Bug 985227 - Part 2: Flatten out the #define maze in the seccomp filter. r=kang

2024-09-13 09:24:08 -07:00 · 2014-03-20 10:19:42 -04:00 · 2014-03-20 10:19:42 -04:00 · d43d0dfdd4
commit d43d0dfdd4
parent a66e7db1f0
1 changed files with 226 additions and 286 deletions
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@ -15,295 +15,235 @@

 namespace mozilla {

-/* Architecture-specific frequently used syscalls */
-#if defined(__arm__)
-#define SECCOMP_WHITELIST_ARCH_HIGH \
-  ALLOW_SYSCALL(recvmsg), \
-  ALLOW_SYSCALL(sendmsg), \
-  ALLOW_SYSCALL(mmap2),
-#elif defined(__i386__)
-#define SECCOMP_WHITELIST_ARCH_HIGH \
-  ALLOW_SYSCALL(ipc), \
-  ALLOW_SYSCALL(mmap2),
-#elif defined(__x86_64__)
-#define SECCOMP_WHITELIST_ARCH_HIGH \
-  ALLOW_SYSCALL(recvmsg), \
-  ALLOW_SYSCALL(sendmsg),
-#else
-#define SECCOMP_WHITELIST_ARCH_HIGH
-#endif
-
-/* Architecture-specific infrequently used syscalls */
-#if defined(__arm__)
-#define SECCOMP_WHITELIST_ARCH_LOW \
-  ALLOW_SYSCALL(_newselect), \
-  ALLOW_SYSCALL(_llseek), \
-  ALLOW_SYSCALL(getuid32), \
-  ALLOW_SYSCALL(geteuid32), \
-  ALLOW_SYSCALL(sigreturn), \
-  ALLOW_SYSCALL(fcntl64),
-#elif defined(__i386__)
-#define SECCOMP_WHITELIST_ARCH_LOW \
-  ALLOW_SYSCALL(_newselect), \
-  ALLOW_SYSCALL(_llseek), \
-  ALLOW_SYSCALL(getuid32), \
-  ALLOW_SYSCALL(geteuid32), \
-  ALLOW_SYSCALL(sigreturn), \
-  ALLOW_SYSCALL(fcntl64),
-#else
-#define SECCOMP_WHITELIST_ARCH_LOW \
-  ALLOW_SYSCALL(select),
-#endif
-
-/* Architecture-specific very infrequently used syscalls */
-#if defined(__arm__)
-#define SECCOMP_WHITELIST_ARCH_LAST \
-  ALLOW_SYSCALL(sigaction), \
-  ALLOW_SYSCALL(rt_sigaction), \
-  ALLOW_ARM_SYSCALL(breakpoint), \
-  ALLOW_ARM_SYSCALL(cacheflush), \
-  ALLOW_ARM_SYSCALL(usr26), \
-  ALLOW_ARM_SYSCALL(usr32), \
-  ALLOW_ARM_SYSCALL(set_tls),
-#elif defined(__i386__)
-#define SECCOMP_WHITELIST_ARCH_LAST \
-  ALLOW_SYSCALL(sigaction), \
-  ALLOW_SYSCALL(rt_sigaction),
-#elif defined(__x86_64__)
-#define SECCOMP_WHITELIST_ARCH_LAST \
-  ALLOW_SYSCALL(rt_sigaction),
-#else
-#define SECCOMP_WHITELIST_ARCH_LAST
-#endif
-
-/* System calls used by the profiler */
-#ifdef MOZ_PROFILING
-#define SECCOMP_WHITELIST_PROFILING \
-  ALLOW_SYSCALL(tgkill),
-#else
-#define SECCOMP_WHITELIST_PROFILING
-#endif
-
-/* Architecture-specific syscalls that should eventually be removed */
-#if defined(__arm__)
-#define SECCOMP_WHITELIST_ARCH_TOREMOVE \
-  ALLOW_SYSCALL(fstat64), \
-  ALLOW_SYSCALL(stat64), \
-  ALLOW_SYSCALL(lstat64), \
