| author | Coroiu Cristina <ccoroiu@mozilla.com> |
| Fri, 12 Oct 2018 21:00:41 +0300 | |
| changeset 441046 | 32af88ce76dab548742417a74be9a13043540143 |
| parent 441045 | a9cb7624c15de659ef31809a19bac825d46e4b18 |
| child 441047 | 7c1aecbca3ddeb55c60b943a123eb65a052f8594 |
| push id | 108898 |
| push user | aciure@mozilla.com |
| push date | Sat, 13 Oct 2018 09:41:13 +0000 |
| treeherder | mozilla-inbound@27ce80745049 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| bugs | 1488439 |
| milestone | 64.0a1 |
| backs out | 74b2087ee696eb7369b65727b81fc67121789f7d 85575fc37555213a204b8565bbadef7270edd19e |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/browser/app/profile/firefox.js +++ b/browser/app/profile/firefox.js @@ -1094,25 +1094,22 @@ pref("security.sandbox.content.syscall_w // broad list for now, has to be refined over time pref("security.sandbox.pledge.main", "stdio rpath wpath cpath inet proc exec prot_exec flock ps sendfd recvfd dns vminfo tty drm unix fattr getpw mcast"); #if defined(MOZ_CONTENT_SANDBOX) pref("security.sandbox.content.level", 1); pref("security.sandbox.pledge.content", "stdio rpath wpath cpath inet recvfd sendfd prot_exec unix drm ps"); #endif #endif -#if defined(MOZ_SANDBOX) -#if defined(MOZ_CONTENT_SANDBOX) +#if defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX) // ID (a UUID when set by gecko) that is used to form the name of a // sandbox-writable temporary directory to be used by content processes // when a temporary writable file is required in a level 1 sandbox. pref("security.sandbox.content.tempDirSuffix", ""); #endif -pref("security.sandbox.plugin.tempDirSuffix", ""); -#endif #if defined(MOZ_SANDBOX) // This pref determines if messages relevant to sandbox violations are // logged. #if defined(XP_WIN) || defined(XP_MACOSX) pref("security.sandbox.logging.enabled", false); #endif #endif
--- a/dom/plugins/ipc/FunctionBroker.h +++ b/dom/plugins/ipc/FunctionBroker.h @@ -284,18 +284,16 @@ inline bool ParameterEquality(const char * A type map _from_ the type of a parameter in the original function * we are brokering _to_ a type that we can marshal. We must be able * to Copy() the marshaled type using the parameter type. * The default maps from type T back to type T. */ template<typename OrigType> struct IPCTypeMap { typedef OrigType ipc_type; }; template<> struct IPCTypeMap<char*> { typedef nsDependentCSubstring ipc_type; }; template<> struct IPCTypeMap<const char*> { typedef nsDependentCSubstring ipc_type; }; -template<> struct IPCTypeMap<wchar_t*> { typedef nsString ipc_type; }; -template<> struct IPCTypeMap<const wchar_t*> { typedef nsString ipc_type; }; template<> struct IPCTypeMap<long> { typedef int32_t ipc_type; }; template<> struct IPCTypeMap<unsigned long> { typedef uint32_t ipc_type; }; #if defined(XP_WIN) template<> struct IPCTypeMap<PSecHandle> { typedef uint64_t ipc_type; }; template<> struct IPCTypeMap<PTimeStamp> { typedef uint64_t ipc_type; }; template<> struct IPCTypeMap<void*> { typedef uint64_t ipc_type; }; // HANDLEs template<> struct IPCTypeMap<HWND> { typedef NativeWindowHandle ipc_type; }; @@ -501,27 +499,16 @@ struct BaseEndpointHandler<CLIENT,SelfTy // In the client, we