wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Backout changeset 9a57f0f347e3 for insufficient review.

Browse Source
This commit is contained in:
Ms2ger 2013-08-13 13:30:00 +02:00
parent 924122577c
commit f9ca076cae
20 changed files with 0 additions and 4889 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
build/dumbmake-dependencies
View File

@ -1,7 +1,4 @@
toolkit/library
dom
ipc
security/sandbox
ipc
netwerk/build
netwerk

28
configure.in
View File

@ -4213,8 +4213,6 @@ MOZ_TIME_MANAGER=
MOZ_PAY=
MOZ_AUDIO_CHANNEL_MANAGER=
NSS_NO_LIBPKIX=
MOZ_CONTENT_SANDBOX=
MOZ_CONTENT_SANDBOX_REPORTER=
case "$target_os" in
mingw*)
@ -6498,32 +6496,6 @@ if test -n "$NSS_NO_LIBPKIX"; then
fi
AC_SUBST(NSS_NO_LIBPKIX)
dnl ========================================================
dnl = Content process sandboxing
dnl ========================================================
if test -n "$gonkdir"; then
MOZ_CONTENT_SANDBOX=1
fi
MOZ_ARG_ENABLE_BOOL(content-sandbox,
[ --enable-content-sandbox Enable sandboxing support for content-processes],
MOZ_CONTENT_SANDBOX=1)
if test -n "$MOZ_CONTENT_SANDBOX"; then
AC_DEFINE(MOZ_CONTENT_SANDBOX)
fi
AC_SUBST(MOZ_CONTENT_SANDBOX)
MOZ_ARG_ENABLE_BOOL(content-sandbox-reporter,
[ --enable-content-sandbox-reporter Enable syscall reporter to troubleshoot syscalls denied by the content-processes sandbox],
MOZ_CONTENT_SANDBOX_REPORTER=1)
if test -n "$MOZ_CONTENT_SANDBOX_REPORTER"; then
AC_DEFINE(MOZ_CONTENT_SANDBOX_REPORTER)
fi
AC_SUBST(MOZ_CONTENT_SANDBOX_REPORTER)
dnl ========================================================
dnl =

10
dom/ipc/ContentChild.cpp
View File

@ -30,9 +30,6 @@
#include "mozilla/layers/PCompositorChild.h"
#include "mozilla/net/NeckoChild.h"
#include "mozilla/Preferences.h"
#ifdef MOZ_CONTENT_SANDBOX
#include "mozilla/Sandbox.h"
#endif
#include "mozilla/unused.h"
#include "nsIMemoryReporter.h"
@ -549,13 +546,6 @@ ContentChild::RecvSetProcessPrivileges(const ChildPrivileges& aPrivs)
aPrivs;
// If this fails, we die.
SetCurrentProcessPrivileges(privs);
#ifdef MOZ_CONTENT_SANDBOX
// SetCurrentProcessSandbox should be moved close to process initialization
// time if/when possible. SetCurrentProcessPrivileges should probably be
// moved as well. Right now this is set ONLY if we receive the
// RecvSetProcessPrivileges message. See bug 880808.
SetCurrentProcessSandbox();
#endif
return true;
}

27
security/sandbox/LICENSE
View File

@ -1,27 +0,0 @@
// Copyright (c) 2013 The Chromium Authors. All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived from
// this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

20
security/sandbox/Makefile.in
View File

@ -1,20 +0,0 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
DEPTH = @DEPTH@
topsrcdir = @top_srcdir@
srcdir = @srcdir@
VPATH = @srcdir@
include $(DEPTH)/config/autoconf.mk
LIBRARY_NAME = sandbox_s
LIBXUL_LIBRARY = 1
EXPORT_LIBRARY = 1
FAIL_ON_WARNINGS = 1
include $(topsrcdir)/config/config.mk
include $(topsrcdir)/ipc/chromium/chromium-config.mk
include $(topsrcdir)/config/rules.mk