-  ALLOW_SYSCALL(socketpair), \
-  ALLOW_SYSCALL(sigprocmask), \
-  DENY_SYSCALL(socket, EACCES),
-#elif defined(__i386__)
-#define SECCOMP_WHITELIST_ARCH_TOREMOVE \
-  ALLOW_SYSCALL(fstat64), \
-  ALLOW_SYSCALL(stat64), \
-  ALLOW_SYSCALL(lstat64), \
-  ALLOW_SYSCALL(sigprocmask),
-#else
-#define SECCOMP_WHITELIST_ARCH_TOREMOVE \
-  ALLOW_SYSCALL(socketpair), \
-  DENY_SYSCALL(socket, EACCES),
-#endif
-
-/* Architecture-specific syscalls for desktop linux */
-#if defined(__arm__)
-#define SECCOMP_WHITELIST_ARCH_DESKTOP_LINUX
-#elif defined(__i386__)
-#define SECCOMP_WHITELIST_ARCH_DESKTOP_LINUX
-#elif defined(__x86_64__)
-#define SECCOMP_WHITELIST_ARCH_DESKTOP_LINUX
-#else
-#define SECCOMP_WHITELIST_ARCH_DESKTOP_LINUX
-#endif
-
-/* Architecture-specific syscalls for B2G */
-#if defined(__i386__)
-#define SECCOMP_WHITELIST_ARCH_B2G_LOW
-#else
-#define SECCOMP_WHITELIST_ARCH_B2G_LOW \
-  ALLOW_SYSCALL(sendto), \
-  ALLOW_SYSCALL(recvfrom),
-#endif
-
-/* B2G specific syscalls */
-#if defined(MOZ_B2G)
-
-#define SECCOMP_WHITELIST_B2G_HIGH \
-  ALLOW_SYSCALL(clock_gettime), \
-  ALLOW_SYSCALL(epoll_wait), \
-  ALLOW_SYSCALL(gettimeofday),
-
-#define SECCOMP_WHITELIST_B2G_MED \
-  ALLOW_SYSCALL(getpid), \
-  ALLOW_SYSCALL(rt_sigreturn), \
-  ALLOW_SYSCALL(poll),
-
-#define SECCOMP_WHITELIST_B2G_LOW \
-  SECCOMP_WHITELIST_ARCH_B2G_LOW \
-  ALLOW_SYSCALL(getdents64), \
-  ALLOW_SYSCALL(epoll_ctl), \
-  ALLOW_SYSCALL(sched_yield), \
-  ALLOW_SYSCALL(sched_getscheduler), \
-  ALLOW_SYSCALL(sched_setscheduler), \
-  ALLOW_SYSCALL(sigaltstack),
-
-#else
-#define SECCOMP_WHITELIST_B2G_HIGH
-#define SECCOMP_WHITELIST_B2G_MED
-#define SECCOMP_WHITELIST_B2G_LOW
-#endif
-/* End of B2G specific syscalls */
-
-
-/* Desktop Linux specific syscalls */
-#if defined(MOZ_CONTENT_SANDBOX) && !defined(MOZ_B2G) && defined(XP_UNIX) && !defined(XP_MACOSX)
-
-/* We should remove all of the following in the future (possibly even more) */
-#define SECCOMP_WHITELIST_DESKTOP_LINUX_TO_REMOVE \
-  ALLOW_SYSCALL(socket), \
-  ALLOW_SYSCALL(chmod), \
-  ALLOW_SYSCALL(execve), \
-  ALLOW_SYSCALL(rename), \
-  ALLOW_SYSCALL(symlink), \
-  ALLOW_SYSCALL(connect), \
-  ALLOW_SYSCALL(quotactl), \
-  ALLOW_SYSCALL(kill), \
-  ALLOW_SYSCALL(sendto),
-
-#define SECCOMP_WHITELIST_DESKTOP_LINUX \
-  SECCOMP_WHITELIST_ARCH_DESKTOP_LINUX \
-  ALLOW_SYSCALL(stat), \
-  ALLOW_SYSCALL(getdents), \
-  ALLOW_SYSCALL(lstat), \
-  ALLOW_SYSCALL(mmap), \
-  ALLOW_SYSCALL(openat), \
-  ALLOW_SYSCALL(fcntl), \
-  ALLOW_SYSCALL(fstat), \