just bind to the caller's string if (aSrc) { aDest.Rebind(aSrc, strlen(aSrc)); } else { aDest.SetIsVoid(true); } } - inline static void Copy(nsString& aDest, wchar_t* const& aSrc) - { - if (aSrc) { - // We are using nsString as a "raw" container for a wchar_t string. We - // just use its data as a wchar_t* later (so the reinterpret_cast is safe). - aDest.Rebind(reinterpret_cast<char16_t*>(aSrc), wcslen(aSrc)); - } else { - aDest.SetIsVoid(true); - } - } - inline static void Copy(char*& aDest, const nsDependentCSubstring& aSrc) { MOZ_ASSERT_UNREACHABLE("Returning char* parameters is not yet suported."); } #if defined(XP_WIN) inline static void Copy(uint32_t& aDest, const LPDWORD& aSrc) { @@ -589,37 +576,16 @@ struct BaseEndpointHandler<SERVER, SelfT inline static void Copy(ServerCallData* aScd, const char*& aDest, const nsDependentCSubstring& aSrc) { char* nonConstDest; Copy(aScd, nonConstDest, aSrc); aDest = nonConstDest; } - inline static void Copy(ServerCallData* aScd, wchar_t*& aDest, const nsString& aSrc) - { - // Allocating the string with aScd means it will last during the server call - // and be freed when the call is complete. - MOZ_ASSERT(aScd); - if (aSrc.IsVoid()) { - aDest = nullptr; - return; - } - aScd->AllocateMemory((aSrc.Length() + 1)*sizeof(wchar_t), aDest); - memcpy(aDest, aSrc.Data(), aSrc.Length() * sizeof(wchar_t)); - aDest[aSrc.Length()] = L'\0'; - } - - inline static void Copy(ServerCallData* aScd, const wchar_t*& aDest, const nsString& aSrc) - { - wchar_t* nonConstDest; - Copy(aScd, nonConstDest, aSrc); - aDest = nonConstDest; - } - #if defined(XP_WIN) inline static void Copy(uint32_t& aDest, const LPDWORD& aSrc) { aDest = *aSrc; } inline static void Copy(LPDWORD& aDest, const uint32_t& aSrc) {
--- a/dom/plugins/ipc/FunctionBrokerIPCUtils.h +++ b/dom/plugins/ipc/FunctionBrokerIPCUtils.h @@ -43,17 +43,16 @@ enum FunctionHookId , ID_HttpEndRequestA , ID_InternetQueryOptionA , ID_InternetErrorDlg , ID_AcquireCredentialsHandleA , ID_QueryCredentialsAttributesA , ID_FreeCredentialsHandle , ID_PrintDlgW , ID_CreateMutexW - , ID_GetFileAttributesW , ID_FunctionHookCount #else // defined(XP_WIN) ID_FunctionHookCount #endif // defined(XP_WIN) }; // Max number of bytes to show when logging a blob of raw memory static const uint32_t MAX_BLOB_CHARS_TO_LOG = 12;
--- a/dom/plugins/ipc/FunctionHook.cpp +++ b/dom/plugins/ipc/FunctionHook.cpp @@ -6,17 +6,16 @@ #include "FunctionHook.h" #include "FunctionBroker.h" #include "nsClassHashtable.h" #include "mozilla/ClearOnShutdown.h" #if defined(XP_WIN) #include <shlobj.h> -#include "PluginModuleChild.h" #endif namespace mozilla { namespace plugins { StaticAutoPtr<FunctionHookArray> FunctionHook::sFunctionHooks; bool AlwaysHook(int) { return true; } @@ -304,66 +303,30 @@ void FunctionHook::HookProtectedMode() // Legacy code. Uses the nsWindowsDLLInterceptor directly instead of // using the FunctionHook sKernel32Intercept.Init("kernel32.dll"); MOZ_ASSERT(XRE_GetProcessType() == GeckoProcessType_Plugin); sCreateFileWStub.Set(sKernel32Intercept, "CreateFileW", &CreateFileWHookFn); sCreateFileAStub.Set(sKernel32Intercept, "CreateFileA", &CreateFileAHookFn); } -/* GetFileAttributesW */ - -typedef BasicFunctionHook<ID_GetFileAttributesW, decltype(GetFileAttributesW)> GetFileAttributesWFH; - -DWORD WINAPI GetFileAttributesWHook(LPCWSTR aFilename) -{ - MOZ_ASSERT(ID_GetFileAttributesW < FunctionHook::GetHooks()->Length()); - GetFileAttributesWFH* functionHook = - static_cast<GetFileAttributesWFH*>(FunctionHook::GetHooks()->ElementAt(ID_GetFileAttributesW)); - if (!functionHook->OriginalFunction()) { - NS_ASSERTION(FALSE, "Something is horribly wrong in GetFileAttributesWHook!"); - return FALSE; - } - - DWORD ret = functionHook->OriginalFunction()(aFilename); - if (ret != INVALID_FILE_ATTRIBUTES) { - return ret; - } - - // If aFilename is a parent of PluginModuleChild::GetFlashRoamingPath then - // assume it was blocked by the sandbox and just report it as a plain directory. - size_t len = wcslen(aFilename); - std::wstring roamingPath = PluginModuleChild::GetFlashRoamingPath(); - bool isParent = - (len > 0) && (aFilename[len - 1] == L'\\') && - (_wcsnicmp(aFilename, roamingPath.c_str(), len) == 0); - if (!isParent) { - return ret; - } - return FILE_ATTRIBUTE_DIRECTORY; -} - #endif // defined(XP_WIN) #define FUN_HOOK(x) static_cast<FunctionHook*>(x) void FunctionHook::AddFunctionHooks(FunctionHookArray& aHooks) { // We transfer ownership of the FunctionHook objects to the array. #if defined(XP_WIN) aHooks[ID_GetWindowInfo] = FUN_HOOK(new GetWindowInfoFH("user32.dll", "GetWindowInfo", &GetWindowInfo, &GetWindowInfoHook)); aHooks[ID_PrintDlgW] = FUN_HOOK(new PrintDlgWFH("comdlg32.dll", "PrintDlgW", &PrintDlgW, PrintDlgWHook)); - aHooks[ID_GetFileAttributesW] = - FUN_HOOK(new GetFileAttributesWFH("kernel32.dll", "GetFileAttributesW", - &GetFileAttributesW, - &GetFileAttributesWHook)); #endif // defined(XP_WIN) } #undef FUN_HOOK } // namespace plugins } // namespace mozilla
--- a/dom/plugins/ipc/IpdlTuple.h +++ b/dom/plugins/ipc/IpdlTuple.h @@ -34,23 +34,23 @@ public: const MaybeVariantType& GetVariant() const { return mValue; } private: MaybeVariantType mValue; }; #if defined(XP_WIN) typedef MaybeVariant<int8_t,uint8_t,int16_t,uint16_t,int32_t,uint32_t, - int64_t,uint64_t,nsCString,nsString,bool,OpenFileNameIPC, + int64_t,uint64_t,nsCString,bool,OpenFileNameIPC, OpenFileNameRetIPC,NativeWindowHandle, IPCSchannelCred,IPCInternetBuffers,StringArray, IPCPrintDlg> IpdlTupleElement; #else typedef MaybeVariant<int8_t,uint8_t,int16_t,uint16_t,int32_t,uint32_t, - int64_t,uint64_t,nsCString,nsString,bool> IpdlTupleElement; + int64_t,uint64_t,nsCString,bool> IpdlTupleElement; #endif // defined(XP_WIN) } // namespace internal } // namespace plugins } // namespace mozilla DECLARE_USE_COPY_CONSTRUCTORS(mozilla::plugins::internal::IpdlTupleElement)
--- a/dom/plugins/ipc/PluginModuleChild.cpp +++ b/dom/plugins/ipc/PluginModuleChild.cpp @@ -60,19 +60,16 @@ using namespace mozilla; using namespace mozilla::ipc; using namespace mozilla::plugins; using namespace mozilla::widget; #if defined(XP_WIN) const wchar_t * kFlashFullscreenClass = L"ShockwaveFlashFullScreen"; -#if defined(MOZ_SANDBOX) -std::wstring sRoamingPath; -#endif #endif namespace { // see PluginModuleChild::GetChrome() PluginModuleChild* gChromeInstance = nullptr; } // namespace #ifdef