Bug 1098428 - Add Linux sandboxing information to Telemetry. r?gfritzsche
MozReview-Commit-ID: GtIPsRqq5hr
--- a/security/sandbox/linux/common/SandboxInfo.cpp
+++ b/security/sandbox/linux/common/SandboxInfo.cpp
@@ -14,16 +14,17 @@
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include "base/posix/eintr_wrapper.h"
#include "mozilla/Assertions.h"
#include "mozilla/ArrayUtils.h"
+#include "mozilla/Telemetry.h"
#include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
#include "sandbox/linux/services/linux_syscalls.h"
// A note about assertions: in general, the worst thing this module
// should be able to do is disable sandboxing features, so release
// asserts or MOZ_CRASH should be avoided, even for seeming
// impossibilities like an unimplemented syscall returning success
// (which has happened: https://crbug.com/439795 ).
@@ -249,9 +250,33 @@ SandboxInfo::ThreadingCheck()
// they wouldn't be using NSPR; we have to hope for the best.)
setenv("MOZ_SANDBOX_UNEXPECTED_THREADS", "1", 0);
int flags = sSingleton.mFlags;
flags |= kUnexpectedThreads;
flags &= ~(kHasUserNamespaces | kHasPrivilegedUserNamespaces);
sSingleton.mFlags = static_cast<Flags>(flags);
}
+/* static */ void
+SandboxInfo::SubmitTelemetry()
+{
+ SandboxInfo sandboxInfo = Get();
+ Telemetry::Accumulate(
+ Telemetry::SANDBOX_CAPABILITIES_SECCOMP_BPF,
+ sandboxInfo.Test(SandboxInfo::kHasSeccompBPF));
+ Telemetry::Accumulate(
+ Telemetry::SANDBOX_CAPABILITIES_SECCOMP_TSYNC,
+ sandboxInfo.Test(SandboxInfo::kHasSeccompTSync));
+ Telemetry::Accumulate(
+ Telemetry::SANDBOX_CAPABILITIES_USER_NAMESPACES_PRIVILEGED,
+ sandboxInfo.Test(SandboxInfo::kHasPrivilegedUserNamespaces));
+ Telemetry::Accumulate(
+ Telemetry::SANDBOX_CAPABILITIES_USER_NAMESPACES,
+ sandboxInfo.Test(SandboxInfo::kHasUserNamespaces));
+ Telemetry::Accumulate(
+ Telemetry::SANDBOX_CAPABILITIES_ENABLED_CONTENT,
+ sandboxInfo.Test(SandboxInfo::kEnabledForContent));
+ Telemetry::Accumulate(
+ Telemetry::SANDBOX_CAPABILITIES_ENABLED_MEDIA,
+ sandboxInfo.Test(SandboxInfo::kEnabledForMedia));
+}
+
} // namespace mozilla
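Review bot: SubmitTelemetry() never reports kUnexpectedThreads, so the two USER_NAMESPACES histograms cannot tell a kernel without user namespaces apart from a run where ThreadingCheck() (top of this hunk) cleared kHasUserNamespaces and kHasPrivilegedUserNamespaces because a thread was already running. For a sandbox rollout that distinction matters, since one is a distro/kernel limitation and the other a startup-ordering bug in our own process, so consider a seventh `Telemetry::Accumulate(Telemetry::SANDBOX_CAPABILITIES_UNEXPECTED_THREADS, sandboxInfo.Test(SandboxInfo::kUnexpectedThreads));` with a matching Histograms.json entry. The function also has no comment; something like `// Record the flags as they stand now; must run after ThreadingCheck() or the user-namespace bits are over-reported.` would capture the ordering dependency, which the nsAppRunner.cpp call site in this patch does not make visible. The local can be `const SandboxInfo sandboxInfo = Get();` since it is only read.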
--- a/security/sandbox/linux/common/SandboxInfo.h
+++ b/security/sandbox/linux/common/SandboxInfo.h
@@ -52,16 +52,18 @@ public:
}
// Returns true if SetMediaPluginSandbox may be called.
bool CanSandboxMedia() const
{
return !Test(kEnabledForMedia) || Test(kHasSeccompBPF);
}
+ static void SubmitTelemetry();
+
// For bug 1222500 or anything else like it: On desktop, this is
// called in the parent process at a point when it should still be
// single-threaded, to check that the SandboxEarlyInit() call in a
// child process is early enough to be single-threaded. If not,
// kUnexpectedThreads is set and affected flags (user namespaces;
// possibly others in the future) are cleared.
static void ThreadingCheck();
private:
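Review bot: The new `SubmitTelemetry()` declaration is the only member in this stretch of the class without a comment, and the neighbouring ThreadingCheck() comment shows why one is needed: the flags it reports can be cleared by that check. I would add `// Reports the current Flags (capability and enabled-for-* bits) to Telemetry as flag histograms. Records whatever Get() returns at call time, so flags ThreadingCheck() clears are only reflected if it ran first.` above the declaration. Whether the parent's call happens after ThreadingCheck() is not visible in this patch, so that ordering should be confirmed against the call site rather than assumed.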
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -10675,16 +10675,64 @@
},
"SANDBOX_BROKER_INITIALIZED": {
"alert_emails": ["bowen@mozilla.com"],
"bug_numbers": [1256992],
"expires_in_version": "55",
"kind": "boolean",
"description": "Result of call to SandboxBroker::Initialize"
},
+ "SANDBOX_CAPABILITIES_SECCOMP_BPF": {
+ "alert_emails": ["gcp@mozilla.com"],
+ "bug_numbers": [1098428],
+ "expires_in_version": "55",
+ "kind": "flag",
+ "cpp_guard": "XP_LINUX",
+ "description": "Whether the system has seccomp-bpf capability"
+ },
+ "SANDBOX_CAPABILITIES_SECCOMP_TSYNC": {
+ "alert_emails": ["gcp@mozilla.com"],
+ "bug_numbers": [1098428],
+ "expires_in_version": "55",
+ "kind": "flag",
+ "cpp_guard": "XP_LINUX",
+ "description": "Whether the system has seccomp-bpf thread-sync capability"
+ },
+ "SANDBOX_CAPABILITIES_USER_NAMESPACES": {
+ "alert_emails": ["gcp@mozilla.com"],
+ "bug_numbers": [1098428],
+ "expires_in_version": "55",
+ "kind": "flag",
+ "cpp_guard": "XP_LINUX",
+ "description": "Whether our process succedeed in creating a user namespace"
+ },
+ "SANDBOX_CAPABILITIES_USER_NAMESPACES_PRIVILEGED": {
+ "alert_emails": ["gcp@mozilla.com"],
+ "bug_numbers": [1098428],
+ "expires_in_version": "55",
+ "kind": "flag",
+ "cpp_guard": "XP_LINUX",
+ "description": "Whether the system has the capability to create privileged user namespaces"
+ },
+ "SANDBOX_CAPABILITIES_ENABLED_MEDIA": {
+ "alert_emails": ["gcp@mozilla.com"],
+ "bug_numbers": [1098428],
+ "expires_in_version": "55",
+ "kind": "flag",
+ "cpp_guard": "XP_LINUX",
+ "description": "Whether the sandbox is enabled for media/GMP plugins"
+ },
+ "SANDBOX_CAPABILITIES_ENABLED_CONTENT": {
+ "alert_emails": ["gcp@mozilla.com"],
+ "bug_numbers": [1098428],
+ "expires_in_version": "55",
+ "kind": "flag",
+ "cpp_guard": "XP_LINUX",
+ "description": "Whether the sandbox is enabled for the content process"
+ },
"SYNC_WORKER_OPERATION": {
"alert_emails": ["amarchesini@mozilla.com", "khuey@mozilla.com" ],
"bug_numbers": [1267904],
"expires_in_version": "never",
"kind": "exponential",
"high": 5000,
"n_buckets": 20,
"keyed": true,
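Review bot: The SANDBOX_CAPABILITIES_USER_NAMESPACES description has a typo, `"succedeed"`; it should read `"description": "Whether our process succeeded in creating a user namespace"`. Because SandboxInfo::ThreadingCheck() clears kHasUserNamespaces and kHasPrivilegedUserNamespaces when it finds an early thread, a false here can mean "we refused to use them" rather than "the kernel lacks them", so either say so in the description or record a separate flag for kUnexpectedThreads so analysts do not misread the rate. Similarly, the two ENABLED_* descriptions read as if the process is actually sandboxed, whereas they record the kEnabledFor* bits; if those reflect build/pref configuration rather than a successful sandbox start, phrase them as `"Whether the content-process sandbox is enabled by configuration (not whether it started)"` or equivalent — I cannot confirm from this patch which it is.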
--- a/toolkit/xre/nsAppRunner.cpp
+++ b/toolkit/xre/nsAppRunner.cpp
@@ -4356,16 +4356,21 @@ XREMain::XRE_mainRun()
#ifdef MOZ_INSTRUMENT_EVENT_LOOP
if (PR_GetEnv("MOZ_INSTRUMENT_EVENT_LOOP")) {
bool logToConsole = true;
mozilla::InitEventTracing(logToConsole);
}
#endif /* MOZ_INSTRUMENT_EVENT_LOOP */
+#if defined(MOZ_SANDBOX) && defined(XP_LINUX)
+ // If we're on Linux, we now have information about the OS capabilities
+ // available to us.
+ SandboxInfo::SubmitTelemetry();
+#endif
#if (defined(XP_WIN) || defined(XP_MACOSX)) && defined(MOZ_CONTENT_SANDBOX)
SetUpSandboxEnvironment();
#endif
{
rv = appStartup->Run();
if (NS_FAILED(rv)) {
NS_ERROR("failed to run appstartup");