Bug 1289718 - Add a minimal policy and log many things.
MozReview-Commit-ID: cXrlXNlEwh
--- a/security/sandbox/linux/broker/SandboxBroker.cpp
+++ b/security/sandbox/linux/broker/SandboxBroker.cpp
@@ -441,34 +441,34 @@ SandboxBroker::ThreadMain(void)
// And now perform the operation if allowed.
if (perms & CRASH_INSTEAD) {
// This is somewhat nonmodular, but it works.
resp.mError = ENOSYS;
} else if (permissive || perms & MAY_ACCESS) {
// If the operation was only allowed because of permissive mode, log it.
if (permissive && !(perms & MAY_ACCESS)) {
- AuditDenial(req.mOp, req.mFlags, pathBuf);
- } else if (!permissive) {
- AuditAllow(req.mOp, req.mFlags, perms, pathBuf);
+ AuditDenial(req.mOp, req.mFlags, perms, pathBuf);
}
switch(req.mOp) {
case SANDBOX_FILE_OPEN:
if (permissive || AllowOpen(req.mFlags, perms)) {
// Permissions for O_CREAT hardwired to 0600; if that's
// ever a problem we can change the protocol (but really we
// should be trying to remove uses of MAY_CREATE, not add
// new ones).
openedFd = open(pathBuf, req.mFlags | kRequiredOpenFlags, 0600);
if (openedFd >= 0) {
resp.mError = 0;
} else {
resp.mError = errno;
}
+ } else {
+ AuditDenial(req.mOp, req.mFlags, perms, pathBuf);
}
break;
case SANDBOX_FILE_ACCESS:
if (permissive || AllowAccess(req.mFlags, perms)) {
// This can't use access() itself because that uses the ruid
// and not the euid. In theory faccessat() with AT_EACCESS
// would work, but Linux doesn't actually implement the
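Review bot: The new `else` branch at L31-L32 (and the matching one for SANDBOX_FILE_ACCESS in the next hunk) only audits the refused open and never assigns `resp.mError`, so the client sees whatever ThreadMain initialised the response to before this hunk; if that is not already a denial errno, a refused request would be answered with a success-looking error code. Since the enclosing function starts well before the hunk, I cannot confirm the initial value from here, and making it explicit costs one line: `resp.mError = EACCES;` before the `AuditDenial(...)` call in each new branch. That also keeps the enforcing-mode denial path self-describing for the next reader, who otherwise has to scan back to find where the default error is set.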
@@ -479,71 +479,58 @@ SandboxBroker::ThreadMain(void)
// Instead, because we've already checked the requested
// r/w/x bits against the policy, just return success if the
// file exists and hope that's close enough.
if (stat(pathBuf, &statBuf) == 0) {
resp.mError = 0;
} else {
resp.mError = errno;
}
+ } else {
+ AuditDenial(req.mOp, req.mFlags, perms, pathBuf);
}
break;
case SANDBOX_FILE_STAT:
if (DoStat(pathBuf, &statBuf, req.mFlags) == 0) {
resp.mError = 0;
ios[1].iov_base = &statBuf;
ios[1].iov_len = sizeof(statBuf);
} else {
resp.mError = errno;
}
break;
}
} else {
MOZ_ASSERT(perms == 0);
+ AuditDenial(req.mOp, req.mFlags, perms, pathBuf);
}
const size_t numIO = ios[1].iov_len > 0 ? 2 : 1;
DebugOnly<const ssize_t> sent = SendWithFd(respfd, ios, numIO, openedFd);
close(respfd);
MOZ_ASSERT(sent < 0 ||
static_cast<size_t>(sent) == ios[0].iov_len + ios[1].iov_len);
if (openedFd >= 0) {
close(openedFd);
}
}
}
void
-SandboxBroker::AuditDenial(int aOp, int aFlags, const char* aPath)
+SandboxBroker::AuditDenial(int aOp, int aFlags, int aPerms, const char* aPath)
{
- MOZ_RELEASE_ASSERT(SandboxInfo::Get().Test(SandboxInfo::kPermissive));
+ // MOZ_RELEASE_ASSERT(SandboxInfo::Get().Test(SandboxInfo::kPermissive));
struct stat statBuf;
if (lstat(aPath, &statBuf) == 0) {
// Path exists, set errno to 0 to indicate "success".
errno = 0;
}
- SANDBOX_LOG_ERROR("SandboxBroker: denied op=%d rflags=%o path=%s for pid=%d" \
- " permissive=1 error=\"%s\"", aOp, aFlags, aPath, mChildPid,
- strerror(errno));
-}
-
-void
-SandboxBroker::AuditAllow(int aOp, int aFlags, int aPerms, const char* aPath)
-{
- struct stat statBuf;
-
- if (lstat(aPath, &statBuf) == 0) {
- // Path exists, set errno to 0 to indicate "success".
- errno = 0;
- }
-
- SANDBOX_LOG_ERROR("SandboxBroker: allowing op=%d rflags=%o perms=%d path=%s for pid=%d" \
+ SANDBOX_LOG_ERROR("SandboxBroker: denied op=%d rflags=%o perms=%d path=%s for pid=%d" \
" permissive=1 error=\"%s\"", aOp, aFlags, aPerms, aPath, mChildPid,
strerror(errno));
}
-
} // namespace mozilla
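Review bot: The log line at L104-L105 still hardcodes `permissive=1`, but AuditDenial is now also called from the enforcing-mode denial paths (L50, L65, and the open branch in the previous hunk), so every real denial will be recorded as if it had been waved through in permissive mode, which makes the audit log misleading exactly when it matters. Suggest `" permissive=%d error=\"%s\"", aOp, aFlags, aPerms, aPath, mChildPid, static_cast<int>(SandboxInfo::Get().Test(SandboxInfo::kPermissive)), strerror(errno));` so the line reports the actual mode. The release assert at L82 should be deleted rather than left as a commented-out line, and a header comment on AuditDenial such as `// Logs a brokered request the policy rejected; in permissive mode the request is still performed by the caller, in enforcing mode it is refused.` would record the new dual role. Note also that `lstat` here runs on the denied path only to fill in the errno text, which is fine to keep but worth a comment so nobody mistakes it for an access check.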
--- a/security/sandbox/linux/broker/SandboxBroker.h
+++ b/security/sandbox/linux/broker/SandboxBroker.h
@@ -112,18 +112,17 @@ class SandboxBroker final
PlatformThreadHandle mThread;
int mFileDesc;
const int mChildPid;
const UniquePtr<const Policy> mPolicy;
SandboxBroker(UniquePtr<const Policy> aPolicy, int aChildPid,
int& aClientFd);
void ThreadMain(void) override;
- void AuditDenial(int aOp, int aFlags, const char* aPath);
- void AuditAllow(int aOp, int aFlags, int aPerms, const char* aPath);
+ void AuditDenial(int aOp, int aFlags, int aPerms, const char* aPath);
// Holding a UniquePtr should disallow copying, but to make that explicit:
SandboxBroker(const SandboxBroker&) = delete;
void operator=(const SandboxBroker&) = delete;
};
} // namespace mozilla
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -113,17 +113,21 @@ SandboxBrokerPolicyFactory::SandboxBroke
policy->AddTree(rdonly, "/system//usr/share/zoneinfo");
policy->AddPath(rdonly, "/data/local/tmp/profiler.options",
SandboxBroker::Policy::AddAlways); // bug 1029337
mCommonContentPolicy.reset(policy);
#elif defined(MOZ_CONTENT_SANDBOX) && defined(XP_LINUX)
SandboxBroker::Policy* policy = new SandboxBroker::Policy;
- policy->AddDir(rdwrcr, "/");
+ policy->AddDir(rdonly, "/");
+ //policy->AddDir(rdwrcr, "/tmp");
+ //policy->AddDir(rdwrcr, "/usr/tmp");
+ //policy->AddDir(rdwrcr, "/var/tmp");
+ policy->AddDir(rdwrcr, "/dev/shm");
mCommonContentPolicy.reset(policy);
#endif
}
#ifdef MOZ_CONTENT_SANDBOX
UniquePtr<SandboxBroker::Policy>
SandboxBrokerPolicyFactory::GetContentPolicy(int aPid)
{
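Review bot: Lines L139-L141 leave three policy entries as commented-out code with no note on why `/tmp`, `/usr/tmp` and `/var/tmp` were dropped; either remove them or replace them with a one-line comment stating the intent, otherwise the next editor will not know whether re-enabling them is safe. The remaining entries also deserve a why-comment each, since `AddDir(rdonly, "/")` still brokers read access to the entire filesystem and `AddDir(rdwrcr, "/dev/shm")` grants write and create rights there, e.g. `// Read access to the whole tree is a stop-gap until per-path entries exist; /dev/shm is needed for shared-memory IPC — TODO confirm`. Blank lines appear to have been stripped from this rendering, so by the hunk header counts the hunk ends here, but the function body continues past the visible lines.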