mirror of
https://gitlab.winehq.org/wine/wine-gecko.git
synced 2024-09-13 09:24:08 -07:00
Backout changeset 9a57f0f347e3 for insufficient review.
This commit is contained in:
parent
924122577c
commit
f9ca076cae
@ -1,7 +1,4 @@
|
||||
toolkit/library
|
||||
dom
|
||||
ipc
|
||||
security/sandbox
|
||||
ipc
|
||||
netwerk/build
|
||||
netwerk
|
||||
|
28
configure.in
28
configure.in
@ -4213,8 +4213,6 @@ MOZ_TIME_MANAGER=
|
||||
MOZ_PAY=
|
||||
MOZ_AUDIO_CHANNEL_MANAGER=
|
||||
NSS_NO_LIBPKIX=
|
||||
MOZ_CONTENT_SANDBOX=
|
||||
MOZ_CONTENT_SANDBOX_REPORTER=
|
||||
|
||||
case "$target_os" in
|
||||
mingw*)
|
||||
@ -6498,32 +6496,6 @@ if test -n "$NSS_NO_LIBPKIX"; then
|
||||
fi
|
||||
AC_SUBST(NSS_NO_LIBPKIX)
|
||||
|
||||
dnl ========================================================
|
||||
dnl = Content process sandboxing
|
||||
dnl ========================================================
|
||||
if test -n "$gonkdir"; then
|
||||
MOZ_CONTENT_SANDBOX=1
|
||||
fi
|
||||
|
||||
MOZ_ARG_ENABLE_BOOL(content-sandbox,
|
||||
[ --enable-content-sandbox Enable sandboxing support for content-processes],
|
||||
MOZ_CONTENT_SANDBOX=1)
|
||||
|
||||
if test -n "$MOZ_CONTENT_SANDBOX"; then
|
||||
AC_DEFINE(MOZ_CONTENT_SANDBOX)
|
||||
fi
|
||||
|
||||
AC_SUBST(MOZ_CONTENT_SANDBOX)
|
||||
|
||||
MOZ_ARG_ENABLE_BOOL(content-sandbox-reporter,
|
||||
[ --enable-content-sandbox-reporter Enable syscall reporter to troubleshoot syscalls denied by the content-processes sandbox],
|
||||
MOZ_CONTENT_SANDBOX_REPORTER=1)
|
||||
|
||||
if test -n "$MOZ_CONTENT_SANDBOX_REPORTER"; then
|
||||
AC_DEFINE(MOZ_CONTENT_SANDBOX_REPORTER)
|
||||
fi
|
||||
|
||||
AC_SUBST(MOZ_CONTENT_SANDBOX_REPORTER)
|
||||
|
||||
dnl ========================================================
|
||||
dnl =
|
||||
|
@ -30,9 +30,6 @@
|
||||
#include "mozilla/layers/PCompositorChild.h"
|
||||
#include "mozilla/net/NeckoChild.h"
|
||||
#include "mozilla/Preferences.h"
|
||||
#ifdef MOZ_CONTENT_SANDBOX
|
||||
#include "mozilla/Sandbox.h"
|
||||
#endif
|
||||
#include "mozilla/unused.h"
|
||||
|
||||
#include "nsIMemoryReporter.h"
|
||||
@ -549,13 +546,6 @@ ContentChild::RecvSetProcessPrivileges(const ChildPrivileges& aPrivs)
|
||||
aPrivs;
|
||||
// If this fails, we die.
|
||||
SetCurrentProcessPrivileges(privs);
|
||||
#ifdef MOZ_CONTENT_SANDBOX
|
||||
// SetCurrentProcessSandbox should be moved close to process initialization
|
||||
// time if/when possible. SetCurrentProcessPrivileges should probably be
|
||||
// moved as well. Right now this is set ONLY if we receive the
|
||||
// RecvSetProcessPrivileges message. See bug 880808.
|
||||
SetCurrentProcessSandbox();
|
||||
#endif
|
||||
return true;
|
||||
}
|
||||
|
||||
|
@ -1,27 +0,0 @@
|
||||
// Copyright (c) 2013 The Chromium Authors. All rights reserved.
|
||||
//
|
||||
// Redistribution and use in source and binary forms, with or without
|
||||
// modification, are permitted provided that the following conditions are
|
||||
// met:
|
||||
//
|
||||
// * Redistributions of source code must retain the above copyright
|
||||
// notice, this list of conditions and the following disclaimer.
|
||||
// * Redistributions in binary form must reproduce the above
|
||||
// copyright notice, this list of conditions and the following disclaimer
|
||||
// in the documentation and/or other materials provided with the
|
||||
// distribution.
|
||||
// * Neither the name of Google Inc. nor the names of its
|
||||
// contributors may be used to endorse or promote products derived from
|
||||
// this software without specific prior written permission.
