Enable sandbox file broker and log all the things. draft
authorGian-Carlo Pascutto <gcp@mozilla.com>
Tue, 26 Jul 2016 20:05:20 +0200
changeset 393013 6e2eb3fc2305b33dafa0cfccb1fd90325eb332ff
parent 393012 2c7f77e78468504e2fe9859442fa57ff42cf7d1f
child 526456 e8142b3c75ef44973ddb97ad0778d52fa26c4b48
push id24173
push usergpascutto@mozilla.com
push dateTue, 26 Jul 2016 18:16:26 +0000
milestone50.0a1
Enable sandbox file broker and log all the things. MozReview-Commit-ID: DW415ABoaeN
browser/app/profile/firefox.js
security/sandbox/linux/broker/SandboxBroker.cpp
security/sandbox/linux/broker/SandboxBroker.h
security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@@ -982,17 +982,17 @@ pref("security.sandbox.content.level", 1
 // to whitelist more system calls.
 //
 // So the purpose of this setting is to allow nightly users to disable the
 // sandbox while we fix their problems. This way, they won't have to wait for
 // another nightly release which disables seccomp-bpf again.
 //
 // This setting may not be required anymore once we decide to permanently
 // enable the content sandbox.
-pref("security.sandbox.content.level", 1);
+pref("security.sandbox.content.level", 2);
 #endif
 
 #if defined(XP_MACOSX) || defined(XP_WIN)
 #if defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
 // ID (a UUID when set by gecko) that is used to form the name of a
 // sandbox-writable temporary directory to be used by content processes
 // when a temporary writable file is required in a level 1 sandbox.
 pref("security.sandbox.content.tempDirSuffix", "");
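Review bot: The comment block above the pref still only describes the level-1 seccomp-bpf behaviour, while the new default is 2 and nothing in this file says what the extra level turns on; a reader has to go to the commit message to learn that level 2 presumably enables the file broker. Suggest one line directly above the pref, e.g. `// Level 2 additionally routes content-process file access through the sandbox broker (security/sandbox/linux/broker).` The `#if` block this pref sits in begins outside the hunk.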
--- a/security/sandbox/linux/broker/SandboxBroker.cpp
+++ b/security/sandbox/linux/broker/SandboxBroker.cpp
@@ -435,16 +435,18 @@ SandboxBroker::ThreadMain(void)
     // And now perform the operation if allowed.
     if (perms & CRASH_INSTEAD) {
       // This is somewhat nonmodular, but it works.
       resp.mError = ENOSYS;
     } else if (permissive || perms & MAY_ACCESS) {
       // If the operation was only allowed because of permissive mode, log it.
       if (permissive && !(perms & MAY_ACCESS)) {
         AuditDenial(req.mOp, req.mFlags, pathBuf);
+      } else if (!permissive) {
+        AuditAllow(req.mOp, req.mFlags, perms, pathBuf);
       }
 
       switch(req.mOp) {
       case SANDBOX_FILE_OPEN:
         if (permissive || AllowOpen(req.mFlags, perms)) {
           // Permissions for O_CREAT hardwired to 0600; if that's
           // ever a problem we can change the protocol (but really we
           // should be trying to remove uses of MAY_CREATE, not add
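Review bot: The new `else if (!permissive)` branch calls AuditAllow for every permitted request in enforcing mode, so each brokered file operation now costs an extra lstat() plus a SANDBOX_LOG_ERROR line carrying the full path; that is considerable log volume on the broker thread and writes content-process file paths into release logs. If this is the data-gathering stage the commit title describes, gate the call behind an explicit verbose/debug condition (a placeholder such as `<audit-allow-enabled>`) or at least mark it `// TODO: gate or remove before level 2 ships` so it cannot ride along unnoticed. ThreadMain's body continues outside the hunk.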
@@ -516,9 +518,25 @@ SandboxBroker::AuditDenial(int aOp, int 
     errno = 0;
   }
 
   SANDBOX_LOG_ERROR("SandboxBroker: denied op=%d rflags=%o path=%s for pid=%d" \
                     " permissive=1 error=\"%s\"", aOp, aFlags, aPath, mChildPid,
                     strerror(errno));
 }
 
+void
+SandboxBroker::AuditAllow(int aOp, int aFlags, int aPerms, const char* aPath)
+{
+  struct stat statBuf;
+
+  if (lstat(aPath, &statBuf) == 0) {
+    // Path exists, set errno to 0 to indicate "success".
+    errno = 0;
+  }
+
+  SANDBOX_LOG_ERROR("SandboxBroker: allowing op=%d rflags=%o perms=%d path=%s for pid=%d" \
+                    " permissive=1 error=\"%s\"", aOp, aFlags, aPerms, aPath, mChildPid,
+                    strerror(errno));
+}
+
+
 } // namespace mozilla
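Review bot: AuditAllow's format string reports `permissive=1`, but ThreadMain only reaches it when `!permissive` (first hunk of this file), so every allow line misstates the mode; change the second fragment to `" permissive=0 error=\"%s\"", aOp, aFlags, aPerms, aPath, mChildPid,` or drop the field entirely. The `error=` value is also just the lstat() result for the path, so a permitted operation on a not-yet-existing file is printed with an "error" string even though the broker allowed it; a comment such as `// error= reports lstat() on the path, not a broker failure` would save the next reader a puzzle. The two blank lines before `} // namespace mozilla` are surplus.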
--- a/security/sandbox/linux/broker/SandboxBroker.h
+++ b/security/sandbox/linux/broker/SandboxBroker.h
@@ -113,16 +113,17 @@ class SandboxBroker final
   int mFileDesc;
   const int mChildPid;
   const UniquePtr<const Policy> mPolicy;
 
   SandboxBroker(UniquePtr<const Policy> aPolicy, int aChildPid,
                 int& aClientFd);
   void ThreadMain(void) override;
   void AuditDenial(int aOp, int aFlags, const char* aPath);
+  void AuditAllow(int aOp, int aFlags, int aPerms, const char* aPath);
 
   // Holding a UniquePtr should disallow copying, but to make that explicit:
   SandboxBroker(const SandboxBroker&) = delete;
   void operator=(const SandboxBroker&) = delete;
 };
 
 } // namespace mozilla
 
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -31,21 +31,25 @@ SandboxBrokerPolicyFactory::IsSystemSupp
     return true;
   }
 
   // When broker is running in permissive mode, we enable it
   // automatically regardless of the device.
   if (SandboxInfo::Get().Test(SandboxInfo::kPermissive)) {
     return true;
   }
+#elif defined(XP_LINUX)
+  // XXX: is this check needed?
+  if (SandboxInfo::Get().Test(SandboxInfo::kHasSeccompBPF))
+    return true;
 #endif
   return false;
 }
 
-#if defined(MOZ_CONTENT_SANDBOX) && defined(MOZ_WIDGET_GONK)
+#if defined(MOZ_CONTENT_SANDBOX)
 namespace {
 static const int rdonly = SandboxBroker::MAY_READ;
 static const int wronly = SandboxBroker::MAY_WRITE;
 static const int rdwr = rdonly | wronly;
 static const int wrlog = wronly | SandboxBroker::MAY_CREATE;
 }
 #endif
 
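Review bot: The new `if (SandboxInfo::Get().Test(SandboxInfo::kHasSeccompBPF))` drops the braces that every other `if` in this function uses (see the lines directly above), and its `// XXX: is this check needed?` leaves the question unanswered in shipped code. If the reasoning is that brokering only has an effect when seccomp-bpf can force file access through the broker, record that instead: `// Only useful when seccomp-bpf is available to redirect file access to the broker.` IsSystemSupported begins outside the hunk.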
@@ -106,16 +110,20 @@ SandboxBrokerPolicyFactory::SandboxBroke
   // Bug 1198401: timezones.  Yes, we need both of these; see bug.
   policy->AddTree(rdonly, "/system/usr/share/zoneinfo");
   policy->AddTree(rdonly, "/system//usr/share/zoneinfo");
 
   policy->AddPath(rdonly, "/data/local/tmp/profiler.options",
                   SandboxBroker::Policy::AddAlways); // bug 1029337
 
   mCommonContentPolicy.reset(policy);
+#elif defined(MOZ_CONTENT_SANDBOX) && defined(XP_LINUX)
+  SandboxBroker::Policy* policy = new SandboxBroker::Policy;
+  policy->AddDir(rdwr, "/");
+  mCommonContentPolicy.reset(policy);
 #endif
 }
 
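Review bot: `policy->AddDir(rdwr, "/")` grants read and write on every path, so the desktop Linux common policy confines nothing; together with the AuditAllow logging added in SandboxBroker.cpp this reads as a discovery policy rather than a shipping one, but the code does not say so. Make the intent explicit, e.g. `// Draft: allow everything so AuditAllow logging shows which paths content actually needs; tighten before this ships.` Note also that `rdwr` does not include MAY_CREATE (compare `wrlog` in the previous hunk), so creating files under this policy presumably still fails the AllowOpen check — worth stating if deliberate, since it shapes what the audit log will and will not show. The constructor this block sits in begins outside the hunk.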
 #ifdef MOZ_CONTENT_SANDBOX
 UniquePtr<SandboxBroker::Policy>
 SandboxBrokerPolicyFactory::GetContentPolicy(int aPid)
 {
   // Allow overriding "unsupported"ness with a pref, for testing.
@@ -140,16 +148,20 @@ SandboxBrokerPolicyFactory::GetContentPo
   // Bug 1198550: the profiler's replacement for dl_iterate_phdr
   policy->AddPath(rdonly, nsPrintfCString("/proc/%d/maps", aPid).get());
 
   // Bug 1198552: memory reporting.
   policy->AddPath(rdonly, nsPrintfCString("/proc/%d/statm", aPid).get());
   policy->AddPath(rdonly, nsPrintfCString("/proc/%d/smaps", aPid).get());
 
   return policy;
-#else // MOZ_WIDGET_GONK
-  // Not implemented for desktop yet.
-  return nullptr;
+#elif defined(XP_LINUX)
+  MOZ_ASSERT(NS_IsMainThread());
+  MOZ_ASSERT(mCommonContentPolicy);
+  UniquePtr<SandboxBroker::Policy>
+    policy(new SandboxBroker::Policy(*mCommonContentPolicy));
+  // Return the common policy.
+  return policy;
 #endif
 }
 
 #endif // MOZ_CONTENT_SANDBOX
 } // namespace mozilla
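Review bot: `// Return the common policy.` restates the code; what is worth recording is why a copy is made, e.g. `// Each SandboxBroker owns its policy (UniquePtr<const Policy>), so hand out a copy of the shared one.` Unlike the GONK branch above, this branch ignores aPid and adds none of the per-process /proc entries — harmless while the common policy grants rdwr on "/", but it will matter once that policy is tightened, so a one-line note about it would help. If MakeUnique is in scope for this file, `auto policy = MakeUnique<SandboxBroker::Policy>(*mCommonContentPolicy);` would replace the raw `new`. GetContentPolicy begins outside the hunk.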