From 755e1020782fb42863e97d58a3e44d2eca760bb0 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Wed, 2 May 2018 21:58:04 +0200 Subject: Remove content process sandbox code. --- .../chromium-shim/sandbox/win/loggingCallbacks.h | 9 - security/sandbox/linux/Sandbox.cpp | 28 -- security/sandbox/linux/Sandbox.h | 8 - security/sandbox/linux/SandboxFilter.cpp | 489 --------------------- security/sandbox/linux/SandboxFilter.h | 6 - security/sandbox/linux/SandboxInfo.cpp | 8 - .../linux/broker/SandboxBrokerPolicyFactory.cpp | 144 ------ .../linux/broker/SandboxBrokerPolicyFactory.h | 4 - .../win/src/sandboxbroker/sandboxBroker.cpp | 124 ------ .../sandbox/win/src/sandboxbroker/sandboxBroker.h | 3 - 10 files changed, 823 deletions(-) (limited to 'security/sandbox') diff --git a/security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h b/security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h index f9402c527..27b6e5239 100644 --- a/security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h +++ b/security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h @@ -89,15 +89,6 @@ InitLoggingIfRequired(ProvideLogFunctionCb aProvideLogFunctionCb) if (Preferences::GetBool("security.sandbox.windows.log") || PR_GetEnv("MOZ_WIN_SANDBOX_LOGGING")) { aProvideLogFunctionCb(Log); - -#if defined(MOZ_CONTENT_SANDBOX) - // We can only log the stack trace on process types where we know that the - // sandbox won't prevent it. - if (XRE_IsContentProcess()) { - Preferences::AddUintVarCache(&sStackTraceDepth, - "security.sandbox.windows.log.stackTraceDepth"); - } -#endif } } diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp index 7f1182be9..65ca467ca 100644 --- a/security/sandbox/linux/Sandbox.cpp +++ b/security/sandbox/linux/Sandbox.cpp @@ -626,34 +626,6 @@ SandboxEarlyInit(GeckoProcessType aType) } } -#ifdef MOZ_CONTENT_SANDBOX -/** - * Starts the seccomp sandbox for a content process. Should be called - * only once, and before any potentially harmful content is loaded. - * - * Will normally make the process exit on failure. -*/ -bool -SetContentProcessSandbox(int aBrokerFd) -{ - if (!SandboxInfo::Get().Test(SandboxInfo::kEnabledForContent)) { - if (aBrokerFd >= 0) { - close(aBrokerFd); - } - return false; - } - - // This needs to live until the process exits. - static Maybe sBroker; - if (aBrokerFd >= 0) { - sBroker.emplace(aBrokerFd); - } - - SetCurrentProcessSandbox(GetContentSandboxPolicy(sBroker.ptrOr(nullptr))); - return true; -} -#endif // MOZ_CONTENT_SANDBOX - #ifdef MOZ_GMP_SANDBOX /** * Starts the seccomp sandbox for a media plugin process. Should be diff --git a/security/sandbox/linux/Sandbox.h b/security/sandbox/linux/Sandbox.h index 94b26e25b..aefdda22d 100644 --- a/security/sandbox/linux/Sandbox.h +++ b/security/sandbox/linux/Sandbox.h @@ -19,14 +19,6 @@ namespace mozilla { // This must be called early, while the process is still single-threaded. MOZ_EXPORT void SandboxEarlyInit(GeckoProcessType aType); -#ifdef MOZ_CONTENT_SANDBOX -// Call only if SandboxInfo::CanSandboxContent() returns true. -// (No-op if MOZ_DISABLE_CONTENT_SANDBOX is set.) -// aBrokerFd is the filesystem broker client file descriptor, -// or -1 to allow direct filesystem access. -MOZ_EXPORT bool SetContentProcessSandbox(int aBrokerFd); -#endif - #ifdef MOZ_GMP_SANDBOX // Call only if SandboxInfo::CanSandboxMedia() returns true. // (No-op if MOZ_DISABLE_GMP_SANDBOX is set.) diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp index f8db9dc80..da7e54300 100644 --- a/security/sandbox/linux/SandboxFilter.cpp +++ b/security/sandbox/linux/SandboxFilter.cpp @@ -340,495 +340,6 @@ public: // The process-type-specific syscall rules start here: -#ifdef MOZ_CONTENT_SANDBOX -// The seccomp-bpf filter for content processes is not a true sandbox -// on its own; its purpose is attack surface reduction and syscall -// interception in support of a semantic sandboxing layer. On B2G -// this is the Android process permission model; on desktop, -// namespaces and chroot() will be used. -class ContentSandboxPolicy : public SandboxPolicyCommon { - SandboxBrokerClient* mBroker; - - // Trap handlers for filesystem brokering. - // (The amount of code duplication here could be improved....) -#ifdef __NR_open - static intptr_t OpenTrap(ArgsRef aArgs, void* aux) { - auto broker = static_cast(aux); - auto path = reinterpret_cast(aArgs.args[0]); - auto flags = static_cast(aArgs.args[1]); - return broker->Open(path, flags); - } -#endif - - static intptr_t OpenAtTrap(ArgsRef aArgs, void* aux) { - auto broker = static_cast(aux); - auto fd = static_cast(aArgs.args[0]); - auto path = reinterpret_cast(aArgs.args[1]); - auto flags = static_cast(aArgs.args[2]); - if (fd != AT_FDCWD && path[0] != '/') { - SANDBOX_LOG_ERROR("unsupported fd-relative openat(%d, \"%s\", 0%o)", - fd, path, flags); - return BlockedSyscallTrap(aArgs, nullptr); - } - return broker->Open(path, flags); - } - -#ifdef __NR_access - static intptr_t