Browse Source

Remove content process sandbox code.

pull/1/head
wolfbeast 4 years ago committed by Roy Tam
parent
commit
369378d566
  1. 25
      accessible/ipc/DocAccessibleParent.cpp
  2. 27
      accessible/windows/msaa/HTMLWin32ObjectAccessible.cpp
  3. 7
      accessible/windows/msaa/HTMLWin32ObjectAccessible.h
  4. 6
      application/palemoon/app/nsBrowserApp.cpp
  5. 6
      browser/app/nsBrowserApp.cpp
  6. 68
      browser/app/profile/firefox.js
  7. 196
      dom/ipc/ContentChild.cpp
  8. 21
      dom/ipc/ContentChild.h
  9. 60
      dom/ipc/ContentParent.cpp
  10. 11
      dom/ipc/ContentParent.h
  11. 118
      dom/ipc/ContentProcess.cpp
  12. 8
      dom/ipc/ContentProcess.h
  13. 5
      dom/ipc/moz.build
  14. 4
      ipc/contentproc/plugin-container.cpp
  15. 38
      ipc/glue/GeckoChildProcessHost.cpp
  16. 5
      ipc/mscom/InterceptorLog.cpp
  17. 42
      old-configure.in
  18. 9
      security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h
  19. 28
      security/sandbox/linux/Sandbox.cpp
  20. 8
      security/sandbox/linux/Sandbox.h
  21. 489
      security/sandbox/linux/SandboxFilter.cpp
  22. 6
      security/sandbox/linux/SandboxFilter.h
  23. 8
      security/sandbox/linux/SandboxInfo.cpp
  24. 144
      security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
  25. 4
      security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h
  26. 124
      security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
  27. 3
      security/sandbox/win/src/sandboxbroker/sandboxBroker.h
  28. 12
      toolkit/crashreporter/nsExceptionHandler.cpp
  29. 7
      toolkit/modules/AppConstants.jsm
  30. 5
      toolkit/modules/Troubleshoot.jsm
  31. 4
      toolkit/modules/tests/browser/browser_Troubleshoot.js
  32. 11
      toolkit/xre/nsAppRunner.cpp
  33. 22
      toolkit/xre/nsEmbedFunctions.cpp
  34. 209
      toolkit/xre/nsXREDirProvider.cpp
  35. 9
      toolkit/xre/nsXREDirProvider.h
  36. 8
      xpcom/io/SpecialSystemDirectory.cpp
  37. 3
      xpcom/io/SpecialSystemDirectory.h
  38. 29
      xpcom/io/nsAppDirectoryServiceDefs.h
  39. 27
      xpcom/io/nsDirectoryService.cpp
  40. 4
      xpcom/io/nsDirectoryServiceAtomList.h
  41. 4
      xpcom/io/nsDirectoryServiceDefs.h

25
accessible/ipc/DocAccessibleParent.cpp

@ -492,32 +492,7 @@ bool
DocAccessibleParent::RecvGetWindowedPluginIAccessible(
const WindowsHandle& aHwnd, IAccessibleHolder* aPluginCOMProxy)
{
#if defined(MOZ_CONTENT_SANDBOX)
// We don't actually want the accessible object for aHwnd, but rather the
// one that belongs to its child (see HTMLWin32ObjectAccessible).
HWND childWnd = ::GetWindow(reinterpret_cast<HWND>(aHwnd), GW_CHILD);
if (!childWnd) {
// We're seeing this in the wild - the plugin is windowed but we no longer
// have a window.
return true;
}
IAccessible* rawAccPlugin = nullptr;
HRESULT hr = ::AccessibleObjectFromWindow(childWnd, OBJID_WINDOW,
IID_IAccessible,
(void**)&rawAccPlugin);
if (FAILED(hr)) {
// This might happen if the plugin doesn't handle WM_GETOBJECT properly.
// We should not consider that a failure.
return true;
}
aPluginCOMProxy->Set(IAccessibleHolder::COMPtrType(rawAccPlugin));
return true;
#else
return false;
#endif
}
#endif // defined(XP_WIN)

27
accessible/windows/msaa/HTMLWin32ObjectAccessible.cpp

@ -62,25 +62,6 @@ HTMLWin32ObjectAccessible::HTMLWin32ObjectAccessible(void* aHwnd,
{
mHwnd = aHwnd;
if (mHwnd) {
#if defined(MOZ_CONTENT_SANDBOX)
if (XRE_IsContentProcess()) {
DocAccessibleChild* ipcDoc = aDoc->IPCDoc();
MOZ_ASSERT(ipcDoc);
if (!ipcDoc) {
return;
}
IAccessibleHolder proxyHolder;
if (!ipcDoc->SendGetWindowedPluginIAccessible(
reinterpret_cast<uintptr_t>(mHwnd), &proxyHolder)) {
return;
}
mCOMProxy.reset(proxyHolder.Release());
return;
}
#endif
// The plugin is not windowless. In this situation we use
// use its inner child owned by the plugin so that we don't get
// in an infinite loop, where the WM_GETOBJECT's get forwarded
@ -92,14 +73,6 @@ HTMLWin32ObjectAccessible::HTMLWin32ObjectAccessible(void* aHwnd,
void
HTMLWin32ObjectAccessible::GetNativeInterface(void** aNativeAccessible)
{
#if defined(MOZ_CONTENT_SANDBOX)
if (XRE_IsContentProcess()) {
RefPtr<IAccessible> addRefed = mCOMProxy.get();
addRefed.forget(aNativeAccessible);
return;
}
#endif
if (mHwnd) {
::AccessibleObjectFromWindow(static_cast<HWND>(mHwnd),
OBJID_WINDOW, IID_IAccessible,

7
accessible/windows/msaa/HTMLWin32ObjectAccessible.h

@ -8,10 +8,6 @@
#include "BaseAccessibles.h"
#if defined(MOZ_CONTENT_SANDBOX)
#include "mozilla/mscom/Ptr.h"
#endif
struct IAccessible;
namespace mozilla {
@ -59,9 +55,6 @@ public:
protected:
void* mHwnd;
#if defined(MOZ_CONTENT_SANDBOX)
mscom::ProxyUniquePtr<IAccessible> mCOMProxy;
#endif
};
} // namespace a11y