182
security/sandbox/Sandbox.cpp
View File

@ -1,182 +0,0 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include <unistd.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <signal.h>
#include "mozilla/Util.h"
#if defined(ANDROID)
#include "android_ucontext.h"
#endif
#include "seccomp_filter.h"
#include "linux_seccomp.h"
#ifdef MOZ_LOGGING
#define FORCE_PR_LOG 1
#endif
#include "prlog.h"
namespace mozilla {
#ifdef PR_LOGGING
static PRLogModuleInfo* gSeccompSandboxLog;
#endif
struct sock_filter seccomp_filter[] = {
VALIDATE_ARCHITECTURE,
EXAMINE_SYSCALL,
SECCOMP_WHITELIST,
#ifdef MOZ_CONTENT_SANDBOX_REPORTER
TRAP_PROCESS,
#else
KILL_PROCESS,
#endif
};
struct sock_fprog seccomp_prog = {
len: (unsigned short)MOZ_ARRAY_LENGTH(seccomp_filter),
filter: seccomp_filter,
};
/**
* This is the SIGSYS handler function. It is used to report to the user
* which system call has been denied by Seccomp.
* This function also makes the process exit as denying the system call
* will otherwise generally lead to unexpected behavior from the process,
* since we don't know if all functions will handle such denials gracefully.
*
* @see InstallSyscallReporter() function.
*/
#ifdef MOZ_CONTENT_SANDBOX_REPORTER
static void
Reporter(int nr, siginfo_t *info, void *void_context)
{
ucontext_t *ctx = static_cast<ucontext_t*>(void_context);
unsigned int syscall, arg1;
if (nr != SIGSYS) {
return;
}
if (info->si_code != SYS_SECCOMP) {
return;
}
if (!ctx) {
return;
}
syscall = SECCOMP_SYSCALL(ctx);
arg1 = SECCOMP_PARM1(ctx);
PR_LOG(gSeccompSandboxLog, PR_LOG_ERROR, ("PID %u is missing syscall %u, arg1 %u\n", getpid(), syscall, arg1));
_exit(127);
}
/**
* The reporter is called when the process receives a SIGSYS signal.
* The signal is sent by the kernel when Seccomp encounter a system call
* that has not been allowed.
* We register an action for that signal (calling the Reporter function).
*
* This function should not be used in production and thus generally be
* called from debug code. In production, the process is directly killed.
* For this reason, the function is ifdef'd, as there is no reason to
* compile it while unused.
*
* @return 0 on success, -1 on failure.
* @see Reporter() function.
*/
static int
InstallSyscallReporter(void)
{
struct sigaction act;
sigset_t mask;
memset(&act, 0, sizeof(act));
sigemptyset(&mask);
sigaddset(&mask, SIGSYS);
act.sa_sigaction = &Reporter;
act.sa_flags = SA_SIGINFO | SA_NODEFER;
if (sigaction(SIGSYS, &act, NULL) < 0) {
return -1;
}
if (sigemptyset(&mask) ||
sigaddset(&mask, SIGSYS) ||
sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
return -1;
}
return 0;
}
#endif
/**
* This function installs the syscall filter, a.k.a. seccomp.
* PR_SET_NO_NEW_PRIVS ensures that it is impossible to grant more
* syscalls to the process beyond this point (even after fork()).
* SECCOMP_MODE_FILTER is the "bpf" mode of seccomp which allows
* to pass a bpf program (in our case, it contains a syscall
* whitelist).
*
* @return 0 on success, 1 on failure.
* @see sock_fprog (the seccomp_prog).
*/
static int
InstallSyscallFilter(void)
{
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
return 1;
}
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &seccomp_prog, 0, 0)) {
return 1;
}
return 0;
}
/**
* Starts the seccomp sandbox for this process.
* Generally called just after SetCurrentProcessPrivileges.
* Should be called only once, and before any potentially harmful content is loaded.
*
* Should normally make the process exit on failure.
*/
void
SetCurrentProcessSandbox(void)
{
#ifdef PR_LOGGING
if (!gSeccompSandboxLog) {
gSeccompSandboxLog = PR_NewLogModule("SeccompSandbox");
}
PR_ASSERT(gSeccompSandboxLog);
#endif
#ifdef MOZ_CONTENT_SANDBOX_REPORTER
if (InstallSyscallReporter()) {
PR_LOG(gSeccompSandboxLog, PR_LOG_ERROR, ("install_syscall_reporter() failed\n"));
/* This is disabled so that we do not exit if seccomp-bpf is not available
* This will be re-enabled when all B2G devices are required to support seccomp-bpf
* See bug 880797 for reversal
*/
/* _exit(127); */
}
#endif
if (InstallSyscallFilter()) {
PR_LOG(gSeccompSandboxLog, PR_LOG_ERROR, ("install_syscall_filter() failed\n"));
/* This is disabled so that we do not exit if seccomp-bpf is not available
* This will be re-enabled when all B2G devices are required to support seccomp-bpf
* See bug 880797 for reversal
*/
/* _exit(127); */
}
}
} // namespace mozilla