-  ALLOW_SYSCALL(readlink), \
-  ALLOW_SYSCALL(getsockname), \
-  /* duplicate rt_sigaction in SECCOMP_WHITELIST_PROFILING */ \
-  ALLOW_SYSCALL(rt_sigaction), \
-  ALLOW_SYSCALL(getuid), \
-  ALLOW_SYSCALL(geteuid), \
-  ALLOW_SYSCALL(mkdir), \
-  ALLOW_SYSCALL(getcwd), \
-  ALLOW_SYSCALL(readahead), \
-  ALLOW_SYSCALL(pread64), \
-  ALLOW_SYSCALL(statfs), \
-  ALLOW_SYSCALL(pipe), \
-  ALLOW_SYSCALL(ftruncate), \
-  ALLOW_SYSCALL(getrlimit), \
-  ALLOW_SYSCALL(shutdown), \
-  ALLOW_SYSCALL(getpeername), \
-  ALLOW_SYSCALL(eventfd2), \
-  ALLOW_SYSCALL(clock_getres), \
-  ALLOW_SYSCALL(sysinfo), \
-  ALLOW_SYSCALL(getresuid), \
-  ALLOW_SYSCALL(umask), \
-  ALLOW_SYSCALL(getresgid), \
-  ALLOW_SYSCALL(poll), \
-  ALLOW_SYSCALL(getegid), \
-  ALLOW_SYSCALL(inotify_init1), \
-  ALLOW_SYSCALL(wait4), \
-  ALLOW_SYSCALL(shmctl), \
-  ALLOW_SYSCALL(set_robust_list), \
-  ALLOW_SYSCALL(rmdir), \
-  ALLOW_SYSCALL(recvfrom), \
-  ALLOW_SYSCALL(shmdt), \
-  ALLOW_SYSCALL(pipe2), \
-  ALLOW_SYSCALL(setsockopt), \
-  ALLOW_SYSCALL(shmat), \
-  ALLOW_SYSCALL(set_tid_address), \
-  ALLOW_SYSCALL(inotify_add_watch), \
-  ALLOW_SYSCALL(rt_sigprocmask), \
-  ALLOW_SYSCALL(shmget), \
-  ALLOW_SYSCALL(getgid), \
-  ALLOW_SYSCALL(utime), \
-  ALLOW_SYSCALL(arch_prctl), \
-  ALLOW_SYSCALL(sched_getaffinity), \
-  SECCOMP_WHITELIST_DESKTOP_LINUX_TO_REMOVE
-#else
-#define SECCOMP_WHITELIST_DESKTOP_LINUX
-#endif
-/* End of Desktop Linux specific syscalls */
-
-
-/* Most used system calls should be at the top of the whitelist
- * for performance reasons. The whitelist BPF filter exits after
- * processing any ALLOW_SYSCALL macro.
- *
- * How are those syscalls found?
- * 1) via strace -p <child pid> or/and
- * 2) with MOZ_CONTENT_SANDBOX_REPORTER set, the child will report which system call
- *    has been denied by seccomp-bpf, just before exiting, via NSPR.
- * System call number to name mapping is found in:
- * bionic/libc/kernel/arch-arm/asm/unistd.h
- * or your libc's unistd.h/kernel headers.
- *
- * Current list order has been optimized through manual guess-work.
- * It could be further optimized by analyzing the output of:
- * 'strace -c -p <child pid>' for most used web apps.
- */
-#define SECCOMP_WHITELIST \
-  /* These are calls we're ok to allow */ \
-  ALLOW_SYSCALL(futex), \
-  SECCOMP_WHITELIST_ARCH_HIGH \
-  SECCOMP_WHITELIST_B2G_HIGH \
-  ALLOW_SYSCALL(read), \
-  ALLOW_SYSCALL(write), \
-  ALLOW_SYSCALL(lseek), \
-  /* ioctl() is for GL. Remove when GL proxy is implemented.