|
||||
//
|
||||
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
@ -1,20 +0,0 @@
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
DEPTH = @DEPTH@
|
||||
topsrcdir = @top_srcdir@
|
||||
srcdir = @srcdir@
|
||||
VPATH = @srcdir@
|
||||
|
||||
include $(DEPTH)/config/autoconf.mk
|
||||
|
||||
LIBRARY_NAME = sandbox_s
|
||||
LIBXUL_LIBRARY = 1
|
||||
EXPORT_LIBRARY = 1
|
||||
FAIL_ON_WARNINGS = 1
|
||||
|
||||
include $(topsrcdir)/config/config.mk
|
||||
include $(topsrcdir)/ipc/chromium/chromium-config.mk
|
||||
include $(topsrcdir)/config/rules.mk
|
||||
|
@ -1,182 +0,0 @@
|
||||
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
||||
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
||||
* You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include <unistd.h>
|
||||
#include <stdio.h>
|
||||
#include <sys/ptrace.h>
|
||||
#include <signal.h>
|
||||
|
||||
#include "mozilla/Util.h"
|
||||
#if defined(ANDROID)
|
||||
#include "android_ucontext.h"
|
||||
#endif
|
||||
#include "seccomp_filter.h"
|
||||
|
||||
#include "linux_seccomp.h"
|
||||
#ifdef MOZ_LOGGING
|
||||
#define FORCE_PR_LOG 1
|
||||
#endif
|
||||
#include "prlog.h"
|
||||
|
||||
namespace mozilla {
|
||||
#ifdef PR_LOGGING
|
||||
static PRLogModuleInfo* gSeccompSandboxLog;
|
||||
#endif
|
||||
|
||||
struct sock_filter seccomp_filter[] = {
|
||||
VALIDATE_ARCHITECTURE,
|
||||
EXAMINE_SYSCALL,
|
||||
SECCOMP_WHITELIST,
|
||||
#ifdef MOZ_CONTENT_SANDBOX_REPORTER
|
||||
TRAP_PROCESS,
|
||||
#else
|
||||
KILL_PROCESS,
|
||||
#endif
|
||||
};
|
||||
|
||||
struct sock_fprog seccomp_prog = {
|
||||
len: (unsigned short)MOZ_ARRAY_LENGTH(seccomp_filter),
|
||||
filter: seccomp_filter,
|
||||
};
|
||||
|
||||
/**
|
||||
* This is the SIGSYS handler function. It is used to report to the user
|
||||
* which system call has been denied by Seccomp.
|
||||
* This function also makes the process exit as denying the system call
|
||||
* will otherwise generally lead to unexpected behavior from the process,
|
||||
* since we don't know if all functions will handle such denials gracefully.
|
||||
*
|
||||
* @see InstallSyscallReporter() function.
|
||||
*/
|
||||
#ifdef MOZ_CONTENT_SANDBOX_REPORTER
|
||||
static void
|
||||
Reporter(int nr, siginfo_t *info, void *void_context)
|
||||
{
|
||||
ucontext_t *ctx = static_cast<ucontext_t*>(void_context);
|
||||
unsigned int syscall, arg1;
|
||||
|
||||
if (nr != SIGSYS) {
|
||||
return;
|
||||
}
|
||||
if (info->si_code != SYS_SECCOMP) {
|
||||
return;
|
||||
}
|
||||
if (!ctx) {
|
||||
return;
|
||||
}
|
||||
|
||||
syscall = SECCOMP_SYSCALL(ctx);
|
||||
arg1 = SECCOMP_PARM1(ctx);
|
||||
|
||||
PR_LOG(gSeccompSandboxLog, PR_LOG_ERROR, ("PID %u is missing syscall %u, arg1 %u\n", getpid(), syscall, arg1));
|
||||
|
||||
_exit(127);
|
||||
}
|
||||
|
||||
/**
|
||||
* The reporter is called when the process receives a SIGSYS signal.
|
||||
* The signal is sent by the kernel when Seccomp encounter a system call
|
||||
* that has not been allowed.
|
||||
* We register an action for that signal (calling the Reporter function).
|
||||
*
|
||||
* This function should not be used in production and thus generally be
|
||||
* called from debug code. In production, the process is directly killed.
|
||||
* For this reason, the function is ifdef'd, as there is no reason to
|
||||
* compile it while unused.
|
||||
*
|
||||
* @return 0 on success, -1 on failure.
|
||||
* @see Reporter() function.
|
||||
*/
|
||||
static int
|
||||
InstallSyscallReporter(void)
|
||||
{
|
||||
struct sigaction act;
|
||||
sigset_t mask;
|
||||
memset(&act, 0, sizeof(act));
|
||||
sigemptyset(&mask);
|
||||
sigaddset(&mask, SIGSYS);
|
||||
|
||||
act.sa_sigaction = &Reporter;
|
||||
act.sa_flags = SA_SIGINFO | SA_NODEFER;
|
||||
if (sigaction(SIGSYS, &act, NULL) < 0) {
|
||||
return -1;
|
||||
}
|
||||
if (sigemptyset(&mask) ||
|
||||
sigaddset(&mask, SIGSYS) ||
|
||||
sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
/**
|
||||
* This function installs the syscall filter, a.k.a. seccomp.
