
Remove sandbox ductwork conditional code.

pull/1/head
wolfbeast 4 years ago committed by Roy Tam
parent
commit
c8462db202
  1. 25
      application/palemoon/app/nsBrowserApp.cpp
  2. 15
      application/palemoon/installer/package-manifest.in
  3. 16
      browser/app/moz.build
  4. 26
      browser/app/nsBrowserApp.cpp
  5. 26
      browser/app/profile/firefox.js
  6. 15
      browser/installer/package-manifest.in
  7. 1
      build/directive4.py
  8. 6
      dom/ipc/moz.build
  9. 34
      dom/media/gmp/GMPProcessParent.cpp
  10. 8
      dom/media/gmp/rlz/GMPDeviceBinding.cpp
  11. 7
      dom/media/gmp/rlz/moz.build
  12. 19
      dom/plugins/base/nsPluginTags.cpp
  13. 10
      dom/plugins/ipc/PluginProcessChild.cpp
  14. 85
      dom/plugins/ipc/PluginProcessParent.cpp
  15. 6
      dom/plugins/ipc/moz.build
  16. 37
      ipc/app/moz.build
  17. 11
      ipc/app/pie/moz.build
  18. 5
      ipc/contentproc/moz.build
  19. 40
      ipc/contentproc/plugin-container.cpp
  20. 217
      ipc/glue/GeckoChildProcessHost.cpp
  21. 13
      ipc/glue/GeckoChildProcessHost.h
  22. 16
      ipc/glue/ProtocolUtils.cpp
  23. 7
      ipc/glue/moz.build
  24. 16
      js/xpconnect/shell/moz.build
  25. 7
      js/xpconnect/shell/xpcshell.cpp
  26. 13
      js/xpconnect/src/XPCShellImpl.cpp
  27. 5
      mobile/android/installer/package-manifest.in
  28. 20
      old-configure.in
  29. 2
      security/sandbox/chromium/base/time/time.cc
  30. 4
      security/sandbox/chromium/base/time/time.h
  31. 21
      toolkit/content/aboutSupport.js
  32. 14
      toolkit/content/aboutSupport.xhtml
  33. 2
      toolkit/locales/en-US/chrome/global/aboutSupport.dtd
  34. 7
      toolkit/modules/AppConstants.jsm
  35. 20
      toolkit/modules/Troubleshoot.jsm
  36. 6
      toolkit/toolkit.mozbuild
  37. 6
      toolkit/xre/moz.build
  38. 42
      toolkit/xre/nsAppRunner.cpp
  39. 16
      toolkit/xre/nsEmbedFunctions.cpp
  40. 27
      xpcom/base/nsSystemInfo.cpp
  41. 19
      xpcom/build/XREChildData.h
  42. 12
      xpcom/build/XREShellData.h
  43. 13
      xpcom/build/nsXREAppData.h
  44. 4
      xpcom/glue/AppData.cpp

25
application/palemoon/app/nsBrowserApp.cpp

@ -31,9 +31,6 @@
#endif
#define XRE_WANT_ENVIRON
#define strcasecmp _stricmp
#ifdef MOZ_SANDBOX
#include "mozilla/sandboxing/SandboxInitialization.h"
#endif
#endif
#include "BinaryPath.h"
@ -43,8 +40,7 @@
#include "mozilla/Telemetry.h"
#include "mozilla/WindowsDllBlocklist.h"
#if !defined(MOZ_WIDGET_COCOA) && !defined(MOZ_WIDGET_ANDROID) \
&& !(defined(XP_LINUX) && defined(MOZ_SANDBOX))
#if !defined(MOZ_WIDGET_COCOA) && !defined(MOZ_WIDGET_ANDROID)
#define MOZ_BROWSER_CAN_BE_CONTENTPROC
#include "../../ipc/contentproc/plugin-container.cpp"
#endif
@ -207,10 +203,6 @@ static int do_main(int argc, char* argv[], char* envp[], nsIFile *xreDirectory)
}
XREShellData shellData;
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
shellData.sandboxBrokerServices =
sandboxing::GetInitializedBrokerServices();
#endif
return XRE_XPCShellMain(--argc, argv, envp, &shellData);
}
@ -262,12 +254,6 @@ static int do_main(int argc, char* argv[], char* envp[], nsIFile *xreDirectory)
DllBlocklist_CheckStatus() ? NS_XRE_DLL_BLOCKLIST_ENABLED : 0;
#endif
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
sandbox::BrokerServices* brokerServices =
sandboxing::GetInitializedBrokerServices();
appData.sandboxBrokerServices = brokerServices;
#endif
#ifdef LIBFUZZER
if (getenv("LIBFUZZER"))
XRE_LibFuzzerSetMain(argc, argv, libfuzzer_main);
@ -369,15 +355,6 @@ int main(int argc, char* argv[], char* envp[])
// We are launching as a content process, delegate to the appropriate
// main
if (argc > 1 && IsArg(argv[1], "contentproc")) {
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
// We need to initialize the sandbox TargetServices before InitXPCOMGlue
// because we might need the sandbox broker to give access to some files.
if (IsSandboxedProcess() && !sandboxing::GetInitializedTargetServices()) {
Output("Failed to initialize the sandbox target services.");
return 255;
}
#endif
nsresult rv = InitXPCOMGlue(argv[0], nullptr);
if (NS_FAILED(rv)) {
return 255;
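Review bot: The simplified guard `#if !defined(MOZ_WIDGET_COCOA) && !defined(MOZ_WIDGET_ANDROID)` drops the `!(defined(XP_LINUX) && defined(MOZ_SANDBOX))` term, so a Linux build that previously had sandboxing enabled now compiles in plugin-container.cpp and defines MOZ_BROWSER_CAN_BE_CONTENTPROC, which is a behaviour change rather than dead-code removal. With MOZ_SANDBOX also removed from old-configure.in in this commit that is presumably the intended end state, but nothing in the hunk records it; a comment such as `// Linux is no longer excluded: with process sandboxing gone the browser binary can always act as the content process` above the `#define` would. The same simplification appears in browser/app/nsBrowserApp.cpp and needs the same comment. The contentproc branch at the end of this section belongs to main(), which continues outside the hunk.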

15
application/palemoon/installer/package-manifest.in

@ -334,21 +334,6 @@
@RESPATH@/chrome/pippki@JAREXT@
@RESPATH@/chrome/pippki.manifest
; For process sandboxing
#if defined(MOZ_SANDBOX)
#if defined(XP_WIN)
#if defined(WOW_HELPER)
@BINPATH@/wow_helper.exe
#endif
#endif
#endif
#if defined(MOZ_SANDBOX)
#if defined(XP_LINUX)
@BINPATH@/@DLL_PREFIX@mozsandbox@DLL_SUFFIX@
#endif
#endif
; for Solaris SPARC
#ifdef SOLARIS
bin/libfreebl_32fpu_3.so

16
browser/app/moz.build

@ -48,22 +48,6 @@ if CONFIG['OS_ARCH'] == 'WINNT':
for cdm in CONFIG['MOZ_EME_MODULES']:
DEFINES['MOZ_%s_EME' % cdm.upper()] = True
if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_ARCH'] == 'WINNT':
# For sandbox includes and the include dependencies those have
LOCAL_INCLUDES += [
'/security/sandbox/chromium',
'/security/sandbox/chromium-shim',
]
USE_LIBS += [
'sandbox_s',
]
DELAYLOAD_DLLS += [
'winmm.dll',
'user32.dll',
]
# Control the default heap size.
# This is the heap returned by GetProcessHeap().
# As we use the CRT heap, the default size is too large and wastes VM.

26
browser/app/nsBrowserApp.cpp

@ -31,9 +31,6 @@
#endif
#define XRE_WANT_ENVIRON
#define strcasecmp _stricmp
#ifdef MOZ_SANDBOX
#include "mozilla/sandboxing/SandboxInitialization.h"
#endif
#endif
#include "BinaryPath.h"
@ -43,8 +40,7 @@
#include "mozilla/Telemetry.h"
#include "mozilla/WindowsDllBlocklist.h"
#if !defined(MOZ_WIDGET_COCOA) && !defined(MOZ_WIDGET_ANDROID) \
&& !(defined(XP_LINUX) && defined(MOZ_SANDBOX))
#if !defined(MOZ_WIDGET_COCOA) && !defined(MOZ_WIDGET_ANDROID)
#define MOZ_BROWSER_CAN_BE_CONTENTPROC
#include "../../ipc/contentproc/plugin-container.cpp"
#endif
@ -207,11 +203,6 @@ static int do_main(int argc, char* argv[], char* envp[], nsIFile *xreDirectory)
}
XREShellData shellData;
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
shellData.sandboxBrokerServices =
sandboxing::GetInitializedBrokerServices();
#endif
return XRE_XPCShellMain(--argc, argv, envp, &shellData);
}
@ -262,12 +253,6 @@ static int do_main(int argc, char* argv[], char* envp[], nsIFile *xreDirectory)
DllBlocklist_CheckStatus() ? NS_XRE_DLL_BLOCKLIST_ENABLED : 0;
#endif
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
sandbox::BrokerServices* brokerServices =
sandboxing::GetInitializedBrokerServices();
appData.sandboxBrokerServices = brokerServices;
#endif
#ifdef LIBFUZZER
if (getenv("LIBFUZZER"))
XRE_LibFuzzerSetMain(argc, argv, libfuzzer_main);
@ -369,15 +354,6 @@ int main(int argc, char* argv[], char* envp[])
// We are launching as a content process, delegate to the appropriate
// main
if (argc > 1 && IsArg(argv[1], "contentproc")) {
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
// We need to initialize the sandbox TargetServices before InitXPCOMGlue
// because we might need the sandbox broker to give access to some files.
if (IsSandboxedProcess() && !sandboxing::GetInitializedTargetServices()) {
Output("Failed to initialize the sandbox target services.");
return 255;
}
#endif
nsresult rv = InitXPCOMGlue(argv[0], nullptr);
if (NS_FAILED(rv)) {
return 255;

26
browser/app/profile/firefox.js

@ -921,32 +921,6 @@ pref("dom.ipc.shims.enabledWarnings", false);
pref("browser.tabs.remote.autostart", false);
pref("browser.tabs.remote.desktopbehavior", true);
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
// When this pref is true the Windows process sandbox will set up dummy
// interceptions and log to the browser console when calls fail in the sandboxed
// process and also if they are subsequently allowed by the broker process.
// This will require a restart.
pref("security.sandbox.windows.log", false);
// Controls whether and how the Windows NPAPI plugin process is sandboxed.
// To get a different setting for a particular plugin replace "default", with
// the plugin's nice file name, see: nsPluginTag::GetNiceFileName.
// On windows these levels are:
// 0 - no sandbox
// 1 - sandbox with USER_NON_ADMIN access token level
// 2 - a more strict sandbox, which might cause functionality issues. This now
// includes running at low integrity.
// 3 - the strongest settings we seem to be able to use without breaking
// everything, but will probably cause some functionality restrictions
pref("dom.ipc.plugins.sandbox-level.default", 0);
#if defined(_AMD64_)
// The lines in PluginModuleParent.cpp should be changed in line with this.
pref("dom.ipc.plugins.sandbox-level.flash", 2);
#else
pref("dom.ipc.plugins.sandbox-level.flash", 0);
#endif
#endif
// This pref governs whether we attempt to work around problems caused by
// plugins using OS calls to manipulate the cursor while running out-of-
// process. These workarounds all involve intercepting (hooking) certain

15
browser/installer/package-manifest.in

@ -744,21 +744,6 @@
@RESPATH@/components/pipnss.xpt
@RESPATH@/components/pippki.xpt
; For process sandboxing
#if defined(MOZ_SANDBOX)
#if defined(XP_WIN)
#if defined(WOW_HELPER)
@BINPATH@/wow_helper.exe
#endif
#endif
#endif
#if defined(MOZ_SANDBOX)
#if defined(XP_LINUX)
@BINPATH@/@DLL_PREFIX@mozsandbox@DLL_SUFFIX@
#endif
#endif
; for Solaris SPARC
#ifdef SOLARIS
bin/libfreebl_32fpu_3.so

1
build/directive4.py

@ -33,7 +33,6 @@ if ('MOZ_OFFICIAL_BRANDING' in listConfig) or (strBrandingDirectory.endswith("br
# Applies to Pale Moon and Basilisk
if ('MC_BASILISK' in listConfig) or ('MC_PALEMOON' in listConfig):
listViolations += [
'MOZ_SANDBOX',
'MOZ_SYSTEM_LIBEVENT',
'MOZ_SYSTEM_NSS',
'MOZ_SYSTEM_NSPR',

6
dom/ipc/moz.build

@ -140,12 +140,6 @@ LOCAL_INCLUDES += [
'/xpcom/threads',
]
if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_ARCH'] == 'WINNT':
LOCAL_INCLUDES += [
'/security/sandbox/chromium',
'/security/sandbox/chromium-shim',
]
if CONFIG['OS_ARCH'] != 'WINNT':
LOCAL_INCLUDES += [
'/modules/libjar',

34
dom/media/gmp/GMPProcessParent.cpp

@ -8,9 +8,6 @@
#include "GMPUtils.h"
#include "nsIFile.h"
#include "nsIRunnable.h"
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
#include "WinUtils.h"
#endif
#include "base/string_util.h"
#include "base/process_util.h"
@ -56,38 +53,7 @@ GMPProcessParent::Launch(int32_t aTimeoutMs)
vector<string> args;
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
std::wstring wGMPPath = UTF8ToWide(mGMPPath.c_str());
// The sandbox doesn't allow file system rules where the paths contain
// symbolic links or junction points. Sometimes the Users folder has been
// moved to another drive using a junction point, so allow for this specific
// case. See bug 1236680 for details.
if (!widget::WinUtils::ResolveJunctionPointsAndSymLinks(wGMPPath)) {
GMP_LOG("ResolveJunctionPointsAndSymLinks failed for GMP path=%S",
wGMPPath.c_str());
NS_WARNING("ResolveJunctionPointsAndSymLinks failed for GMP path.");
return false;
}
GMP_LOG("GMPProcessParent::Launch() resolved path to %S", wGMPPath.c_str());
// If the GMP path is a network path that is not mapped to a drive letter,
// then we need to fix the path format for the sandbox rule.
wchar_t volPath[MAX_PATH];
if (::GetVolumePathNameW(wGMPPath.c_str(), volPath, MAX_PATH) &&
::GetDriveTypeW(volPath) == DRIVE_REMOTE &&
wGMPPath.compare(0, 2, L"\\\\") == 0) {
std::wstring sandboxGMPPath(wGMPPath);
sandboxGMPPath.insert(1, L"??\\UNC");
mAllowedFilesRead.push_back(sandboxGMPPath + L"\\*");
} else {
mAllowedFilesRead.push_back(wGMPPath + L"\\*");
}
args.push_back(WideToUTF8(wGMPPath));
#else
args.push_back(mGMPPath);
#endif
args.push_back(string(voucherPath.BeginReading(), voucherPath.EndReading()));

8
dom/media/gmp/rlz/GMPDeviceBinding.cpp

@ -12,10 +12,6 @@
#ifdef XP_WIN
#include "windows.h"
#ifdef MOZ_SANDBOX
#include <intrin.h>
#include <assert.h>
#endif
#endif
#if defined(HASH_NODE_ID_WITH_DEVICE_ID)
@ -35,10 +31,6 @@
#ifdef XP_WIN
#include "windows.h"
#ifdef MOZ_SANDBOX
#include <intrin.h>
#include <assert.h>
#endif
#endif
#ifdef XP_MACOSX

7
dom/media/gmp/rlz/moz.build

@ -13,13 +13,6 @@ UNIFIED_SOURCES += [
'GMPDeviceBinding.cpp',
]
if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_TARGET'] in ['WINNT', 'Darwin']:
DEFINES['HASH_NODE_ID_WITH_DEVICE_ID'] = 1;
UNIFIED_SOURCES += [
'lib/string_utils.cc',
'sha256.c',
]
if CONFIG['OS_TARGET'] == 'WINNT':
UNIFIED_SOURCES += [
'win/lib/machine_id_win.cc',

19
dom/plugins/base/nsPluginTags.cpp

@ -427,24 +427,7 @@ void nsPluginTag::InitMime(const char* const* aMimeTypes,
void
nsPluginTag::InitSandboxLevel()
{
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
nsAutoCString sandboxPref("dom.ipc.plugins.sandbox-level.");
sandboxPref.Append(GetNiceFileName());
if (NS_FAILED(Preferences::GetInt(sandboxPref.get(), &mSandboxLevel))) {
mSandboxLevel = Preferences::GetInt("dom.ipc.plugins.sandbox-level.default"
);
}
#if defined(_AMD64_)
// As level 2 is now the default NPAPI sandbox level for 64-bit flash, we
// don't want to allow a lower setting unless this environment variable is
// set. This should be changed if the firefox.js pref file is changed.
if (mIsFlashPlugin &&
!PR_GetEnv("MOZ_ALLOW_WEAKER_SANDBOX") && mSandboxLevel < 2) {
mSandboxLevel = 2;
}
#endif
#endif
/* STUB */
}
#if !defined(XP_WIN) && !defined(XP_MACOSX)
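Review bot: `nsPluginTag::InitSandboxLevel()` is reduced to an empty body marked `/* STUB */`, which leaves `mSandboxLevel` at whatever the constructor assigned, while the same commit makes the non-sandbox branch of `PluginProcessParent::Launch` (dom/plugins/ipc/PluginProcessParent.cpp) the only one, where any `aSandboxLevel != 0` trips `MOZ_ASSERT(false, ...)`. If the member is not zero-initialised elsewhere (not visible here), the stub should pin the value it now guarantees: `mSandboxLevel = 0; // process sandboxing has been removed; the level is always 0`. The `/* STUB */` marker itself should state that guarantee rather than only that the function is a stub, since the `dom.ipc.plugins.sandbox-level.*` prefs it used to read are also deleted from browser/app/profile/firefox.js in this commit and the function name is the last trace of the old behaviour.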

10
dom/plugins/ipc/PluginProcessChild.cpp

@ -22,10 +22,6 @@ extern "C" CGError CGSSetDebugOptions(int options);
#ifdef XP_WIN
bool ShouldProtectPluginCurrentDirectory(char16ptr_t pluginFilePath);
#if defined(MOZ_SANDBOX)
#define TARGET_SANDBOX_EXPORTS
#include "mozilla/sandboxTarget.h"
#endif
#endif
using mozilla::ipc::IOThreadChild;
@ -107,12 +103,6 @@ PluginProcessChild::Init()
pluginFilename = WideToUTF8(values[0]);
#if defined(MOZ_SANDBOX)
// This is probably the earliest we would want to start the sandbox.
// As we attempt to tighten the sandbox, we may need to consider moving this
// to later in the plugin initialization.
mozilla::SandboxTarget::Instance()->StartSandbox();
#endif
#else
# error Sorry
#endif

85
dom/plugins/ipc/PluginProcessParent.cpp

@ -14,10 +14,6 @@
#include "mozilla/Telemetry.h"
#include "nsThreadUtils.h"
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
#include "nsDirectoryServiceDefs.h"
#endif
using std::vector;
using std::string;
@ -40,95 +36,14 @@ PluginProcessParent::~PluginProcessParent()
{
}
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
static void
AddSandboxAllowedFile(vector<std::wstring>& aAllowedFiles, nsIProperties* aDirSvc,
const char* aDir, const nsAString& aSuffix = EmptyString())
{
nsCOMPtr<nsIFile> userDir;
nsresult rv = aDirSvc->Get(aDir, NS_GET_IID(nsIFile), getter_AddRefs(userDir));
if (NS_WARN_IF(NS_FAILED(rv))) {
return;
}
nsAutoString userDirPath;
rv = userDir->GetPath(userDirPath);
if (NS_WARN_IF(NS_FAILED(rv))) {
return;
}
if (!aSuffix.IsEmpty()) {
userDirPath.Append(aSuffix);
}
aAllowedFiles.push_back(std::wstring(userDirPath.get()));
return;
}
static void
AddSandboxAllowedFiles(int32_t aSandboxLevel,
vector<std::wstring>& aAllowedFilesRead,
vector<std::wstring>& aAllowedFilesReadWrite,
vector<std::wstring>& aAllowedDirectories)
{
if (aSandboxLevel < 2) {
return;
}
nsresult rv;
nsCOMPtr<nsIProperties> dirSvc =
do_GetService(NS_DIRECTORY_SERVICE_CONTRACTID, &rv);
if (NS_WARN_IF(NS_FAILED(rv))) {
return;
}
// Higher than level 2 currently removes the users own rights.
if (aSandboxLevel > 2) {
AddSandboxAllowedFile(aAllowedFilesRead, dirSvc, NS_WIN_HOME_DIR);
AddSandboxAllowedFile(aAllowedFilesRead, dirSvc, NS_WIN_HOME_DIR,
NS_LITERAL_STRING("\\*"));
}
// Level 2 and above is now using low integrity, so we need to give write
// access to the Flash directories.
// This should be made Flash specific (Bug 1171396).
AddSandboxAllowedFile(aAllowedFilesReadWrite, dirSvc, NS_WIN_APPDATA_DIR,
NS_LITERAL_STRING("\\Macromedia\\Flash Player\\*"));
AddSandboxAllowedFile(aAllowedFilesReadWrite, dirSvc, NS_WIN_LOCAL_APPDATA_DIR,
NS_LITERAL_STRING("\\Macromedia\\Flash Player\\*"));
AddSandboxAllowedFile(aAllowedFilesReadWrite, dirSvc, NS_WIN_APPDATA_DIR,
NS_LITERAL_STRING("\\Adobe\\Flash Player\\*"));
// Access also has to be given to create the parent directories as they may
// not exist.
AddSandboxAllowedFile(aAllowedDirectories, dirSvc, NS_WIN_APPDATA_DIR,
NS_LITERAL_STRING("\\Macromedia"));
AddSandboxAllowedFile(aAllowedDirectories, dirSvc, NS_WIN_APPDATA_DIR,
NS_LITERAL_STRING("\\Macromedia\\Flash Player"));
AddSandboxAllowedFile(aAllowedDirectories, dirSvc, NS_WIN_LOCAL_APPDATA_DIR,
NS_LITERAL_STRING("\\Macromedia"));
AddSandboxAllowedFile(aAllowedDirectories, dirSvc, NS_WIN_LOCAL_APPDATA_DIR,
NS_LITERAL_STRING("\\Macromedia\\Flash Player"));
AddSandboxAllowedFile(aAllowedDirectories, dirSvc, NS_WIN_APPDATA_DIR,
NS_LITERAL_STRING("\\Adobe"));
AddSandboxAllowedFile(aAllowedDirectories, dirSvc, NS_WIN_APPDATA_DIR,
NS_LITERAL_STRING("\\Adobe\\Flash Player"));
}
#endif
bool
PluginProcessParent::Launch(mozilla::UniquePtr<LaunchCompleteTask> aLaunchCompleteTask,
int32_t aSandboxLevel)
{
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
mSandboxLevel = aSandboxLevel;
AddSandboxAllowedFiles(mSandboxLevel, mAllowedFilesRead,
mAllowedFilesReadWrite, mAllowedDirectories);
#else
if (aSandboxLevel != 0) {
MOZ_ASSERT(false,
"Can't enable an NPAPI process sandbox for platform/build.");
}
#endif
ProcessArchitecture currentArchitecture = base::GetCurrentProcessArchitecture();
uint32_t containerArchitectures = GetSupportedArchitecturesForProcessType(GeckoProcessType_Plugin);

6
dom/plugins/ipc/moz.build

@ -125,12 +125,6 @@ LOCAL_INCLUDES += [
'/xpcom/base/',
]
if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_ARCH'] == 'WINNT':
LOCAL_INCLUDES += [
'/security/sandbox/chromium',
'/security/sandbox/chromium-shim',
]
DEFINES['FORCE_PR_LOG'] = True
if CONFIG['MOZ_WIDGET_TOOLKIT'] != 'gtk3':

37
ipc/app/moz.build

@ -43,47 +43,10 @@ if CONFIG['OS_ARCH'] == 'WINNT':
'nss3.dll',
]
if CONFIG['MOZ_SANDBOX']:
# For sandbox includes and the include dependencies those have
LOCAL_INCLUDES += [
'/security/sandbox/chromium',
'/security/sandbox/chromium-shim',
]
USE_LIBS += [
'sandbox_s',
]
DELAYLOAD_DLLS += [
'winmm.dll',
'user32.dll',
]
DELAYLOAD_DLLS += [
'xul.dll',
]
if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_TARGET'] in ('Linux', 'Android'):
USE_LIBS += [
'mozsandbox',
]
# gcc lto likes to put the top level asm in syscall.cc in a different partition
# from the function using it which breaks the build. Work around that by
# forcing there to be only one partition.
if '-flto' in CONFIG['OS_CXXFLAGS'] and not CONFIG['CLANG_CXX']:
LDFLAGS += ['--param lto-partitions=1']
if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_TARGET'] == 'Darwin':
# For sandbox includes and the include dependencies those have
LOCAL_INCLUDES += [
'/security/sandbox/chromium',
'/security/sandbox/chromium-shim',
]
USE_LIBS += [
'mozsandbox',
]
if CONFIG['_MSC_VER']:
# Always enter a Windows program through wmain, whether or not we're
# a console application.

11
ipc/app/pie/moz.build

@ -16,15 +16,4 @@ LOCAL_INCLUDES += [
'/xpcom/base',
]
if CONFIG['MOZ_SANDBOX']:
USE_LIBS += [
'mozsandbox',
]
# gcc lto likes to put the top level asm in syscall.cc in a different partition
# from the function using it which breaks the build. Work around that by
# forcing there to be only one partition.
if '-flto' in CONFIG['OS_CXXFLAGS'] and not CONFIG['CLANG_CXX']:
LDFLAGS += ['--param lto-partitions=1']
LDFLAGS += ['-pie']

5
ipc/contentproc/moz.build

@ -18,8 +18,3 @@ if CONFIG['OS_ARCH'] == 'WINNT':
'/xpcom/base',
]
if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_ARCH'] == 'WINNT':
LOCAL_INCLUDES += [
'/security/sandbox/chromium',
'/security/sandbox/chromium-shim',
]

40
ipc/contentproc/plugin-container.cpp

@ -22,11 +22,6 @@
#include "GMPLoader.h"
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
#include "mozilla/sandboxing/SandboxInitialization.h"
#include "mozilla/sandboxing/sandboxLogging.h"
#endif
#ifdef MOZ_WIDGET_GONK
# include <sys/time.h>
# include <sys/resource.h>
@ -62,26 +57,10 @@ InitializeBinder(void *aDummy) {
}
#endif
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
class WinSandboxStarter : public mozilla::gmp::SandboxStarter {
public:
virtual bool Start(const char *aLibPath) override {
if (IsSandboxedProcess()) {
mozilla::sandboxing::LowerSandbox();
}
return true;
}
};
#endif
mozilla::gmp::SandboxStarter*
MakeSandboxStarter()
{
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
return new WinSandboxStarter();
#else
return nullptr;
#endif
}
int
@ -95,27 +74,8 @@ content_process_main(int argc, char* argv[])
XREChildData childData;
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
if (IsSandboxedProcess()) {
childData.sandboxTargetServices =
mozilla::sandboxing::GetInitializedTargetServices();
if (!childData.sandboxTargetServices) {
return 1;
}
childData.ProvideLogFunction = mozilla::sandboxing::ProvideLogFunction;
}
#endif
XRE_SetProcessType(argv[--argc]);
#if defined(XP_LINUX) && defined(MOZ_SANDBOX)
// This has to happen while we're still single-threaded, and on
// B2G that means before the Android Binder library is
// initialized.
mozilla::SandboxEarlyInit(XRE_GetProcessType());
#endif
#ifdef MOZ_WIDGET_GONK
// This creates a ThreadPool for binder ipc. A ThreadPool is necessary to
// receive binder calls, though not necessary to send binder calls.

217
ipc/glue/GeckoChildProcessHost.cpp

@ -39,12 +39,6 @@
#ifdef XP_WIN
#include "nsIWinTaskbar.h"
#define NS_TASKBAR_CONTRACTID "@mozilla.org/windows-taskbar;1"
#if defined(MOZ_SANDBOX)
#include "mozilla/Preferences.h"
#include "mozilla/sandboxing/sandboxLogging.h"
#include "nsDirectoryServiceUtils.h"
#endif
#endif
#include "nsTArray.h"
@ -97,10 +91,6 @@ GeckoChildProcessHost::GeckoChildProcessHost(GeckoProcessType aProcessType,
mPrivileges(aPrivileges),
mMonitor("mozilla.ipc.GeckChildProcessHost.mMonitor"),
mProcessState(CREATING_CHANNEL),
#if defined(MOZ_SANDBOX) && defined(XP_WIN)
mEnableSandboxLogging(false),
mSandboxLevel(0),
#endif
mChildProcessHandle(0)
#if defined(MOZ_WIDGET_COCOA)
, mChildTask(MACH_PORT_NULL)
@ -307,14 +297,6 @@ GeckoChildProcessHost::PrepareLaunch()
if (mProcessType == GeckoProcessType_Plugin) {
InitWindowsGroupID();
}
#if defined(MOZ_SANDBOX)
// For other process types we can't rely on them being launched on main
// thread and they may not have access to prefs in the child process, so allow
// them to turn on logging via an environment variable.
mEnableSandboxLogging = mEnableSandboxLogging
|| !!PR_GetEnv("MOZ_WIN_SANDBOX_LOGGING");
#endif
#endif
}
@ -599,91 +581,6 @@ AddAppDirToCommandLine(std::vector<std::string>& aCmdLine)
}
}
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
static void
MaybeAddNsprLogFileAccess(std::vector<std::wstring>& aAllowedFilesReadWrite)
{
const char* nsprLogFileEnv = PR_GetEnv("NSPR_LOG_FILE");
if (!nsprLogFileEnv) {
return;
}
nsDependentCString nsprLogFilePath(nsprLogFileEnv);
nsCOMPtr<nsIFile> nsprLogFile;
nsresult rv = NS_NewNativeLocalFile(nsprLogFilePath, true,
getter_AddRefs(nsprLogFile));
if (NS_FAILED(rv)) {
// Not an absolute path, try it as a relative one.
nsresult rv = NS_GetSpecialDirectory(NS_OS_CURRENT_WORKING_DIR,
getter_AddRefs(nsprLogFile));
if (NS_FAILED(rv) || !nsprLogFile) {
NS_WARNING("Failed to get current working directory");
return;
}
rv = nsprLogFile->AppendRelativeNativePath(nsprLogFilePath);
if (NS_WARN_IF(NS_FAILED(rv))) {
return;
}
}
nsAutoString resolvedFilePath;
rv = nsprLogFile->GetPath(resolvedFilePath);
if (NS_WARN_IF(NS_FAILED(rv))) {
return;
}
// Update the environment variable as well as adding the rule, because the
// Chromium sandbox can only allow access to fully qualified file paths. This
// only affects the environment for the child process we're about to create,
// because this will get reset to the original value in PerformAsyncLaunch.
aAllowedFilesReadWrite.push_back(std::wstring(resolvedFilePath.get()));
nsAutoCString resolvedEnvVar("NSPR_LOG_FILE=");
AppendUTF16toUTF8(resolvedFilePath, resolvedEnvVar);
PR_SetEnv(resolvedEnvVar.get());
}
static void
AddContentSandboxAllowedFiles(int32_t aSandboxLevel,
std::vector<std::wstring>& aAllowedFilesRead)
{
if (aSandboxLevel < 1) {
return;
}
nsCOMPtr<nsIFile> binDir;
nsresult rv = NS_GetSpecialDirectory(NS_GRE_DIR, getter_AddRefs(binDir));
if (NS_WARN_IF(NS_FAILED(rv))) {
return;
}
nsAutoString binDirPath;
rv = binDir->GetPath(binDirPath);
if (NS_WARN_IF(NS_FAILED(rv))) {
return;
}
// If bin directory is on a remote drive add read access.
wchar_t volPath[MAX_PATH];
if (!::GetVolumePathNameW(binDirPath.get(), volPath, MAX_PATH)) {
return;
}
if (::GetDriveTypeW(volPath) != DRIVE_REMOTE) {
return;
}
// Convert network share path to format for sandbox policy.
if (Substring(binDirPath, 0, 2).Equals(L"\\\\")) {
binDirPath.InsertLiteral(u"??\\UNC", 1);
}
binDirPath.AppendLiteral(u"\\*");
aAllowedFilesRead.push_back(std::wstring(binDirPath.get()));
}
#endif
bool
GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExtraOpts, base::ProcessArchitecture arch)
{
@ -808,27 +705,6 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
}
#endif // MOZ_WIDGET_GONK
#if defined(XP_LINUX) && defined(MOZ_SANDBOX)
// Preload libmozsandbox.so so that sandbox-related interpositions
// can be defined there instead of in the executable.
// (This could be made conditional on intent to use sandboxing, but
// it's harmless for non-sandboxed processes.)
{
nsAutoCString preload;
// Prepend this, because people can and do preload libpthread.
// (See bug 1222500.)
preload.AssignLiteral("libmozsandbox.so");
if (const char* oldPreload = PR_GetEnv("LD_PRELOAD")) {
// Doesn't matter if oldPreload is ""; extra separators are ignored.
preload.Append(' ');
preload.Append(oldPreload);
}
// Explicitly construct the std::string to make it clear that this
// isn't retaining a pointer to the nsCString's buffer.
newEnvVars["LD_PRELOAD"] = std::string(preload.get());
}
#endif
// remap the IPC socket fd to a well-known int, as the OS does for
// STDOUT_FILENO, for example
int srcChannelFd, dstChannelFd;
@ -994,74 +870,6 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
}
}
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
bool shouldSandboxCurrentProcess = false;
// XXX: Bug 1124167: We should get rid of the process specific logic for
// sandboxing in this class at some point. Unfortunately it will take a bit
// of reorganizing so I don't think this patch is the right time.
switch (mProcessType) {
case GeckoProcessType_Content:
break;
case GeckoProcessType_Plugin:
if (mSandboxLevel > 0 &&
!PR_GetEnv("MOZ_DISABLE_NPAPI_SANDBOX")) {
bool ok = mSandboxBroker.SetSecurityLevelForPluginProcess(mSandboxLevel);
if (!ok) {
return false;
}
shouldSandboxCurrentProcess = true;
}
break;
case GeckoProcessType_IPDLUnitTest:
// XXX: We don't sandbox this process type yet
break;
case GeckoProcessType_GMPlugin:
if (!PR_GetEnv("MOZ_DISABLE_GMP_SANDBOX")) {
// The Widevine CDM on Windows can only load at USER_RESTRICTED,
// not at USER_LOCKDOWN. So look in the command line arguments
// to see if we're loading the path to the Widevine CDM, and if
// so use sandbox level USER_RESTRICTED instead of USER_LOCKDOWN.
bool isWidevine = std::any_of(aExtraOpts.begin(), aExtraOpts.end(),
[](const std::string arg) { return arg.find("gmp-widevinecdm") != std::string::npos; });
auto level = isWidevine ? SandboxBroker::Restricted : SandboxBroker::LockDown;
bool ok = mSandboxBroker.SetSecurityLevelForGMPlugin(level);
if (!ok) {
return false;
}
shouldSandboxCurrentProcess = true;
}
break;
case GeckoProcessType_GPU:
break;
case GeckoProcessType_Default:
default:
MOZ_CRASH("Bad process type in GeckoChildProcessHost");
break;
};
if (shouldSandboxCurrentProcess) {
MaybeAddNsprLogFileAccess(mAllowedFilesReadWrite);
for (auto it = mAllowedFilesRead.begin();
it != mAllowedFilesRead.end();
++it) {
mSandboxBroker.AllowReadFile(it->c_str());
}
for (auto it = mAllowedFilesReadWrite.begin();
it != mAllowedFilesReadWrite.end();
++it) {
mSandboxBroker.AllowReadWriteFile(it->c_str());
}
for (auto it = mAllowedDirectories.begin();
it != mAllowedDirectories.end();
++it) {
mSandboxBroker.AllowDirectory(it->c_str());
}
}
#endif // XP_WIN && MOZ_SANDBOX
// Add the application directory path (-appdir path)
AddAppDirToCommandLine(cmdLine);
@ -1078,33 +886,8 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
// Process type
cmdLine.AppendLooseValue(UTF8ToWide(childProcessType));
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
if (shouldSandboxCurrentProcess) {
if (mSandboxBroker.LaunchApp(cmdLine.program().c_str(),
cmdLine.command_line_string().c_str(),
mEnableSandboxLogging,
&process)) {
EnvironmentLog("MOZ_PROCESS_LOG").print(
"==> process %d launched child process %d (%S)\n",
base::GetCurrentProcId(), base::GetProcId(process),
cmdLine.command_line_string().c_str());
}
} else
#endif
{
base::LaunchApp(cmdLine, false, false, &process);
#ifdef MOZ_SANDBOX
// We need to be able to duplicate handles to some types of non-sandboxed
// child processes.
if (mProcessType == GeckoProcessType_Content ||
mProcessType == GeckoProcessType_GPU ||
mProcessType == GeckoProcessType_GMPlugin) {
if (!mSandboxBroker.AddTargetPeer(process)) {
NS_WARNING("Failed to add content process as target peer.");
}
}
#endif
}
#else

13
ipc/glue/GeckoChildProcessHost.h

@ -21,10 +21,6 @@
#include "nsXULAppAPI.h" // for GeckoProcessType
#include "nsString.h"
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
#include "sandboxBroker.h"
#endif
namespace mozilla {
namespace ipc {
@ -153,15 +149,6 @@ protected:
#ifdef XP_WIN
void InitWindowsGroupID();
nsString mGroupId;
#ifdef MOZ_SANDBOX
SandboxBroker mSandboxBroker;
std::vector<std::wstring> mAllowedFilesRead;
std::vector<std::wstring> mAllowedFilesReadWrite;
std::vector<std::wstring> mAllowedDirectories;
bool mEnableSandboxLogging;
int32_t mSandboxLevel;
#endif
#endif // XP_WIN
#if defined(OS_POSIX)

16
ipc/glue/ProtocolUtils.cpp

@ -20,11 +20,6 @@
#include "mozilla/Unused.h"
#include "nsPrintfCString.h"
#if defined(MOZ_SANDBOX) && defined(XP_WIN)
#define TARGET_SANDBOX_EXPORTS
#include "mozilla/sandboxTarget.h"
#endif
#include "nsAutoPtr.h"
using namespace IPC;
@ -162,17 +157,6 @@ bool DuplicateHandle(HANDLE aSourceHandle,
}
#if defined(MOZ_SANDBOX)
// Try the broker next (will fail if not sandboxed).
if (SandboxTarget::Instance()->BrokerDuplicateHandle(aSourceHandle,
aTargetProcessId,
aTargetHandle,
aDesiredAccess,
aOptions)) {
return true;
}
#endif
// Finally, see if we already have access to the process.
ScopedProcessHandle targetProcess(OpenProcess(PROCESS_DUP_HANDLE,
FALSE,

7
ipc/glue/moz.build

@ -196,12 +196,5 @@ for var in ('MOZ_CHILD_PROCESS_NAME', 'MOZ_CHILD_PROCESS_NAME_PIE',
'MOZ_CHILD_PROCESS_BUNDLE', 'DLL_PREFIX', 'DLL_SUFFIX'):
DEFINES[var] = '"%s"' % CONFIG[var]
if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_ARCH'] == 'WINNT':
LOCAL_INCLUDES += [
'/security/sandbox/chromium',
'/security/sandbox/chromium-shim',
'/security/sandbox/win/src/sandboxbroker',
]
if CONFIG['GNU_CXX']:
CXXFLAGS += ['-Wno-shadow']

16
js/xpconnect/shell/moz.build

@ -35,22 +35,6 @@ if CONFIG['_MSC_VER']:
if CONFIG['OS_ARCH'] == 'WINNT':
RCINCLUDE = 'xpcshell.rc'
if CONFIG['MOZ_SANDBOX']:
# For sandbox includes and the include dependencies those have
LOCAL_INCLUDES += [
'/security/sandbox/chromium',
'/security/sandbox/chromium-shim',
]
USE_LIBS += [
'sandbox_s',
]
DELAYLOAD_DLLS += [
'winmm.dll',
'user32.dll',
]
DELAYLOAD_DLLS += [
'xul.dll',
]

7
js/xpconnect/shell/xpcshell.cpp

@ -22,9 +22,6 @@
#define XRE_DONT_PROTECT_DLL_LOAD
#define XRE_WANT_ENVIRON
#include "nsWindowsWMain.cpp"
#ifdef MOZ_SANDBOX
#include "mozilla/sandboxing/SandboxInitialization.h"
#endif
#endif
#ifdef MOZ_WIDGET_GTK
@ -54,10 +51,6 @@ main(int argc, char** argv, char** envp)
#endif
XREShellData shellData;
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
shellData.sandboxBrokerServices =
mozilla::sandboxing::GetInitializedBrokerServices();
#endif
int result = XRE_XPCShellMain(argc, argv, envp, &shellData);

13
js/xpconnect/src/XPCShellImpl.cpp

@ -44,9 +44,6 @@
#ifdef XP_WIN
#include "mozilla/widget/AudioSession.h"
#include <windows.h>
#if defined(MOZ_SANDBOX)
#include "SandboxBroker.h"
#endif
#endif
// all this crap is needed to do the interactive shell stuff
@ -1484,16 +1481,6 @@ XRE_XPCShellMain(int argc, char** argv, char** envp,
// Plugin may require audio session if installed plugin can initialize
// asynchronized.
AutoAudioSession audioSession;
#if defined(MOZ_SANDBOX)
// Required for sandboxed child processes.
if (aShellData->sandboxBrokerServices) {
SandboxBroker::Initialize(aShellData->sandboxBrokerServices);
} else {
NS_WARNING("Failed to initialize broker services, sandboxed "
"processes will fail to start.");
}
#endif
#endif
{

5
mobile/android/installer/package-manifest.in

@ -502,11 +502,6 @@
;
@BINPATH@/components/pipnss.xpt
; For process sandboxing
#if defined(MOZ_SANDBOX)
@BINPATH@/@DLL_PREFIX@mozsandbox@DLL_SUFFIX@
#endif
[mobile]
@BINPATH@/chrome/chrome@JAREXT@
@BINPATH@/chrome/chrome.manifest

20
old-configure.in

@ -2311,7 +2311,6 @@ MOZ_INSTALL_TRACKING=
ACCESSIBILITY=1
MOZ_TIME_MANAGER=
MOZ_AUDIO_CHANNEL_MANAGER=
MOZ_SANDBOX=
MOZ_BINARY_EXTENSIONS=
MOZ_JETPACK=1
MOZ_DEVTOOLS_SERVER=1
@ -3923,24 +3922,6 @@ if test -n "$MOZ_NO_SMART_CARDS"; then
fi
AC_SUBST(MOZ_NO_SMART_CARDS)
dnl ========================================================
dnl = Sandboxing support
dnl ========================================================
MOZ_ARG_ENABLE_BOOL(sandbox,
[ --enable-sandbox Enable sandboxing support],
MOZ_SANDBOX=1,
MOZ_SANDBOX=)
if test -n "$MOZ_TSAN" -o -n "$MOZ_ASAN"; then
# Bug 1182565: TSan conflicts with sandboxing on Linux.
# Bug 1287971: LSan also conflicts with sandboxing on Linux.
case $OS_TARGET in
Linux|Android)
MOZ_SANDBOX=
;;
esac
fi
dnl ========================================================
dnl =
dnl = Module specific options
@ -5771,7 +5752,6 @@ MOZ_OFFICIAL_BRANDING=$MOZ_OFFICIAL_BRANDING
MOZ_BRANDING_DIRECTORY=$MOZ_BRANDING_DIRECTORY
MC_BASILISK=$MC_BASILISK
MC_PALEMOON=$MC_PALEMOON
MOZ_SANDBOX=$MOZ_SANDBOX
MOZ_EME=$MOZ_EME
MOZ_WEBRTC=$MOZ_WEBRTC
MOZ_SYSTEM_LIBEVENT=$MOZ_SYSTEM_LIBEVENT

2
security/sandbox/chromium/base/time/time.cc

@ -242,7 +242,6 @@ Time Time::LocalMidnight() const {
return FromLocalExploded(exploded);
}
#if !defined(MOZ_SANDBOX)
// static
bool Time::FromStringInternal(const char* time_string,
bool is_local,
@ -263,7 +262,6 @@ bool Time::FromStringInternal(const char* time_string,
*parsed_time = Time(result_time);
return true;
}
#endif
std::ostream& operator<<(std::ostream& os, Time time) {
Time::Exploded exploded;

4
security/sandbox/chromium/base/time/time.h

@ -522,7 +522,6 @@ class BASE_EXPORT Time : public time_internal::TimeBase<Time> {
return FromExploded(true, exploded);
}
#if !defined(MOZ_SANDBOX)
// Converts a string representation of time to a Time object.
// An example of a time string which is converted is as below:-
// "Tue, 15 Nov 1994 12:45:26 GMT". If the timezone is not specified
@ -537,7 +536,6 @@ class BASE_EXPORT Time : public time_internal::TimeBase<Time> {
static bool FromUTCString(const char* time_string, Time* parsed_time) {
return FromStringInternal(time_string, false, parsed_time);
}
#endif
// Fills the given exploded structure with either the local time or UTC from
// this time structure (containing UTC).
@ -565,7 +563,6 @@ class BASE_EXPORT Time : public time_internal::TimeBase<Time> {
// |is_local = true| or UTC |is_local = false|.
static Time FromExploded(bool is_local, const Exploded& exploded);
#if !defined(MOZ_SANDBOX)
// Converts a string representation of time to a Time object.
// An example of a time string which is converted is as below:-
// "Tue, 15 Nov 1994 12:45:26 GMT". If the timezone is not specified
@ -576,7 +573,6 @@ class BASE_EXPORT Time : public time_internal::TimeBase<Time> {
static bool FromStringInternal(const char* time_string,
bool is_local,
Time* parsed_time);
#endif
};
// Inline the TimeDelta factory methods, for fast TimeDelta construction.

21
toolkit/content/aboutSupport.js

@ -497,26 +497,7 @@ var snapshotFormatters = {
$("prefs-user-js-section").style.display = "";
// Clear the no-copy class
$("prefs-user-js-section").className = "";
},
sandbox: function sandbox(data) {
if (!AppConstants.MOZ_SANDBOX)
return;
let strings = stringBundle();
let tbody = $("sandbox-tbody");
for (let key in data) {
// Simplify the display a little in the common case.
if (key === "hasPrivilegedUserNamespaces" &&
data[key] === data["hasUserNamespaces"]) {
continue;
}
tbody.appendChild($.new("tr", [
$.new("th", strings.GetStringFromName(key), "column"),
$.new("td", data[key])
]));
}
},
}
};
var $ = document.getElementById.bind(document);

14
toolkit/content/aboutSupport.xhtml

@ -475,20 +475,6 @@
</tbody>
</table>
<!-- - - - - - - - - - - - - - - - - - - - - -->
#if defined(MOZ_SANDBOX)
<h2 class="major-section" id="sandbox">
&aboutSupport.sandboxTitle;
</h2>
<table>
<tbody id="sandbox-tbody">
</tbody>
</table>
#endif
</div>
</body>

2
toolkit/locales/en-US/chrome/global/aboutSupport.dtd

@ -109,8 +109,6 @@ variant of aboutSupport.showDir.label. -->
<!ENTITY aboutSupport.copyTextToClipboard.label "Copy text to clipboard">
<!ENTITY aboutSupport.copyRawDataToClipboard.label "Copy raw data to clipboard">
<!ENTITY aboutSupport.sandboxTitle "Sandbox">
<!ENTITY aboutSupport.safeModeTitle "Try Safe Mode">
<!ENTITY aboutSupport.restartInSafeMode.label "Restart with Add-ons Disabled…">

7
toolkit/modules/AppConstants.jsm

@ -81,13 +81,6 @@ this.AppConstants = Object.freeze({
false,