6
application/palemoon/app/nsBrowserApp.cpp

@ -265,12 +265,6 @@ static int do_main(int argc, char* argv[], char* envp[], nsIFile *xreDirectory)
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
sandbox::BrokerServices* brokerServices =
sandboxing::GetInitializedBrokerServices();
#if defined(MOZ_CONTENT_SANDBOX)
if (!brokerServices) {
Output("Couldn't initialize the broker services.\n");
return 255;
}
#endif
appData.sandboxBrokerServices = brokerServices;
#endif

6
browser/app/nsBrowserApp.cpp

@ -265,12 +265,6 @@ static int do_main(int argc, char* argv[], char* envp[], nsIFile *xreDirectory)
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
sandbox::BrokerServices* brokerServices =
sandboxing::GetInitializedBrokerServices();
#if defined(MOZ_CONTENT_SANDBOX)
if (!brokerServices) {
Output("Couldn't initialize the broker services.\n");
return 255;
}
#endif
appData.sandboxBrokerServices = brokerServices;
#endif

68
browser/app/profile/firefox.js

@ -945,74 +945,6 @@ pref("dom.ipc.plugins.sandbox-level.flash", 2);
#else
pref("dom.ipc.plugins.sandbox-level.flash", 0);
#endif
#if defined(MOZ_CONTENT_SANDBOX)
// This controls the strength of the Windows content process sandbox for testing
// purposes. This will require a restart.
// On windows these levels are:
// See - security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
// SetSecurityLevelForContentProcess() for what the different settings mean.
#if defined(NIGHTLY_BUILD)
pref("security.sandbox.content.level", 2);
#else
pref("security.sandbox.content.level", 1);
#endif
// This controls the depth of stack trace that is logged when Windows sandbox
// logging is turned on. This is only currently available for the content
// process because the only other sandbox (for GMP) has too strict a policy to
// allow stack tracing. This does not require a restart to take effect.
pref("security.sandbox.windows.log.stackTraceDepth", 0);
#endif
#endif
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
// This pref is discussed in bug 1083344, the naming is inspired from its
// Windows counterpart, but on Mac it's an integer which means:
// 0 -> "no sandbox"
// 1 -> "preliminary content sandboxing enabled: write access to
// home directory is prevented"
// 2 -> "preliminary content sandboxing enabled with profile protection:
// write access to home directory is prevented, read and write access
// to ~/Library and profile directories are prevented (excluding
// $PROFILE/{extensions,weave})"
// This setting is read when the content process is started. On Mac the content
// process is killed when all windows are closed, so a change will take effect
// when the 1st window is opened.
#if defined(NIGHTLY_BUILD)
pref("security.sandbox.content.level", 2);
#else
pref("security.sandbox.content.level", 1);
#endif
#endif
#if defined(XP_LINUX) && defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
// This pref is introduced as part of bug 742434, the naming is inspired from
// its Windows/Mac counterpart, but on Linux it's an integer which means:
// 0 -> "no sandbox"
// 1 -> "content sandbox using seccomp-bpf when available"
// 2 -> "seccomp-bpf + file broker"
// Content sandboxing on Linux is currently in the stage of
// 'just getting it enabled', which includes a very permissive whitelist. We
// enable seccomp-bpf on nightly to see if everything is running, or if we need
// to whitelist more system calls.
//
// So the purpose of this setting is to allow nightly users to disable the
// sandbox while we fix their problems. This way, they won't have to wait for
// another nightly release which disables seccomp-bpf again.
//
// This setting may not be required anymore once we decide to permanently
// enable the content sandbox.
pref("security.sandbox.content.level", 2);
#endif
#if defined(XP_MACOSX) || defined(XP_WIN)
#if defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
// ID (a UUID when set by gecko) that is used to form the name of a
// sandbox-writable temporary directory to be used by content processes
// when a temporary writable file is required in a level 1 sandbox.
pref("security.sandbox.content.tempDirSuffix", "");
#endif
#endif
// This pref governs whether we attempt to work around problems caused by