|
||||
* PR_SET_NO_NEW_PRIVS ensures that it is impossible to grant more
|
||||
* syscalls to the process beyond this point (even after fork()).
|
||||
* SECCOMP_MODE_FILTER is the "bpf" mode of seccomp which allows
|
||||
* to pass a bpf program (in our case, it contains a syscall
|
||||
* whitelist).
|
||||
*
|
||||
* @return 0 on success, 1 on failure.
|
||||
* @see sock_fprog (the seccomp_prog).
|
||||
*/
|
||||
static int
|
||||
InstallSyscallFilter(void)
|
||||
{
|
||||
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &seccomp_prog, 0, 0)) {
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Starts the seccomp sandbox for this process.
|
||||
* Generally called just after SetCurrentProcessPrivileges.
|
||||
* Should be called only once, and before any potentially harmful content is loaded.
|
||||
*
|
||||
* Should normally make the process exit on failure.
|
||||
*/
|
||||
void
|
||||
SetCurrentProcessSandbox(void)
|
||||
{
|
||||
#ifdef PR_LOGGING
|
||||
if (!gSeccompSandboxLog) {
|
||||
gSeccompSandboxLog = PR_NewLogModule("SeccompSandbox");
|
||||
}
|
||||
PR_ASSERT(gSeccompSandboxLog);
|
||||
#endif
|
||||
|
||||
#ifdef MOZ_CONTENT_SANDBOX_REPORTER
|
||||
if (InstallSyscallReporter()) {
|
||||
PR_LOG(gSeccompSandboxLog, PR_LOG_ERROR, ("install_syscall_reporter() failed\n"));
|
||||
/* This is disabled so that we do not exit if seccomp-bpf is not available
|
||||
* This will be re-enabled when all B2G devices are required to support seccomp-bpf
|
||||
* See bug 880797 for reversal
|
||||
*/
|
||||
|
||||
/* _exit(127); */
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
if (InstallSyscallFilter()) {
|
||||
PR_LOG(gSeccompSandboxLog, PR_LOG_ERROR, ("install_syscall_filter() failed\n"));
|
||||
/* This is disabled so that we do not exit if seccomp-bpf is not available
|
||||
* This will be re-enabled when all B2G devices are required to support seccomp-bpf
|
||||
* See bug 880797 for reversal
|
||||
*/
|
||||
|
||||
/* _exit(127); */
|
||||
}
|
||||
|
||||
}
|
||||
} // namespace mozilla
|
||||
|
@ -1,17 +0,0 @@
|
||||
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
||||
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
||||
* You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#ifndef mozilla_Sandbox_h
|
||||
#define mozilla_Sandbox_h
|
||||
|
||||
namespace mozilla {
|
||||
|
||||
void SetCurrentProcessSandbox(void);
|
||||
|
||||
} // namespace mozilla
|
||||
|
||||
#endif // mozilla_Sandbox_h
|
||||
|
@ -1,36 +0,0 @@
|
||||
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
/* This file has been imported from
|
||||
* http://git.chromium.org/gitweb/?p=chromium.git;a=blob;f=sandbox/linux/services/android_arm_ucontext.h;hb=99b3e83972e478a42fa72da1ffefee58413e87d4
|
||||
*/
|
||||
|
||||
#ifndef SANDBOX_LINUX_SERVICES_ANDROID_ARM_UCONTEXT_H_
|
||||
#define SANDBOX_LINUX_SERVICES_ANDROID_ARM_UCONTEXT_H_
|
||||
|
||||
#if !defined(__BIONIC_HAVE_UCONTEXT_T)
|
||||
#include <asm/sigcontext.h>
|
||||
|
||||
// We also need greg_t for the sandbox, include it in this header as well.
|
||||
typedef unsigned long greg_t;
|
||||
|
||||
//typedef unsigned long sigset_t;
|
||||
typedef struct ucontext {
|
||||
unsigned long uc_flags;
|
||||
struct ucontext *uc_link;
|
||||
stack_t uc_stack;
|
||||
struct sigcontext uc_mcontext;
|
||||
sigset_t uc_sigmask;
|
||||
/* Allow for uc_sigmask growth. Glibc uses a 1024-bit sigset_t. */
|
||||
int __not_used[32 - (sizeof (sigset_t) / sizeof (int))];
|
||||
/* Last for extensibility. Eight byte aligned because some
|
||||
coprocessors require eight byte alignment. */
|
||||
unsigned long uc_regspace[128] __attribute__((__aligned__(8)));
|
||||
} ucontext_t;
|
||||
|
||||
#else
|
||||
#include <sys/ucontext.h>
|
||||
#endif // __BIONIC_HAVE_UCONTEXT_T
|
||||
|
||||
#endif // SANDBOX_LINUX_SERVICES_ANDROID_ARM_UCONTEXT_H_
|
@ -1,83 +0,0 @@
|
||||
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
/* This file has been imported from
|
||||
* http://git.chromium.org/gitweb/?p=chromium.git;a=blob;f=sandbox/linux/services/android_i386_ucontext.h;hb=99b3e83972e478a42fa72da1ffefee58413e87d4
|
||||
*/
|
||||
|
||||
#ifndef SANDBOX_LINUX_SERVICES_ANDROID_I386_UCONTEXT_H_
|
||||
#define SANDBOX_LINUX_SERVICES_ANDROID_I386_UCONTEXT_H_
|
||||
|
||||
// We do something compatible with glibc. Hopefully, at some point Android will
|
||||
// provide that for us, and __BIONIC_HAVE_UCONTEXT_T should be defined.