AccessTrap(ArgsRef aArgs, void* aux) { - auto broker = static_cast(aux); - auto path = reinterpret_cast(aArgs.args[0]); - auto mode = static_cast(aArgs.args[1]); - return broker->Access(path, mode); - } -#endif - - static intptr_t AccessAtTrap(ArgsRef aArgs, void* aux) { - auto broker = static_cast(aux); - auto fd = static_cast(aArgs.args[0]); - auto path = reinterpret_cast(aArgs.args[1]); - auto mode = static_cast(aArgs.args[2]); - // Linux's faccessat syscall has no "flags" argument. Attempting - // to handle the flags != 0 case is left to userspace; this is - // impossible to do correctly in all cases, but that's not our - // problem. - if (fd != AT_FDCWD && path[0] != '/') { - SANDBOX_LOG_ERROR("unsupported fd-relative faccessat(%d, \"%s\", %d)", - fd, path, mode); - return BlockedSyscallTrap(aArgs, nullptr); - } - return broker->Access(path, mode); - } - - static intptr_t StatTrap(ArgsRef aArgs, void* aux) { - auto broker = static_cast(aux); - auto path = reinterpret_cast(aArgs.args[0]); - auto buf = reinterpret_cast(aArgs.args[1]); - return broker->Stat(path, buf); - } - - static intptr_t LStatTrap(ArgsRef aArgs, void* aux) { - auto broker = static_cast(aux); - auto path = reinterpret_cast(aArgs.args[0]); - auto buf = reinterpret_cast(aArgs.args[1]); - return broker->LStat(path, buf); - } - - static intptr_t StatAtTrap(ArgsRef aArgs, void* aux) { - auto broker = static_cast(aux); - auto fd = static_cast(aArgs.args[0]); - auto path = reinterpret_cast(aArgs.args[1]); - auto buf = reinterpret_cast(aArgs.args[2]); - auto flags = static_cast(aArgs.args[3]); - if (fd != AT_FDCWD && path[0] != '/') { - SANDBOX_LOG_ERROR("unsupported fd-relative fstatat(%d, \"%s\", %p, %d)", - fd, path, buf, flags); - return BlockedSyscallTrap(aArgs, nullptr); - } - if ((flags & ~AT_SYMLINK_NOFOLLOW) != 0) { - SANDBOX_LOG_ERROR("unsupported flags %d in fstatat(%d, \"%s\", %p, %d)", - (flags & ~AT_SYMLINK_NOFOLLOW), fd, path, buf, flags); - return BlockedSyscallTrap(aArgs, nullptr); - } - return (flags & AT_SYMLINK_NOFOLLOW) == 0 - ? broker->Stat(path, buf) - : broker->LStat(path, buf); - } - - static intptr_t ChmodTrap(ArgsRef aArgs, void* aux) { - auto broker = static_cast(aux); - auto path = reinterpret_cast(aArgs.args[0]); - auto mode = static_cast(aArgs.args[1]); - return broker->Chmod(path, mode); - } - - static intptr_t LinkTrap(ArgsRef aArgs, void *aux) { - auto broker = static_cast(aux); - auto path = reinterpret_cast(aArgs.args[0]); - auto path2 = reinterpret_cast(aArgs.args[1]); - return broker->Link(path, path2); - } - - static intptr_t SymlinkTrap(ArgsRef aArgs, void *aux) { - auto broker = static_cast(aux); - auto path = reinterpret_cast(aArgs.args[0]); - auto path2 = reinterpret_cast(aArgs.args[1]); - return broker->Symlink(path, path2); - } - - static intptr_t RenameTrap(ArgsRef aArgs, void *aux) { - auto broker = static_cast(aux); - auto path = reinterpret_cast(aArgs.args[0]); - auto path2 = reinterpret_cast(aArgs.args[1]); - return broker->Rename(path, path2); - } - - static intptr_t MkdirTrap(ArgsRef aArgs, void* aux) { - auto broker = static_cast(aux); - auto path = reinterpret_cast(aArgs.args[0]); - auto mode = static_cast(aArgs.args[1]); - return broker->Mkdir(path, mode); - } - - static intptr_t RmdirTrap(ArgsRef aArgs, void* aux) { - auto broker = static_cast(aux); - auto path = reinterpret_cast(aArgs.args[0]); - return broker->Rmdir(path); - } - - static intptr_t UnlinkTrap(ArgsRef aArgs, void* aux) { - auto broker = static_cast(aux); - auto path = reinterpret_cast(aArgs.args[0]); - return broker->Unlink(path); - } - - static intptr_t ReadlinkTrap(ArgsRef aArgs, void* aux) { - auto broker = static_cast(aux); - auto path = reinterpret_cast(aArgs.args[0]); - auto buf = reinterpret_cast(aArgs.args[1]); - auto size = static_cast(aArgs.args[2]); - return broker->Readlink(path, buf, size); - } - - static intptr_t GetPPidTrap(ArgsRef aArgs, void* aux) { - // In a pid namespace, getppid() will return 0. We will return 0 instead - // of the real parent pid to see what breaks when we introduce the - // pid namespace (Bug 1151624). - return 0; - } - -public: - explicit ContentSandboxPolicy(SandboxBrokerClient* aBroker):mBroker(aBroker) { } - virtual ~ContentSandboxPolicy() { } - virtual ResultExpr PrctlPolicy() const override { - // Ideally this should be restricted to a whitelist, but content - // uses enough things that it's not trivial to determine it. - return Allow(); - } - virtual Maybe EvaluateSocketCall(int aCall) const override { - switch(aCall) { - case SYS_RECVFROM: - case SYS_SENDTO: - return Some(Allow()); - - case SYS_SOCKETPAIR: { - // See bug 1066750. - if (!kSocketCallHasArgs) { - // We can't filter the args if the platform passes them by pointer. - return Some(Allow()); - } - Arg domain(0), type(1); - return Some(If(AllOf(domain == AF_UNIX, - AnyOf(type == SOCK_STREAM, type == SOCK_SEQPACKET)), - Allow()) - .Else(InvalidSyscall())); - } - -#ifdef