17
security/sandbox/Sandbox.h
View File

@ -1,17 +0,0 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef mozilla_Sandbox_h
#define mozilla_Sandbox_h
namespace mozilla {
void SetCurrentProcessSandbox(void);
} // namespace mozilla
#endif // mozilla_Sandbox_h

36
security/sandbox/android_arm_ucontext.h
View File

@ -1,36 +0,0 @@
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
/* This file has been imported from
* http://git.chromium.org/gitweb/?p=chromium.git;a=blob;f=sandbox/linux/services/android_arm_ucontext.h;hb=99b3e83972e478a42fa72da1ffefee58413e87d4
*/
#ifndef SANDBOX_LINUX_SERVICES_ANDROID_ARM_UCONTEXT_H_
#define SANDBOX_LINUX_SERVICES_ANDROID_ARM_UCONTEXT_H_
#if !defined(__BIONIC_HAVE_UCONTEXT_T)
#include <asm/sigcontext.h>
// We also need greg_t for the sandbox, include it in this header as well.
typedef unsigned long greg_t;
//typedef unsigned long sigset_t;
typedef struct ucontext {
unsigned long uc_flags;
struct ucontext *uc_link;
stack_t uc_stack;
struct sigcontext uc_mcontext;
sigset_t uc_sigmask;
/* Allow for uc_sigmask growth. Glibc uses a 1024-bit sigset_t. */
int __not_used[32 - (sizeof (sigset_t) / sizeof (int))];
/* Last for extensibility. Eight byte aligned because some
coprocessors require eight byte alignment. */
unsigned long uc_regspace[128] __attribute__((__aligned__(8)));
} ucontext_t;
#else
#include <sys/ucontext.h>
#endif // __BIONIC_HAVE_UCONTEXT_T
#endif // SANDBOX_LINUX_SERVICES_ANDROID_ARM_UCONTEXT_H_

83
security/sandbox/android_i386_ucontext.h
View File

@ -1,83 +0,0 @@
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
/* This file has been imported from
* http://git.chromium.org/gitweb/?p=chromium.git;a=blob;f=sandbox/linux/services/android_i386_ucontext.h;hb=99b3e83972e478a42fa72da1ffefee58413e87d4
*/
#ifndef SANDBOX_LINUX_SERVICES_ANDROID_I386_UCONTEXT_H_
#define SANDBOX_LINUX_SERVICES_ANDROID_I386_UCONTEXT_H_
// We do something compatible with glibc. Hopefully, at some point Android will
// provide that for us, and __BIONIC_HAVE_UCONTEXT_T should be defined.
// This is mostly copied from breakpad (common/android/include/sys/ucontext.h),
// except we do use sigset_t for uc_sigmask instead of a custom type.
#if !defined(__BIONIC_HAVE_UCONTEXT_T)
#include <asm/sigcontext.h>
/* 80-bit floating-point register */
struct _libc_fpreg {
unsigned short significand[4];
unsigned short exponent;
};
/* Simple floating-point state, see FNSTENV instruction */
struct _libc_fpstate {
unsigned long cw;
unsigned long sw;
unsigned long tag;
unsigned long ipoff;
unsigned long cssel;
unsigned long dataoff;
unsigned long datasel;
struct _libc_fpreg _st[8];
unsigned long status;
};
typedef uint32_t greg_t;
typedef struct {
uint32_t gregs[19];
struct _libc_fpstate* fpregs;
uint32_t oldmask;
uint32_t cr2;
} mcontext_t;
enum {
REG_GS = 0,
REG_FS,
REG_ES,
REG_DS,
REG_EDI,
REG_ESI,
REG_EBP,
REG_ESP,
REG_EBX,
REG_EDX,
REG_ECX,
REG_EAX,
REG_TRAPNO,
REG_ERR,
REG_EIP,
REG_CS,
REG_EFL,
REG_UESP,
REG_SS,
};
typedef struct ucontext {
uint32_t uc_flags;
struct ucontext* uc_link;
stack_t uc_stack;
mcontext_t uc_mcontext;
sigset_t uc_sigmask;
struct _libc_fpstate __fpregs_mem;
} ucontext_t;
#else
#include <sys/ucontext.h>
#endif // __BIONIC_HAVE_UCONTEXT_T
#endif // SANDBOX_LINUX_SERVICES_ANDROID_I386_UCONTEXT_H_