|
||||
// This is mostly copied from breakpad (common/android/include/sys/ucontext.h),
|
||||
// except we do use sigset_t for uc_sigmask instead of a custom type.
|
||||
|
||||
#if !defined(__BIONIC_HAVE_UCONTEXT_T)
|
||||
#include <asm/sigcontext.h>
|
||||
|
||||
/* 80-bit floating-point register */
|
||||
struct _libc_fpreg {
|
||||
unsigned short significand[4];
|
||||
unsigned short exponent;
|
||||
};
|
||||
|
||||
/* Simple floating-point state, see FNSTENV instruction */
|
||||
struct _libc_fpstate {
|
||||
unsigned long cw;
|
||||
unsigned long sw;
|
||||
unsigned long tag;
|
||||
unsigned long ipoff;
|
||||
unsigned long cssel;
|
||||
unsigned long dataoff;
|
||||
unsigned long datasel;
|
||||
struct _libc_fpreg _st[8];
|
||||
unsigned long status;
|
||||
};
|
||||
|
||||
typedef uint32_t greg_t;
|
||||
|
||||
typedef struct {
|
||||
uint32_t gregs[19];
|
||||
struct _libc_fpstate* fpregs;
|
||||
uint32_t oldmask;
|
||||
uint32_t cr2;
|
||||
} mcontext_t;
|
||||
|
||||
enum {
|
||||
REG_GS = 0,
|
||||
REG_FS,
|
||||
REG_ES,
|
||||
REG_DS,
|
||||
REG_EDI,
|
||||
REG_ESI,
|
||||
REG_EBP,
|
||||
REG_ESP,
|
||||
REG_EBX,
|
||||
REG_EDX,
|
||||
REG_ECX,
|
||||
REG_EAX,
|
||||
REG_TRAPNO,
|
||||
REG_ERR,
|
||||
REG_EIP,
|
||||
REG_CS,
|
||||
REG_EFL,
|
||||
REG_UESP,
|
||||
REG_SS,
|
||||
};
|
||||
|
||||
typedef struct ucontext {
|
||||
uint32_t uc_flags;
|
||||
struct ucontext* uc_link;
|
||||
stack_t uc_stack;
|
||||
mcontext_t uc_mcontext;
|
||||
sigset_t uc_sigmask;
|
||||
struct _libc_fpstate __fpregs_mem;
|
||||
} ucontext_t;
|
||||
|
||||
#else
|
||||
#include <sys/ucontext.h>
|
||||
#endif // __BIONIC_HAVE_UCONTEXT_T
|
||||
|
||||
#endif // SANDBOX_LINUX_SERVICES_ANDROID_I386_UCONTEXT_H_
|
@ -1,26 +0,0 @@
|
||||
// Copyright (c) 2013 The Chromium Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
/* This file has been imported from
|
||||
* http://git.chromium.org/gitweb/?p=chromium.git;a=blob_plain;f=sandbox/linux/services/android_ucontext.h;hb=99b3e83972e478a42fa72da1ffefee58413e87d4
|
||||
*/
|
||||
|
||||
#ifndef SANDBOX_LINUX_SERVICES_ANDROID_UCONTEXT_H_
|
||||
#define SANDBOX_LINUX_SERVICES_ANDROID_UCONTEXT_H_
|
||||
|
||||
#if defined(__ANDROID__)
|
||||
|
||||
#if defined(__arm__)
|
||||
#include "android_arm_ucontext.h"
|
||||
#elif defined(__i386__)
|
||||
#include "android_i386_ucontext.h"
|
||||
#else
|
||||
#error "No support for your architecture in Android header"
|
||||
#endif
|
||||
|
||||
#else // __ANDROID__
|
||||
#error "Android header file included on non Android."