ANDROID - case SYS_SOCKET: - return Some(Error(EACCES)); -#else // #ifdef DESKTOP - case SYS_RECV: - case SYS_SEND: - case SYS_SOCKET: // DANGEROUS - case SYS_CONNECT: // DANGEROUS - case SYS_ACCEPT: - case SYS_ACCEPT4: - case SYS_BIND: - case SYS_LISTEN: - case SYS_GETSOCKOPT: - case SYS_SETSOCKOPT: - case SYS_GETSOCKNAME: - case SYS_GETPEERNAME: - case SYS_SHUTDOWN: - return Some(Allow()); -#endif - default: - return SandboxPolicyCommon::EvaluateSocketCall(aCall); - } - } - -#ifdef DESKTOP - virtual Maybe EvaluateIpcCall(int aCall) const override { - switch(aCall) { - // These are a problem: SysV shared memory follows the Unix - // "same uid policy" and can't be restricted/brokered like file - // access. But the graphics layer might not be using them - // anymore; this needs to be studied. - case SHMGET: - case SHMCTL: - case SHMAT: - case SHMDT: - case SEMGET: - case SEMCTL: - case SEMOP: - case MSGGET: - return Some(Allow()); - default: - return SandboxPolicyCommon::EvaluateIpcCall(aCall); - } - } -#endif - - virtual ResultExpr EvaluateSyscall(int sysno) const override { - if (mBroker) { - // Have broker; route the appropriate syscalls to it. - switch (sysno) { - case __NR_open: - return Trap(OpenTrap, mBroker); - case __NR_openat: - return Trap(OpenAtTrap, mBroker); - case __NR_access: - return Trap(AccessTrap, mBroker); - case __NR_faccessat: - return Trap(AccessAtTrap, mBroker); - CASES_FOR_stat: - return Trap(StatTrap, mBroker); - CASES_FOR_lstat: - return Trap(LStatTrap, mBroker); - CASES_FOR_fstatat: - return Trap(StatAtTrap, mBroker); - case __NR_chmod: - return Trap(ChmodTrap, mBroker); - case __NR_link: - return Trap(LinkTrap, mBroker); - case __NR_mkdir: - return Trap(MkdirTrap, mBroker); - case __NR_symlink: - return Trap(SymlinkTrap, mBroker); - case __NR_rename: - return Trap(RenameTrap, mBroker); - case __NR_rmdir: - return Trap(RmdirTrap, mBroker); - case __NR_unlink: - return Trap(UnlinkTrap, mBroker); - case __NR_readlink: - return Trap(ReadlinkTrap, mBroker); - } - } else { - // No broker; allow the syscalls directly. )-: - switch(sysno) { - case __NR_open: - case __NR_openat: - case __NR_access: - case __NR_faccessat: - CASES_FOR_stat: - CASES_FOR_lstat: - CASES_FOR_fstatat: - case __NR_chmod: - case __NR_link: - case __NR_mkdir: - case __NR_symlink: - case __NR_rename: - case __NR_rmdir: - case __NR_unlink: - case __NR_readlink: - return Allow(); - } - } - - switch (sysno) { -#ifdef DESKTOP - case __NR_getppid: - return Trap(GetPPidTrap, nullptr); - - // Filesystem syscalls that need more work to determine who's - // using them, if they need to be, and what we intend to about it. - case __NR_getcwd: - CASES_FOR_statfs: - CASES_FOR_fstatfs: - case __NR_quotactl: - CASES_FOR_fchown: - case __NR_fchmod: - case __NR_flock: -#endif - return Allow(); - - case __NR_readlinkat: -#ifdef DESKTOP - // Bug 1290896 - return Allow(); -#else - // Workaround for bug 964455: - return Error(EINVAL); -#endif - - CASES_FOR_select: - case __NR_pselect6: - return Allow(); - - CASES_FOR_getdents: - CASES_FOR_ftruncate: - case __NR_writev: - case __NR_pread64: -#ifdef DESKTOP - case __NR_pwrite64: - case __NR_readahead: -#endif - return Allow(); - - case __NR_ioctl: - // ioctl() is for GL. Remove when GL proxy is implemented. - // Additionally ioctl() might be a place where we want to have - // argument filtering - return Allow(); - - CASES_FOR_fcntl: - // Some fcntls have significant side effects like sending - // arbitrary signals, and there's probably nontrivial kernel - // attack surface; this should be locked down more if possible. - return Allow(); - - case __NR_mprotect: - case __NR_brk: - case __NR_madvise: -#if !defined(MOZ_MEMORY) - // libc's realloc uses mremap (Bug 1286119). - case __NR_mremap: -#endif - return Allow(); - - case __NR_sigaltstack: - return Allow(); - -#ifdef __NR_set_thread_area - case __NR_set_thread_area: - return Allow(); -#endif - - case __NR_getrusage: - case __NR_times: - return Allow(); - - case __NR_dup: - return Allow(); - - CASES_FOR_getuid: - CASES_FOR_getgid: - CASES_FOR_geteuid: - CASES_FOR_getegid: - return Allow(); - - case __NR_fsync: - case __NR_msync: - return Allow(); - - case __NR_getpriority: - case __NR_setpriority: - case __NR_sched_get_priority_min: - case __NR_sched_get_priority_max: - case __NR_sched_getscheduler: - case __NR_sched_setscheduler: - case __NR_sched_getparam: - case __NR_sched_setparam: -#ifdef DESKTOP - case __NR_sched_getaffinity: -#endif - return Allow(); - -#ifdef DESKTOP - case __NR_pipe2: - return Allow(); - - CASES_FOR_getrlimit: - case __NR_clock_getres: - CASES_FOR_getresuid: - CASES_FOR_getresgid: - return Allow(); - - case __NR_umask: - case __NR_kill: - case __NR_wait4: -#ifdef __NR_waitpid - case __NR_waitpid: -#endif -#ifdef __NR_arch_prctl - case __NR_arch_prctl: -#endif - return Allow(); - - case __NR_eventfd2: - case __NR_inotify_init1: - case __NR_inotify_add_watch: - case __NR_inotify_rm_watch: - return Allow(); - -#ifdef __NR_memfd_create - case __NR_memfd_create: - return Allow(); -#endif - -#ifdef __NR_rt_tgsigqueueinfo - // Only allow to send signals within the process. - case __NR_rt_tgsigqueueinfo: { - Arg tgid(0); - return If(tgid == getpid(), Allow()) - .Else(InvalidSyscall()); - } -#endif - - case __NR_mlock: - case __NR_munlock: - return Allow(); - - // We can't usefully allow fork+exec, even on a temporary basis; - // the child would inherit the seccomp-bpf policy and almost - // certainly die from an unexpected SIGSYS. We also can't have - // fork() crash, currently, because there are too many system - // libraries/plugins that try to run commands. But they can - // usually do something reasonable on error. - case __NR_clone: - return ClonePolicy(Error(EPERM)); - -#ifdef __NR_fadvise64 - case __NR_fadvise64: - return Allow(); -#endif - -#ifdef __NR_fadvise64_64 - case __NR_fadvise64_64: - return Allow(); -#endif - - case __NR_fallocate: - return Allow(); - - case __NR_get_mempolicy: - return Allow(); - -#endif // DESKTOP - -#ifdef __NR_getrandom - case __NR_getrandom: - return Allow(); -#endif - - // nsSystemInfo uses uname (and we cache an instance, so - // the info remains present even if we block the syscall) - case __NR_uname: -#ifdef DESKTOP - case __NR_sysinfo: -#endif - return Allow(); - -#ifdef MOZ_JPROF - case __NR_setitimer: - return Allow(); -#endif // MOZ_JPROF - - default: - return SandboxPolicyCommon::EvaluateSyscall(sysno); - } - } -}; - -UniquePtr -GetContentSandboxPolicy(SandboxBrokerClient* aMaybeBroker) -{ - return UniquePtr(new ContentSandboxPolicy(aMaybeBroker)); -} -#endif // MOZ_CONTENT_SANDBOX - - #ifdef MOZ_GMP_SANDBOX // Unlike for content, the GeckoMediaPlugin seccomp-bpf policy needs // to be an effective sandbox by itself, because we allow GMP on Linux diff --git a/security/sandbox/linux/SandboxFilter.h b/security/sandbox/linux/SandboxFilter.h index 6b1cb47f4..ecd2e610b 100644 --- a/security/sandbox/linux/SandboxFilter.h +++ b/security/sandbox/linux/SandboxFilter.h @@ -18,12 +18,6 @@ class Policy; namespace mozilla { -#ifdef MOZ_CONTENT_SANDBOX -class SandboxBrokerClient; - -UniquePtr GetContentSandboxPolicy(SandboxBrokerClient* aMaybeBroker); -#endif - #ifdef MOZ_GMP_SANDBOX struct SandboxOpenedFile { const char *mPath; diff --git a/security/sandbox/linux/SandboxInfo.cpp b/security/sandbox/linux/SandboxInfo.cpp index f813fb026..4d0c1d584 100644 --- a/security/sandbox/linux/SandboxInfo.cpp +++ b/security/sandbox/linux/SandboxInfo.cpp @@ -225,14 +225,6 @@ SandboxInfo::SandboxInfo() { } } -#ifdef MOZ_CONTENT_SANDBOX - if (!getenv("MOZ_DISABLE_CONTENT_SANDBOX")) { - flags |= kEnabledForContent; - } - if (getenv("MOZ_PERMISSIVE_CONTENT_SANDBOX")) { - flags |= kPermissive; - } -#endif #ifdef MOZ_GMP_SANDBOX if (!getenv("MOZ_DISABLE_GMP_SANDBOX")) { flags |= kEnabledForMedia; diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp index 8e698606e..c3a15ea3d 100644 --- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp +++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp @@ -41,154 +41,10 @@ SandboxBrokerPolicyFactory::IsSystemSupported() { return false; } -#if defined(MOZ_CONTENT_SANDBOX) -namespace { -static const int rdonly = SandboxBroker::MAY_READ; -static const int wronly = SandboxBroker::MAY_WRITE; -static const int rdwr = rdonly | wronly; -static const int rdwrcr = rdwr | SandboxBroker::MAY_CREATE; -#if defined(MOZ_WIDGET_GONK) -static const int wrlog = wronly | SandboxBroker::MAY_CREATE; -#endif -} -#endif - SandboxBrokerPolicyFactory::SandboxBrokerPolicyFactory() { // Policy entries that are the same in every process go here, and // are cached over the lifetime of the factory. -#if defined(MOZ_CONTENT_SANDBOX) && defined(MOZ_WIDGET_GONK) - SandboxBroker::Policy* policy = new SandboxBroker::Policy; - - // Devices that need write access: - policy->AddPath(rdwr, "/dev/genlock"); // bug 980924 - policy->AddPath(rdwr, "/dev/ashmem"); // bug 980947 - policy->AddTree(wronly, "/dev/log"); // bug 1199857 - // Graphics devices are a significant source of attack surface, but - // there's not much we can do about it without proxying (which is - // very difficult and a perforamnce hit). - policy->AddPrefix(rdwr, "/dev", "kgsl"); // bug 995072 - policy->AddPath(rdwr, "/dev/qemu_pipe"); // but 1198410: goldfish gralloc. - - // Bug 1198475: mochitest logs. (This is actually passed in via URL - // query param to the mochitest page, and is configurable, so this - // isn't enough in general, but hopefully it's good enough for B2G.) - // Conditional on tests being run, using the same check seen in - // DirectoryProvider.js to set ProfD. - if (access("/data/local/tests/profile", R_OK) == 0) { - policy->AddPath(wrlog, "/data/local/tests/log/mochitest.log"); - } - - // Read-only items below this line. - - policy->AddPath(rdonly, "/dev/urandom"); // bug 964500, bug 995069 - policy->AddPath(rdonly, "/dev/ion"); // bug 