Commit Graph

37 Commits

Author SHA1 Message Date
Jed Davis
d06bc434b1 Bug 985227 - Part 2: Flatten out the #define maze in the seccomp filter. r=kang 2014-03-20 10:19:42 -04:00
Jed Davis
893f056ba5 Bug 985227 - Part 1: Move the seccomp filter into its own translation unit. r=kang
--HG--
rename : security/sandbox/linux/seccomp_filter.h => security/sandbox/linux/SandboxFilter.cpp
2014-03-20 10:19:42 -04:00
Jed Davis
a8a37995ce Bug 975273 - Add missing include to unbreak desktop seccomp build. r=kang 2014-03-20 09:27:28 -04:00
Guillaume Destuynder
fc8cf73ff1 Bug 983518: Fix running B2G-1.4 on KitKat by whitelisting sigalstack in the sandbox. r=kang r=jld 2014-03-14 18:54:20 -07:00
Vicamo Yang
3bcd1c9eb8 Bug 944625 - B2G Emulator-x86: fix undeclared __NR_sendto, __NR_recvfrom. r=jld,kang 2014-03-13 13:44:43 +09:00
Jed Davis
f8d175ce14 Bug 977859 - Drop uid 0 in all content processes immediately after fork. r=bent r=kang
Now all regular child processes, including preallocated, are deprivileged.
Only Nuwa needs uid 0, because each of its children has a different uid/gid.
2014-03-12 15:48:15 -07:00
Jed Davis
685530a9a5 Bug 979686 - Fix the non-(ARM|x86|x86_64) desktop build. r=kang 2014-03-06 12:23:06 -08:00
Jed Davis
cfaafc654d Bug 946407 - Disable sandbox when DMDing. r=njn r=kang
See also bug 956961.
2014-03-04 18:27:14 -08:00
Jed Davis
b8c81fc6e2 Bug 970676 - Turn on sandboxing on all relevant threads. r=dhylands r=bent f=kang 2014-02-27 13:18:01 -08:00
Jed Davis
1467d9b632 Bug 971128 - Add sched_yield to seccomp whitelist. r=kang 2014-02-22 18:58:59 -08:00
Jed Davis
3027739852 Bug 970562 - Add sched_getscheduler to seccomp whitelist. r=kang 2014-02-22 18:58:59 -08:00
Jed Davis
6549f56f18 Bug 974230 - Adjust sandbox so that socket() simply fails. r=kang
This is a workaround for issues with the SCTP code (bug 969715) and
NSPR's IPv6 support (bug 936320).
2014-02-20 09:35:44 -05:00
Jed Davis
bd5a8731fc Bug 966547 - Switch sipcc from named to anonymous sockets on Unix. r=jesup, r=kang 2014-02-20 09:35:26 -05:00
Jed Davis
cbefd9bed0 Bug 974227 - Allow readlink while sandboxed to work around bug 964455. r=kang 2014-02-19 15:55:42 -05:00
Wes Kocher
ee5da0ab00 Merge m-c to inbound on a CLOSED TREE 2014-02-13 18:50:08 -08:00
Jed Davis
5ea5299c58 Bug 971370 - Fix seccomp whitelist errors caused by strace bug. r=kang 2014-02-13 09:47:16 -05:00
Guillaume Destuynder
cb244dcc84 bug 948620 - Add env variable MOZ_DISABLE_CONTENT_SANDBOX to disable sandbox at runtime. r=jld 2014-02-13 16:26:28 -08:00
Jed Davis
ebe6274bbf Bug 945504 - Include JS stack in sandbox reporter logs. r=kang 2014-02-07 10:46:38 -05:00
Eric Rahm
c1dd0bb669 Bug 969126 - Fix sandbox build for b2g on OS X. r=kang 2014-02-06 16:11:53 -08:00
Jed Davis
230a08b7ab Bug 945498 - Use breakpad to report seccomp violations as crashes. r=ted, r=kang
Upstream issue for breakpad patch: https://breakpad.appspot.com/1114003/
2014-02-05 13:29:51 -05:00
Jed Davis
bbc239ca00 Bug 964427 - Whitelist msync (asm.js cache) and sched_get_priority_m{in,ax} (webrtc). r=kang 2014-01-28 09:04:39 -05:00
Jed Davis
e233c87fdd Bug 960365 - Whitelist uname for nsSystemInfo. r=kang 2014-01-21 15:48:00 -05:00
Jed Davis
81f5ace514 Bug 945330 - Reword and slightly improve sandbox violation log message. r=kang
The main goal is to have a message that unambiguously indicates a crash,
so mozharness can grep for it even if some of the details change later.

