Bug 1123245 Part 3: Add prefs for the Windows NPAPI process sandbox. r=bsmedberg

2024-09-13 09:24:08 -07:00 · 2015-01-23 08:32:21 +00:00 · 2015-01-23 08:32:21 +00:00 · 0ab45dda9a
commit 0ab45dda9a
parent b9c17ba63a
6 changed files with 40 additions and 4 deletions
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@ -1182,6 +1182,12 @@ pref("browser.tabs.remote.desktopbehavior", true);
 // This will require a restart.
 pref("security.sandbox.windows.log", false);

+// Controls whether the Windows NPAPI plugin process is sandboxed by default.
+// To get a different setting for a particular plugin replace "default", with
+// the plugin's nice file name, see: nsPluginTag::GetNiceFileName.
+pref("dom.ipc.plugins.sandbox.default", false);
+pref("dom.ipc.plugins.sandbox.flash", false);
+
 #if defined(MOZ_CONTENT_SANDBOX)
 // This controls whether the Windows content process sandbox is using a more
 // strict sandboxing policy.  This will require a restart.
--- a/dom/plugins/ipc/PluginModuleParent.cpp
+++ b/dom/plugins/ipc/PluginModuleParent.cpp
@ -391,11 +391,21 @@ PluginModuleChromeParent::LoadModule(const char* aFilePath, uint32_t aPluginId,
 {
    PLUGIN_LOG_DEBUG_FUNCTION;

+    bool enableSandbox = false;
+#if defined(XP_WIN) && defined(MOZ_SANDBOX)
+    nsAutoCString sandboxPref("dom.ipc.plugins.sandbox.");
+    sandboxPref.Append(aPluginTag->GetNiceFileName());
+    if (NS_FAILED(Preferences::GetBool(sandboxPref.get(), &enableSandbox))) {
+      enableSandbox = Preferences::GetBool("dom.ipc.plugins.sandbox.default");
+    }
+#endif
+
    nsAutoPtr<PluginModuleChromeParent> parent(new PluginModuleChromeParent(aFilePath, aPluginId));
    UniquePtr<LaunchCompleteTask> onLaunchedRunnable(new LaunchedTask(parent));
    parent->mSubprocess->SetCallRunnableImmediately(!parent->mIsStartingAsync);
    TimeStamp launchStart = TimeStamp::Now();
-    bool launched = parent->mSubprocess->Launch(Move(onLaunchedRunnable));
+    bool launched = parent->mSubprocess->Launch(Move(onLaunchedRunnable),
+                                                enableSandbox);
    if (!launched) {
        // We never reached open
        parent->mShutdown = true;
--- a/dom/plugins/ipc/PluginProcessParent.cpp
+++ b/dom/plugins/ipc/PluginProcessParent.cpp
@ -43,8 +43,18 @@ PluginProcessParent::~PluginProcessParent()
 }

 bool
-PluginProcessParent::Launch(mozilla::UniquePtr<LaunchCompleteTask> aLaunchCompleteTask)
+PluginProcessParent::Launch(mozilla::UniquePtr<LaunchCompleteTask> aLaunchCompleteTask,
+                            bool aEnableSandbox)
 {
+#if defined(XP_WIN) && defined(MOZ_SANDBOX)
+    mEnableNPAPISandbox = aEnableSandbox;
+#else
+    if (aEnableSandbox) {
+        MOZ_ASSERT(false,
+                   "Can't enable an NPAPI process sandbox for platform/build.");
+    }
+#endif
+
    ProcessArchitecture currentArchitecture = base::GetCurrentProcessArchitecture();
    uint32_t containerArchitectures = GetSupportedArchitecturesForProcessType(GeckoProcessType_Plugin);

--- a/dom/plugins/ipc/PluginProcessParent.h
+++ b/dom/plugins/ipc/PluginProcessParent.h
@ -50,8 +50,11 @@ public:
     *
     * @param aLaunchCompleteTask Task that is executed on the main
     * thread once the asynchonous launch has completed.
+     * @param aEnableSandbox Enables a process sandbox if one is available for
+     * this platform/build. Will assert if true passed and one is not available.
     */
-    bool Launch(UniquePtr<LaunchCompleteTask> aLaunchCompleteTask = UniquePtr<LaunchCompleteTask>());
+    bool Launch(UniquePtr<LaunchCompleteTask> aLaunchCompleteTask = UniquePtr<LaunchCompleteTask>(),
+                bool aEnableSandbox = false);

    void Delete();

--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@ -97,6 +97,7 @@ GeckoChildProcessHost::GeckoChildProcessHost(GeckoProcessType aProcessType,
    mDelegate(nullptr),
 #if defined(MOZ_SANDBOX) && defined(XP_WIN)
    mEnableSandboxLogging(false),
+    mEnableNPAPISandbox(false),
 #if defined(MOZ_CONTENT_SANDBOX)
    mMoreStrictContentSandbox(false),
 #endif
@ -813,7 +814,8 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
 #endif // MOZ_CONTENT_SANDBOX
      break;
    case GeckoProcessType_Plugin:
-      if (!PR_GetEnv("MOZ_DISABLE_NPAPI_SANDBOX")) {
+      if (mEnableNPAPISandbox &&
+          !PR_GetEnv("MOZ_DISABLE_NPAPI_SANDBOX")) {
        mSandboxBroker.SetSecurityLevelForPluginProcess();
        cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
        shouldSandboxCurrentProcess = true;
--- a/ipc/glue/GeckoChildProcessHost.h
+++ b/ipc/glue/GeckoChildProcessHost.h
@ -172,6 +172,11 @@ protected:
  SandboxBroker mSandboxBroker;
  std::vector<std::wstring> mAllowedFilesRead;
  bool mEnableSandboxLogging;
+
+  // XXX: Bug 1124167: We should get rid of the process specific logic for
+  // sandboxing in this class at some point. Unfortunately it will take a bit
+  // of reorganizing so I don't think this patch is the right time.
+  bool mEnableNPAPISandbox;
 #if defined(MOZ_CONTENT_SANDBOX)
  bool mMoreStrictContentSandbox;
 #endif