePath(aAppBinaryPath); - } - appDir->IsSymlink(&isLink); - if (isLink) { - appDir->GetNativeTarget(aAppDir); - } else { - appDir->GetNativePath(aAppDir); - } - - return true; -} - -static bool -StartMacOSContentSandbox() -{ - int sandboxLevel = Preferences::GetInt("security.sandbox.content.level"); - if (sandboxLevel < 1) { - return false; - } - - nsAutoCString appPath, appBinaryPath, appDir; - if (!GetAppPaths(appPath, appBinaryPath, appDir)) { - MOZ_CRASH("Error resolving child process path"); - } - - // During sandboxed content process startup, before reaching - // this point, NS_OS_TEMP_DIR is modified to refer to a sandbox- - // writable temporary directory - nsCOMPtr tempDir; - nsresult rv = nsDirectoryService::gService->Get(NS_OS_TEMP_DIR, - NS_GET_IID(nsIFile), getter_AddRefs(tempDir)); - if (NS_FAILED(rv)) { - MOZ_CRASH("Failed to get NS_OS_TEMP_DIR"); - } - - nsAutoCString tempDirPath; - tempDir->Normalize(); - rv = tempDir->GetNativePath(tempDirPath); - if (NS_FAILED(rv)) { - MOZ_CRASH("Failed to get NS_OS_TEMP_DIR path"); - } - - nsCOMPtr profileDir; - ContentChild::GetSingleton()->GetProfileDir(getter_AddRefs(profileDir)); - nsCString profileDirPath; - if (profileDir) { - rv = profileDir->GetNativePath(profileDirPath); - if (NS_FAILED(rv) || profileDirPath.IsEmpty()) { - MOZ_CRASH("Failed to get profile path"); - } - } - - MacSandboxInfo info; - info.type = MacSandboxType_Content; - info.level = info.level = sandboxLevel; - info.appPath.assign(appPath.get()); - info.appBinaryPath.assign(appBinaryPath.get()); - info.appDir.assign(appDir.get()); - info.appTempDir.assign(tempDirPath.get()); - - if (profileDir) { - info.hasSandboxedProfile = true; - info.profileDir.assign(profileDirPath.get()); - } else { - info.hasSandboxedProfile = false; - } - - std::string err; - if (!mozilla::StartMacSandbox(info, err)) { - NS_WARNING(err.c_str()); - MOZ_CRASH("sandbox_init() failed"); - } - - return true; -} -#endif - bool ContentChild::RecvSetProcessSandbox(const MaybeFileDesc& aBroker) { // We may want to move the sandbox initialization somewhere else // at some point; see bug 880808. -#if defined(MOZ_CONTENT_SANDBOX) - bool sandboxEnabled = true; -#if defined(XP_LINUX) -#if defined(MOZ_WIDGET_GONK) && ANDROID_VERSION >= 19 - // For B2G >= KitKat, sandboxing is mandatory; this has already - // been enforced by ContentParent::StartUp(). - MOZ_ASSERT(SandboxInfo::Get().CanSandboxContent()); -#else - // Otherwise, sandboxing is best-effort. - if (!SandboxInfo::Get().CanSandboxContent()) { - sandboxEnabled = false; - } else { - // This triggers the initialization of cubeb, which needs to happen - // before seccomp is enabled (Bug 1259508). It also increases the startup - // time of the content process, because cubeb is usually initialized - // when it is actually needed. This call here is no longer required - // once Bug 1104619 (remoting audio) is resolved. - Unused << CubebUtils::GetCubebContext(); - } - -#endif /* MOZ_WIDGET_GONK && ANDROID_VERSION >= 19 */ - if (sandboxEnabled) { - int brokerFd = -1; - if (aBroker.type() == MaybeFileDesc::TFileDescriptor) { - auto fd = aBroker.get_FileDescriptor().ClonePlatformHandle(); - brokerFd = fd.release(); - // brokerFd < 0 means to allow direct filesystem access, so - // make absolutely sure that doesn't happen if the parent - // didn't intend it. - MOZ_RELEASE_ASSERT(brokerFd >= 0); - } - sandboxEnabled = SetContentProcessSandbox(brokerFd); - } -#elif defined(XP_WIN) - mozilla::SandboxTarget::Instance()->StartSandbox(); -#elif