XP_WIN @@ -206,44 +203,24 @@ PluginModuleChild::RecvDisableFlashProte void PluginModuleChild::EnableFlashSandbox(int aLevel, bool aShouldEnableLogging) { mFlashSandboxLevel = aLevel; mEnableFlashSandboxLogging = aShouldEnableLogging; } #endif -#if defined(OS_WIN) && defined(MOZ_SANDBOX) -/* static */ void -PluginModuleChild::SetFlashRoamingPath(const std::wstring& aRoamingPath) -{ - MOZ_ASSERT(sRoamingPath.empty()); - sRoamingPath = aRoamingPath; -} - -/* static */ std::wstring -PluginModuleChild::GetFlashRoamingPath() -{ - return sRoamingPath; -} -#endif - bool PluginModuleChild::InitForChrome(const std::string& aPluginFilename, base::ProcessId aParentPid, MessageLoop* aIOLoop, IPC::Channel* aChannel) { NS_ASSERTION(aChannel, "need a channel"); -#if defined(OS_WIN) && defined(MOZ_SANDBOX) - MOZ_ASSERT(!sRoamingPath.empty(), - "Should have already called SetFlashRoamingPath"); -#endif - if (!InitGraphics()) return false; mPluginFilename = aPluginFilename.c_str(); nsCOMPtr<nsIFile> localFile; NS_NewLocalFile(NS_ConvertUTF8toUTF16(mPluginFilename), true, getter_AddRefs(localFile));
--- a/dom/plugins/ipc/PluginModuleChild.h +++ b/dom/plugins/ipc/PluginModuleChild.h @@ -120,23 +120,16 @@ protected: virtual mozilla::ipc::IPCResult AnswerModuleSupportsAsyncRender(bool* aResult) override; public: explicit PluginModuleChild(bool aIsChrome); virtual ~PluginModuleChild(); void CommonInit(); -#if defined(OS_WIN) && defined(MOZ_SANDBOX) - // Path to the roaming Flash Player folder. This is used to restore some - // behavior blocked by the sandbox. - static void SetFlashRoamingPath(const std::wstring& aRoamingPath); - static std::wstring GetFlashRoamingPath(); -#endif - // aPluginFilename is UTF8, not native-charset! bool InitForChrome(const std::string& aPluginFilename, base::ProcessId aParentPid, MessageLoop* aIOLoop, IPC::Channel* aChannel); bool InitForContent(Endpoint<PPluginModuleChild>&& aEndpoint);
--- a/dom/plugins/ipc/PluginProcessChild.cpp +++ b/dom/plugins/ipc/PluginProcessChild.cpp @@ -24,45 +24,28 @@ // An undocumented CoreGraphics framework method, present in the same form // since at least OS X 10.5. extern "C" CGError CGSSetDebugOptions(int options); #endif #ifdef XP_WIN #if defined(MOZ_SANDBOX) #include "mozilla/sandboxTarget.h" -#include "ProcessUtils.h" -#include "nsDirectoryService.h" #endif #endif using mozilla::ipc::IOThreadChild; #ifdef OS_WIN #include <algorithm> #endif namespace mozilla { namespace plugins { -#if defined(XP_WIN) && defined(MOZ_SANDBOX) -static void -SetSandboxTempPath(const std::wstring& aFullTmpPath) -{ - // Save the TMP environment variable so that is is picked up by GetTempPath(). - // Note that we specifically write to the TMP variable, as that is the first - // variable that is checked by GetTempPath() to determine its output. - Unused << NS_WARN_IF(!SetEnvironmentVariableW(L"TMP", aFullTmpPath.c_str())); - - // We also set TEMP in case there is naughty third-party code that is - // referencing the environment variable directly. - Unused << NS_WARN_IF(!SetEnvironmentVariableW(L"TEMP", aFullTmpPath.c_str())); -} -#endif - bool PluginProcessChild::Init(int aArgc, char* aArgv[]) { nsDebugImpl::SetMultiprocessMode("NPAPI"); #if