26
security/sandbox/android_ucontext.h
View File

@ -1,26 +0,0 @@
// Copyright (c) 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
/* This file has been imported from
* http://git.chromium.org/gitweb/?p=chromium.git;a=blob_plain;f=sandbox/linux/services/android_ucontext.h;hb=99b3e83972e478a42fa72da1ffefee58413e87d4
*/
#ifndef SANDBOX_LINUX_SERVICES_ANDROID_UCONTEXT_H_
#define SANDBOX_LINUX_SERVICES_ANDROID_UCONTEXT_H_
#if defined(__ANDROID__)
#if defined(__arm__)
#include "android_arm_ucontext.h"
#elif defined(__i386__)
#include "android_i386_ucontext.h"
#else
#error "No support for your architecture in Android header"
#endif
#else // __ANDROID__
#error "Android header file included on non Android."
#endif // __ANDROID__
#endif // SANDBOX_LINUX_SERVICES_ANDROID_UCONTEXT_H_

1381
security/sandbox/arm_linux_syscalls.h
View File

File diff suppressed because it is too large Load Diff

263
security/sandbox/linux_seccomp.h
View File

@ -1,263 +0,0 @@
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
/* This file has been initially imported from
* http://git.chromium.org/gitweb/?p=chromium.git;a=blob;f=sandbox/linux/seccomp-bpf/linux_seccomp.h;h=0de0259da39ecdb745e5923b9a6ff3961c13be00;hb=2362c9abea79cae475921bdeee58f9e3910d211c
*
* Contains code for macro for common filters from:
* http://outflux.net/teach-seccomp/step-5/seccomp-bpf.h
*
* Contains code for arch_seccomp_data and arch_sigsys from:
* http://git.chromium.org/gitweb/?p=chromium.git;a=blob;f=sandbox/linux/seccomp-bpf/sandbox_bpf.h;h=3d269916070c97b8be8938503b9b799f12d79ca6;hb=2362c9abea79cae475921bdeee58f9e3910d211c
*
* For more information about Seccomp, see also:
* Documentation/prctl/seccomp_filter.txt and
* samples/seccomp in the Linux kernel directory, for any kernel >= 3.5.0.
*/
#ifndef SANDBOX_LINUX_SECCOMP_BPF_LINUX_SECCOMP_H__
#define SANDBOX_LINUX_SECCOMP_BPF_LINUX_SECCOMP_H__
struct arch_seccomp_data {
int nr;
uint32_t arch;
uint64_t instruction_pointer;
uint64_t args[6];
};
struct arch_sigsys {
void *ip;
int nr;
unsigned int arch;
};
// The Seccomp2 kernel ABI is not part of older versions of glibc.
// As we can't break compilation with these versions of the library,
// we explicitly define all missing symbols.
// If we ever decide that we can now rely on system headers, the following
// include files should be enabled:
// #include <linux/audit.h>
// #include <linux/seccomp.h>
#include <asm/unistd.h>
#include <linux/filter.h>
// From <linux/elf.h> and <linux/audit.h>
// This is necessary as we can't expect recent audit headers.
#ifndef EM_ARM
#define EM_ARM 40
#endif
#ifndef EM_386
#define EM_386 3
#endif
#ifndef EM_X86_64
#define EM_X86_64 62
#endif
#ifndef __AUDIT_ARCH_64BIT
#define __AUDIT_ARCH_64BIT 0x80000000
#endif
#ifndef __AUDIT_ARCH_LE
#define __AUDIT_ARCH_LE 0x40000000
#endif
#ifndef AUDIT_ARCH_ARM
#define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
#endif
#ifndef AUDIT_ARCH_I386
#define AUDIT_ARCH_I386 (EM_386|__AUDIT_ARCH_LE)
#endif
#ifndef AUDIT_ARCH_X86_64
#define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#endif
// From <linux/prctl.h>
// This is necessary as we can't expect recent prctl headers.
#ifndef PR_SET_SECCOMP
#define PR_SET_SECCOMP 22
#define PR_GET_SECCOMP 21
#endif
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#define PR_GET_NO_NEW_PRIVS 39
#endif
#ifndef IPC_64
#define IPC_64 0x0100
#endif
#ifndef BPF_MOD
#define BPF_MOD 0x90
#endif
#ifndef BPF_XOR
#define BPF_XOR 0xA0
#endif
// From <linux/seccomp.h>
// This is necessary as we can't expect recent seccomp headers.
#ifndef SECCOMP_MODE_FILTER
#define SECCOMP_MODE_DISABLED 0
#define SECCOMP_MODE_STRICT 1
#define SECCOMP_MODE_FILTER 2 // User user-supplied filter (seccomp-bpf)
#endif
#ifndef SECCOMP_RET_KILL
// Return values supported for BPF filter programs. Please note that the
// "illegal" SECCOMP_RET_INVALID is not supported by the kernel, should only
// ever be used internally, and would result in the kernel killing our process.
#define SECCOMP_RET_KILL 0x00000000U // Kill the task immediately
#define SECCOMP_RET_INVALID 0x00010000U // Illegal return value
#define SECCOMP_RET_TRAP 0x00030000U // Disallow and force a SIGSYS
#define SECCOMP_RET_ERRNO 0x00050000U // Returns an errno
#define SECCOMP_RET_TRACE 0x7ff00000U // Pass to a tracer or disallow
#define SECCOMP_RET_ALLOW 0x7fff0000U // Allow
#define SECCOMP_RET_ACTION 0xffff0000U // Masks for the return value
#define SECCOMP_RET_DATA 0x0000ffffU // sections
#else
#define SECCOMP_RET_INVALID 0x00010000U // Illegal return value
#endif
#ifndef SYS_SECCOMP
#define SYS_SECCOMP 1
#endif
// Impose some reasonable maximum BPF program size. Realistically, the
// kernel probably has much lower limits. But by limiting to less than
// 30 bits, we can ease requirements on some of our data types.
#define SECCOMP_MAX_PROGRAM_SIZE (1<<30)
#if defined(__i386__)
#define MIN_SYSCALL 0u
#define MAX_PUBLIC_SYSCALL 1024u
#define MAX_SYSCALL MAX_PUBLIC_SYSCALL
#define SECCOMP_ARCH AUDIT_ARCH_I386
#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
#define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, REG_EAX)
#define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, REG_EAX)
#define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, REG_EIP)