-   * Additionally ioctl() might be a place where we want to have
-   * argument filtering */ \
-  ALLOW_SYSCALL(ioctl), \
-  ALLOW_SYSCALL(close), \
-  ALLOW_SYSCALL(munmap), \
-  ALLOW_SYSCALL(mprotect), \
-  ALLOW_SYSCALL(writev), \
-  ALLOW_SYSCALL(clone), \
-  ALLOW_SYSCALL(brk), \
-  SECCOMP_WHITELIST_B2G_MED \
-  ALLOW_SYSCALL(gettid), \
-  ALLOW_SYSCALL(getrusage), \
-  ALLOW_SYSCALL(madvise), \
-  ALLOW_SYSCALL(dup), \
-  ALLOW_SYSCALL(nanosleep), \
-  SECCOMP_WHITELIST_ARCH_LOW \
-  /* Must remove all of the following in the future, when no longer used */ \
-  /* open() is for some legacy APIs such as font loading. */ \
-  /* See bug 906996 for removing unlink(). */ \
-  SECCOMP_WHITELIST_ARCH_TOREMOVE \
-  ALLOW_SYSCALL(open), \
-  ALLOW_SYSCALL(readlink), /* Workaround for bug 964455 */ \
-  ALLOW_SYSCALL(prctl), \
-  ALLOW_SYSCALL(access), \
-  ALLOW_SYSCALL(unlink), \
-  ALLOW_SYSCALL(fsync), \
-  ALLOW_SYSCALL(msync), \
-  /* Should remove all of the following in the future, if possible */ \
-  ALLOW_SYSCALL(getpriority), \
-  ALLOW_SYSCALL(sched_get_priority_min), \
-  ALLOW_SYSCALL(sched_get_priority_max), \
-  ALLOW_SYSCALL(setpriority), \
-  SECCOMP_WHITELIST_PROFILING \
-  SECCOMP_WHITELIST_B2G_LOW \
-  /* Always last and always OK calls */ \
-  SECCOMP_WHITELIST_ARCH_LAST \
-  /* restart_syscall is called internally, generally when debugging */ \
-  ALLOW_SYSCALL(restart_syscall), \
-  /* linux desktop is not as performance critical as B2G */ \
-  /* we can place desktop syscalls at the end */ \
-  SECCOMP_WHITELIST_DESKTOP_LINUX \
-  /* nsSystemInfo uses uname (and we cache an instance, so */ \
-  /* the info remains present even if we block the syscall) */ \
-  ALLOW_SYSCALL(uname), \
-  ALLOW_SYSCALL(exit_group), \
-  ALLOW_SYSCALL(exit)
-
 static struct sock_filter seccomp_filter[] = {
  VALIDATE_ARCHITECTURE,
  EXAMINE_SYSCALL,
-  SECCOMP_WHITELIST,
+
+  /* Most used system calls should be at the top of the whitelist
+   * for performance reasons. The whitelist BPF filter exits after
+   * processing any ALLOW_SYSCALL macro.
+   *
+   * How are those syscalls found?
+   * 1) via strace -p <child pid> or/and
+   * 2) with MOZ_CONTENT_SANDBOX_REPORTER set, the child will report which system call
+   *    has been denied by seccomp-bpf, just before exiting, via NSPR.
+   * System call number to name mapping is found in:
+   * bionic/libc/kernel/arch-arm/asm/unistd.h
+   * or your libc's unistd.h/kernel headers.
+   *
+   * Current list order has been optimized through manual guess-work.
+   * It could be further optimized by analyzing the output of:
+   * 'strace -c -p <child pid>' for most used web apps.
+   */
+
+  ALLOW_SYSCALL(futex),
+
+  /* Architecture-specific frequently used syscalls */
+#if defined(__arm__)
+  ALLOW_SYSCALL(recvmsg),
+  ALLOW_SYSCALL(sendmsg),
+  ALLOW_SYSCALL(mmap2),
+#elif defined(__i386__)
+  ALLOW_SYSCALL(ipc),
+  ALLOW_SYSCALL(mmap2),
+#elif defined(__x86_64__)
+  ALLOW_SYSCALL(recvmsg),
+  ALLOW_SYSCALL(sendmsg),
+#endif
+
+  /* B2G specific high-frequency syscalls */
+#ifdef MOZ_WIDGET_GONK
+  ALLOW_SYSCALL(clock_gettime),
+  ALLOW_SYSCALL(epoll_wait),
+  ALLOW_SYSCALL(gettimeofday),
+#endif
+  ALLOW_SYSCALL(read),
+  ALLOW_SYSCALL(write),
+  ALLOW_SYSCALL(lseek),
+
+  /* ioctl() is for GL. Remove when GL proxy is implemented.