196
dom/ipc/ContentChild.cpp

@ -65,21 +65,6 @@
#include "imgLoader.h"
#include "GMPServiceChild.h"
#if defined(MOZ_CONTENT_SANDBOX)
#if defined(XP_WIN)
#define TARGET_SANDBOX_EXPORTS
#include "mozilla/sandboxTarget.h"
#elif defined(XP_LINUX)
#include "mozilla/Sandbox.h"
#include "mozilla/SandboxInfo.h"
// Remove this include with Bug 1104619
#include "CubebUtils.h"
#elif defined(XP_MACOSX)
#include "mozilla/Sandbox.h"
#endif
#endif
#include "mozilla/Unused.h"
#include "mozInlineSpellChecker.h"
@ -1250,192 +1235,11 @@ ContentChild::AllocPProcessHangMonitorChild(Transport* aTransport,
return CreateHangMonitorChild(aTransport, aOtherProcess);
}
#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
#include <stdlib.h>
static bool
GetAppPaths(nsCString &aAppPath, nsCString &aAppBinaryPath, nsCString &aAppDir)
{
nsAutoCString appPath;
nsAutoCString appBinaryPath(
(CommandLine::ForCurrentProcess()->argv()[0]).c_str());
nsAutoCString::const_iterator start, end;
appBinaryPath.BeginReading(start);
appBinaryPath.EndReading(end);
if (RFindInReadable(NS_LITERAL_CSTRING(".app/Contents/MacOS/"), start, end)) {
end = start;
++end; ++end; ++end; ++end;
appBinaryPath.BeginReading(start);
appPath.Assign(Substring(start, end));
} else {
return false;
}
nsCOMPtr<nsIFile> app, appBinary;
nsresult rv = NS_NewLocalFile(NS_ConvertUTF8toUTF16(appPath),
true, getter_AddRefs(app));
if (NS_FAILED(rv)) {
return false;
}
rv = NS_NewLocalFile(NS_ConvertUTF8toUTF16(appBinaryPath),
true, getter_AddRefs(appBinary));
if (NS_FAILED(rv)) {
return false;
}
nsCOMPtr<nsIFile> appDir;
nsCOMPtr<nsIProperties> dirSvc =
do_GetService(NS_DIRECTORY_SERVICE_CONTRACTID);
if (!dirSvc) {
return false;
}
rv = dirSvc->Get(NS_XPCOM_CURRENT_PROCESS_DIR,
NS_GET_IID(nsIFile), getter_AddRefs(appDir));
if (NS_FAILED(rv)) {
return false;
}
bool exists;
rv = appDir->Exists(&exists);
if (NS_FAILED(rv) || !exists) {
return false;
}
bool isLink;
app->IsSymlink(&isLink);
if (isLink) {
app->GetNativeTarget(aAppPath);
} else {
app->GetNativePath(aAppPath);
}
appBinary->IsSymlink(&isLink);
if (isLink) {
appBinary->GetNativeTarget(aAppBinaryPath);
} else {
appBinary->GetNativePath(aAppBinaryPath);
}
appDir->IsSymlink(&isLink);
if (isLink) {
appDir->GetNativeTarget(aAppDir);
} else {
appDir->GetNativePath(aAppDir);
}
return true;
}
static bool
StartMacOSContentSandbox()
{
int sandboxLevel = Preferences::GetInt("security.sandbox.content.level");
if (sandboxLevel < 1) {
return false;
}
nsAutoCString appPath, appBinaryPath, appDir;
if (!GetAppPaths(appPath, appBinaryPath, appDir)) {
MOZ_CRASH("Error resolving child process path");
}
// During sandboxed content process startup, before reaching
// this point, NS_OS_TEMP_DIR is modified to refer to a sandbox-
// writable temporary directory
nsCOMPtr<nsIFile> tempDir;
nsresult rv = nsDirectoryService::gService->Get(NS_OS_TEMP_DIR,
NS_GET_IID(nsIFile), getter_AddRefs(tempDir));
if (NS_FAILED(rv)) {
MOZ_CRASH("Failed to get NS_OS_TEMP_DIR");
}
nsAutoCString tempDirPath;
tempDir->Normalize();
rv = tempDir->GetNativePath(tempDirPath);
if (NS_FAILED(rv)) {
MOZ_CRASH("Failed to get NS_OS_TEMP_DIR path");
}
nsCOMPtr<nsIFile> profileDir;
ContentChild::GetSingleton()->GetProfileDir(getter_AddRefs(profileDir));
nsCString profileDirPath;
if (profileDir) {
rv = profileDir->GetNativePath(profileDirPath);
if (NS_FAILED(rv) || profileDirPath.IsEmpty()) {
MOZ_CRASH("Failed to get profile path");
}
}
MacSandboxInfo info;
info.type = MacSandboxType_Content;
info.level = info.level = sandboxLevel;
info.appPath.assign(appPath.get());
info.appBinaryPath.assign(appBinaryPath.get());
info.appDir.assign(appDir.get());
info.appTempDir.assign(tempDirPath.get());
if (profileDir) {
info.hasSandboxedProfile = true;
info.profileDir.assign(profileDirPath.get());
} else {
info.hasSandboxedProfile = false;
}
std::string err;
if (!mozilla::StartMacSandbox(info, err)) {
NS_WARNING(err.c_str());
MOZ_CRASH("sandbox_init() failed");
}
return true;
}
#endif
bool
ContentChild::RecvSetProcessSandbox(const MaybeFileDesc& aBroker)
{
// We may want to move the sandbox initialization somewhere else
// at some point; see bug 880808.
#if defined(MOZ_CONTENT_SANDBOX)
bool sandboxEnabled = true;
#if defined(XP_LINUX)
#if defined(MOZ_WIDGET_GONK) && ANDROID_VERSION >= 19
// For B2G >= KitKat, sandboxing is mandatory; this has already
// been enforced by ContentParent::StartUp().
MOZ_ASSERT(SandboxInfo::Get().CanSandboxContent());
#else
// Otherwise, sandboxing is best-effort.
if (!SandboxInfo::Get().CanSandboxContent()) {
sandboxEnabled = false;
} else {
// This triggers the initialization of cubeb, which needs to happen
// before seccomp is enabled (Bug 1259508). It also increases the startup
// time of the content process, because cubeb is usually initialized
// when it is actually needed. This call here is no longer required
// once Bug 1104619 (remoting audio) is resolved.
Unused << CubebUtils::GetCubebContext();
}
#endif /* MOZ_WIDGET_GONK && ANDROID_VERSION >= 19 */
if (sandboxEnabled) {
int brokerFd = -1;
if (aBroker.type() == MaybeFileDesc::TFileDescriptor) {
auto fd = aBroker.get_FileDescriptor().ClonePlatformHandle();
brokerFd = fd.release();
// brokerFd < 0 means to allow direct filesystem access, so
// make absolutely sure that doesn't happen if the parent
// didn't intend it.
MOZ_RELEASE_ASSERT(brokerFd >= 0);
}
sandboxEnabled = SetContentProcessSandbox(brokerFd);
}
#elif defined(XP_WIN)
mozilla::SandboxTarget::Instance()->StartSandbox();
#elif defined(XP_MACOSX)
sandboxEnabled = StartMacOSContentSandbox();
#endif
#endif /* MOZ_CONTENT_SANDBOX */
return true;
}

21
dom/ipc/ContentChild.h

@ -21,10 +21,6 @@
#include "nsWeakPtr.h"
#include "nsIWindowProvider.h"
#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
#include "nsIFile.h"
#endif
struct ChromePackage;
class nsIObserver;
struct SubstitutionMapping;
@ -118,19 +114,6 @@ public:
void GetProcessName(nsACString& aName) const;
#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
void GetProfileDir(nsIFile** aProfileDir) const
{
*aProfileDir = mProfileDir;
NS_IF_ADDREF(*aProfileDir);
}
void SetProfileDir(nsIFile* aProfileDir)
{
mProfileDir = aProfileDir;
}
#endif
bool IsAlive() const;
bool IsShuttingDown() const;
@ -679,10 +662,6 @@ private:
nsCOMPtr<nsIDomainPolicy> mPolicy;
nsCOMPtr<nsITimer> mForceKillTimer;
#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
nsCOMPtr<nsIFile> mProfileDir;
#endif
// Hashtable to keep track of the pending GetFilesHelper objects.
// This GetFilesHelperChild objects are removed when RecvGetFilesResponse is
// received.