#define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, REG_EBX)
#define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, REG_ECX)
#define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, REG_EDX)
#define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, REG_ESI)
#define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, REG_EDI)
#define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, REG_EBP)
#define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
#define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
#define SECCOMP_IP_MSB_IDX (offsetof(struct arch_seccomp_data, \
instruction_pointer) + 4)
#define SECCOMP_IP_LSB_IDX (offsetof(struct arch_seccomp_data, \
instruction_pointer) + 0)
#define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
8*(nr) + 4)
#define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
8*(nr) + 0)
#elif defined(__x86_64__)
#define MIN_SYSCALL 0u
#define MAX_PUBLIC_SYSCALL 1024u
#define MAX_SYSCALL MAX_PUBLIC_SYSCALL
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
#define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, REG_RAX)
#define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, REG_RAX)
#define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, REG_RIP)
#define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, REG_RDI)
#define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, REG_RSI)
#define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, REG_RDX)
#define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, REG_R10)
#define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, REG_R8)
#define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, REG_R9)
#define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
#define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
#define SECCOMP_IP_MSB_IDX (offsetof(struct arch_seccomp_data, \
instruction_pointer) + 4)
#define SECCOMP_IP_LSB_IDX (offsetof(struct arch_seccomp_data, \
instruction_pointer) + 0)
#define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
8*(nr) + 4)
#define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
8*(nr) + 0)
#elif defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))
// ARM EABI includes "ARM private" system calls starting at |__ARM_NR_BASE|,
// and a "ghost syscall private to the kernel", cmpxchg,
// at |__ARM_NR_BASE+0x00fff0|.
// See </arch/arm/include/asm/unistd.h> in the Linux kernel.
#define MIN_SYSCALL ((unsigned int)__NR_SYSCALL_BASE)
#define MAX_PUBLIC_SYSCALL (MIN_SYSCALL + 1024u)
#define MIN_PRIVATE_SYSCALL ((unsigned int)__ARM_NR_BASE)
#define MAX_PRIVATE_SYSCALL (MIN_PRIVATE_SYSCALL + 16u)
#define MIN_GHOST_SYSCALL ((unsigned int)__ARM_NR_BASE + 0xfff0u)
#define MAX_SYSCALL (MIN_GHOST_SYSCALL + 4u)
#define SECCOMP_ARCH AUDIT_ARCH_ARM
// ARM sigcontext_t is different from i386/x86_64.
// See </arch/arm/include/asm/sigcontext.h> in the Linux kernel.
#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.arm_##_reg)
// ARM EABI syscall convention.
#define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, r0)
#define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, r7)
#define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, pc)
#define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, r0)
#define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, r1)
#define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, r2)
#define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, r3)
#define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, r4)
#define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, r5)
#define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
#define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
#define SECCOMP_IP_MSB_IDX (offsetof(struct arch_seccomp_data, \
instruction_pointer) + 4)
#define SECCOMP_IP_LSB_IDX (offsetof(struct arch_seccomp_data, \
instruction_pointer) + 0)
#define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
8*(nr) + 4)
#define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
8*(nr) + 0)
#else
#error Unsupported target platform
#endif
/* Macros to common filters */
#define VALIDATE_ARCHITECTURE \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, SECCOMP_ARCH_IDX), \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_ARCH, 1, 0), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
#define EXAMINE_SYSCALL \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, SECCOMP_NR_IDX)
#define ALLOW_SYSCALL(name) \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
#if defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))
#define ALLOW_ARM_SYSCALL(name) \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __ARM_NR_##name, 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
#endif
#define DENY_SYSCALL(name) \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
#define KILL_PROCESS \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
#define TRAP_PROCESS \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
#define ALLOW_PROCESS \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
#define TRACE_PROCESS \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRACE)
#define ERRNO_PROCESS \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO)
#endif // SANDBOX_LINUX_SECCOMP_BPF_LINUX_SECCOMP_H__

