searching for reviewer(gcp)
c068d136d7a3ab89937cf54b769f6379b20ff6d8: Bug 1802513 - Allow readlink(/proc/self/exe) in Utility sandbox for FFVPX r=gcp
Alexandre Lissy <lissyx+mozillians@lissyx.dyndns.org> - Wed, 30 Nov 2022 10:10:22 +0000 - rev 644137
Push 174035 by alissy@mozilla.com at Wed, 30 Nov 2022 16:16:54 +0000
Bug 1802513 - Allow readlink(/proc/self/exe) in Utility sandbox for FFVPX r=gcp Differential Revision: https://phabricator.services.mozilla.com/D163227
2dad8bc349e6cad29f20514f011e50f95069f58e: Bug 1799562 - update version of Cylance to blocklist r=gcp
Greg Stoll <gstoll@mozilla.com> - Tue, 22 Nov 2022 12:33:34 +0000 - rev 643200
Push 173476 by gstoll@mozilla.com at Tue, 22 Nov 2022 12:35:56 +0000
Bug 1799562 - update version of Cylance to blocklist r=gcp Differential Revision: https://phabricator.services.mozilla.com/D162693
9832e48a30c5ac6e2a189ab7838249ea6ee6d6fb: Bug 1794064 - Block older crash-prone versions of Avast Antivirus r=gcp
Gabriele Svelto <gsvelto@mozilla.com> - Fri, 07 Oct 2022 13:07:04 +0000 - rev 637218
Push 170758 by gpascutto@mozilla.com at Fri, 07 Oct 2022 13:18:38 +0000
Bug 1794064 - Block older crash-prone versions of Avast Antivirus r=gcp Differential Revision: https://phabricator.services.mozilla.com/D158836
708bd57a7057bd44e25db0cb7bf3aa97ad0a2517: Bug 1790419 - cache BinaryPath value on OpenBSD r=gcp
Landry Breuil <landry@openbsd.org> - Thu, 06 Oct 2022 12:08:57 +0000 - rev 637118
Push 170692 by gpascutto@mozilla.com at Thu, 06 Oct 2022 12:24:29 +0000
Bug 1790419 - cache BinaryPath value on OpenBSD r=gcp Differential Revision: https://phabricator.services.mozilla.com/D157554
5ff886a06c2f0c0b400c91e261ce619603c548ed: Bug 1780312 - Part 2: Allow fstatfs in the Linux RDD sandbox policy. r=gcp
Jed Davis <jld@mozilla.com> - Wed, 21 Sep 2022 17:57:54 +0000 - rev 636017
Push 170139 by jedavis@mozilla.com at Wed, 21 Sep 2022 18:00:21 +0000
Bug 1780312 - Part 2: Allow fstatfs in the Linux RDD sandbox policy. r=gcp As discussed in the last patch, allowing `fstatfs` will also make `statfs` work on any path that the process could open for reading (subject to sandbox policy). Differential Revision: https://phabricator.services.mozilla.com/D157542
42d3c880806e564f35bc80d024861aacddfb760b: Bug 1780312 - Part 1: Move the statfs replacement into the common sandbox policy. r=gcp
Jed Davis <jld@mozilla.com> - Wed, 21 Sep 2022 17:57:54 +0000 - rev 636016
Push 170139 by jedavis@mozilla.com at Wed, 21 Sep 2022 18:00:21 +0000
Bug 1780312 - Part 1: Move the statfs replacement into the common sandbox policy. r=gcp

We have code to handle `statfs` calls in content processes by intercepting them and calling `open` and `fstatfs` instead; the former is then recursively intercepted and brokered. This patch moves that feature into the common policy, but does not allow `fstatfs` in any other sandbox types (yet; see next patch). This doesn't affect security because the caller could have attempted the `open` and `fstatfs` syscalls itself.

Differential Revision: https://phabricator.services.mozilla.com/D157541
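Both Bug 1780312 entries above rest on the same observation: statfs(path) can be rebuilt from open(path) plus fstatfs(fd), so allowing fstatfs reaches only paths the process could already open. The following is an added example that reproduces that substitution outside the sandbox; it is not Firefox's SandboxFilter or file-broker code. It assumes a Linux host (sys/statfs.h); the function names and the constructed missing path are mine.

```c
/* Added example, not Firefox's sandbox code: statfs(path) rebuilt from
 * open(2) + fstatfs(2), the interception the commit describes.
 * Assumes Linux (sys/statfs.h). Function names are illustrative. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/statfs.h>
#include <unistd.h>

/* statfs(2) substitute: returns 0 on success, -1 with errno set.
 * The only path-based step is open(2), so this can report on exactly the
 * paths the caller could have opened for reading anyway; fstatfs on a
 * descriptor the caller already holds reveals nothing new about the tree.
 * That is why a sandbox that brokers open() can allow fstatfs() without
 * widening what the process can learn. */
static int statfs_via_open(const char *path, struct statfs *out) {
    /* O_NOCTTY: never acquire a controlling terminal as a side effect.
     * O_NONBLOCK: do not hang on a FIFO that has no writer.
     * O_CLOEXEC: do not leak the descriptor across exec. */
    int fd = open(path, O_RDONLY | O_NOCTTY | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) {
        return -1;                      /* errno from open(): ENOENT, EACCES, ... */
    }
    int rc = fstatfs(fd, out);
    int saved_errno = errno;
    close(fd);
    errno = saved_errno;                /* report fstatfs's errno, not close's */
    return rc;
}

/* Returns 1 if the substitute and the real statfs(2) agree on filesystem
 * type and block size for `path`, 0 if they disagree, -1 if either fails. */
static int agrees_with_statfs(const char *path) {
    struct statfs real, subst;
    if (statfs(path, &real) != 0) return -1;
    if (statfs_via_open(path, &subst) != 0) return -1;
    return (real.f_type == subst.f_type && real.f_bsize == subst.f_bsize) ? 1 : 0;
}

/* Returns 0 if the substitute succeeds on `path`, otherwise the errno it set. */
static int substitute_errno(const char *path) {
    struct statfs sfs;
    return statfs_via_open(path, &sfs) == 0 ? 0 : errno;
}

int main(void) {
    struct statfs sfs;
    if (statfs_via_open("/", &sfs) == 0) {
        printf("/: f_type=0x%lx f_bsize=%ld agrees_with_statfs=%d\n",
               (unsigned long)sfs.f_type, (long)sfs.f_bsize, agrees_with_statfs("/"));
    }
    /* Constructed path that does not exist: the failure is open()'s, exactly
     * what a brokered open would have produced for a disallowed path. */
    int e = substitute_errno("/nonexistent/constructed/path");
    printf("missing path -> errno %d (%s)\n", e, strerror(e));
    return 0;
}
```

The `f_type`/`f_bsize` comparison is the check a practitioner would run before turning the substitution on for a new process type: if the two calls disagree for some mount, the replacement is not transparent there.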
8e1a65ad0c4d3b0ca9a076521252f2ba28fa898b: Bug 1778052 - Don't reset ignored signals when starting a sandboxed child process on Linux. r=gcp
Jed Davis <jld@mozilla.com> - Tue, 09 Aug 2022 00:35:18 +0000 - rev 626496
Push 167558 by jedavis@mozilla.com at Tue, 09 Aug 2022 00:37:42 +0000
Bug 1778052 - Don't reset ignored signals when starting a sandboxed child process on Linux. r=gcp We uninstall signal handlers in child processes after clone(), because they probably won't do the right thing if invoked in that context. However, the current code also resets signals which were ignored; if that disposition was set by an outside program like `nohup`, the expectation is that it should be inherited. This patch omits those signals when resetting handlers (similar to what `exec` does). Differential Revision: https://phabricator.services.mozilla.com/D151336
d0b98aadc143b0fb633fc581ea852d99125c0ed9: Bug 1782027 - Fix bustage in simulated early-beta Windows builds r=gcp
Ray Kraesig <rkraesig@mozilla.com> - Thu, 28 Jul 2022 19:11:20 +0000 - rev 625447
Push 166983 by rkraesig@mozilla.com at Thu, 28 Jul 2022 19:21:56 +0000
Bug 1782027 - Fix bustage in simulated early-beta Windows builds r=gcp ... which was entirely due to a trivial error on my part. Differential Revision: https://phabricator.services.mozilla.com/D153109
1ba53f776c9af5a94799e30e713e13fa08b6d893: Bug 1780312 - Turn off the Linux nvidia driver's shader cache in the RDD process. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 28 Jul 2022 19:07:30 +0000 - rev 625446
Push 166982 by jedavis@mozilla.com at Thu, 28 Jul 2022 19:21:24 +0000
Bug 1780312 - Turn off the Linux nvidia driver's shader cache in the RDD process. r=gcp We were already turning off Mesa's shader cache in the RDD process, because it's not useful given that we're only using video codec acceleration and moving images around, and it does a few things related to trying to access the cache that the sandbox would have to accommodate. This patch does the equivalent thing for the nvidia proprietary driver; we don't support it for media codec acceleration, but it can still be loaded in that process (e.g., on multi-GPU systems) and it's trying to call `statfs` on startup which may be related. Differential Revision: https://phabricator.services.mozilla.com/D152932
1e4c845297d75fc1352b0b142139bdc79d58f74a: Bug 1778052 - Don't reset ignored signals when starting a sandboxed child process on Linux. r=gcp
Jed Davis <jld@mozilla.com> - Fri, 08 Jul 2022 22:19:37 +0000 - rev 623410
Push 165899 by jedavis@mozilla.com at Fri, 08 Jul 2022 22:22:03 +0000
Bug 1778052 - Don't reset ignored signals when starting a sandboxed child process on Linux. r=gcp We uninstall signal handlers in child processes after clone(), because they probably won't do the right thing if invoked in that context. However, the current code also resets signals which were ignored; if that disposition was set by an outside program like `nohup`, the expectation is that it should be inherited. This patch omits those signals when resetting handlers (similar to what `exec` does). Differential Revision: https://phabricator.services.mozilla.com/D151336
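The two Bug 1778052 entries above (original landing and relanding) state the rule: after clone(), caught signals go back to SIG_DFL, but a SIG_IGN disposition, such as the one nohup(1) leaves on SIGHUP, is kept, which is what execve(2) does. The block below is an added example of that rule and is not Firefox's launcher code; it runs in the calling process rather than in a cloned child so the resulting dispositions can be inspected, and it assumes Linux signal numbering (NSIG from <signal.h>). SIGUSR1 and SIGUSR2 stand in for SIGHUP and for a real handler.

```c
/* Added example, not Firefox's process-launch code: reset signal handlers
 * the way the commit describes. Caught signals go back to SIG_DFL; ignored
 * ones stay ignored, matching execve(2). Assumes Linux; NSIG from <signal.h>. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>

#ifndef NSIG
#define NSIG 65   /* glibc/musl value on Linux; an assumption for other libcs */
#endif

/* Resets every signal whose disposition is a user handler to SIG_DFL.
 * SIG_IGN is preserved: a parent such as nohup(1) may have set SIGHUP to be
 * ignored, and a child that went on to exec would inherit that anyway.
 * SIGKILL/SIGSTOP cannot be changed; signals sigaction() refuses to report
 * (e.g. the ones libc reserves internally) are skipped.
 * Returns the number of handlers reset, or -1 on an unexpected failure. */
static int reset_caught_signals_keep_ignored(void) {
    int reset = 0;
    for (int sig = 1; sig < NSIG; sig++) {
        if (sig == SIGKILL || sig == SIGSTOP) continue;
        struct sigaction cur;
        if (sigaction(sig, NULL, &cur) != 0) continue;
        /* SA_SIGINFO handlers share storage with sa_handler, so this one
         * comparison covers both kinds of handler. */
        if (cur.sa_handler == SIG_DFL || cur.sa_handler == SIG_IGN) continue;
        struct sigaction dfl;
        memset(&dfl, 0, sizeof dfl);
        dfl.sa_handler = SIG_DFL;
        sigemptyset(&dfl.sa_mask);
        if (sigaction(sig, &dfl, NULL) != 0) return -1;
        reset++;
    }
    return reset;
}

static void noop_handler(int sig) { (void)sig; }

/* Sets up the two cases that matter, runs the reset, and reports whether the
 * outcome matches the commit's intent: 1 = ignored signal still ignored and
 * caught signal now default, 0 = otherwise, -1 = sigaction failure. */
static int demo_reset_keeps_ignored(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sigemptyset(&sa.sa_mask);

    sa.sa_handler = SIG_IGN;              /* stands in for nohup's SIGHUP */
    if (sigaction(SIGUSR1, &sa, NULL) != 0) return -1;
    sa.sa_handler = noop_handler;         /* a handler that is wrong after clone() */
    if (sigaction(SIGUSR2, &sa, NULL) != 0) return -1;

    if (reset_caught_signals_keep_ignored() < 1) return -1;

    struct sigaction usr1, usr2;
    if (sigaction(SIGUSR1, NULL, &usr1) != 0) return -1;
    if (sigaction(SIGUSR2, NULL, &usr2) != 0) return -1;
    return (usr1.sa_handler == SIG_IGN && usr2.sa_handler == SIG_DFL) ? 1 : 0;
}

int main(void) {
    printf("reset keeps SIG_IGN and clears handlers: %d\n", demo_reset_keeps_ignored());
    return 0;
}
```

In a real launcher this runs in the child between clone() and the sandbox setup; the point of the SIG_IGN test is that `nohup firefox` keeps working for child processes too.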
1221f3ce857cd3faec2784bd2b618b45bd3945c9: Bug 1728871 - P3. Add the URLCLASSIFIER_UPDATE_REMOTE_SETTING_RESULT telemetry r=gcp
Dimi <dlee@mozilla.com> - Thu, 07 Jul 2022 15:01:09 +0000 - rev 623251
Push 165812 by dlee@mozilla.com at Thu, 07 Jul 2022 15:03:46 +0000
Bug 1728871 - P3. Add the URLCLASSIFIER_UPDATE_REMOTE_SETTING_RESULT telemetry r=gcp We can use this telemetry to track the statistics of using RemoteSettings to serve Safe Browsing data. This can help us understand if we can roll out this feature to more users. Depends on D135990 Differential Revision: https://phabricator.services.mozilla.com/D136107
9dd22b2b2196494a21378a6ce6647ea50ae18891: Bug 1728871 - P2. Add UrlClassifierRemoteSettingsService testcases r=gcp
Dimi <dlee@mozilla.com> - Thu, 07 Jul 2022 15:01:09 +0000 - rev 623250
Push 165812 by dlee@mozilla.com at Thu, 07 Jul 2022 15:03:46 +0000
Bug 1728871 - P2. Add UrlClassifierRemoteSettingsService testcases r=gcp Depends on D135989 Differential Revision: https://phabricator.services.mozilla.com/D135990
792934b2ee566152071c0543ab60cdd2795d7f74: Bug 1728871 - P1. Add UrlClassifierRemoteSettingsService to serve update data over RemoteSettings r=gcp,leplatrem
Dimi <dlee@mozilla.com> - Thu, 07 Jul 2022 15:01:08 +0000 - rev 623249
Push 165812 by dlee@mozilla.com at Thu, 07 Jul 2022 15:03:46 +0000
Bug 1728871 - P1. Add UrlClassifierRemoteSettingsService to serve update data over RemoteSettings r=gcp,leplatrem

This patch implements UrlClassifierRemoteSettingsService to get SafeBrowsing data (protocol v2) from RemoteSettings instead of from the Shavar server. This is only used by data provided by Mozilla.

To distinguish if the data should be coming from RemoteSettings or Shavar, we added a custom scheme "moz-sbrs" to denote that the data should be retrieved from Remote Setting. This is done by changing the value of pref "browser.safebrowsing.provider.mozilla.updateURL" to something like "moz-sbrf://tracking-protection-list". (Note that the hostname is not used at this point.)

The goal of this patch is to make the new architecture compatible with the original Safe Browsing design. So we don't notify Safe Browsing there is new data available (via "sync" event of RemoteSettings). We still follow how Safe Browsing periodically checks whether there is a newer version of the list.

Note. This patch changes the flow compared with how we usually receive the SafeBrowsing response from Shavar. In the Shavar case, the list data response usually comes with "n:21600\ni:listname1\nu:redirectURL1\ni:listname2\nu:redirectURL2 ..." first. And then we fetch the data again from the redirectURL for each list. But in the current implementation, responses don't contain redirectURL anymore (since we already have the data). So the mocked response will contain all the data needed in one response. For example: "n:21600\ni:listname1\n:chunkdata1\ni:listname2\n:chunkdata2...".

Differential Revision: https://phabricator.services.mozilla.com/D135989
3bfb4a4cbf1be7f6544790e9936570159c410d1a: Bug 1777910 - Adjust Mesa environment variables for change/deprecation in 22.1. r=gcp
Jed Davis <jld@mozilla.com> - Wed, 06 Jul 2022 21:20:06 +0000 - rev 623198
Push 165777 by jedavis@mozilla.com at Wed, 06 Jul 2022 21:22:32 +0000
Bug 1777910 - Adjust Mesa environment variables for change/deprecation in 22.1. r=gcp Mesa 22.1.0 changed the env var name MESA_GLSL_CACHE_DISABLE to MESA_SHADER_CACHE_DISABLE; it still accepts the old name, but prints a deprecation warning. If we set both env vars, then we can support both old and new Mesas correctly (the warning won't be printed if the new env var is also set). Differential Revision: https://phabricator.services.mozilla.com/D151094
cd77f62da01f296789ecca679ef43d601df8140d: Bug 1728871 - P3. Add the URLCLASSIFIER_UPDATE_REMOTE_SETTING_RESULT telemetry r=gcp
Dimi <dlee@mozilla.com> - Thu, 30 Jun 2022 06:32:27 +0000 - rev 622663
Push 165495 by dlee@mozilla.com at Thu, 30 Jun 2022 07:59:02 +0000
Bug 1728871 - P3. Add the URLCLASSIFIER_UPDATE_REMOTE_SETTING_RESULT telemetry r=gcp We can use this telemetry to track the statistics of using RemoteSettings to serve Safe Browsing data. This can help us understand if we can roll out this feature to more users. Depends on D135990 Differential Revision: https://phabricator.services.mozilla.com/D136107
d3f805b9199bd4500ff5267165cd6ce2e7d49d7c: Bug 1728871 - P2. Add UrlClassifierRemoteSettingsService testcases r=gcp
Dimi <dlee@mozilla.com> - Thu, 30 Jun 2022 06:32:26 +0000 - rev 622662
Push 165495 by dlee@mozilla.com at Thu, 30 Jun 2022 07:59:02 +0000
Bug 1728871 - P2. Add UrlClassifierRemoteSettingsService testcases r=gcp Depends on D135989 Differential Revision: https://phabricator.services.mozilla.com/D135990
19899fa89d05cbf4edcf1ef42e61f48d1892a252: Bug 1728871 - P1. Add UrlClassifierRemoteSettingsService to serve update data over RemoteSettings r=gcp,leplatrem
Dimi <dlee@mozilla.com> - Thu, 30 Jun 2022 06:32:26 +0000 - rev 622661
Push 165495 by dlee@mozilla.com at Thu, 30 Jun 2022 07:59:02 +0000
Bug 1728871 - P1. Add UrlClassifierRemoteSettingsService to serve update data over RemoteSettings r=gcp,leplatrem

This patch implements UrlClassifierRemoteSettingsService to get SafeBrowsing data (protocol v2) from RemoteSettings instead of from the Shavar server. This is only used by data provided by Mozilla.

To distinguish if the data should be coming from RemoteSettings or Shavar, we added a custom scheme "moz-sbrs" to denote that the data should be retrieved from Remote Setting. This is done by changing the value of pref "browser.safebrowsing.provider.mozilla.updateURL" to something like "moz-sbrf://tracking-protection-list". (Note that the hostname is not used at this point.)

The goal of this patch is to make the new architecture compatible with the original Safe Browsing design. So we don't notify Safe Browsing there is new data available (via "sync" event of RemoteSettings). We still follow how Safe Browsing periodically checks whether there is a newer version of the list.

Note. This patch changes the flow compared with how we usually receive the SafeBrowsing response from Shavar. In the Shavar case, the list data response usually comes with "n:21600\ni:listname1\nu:redirectURL1\ni:listname2\nu:redirectURL2 ..." first. And then we fetch the data again from the redirectURL for each list. But in the current implementation, responses don't contain redirectURL anymore (since we already have the data). So the mocked response will contain all the data needed in one response. For example: "n:21600\ni:listname1\n:chunkdata1\ni:listname2\n:chunkdata2...".

Differential Revision: https://phabricator.services.mozilla.com/D135989
2e18d27a4d708825c3faf4264f221fb172427f80: Bug 1771382 - Adjust the Linux RDD sandbox to handle the nvidia driver being loaded but not used. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 23 Jun 2022 00:00:54 +0000 - rev 621853
Push 165078 by jedavis@mozilla.com at Thu, 23 Jun 2022 00:03:20 +0000
Bug 1771382 - Adjust the Linux RDD sandbox to handle the nvidia driver being loaded but not used. r=gcp On multi-GPU systems, even though the GPU we're going to use for accelerated video decoding is driven by Mesa, sometimes the nvidia proprietary driver can be loaded and attempt to probe devices. This patch attempts to make the sandbox policy quietly return errors for those syscalls, instead of treating them as unexpected (and crashing on Nightly). Differential Revision: https://phabricator.services.mozilla.com/D149652
9a4be9c8c0c631596e5a7aa96612a0b4b842c668: Bug 1770905 - Allow GeckoMediaPlugin processes on Linux to be profiled if memfd_create is available. r=gcp,mstange,media-playback-reviewers,padenot
Jed Davis <jld@mozilla.com> - Wed, 15 Jun 2022 20:55:24 +0000 - rev 621040
Push 164626 by jedavis@mozilla.com at Wed, 15 Jun 2022 20:57:54 +0000
Bug 1770905 - Allow GeckoMediaPlugin processes on Linux to be profiled if memfd_create is available. r=gcp,mstange,media-playback-reviewers,padenot

There are two parts to this patch; both affect only Linux:

1. The GMP sandbox policy is adjusted to allow certain syscalls used in shared memory creation (ftruncate and fallocate). However, the file broker is not used; the process still has no access to files in /dev/shm.

2. The profiler is not initialized for GMP processes unless memfd_create is available (so the process can create shared memory to send profiling data back, without filesystem access), or the GMP sandbox is disabled (either at runtime or build time).

As of this patch, profiling GMP processes on Linux should succeed on distros with kernel >=3.17 (Oct. 2014), but native stack frames won't have symbols (and may be incorrectly unwound, not that it matters much without symbols); see the bug for more info. Pseudo-stack frames and markers should work, however.

Differential Revision: https://phabricator.services.mozilla.com/D148470
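Parts 1 and 2 of the Bug 1770905 entry above hinge on one mechanism: a process with no filesystem access can still hand a buffer to another process if it can call memfd_create, size the result with ftruncate and map it. The block below is an added example of that mechanism, not the profiler's or Firefox's shared-memory code. It assumes Linux 3.17 or later with a libc that wraps memfd_create (glibc 2.27 or later); sealing the buffer's size with F_ADD_SEALS is an addition of this example that the commit does not mention, and the sample payload is constructed.

```c
/* Added example, not Firefox's profiler or shared-memory code: anonymous
 * shared memory via memfd_create(2) + ftruncate(2), created without any
 * filesystem path. Size sealing is this example's addition. Assumes Linux
 * >= 3.17 and a libc that wraps memfd_create (glibc >= 2.27). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* close() without clobbering the errno of the call that just failed. */
static int close_keep_errno(int fd) {
    int saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

/* Creates a `size`-byte shared buffer and returns its fd, or -1 with errno.
 * Nothing appears under /dev/shm, so a policy that forbids filesystem access
 * but allows memfd_create + ftruncate (+ mmap) is enough. On a kernel without
 * memfd_create the call fails with ENOSYS, which is the condition the commit
 * uses to skip profiler initialization. */
static int create_shared_buffer(size_t size) {
    int fd = memfd_create("profiler-buffer", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0) return -1;
    if (ftruncate(fd, (off_t)size) != 0)            /* the syscall the GMP policy now allows */
        return close_keep_errno(fd);
    /* Freeze the size: a receiver that maps this fd cannot be hit with SIGBUS
     * by a sender that later shrinks it. Seals can be added, never removed. */
    if (fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW) != 0)
        return close_keep_errno(fd);
    return fd;
}

/* Writes through one mapping and reads through a second, independent mapping
 * of the same fd (what a receiving process does after getting the fd over
 * SCM_RIGHTS). Returns 1 if the data round-trips and the size is sealed,
 * 0 if either check fails, -1 on a setup error. */
static int shared_buffer_roundtrip(void) {
    static const char sample[] = "constructed sample: profiler marker payload";
    const size_t size = 4096;
    int fd = create_shared_buffer(size);
    if (fd < 0) return -1;

    char *writer = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    char *reader = mmap(NULL, size, PROT_READ, MAP_SHARED, fd, 0);
    int result = -1;
    if (writer != MAP_FAILED && reader != MAP_FAILED) {
        memcpy(writer, sample, sizeof sample);
        int data_ok = memcmp(reader, sample, sizeof sample) == 0;
        /* With F_SEAL_SHRINK in place, shrinking must be refused with EPERM. */
        int shrink_refused = (ftruncate(fd, 0) != 0 && errno == EPERM);
        result = (data_ok && shrink_refused) ? 1 : 0;
    }
    if (writer != MAP_FAILED) munmap(writer, size);
    if (reader != MAP_FAILED) munmap(reader, size);
    close(fd);
    return result;
}

int main(void) {
    int r = shared_buffer_roundtrip();
    if (r < 0) perror("shared buffer");
    else printf("memfd round trip ok and size sealed: %d\n", r);
    return r == 1 ? 0 : 1;
}
```

The seal is the part worth keeping when a sandboxed, less-trusted process is the sender: once the parent has mapped the buffer, the child can no longer change its size underneath it.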
4280a7d0ee17883fb994e22afc43b0ac8ea9416c: Bug 1770905 - Quietly reject `readlink` in the Linux GeckoMediaPlugin sandbox. r=gcp
Jed Davis <jld@mozilla.com> - Wed, 15 Jun 2022 20:55:23 +0000 - rev 621039
Push 164626 by jedavis@mozilla.com at Wed, 15 Jun 2022 20:57:54 +0000
Bug 1770905 - Quietly reject `readlink` in the Linux GeckoMediaPlugin sandbox. r=gcp The profiler may try to readlink `/proc/self/exe` to determine the executable name; currently, its attempt to get information about loaded objects is broken for other reasons, so this isn't helpful. Thus, this patch has it fail with `EINVAL` (meaning "not a symbolic link") instead of being treated as unexpected. (In the future, if we need to, we could simulate that syscall by recording the target of `/proc/self/exe` before sandboxing, and recognizing that specific case in a trap function.) Differential Revision: https://phabricator.services.mozilla.com/D148469
42d0594d9b9ce11e99a503c915b9302ce630fa52: Bug 1773043 - Remove flashblock from SafeBrowsing r=perftest-reviewers,gcp,sparky
Dimi <dlee@mozilla.com> - Wed, 15 Jun 2022 12:55:26 +0000 - rev 620991
Push 164595 by dlee@mozilla.com at Wed, 15 Jun 2022 12:58:04 +0000
Bug 1773043 - Remove flashblock from SafeBrowsing r=perftest-reviewers,gcp,sparky Depends on D149129 Differential Revision: https://phabricator.services.mozilla.com/D149130
7f88718e8d4626041f9582cc1fe322d85a8e8e29: Bug 1772142 - Fix the RDD sandbox to deal with Snap moving some config files. r=gcp
Jed Davis <jld@mozilla.com> - Fri, 10 Jun 2022 19:03:55 +0000 - rev 620558
Push 164367 by jedavis@mozilla.com at Fri, 10 Jun 2022 19:06:17 +0000
Bug 1772142 - Fix the RDD sandbox to deal with Snap moving some config files. r=gcp

In the Snap environment, some system config files aren't in their usual places, but rather in a subtree rooted at `$SNAP/gnome-platform`, which seems to also be `$SNAP_DESKTOP_RUNTIME`. This includes some subdirectories of `/usr/share` that we need for EGL to work.

This could probably also have been fixed in the Snap packaging, given that [Mozilla's][] and [Ubuntu's][] specs both put `/usr/share/libdrm` back into its normal location, but for now it's easiest to adjust the sandbox, given that (I think?) anything under `$SNAP` is public information so we lose nothing by allowing read access. (See also bug 1732580.)

[Mozilla's]: https://searchfox.org/mozilla-central/rev/973000acec0cbf7211e0fad89ca00c352aeb8384/taskcluster/docker/firefox-snap/firefox.snapcraft.yaml.in#50-52
[Ubuntu's]: https://git.launchpad.net/~mozilla-snaps/firefox-snap/+git/firefox-snap/tree/snapcraft.yaml?id=a24fb4a3f92d190299e4126ecc4132087c2aed3d#n85

Differential Revision: https://phabricator.services.mozilla.com/D148925
bb37f59772bf9931b541a5640c9aa317cf252703: Bug 1772101 - Part 46: Use plain object for lazy getter in toolkit/components/url-classifier/. r=gcp
Tooru Fujisawa <arai_a@mac.com> - Tue, 07 Jun 2022 04:31:06 +0000 - rev 619927
Push 164066 by arai_a@mac.com at Tue, 07 Jun 2022 04:36:39 +0000
Bug 1772101 - Part 46: Use plain object for lazy getter in toolkit/components/url-classifier/. r=gcp Differential Revision: https://phabricator.services.mozilla.com/D147987
7d16dadf837aa05be8c04349e8df58b7ff52329e: Bug 1770523 - Return to not allowing X11 access in the RDD process. r=gcp
Jed Davis <jld@mozilla.com> - Wed, 01 Jun 2022 16:42:53 +0000 - rev 619451
Push 163821 by jedavis@mozilla.com at Wed, 01 Jun 2022 16:45:20 +0000
Bug 1770523 - Return to not allowing X11 access in the RDD process. r=gcp The patch for bug 1769499 lets the RDD process create a headless EGL context using GBM, which needs access only to the GPU device files, not the display server. This means that the X11 access recently added in bug 1769182 can be turned back off. Differential Revision: https://phabricator.services.mozilla.com/D147792
f5495c74793db90bdc7a1b75dad36e61938d1066: Bug 1770703 - Duplicated ioctl() case when building with MOZ_ASAN r=gcp
Alexandre Lissy <lissyx+mozillians@lissyx.dyndns.org> - Mon, 23 May 2022 09:51:28 +0000 - rev 618529
Push 163312 by alissy@mozilla.com at Mon, 23 May 2022 09:58:16 +0000
Bug 1770703 - Duplicated ioctl() case when building with MOZ_ASAN r=gcp Differential Revision: https://phabricator.services.mozilla.com/D147057
cd0c2d8c609262d6713d6b20804cf283a0c9c330: Bug 1769182 - Allow the RDD process to use EGL under X11 on Linux. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 19 May 2022 17:02:33 +0000 - rev 618280
Push 163160 by jedavis@mozilla.com at Thu, 19 May 2022 17:44:06 +0000
Bug 1769182 - Allow the RDD process to use EGL under X11 on Linux. r=gcp This patch mostly turns on the features set up by the earlier patches: allow connecting to the X server and reading various related things (.Xauthority, GPU device info in sysfs, etc.). It also turns off Mesa's shader cache in the RDD process; that shouldn't be needed here, and disabling it lets us avoid dealing with a few things in the sandbox policy that we'd rather not (e.g., `getpwuid`). Differential Revision: https://phabricator.services.mozilla.com/D146275
f38d02e551731ee13eb5855d7ae276aaadef81d0: Bug 1769182 - Factor out the X11/Mesa-related parts of Linux sandbox file policies. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 19 May 2022 17:02:32 +0000 - rev 618279
Push 163160 by jedavis@mozilla.com at Thu, 19 May 2022 17:44:06 +0000
Bug 1769182 - Factor out the X11/Mesa-related parts of Linux sandbox file policies. r=gcp This patch moves a lot of text but the idea is relatively simple and no functional change is intended: factor out the parts of the content sandbox policy needed to create and use an EGL context under X11. (The `AddDriPaths` function already has some of the dependencies in a conveniently separated form, but there are others.) Differential Revision: https://phabricator.services.mozilla.com/D146274
e0907e204b986033f48b3b1858843cfa8fda8259: Bug 1769182 - Allow send/recv and sendto/recvfrom in the common Linux sandbox policy. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 19 May 2022 17:02:32 +0000 - rev 618278
Push 163160 by jedavis@mozilla.com at Thu, 19 May 2022 17:44:06 +0000
Bug 1769182 - Allow send/recv and sendto/recvfrom in the common Linux sandbox policy. r=gcp These syscalls (at least send/recv) are used by X11 client libraries, and allowing them doesn't really change anything about security or attack surface, because they're strict subsets of sendmsg/recvmsg which we already allow everywhere for use by IPC. So, this patch allows them in all process types instead of only content. Differential Revision: https://phabricator.services.mozilla.com/D146273
06426a1dbd1aef35df77dd423674cbb3875e2b0f: Bug 1769182 - Factor out connect() brokering in the Linux sandbox policies. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 19 May 2022 17:02:31 +0000 - rev 618277
Push 163160 by jedavis@mozilla.com at Thu, 19 May 2022 17:44:06 +0000
Bug 1769182 - Factor out connect() brokering in the Linux sandbox policies. r=gcp We're going to want to let the RDD process make a (brokered) connection to a local X server, but the seccomp-bpf plumbing for that mostly lives in the content process sandbox policy. This moves it into the common policy, and subclasses can opt in. Differential Revision: https://phabricator.services.mozilla.com/D146272
0f9452f00ff91bd7d08656a43d232169a9f02cf5: Bug 1769182 - Refactor seccomp-bpf sandbox policy constructors. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 19 May 2022 17:02:31 +0000 - rev 618276
Push 163160 by jedavis@mozilla.com at Thu, 19 May 2022 17:44:06 +0000
Bug 1769182 - Refactor seccomp-bpf sandbox policy constructors. r=gcp The arguments to the SandboxPolicyCommon constructor will get more complicated as more optional features are added (e.g., the one added in the next patch), and they're basically just mapped to boolean member variables, so this patch lets the subclasses set them directly, to keep things simpler and more readable. Differential Revision: https://phabricator.services.mozilla.com/D146271
f4e4de791d7fdc9cd6707fe28798a1c6d2d1ce58: Bug 1770126 - Make WindowsLocationProvider::Watch() not try to watch for events if already watching. r=gcp
Emilio Cobos Álvarez <emilio@crisal.io> - Thu, 19 May 2022 09:28:59 +0000 - rev 618233
Push 163128 by ealvarez@mozilla.com at Thu, 19 May 2022 09:33:14 +0000
Bug 1770126 - Make WindowsLocationProvider::Watch() not try to watch for events if already watching. r=gcp The second call would fail and thus fall back to MLS, but only null out mLocation (not unregister the existing listener), so Windows would think we're still using the location permission forever. Differential Revision: https://phabricator.services.mozilla.com/D146785
16856951218b2c0148382d12645cc690ceb19039: Bug 1770126 - Make WindowsLocationProvider::Startup() deal correctly with already-initialized instances. r=gcp
Emilio Cobos Álvarez <emilio@crisal.io> - Thu, 19 May 2022 09:28:59 +0000 - rev 618232
Push 163128 by ealvarez@mozilla.com at Thu, 19 May 2022 09:33:14 +0000
Bug 1770126 - Make WindowsLocationProvider::Startup() deal correctly with already-initialized instances. r=gcp We can call Startup() on an already-running instance, and that would cause us to not unregister notifications from a pre-existing ILocation instance, which seems likely to cause things like bug 1766770. Other location providers deal correctly with this. Differential Revision: https://phabricator.services.mozilla.com/D146783
1797d55fa1534a8f9329461a7b70cc8649db6062: Bug 1769309: Block hmpalert.dll v3.8.8.889 and earlier due to crashes with win32k lockdown. r=gcp
Bob Owen <bobowencode@gmail.com> - Sat, 14 May 2022 22:48:34 +0000 - rev 617343
Push 162859 by bobowencode@gmail.com at Sat, 14 May 2022 22:50:57 +0000
Bug 1769309: Block hmpalert.dll v3.8.8.889 and earlier due to crashes with win32k lockdown. r=gcp The version from a fresh install from Sophos website is 3.8.19.923. Only blocking in child processes. Differential Revision: https://phabricator.services.mozilla.com/D146382
f5b71a28f28b38132c332644015e755be475a9e5: Bug 1769182 - Allow the RDD process to use EGL under X11 on Linux. r=gcp
Jed Davis <jld@mozilla.com> - Sat, 14 May 2022 00:42:56 +0000 - rev 617317
Push 162844 by jedavis@mozilla.com at Sat, 14 May 2022 01:09:54 +0000
Bug 1769182 - Allow the RDD process to use EGL under X11 on Linux. r=gcp This patch mostly turns on the features set up by the earlier patches: allow connecting to the X server and reading various related things (.Xauthority, GPU device info in sysfs, etc.). It also turns off Mesa's shader cache in the RDD process; that shouldn't be needed here, and disabling it lets us avoid dealing with a few things in the sandbox policy that we'd rather not (e.g., `getpwuid`). Differential Revision: https://phabricator.services.mozilla.com/D146275
7a64faec004f287f237bda7c2f8363fe03ce3036: Bug 1769182 - Factor out the X11/Mesa-related parts of Linux sandbox file policies. r=gcp
Jed Davis <jld@mozilla.com> - Sat, 14 May 2022 00:42:56 +0000 - rev 617316
Push 162844 by jedavis@mozilla.com at Sat, 14 May 2022 01:09:54 +0000
Bug 1769182 - Factor out the X11/Mesa-related parts of Linux sandbox file policies. r=gcp This patch moves a lot of text but the idea is relatively simple and no functional change is intended: factor out the parts of the content sandbox policy needed to create and use an EGL context under X11. (The `AddDriPaths` function already has some of the dependencies in a conveniently separated form, but there are others.) Differential Revision: https://phabricator.services.mozilla.com/D146274
c7833370362acd8e209396d7971549b88b7259fb: Bug 1769182 - Allow send/recv and sendto/recvfrom in the common Linux sandbox policy. r=gcp
Jed Davis <jld@mozilla.com> - Sat, 14 May 2022 00:42:56 +0000 - rev 617315
Push 162844 by jedavis@mozilla.com at Sat, 14 May 2022 01:09:54 +0000
Bug 1769182 - Allow send/recv and sendto/recvfrom in the common Linux sandbox policy. r=gcp These syscalls (at least send/recv) are used by X11 client libraries, and allowing them doesn't really change anything about security or attack surface, because they're strict subsets of sendmsg/recvmsg which we already allow everywhere for use by IPC. So, this patch allows them in all process types instead of only content. Differential Revision: https://phabricator.services.mozilla.com/D146273
b91adae9bb5996dc1ce5f2133ce00d1d3d8f13e3: Bug 1769182 - Factor out connect() brokering in the Linux sandbox policies. r=gcp
Jed Davis <jld@mozilla.com> - Sat, 14 May 2022 00:42:55 +0000 - rev 617314
Push 162844 by jedavis@mozilla.com at Sat, 14 May 2022 01:09:54 +0000
Bug 1769182 - Factor out connect() brokering in the Linux sandbox policies. r=gcp We're going to want to let the RDD process make a (brokered) connection to a local X server, but the seccomp-bpf plumbing for that mostly lives in the content process sandbox policy. This moves it into the common policy, and subclasses can opt in. Differential Revision: https://phabricator.services.mozilla.com/D146272
cf7bb9b7414d8564eee6ff0722abc595c7d3d2ad: Bug 1769182 - Refactor seccomp-bpf sandbox policy constructors. r=gcp
Jed Davis <jld@mozilla.com> - Sat, 14 May 2022 00:42:55 +0000 - rev 617313
Push 162844 by jedavis@mozilla.com at Sat, 14 May 2022 01:09:54 +0000
Bug 1769182 - Refactor seccomp-bpf sandbox policy constructors. r=gcp The arguments to the SandboxPolicyCommon constructor will get more complicated as more optional features are added (e.g., the one added in the next patch), and they're basically just mapped to boolean member variables, so this patch lets the subclasses set them directly, to keep things simpler and more readable. Differential Revision: https://phabricator.services.mozilla.com/D146271
339351d0136a57e4e975e2ab88deb69c874ee89a: Bug 1768800: Remove EARLY_BETA_OR_EARLIER guards for safaweb*.dll blocking. r=gcp
Bob Owen <bobowencode@gmail.com> - Wed, 11 May 2022 08:39:32 +0000 - rev 616980
Push 162627 by bobowencode@gmail.com at Wed, 11 May 2022 08:41:57 +0000
Bug 1768800: Remove EARLY_BETA_OR_EARLIER guards for safaweb*.dll blocking. r=gcp Differential Revision: https://phabricator.services.mozilla.com/D146048
84bb3b358b96c3a784e3bcec22a44096c5516c15: Bug 1767993 p2: Remove EARLY_BETA_OR_EARLIER guards for qipcap*.dll blocking. r=gcp
Bob Owen <bobowencode@gmail.com> - Wed, 11 May 2022 07:26:55 +0000 - rev 616978
Push 162625 by bobowencode@gmail.com at Wed, 11 May 2022 07:29:21 +0000
Bug 1767993 p2: Remove EARLY_BETA_OR_EARLIER guards for qipcap*.dll blocking. r=gcp Differential Revision: https://phabricator.services.mozilla.com/D146043
f557fc59b1bf7faf1a9b6bb75a39b69e976489c3: Bug 1767993: Block Forcepoint qipcap*.dll v7.7.819.1 and earlier for high crash rate. r=gcp
Bob Owen <bobowencode@gmail.com> - Tue, 10 May 2022 17:42:45 +0000 - rev 616894
Push 162582 by bobowencode@gmail.com at Tue, 10 May 2022 17:45:13 +0000
Bug 1767993: Block Forcepoint qipcap*.dll v7.7.819.1 and earlier for high crash rate. r=gcp Differential Revision: https://phabricator.services.mozilla.com/D145957
0e94ec1aa0ec6e0ffb6d0874a09196175e3d6dd1: Bug 1766029: Block safaweb* DLLs in child processes due to win32k lockdown crash. r=gcp
Bob Owen <bobowencode@gmail.com> - Tue, 10 May 2022 15:38:27 +0000 - rev 616883
Push 162572 by bobowencode@gmail.com at Tue, 10 May 2022 15:40:54 +0000
Bug 1766029: Block safaweb* DLLs in child processes due to win32k lockdown crash. r=gcp The version is the last one for which we have seen crashes. Differential Revision: https://phabricator.services.mozilla.com/D145899
53032d7125127400ad88d999921039ae69c6ca3f: Bug 1768014 p2: Default to policy win32k lockdown status if in process check fails. r=gcp,cmartin
Bob Owen <bobowencode@gmail.com> - Tue, 10 May 2022 06:07:17 +0000 - rev 616802
Push 162539 by bobowencode@gmail.com at Tue, 10 May 2022 07:03:12 +0000
Bug 1768014 p2: Default to policy win32k lockdown status if in process check fails. r=gcp,cmartin Depends on D145872 Differential Revision: https://phabricator.services.mozilla.com/D145873
6afde84567715e73da3d9438a362a18e9b5b849a: Bug 1768014 p1: Transfer mitigations to sandboxed child process. r=gcp
Bob Owen <bobowencode@gmail.com> - Tue, 10 May 2022 06:07:16 +0000 - rev 616801
Push 162539 by bobowencode@gmail.com at Tue, 10 May 2022 07:03:12 +0000
Bug 1768014 p1: Transfer mitigations to sandboxed child process. r=gcp Differential Revision: https://phabricator.services.mozilla.com/D145872
743e4a955fea6b94c88ea984b52c22e65f4e3128: Bug 1767999: Re-enable Win32k Lockdown by default. r=gcp
Bob Owen <bobowencode@gmail.com> - Thu, 05 May 2022 18:14:03 +0000 - rev 616333
Push 162305 by bobowencode@gmail.com at Thu, 05 May 2022 18:18:15 +0000
Bug 1767999: Re-enable Win32k Lockdown by default. r=gcp Differential Revision: https://phabricator.services.mozilla.com/D145618
9e8c4348b179b3cde398141d1843fdb2fef1973e: Bug 1765750 - Part 2: Stop using global this in UrlClassifierListManager.jsm. r=gcp
Tooru Fujisawa <arai_a@mac.com> - Thu, 28 Apr 2022 14:52:45 +0000 - rev 615602
Push 161887 by arai_a@mac.com at Thu, 28 Apr 2022 14:55:08 +0000
Bug 1765750 - Part 2: Stop using global this in UrlClassifierListManager.jsm. r=gcp Depends on D144943 Differential Revision: https://phabricator.services.mozilla.com/D144944
daa0037cc772e164a883d8e67d09c28262c30015: Bug 1765750 - Part 1: Stop exposing the global this object in UrlClassifierLib.jsm. r=gcp
Tooru Fujisawa <arai_a@mac.com> - Thu, 28 Apr 2022 14:52:45 +0000 - rev 615601
Push 161887 by arai_a@mac.com at Thu, 28 Apr 2022 14:55:08 +0000
Bug 1765750 - Part 1: Stop exposing the global this object in UrlClassifierLib.jsm. r=gcp Differential Revision: https://phabricator.services.mozilla.com/D144943
09a4ccbe6d7407f68fc88fa57a385bf2e03ccf92: Bug 1766022: Add videocapturer* to the child process DLL blocklist. r=gcp
Bob Owen <bobowencode@gmail.com> - Fri, 22 Apr 2022 19:31:11 +0000 - rev 615146
Push 161577 by bobowencode@gmail.com at Fri, 22 Apr 2022 19:33:33 +0000
Bug 1766022: Add videocapturer* to the child process DLL blocklist. r=gcp This has been found to cause crashes when win32k lockdown is enabled. Differential Revision: https://phabricator.services.mozilla.com/D144459
4abd973f77d53c7ada1e663387fb2a837c44b912: Bug 1766033: Change win32k lockdown default to @IS_EARLY_BETA_OR_EARLIER@ to allow for staged rollout. r=gcp
Bob Owen <bobowencode@gmail.com> - Fri, 22 Apr 2022 17:56:50 +0000 - rev 615141
Push 161572 by bobowencode@gmail.com at Fri, 22 Apr 2022 17:59:12 +0000
Bug 1766033: Change win32k lockdown default to @IS_EARLY_BETA_OR_EARLIER@ to allow for staged rollout. r=gcp Differential Revision: https://phabricator.services.mozilla.com/D144456
d6c728f02fb429e97df61e19d3c749248ffe0364: Bug 1759196 - Fix the Linux sandbox's handling of 32-bit arguments on 64-bit platforms. r=gcp,bobowen
Jed Davis <jld@mozilla.com> - Fri, 22 Apr 2022 02:00:51 +0000 - rev 615069
Push 161525 by jedavis@mozilla.com at Fri, 22 Apr 2022 02:03:15 +0000
Bug 1759196 - Fix the Linux sandbox's handling of 32-bit arguments on 64-bit platforms. r=gcp,bobowen

Background: When 32-bit types are passed in registers on x86-64 (and probably other platforms?), the function call ABI does not specify the contents of the upper half, and the Linux kernel syscall ABI appears to have the same behavior. In practice, the upper half is usually zero (or maybe sign-extended from the lower half), because 64-bit operations aren't cheaper than 32-bit, and 32-bit operations zero-extend their outputs; therefore, this case usually doesn't happen in the first place, and any kind of spill or register move will zero the upper half. However, arbitrary values are possible, and a case like this has occurred with the Firefox profiler using `clock_gettime`. (This paragraph is applicable to x86-64 and ARM64; other 64-bit architectures may behave differently.)

But the Chromium seccomp-bpf compiler, when testing the value of a 32-bit argument on a 64-bit platform, requires that the value be zero-extended or sign-extended, and (incorrectly, as far as I can tell) considers anything else an ABI violation.

With this patch, when that case is detected, we use the `SIGSYS` handler to zero-extend the problematic argument and re-issue the syscall. (It would also be possible to just ignore the upper half, and that would be faster, but that could lead to subtle security holes if the type used in `bpf_dsl` is incorrect and the kernel really does treat it as 64-bit.)

Differential Revision: https://phabricator.services.mozilla.com/D143964
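The Bug 1759196 entry above describes two rules: which 64-bit register contents the seccomp-bpf compiler accepts for a 32-bit argument, and the repair of zero-extending only the offending argument before re-issuing the call. The block below is an added example of both, not Firefox's SIGSYS handler or Chromium's bpf_dsl; it is pure logic and installs no filter. The acceptance test follows the commit's wording (zero-extended or sign-extended); the parameter width table and the clock_gettime register values are assumptions of the example.

```c
/* Added example, not Firefox's or Chromium's sandbox code: the register view
 * a seccomp-bpf filter gets of a 32-bit syscall argument on a 64-bit
 * platform, the "zero- or sign-extended" acceptance rule the commit
 * describes, and the zero-extend-and-re-issue repair. Pure logic; no filter
 * is installed. Widths and sample values are assumptions of this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SYSCALL_ARGS 6

/* Parameter width as a bpf_dsl-style policy would declare it. */
enum arg_width { W64 = 0, W32 = 1 };

/* Accepts a 64-bit register only if it encodes a 32-bit value the way a
 * compiler normally leaves it: upper half zero, or upper half all ones with
 * bit 31 set (sign extension). Any other upper half is the case the commit
 * calls an "ABI violation". */
static bool is_extended_32(uint64_t reg) {
    uint32_t hi = (uint32_t)(reg >> 32);
    uint32_t lo = (uint32_t)reg;
    return hi == 0 || (hi == 0xffffffffu && (lo & 0x80000000u) != 0);
}

/* The repair path: for every argument declared 32-bit whose upper half is
 * garbage, zero-extend it in place. The caller (in Firefox, the SIGSYS trap
 * handler) then re-issues the syscall with the cleaned registers. Only
 * declared-32-bit arguments are touched: masking a parameter the kernel
 * really reads as 64 bits would change its meaning, which is the hole the
 * commit's parenthetical warns about. Returns how many arguments were
 * rewritten; 0 means the filter would have passed the call unchanged. */
static int repair_32bit_args(uint64_t args[SYSCALL_ARGS],
                             const enum arg_width widths[SYSCALL_ARGS]) {
    int fixed = 0;
    for (int i = 0; i < SYSCALL_ARGS; i++) {
        if (widths[i] != W32) continue;
        if (is_extended_32(args[i])) continue;
        args[i] &= 0xffffffffu;
        fixed++;
    }
    return fixed;
}

/* Worked case from the commit: clock_gettime(clockid_t clk, struct timespec *tp).
 * clk is 32-bit; tp is a pointer and must never be masked. Returns clk after
 * repair and, via n_fixed (may be NULL), how many arguments were rewritten. */
static uint64_t clock_gettime_repaired_clockid(uint64_t raw_clk, int *n_fixed) {
    uint64_t args[SYSCALL_ARGS] = { raw_clk, 0x00007ffd00001234ull, 0, 0, 0, 0 };
    static const enum arg_width widths[SYSCALL_ARGS] = { W32, W64, W64, W64, W64, W64 };
    int fixed = repair_32bit_args(args, widths);
    if (n_fixed) *n_fixed = fixed;
    return args[0];
}

/* Convenience: how many registers the repair had to rewrite for this clk. */
static int clock_gettime_rewrite_count(uint64_t raw_clk) {
    int n = 0;
    (void)clock_gettime_repaired_clockid(raw_clk, &n);
    return n;
}

int main(void) {
    const uint64_t cases[] = {
        0x0000000000000001ull,  /* CLOCK_MONOTONIC, zero-extended: accepted */
        0xffffffffffffffffull,  /* -1 sign-extended: accepted */
        0xdeadbeef00000001ull,  /* stale upper half, the profiler's case: repaired */
        0xffffffff00000001ull,  /* all-ones upper half but bit 31 clear: repaired */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int n = 0;
        uint64_t clk = clock_gettime_repaired_clockid(cases[i], &n);
        printf("reg=0x%016llx -> clk=0x%llx rewritten=%d\n",
               (unsigned long long)cases[i], (unsigned long long)clk, n);
    }
    return 0;
}
```

The width table is the load-bearing part: the repair is only safe for arguments the kernel truly reads as 32 bits, so a wrong entry there turns "zero-extend and retry" into silently rewriting a 64-bit value.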