|
||||
#endif // __ANDROID__
|
||||
|
||||
#endif // SANDBOX_LINUX_SERVICES_ANDROID_UCONTEXT_H_
|
File diff suppressed because it is too large
Load Diff
@ -1,263 +0,0 @@
|
||||
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
/* This file has been initially imported from
|
||||
* http://git.chromium.org/gitweb/?p=chromium.git;a=blob;f=sandbox/linux/seccomp-bpf/linux_seccomp.h;h=0de0259da39ecdb745e5923b9a6ff3961c13be00;hb=2362c9abea79cae475921bdeee58f9e3910d211c
|
||||
*
|
||||
* Contains code for macro for common filters from:
|
||||
* http://outflux.net/teach-seccomp/step-5/seccomp-bpf.h
|
||||
*
|
||||
* Contains code for arch_seccomp_data and arch_sigsys from:
|
||||
* http://git.chromium.org/gitweb/?p=chromium.git;a=blob;f=sandbox/linux/seccomp-bpf/sandbox_bpf.h;h=3d269916070c97b8be8938503b9b799f12d79ca6;hb=2362c9abea79cae475921bdeee58f9e3910d211c
|
||||
*
|
||||
* For more information about Seccomp, see also:
|
||||
* Documentation/prctl/seccomp_filter.txt and
|
||||
* samples/seccomp in the Linux kernel directory, for any kernel >= 3.5.0.
|
||||
*/
|
||||
|
||||
#ifndef SANDBOX_LINUX_SECCOMP_BPF_LINUX_SECCOMP_H__
|
||||
#define SANDBOX_LINUX_SECCOMP_BPF_LINUX_SECCOMP_H__
|
||||
|
||||
struct arch_seccomp_data {
|
||||
int nr;
|
||||
uint32_t arch;
|
||||
uint64_t instruction_pointer;
|
||||
uint64_t args[6];
|
||||
};
|
||||
|
||||
struct arch_sigsys {
|
||||
void *ip;
|
||||
int nr;
|
||||
unsigned int arch;
|
||||
};
|
||||
|
||||
// The Seccomp2 kernel ABI is not part of older versions of glibc.
|
||||
// As we can't break compilation with these versions of the library,
|
||||
// we explicitly define all missing symbols.
|
||||
// If we ever decide that we can now rely on system headers, the following
|
||||
// include files should be enabled:
|
||||
// #include <linux/audit.h>
|
||||
// #include <linux/seccomp.h>
|
||||
|
||||
#include <asm/unistd.h>
|
||||
#include <linux/filter.h>
|
||||
|
||||
// From <linux/elf.h> and <linux/audit.h>
|
||||
// This is necessary as we can't expect recent audit headers.
|
||||
#ifndef EM_ARM
|
||||
#define EM_ARM 40
|
||||
#endif
|
||||
#ifndef EM_386
|
||||
#define EM_386 3
|
||||
#endif
|
||||
#ifndef EM_X86_64
|
||||
#define EM_X86_64 62
|
||||
#endif
|
||||
|
||||
#ifndef __AUDIT_ARCH_64BIT
|
||||
#define __AUDIT_ARCH_64BIT 0x80000000
|
||||
#endif
|
||||
#ifndef __AUDIT_ARCH_LE
|
||||
#define __AUDIT_ARCH_LE 0x40000000
|
||||
#endif
|
||||
#ifndef AUDIT_ARCH_ARM
|
||||
#define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
|
||||
#endif
|
||||
#ifndef AUDIT_ARCH_I386
|
||||
#define AUDIT_ARCH_I386 (EM_386|__AUDIT_ARCH_LE)
|
||||
#endif
|
||||
#ifndef AUDIT_ARCH_X86_64
|
||||
#define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
|
||||
#endif
|
||||
|
||||
// From <linux/prctl.h>
|
||||
// This is necessary as we can't expect recent prctl headers.
|
||||
#ifndef PR_SET_SECCOMP
|
||||
#define PR_SET_SECCOMP 22
|
||||
#define PR_GET_SECCOMP 21
|
||||
#endif
|
||||
#ifndef PR_SET_NO_NEW_PRIVS
|
||||
#define PR_SET_NO_NEW_PRIVS 38
|
||||
#define PR_GET_NO_NEW_PRIVS 39
|
||||
#endif
|
||||
#ifndef IPC_64
|
||||
#define IPC_64 0x0100
|
||||
#endif
|
||||
|
||||
#ifndef BPF_MOD
|
||||
#define BPF_MOD 0x90
|
||||
#endif
|
||||
#ifndef BPF_XOR
|
||||
#define BPF_XOR 0xA0
|
||||
#endif
|
||||
|
||||
// From <linux/seccomp.h>
|
||||
// This is necessary as we can't expect recent seccomp headers.
|
||||
#ifndef SECCOMP_MODE_FILTER
|
||||
#define SECCOMP_MODE_DISABLED 0
|
||||
#define SECCOMP_MODE_STRICT 1
|
||||
#define SECCOMP_MODE_FILTER 2 // User user-supplied filter (seccomp-bpf)
|
||||
#endif
|
||||
|
||||
#ifndef SECCOMP_RET_KILL
|
||||
// Return values supported for BPF filter programs. Please note that the
|
||||
// "illegal" SECCOMP_RET_INVALID is not supported by the kernel, should only
|
||||
// ever be used internally, and would result in the kernel killing our process.