29
security/sandbox/linux_syscalls.h
View File

@ -1,29 +0,0 @@
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
/* This file has been imported from
* http://git.chromium.org/gitweb/?p=chromium.git;a=blob_plain;f=sandbox/linux/services/linux_syscalls.h;h=77c1be8b82a0fe4aca308ca40547ebf7a008d24a;hb=2362c9abea79cae475921bdeee58f9e3910d211c
*/
// This header will be kept up to date so that we can compile system-call
// policies even when system headers are old.
// System call numbers are accessible through __NR_syscall_name.
#ifndef SANDBOX_LINUX_SERVICES_LINUX_SYSCALLS_H_
#define SANDBOX_LINUX_SERVICES_LINUX_SYSCALLS_H_
#if defined(__x86_64__)
#include "x86_64_linux_syscalls.h"
#endif
#if defined(__i386__)
#include "x86_32_linux_syscalls.h"
#endif
#if defined(__arm__) && defined(__ARM_EABI__)
#include "arm_linux_syscalls.h"
#endif
#endif // SANDBOX_LINUX_SERVICES_LINUX_SYSCALLS_H_

16
security/sandbox/moz.build
View File

@ -1,16 +0,0 @@
# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
# vim: set filetype=python:
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
MODULE = 'sandbox'
EXPORTS.mozilla += [
'Sandbox.h',
]
CPP_SOURCES += [
'Sandbox.cpp',
]