defined(XP_MACOSX) // Remove the trigger for "dyld interposing" that we added in // GeckoChildProcessHost::PerformAsyncLaunch(), in the host @@ -131,39 +114,27 @@ PluginProcessChild::Init(int aArgc, char } #endif #elif defined(OS_WIN) std::vector<std::wstring> values = CommandLine::ForCurrentProcess()->GetLooseValues(); MOZ_ASSERT(values.size() >= 1, "not enough loose args"); - // parameters are: - // values[0] is path to plugin DLL - // values[1] is path to folder that should be used for temp files - // values[2] is path to the Flash Player roaming folder - // (this is always that Flash folder, regardless of what plugin is being run) pluginFilename = WideToUTF8(values[0]); // We don't initialize XPCOM but we need the thread manager and the // logging framework for the FunctionBroker. NS_SetMainThread(); mozilla::TimeStamp::Startup(); NS_LogInit(); mozilla::LogModule::Init(aArgc, aArgv); nsThreadManager::get().Init(); #if defined(MOZ_SANDBOX) - MOZ_ASSERT(values.size() >= 3, "not enough loose args for sandboxed plugin process"); - - // The sandbox closes off the default location temp file location so we set - // a new one here (regardless of whether or not we are sandboxing). - SetSandboxTempPath(values[1]); - PluginModuleChild::SetFlashRoamingPath(values[2]); - // This is probably the earliest we would want to start the sandbox. // As we attempt to tighten the sandbox, we may need to consider moving this // to later in the plugin initialization. mozilla::SandboxTarget::Instance()->StartSandbox(); #endif #else # error Sorry #endif
--- a/dom/plugins/ipc/PluginProcessParent.cpp +++ b/dom/plugins/ipc/PluginProcessParent.cpp @@ -4,21 +4,16 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "mozilla/plugins/PluginProcessParent.h" #include "base/string_util.h" #include "base/process_util.h" -#include "nsAppDirectoryServiceDefs.h" -#include "nsDirectoryServiceDefs.h" -#include "nsIProperties.h" -#include "nsServiceManagerUtils.h" - #include "mozilla/ipc/BrowserProcessSubThread.h" #include "mozilla/plugins/PluginMessageUtils.h" #include "mozilla/Telemetry.h" #include "nsThreadUtils.h" using std::vector; using std::string; @@ -88,50 +83,16 @@ PluginProcessParent::Launch(mozilla::Uni #if defined(XP_MACOSX) && defined(MOZ_SANDBOX) if (aSandboxLevel > 0) { args.push_back("-flashSandboxLevel"); args.push_back(std::to_string(aSandboxLevel)); if (aIsSandboxLoggingEnabled) { args.push_back("-flashSandboxLogging"); } } -#elseif defined(XP_WIN) && defined(MOZ_SANDBOX) - nsresult rv; - nsCOMPtr<nsIProperties> dirSvc = - do_GetService(NS_DIRECTORY_SERVICE_CONTRACTID, &rv); - if (NS_FAILED(rv)) { - MOZ_ASSERT(false, "Failed to get directory service."); - return false; - } - - nsCOMPtr<nsIFile> dir; - rv = - dirSvc->Get(NS_APP_PLUGIN_PROCESS_TEMP_DIR, NS_GET_IID(nsIFile), - getter_AddRefs(dir)); - if (NS_FAILED(rv)) { - NS_WARNING("Failed to get plugin process temp directory."); - return false; - } - - nsAutoString tempDir; - MOZ_ALWAYS_SUCCEEDS(dir->GetPath(tempDir)); - args.push_back(NS_ConvertUTF16toUTF8(tempDir).get()); - - rv = - dirSvc->Get(NS_WIN_APPDATA_DIR, NS_GET_IID(nsIFile), - getter_AddRefs(dir)); - if (NS_FAILED(rv)) { - NS_WARNING("Failed to get appdata directory."); - return false; - } - - nsAutoString appdataDir; - MOZ_ALWAYS_SUCCEEDS(dir->GetPath(appdataDir)); - appdataDir.Append(L"\\Adobe\\"); - args.push_back(NS_ConvertUTF16toUTF8(appdataDir).get()); #endif bool result = AsyncLaunch(args); if (!result) { mLaunchCompleteTask = nullptr; } return result; }