60
dom/ipc/ContentParent.cpp

@ -230,12 +230,6 @@ using namespace mozilla::system;
#include "mozilla/dom/SpeechSynthesisParent.h"
#endif
#if defined(MOZ_CONTENT_SANDBOX) && defined(XP_LINUX)
#include "mozilla/SandboxInfo.h"
#include "mozilla/SandboxBroker.h"
#include "mozilla/SandboxBrokerPolicyFactory.h"
#endif
#ifdef MOZ_TOOLKIT_SEARCH
#include "nsIBrowserSearchService.h"
#endif
@ -503,9 +497,6 @@ nsTArray<ContentParent*>* ContentParent::sNonAppContentParents;
nsTArray<ContentParent*>* ContentParent::sLargeAllocationContentParents;
nsTArray<ContentParent*>* ContentParent::sPrivateContent;
StaticAutoPtr<LinkedList<ContentParent> > ContentParent::sContentParents;
#if defined(XP_LINUX) && defined(MOZ_CONTENT_SANDBOX)
UniquePtr<SandboxBrokerPolicyFactory> ContentParent::sSandboxBrokerPolicyFactory;
#endif
// This is true when subprocess launching is enabled. This is the
// case between StartUp() and ShutDown() or JoinAllSubprocesses().
@ -637,18 +628,6 @@ ContentParent::StartUp()
return;
}
#if defined(MOZ_CONTENT_SANDBOX) && defined(MOZ_WIDGET_GONK) && ANDROID_VERSION >= 19
// Require sandboxing on B2G >= KitKat. This condition must stay
// in sync with ContentChild::RecvSetProcessSandbox.
if (!SandboxInfo::Get().CanSandboxContent()) {
// MOZ_CRASH strings are only for debug builds; make sure the
// message is clear on non-debug builds as well:
printf_stderr("Sandboxing support is required on this platform. "
"Recompile kernel with CONFIG_SECCOMP_FILTER=y\n");
MOZ_CRASH("Sandboxing support is required on this platform.");
}
#endif
// Note: This reporter measures all ContentParents.
RegisterStrongMemoryReporter(new ContentParentsMemoryReporter());
@ -662,10 +641,6 @@ ContentParent::StartUp()
PreallocatedProcessManager::AllocateAfterDelay();
sDisableUnsafeCPOWWarnings = PR_GetEnv("DISABLE_UNSAFE_CPOW_WARNINGS");
#if defined(XP_LINUX) && defined(MOZ_CONTENT_SANDBOX)
sSandboxBrokerPolicyFactory = MakeUnique<SandboxBrokerPolicyFactory>();
#endif
}
/*static*/ void
@ -674,10 +649,6 @@ ContentParent::ShutDown()
// No-op for now. We rely on normal process shutdown and
// ClearOnShutdown() to clean up our state.
sCanLaunchSubprocesses = false;
#if defined(XP_LINUX) && defined(MOZ_CONTENT_SANDBOX)
sSandboxBrokerPolicyFactory = nullptr;
#endif
}
/*static*/ void
@ -2244,37 +2215,6 @@ ContentParent::InitInternal(ProcessPriority aInitialPriority,
}
}
#ifdef MOZ_CONTENT_SANDBOX
bool shouldSandbox = true;
MaybeFileDesc brokerFd = void_t();
#ifdef XP_LINUX
// XXX: Checking the pref here makes it possible to enable/disable sandboxing
// during an active session. Currently the pref is only used for testing
// purpose. If the decision is made to permanently rely on the pref, this
// should be changed so that it is required to restart firefox for the change
// of value to take effect.
shouldSandbox = (Preferences::GetInt("security.sandbox.content.level") > 0) &&
!PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX");
if (shouldSandbox) {
MOZ_ASSERT(!mSandboxBroker);
UniquePtr<SandboxBroker::Policy> policy =
sSandboxBrokerPolicyFactory->GetContentPolicy(Pid());
if (policy) {
brokerFd = FileDescriptor();
mSandboxBroker = SandboxBroker::Create(Move(policy), Pid(), brokerFd);
if (!mSandboxBroker) {
KillHard("SandboxBroker::Create failed");
return;
}
MOZ_ASSERT(static_cast<const FileDescriptor&>(brokerFd).IsValid());
}
}
#endif
if (shouldSandbox && !SendSetProcessSandbox(brokerFd)) {
KillHard("SandboxInitFailed");
}
#endif
#if defined(XP_WIN)
// Send the info needed to join the browser process's audio session.
nsID id;

11
dom/ipc/ContentParent.h

@ -46,11 +46,6 @@ class PRemoteSpellcheckEngineParent;
class ProfileGatherer;
#endif
#if defined(XP_LINUX) && defined(MOZ_CONTENT_SANDBOX)
class SandboxBroker;
class SandboxBrokerPolicyFactory;
#endif
namespace embedding {
class PrintingParent;
}
@ -1152,12 +1147,6 @@ private:
UniquePtr<gfx::DriverCrashGuard> mDriverCrashGuard;
#if defined(XP_LINUX) && defined(MOZ_CONTENT_SANDBOX)
mozilla::UniquePtr<SandboxBroker> mSandboxBroker;
static mozilla::UniquePtr<SandboxBrokerPolicyFactory>
sSandboxBrokerPolicyFactory;
#endif
#ifdef NS_PRINTING
RefPtr<embedding::PrintingParent> mPrintingParent;
#endif

