This also removes turning off optimization for the Load function. That was an
attempt to fix the side-by-side loading. It may also have helped with ensuring
that the memsets were not optimized, but that has been fixed by Bug 1208892.
Bonus fix: don't start the chroot helper unless we're going to use
it. For this to matter, you'd need a system with unprivileged user
namespaces but no seccomp-bpf (or fake it with env vars) *and* to set
media.gmp.insecure.allow, so this is more to set a good example for
future changes to this code than for functional reasons.
The patch removes 455 occurrences of FAIL_ON_WARNINGS from moz.build files, and
adds 78 instances of ALLOW_COMPILER_WARNINGS. About half of those 78 are in
code we control and which should be removable with a little effort.
This also moves the initialization of the sandbox TargetServices to earlier in
plugin-container.cpp content_process_main, because it needs to happen before
xul.dll loads.
This gives us a logging macro that's safe to use in async signal context
(cf. bug 1046210, where we needed this and didn't have it).
This patch also changes one of the format strings to work with
SafeSPrintf's format string dialect; upstream would probably take a
patch to handle those letters, but this is easier.
This also imports the unit tests but doesn't arrange to run them.
Including the tests in our xul-gtest is possible but not trivial: there
are logging dependencies, and they use a different #include path for
gtest.h (which we'd need to patch).
Upstream revision: df7cc6c04725630dd4460f29d858a77507343b24.
This gives us a logging macro that's safe to use in async signal context
(cf. bug 1046210, where we needed this and didn't have it).
This patch also changes one of the format strings to work with
SafeSPrintf's format string dialect; upstream would probably take a
patch to handle those letters, but this is easier.
This does not include the upstream unit tests. Including the tests
in our xul-gtest is possible but not trivial: there are logging
dependencies, and they use a different #include path for gtest.h (which
we'd need to patch).
Upstream revision: df7cc6c04725630dd4460f29d858a77507343b24.
We can now keep the part of the policy implemented by upcalls to
userspace in the same place as the part of the policy that's handled
entirely in the kernel. This will become more useful in the future
(e.g., bug 930258).
This is more complicated than I'd like it to be, because we don't have
a good way to combine a specific trap function's knowledge that we want
to get a crash dump with the SIGSYS handler's copy of the unprocessed
signal info (which breakpad wants). The bpf_dsl interface requires a
specific trap function type (via the TrapRegistry superclass), so even
if we implement our own registry we can't change what's passed to it.
Normally we could use thread-local storage to get around that, but it's
not async signal safe.
As a result there is an imperfect compromise: the trap function returns
a failure with ENOSYS, Chromium's SIGSYS handler writes it into the
context, our SIGSYS handler reads it back out and uses a copy of
the original signal context for the crash dump. Other error codes
(and returning ENOSYS via the seccomp-bpf policy itself) are handled
normally.
This completely rewrites SandboxFilter.cpp and removes SandboxAssembler.
System calls are now loosely grouped by what they do, now that order
doesn't matter, and most of the intersection the content and media
plugin whitelists is moved into a common superclass. Hopefully this
improves the readability and comprehensibility of the syscall policies.
Also, the macros that take the syscall name are gone, because a plain
case label usually suffices now (the CASES_FOR_thing macros are a little
unsightly, but they're relatively simple), and at one point we saw
strange macro expansion issues with system header files that #define'd
some syscall names.
The signal handling is not migrated yet, so Trap() actions can't be used
yet; the next patch will take care of that, and to keep the intermediate
state working there's a minimal shim.
Bonus fix: non-const global variables use the "g" prefix; "s" is for
static class members and static variables in a function (where the
default is to allocate a separate copy per instance/activation).