980937 - policy->AddPath(rdonly, "/proc/cpuinfo"); // bug 995067 - policy->AddPath(rdonly, "/proc/meminfo"); // bug 1025333 - policy->AddPath(rdonly, "/sys/devices/system/cpu/present"); // bug 1025329 - policy->AddPath(rdonly, "/sys/devices/system/soc/soc0/id"); // bug 1025339 - policy->AddPath(rdonly, "/etc/media_profiles.xml"); // bug 1198419 - policy->AddPath(rdonly, "/etc/media_codecs.xml"); // bug 1198460 - policy->AddTree(rdonly, "/system/fonts"); // bug 1026063 - - // Bug 1199051 (crossplatformly, this is NS_GRE_DIR). - policy->AddTree(rdonly, "/system/b2g"); - - // Bug 1026356: dynamic library loading from assorted frameworks we - // don't control (media codecs, maybe others). - // - // Bug 1198515: Also, the profiler calls breakpad code to get info - // on all loaded ELF objects, which opens those files. - policy->AddTree(rdonly, "/system/lib"); - policy->AddTree(rdonly, "/vendor/lib"); - policy->AddPath(rdonly, "/system/bin/linker"); // (profiler only) - - // Bug 1199866: EGL/WebGL. - policy->AddPath(rdonly, "/system/lib/egl"); - policy->AddPath(rdonly, "/vendor/lib/egl"); - - // Bug 1198401: timezones. Yes, we need both of these; see bug. - policy->AddTree(rdonly, "/system/usr/share/zoneinfo"); - policy->AddTree(rdonly, "/system//usr/share/zoneinfo"); - - policy->AddPath(rdonly, "/data/local/tmp/profiler.options", - SandboxBroker::Policy::AddAlways); // bug 1029337 - - mCommonContentPolicy.reset(policy); -#elif defined(MOZ_CONTENT_SANDBOX) - SandboxBroker::Policy* policy = new SandboxBroker::Policy; - policy->AddDir(rdonly, "/"); - policy->AddDir(rdwrcr, "/dev/shm"); - // Add write permissions on the temporary directory. This can come - // from various environment variables (TMPDIR,TMP,TEMP,...) so - // make sure to use the full logic. - nsCOMPtr tmpDir; - nsresult rv = GetSpecialSystemDirectory(OS_TemporaryDirectory, - getter_AddRefs(tmpDir)); - if (NS_SUCCEEDED(rv)) { - nsAutoCString tmpPath; - rv = tmpDir->GetNativePath(tmpPath); - if (NS_SUCCEEDED(rv)) { - policy->AddDir(rdwrcr, tmpPath.get()); - } - } - // If the above fails at any point, fall back to a very good guess. - if (NS_FAILED(rv)) { - policy->AddDir(rdwrcr, "/tmp"); - } - - // Bug 1308851: NVIDIA proprietary driver when using WebGL - policy->AddPrefix(rdwr, "/dev", "nvidia"); - - // Bug 1312678: radeonsi/Intel with DRI when using WebGL - policy->AddDir(rdwr, "/dev/dri"); - - mCommonContentPolicy.reset(policy); -#endif -} - -#ifdef MOZ_CONTENT_SANDBOX -UniquePtr -SandboxBrokerPolicyFactory::GetContentPolicy(int aPid) -{ - // Policy entries that vary per-process (currently the only reason - // that can happen is because they contain the pid) are added here. - - MOZ_ASSERT(NS_IsMainThread()); - // File broker usage is controlled through a pref. - if (Preferences::GetInt("security.sandbox.content.level") <= 1) { - return nullptr; - } - - MOZ_ASSERT(mCommonContentPolicy); -#if defined(MOZ_WIDGET_GONK) - // Allow overriding "unsupported"ness with a pref, for testing. - if (!IsSystemSupported()) { - return nullptr; - } - UniquePtr - policy(new SandboxBroker::Policy(*mCommonContentPolicy)); - - // Bug 1029337: where the profiler writes the data. - nsPrintfCString profilerLogPath("/data/local/tmp/profile_%d_%d.txt", - GeckoProcessType_Content, aPid); - policy->AddPath(wrlog, profilerLogPath.get()); - - // Bug 1198550: the profiler's replacement for dl_iterate_phdr - policy->AddPath(rdonly, nsPrintfCString("/proc/%d/maps", aPid).get()); - - // Bug 1198552: memory reporting. - policy->AddPath(rdonly, nsPrintfCString("/proc/%d/statm", aPid).get()); - policy->AddPath(rdonly, nsPrintfCString("/proc/%d/smaps", aPid).get()); - - return policy; -#else - UniquePtr - policy(new SandboxBroker::Policy(*mCommonContentPolicy)); - // Return the common policy. - return policy; -#endif } -#endif // MOZ_CONTENT_SANDBOX } // namespace mozilla diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h index c66a09189..bf9be9856 100644 --- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h +++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h @@ -15,10 +15,6 @@ class SandboxBrokerPolicyFactory { public: SandboxBrokerPolicyFactory(); -#ifdef MOZ_CONTENT_SANDBOX - UniquePtr GetContentPolicy(int aPid); -#endif - private: UniquePtr mCommonContentPolicy; // B2G devices tend to have hardware-specific paths used by device diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp index 10b796268..d3aab815f 100644 --- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp +++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp @@ -90,130 +90,6 @@ SandboxBroker::LaunchApp(const wchar_t *aPath, return true; } -#if defined(MOZ_CONTENT_SANDBOX) -void -SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel) -{ - MOZ_RELEASE_ASSERT(mPolicy, "mPolicy must be set before this call."); - - sandbox::JobLevel jobLevel; - sandbox::TokenLevel accessTokenLevel; - sandbox::IntegrityLevel initialIntegrityLevel; - sandbox::IntegrityLevel