118
dom/ipc/ContentProcess.cpp

@ -8,127 +8,17 @@
#include "ContentProcess.h"
#if defined(XP_WIN) && defined(MOZ_CONTENT_SANDBOX)
#include "mozilla/WindowsVersion.h"
#endif
#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
#include <stdlib.h>
#endif
#if (defined(XP_WIN) || defined(XP_MACOSX)) && defined(MOZ_CONTENT_SANDBOX)
#include "mozilla/Preferences.h"
#include "nsAppDirectoryServiceDefs.h"
#include "nsDirectoryService.h"
#include "nsDirectoryServiceDefs.h"
#endif
using mozilla::ipc::IOThreadChild;
namespace mozilla {
namespace dom {
#if defined(XP_WIN) && defined(MOZ_CONTENT_SANDBOX)
static bool
IsSandboxTempDirRequired()
{
// On Windows, a sandbox-writable temp directory is only used
// for Vista or later with sandbox pref level >= 1.
return (IsVistaOrLater() &&
(Preferences::GetInt("security.sandbox.content.level") >= 1));
}
static void
SetTmpEnvironmentVariable(nsIFile* aValue)
{
// Save the TMP environment variable so that is is picked up by GetTempPath().
// Note that we specifically write to the TMP variable, as that is the first
// variable that is checked by GetTempPath() to determine its output.
nsAutoString fullTmpPath;
nsresult rv = aValue->GetPath(fullTmpPath);
if (NS_WARN_IF(NS_FAILED(rv))) {
return;
}
Unused << NS_WARN_IF(!SetEnvironmentVariableW(L"TMP", fullTmpPath.get()));
// We also set TEMP in case there is naughty third-party code that is
// referencing the environment variable directly.
Unused << NS_WARN_IF(!SetEnvironmentVariableW(L"TEMP", fullTmpPath.get()));
}
#endif
#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
static bool
IsSandboxTempDirRequired()
{
// On OSX, use the sandbox-writable temp when the pref level >= 1.
return (Preferences::GetInt("security.sandbox.content.level") >= 1);
}
static void
SetTmpEnvironmentVariable(nsIFile* aValue)
{
nsAutoCString fullTmpPath;
nsresult rv = aValue->GetNativePath(fullTmpPath);
if (NS_WARN_IF(NS_FAILED(rv))) {
return;
}
Unused << NS_WARN_IF(setenv("TMPDIR", fullTmpPath.get(), 1) != 0);
}
#endif
#if (defined(XP_WIN) || defined(XP_MACOSX)) && defined(MOZ_CONTENT_SANDBOX)
static void
SetUpSandboxEnvironment()
{
MOZ_ASSERT(nsDirectoryService::gService,
"SetUpSandboxEnvironment relies on nsDirectoryService being initialized");
if (!IsSandboxTempDirRequired()) {
return;
}
nsCOMPtr<nsIFile> sandboxedContentTemp;
nsresult rv =
nsDirectoryService::gService->Get(NS_APP_CONTENT_PROCESS_TEMP_DIR,
NS_GET_IID(nsIFile),
getter_AddRefs(sandboxedContentTemp));
if (NS_WARN_IF(NS_FAILED(rv))) {
return;
}
// Change the gecko defined temp directory to our sandbox-writable one.
// Undefine returns a failure if the property is not already set.
Unused << nsDirectoryService::gService->Undefine(NS_OS_TEMP_DIR);
rv = nsDirectoryService::gService->Set(NS_OS_TEMP_DIR, sandboxedContentTemp);
if (NS_WARN_IF(NS_FAILED(rv))) {
return;
}
SetTmpEnvironmentVariable(sandboxedContentTemp);
}
#endif
void
ContentProcess::SetAppDir(const nsACString& aPath)
{
mXREEmbed.SetAppDir(aPath);
}
#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
void
ContentProcess::SetProfile(const nsACString& aProfile)
{
bool flag;
nsresult rv =
XRE_GetFileFromPath(aProfile.BeginReading(), getter_AddRefs(mProfileDir));
if (NS_FAILED(rv) ||
NS_FAILED(mProfileDir->Exists(&flag)) || !flag) {
NS_WARNING("Invalid profile directory passed to content process.");
mProfileDir = nullptr;
}
}
#endif
bool
ContentProcess::Init()
{
@ -139,14 +29,6 @@ ContentProcess::Init()
mContent.InitXPCOM();
mContent.InitGraphicsDeviceData();
#if (defined(XP_MACOSX)) && defined(MOZ_CONTENT_SANDBOX)
mContent.SetProfileDir(mProfileDir);
#endif
#if (defined(XP_WIN) || defined(XP_MACOSX)) && defined(MOZ_CONTENT_SANDBOX)
SetUpSandboxEnvironment();
#endif
return true;
}

8
dom/ipc/ContentProcess.h

@ -39,18 +39,10 @@ public:
void SetAppDir(const nsACString& aPath);
#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
void SetProfile(const nsACString& aProfile);
#endif
private:
ContentChild mContent;
mozilla::ipc::ScopedXREEmbed mXREEmbed;
#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
nsCOMPtr<nsIFile> mProfileDir;
#endif
#if defined(XP_WIN)
// This object initializes and configures COM.
mozilla::mscom::MainThreadRuntime mCOMRuntime;

5
dom/ipc/moz.build

@ -112,11 +112,6 @@ if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_TARGET'] == 'Darwin':
'mozsandbox',
]
if CONFIG['MOZ_CONTENT_SANDBOX'] and CONFIG['OS_ARCH'] == 'Linux':
USE_LIBS += [
'mozsandbox',
]
LOCAL_INCLUDES += [
'/caps',
'/chrome',

4
ipc/contentproc/plugin-container.cpp

@ -49,10 +49,6 @@
"Gecko:MozillaRntimeMain", __VA_ARGS__)) \
: (void)0 )
# ifdef MOZ_CONTENT_SANDBOX
# include "mozilla/Sandbox.h"
# endif
#endif // MOZ_WIDGET_GONK
#ifdef MOZ_WIDGET_GONK