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp +++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp @@ -39,17 +39,16 @@ sandbox::BrokerServices *SandboxBroker:: // fundamental things when running from a network drive. We default to false in // case those checks fail as that gives us the strongest policy. bool SandboxBroker::sRunningFromNetworkDrive = false; // Cached special directories used for adding policy rules. static UniquePtr<nsString> sBinDir; static UniquePtr<nsString> sProfileDir; static UniquePtr<nsString> sContentTempDir; -static UniquePtr<nsString> sPluginTempDir; static UniquePtr<nsString> sRoamingAppDataDir; static UniquePtr<nsString> sLocalAppDataDir; static UniquePtr<nsString> sUserExtensionsDevDir; #ifdef ENABLE_SYSTEM_EXTENSION_DIRS static UniquePtr<nsString> sUserExtensionsDir; #endif // Cached prefs which are needed off main thread. @@ -111,17 +110,16 @@ SandboxBroker::GeckoDependentInitialize( MOZ_ASSERT(false, "Failed to get directory service, cannot cache directories for rules."); LOG_E("Failed to get directory service, cannot cache directories for rules."); return; } CacheDirAndAutoClear(dirSvc, NS_GRE_DIR, &sBinDir); CacheDirAndAutoClear(dirSvc, NS_APP_USER_PROFILE_50_DIR, &sProfileDir); CacheDirAndAutoClear(dirSvc, NS_APP_CONTENT_PROCESS_TEMP_DIR, &sContentTempDir); - CacheDirAndAutoClear(dirSvc, NS_APP_PLUGIN_PROCESS_TEMP_DIR, &sPluginTempDir); CacheDirAndAutoClear(dirSvc, NS_WIN_APPDATA_DIR, &sRoamingAppDataDir); CacheDirAndAutoClear(dirSvc, NS_WIN_LOCAL_APPDATA_DIR, &sLocalAppDataDir); CacheDirAndAutoClear(dirSvc, XRE_USER_SYS_EXTENSION_DEV_DIR, &sUserExtensionsDevDir); #ifdef ENABLE_SYSTEM_EXTENSION_DIRS CacheDirAndAutoClear(dirSvc, XRE_USER_SYS_EXTENSION_DIR, &sUserExtensionsDir); #endif // Create sLaunchErrors up front because ClearOnShutdown must be called on the @@ -696,16 +694,21 @@ SandboxBroker::SetSecurityLevelForPlugin delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW; } else { jobLevel = sandbox::JOB_NONE; accessTokenLevel = sandbox::USER_NON_ADMIN; initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_MEDIUM; delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_MEDIUM; } +#ifndef NIGHTLY_BUILD + // We are experimenting with using restricting SIDs in the nightly builds + mPolicy->SetDoNotUseRestrictingSIDs(); +#endif + sandbox::ResultCode result = SetJobLevel(mPolicy, jobLevel, 0 /* ui_exceptions */); SANDBOX_ENSURE_SUCCESS(result, "Setting job level failed, have you set memory limit when jobLevel == JOB_NONE?"); result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS, accessTokenLevel); SANDBOX_ENSURE_SUCCESS(result, @@ -741,25 +744,16 @@ SandboxBroker::SetSecurityLevelForPlugin sandbox::MitigationFlags delayedMitigations = sandbox::MITIGATION_DLL_SEARCH_ORDER; result = mPolicy->SetDelayedProcessMitigations(delayedMitigations); SANDBOX_ENSURE_SUCCESS(result, "Invalid