From 4613b91ecac2745252c40be64e73de5ff920b02b Mon Sep 17 00:00:00 2001
From: wolfbeast
Date: Thu, 3 May 2018 01:24:31 +0200
Subject: Remove sandbox ductwork conditional code.
---
 ipc/app/moz.build | 37 ------
 ipc/app/pie/moz.build | 11 --
 ipc/contentproc/moz.build | 5 -
 ipc/contentproc/plugin-container.cpp | 40 -------
 ipc/glue/GeckoChildProcessHost.cpp | 217 -----------------------------------
 ipc/glue/GeckoChildProcessHost.h | 13 ---
 ipc/glue/ProtocolUtils.cpp | 16 ---
 ipc/glue/moz.build | 7 --
 8 files changed, 346 deletions(-)
(limited to 'ipc')
diff --git a/ipc/app/moz.build b/ipc/app/moz.build
index 55c338cb8..a5bf66737 100644
--- a/ipc/app/moz.build
+++ b/ipc/app/moz.build
@@ -43,47 +43,10 @@ if CONFIG['OS_ARCH'] == 'WINNT':
 'nss3.dll',
 ]
- if CONFIG['MOZ_SANDBOX']:
- # For sandbox includes and the include dependencies those have
- LOCAL_INCLUDES += [
- '/security/sandbox/chromium',
- '/security/sandbox/chromium-shim',
- ]
-
- USE_LIBS += [
- 'sandbox_s',
- ]
-
- DELAYLOAD_DLLS += [
- 'winmm.dll',
- 'user32.dll',
- ]
-
 DELAYLOAD_DLLS += [
 'xul.dll',
 ]
-if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_TARGET'] in ('Linux', 'Android'):
- USE_LIBS += [
- 'mozsandbox',
- ]
-
- # gcc lto likes to put the top level asm in syscall.cc in a different partition
- # from the function using it which breaks the build. Work around that by
- # forcing there to be only one partition.
- if '-flto' in CONFIG['OS_CXXFLAGS'] and not CONFIG['CLANG_CXX']:
- LDFLAGS += ['--param lto-partitions=1']
-
-if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_TARGET'] == 'Darwin':
- # For sandbox includes and the include dependencies those have
- LOCAL_INCLUDES += [
- '/security/sandbox/chromium',
- '/security/sandbox/chromium-shim',
- ]
- USE_LIBS += [
- 'mozsandbox',
- ]
-
 if CONFIG['_MSC_VER']:
 # Always enter a Windows program through wmain, whether or not we're
 # a console application.
diff --git a/ipc/app/pie/moz.build b/ipc/app/pie/moz.build
index 0247b25b4..6924199b5 100644
--- a/ipc/app/pie/moz.build
+++ b/ipc/app/pie/moz.build
@@ -16,15 +16,4 @@ LOCAL_INCLUDES += [
 '/xpcom/base',
 ]
-if CONFIG['MOZ_SANDBOX']:
- USE_LIBS += [
- 'mozsandbox',
- ]
-
- # gcc lto likes to put the top level asm in syscall.cc in a different partition
- # from the function using it which breaks the build. Work around that by
- # forcing there to be only one partition.
- if '-flto' in CONFIG['OS_CXXFLAGS'] and not CONFIG['CLANG_CXX']:
- LDFLAGS += ['--param lto-partitions=1']
-
 LDFLAGS += ['-pie']
diff --git a/ipc/contentproc/moz.build b/ipc/contentproc/moz.build
index 07cf0b97c..f9ded56ec 100644
--- a/ipc/contentproc/moz.build
+++ b/ipc/contentproc/moz.build
@@ -18,8 +18,3 @@ if CONFIG['OS_ARCH'] == 'WINNT':
 '/xpcom/base',
 ]
-if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_ARCH'] == 'WINNT':
- LOCAL_INCLUDES += [
- '/security/sandbox/chromium',
- '/security/sandbox/chromium-shim',
- ]
diff --git a/ipc/contentproc/plugin-container.cpp b/ipc/contentproc/plugin-container.cpp
index 82ed16a90..6a9341d7f 100644
--- a/ipc/contentproc/plugin-container.cpp
+++ b/ipc/contentproc/plugin-container.cpp
@@ -22,11 +22,6 @@
 #include "GMPLoader.h"
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
-#include "mozilla/sandboxing/SandboxInitialization.h"
-#include "mozilla/sandboxing/sandboxLogging.h"
-#endif
-
 #ifdef MOZ_WIDGET_GONK
 # include
 # include
@@ -62,26 +57,10 @@ InitializeBinder(void *aDummy) {
 }
 #endif
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
-class WinSandboxStarter : public mozilla::gmp::SandboxStarter {
-public:
- virtual bool Start(const char *aLibPath) override {
- if (IsSandboxedProcess()) {
- mozilla::sandboxing::LowerSandbox();
- }
- return true;
- }
-};
-#endif
-
 mozilla::gmp::SandboxStarter*
 MakeSandboxStarter()
 {
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
- return new WinSandboxStarter();
-#else
 return nullptr;
-#endif
 }
 int
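Review bot: `MakeSandboxStarter()` is now a bare `return nullptr;` with nothing saying that a null starter is the intended result rather than a stub awaiting a platform implementation; the deleted `WinSandboxStarter::Start` was the place where a GMP child lowered its sandbox before the plugin library was loaded, so the next reader has no way to tell the difference. A one-line comment inside the function, such as `// Always null: no sandbox is set up or lowered around GMP library loading on any platform.`, would record the decision and stop a platform branch from being re-added here by accident. The function is complete within this hunk, so the comment has a single obvious home.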
@@ -95,27 +74,8 @@ content_process_main(int argc, char* argv[])
 XREChildData childData;
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
- if (IsSandboxedProcess()) {
- childData.sandboxTargetServices =
- mozilla::sandboxing::GetInitializedTargetServices();
- if (!childData.sandboxTargetServices) {
- return 1;
- }
-
- childData.ProvideLogFunction = mozilla::sandboxing::ProvideLogFunction;
- }
-#endif
-
 XRE_SetProcessType(argv[--argc]);
-#if defined(XP_LINUX) && defined(MOZ_SANDBOX)
- // This has to happen while we're still single-threaded, and on
- // B2G that means before the Android Binder library is
- // initialized.
- mozilla::SandboxEarlyInit(XRE_GetProcessType());
-#endif
-
 #ifdef MOZ_WIDGET_GONK
 // This creates a ThreadPool for binder ipc. A ThreadPool is necessary to
 // receive binder calls, though not necessary to send binder calls.
diff --git a/ipc/glue/GeckoChildProcessHost.cpp b/ipc/glue/GeckoChildProcessHost.cpp
index fc376d703..9ab9cc4d4 100644
--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@@ -39,12 +39,6 @@
 #ifdef XP_WIN
 #include "nsIWinTaskbar.h"
 #define NS_TASKBAR_CONTRACTID "@mozilla.org/windows-taskbar;1"
-
-#if defined(MOZ_SANDBOX)
-#include "mozilla/Preferences.h"
-#include "mozilla/sandboxing/sandboxLogging.h"
-#include "nsDirectoryServiceUtils.h"
-#endif
 #endif
 #include "nsTArray.h"
@@ -97,10 +91,6 @@ GeckoChildProcessHost::GeckoChildProcessHost(GeckoProcessType aProcessType,
 mPrivileges(aPrivileges),
 mMonitor("mozilla.ipc.GeckChildProcessHost.mMonitor"),
 mProcessState(CREATING_CHANNEL),
-#if defined(MOZ_SANDBOX) && defined(XP_WIN)
- mEnableSandboxLogging(false),
- mSandboxLevel(0),
-#endif
 mChildProcessHandle(0)
 #if defined(MOZ_WIDGET_COCOA)
 , mChildTask(MACH_PORT_NULL)
@@ -307,14 +297,6 @@ GeckoChildProcessHost::PrepareLaunch()
 if (mProcessType == GeckoProcessType_Plugin) {
 InitWindowsGroupID();
 }
-
-#if defined(MOZ_SANDBOX)
- // For other process types we can't rely on them being launched on main
- // thread and they may not have access to prefs in the child process, so allow
- // them to turn on logging via an environment variable.
- mEnableSandboxLogging = mEnableSandboxLogging
- || !!PR_GetEnv("MOZ_WIN_SANDBOX_LOGGING");
-#endif
 #endif
 }
@@ -599,91 +581,6 @@ AddAppDirToCommandLine(std::vector& aCmdLine)
 }
 }
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
-static void
-MaybeAddNsprLogFileAccess(std::vector& aAllowedFilesReadWrite)
-{
- const char* nsprLogFileEnv = PR_GetEnv("NSPR_LOG_FILE");
- if (!nsprLogFileEnv) {
- return;
- }
-
- nsDependentCString nsprLogFilePath(nsprLogFileEnv);
- nsCOMPtr nsprLogFile;
- nsresult rv = NS_NewNativeLocalFile(nsprLogFilePath, true,
- getter_AddRefs(nsprLogFile));
- if (NS_FAILED(rv)) {
- // Not an absolute path, try it as a relative one.
- nsresult rv = NS_GetSpecialDirectory(NS_OS_CURRENT_WORKING_DIR,
- getter_AddRefs(nsprLogFile));
- if (NS_FAILED(rv) || !nsprLogFile) {
- NS_WARNING("Failed to get current working directory");
- return;
- }
-
- rv = nsprLogFile->AppendRelativeNativePath(nsprLogFilePath);
- if (NS_WARN_IF(NS_FAILED(rv))) {
- return;
- }
- }
-
- nsAutoString resolvedFilePath;
- rv = nsprLogFile->GetPath(resolvedFilePath);
- if (NS_WARN_IF(NS_FAILED(rv))) {
- return;
- }
-
- // Update the environment variable as well as adding the rule, because the
- // Chromium sandbox can only allow access to fully qualified file paths. This
- // only affects the environment for the child process we're about to create,
- // because this will get reset to the original value in PerformAsyncLaunch.
- aAllowedFilesReadWrite.push_back(std::wstring(resolvedFilePath.get()));
- nsAutoCString resolvedEnvVar("NSPR_LOG_FILE=");
- AppendUTF16toUTF8(resolvedFilePath, resolvedEnvVar);
- PR_SetEnv(resolvedEnvVar.get());
-}
-
-static void
-AddContentSandboxAllowedFiles(int32_t aSandboxLevel,
- std::vector& aAllowedFilesRead)
-{
- if (aSandboxLevel < 1) {
- return;
- }
-
- nsCOMPtr binDir;
- nsresult rv = NS_GetSpecialDirectory(NS_GRE_DIR, getter_AddRefs(binDir));
- if (NS_WARN_IF(NS_FAILED(rv))) {
- return;
- }
-
- nsAutoString binDirPath;
- rv = binDir->GetPath(binDirPath);
- if (NS_WARN_IF(NS_FAILED(rv))) {
- return;
- }
-
- // If bin directory is on a remote drive add read access.
- wchar_t volPath[MAX_PATH];
- if (!::GetVolumePathNameW(binDirPath.get(), volPath, MAX_PATH)) {
- return;
- }
-
- if (::GetDriveTypeW(volPath) != DRIVE_REMOTE) {
- return;
- }
-
- // Convert network share path to format for sandbox policy.
- if (Substring(binDirPath, 0, 2).Equals(L"\\\\")) {
- binDirPath.InsertLiteral(u"??\\UNC", 1);
- }
-
- binDirPath.AppendLiteral(u"\\*");
-
- aAllowedFilesRead.push_back(std::wstring(binDirPath.get()));
-}
-#endif
-
 bool
 GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector& aExtraOpts, base::ProcessArchitecture arch)
 {
@@ -808,27 +705,6 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector& aExt
 }
 #endif // MOZ_WIDGET_GONK
-#if defined(XP_LINUX) && defined(MOZ_SANDBOX)
- // Preload libmozsandbox.so so that sandbox-related interpositions
- // can be defined there instead of in the executable.
- // (This could be made conditional on intent to use sandboxing, but
- // it's harmless for non-sandboxed processes.)
- {
- nsAutoCString preload;
- // Prepend this, because people can and do preload libpthread.
- // (See bug 1222500.)
- preload.AssignLiteral("libmozsandbox.so");
- if (const char* oldPreload = PR_GetEnv("LD_PRELOAD")) {
- // Doesn't matter if oldPreload is ""; extra separators are ignored.
- preload.Append(' ');
- preload.Append(oldPreload);
- }
- // Explicitly construct the std::string to make it clear that this
- // isn't retaining a pointer to the nsCString's buffer.
- newEnvVars["LD_PRELOAD"] = std::string(preload.get());
- }
-#endif
-
 // remap the IPC socket fd to a well-known int, as the OS does for
 // STDOUT_FILENO, for example
 int srcChannelFd, dstChannelFd;
@@ -994,74 +870,6 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector& aExt
 }
 }
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
- bool shouldSandboxCurrentProcess = false;
-
- // XXX: Bug 1124167: We should get rid of the process specific logic for
- // sandboxing in this class at some point. Unfortunately it will take a bit
- // of reorganizing so I don't think this patch is the right time.
- switch (mProcessType) {
- case GeckoProcessType_Content:
- break;
- case GeckoProcessType_Plugin:
- if (mSandboxLevel > 0 &&
- !PR_GetEnv("MOZ_DISABLE_NPAPI_SANDBOX")) {
- bool ok = mSandboxBroker.SetSecurityLevelForPluginProcess(mSandboxLevel);
- if (!ok) {
- return false;
- }
- shouldSandboxCurrentProcess = true;
- }
- break;
- case GeckoProcessType_IPDLUnitTest:
- // XXX: We don't sandbox this process type yet
- break;
- case GeckoProcessType_GMPlugin:
- if (!PR_GetEnv("MOZ_DISABLE_GMP_SANDBOX")) {
- // The Widevine CDM on Windows can only load at USER_RESTRICTED,
- // not at USER_LOCKDOWN. So look in the command line arguments
- // to see if we're loading the path to the Widevine CDM, and if
- // so use sandbox level USER_RESTRICTED instead of USER_LOCKDOWN.
- bool isWidevine = std::any_of(aExtraOpts.begin(), aExtraOpts.end(),
- [](const std::string arg) { return arg.find("gmp-widevinecdm") != std::string::npos; });
- auto level = isWidevine ?
SandboxBroker::Restricted : SandboxBroker::LockDown;
- bool ok = mSandboxBroker.SetSecurityLevelForGMPlugin(level);
- if (!ok) {
- return false;
- }
- shouldSandboxCurrentProcess = true;
- }
- break;
- case GeckoProcessType_GPU:
- break;
- case GeckoProcessType_Default:
- default:
- MOZ_CRASH("Bad process type in GeckoChildProcessHost");
- break;
- };
-
- if (shouldSandboxCurrentProcess) {
- MaybeAddNsprLogFileAccess(mAllowedFilesReadWrite);
- for (auto it = mAllowedFilesRead.begin();
- it != mAllowedFilesRead.end();
- ++it) {
- mSandboxBroker.AllowReadFile(it->c_str());
- }
-
- for (auto it = mAllowedFilesReadWrite.begin();
- it != mAllowedFilesReadWrite.end();
- ++it) {
- mSandboxBroker.AllowReadWriteFile(it->c_str());
- }
-
- for (auto it = mAllowedDirectories.begin();
- it != mAllowedDirectories.end();
- ++it) {
- mSandboxBroker.AllowDirectory(it->c_str());
- }
- }
-#endif // XP_WIN && MOZ_SANDBOX
-
 // Add the application directory path (-appdir path)
 AddAppDirToCommandLine(cmdLine);
@@ -1078,33 +886,8 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector& aExt
 // Process type
 cmdLine.AppendLooseValue(UTF8ToWide(childProcessType));
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
- if (shouldSandboxCurrentProcess) {
- if (mSandboxBroker.LaunchApp(cmdLine.program().c_str(),
- cmdLine.command_line_string().c_str(),
- mEnableSandboxLogging,
- &process)) {
- EnvironmentLog("MOZ_PROCESS_LOG").print(
- "==> process %d launched child process %d (%S)\n",
- base::GetCurrentProcId(), base::GetProcId(process),
- cmdLine.command_line_string().c_str());
- }
- } else
-#endif
 {
 base::LaunchApp(cmdLine, false, false, &process);
-
-#ifdef MOZ_SANDBOX
- // We need to be able to duplicate handles to some types of non-sandboxed
- // child processes.
- if (mProcessType == GeckoProcessType_Content ||
- mProcessType == GeckoProcessType_GPU ||
- mProcessType == GeckoProcessType_GMPlugin) {
- if (!mSandboxBroker.AddTargetPeer(process)) {
- NS_WARNING("Failed to add content process as target peer.");
- }
- }
-#endif
 }
 #else
diff --git a/ipc/glue/GeckoChildProcessHost.h b/ipc/glue/GeckoChildProcessHost.h
index 3d55564ac..d278d8928 100644
--- a/ipc/glue/GeckoChildProcessHost.h
+++ b/ipc/glue/GeckoChildProcessHost.h
@@ -21,10 +21,6 @@
 #include "nsXULAppAPI.h" // for GeckoProcessType
 #include "nsString.h"
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
-#include "sandboxBroker.h"
-#endif
-
 namespace mozilla {
 namespace ipc {
@@ -153,15 +149,6 @@ protected:
 #ifdef XP_WIN
 void InitWindowsGroupID();
 nsString mGroupId;
-
-#ifdef MOZ_SANDBOX
- SandboxBroker mSandboxBroker;
- std::vector mAllowedFilesRead;
- std::vector mAllowedFilesReadWrite;
- std::vector mAllowedDirectories;
- bool mEnableSandboxLogging;
- int32_t mSandboxLevel;
-#endif
 #endif // XP_WIN
 #if defined(OS_POSIX)
diff --git a/ipc/glue/ProtocolUtils.cpp b/ipc/glue/ProtocolUtils.cpp
index 4de131469..7d8a1153c 100644
--- a/ipc/glue/ProtocolUtils.cpp
+++ b/ipc/glue/ProtocolUtils.cpp
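Review bot: With the `} else` and the `#ifdef MOZ_SANDBOX` peer-registration gone, what survives in the Windows launch path is `{ base::LaunchApp(cmdLine, false, false, &process); }` — a bare brace block that no longer pairs with any `if`, so it reads as leftover scaffolding from the removed two-way branch; drop the braces and leave `base::LaunchApp(cmdLine, false, false, &process);` at the enclosing indentation. The deleted branch was also the only place in this hunk that wrote a launch record via `EnvironmentLog("MOZ_PROCESS_LOG")`, so unless the plain `base::LaunchApp` path is logged elsewhere in `PerformAsyncLaunchInternal`, Windows child launches now leave no MOZ_PROCESS_LOG trace; worth confirming, since the function continues outside the hunk on both sides. The earlier hunks in this file (the constructor initializers, `PrepareLaunch`, the `LD_PRELOAD` block and the process-type `switch`) delete cleanly and leave no comparable residue.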
@@ -20,11 +20,6 @@
 #include "mozilla/Unused.h"
 #include "nsPrintfCString.h"
-#if defined(MOZ_SANDBOX) && defined(XP_WIN)
-#define TARGET_SANDBOX_EXPORTS
-#include "mozilla/sandboxTarget.h"
-#endif
-
 #include "nsAutoPtr.h"
 using namespace IPC;
@@ -162,17 +157,6 @@ bool DuplicateHandle(HANDLE aSourceHandle,
 }
-#if defined(MOZ_SANDBOX)
- // Try the broker next (will fail if not sandboxed).
- if (SandboxTarget::Instance()->BrokerDuplicateHandle(aSourceHandle,
- aTargetProcessId,
- aTargetHandle,
- aDesiredAccess,
- aOptions)) {
- return true;
- }
-#endif
-
 // Finally, see if we already have access to the process.
 ScopedProcessHandle targetProcess(OpenProcess(PROCESS_DUP_HANDLE, FALSE,
diff --git a/ipc/glue/moz.build b/ipc/glue/moz.build
index dd3a2e1ba..8caee1ffe 100644
--- a/ipc/glue/moz.build
+++ b/ipc/glue/moz.build
@@ -196,12 +196,5 @@ for var in ('MOZ_CHILD_PROCESS_NAME', 'MOZ_CHILD_PROCESS_NAME_PIE',
 'MOZ_CHILD_PROCESS_BUNDLE', 'DLL_PREFIX', 'DLL_SUFFIX'):
 DEFINES[var] = '"%s"' % CONFIG[var]
-if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_ARCH'] == 'WINNT':
- LOCAL_INCLUDES += [
- '/security/sandbox/chromium',
- '/security/sandbox/chromium-shim',
- '/security/sandbox/win/src/sandboxbroker',
- ]
-
 if CONFIG['GNU_CXX']:
 CXXFLAGS += ['-Wno-shadow']
-- 
cgit v1.2.3