defined(XP_MACOSX) - sandboxEnabled = StartMacOSContentSandbox(); -#endif - -#endif /* MOZ_CONTENT_SANDBOX */ - return true; } diff --git a/dom/ipc/ContentChild.h b/dom/ipc/ContentChild.h index cb718aff9..c78f951f0 100644 --- a/dom/ipc/ContentChild.h +++ b/dom/ipc/ContentChild.h @@ -21,10 +21,6 @@ #include "nsWeakPtr.h" #include "nsIWindowProvider.h" -#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX) -#include "nsIFile.h" -#endif - struct ChromePackage; class nsIObserver; struct SubstitutionMapping; @@ -118,19 +114,6 @@ public: void GetProcessName(nsACString& aName) const; -#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX) - void GetProfileDir(nsIFile** aProfileDir) const - { - *aProfileDir = mProfileDir; - NS_IF_ADDREF(*aProfileDir); - } - - void SetProfileDir(nsIFile* aProfileDir) - { - mProfileDir = aProfileDir; - } -#endif - bool IsAlive() const; bool IsShuttingDown() const; @@ -679,10 +662,6 @@ private: nsCOMPtr mPolicy; nsCOMPtr mForceKillTimer; -#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX) - nsCOMPtr mProfileDir; -#endif - // Hashtable to keep track of the pending GetFilesHelper objects. // This GetFilesHelperChild objects are removed when RecvGetFilesResponse is // received. diff --git a/dom/ipc/ContentParent.cpp b/dom/ipc/ContentParent.cpp index 286f1d851..ee0f8090a 100644 --- a/dom/ipc/ContentParent.cpp +++ b/dom/ipc/ContentParent.cpp @@ -230,12 +230,6 @@ using namespace mozilla::system; #include "mozilla/dom/SpeechSynthesisParent.h" #endif -#if defined(MOZ_CONTENT_SANDBOX) && defined(XP_LINUX) -#include "mozilla/SandboxInfo.h" -#include "mozilla/SandboxBroker.h" -#include "mozilla/SandboxBrokerPolicyFactory.h" -#endif - #ifdef MOZ_TOOLKIT_SEARCH #include "nsIBrowserSearchService.h" #endif @@ -503,9 +497,6 @@ nsTArray* ContentParent::sNonAppContentParents; nsTArray* ContentParent::sLargeAllocationContentParents; nsTArray* ContentParent::sPrivateContent; StaticAutoPtr > ContentParent::sContentParents; -#if defined(XP_LINUX) && defined(MOZ_CONTENT_SANDBOX) -UniquePtr ContentParent::sSandboxBrokerPolicyFactory; -#endif // This is true when subprocess launching is enabled. This is the // case between StartUp() and ShutDown() or JoinAllSubprocesses(). @@ -637,18 +628,6 @@ ContentParent::StartUp() return; } -#if defined(MOZ_CONTENT_SANDBOX) && defined(MOZ_WIDGET_GONK) && ANDROID_VERSION >= 19 - // Require sandboxing on B2G >= KitKat. This condition must stay - // in sync with ContentChild::RecvSetProcessSandbox. - if (!SandboxInfo::Get().CanSandboxContent()) { - // MOZ_CRASH strings are only for debug builds; make sure the - // message is clear on non-debug builds as well: - printf_stderr("Sandboxing support is required on this platform. " - "Recompile kernel with CONFIG_SECCOMP_FILTER=y\n"); - MOZ_CRASH("Sandboxing support is required on this platform."); - } -#endif - // Note: This reporter measures all ContentParents. RegisterStrongMemoryReporter(new ContentParentsMemoryReporter()); @@ -662,10 +641,6 @@ ContentParent::StartUp() PreallocatedProcessManager::AllocateAfterDelay(); sDisableUnsafeCPOWWarnings = PR_GetEnv("DISABLE_UNSAFE_CPOW_WARNINGS"); - -#if defined(XP_LINUX) && defined(MOZ_CONTENT_SANDBOX) - sSandboxBrokerPolicyFactory = MakeUnique(); -#endif } /*static*/ void @@ -674,10 +649,6 @@ ContentParent::ShutDown() // No-op for now. We rely on normal process shutdown and // ClearOnShutdown() to clean up our state. sCanLaunchSubprocesses = false; - -#if