+   * Additionally ioctl() might be a place where we want to have
+   * argument filtering */
+  ALLOW_SYSCALL(ioctl),
+  ALLOW_SYSCALL(close),
+  ALLOW_SYSCALL(munmap),
+  ALLOW_SYSCALL(mprotect),
+  ALLOW_SYSCALL(writev),
+  ALLOW_SYSCALL(clone),
+  ALLOW_SYSCALL(brk),
+
+  /* B2G specific medium-frequency syscalls */
+#ifdef MOZ_WIDGET_GONK
+  ALLOW_SYSCALL(getpid),
+  ALLOW_SYSCALL(rt_sigreturn),
+#endif
+  ALLOW_SYSCALL(poll),
+  ALLOW_SYSCALL(gettid),
+  ALLOW_SYSCALL(getrusage),
+  ALLOW_SYSCALL(madvise),
+  ALLOW_SYSCALL(dup),
+  ALLOW_SYSCALL(nanosleep),
+
+  /* Architecture-specific infrequently used syscalls */
+#if defined(__arm__)
+  ALLOW_SYSCALL(_newselect),
+  ALLOW_SYSCALL(_llseek),
+  ALLOW_SYSCALL(getuid32),
+  ALLOW_SYSCALL(geteuid32),
+  ALLOW_SYSCALL(sigreturn),
+  ALLOW_SYSCALL(fcntl64),
+#elif defined(__i386__)
+  ALLOW_SYSCALL(_newselect),
+  ALLOW_SYSCALL(_llseek),
+  ALLOW_SYSCALL(getuid32),
+  ALLOW_SYSCALL(geteuid32),
+  ALLOW_SYSCALL(sigreturn),
+  ALLOW_SYSCALL(fcntl64),
+#else
+  ALLOW_SYSCALL(select),
+#endif
+
+  /* Must remove all of the following in the future, when no longer used */
+  /* open() is for some legacy APIs such as font loading. */
+  /* See bug 906996 for removing unlink(). */
+#if defined(__arm__)
+  ALLOW_SYSCALL(fstat64),
+  ALLOW_SYSCALL(stat64),
+  ALLOW_SYSCALL(lstat64),
+  ALLOW_SYSCALL(socketpair),
+  ALLOW_SYSCALL(sigprocmask),
+  DENY_SYSCALL(socket, EACCES),
+#elif defined(__i386__)
+  ALLOW_SYSCALL(fstat64),
+  ALLOW_SYSCALL(stat64),
+  ALLOW_SYSCALL(lstat64),
+  ALLOW_SYSCALL(sigprocmask),
+#else
+  ALLOW_SYSCALL(socketpair),
+  DENY_SYSCALL(socket, EACCES),
+#endif
+  ALLOW_SYSCALL(open),
+  ALLOW_SYSCALL(readlink), /* Workaround for bug 964455 */
+  ALLOW_SYSCALL(prctl),
+  ALLOW_SYSCALL(access),
+  ALLOW_SYSCALL(unlink),
+  ALLOW_SYSCALL(fsync),
+  ALLOW_SYSCALL(msync),
+
+  /* Should remove all of the following in the future, if possible */
+  ALLOW_SYSCALL(getpriority),
+  ALLOW_SYSCALL(sched_get_priority_min),
+  ALLOW_SYSCALL(sched_get_priority_max),
+  ALLOW_SYSCALL(setpriority),
+
+  /* System calls used by the profiler */
+#ifdef MOZ_PROFILING
+  ALLOW_SYSCALL(tgkill),
+#endif
+
+  /* B2G specific low-frequency syscalls */
+#ifdef MOZ_WIDGET_GONK
+#if !defined(__i386__)
+  ALLOW_SYSCALL(sendto),
+  ALLOW_SYSCALL(recvfrom),
+#endif
+  ALLOW_SYSCALL(getdents64),
+  ALLOW_SYSCALL(epoll_ctl),
+  ALLOW_SYSCALL(sched_yield),
+  ALLOW_SYSCALL(sched_getscheduler),
+  ALLOW_SYSCALL(sched_setscheduler),
+#endif
+
+  /* Always last and always OK calls */
+  /* Architecture-specific very infrequently used syscalls */