|
||||
#define SECCOMP_RET_KILL 0x00000000U // Kill the task immediately
|
||||
#define SECCOMP_RET_INVALID 0x00010000U // Illegal return value
|
||||
#define SECCOMP_RET_TRAP 0x00030000U // Disallow and force a SIGSYS
|
||||
#define SECCOMP_RET_ERRNO 0x00050000U // Returns an errno
|
||||
#define SECCOMP_RET_TRACE 0x7ff00000U // Pass to a tracer or disallow
|
||||
#define SECCOMP_RET_ALLOW 0x7fff0000U // Allow
|
||||
#define SECCOMP_RET_ACTION 0xffff0000U // Masks for the return value
|
||||
#define SECCOMP_RET_DATA 0x0000ffffU // sections
|
||||
#else
|
||||
#define SECCOMP_RET_INVALID 0x00010000U // Illegal return value
|
||||
#endif
|
||||
|
||||
#ifndef SYS_SECCOMP
|
||||
#define SYS_SECCOMP 1
|
||||
#endif
|
||||
|
||||
// Impose some reasonable maximum BPF program size. Realistically, the
|
||||
// kernel probably has much lower limits. But by limiting to less than
|
||||
// 30 bits, we can ease requirements on some of our data types.
|
||||
#define SECCOMP_MAX_PROGRAM_SIZE (1<<30)
|
||||
|
||||
#if defined(__i386__)
|
||||
#define MIN_SYSCALL 0u
|
||||
#define MAX_PUBLIC_SYSCALL 1024u
|
||||
#define MAX_SYSCALL MAX_PUBLIC_SYSCALL
|
||||
#define SECCOMP_ARCH AUDIT_ARCH_I386
|
||||
|
||||
#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
|
||||
#define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, REG_EAX)
|
||||
#define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, REG_EAX)
|
||||
#define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, REG_EIP)
|
||||
#define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, REG_EBX)
|
||||
#define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, REG_ECX)
|
||||
#define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, REG_EDX)
|
||||
#define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, REG_ESI)
|
||||
#define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, REG_EDI)
|
||||
#define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, REG_EBP)
|
||||
#define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
|
||||
#define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
|
||||
#define SECCOMP_IP_MSB_IDX (offsetof(struct arch_seccomp_data, \
|
||||
instruction_pointer) + 4)
|
||||
#define SECCOMP_IP_LSB_IDX (offsetof(struct arch_seccomp_data, \
|
||||
instruction_pointer) + 0)
|
||||
#define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
|
||||
8*(nr) + 4)
|
||||
#define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
|
||||
8*(nr) + 0)
|
||||
|
||||
#elif defined(__x86_64__)
|
||||
#define MIN_SYSCALL 0u
|
||||
#define MAX_PUBLIC_SYSCALL 1024u
|
||||
#define MAX_SYSCALL MAX_PUBLIC_SYSCALL
|
||||
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
|
||||
|
||||
#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
|
||||
#define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, REG_RAX)
|
||||
#define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, REG_RAX)
|
||||
#define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, REG_RIP)
|
||||
#define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, REG_RDI)
|
||||
#define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, REG_RSI)
|
||||
#define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, REG_RDX)
|
||||
#define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, REG_R10)
|
||||
#define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, REG_R8)
|
||||
#define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, REG_R9)
|
||||
#define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
|
||||
#define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
|
||||
#define SECCOMP_IP_MSB_IDX (offsetof(struct arch_seccomp_data, \
|
||||
instruction_pointer) + 4)
|
||||
#define SECCOMP_IP_LSB_IDX (offsetof(struct arch_seccomp_data, \
|
||||
instruction_pointer) + 0)
|
||||
#define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
|
||||
8*(nr) + 4)
|
||||
#define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
|
||||
8*(nr) + 0)
|
||||
|
||||
#elif defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))
|
||||
// ARM EABI includes "ARM private" system calls starting at |__ARM_NR_BASE|,
|
||||
// and a "ghost syscall private to the kernel", cmpxchg,
|
||||
// at |__ARM_NR_BASE+0x00fff0|.
|
||||
// See </arch/arm/include/asm/unistd.h> in the Linux kernel.
|
||||
#define MIN_SYSCALL ((unsigned int)__NR_SYSCALL_BASE)
|
||||
#define MAX_PUBLIC_SYSCALL (MIN_SYSCALL + 1024u)
|
||||
#define MIN_PRIVATE_SYSCALL ((unsigned int)__ARM_NR_BASE)
|
||||
#define MAX_PRIVATE_SYSCALL (MIN_PRIVATE_SYSCALL + 16u)
|
||||
#define MIN_GHOST_SYSCALL ((unsigned int)__ARM_NR_BASE + 0xfff0u)
|
||||
#define MAX_SYSCALL (MIN_GHOST_SYSCALL + 4u)
|
||||
|
||||
#define SECCOMP_ARCH AUDIT_ARCH_ARM
|
||||
|
||||
// ARM sigcontext_t is different from i386/x86_64.
|
||||
// See </arch/arm/include/asm/sigcontext.h> in the Linux kernel.
|
||||
#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.arm_##_reg)
|
||||
// ARM EABI syscall convention.