defined(XP_LINUX) && defined(MOZ_CONTENT_SANDBOX) - sSandboxBrokerPolicyFactory = nullptr; -#endif } /*static*/ void @@ -2244,37 +2215,6 @@ ContentParent::InitInternal(ProcessPriority aInitialPriority, } } -#ifdef MOZ_CONTENT_SANDBOX - bool shouldSandbox = true; - MaybeFileDesc brokerFd = void_t(); -#ifdef XP_LINUX - // XXX: Checking the pref here makes it possible to enable/disable sandboxing - // during an active session. Currently the pref is only used for testing - // purpose. If the decision is made to permanently rely on the pref, this - // should be changed so that it is required to restart firefox for the change - // of value to take effect. - shouldSandbox = (Preferences::GetInt("security.sandbox.content.level") > 0) && - !PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX"); - - if (shouldSandbox) { - MOZ_ASSERT(!mSandboxBroker); - UniquePtr policy = - sSandboxBrokerPolicyFactory->GetContentPolicy(Pid()); - if (policy) { - brokerFd = FileDescriptor(); - mSandboxBroker = SandboxBroker::Create(Move(policy), Pid(), brokerFd); - if (!mSandboxBroker) { - KillHard("SandboxBroker::Create failed"); - return; - } - MOZ_ASSERT(static_cast(brokerFd).IsValid()); - } - } -#endif - if (shouldSandbox && !SendSetProcessSandbox(brokerFd)) { - KillHard("SandboxInitFailed"); - } -#endif #if defined(XP_WIN) // Send the info needed to join the browser process's audio session. nsID id; diff --git a/dom/ipc/ContentParent.h b/dom/ipc/ContentParent.h index a3750de1a..3f74b10e1 100644 --- a/dom/ipc/ContentParent.h +++ b/dom/ipc/ContentParent.h @@ -46,11 +46,6 @@ class PRemoteSpellcheckEngineParent; class ProfileGatherer; #endif -#if defined(XP_LINUX) && defined(MOZ_CONTENT_SANDBOX) -class SandboxBroker; -class SandboxBrokerPolicyFactory; -#endif - namespace embedding { class PrintingParent; } @@ -1152,12 +1147,6 @@ private: UniquePtr mDriverCrashGuard; -#if defined(XP_LINUX) && defined(MOZ_CONTENT_SANDBOX) - mozilla::UniquePtr mSandboxBroker; - static mozilla::UniquePtr - sSandboxBrokerPolicyFactory; -#endif - #ifdef NS_PRINTING RefPtr mPrintingParent; #endif diff --git a/dom/ipc/ContentProcess.cpp b/dom/ipc/ContentProcess.cpp index 2413d8808..986617f55 100644 --- a/dom/ipc/ContentProcess.cpp +++ b/dom/ipc/ContentProcess.cpp @@ -8,122 +8,17 @@ #include "ContentProcess.h" -#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX) -#include -#endif - -#if (defined(XP_WIN) || defined(XP_MACOSX)) && defined(MOZ_CONTENT_SANDBOX) -#include "mozilla/Preferences.h" -#include "nsAppDirectoryServiceDefs.h" -#include "nsDirectoryService.h" -#include "nsDirectoryServiceDefs.h" -#endif - using mozilla::ipc::IOThreadChild; namespace mozilla { namespace dom { -#if defined(XP_WIN) && defined(MOZ_CONTENT_SANDBOX) -static bool -IsSandboxTempDirRequired() -{ - // On Windows, a sandbox-writable temp directory is only used - // when sandbox pref level >= 1. - return Preferences::GetInt("security.sandbox.content.level") >= 1; -} - -static void -SetTmpEnvironmentVariable(nsIFile* aValue) -{ - // Save the TMP environment variable so that is is picked up by GetTempPath(). - // Note that we specifically write to the TMP variable, as that is the first - // variable that is checked by GetTempPath() to determine its output. - nsAutoString fullTmpPath; - nsresult rv = aValue->GetPath(fullTmpPath); - if (NS_WARN_IF(NS_FAILED(rv))) { - return; - } - Unused << NS_WARN_IF(!SetEnvironmentVariableW(L"TMP", fullTmpPath.get())); - // We also set TEMP in case there is naughty third-party code that