delayedIntegrityLevel; - - // The setting of these levels is pretty arbitrary, but they are a useful (if - // crude) tool while we are tightening the policy. Gaps are left to try and - // avoid changing their meaning. - MOZ_RELEASE_ASSERT(aSandboxLevel >= 1, "Should not be called with aSandboxLevel < 1"); - if (aSandboxLevel >= 20) { - jobLevel = sandbox::JOB_LOCKDOWN; - accessTokenLevel = sandbox::USER_LOCKDOWN; - initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_UNTRUSTED; - } else if (aSandboxLevel >= 10) { - jobLevel = sandbox::JOB_RESTRICTED; - accessTokenLevel = sandbox::USER_LIMITED; - initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - } else if (aSandboxLevel >= 2) { - jobLevel = sandbox::JOB_INTERACTIVE; - accessTokenLevel = sandbox::USER_INTERACTIVE; - initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - } else if (aSandboxLevel == 1) { - jobLevel = sandbox::JOB_NONE; - accessTokenLevel = sandbox::USER_NON_ADMIN; - initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; - } - - sandbox::ResultCode result = mPolicy->SetJobLevel(jobLevel, - 0 /* ui_exceptions */); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "Setting job level failed, have you set memory limit when jobLevel == JOB_NONE?"); - - // If the delayed access token is not restricted we don't want the initial one - // to be either, because it can interfere with running from a network drive. - sandbox::TokenLevel initialAccessTokenLevel = - (accessTokenLevel == sandbox::USER_UNPROTECTED || - accessTokenLevel == sandbox::USER_NON_ADMIN) - ? sandbox::USER_UNPROTECTED : sandbox::USER_RESTRICTED_SAME_ACCESS; - - result = mPolicy->SetTokenLevel(initialAccessTokenLevel, accessTokenLevel); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "Lockdown level cannot be USER_UNPROTECTED or USER_LAST if initial level was USER_RESTRICTED_SAME_ACCESS"); - - result = mPolicy->SetIntegrityLevel(initialIntegrityLevel); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "SetIntegrityLevel should never fail, what happened?"); - result = mPolicy->SetDelayedIntegrityLevel(delayedIntegrityLevel); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "SetDelayedIntegrityLevel should never fail, what happened?"); - - if (aSandboxLevel > 2) { - result = mPolicy->SetAlternateDesktop(true); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "Failed to create alternate desktop for sandbox."); - } - - sandbox::MitigationFlags mitigations = - sandbox::MITIGATION_BOTTOM_UP_ASLR | - sandbox::MITIGATION_HEAP_TERMINATE | - sandbox::MITIGATION_SEHOP | - sandbox::MITIGATION_DEP_NO_ATL_THUNK | - sandbox::MITIGATION_DEP; - - result = mPolicy->SetProcessMitigations(mitigations); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "Invalid flags for SetProcessMitigations."); - - mitigations = - sandbox::MITIGATION_STRICT_HANDLE_CHECKS | - sandbox::MITIGATION_DLL_SEARCH_ORDER; - - result = mPolicy->SetDelayedProcessMitigations(mitigations); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "Invalid flags for SetDelayedProcessMitigations."); - - // Add the policy for the client side of a pipe. It is just a file - // in the \pipe\ namespace. We restrict it to pipes that start with - // "chrome." so the sandboxed process cannot connect to system services. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, - sandbox::TargetPolicy::FILES_ALLOW_ANY, - L"\\??\\pipe\\chrome.*"); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "With these static arguments AddRule should never fail, what happened?"); - - // Add the policy for the client side of the crash server pipe. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, - sandbox::TargetPolicy::FILES_ALLOW_ANY, - L"\\??\\pipe\\gecko-crash-server-pipe.*"); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "With these static arguments AddRule should never fail, what happened?"); - - // The content process needs to be able to duplicate named pipes back to the - // broker process, which are File type handles. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, - sandbox::TargetPolicy::HANDLES_DUP_BROKER, - L"File"); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "With these static arguments AddRule should never fail, what happened?"); - - // The content process needs to be able to duplicate shared memory handles, - // which are Section handles, to the broker process and other child processes. - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, - sandbox::TargetPolicy::HANDLES_DUP_BROKER, - L"Section"); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "With these static arguments AddRule should never fail, what happened?"); - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES, - sandbox::TargetPolicy::HANDLES_DUP_ANY, - L"Section"); - MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, - "With these static arguments AddRule should never fail, what happened?"); -} -#endif - #define SANDBOX_ENSURE_SUCCESS(result, message) \ do { \ MOZ_ASSERT(sandbox::SBOX_ALL_OK == result, message); \ diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h index 3f73ec890..7f1f1597f 100644 --- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h +++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h @@ -31,9 +31,6 @@ public: virtual ~SandboxBroker(); // Security levels for different types of processes -#if defined(MOZ_CONTENT_SANDBOX) - void SetSecurityLevelForContentProcess(int32_t aSandboxLevel); -#endif bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel); enum SandboxLevel { LockDown, -- cgit v1.2.3 From e1490c07e29f5e4715f73088b7ca7aab4ada90a6 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Wed, 2 May 2018 23:30:36 +0200 Subject: Remove GMP sandbox code. --- security/sandbox/linux/Sandbox.cpp | 56 -------------- security/sandbox/linux/Sandbox.h | 7 -- security/sandbox/linux/SandboxFilter.cpp | 129 ------------------------------- security/sandbox/linux/SandboxFilter.h | 9 --- security/sandbox/linux/SandboxInfo.cpp | 5 -- 5 files changed, 206 deletions(-) (limited to 'security/sandbox') diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp index 65ca467ca..80a18f855 100644 --- a/security/sandbox/linux/Sandbox.cpp +++ b/security/sandbox/linux/Sandbox.cpp @@ -76,13 +76,6 @@ namespace mozilla { // This is initialized by SandboxSetCrashFunc(). SandboxCrashFunc gSandboxCrashFunc; -#ifdef MOZ_GMP_SANDBOX -// For media plugins, we can start the sandbox before we dlopen the -// module, so we have to pre-open the file and simulate the sandboxed -// open(). -static SandboxOpenedFile gMediaPluginFile; -#endif - static UniquePtr gChrootHelper; static void (*gChromiumSigSysHandler)(int, siginfo_t*, void*); @@ -525,19 +518,6 @@ SandboxEarlyInit(GeckoProcessType aType) case GeckoProcessType_Default: MOZ_ASSERT(false, "SandboxEarlyInit in parent process"); return; -#ifdef MOZ_GMP_SANDBOX - case GeckoProcessType_GMPlugin: - if (!info.Test(SandboxInfo::kEnabledForMedia)) { - break; - } - canUnshareNet = true; - canUnshareIPC = true; - // Need seccomp-bpf to intercept open(). - canChroot = info.Test(SandboxInfo::kHasSeccompBPF); - break; -#endif - // In the future, content processes will be able to use some of - // these. default: // Other cases intentionally left blank. break; @@ -626,40 +606,4 @@ SandboxEarlyInit(GeckoProcessType aType) } } -#ifdef MOZ_GMP_SANDBOX -/** - * Starts the seccomp sandbox for a media plugin process. Should be - * called only once, and before any potentially harmful content is - * loaded -- including the plugin itself, if it's considered untrusted. - * - * The file indicated by aFilePath, if non-null, can be open()ed - * read-only, once, after the sandbox starts; it should be the .so - * file implementing the not-yet-loaded plugin. - * - * Will normally make the process exit on failure. -*/ -void -SetMediaPluginSandbox(const char *aFilePath) -{ - if (!SandboxInfo::Get().Test(SandboxInfo::kEnabledForMedia)) { - return; - } - - MOZ_ASSERT(!gMediaPluginFile.mPath); - if (aFilePath) { - gMediaPluginFile.mPath = strdup(aFilePath); - gMediaPluginFile.mFd = open(aFilePath, O_RDONLY | O_CLOEXEC); - if (gMediaPluginFile.mFd == -1) { - SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", - aFilePath, strerror(errno)); - MOZ_CRASH(); - } - } else { - gMediaPluginFile.mFd = -1; - } - // Finally, start the sandbox. - SetCurrentProcessSandbox(GetMediaSandboxPolicy(&gMediaPluginFile)); -} -#endif // MOZ_GMP_SANDBOX - } // namespace mozilla diff --git a/security/sandbox/linux/Sandbox.h b/security/sandbox/linux/Sandbox.h index aefdda22d..9d1c3d4b3 100644 --- a/security/sandbox/linux/Sandbox.h +++ b/security/sandbox/linux/Sandbox.h @@ -19,13 +19,6 @@ namespace mozilla { // This must be called early, while the process is still single-threaded. MOZ_EXPORT void SandboxEarlyInit(GeckoProcessType aType); -#ifdef MOZ_GMP_SANDBOX -// Call only if SandboxInfo::CanSandboxMedia() returns true. -// (No-op if MOZ_DISABLE_GMP_SANDBOX is set.) -// aFilePath is the path to the plugin file. -MOZ_EXPORT void SetMediaPluginSandbox(const char *aFilePath); -#endif - } // namespace mozilla #endif // mozilla_Sandbox_h diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp index da7e54300..afaf53cec 100644 --- a/security/sandbox/linux/SandboxFilter.cpp +++ b/security/sandbox/linux/SandboxFilter.cpp @@ -340,133 +340,4 @@ public: // The process-type-specific syscall rules start here: -#ifdef MOZ_GMP_SANDBOX -// Unlike for content, the GeckoMediaPlugin seccomp-bpf policy needs -// to be an effective sandbox by itself, because we allow GMP on Linux -// systems where that's the only sandboxing mechanism we can use. -// -// Be especially careful about what this policy allows. -class GMPSandboxPolicy : public SandboxPolicyCommon { - static intptr_t OpenTrap(const sandbox::arch_seccomp_data& aArgs, - void* aux) - { - auto plugin = static_cast(aux); - const char* path; - int flags; - - switch (aArgs.nr) { -#ifdef __NR_open - case __NR_open: - path = reinterpret_cast(aArgs.args[0]); - flags = static_cast(aArgs.args[1]); - break; -#endif - case __NR_openat: - // The path has to be absolute to match the pre-opened file (see - // assertion in ctor) so the dirfd argument is ignored. - path = reinterpret_cast(aArgs.args[1]); - flags = static_cast(aArgs.args[2]); - break; - default: - MOZ_CRASH("unexpected syscall number"); - } - - if (strcmp(path, plugin->mPath) != 0) { - SANDBOX_LOG_ERROR("attempt to open file %s (flags=0%o) which is not the" - " media plugin %s", path, flags, plugin->mPath); - return -EPERM; - } - if ((flags & O_ACCMODE) != O_RDONLY) { - SANDBOX_LOG_ERROR("non-read-only open of file %s attempted (flags=0%o)", - path, flags); - return -EPERM; - } - int fd = plugin->mFd.exchange(-1); - if (fd < 0) { - SANDBOX_LOG_ERROR("multiple opens of media plugin file unimplemented"); - return -ENOSYS; - } - return fd; - } - - static intptr_t SchedTrap(const sandbox::arch_seccomp_data& aArgs, - void* aux) - { - const pid_t tid = syscall(__NR_gettid); - if (aArgs.args[0] == static_cast(tid)) { - return syscall(aArgs.nr, - 0, - aArgs.args[1], - aArgs.args[2], - aArgs.args[3], - aArgs.args[4], - aArgs.args[5]); - } - SANDBOX_LOG_ERROR("unsupported tid in SchedTrap"); - return BlockedSyscallTrap(aArgs, nullptr); - } - - SandboxOpenedFile* mPlugin; -public: - explicit GMPSandboxPolicy(SandboxOpenedFile* aPlugin) - : mPlugin(aPlugin) - { - MOZ_ASSERT(aPlugin->mPath[0] == '/', "plugin path should be absolute"); - } - - virtual ~GMPSandboxPolicy() { } - - virtual ResultExpr EvaluateSyscall(int sysno) const override { - switch (sysno) { - // Simulate opening the plugin file. -#ifdef __NR_open - case __NR_open: -#endif - case __NR_openat: - return Trap(OpenTrap, mPlugin); - - // ipc::Shmem - case __NR_mprotect: - return Allow(); - case __NR_madvise: { - Arg advice(2); - return If(advice == MADV_DONTNEED, Allow()) - .ElseIf(advice == MADV_FREE, Allow()) -#ifdef MOZ_ASAN - .ElseIf(advice == MADV_NOHUGEPAGE, Allow()) - .ElseIf(advice == MADV_DONTDUMP, Allow()) -#endif - .Else(InvalidSyscall()); - } - case __NR_brk: - CASES_FOR_geteuid: - return Allow(); - case __NR_sched_getparam: - case __NR_sched_getscheduler: - case __NR_sched_get_priority_min: - case __NR_sched_get_priority_max: - case __NR_sched_setscheduler: { - Arg pid(0); - return If(pid == 0, Allow()) - .Else(Trap(SchedTrap, nullptr)); - } - - // For clock(3) on older glibcs; bug 1304220. - case __NR_times: - return Allow(); - - default: - return SandboxPolicyCommon::EvaluateSyscall(sysno); - } - } -}; - -UniquePtr -GetMediaSandboxPolicy(SandboxOpenedFile* aPlugin) -{ - return UniquePtr(new GMPSandboxPolicy(aPlugin)); -} - -#endif // MOZ_GMP_SANDBOX - } diff --git a/security/sandbox/linux/SandboxFilter.h b/security/sandbox/linux/SandboxFilter.h index ecd2e610b..b6031d30e 100644 --- a/security/sandbox/linux/SandboxFilter.h +++ b/security/sandbox/linux/SandboxFilter.h @@ -18,15 +18,6 @@ class Policy; namespace mozilla { -#ifdef MOZ_GMP_SANDBOX -struct SandboxOpenedFile { - const char *mPath; - Atomic mFd; -}; - -UniquePtr GetMediaSandboxPolicy(SandboxOpenedFile* aPlugin); -#endif - } // namespace mozilla #endif diff --git a/security/sandbox/linux/SandboxInfo.cpp b/security/sandbox/linux/SandboxInfo.cpp index 4d0c1d584..2eb65e39c 100644 --- a/security/sandbox/linux/SandboxInfo.cpp +++ b/security/sandbox/linux/SandboxInfo.cpp @@ -225,11 +225,6 @@ SandboxInfo::SandboxInfo() { } } -#ifdef MOZ_GMP_SANDBOX - if (!getenv("MOZ_DISABLE_GMP_SANDBOX")) { - flags |= kEnabledForMedia; - } -#endif if (getenv("MOZ_SANDBOX_VERBOSE")) { flags |= kVerbose; } -- cgit v1.2.3 From 4613b91ecac2745252c40be64e73de5ff920b02b Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 3 May 2018 01:24:31 +0200 Subject: Remove sandbox ductwork conditional code. --- security/sandbox/chromium/base/time/time.cc | 2 -- security/sandbox/chromium/base/time/time.h | 4 ---- 2 files changed, 6 deletions(-) (limited to 'security/sandbox') diff --git a/security/sandbox/chromium/base/time/time.cc b/security/sandbox/chromium/base/time/time.cc index 9188887e2..76ffeb744 100644 --- a/security/sandbox/chromium/base/time/time.cc +++ b/security/sandbox/chromium/base/time/time.cc @@ -242,7 +242,6 @@ Time Time::LocalMidnight() const { return FromLocalExploded(exploded); } -#if !defined(MOZ_SANDBOX) // static bool Time::FromStringInternal(const char* time_string, bool is_local, @@ -263,7 +262,6 @@ bool Time::FromStringInternal(const char* time_string, *parsed_time = Time(result_time); return true; } -#endif std::ostream& operator<<(std::ostream& os, Time time) { Time::Exploded exploded; diff --git a/security/sandbox/chromium/base/time/time.h b/security/sandbox/chromium/base/time/time.h index ea19d7ed9..066d91083 100644 --- a/security/sandbox/chromium/base/time/time.h +++ b/security/sandbox/chromium/base/time/time.h @@ -522,7 +522,6 @@ class BASE_EXPORT Time : public time_internal::TimeBase