|
||||
#define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, r0)
|
||||
#define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, r7)
|
||||
#define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, pc)
|
||||
#define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, r0)
|
||||
#define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, r1)
|
||||
#define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, r2)
|
||||
#define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, r3)
|
||||
#define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, r4)
|
||||
#define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, r5)
|
||||
#define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
|
||||
#define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
|
||||
#define SECCOMP_IP_MSB_IDX (offsetof(struct arch_seccomp_data, \
|
||||
instruction_pointer) + 4)
|
||||
#define SECCOMP_IP_LSB_IDX (offsetof(struct arch_seccomp_data, \
|
||||
instruction_pointer) + 0)
|
||||
#define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
|
||||
8*(nr) + 4)
|
||||
#define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
|
||||
8*(nr) + 0)
|
||||
|
||||
#else
|
||||
#error Unsupported target platform
|
||||
|
||||
#endif
|
||||
|
||||
/* Macros to common filters */
|
||||
#define VALIDATE_ARCHITECTURE \
|
||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, SECCOMP_ARCH_IDX), \
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_ARCH, 1, 0), \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
|
||||
|
||||
#define EXAMINE_SYSCALL \
|
||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, SECCOMP_NR_IDX)
|
||||
|
||||
#define ALLOW_SYSCALL(name) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
|
||||
|
||||
#if defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))
|
||||
#define ALLOW_ARM_SYSCALL(name) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __ARM_NR_##name, 0, 1), \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
|
||||
#endif
|
||||
|
||||
#define DENY_SYSCALL(name) \
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
|
||||
|
||||
#define KILL_PROCESS \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
|
||||
|
||||
#define TRAP_PROCESS \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
|
||||
|
||||
#define ALLOW_PROCESS \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
|
||||
|
||||
#define TRACE_PROCESS \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRACE)
|
||||
|
||||
#define ERRNO_PROCESS \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO)
|
||||
|
||||
#endif // SANDBOX_LINUX_SECCOMP_BPF_LINUX_SECCOMP_H__
|
@ -1,29 +0,0 @@
|
||||
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
/* This file has been imported from
|
||||
* http://git.chromium.org/gitweb/?p=chromium.git;a=blob_plain;f=sandbox/linux/services/linux_syscalls.h;h=77c1be8b82a0fe4aca308ca40547ebf7a008d24a;hb=2362c9abea79cae475921bdeee58f9e3910d211c
|
||||
*/
|
||||
|
||||
// This header will be kept up to date so that we can compile system-call
|
||||
// policies even when system headers are old.
|
||||
// System call numbers are accessible through __NR_syscall_name.
|
||||
|
||||
#ifndef SANDBOX_LINUX_SERVICES_LINUX_SYSCALLS_H_
|
||||
#define SANDBOX_LINUX_SERVICES_LINUX_SYSCALLS_H_
|
||||
|
||||
#if defined(__x86_64__)
|
||||
#include "x86_64_linux_syscalls.h"
|
||||
#endif
|
||||
|
||||
#if defined(__i386__)
|
||||
#include "x86_32_linux_syscalls.h"
|
||||
#endif
|
||||
|
||||
#if defined(__arm__) && defined(__ARM_EABI__)
|
||||
#include "arm_linux_syscalls.h"
|
||||
#endif
|
||||
|
||||
#endif // SANDBOX_LINUX_SERVICES_LINUX_SYSCALLS_H_
|
||||
|
@ -1,16 +0,0 @@
|
||||
# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
|
||||
# vim: set filetype=python:
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
MODULE = 'sandbox'
|
||||
|
||||
EXPORTS.mozilla += [
|
||||
'Sandbox.h',
|
||||
]
|
||||
|
||||
CPP_SOURCES += [
|
||||
'Sandbox.cpp',
|
||||
]
|
||||
|
@ -1,88 +0,0 @@
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
*/
|
||||
|
||||
#include "linux_seccomp.h"
|
||||
#include "linux_syscalls.h"
|
||||
|
||||
/* This is the actual seccomp whitelist.
|
||||
* This is used for B2G content-processes.
|
||||
*/
|
||||
|
||||
/* Architecture specific syscalls, required to function on ARM */
|
||||
#ifdef ALLOW_ARM_SYSCALL
|
||||
#define SECCOMP_WHITELIST_ADD \
|
||||
ALLOW_ARM_SYSCALL(breakpoint), \
|
||||
ALLOW_ARM_SYSCALL(cacheflush), \
|
||||
ALLOW_ARM_SYSCALL(usr26), \
|
||||
ALLOW_ARM_SYSCALL(usr32), \
|
||||
ALLOW_ARM_SYSCALL(set_tls),
|
||||
#else
|
||||
#define SECCOMP_WHITELIST_ADD
|
||||
#endif
|
||||
|
||||
/* Most used system calls should be at the top of the whitelist
|
||||
* for performance reasons. The whitelist BPF filter exits after
|
||||
* processing any ALLOW_SYSCALL macro.
|
||||
*
|
||||
* How are those syscalls found?