is - // referencing the environment variable directly. - Unused << NS_WARN_IF(!SetEnvironmentVariableW(L"TEMP", fullTmpPath.get())); -} -#endif - -#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX) -static bool -IsSandboxTempDirRequired() -{ - // On OSX, use the sandbox-writable temp when the pref level >= 1. - return (Preferences::GetInt("security.sandbox.content.level") >= 1); -} - -static void -SetTmpEnvironmentVariable(nsIFile* aValue) -{ - nsAutoCString fullTmpPath; - nsresult rv = aValue->GetNativePath(fullTmpPath); - if (NS_WARN_IF(NS_FAILED(rv))) { - return; - } - Unused << NS_WARN_IF(setenv("TMPDIR", fullTmpPath.get(), 1) != 0); -} -#endif - -#if (defined(XP_WIN) || defined(XP_MACOSX)) && defined(MOZ_CONTENT_SANDBOX) -static void -SetUpSandboxEnvironment() -{ - MOZ_ASSERT(nsDirectoryService::gService, - "SetUpSandboxEnvironment relies on nsDirectoryService being initialized"); - - if (!IsSandboxTempDirRequired()) { - return; - } - - nsCOMPtr sandboxedContentTemp; - nsresult rv = - nsDirectoryService::gService->Get(NS_APP_CONTENT_PROCESS_TEMP_DIR, - NS_GET_IID(nsIFile), - getter_AddRefs(sandboxedContentTemp)); - if (NS_WARN_IF(NS_FAILED(rv))) { - return; - } - - // Change the gecko defined temp directory to our sandbox-writable one. - // Undefine returns a failure if the property is not already set. - Unused << nsDirectoryService::gService->Undefine(NS_OS_TEMP_DIR); - rv = nsDirectoryService::gService->Set(NS_OS_TEMP_DIR, sandboxedContentTemp); - if (NS_WARN_IF(NS_FAILED(rv))) { - return; - } - - SetTmpEnvironmentVariable(sandboxedContentTemp); -} -#endif - void ContentProcess::SetAppDir(const nsACString& aPath) { mXREEmbed.SetAppDir(aPath); } -#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX) -void -ContentProcess::SetProfile(const nsACString& aProfile) -{ - bool flag; - nsresult rv = - XRE_GetFileFromPath(aProfile.BeginReading(), getter_AddRefs(mProfileDir)); - if (NS_FAILED(rv) || - NS_FAILED(mProfileDir->Exists(&flag)) || !flag) { - NS_WARNING("Invalid profile directory passed to content process."); - mProfileDir = nullptr; - } -} -#endif - bool ContentProcess::Init() { @@ -134,14 +29,6 @@ ContentProcess::Init() mContent.InitXPCOM(); mContent.InitGraphicsDeviceData(); -#if (defined(XP_MACOSX)) && defined(MOZ_CONTENT_SANDBOX) - mContent.SetProfileDir(mProfileDir); -#endif - -#if (defined(XP_WIN) || defined(XP_MACOSX)) && defined(MOZ_CONTENT_SANDBOX) - SetUpSandboxEnvironment(); -#endif - return true; } diff --git a/dom/ipc/ContentProcess.h b/dom/ipc/ContentProcess.h index bf9968f8c..3950368bd 100644 --- a/dom/ipc/ContentProcess.h +++ b/dom/ipc/ContentProcess.h @@ -39,18 +39,10 @@ public: void SetAppDir(const nsACString& aPath); -#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX) - void SetProfile(const nsACString& aProfile); -#endif - private: ContentChild mContent; mozilla::ipc::ScopedXREEmbed mXREEmbed; -#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX) - nsCOMPtr mProfileDir; -#endif - #if defined(XP_WIN) // This object initializes and configures COM. mozilla::mscom::MainThreadRuntime mCOMRuntime; diff --git a/dom/ipc/moz.build b/dom/ipc/moz.build index 71d193d44..1a0527dae 100644 --- a/dom/ipc/moz.build +++ b/dom/ipc/moz.build @@ -112,11 +112,6 @@ if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_TARGET'] == 'Darwin': 'mozsandbox', ] -if CONFIG['MOZ_CONTENT_SANDBOX'] and CONFIG['OS_ARCH'] == 'Linux': - USE_LIBS += [ - 'mozsandbox', - ] - LOCAL_INCLUDES += [ '/caps', '/chrome', -- cgit v1.2.3