38
ipc/glue/GeckoChildProcessHost.cpp

@ -23,10 +23,6 @@
#include "prenv.h"
#include "nsXPCOMPrivate.h"
#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
#include "nsAppDirectoryServiceDefs.h"
#endif
#include "nsExceptionHandler.h"
#include "nsDirectoryServiceDefs.h"
@ -312,15 +308,6 @@ GeckoChildProcessHost::PrepareLaunch()
InitWindowsGroupID();
}
#if defined(MOZ_CONTENT_SANDBOX)
// We need to get the pref here as the process is launched off main thread.
if (mProcessType == GeckoProcessType_Content) {
mSandboxLevel = Preferences::GetInt("security.sandbox.content.level");
mEnableSandboxLogging =
Preferences::GetBool("security.sandbox.windows.log");
}
#endif
#if defined(MOZ_SANDBOX)
// For other process types we can't rely on them being launched on main
// thread and they may not have access to prefs in the child process, so allow
@ -608,20 +595,6 @@ AddAppDirToCommandLine(std::vector<std::string>& aCmdLine)
aCmdLine.push_back(path.get());
#endif
}
#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
// Full path to the profile dir
nsCOMPtr<nsIFile> profileDir;
rv = directoryService->Get(NS_APP_USER_PROFILE_50_DIR,
NS_GET_IID(nsIFile),
getter_AddRefs(profileDir));
if (NS_SUCCEEDED(rv)) {
nsAutoCString path;
MOZ_ALWAYS_SUCCEEDS(profileDir->GetNativePath(path));
aCmdLine.push_back("-profile");
aCmdLine.push_back(path.get());
}
#endif
}
}
}
@ -1029,17 +1002,6 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
// of reorganizing so I don't think this patch is the right time.
switch (mProcessType) {
case GeckoProcessType_Content:
#if defined(MOZ_CONTENT_SANDBOX)
if (mSandboxLevel > 0 &&
!PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
// For now we treat every failure as fatal in SetSecurityLevelForContentProcess
// and just crash there right away. Should this change in the future then we
// should also handle the error here.
mSandboxBroker.SetSecurityLevelForContentProcess(mSandboxLevel);
shouldSandboxCurrentProcess = true;
AddContentSandboxAllowedFiles(mSandboxLevel, mAllowedFilesRead);
}
#endif // MOZ_CONTENT_SANDBOX
break;
case GeckoProcessType_Plugin:
if (mSandboxLevel > 0 &&

5
ipc/mscom/InterceptorLog.cpp

@ -98,13 +98,8 @@ Logger::Logger(const nsACString& aLeafBaseName)
rv = NS_GetSpecialDirectory(NS_OS_TEMP_DIR, getter_AddRefs(logFileName));
} else if (procType == GeckoProcessType_Content) {
leafName.AppendLiteral("-Content-");
#if defined(MOZ_CONTENT_SANDBOX)
rv = NS_GetSpecialDirectory(NS_APP_CONTENT_PROCESS_TEMP_DIR,
getter_AddRefs(logFileName));
#else
rv = NS_GetSpecialDirectory(NS_OS_TEMP_DIR,
getter_AddRefs(logFileName));
#endif // defined(MOZ_CONTENT_SANDBOX)
} else {
return;
}

42
old-configure.in

@ -2311,7 +2311,6 @@ MOZ_INSTALL_TRACKING=
ACCESSIBILITY=1
MOZ_TIME_MANAGER=
MOZ_AUDIO_CHANNEL_MANAGER=
MOZ_CONTENT_SANDBOX=
MOZ_GMP_SANDBOX=
MOZ_SANDBOX=
MOZ_BINARY_EXTENSIONS=
@ -3943,45 +3942,6 @@ if test -n "$MOZ_TSAN" -o -n "$MOZ_ASAN"; then
esac
fi
dnl ========================================================
dnl = Content process sandboxing
dnl ========================================================
if test -n "$gonkdir"; then
MOZ_CONTENT_SANDBOX=$MOZ_SANDBOX
fi
case "$OS_TARGET:$NIGHTLY_BUILD" in
WINNT:*)
MOZ_CONTENT_SANDBOX=$MOZ_SANDBOX
;;
Darwin:*)
MOZ_CONTENT_SANDBOX=$MOZ_SANDBOX
;;
Linux:1)
case $CPU_ARCH in
x86_64|x86)
MOZ_CONTENT_SANDBOX=$MOZ_SANDBOX
;;
esac
;;
esac
MOZ_ARG_ENABLE_BOOL(content-sandbox,
[ --enable-content-sandbox Enable sandboxing support for content-processes
--disable-content-sandbox Disable sandboxing support for content-processes],
MOZ_CONTENT_SANDBOX=1,
MOZ_CONTENT_SANDBOX=)
if test -n "$MOZ_CONTENT_SANDBOX" -a -z "$MOZ_SANDBOX"; then
AC_MSG_ERROR([--enable-content-sandbox and --disable-sandbox are conflicting options])
fi
if test -n "$MOZ_CONTENT_SANDBOX"; then
AC_DEFINE(MOZ_CONTENT_SANDBOX)
fi
AC_SUBST(MOZ_CONTENT_SANDBOX)
dnl ========================================================
dnl = Gecko Media Plugin sandboxing
dnl ========================================================
@ -4007,7 +3967,7 @@ fi
AC_SUBST(MOZ_GMP_SANDBOX)
if test -z "$MOZ_CONTENT_SANDBOX" -a -z "$MOZ_GMP_SANDBOX"; then
if test -z "$MOZ_GMP_SANDBOX"; then
MOZ_SANDBOX=
fi

9
security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h

@ -89,15 +89,6 @@ InitLoggingIfRequired(ProvideLogFunctionCb aProvideLogFunctionCb)
if (Preferences::GetBool("security.sandbox.windows.log") ||
PR_GetEnv("MOZ_WIN_SANDBOX_LOGGING")) {
aProvideLogFunctionCb(Log);
#if defined(MOZ_CONTENT_SANDBOX)
// We can only log the stack trace on process types where we know that the
// sandbox won't prevent it.
if (XRE_IsContentProcess()) {
Preferences::AddUintVarCache(&sStackTraceDepth,
"security.sandbox.windows.log.stackTraceDepth");
}
#endif
}
}

28
security/sandbox/linux/Sandbox.cpp

@ -626,34 +626,6 @@ SandboxEarlyInit(GeckoProcessType aType)
}
}
#ifdef MOZ_CONTENT_SANDBOX
/**
* Starts the seccomp sandbox for a content process. Should be called
* only once, and before any potentially harmful content is loaded.
*
* Will normally make the process exit on failure.
*/
bool
SetContentProcessSandbox(int aBrokerFd)
{
if (!SandboxInfo::Get().Test(SandboxInfo::kEnabledForContent)) {
if (aBrokerFd >= 0) {
close(aBrokerFd);
}
return false;
}
// This needs to live until the process exits.
static Maybe<SandboxBrokerClient> sBroker;
if (aBrokerFd >= 0) {
sBroker.emplace(aBrokerFd);
}
SetCurrentProcessSandbox(GetContentSandboxPolicy(sBroker.ptrOr(nullptr)));
return true;
}
#endif // MOZ_CONTENT_SANDBOX
#ifdef MOZ_GMP_SANDBOX
/**
* Starts the seccomp sandbox for a media plugin process. Should be

8
security/sandbox/linux/Sandbox.h

@ -19,14 +19,6 @@ namespace mozilla {
// This must be called early, while the process is still single-threaded.
MOZ_EXPORT void SandboxEarlyInit(GeckoProcessType aType);
#ifdef MOZ_CONTENT_SANDBOX
// Call only if SandboxInfo::CanSandboxContent() returns true.
// (No-op if MOZ_DISABLE_CONTENT_SANDBOX is set.)
// aBrokerFd is the filesystem broker client file descriptor,
// or -1 to allow direct filesystem access.
MOZ_EXPORT bool SetContentProcessSandbox(int aBrokerFd);
#endif
#ifdef MOZ_GMP_SANDBOX
// Call only if SandboxInfo::CanSandboxMedia() returns true.
// (No-op if MOZ_DISABLE_GMP_SANDBOX is set.)