+#if defined(__arm__)
+  ALLOW_SYSCALL(sigaction),
+  ALLOW_SYSCALL(rt_sigaction),
+  ALLOW_ARM_SYSCALL(breakpoint),
+  ALLOW_ARM_SYSCALL(cacheflush),
+  ALLOW_ARM_SYSCALL(usr26),
+  ALLOW_ARM_SYSCALL(usr32),
+  ALLOW_ARM_SYSCALL(set_tls),
+#elif defined(__i386__)
+  ALLOW_SYSCALL(sigaction),
+  ALLOW_SYSCALL(rt_sigaction),
+#elif defined(__x86_64__)
+  ALLOW_SYSCALL(rt_sigaction),
+#endif
+
+  /* restart_syscall is called internally, generally when debugging */
+  ALLOW_SYSCALL(restart_syscall),
+
+  /* linux desktop is not as performance critical as B2G */
+  /* we can place desktop syscalls at the end */
+#ifndef MOZ_WIDGET_GONK
+  ALLOW_SYSCALL(stat),
+  ALLOW_SYSCALL(getdents),
+  ALLOW_SYSCALL(lstat),
+  ALLOW_SYSCALL(mmap),
+  ALLOW_SYSCALL(openat),
+  ALLOW_SYSCALL(fcntl),
+  ALLOW_SYSCALL(fstat),
+  ALLOW_SYSCALL(readlink),
+  ALLOW_SYSCALL(getsockname),
+  /* duplicate rt_sigaction in SECCOMP_WHITELIST_PROFILING */
+  ALLOW_SYSCALL(rt_sigaction),
+  ALLOW_SYSCALL(getuid),
+  ALLOW_SYSCALL(geteuid),
+  ALLOW_SYSCALL(mkdir),
+  ALLOW_SYSCALL(getcwd),
+  ALLOW_SYSCALL(readahead),
+  ALLOW_SYSCALL(pread64),
+  ALLOW_SYSCALL(statfs),
+  ALLOW_SYSCALL(pipe),
+  ALLOW_SYSCALL(ftruncate),
+  ALLOW_SYSCALL(getrlimit),
+  ALLOW_SYSCALL(shutdown),
+  ALLOW_SYSCALL(getpeername),
+  ALLOW_SYSCALL(eventfd2),
+  ALLOW_SYSCALL(clock_getres),
+  ALLOW_SYSCALL(sysinfo),
+  ALLOW_SYSCALL(getresuid),
+  ALLOW_SYSCALL(umask),
+  ALLOW_SYSCALL(getresgid),
+  ALLOW_SYSCALL(poll),
+  ALLOW_SYSCALL(getegid),
+  ALLOW_SYSCALL(inotify_init1),
+  ALLOW_SYSCALL(wait4),
+  ALLOW_SYSCALL(shmctl),
+  ALLOW_SYSCALL(set_robust_list),
+  ALLOW_SYSCALL(rmdir),
+  ALLOW_SYSCALL(recvfrom),
+  ALLOW_SYSCALL(shmdt),
+  ALLOW_SYSCALL(pipe2),
+  ALLOW_SYSCALL(setsockopt),
+  ALLOW_SYSCALL(shmat),
+  ALLOW_SYSCALL(set_tid_address),
+  ALLOW_SYSCALL(inotify_add_watch),
+  ALLOW_SYSCALL(rt_sigprocmask),
+  ALLOW_SYSCALL(shmget),
+  ALLOW_SYSCALL(getgid),
+  ALLOW_SYSCALL(utime),
+  ALLOW_SYSCALL(arch_prctl),
+  ALLOW_SYSCALL(sched_getaffinity),
+  /* We should remove all of the following in the future (possibly even more) */
+  ALLOW_SYSCALL(socket),
+  ALLOW_SYSCALL(chmod),
+  ALLOW_SYSCALL(execve),
+  ALLOW_SYSCALL(rename),
+  ALLOW_SYSCALL(symlink),
+  ALLOW_SYSCALL(connect),
+  ALLOW_SYSCALL(quotactl),
+  ALLOW_SYSCALL(kill),
+  ALLOW_SYSCALL(sendto),
+#endif
+
+  /* nsSystemInfo uses uname (and we cache an instance, so */
+  /* the info remains present even if we block the syscall) */
+  ALLOW_SYSCALL(uname),
+  ALLOW_SYSCALL(exit_group),
+  ALLOW_SYSCALL(exit),
+
 #ifdef MOZ_CONTENT_SANDBOX_REPORTER
  TRAP_PROCESS,
 #else