Also now includes the entire argument list; most syscalls don't use all
six, so the last few will be meaningless, but it can't hurt to log them.
2014-01-10 08:22:58 -05:00
Ryan VanderMeulen
ca386608b9 Merge b2g-inbound to m-c. 2013-12-09 17:26:11 -05:00
Birunthan Mohanathas
759ab69b0a Bug 713082 - Part 2: Rename Util.h to ArrayUtils.h. r=Waldo
--HG--
rename : mfbt/Util.h => mfbt/ArrayUtils.h
2013-12-08 21:52:54 -05:00
Vicamo Yang
02b63a0803 Bug 944625 - B2G Emulator-x86: fix undeclared __NR_socketpair, __NR_sendmsg. r=kang,jld 2013-12-09 21:02:54 +08:00
Jed Davis
d1ffa9058b Bug 943774 - Allow sigaction when sandboxed, for the crash reporter. r=kang 2013-12-03 18:45:17 -05:00
Ms2ger
f56294acdb Bug 937258 - Part a: Remove empty makefiles; r=gps 2013-11-28 15:25:40 +01:00
Christoph Kerschbaumer
ad08ffe884 Bug 935111 - Enable seccomp-bpf for Linux. r=jld 2013-11-19 16:09:18 -08:00
Mike Hommey
a65383e1e9 Bug 939632 - Remove LIBRARY_NAME for leaf libraries. r=gps
Landing on a CLOSED TREE.
2013-11-19 11:50:54 +09:00
Mike Hommey
8ceb917350 Bug 939074 - Remove most LIBXUL_LIBRARY. rs=gps 2013-11-19 11:48:10 +09:00
Mike Hommey
bb6779efe3 Bug 939044 - Remove most definitions of MODULE. r=mshal 2013-11-19 11:47:39 +09:00
Mike Hommey
d7b6f95761 Bug 935881 - Use FINAL_LIBRARY for all (fake) libraries that end up linked in a single other library. r=gps 2013-11-19 11:47:14 +09:00
Jed Davis
bdf5094b93 Bug 936163 - Fix profiling-specific sandbox whitelist for x86_64. r=kang
There is no sigaction, only rt_sigaction.
2013-11-08 13:30:05 -08:00
Jed Davis
7a807d7a56 Bug 936252 - Augment seccomp whitelist for b2g mochitests. r=kang
FormHistory invokes sqlite3, which calls fsync and geteuid.
A form test calls nsIFile's remove method, which uses lstat.
The crash reporter uses socketpair/sendmsg, to send a pipe back to the parent.
2013-11-11 09:11:43 -05:00
Jed Davis
5b0c9a29cf Bug 936145 - Clean up architecture-specific parts of seccomp whitelist. r=kang 2013-11-08 15:31:20 -05:00
Brian R. Bondy
f0bbd6b4f3 Bug 922756 - Build config for Chromium sandbox. r=bsmedberg
--HG--
rename : security/sandbox/LICENSE => security/sandbox/linux/LICENSE
rename : security/sandbox/Makefile.in => security/sandbox/linux/Makefile.in
rename : security/sandbox/Sandbox.cpp => security/sandbox/linux/Sandbox.cpp
rename : security/sandbox/Sandbox.h => security/sandbox/linux/Sandbox.h
rename : security/sandbox/android_arm_ucontext.h => security/sandbox/linux/android_arm_ucontext.h
rename : security/sandbox/android_i386_ucontext.h => security/sandbox/linux/android_i386_ucontext.h
rename : security/sandbox/android_ucontext.h => security/sandbox/linux/android_ucontext.h
rename : security/sandbox/arm_linux_syscalls.h => security/sandbox/linux/arm_linux_syscalls.h
rename : security/sandbox/linux_seccomp.h => security/sandbox/linux/linux_seccomp.h
rename : security/sandbox/linux_syscalls.h => security/sandbox/linux/linux_syscalls.h
rename : security/sandbox/moz.build => security/sandbox/linux/moz.build
rename : security/sandbox/seccomp_filter.h => security/sandbox/linux/seccomp_filter.h
rename : security/sandbox/x86_32_linux_syscalls.h => security/sandbox/linux/x86_32_linux_syscalls.h
rename : security/sandbox/x86_64_linux_syscalls.h => security/sandbox/linux/x86_64_linux_syscalls.h
2013-10-28 14:54:36 -07:00