489
security/sandbox/linux/SandboxFilter.cpp

@ -340,495 +340,6 @@ public:
// The process-type-specific syscall rules start here:
#ifdef MOZ_CONTENT_SANDBOX
// The seccomp-bpf filter for content processes is not a true sandbox
// on its own; its purpose is attack surface reduction and syscall
// interception in support of a semantic sandboxing layer. On B2G
// this is the Android process permission model; on desktop,
// namespaces and chroot() will be used.
class ContentSandboxPolicy : public SandboxPolicyCommon {
SandboxBrokerClient* mBroker;
// Trap handlers for filesystem brokering.
// (The amount of code duplication here could be improved....)
#ifdef __NR_open
static intptr_t OpenTrap(ArgsRef aArgs, void* aux) {
auto broker = static_cast<SandboxBrokerClient*>(aux);
auto path = reinterpret_cast<const char*>(aArgs.args[0]);
auto flags = static_cast<int>(aArgs.args[1]);
return broker->Open(path, flags);
}
#endif
static intptr_t OpenAtTrap(ArgsRef aArgs, void* aux) {
auto broker = static_cast<SandboxBrokerClient*>(aux);
auto fd = static_cast<int>(aArgs.args[0]);
auto path = reinterpret_cast<const char*>(aArgs.args[1]);
auto flags = static_cast<int>(aArgs.args[2]);
if (fd != AT_FDCWD && path[0] != '/') {
SANDBOX_LOG_ERROR("unsupported fd-relative openat(%d, \"%s\", 0%o)",
fd, path, flags);
return BlockedSyscallTrap(aArgs, nullptr);
}
return broker->Open(path, flags);
}
#ifdef __NR_access
static intptr_t AccessTrap(ArgsRef aArgs, void* aux) {
auto broker = static_cast<SandboxBrokerClient*>(aux);
auto path = reinterpret_cast<const char*>(aArgs.args[0]);
auto mode = static_cast<int>(aArgs.args[1]);
return broker->Access(path, mode);
}
#endif
static intptr_t AccessAtTrap(ArgsRef aArgs, void* aux) {
auto broker = static_cast<SandboxBrokerClient*>(aux);
auto fd = static_cast<int>(aArgs.args[0]);
auto path = reinterpret_cast<const char*>(aArgs.args[1]);
auto mode = static_cast<int>(aArgs.args[2]);
// Linux's faccessat syscall has no "flags" argument. Attempting
// to handle the flags != 0 case is left to userspace; this is
// impossible to do correctly in all cases, but that's not our
// problem.
if (fd != AT_FDCWD && path[0] != '/') {
SANDBOX_LOG_ERROR("unsupported fd-relative faccessat(%d, \"%s\", %d)",
fd, path, mode);
return BlockedSyscallTrap(aArgs, nullptr);
}
return broker->Access(path, mode);
}
static intptr_t StatTrap(ArgsRef aArgs, void* aux) {
auto broker = static_cast<SandboxBrokerClient*>(aux);
auto path = reinterpret_cast<const char*>(aArgs.args[0]);
auto buf = reinterpret_cast<statstruct*>(aArgs.args[1]);
return broker->Stat(path, buf);
}
static intptr_t LStatTrap(ArgsRef aArgs, void* aux) {
auto broker = static_cast<SandboxBrokerClient*>(aux);
auto path = reinterpret_cast<const char*>(aArgs.args[0]);
auto buf = reinterpret_cast<statstruct*>(aArgs.args[1]);
return broker->LStat(path, buf);
}
static intptr_t StatAtTrap(ArgsRef aArgs, void* aux) {
auto broker = static_cast<SandboxBrokerClient*>(aux);
auto fd = static_cast<int>(aArgs.args[0]);
auto path = reinterpret_cast<const char*>(aArgs.args[1]);
auto buf = reinterpret_cast<statstruct*>(aArgs.args[2]);
auto flags = static_cast<int>(aArgs.args[3]);
if (fd != AT_FDCWD && path[0] != '/') {
SANDBOX_LOG_ERROR("unsupported fd-relative fstatat(%d, \"%s\", %p, %d)",
fd, path, buf, flags);
return BlockedSyscallTrap(aArgs, nullptr);
}
if ((flags & ~AT_SYMLINK_NOFOLLOW) != 0) {
SANDBOX_LOG_ERROR("unsupported flags %d in fstatat(%d, \"%s\", %p, %d)",
(flags & ~AT_SYMLINK_NOFOLLOW), fd, path, buf, flags);
return BlockedSyscallTrap(aArgs, nullptr);
}
return (flags & AT_SYMLINK_NOFOLLOW) == 0
? broker->Stat(path, buf)
: broker->LStat(path, buf);
}
static intptr_t ChmodTrap(ArgsRef aArgs, void* aux) {
auto broker = static_cast<SandboxBrokerClient*>(aux);
auto path = reinterpret_cast<const char*>(aArgs.args[0]);
auto mode = static_cast<mode_t>(aArgs.args[1]);
return broker->Chmod(path, mode);
}
static intptr_t LinkTrap(ArgsRef aArgs, void *aux) {
auto broker = static_cast<SandboxBrokerClient*>(aux);
auto path = reinterpret_cast<const char*>(aArgs.args[0]);
auto path2 = reinterpret_cast<const char*>(aArgs.args[1]);
return broker->Link(path, path2);
}
static intptr_t SymlinkTrap(ArgsRef aArgs, void *aux) {
auto broker = static_cast<SandboxBrokerClient*>(aux);
auto path = reinterpret_cast<const char*>(aArgs.args[0]);
auto path2 = reinterpret_cast<const char*>(aArgs.args[1]);
return broker->Symlink(path, path2);
}
static intptr_t RenameTrap(ArgsRef aArgs, void *aux) {
auto broker = static_cast<SandboxBrokerClient*>(aux);