|
||||
* 1) via strace -p <child pid> or/and
|
||||
* 2) with MOZ_CONTENT_SANDBOX_REPORTER set, the child will report which system call
|
||||
* has been denied by seccomp-bpf, just before exiting, via NSPR.
|
||||
* System call number to name mapping is found in:
|
||||
* bionic/libc/kernel/arch-arm/asm/unistd.h
|
||||
* or your libc's unistd.h/kernel headers.
|
||||
*
|
||||
* Current list order has been optimized through manual guess-work.
|
||||
* It could be further optimized by analyzing the output of:
|
||||
* 'strace -c -p <child pid>' for most used web apps.
|
||||
*/
|
||||
#define SECCOMP_WHITELIST \
|
||||
/* These are calls we're ok to allow */ \
|
||||
ALLOW_SYSCALL(recv), \
|
||||
ALLOW_SYSCALL(msgget), \
|
||||
ALLOW_SYSCALL(semget), \
|
||||
ALLOW_SYSCALL(read), \
|
||||
ALLOW_SYSCALL(write), \
|
||||
ALLOW_SYSCALL(brk), \
|
||||
/* ioctl() is for GL. Remove when GL proxy is implemented.
|
||||
* Additionally ioctl() might be a place where we want to have
|
||||
* argument filtering */ \
|
||||
ALLOW_SYSCALL(ioctl), \
|
||||
ALLOW_SYSCALL(writev), \
|
||||
ALLOW_SYSCALL(close), \
|
||||
ALLOW_SYSCALL(clone), \
|
||||
ALLOW_SYSCALL(clock_gettime), \
|
||||
ALLOW_SYSCALL(lseek), \
|
||||
ALLOW_SYSCALL(_llseek), \
|
||||
ALLOW_SYSCALL(gettimeofday), \
|
||||
ALLOW_SYSCALL(getpid), \
|
||||
ALLOW_SYSCALL(gettid), \
|
||||
ALLOW_SYSCALL(getrusage), \
|
||||
ALLOW_SYSCALL(madvise), \
|
||||
ALLOW_SYSCALL(rt_sigreturn), \
|
||||
ALLOW_SYSCALL(sigreturn), \
|
||||
ALLOW_SYSCALL(epoll_wait), \
|
||||
ALLOW_SYSCALL(futex), \
|
||||
ALLOW_SYSCALL(fcntl64), \
|
||||
ALLOW_SYSCALL(munmap), \
|
||||
ALLOW_SYSCALL(mmap2), \
|
||||
ALLOW_SYSCALL(mprotect), \
|
||||
/* Must remove all of the following in the future, when no longer used */ \
|
||||
/* open() is for some legacy APIs such as font loading. */ \
|
||||
ALLOW_SYSCALL(open), \
|
||||
ALLOW_SYSCALL(fstat64), \
|
||||
ALLOW_SYSCALL(stat64), \
|
||||
ALLOW_SYSCALL(prctl), \
|
||||
ALLOW_SYSCALL(access), \
|
||||
ALLOW_SYSCALL(getdents64), \
|
||||
/* Should remove all of the following in the future, if possible */ \
|
||||
ALLOW_SYSCALL(getpriority), \
|
||||
ALLOW_SYSCALL(setpriority), \
|
||||
ALLOW_SYSCALL(sigprocmask), \
|
||||
/* Always last and always OK calls */ \
|
||||
SECCOMP_WHITELIST_ADD \
|
||||
ALLOW_SYSCALL(exit_group), \
|
||||
ALLOW_SYSCALL(exit)
|
||||
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1068,7 +1068,6 @@ WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
<h1><a id="chromium"></a>Chromium License</h1>
|
||||
|
||||
<p>This license applies to parts of the code in
|
||||
<span class="path">security/sandbox/</span>,
|
||||
<span class="path">editor/libeditor/base/nsEditorEventListener.cpp</span>,
|
||||
<span class="path">widget/cocoa/GfxInfo.mm</span>
|
||||
and also some files in the directories
|
||||
|
@ -93,10 +93,6 @@ STATIC_LIBS += \
|
||||
dombindings_s \
|
||||
$(NULL)
|
||||
|
||||
ifdef MOZ_CONTENT_SANDBOX #{
|
||||
STATIC_LIBS += sandbox_s
|
||||
endif #}
|
||||
|
||||
ifdef MOZ_B2G_RIL #{
|
||||
STATIC_LIBS += mozril_s
|
||||
endif #}
|
||||
|
@ -17,9 +17,6 @@ if not CONFIG['MOZ_NATIVE_NSS']:
|
||||
|
||||
include('/config/js/js.mozbuild')
|
||||
|
||||
if CONFIG['MOZ_CONTENT_SANDBOX']:
|
||||
add_tier_dir('sandbox', 'security/sandbox')
|
||||
|
||||
# the signing related bits of libmar depend on nss
|
||||
if CONFIG['MOZ_UPDATER']:
|
||||
add_tier_dir('platform', 'modules/libmar')
|
||||
|
Loading…
Reference in New Issue
Block a user