88
security/sandbox/seccomp_filter.h
View File

@ -1,88 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include "linux_seccomp.h"
#include "linux_syscalls.h"
/* This is the actual seccomp whitelist.
* This is used for B2G content-processes.
*/
/* Architecture specific syscalls, required to function on ARM */
#ifdef ALLOW_ARM_SYSCALL
#define SECCOMP_WHITELIST_ADD \
ALLOW_ARM_SYSCALL(breakpoint), \
ALLOW_ARM_SYSCALL(cacheflush), \
ALLOW_ARM_SYSCALL(usr26), \
ALLOW_ARM_SYSCALL(usr32), \
ALLOW_ARM_SYSCALL(set_tls),
#else
#define SECCOMP_WHITELIST_ADD
#endif
/* Most used system calls should be at the top of the whitelist
* for performance reasons. The whitelist BPF filter exits after
* processing any ALLOW_SYSCALL macro.
*
* How are those syscalls found?
* 1) via strace -p <child pid> or/and
* 2) with MOZ_CONTENT_SANDBOX_REPORTER set, the child will report which system call
* has been denied by seccomp-bpf, just before exiting, via NSPR.
* System call number to name mapping is found in:
* bionic/libc/kernel/arch-arm/asm/unistd.h
* or your libc's unistd.h/kernel headers.
*
* Current list order has been optimized through manual guess-work.
* It could be further optimized by analyzing the output of:
* 'strace -c -p <child pid>' for most used web apps.
*/
#define SECCOMP_WHITELIST \
/* These are calls we're ok to allow */ \
ALLOW_SYSCALL(recv), \
ALLOW_SYSCALL(msgget), \
ALLOW_SYSCALL(semget), \
ALLOW_SYSCALL(read), \
ALLOW_SYSCALL(write), \
ALLOW_SYSCALL(brk), \
/* ioctl() is for GL. Remove when GL proxy is implemented.
* Additionally ioctl() might be a place where we want to have
* argument filtering */ \
ALLOW_SYSCALL(ioctl), \
ALLOW_SYSCALL(writev), \
ALLOW_SYSCALL(close), \
ALLOW_SYSCALL(clone), \
ALLOW_SYSCALL(clock_gettime), \
ALLOW_SYSCALL(lseek), \
ALLOW_SYSCALL(_llseek), \
ALLOW_SYSCALL(gettimeofday), \
ALLOW_SYSCALL(getpid), \
ALLOW_SYSCALL(gettid), \
ALLOW_SYSCALL(getrusage), \
ALLOW_SYSCALL(madvise), \
ALLOW_SYSCALL(rt_sigreturn), \
ALLOW_SYSCALL(sigreturn), \
ALLOW_SYSCALL(epoll_wait), \
ALLOW_SYSCALL(futex), \
ALLOW_SYSCALL(fcntl64), \
ALLOW_SYSCALL(munmap), \
ALLOW_SYSCALL(mmap2), \
ALLOW_SYSCALL(mprotect), \
/* Must remove all of the following in the future, when no longer used */ \
/* open() is for some legacy APIs such as font loading. */ \
ALLOW_SYSCALL(open), \
ALLOW_SYSCALL(fstat64), \
ALLOW_SYSCALL(stat64), \
ALLOW_SYSCALL(prctl), \
ALLOW_SYSCALL(access), \
ALLOW_SYSCALL(getdents64), \
/* Should remove all of the following in the future, if possible */ \
ALLOW_SYSCALL(getpriority), \
ALLOW_SYSCALL(setpriority), \
ALLOW_SYSCALL(sigprocmask), \
/* Always last and always OK calls */ \
SECCOMP_WHITELIST_ADD \
ALLOW_SYSCALL(exit_group), \
ALLOW_SYSCALL(exit)

1402
security/sandbox/x86_32_linux_syscalls.h
View File

File diff suppressed because it is too large Load Diff

1270
security/sandbox/x86_64_linux_syscalls.h
View File

File diff suppressed because it is too large Load Diff

1
toolkit/content/license.html
View File

@ -1068,7 +1068,6 @@ WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
<h1><a id="chromium"></a>Chromium License</h1>
<p>This license applies to parts of the code in
<span class="path">security/sandbox/</span>,
<span class="path">editor/libeditor/base/nsEditorEventListener.cpp</span>,
<span class="path">widget/cocoa/GfxInfo.mm</span>
and also some files in the directories

4
toolkit/library/Makefile.in
View File

@ -93,10 +93,6 @@ STATIC_LIBS += \
dombindings_s \
$(NULL)
ifdef MOZ_CONTENT_SANDBOX #{
STATIC_LIBS += sandbox_s
endif #}
ifdef MOZ_B2G_RIL #{
STATIC_LIBS += mozril_s
endif #}

3
toolkit/toolkit.mozbuild
View File

@ -17,9 +17,6 @@ if not CONFIG['MOZ_NATIVE_NSS']:
include('/config/js/js.mozbuild')
if CONFIG['MOZ_CONTENT_SANDBOX']:
add_tier_dir('sandbox', 'security/sandbox')
# the signing related bits of libmar depend on nss
if CONFIG['MOZ_UPDATER']:
add_tier_dir('platform', 'modules/libmar')