auto path = reinterpret_cast<const char*>(aArgs.args[0]);
auto path2 = reinterpret_cast<const char*>(aArgs.args[1]);
return broker->Rename(path, path2);
}
static intptr_t MkdirTrap(ArgsRef aArgs, void* aux) {
auto broker = static_cast<SandboxBrokerClient*>(aux);
auto path = reinterpret_cast<const char*>(aArgs.args[0]);
auto mode = static_cast<mode_t>(aArgs.args[1]);
return broker->Mkdir(path, mode);
}
static intptr_t RmdirTrap(ArgsRef aArgs, void* aux) {
auto broker = static_cast<SandboxBrokerClient*>(aux);
auto path = reinterpret_cast<const char*>(aArgs.args[0]);
return broker->Rmdir(path);
}
static intptr_t UnlinkTrap(ArgsRef aArgs, void* aux) {
auto broker = static_cast<SandboxBrokerClient*>(aux);
auto path = reinterpret_cast<const char*>(aArgs.args[0]);
return broker->Unlink(path);
}
static intptr_t ReadlinkTrap(ArgsRef aArgs, void* aux) {
auto broker = static_cast<SandboxBrokerClient*>(aux);
auto path = reinterpret_cast<const char*>(aArgs.args[0]);
auto buf = reinterpret_cast<char*>(aArgs.args[1]);
auto size = static_cast<size_t>(aArgs.args[2]);
return broker->Readlink(path, buf, size);
}
static intptr_t GetPPidTrap(ArgsRef aArgs, void* aux) {
// In a pid namespace, getppid() will return 0. We will return 0 instead
// of the real parent pid to see what breaks when we introduce the
// pid namespace (Bug 1151624).
return 0;
}
public:
explicit ContentSandboxPolicy(SandboxBrokerClient* aBroker):mBroker(aBroker) { }
virtual ~ContentSandboxPolicy() { }
virtual ResultExpr PrctlPolicy() const override {
// Ideally this should be restricted to a whitelist, but content
// uses enough things that it's not trivial to determine it.
return Allow();
}
virtual Maybe<ResultExpr> EvaluateSocketCall(int aCall) const override {
switch(aCall) {
case SYS_RECVFROM:
case SYS_SENDTO:
return Some(Allow());
case SYS_SOCKETPAIR: {
// See bug 1066750.
if (!kSocketCallHasArgs) {
// We can't filter the args if the platform passes them by pointer.
return Some(Allow());
}
Arg<int> domain(0), type(1);
return Some(If(AllOf(domain == AF_UNIX,
AnyOf(type == SOCK_STREAM, type == SOCK_SEQPACKET)),
Allow())
.Else(InvalidSyscall()));
}
#ifdef ANDROID
case SYS_SOCKET:
return Some(Error(EACCES));
#else // #ifdef DESKTOP
case SYS_RECV:
case SYS_SEND:
case SYS_SOCKET: // DANGEROUS
case SYS_CONNECT: // DANGEROUS
case SYS_ACCEPT:
case SYS_ACCEPT4:
case SYS_BIND:
case SYS_LISTEN:
case SYS_GETSOCKOPT:
case SYS_SETSOCKOPT:
case SYS_GETSOCKNAME:
case SYS_GETPEERNAME:
case SYS_SHUTDOWN:
return Some(Allow());
#endif
default:
return SandboxPolicyCommon::EvaluateSocketCall(aCall);
}
}
#ifdef DESKTOP
virtual Maybe<ResultExpr> EvaluateIpcCall(int aCall) const override {
switch(aCall) {
// These are a problem: SysV shared memory follows the Unix
// "same uid policy" and can't be restricted/brokered like file
// access. But the graphics layer might not be using them
// anymore; this needs to be studied.
case SHMGET:
case SHMCTL:
case SHMAT:
case SHMDT:
case SEMGET:
case SEMCTL:
case SEMOP:
case MSGGET:
return Some(Allow());
default:
return SandboxPolicyCommon::EvaluateIpcCall(aCall);
}
}
#endif
virtual ResultExpr EvaluateSyscall(int sysno) const override {
if (mBroker) {
// Have broker; route the appropriate syscalls to it.
switch (sysno) {
case __NR_open:
return Trap(OpenTrap, mBroker);
case __NR_openat:
return Trap(OpenAtTrap, mBroker);
case __NR_access:
return Trap(AccessTrap, mBroker);
case __NR_faccessat:
return Trap(AccessAtTrap, mBroker);
CASES_FOR_stat:
return Trap(StatTrap, mBroker);
CASES_FOR_lstat:
return Trap(LStatTrap, mBroker);
CASES_FOR_fstatat:
return Trap(StatAtTrap, mBroker);
case __NR_chmod:
return Trap(ChmodTrap, mBroker);
case __NR_link:
return Trap(LinkTrap, mBroker);
case __NR_mkdir:
return Trap(MkdirTrap, mBroker);
case __NR_symlink:
return Trap(SymlinkTrap, mBroker);
case __NR_rename:
return Trap(RenameTrap, mBroker);
case __NR_rmdir:
return Trap(RmdirTrap, mBroker);
case __NR_unlink:
return Trap(UnlinkTrap, mBroker);
case __NR_readlink:
return Trap(ReadlinkTrap, mBroker);
}
} else {
// No broker; allow the syscalls directly. )-:
switch(sysno) {
case __NR_open:
case __NR_openat:
case __NR_access:
case __NR_faccessat:
CASES_FOR_stat:
CASES_FOR_lstat:
CASES_FOR_fstatat:
case __NR_chmod:
case __NR_link:
case __NR_mkdir:
case __NR_symlink:
case __NR_rename:
case __NR_rmdir:
case __NR_unlink:
case __NR_readlink:
return Allow();
}
}
switch (sysno) {
#ifdef DESKTOP
case __NR_getppid:
return Trap(GetPPidTrap, nullptr);
// Filesystem syscalls that need more work to determine who's