flags for SetDelayedProcessMitigations."); -#ifndef NIGHTLY_BUILD - // We are experimenting with using restricting SIDs in the nightly builds - mPolicy->SetDoNotUseRestrictingSIDs(); -#else - // Add rule to allow read / write access to a special plugin temp dir. - AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_ANY, - sPluginTempDir, NS_LITERAL_STRING("\\*")); -#endif - if (aSandboxLevel >= 2) { // Level 2 and above uses low integrity, so we need to give write access to // the Flash directories. AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_ANY, sRoamingAppDataDir, NS_LITERAL_STRING("\\Macromedia\\Flash Player\\*")); AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_ANY, sLocalAppDataDir,
--- a/toolkit/xre/nsXREDirProvider.cpp +++ b/toolkit/xre/nsXREDirProvider.cpp @@ -77,21 +77,21 @@ #define APP_REGISTRY_NAME "registry.dat" #else #define APP_REGISTRY_NAME "appreg" #endif #define PREF_OVERRIDE_DIRNAME "preferences" #if defined(MOZ_CONTENT_SANDBOX) -static already_AddRefed<nsIFile> GetProcessSandboxTempDir(GeckoProcessType type); +static already_AddRefed<nsIFile> GetContentProcessSandboxTempDir(); static nsresult DeleteDirIfExists(nsIFile *dir); static bool IsContentSandboxDisabled(); -static const char* GetProcessTempBaseDirKey(); -static already_AddRefed<nsIFile> CreateProcessSandboxTempDir(GeckoProcessType procType); +static const char* GetContentProcessTempBaseDirKey(); +static already_AddRefed<nsIFile> CreateContentProcessSandboxTempDir(); #endif nsXREDirProvider* gDirServiceProvider = nullptr; nsIFile* gDataDirHomeLocal = nullptr; nsIFile* gDataDirHome = nullptr; // These are required to allow nsXREDirProvider to be usable in xpcshell tests. // where gAppData is null. @@ -521,25 +521,17 @@ nsXREDirProvider::GetFile(const char* aP } #if defined(MOZ_CONTENT_SANDBOX) else if (!strcmp(aProperty, NS_APP_CONTENT_PROCESS_TEMP_DIR)) { if (!mContentTempDir && NS_FAILED((rv = LoadContentProcessTempDir()))) { return rv; } rv = mContentTempDir->Clone(getter_AddRefs(file)); } -#endif // defined(MOZ_CONTENT_SANDBOX) -#if defined(MOZ_SANDBOX) - else if (0 == strcmp(aProperty, NS_APP_PLUGIN_PROCESS_TEMP_DIR)) { - if (!mPluginTempDir && NS_FAILED((rv = LoadPluginProcessTempDir()))) { - return rv; - } - rv = mPluginTempDir->Clone(getter_AddRefs(file)); - } -#endif // defined(MOZ_SANDBOX) +#endif // defined(XP_WIN) && defined(MOZ_CONTENT_SANDBOX) else if (NS_SUCCEEDED(GetProfileStartupDir(getter_AddRefs(file)))) { // We need to allow component, xpt, and chrome registration to // occur prior to the profile-after-change notification. if (!strcmp(aProperty, NS_APP_USER_CHROME_DIR)) { rv = file->AppendNative(NS_LITERAL_CSTRING("chrome")); } } @@ -669,47 +661,42 @@ nsXREDirProvider::GetFiles(const char* a rv = NS_NewUnionEnumerator(aResult, appEnum, xreEnum); if (NS_FAILED(rv)) return rv; return NS_SUCCESS_AGGREGATE_RESULT; } -#if defined(MOZ_SANDBOX) +#if defined(MOZ_CONTENT_SANDBOX) static const char* -GetProcessTempBaseDirKey() +GetContentProcessTempBaseDirKey() { #if defined(XP_WIN) return NS_WIN_LOW_INTEGRITY_TEMP_BASE; #else return NS_OS_TEMP_DIR; #endif } -#if defined(MOZ_CONTENT_SANDBOX) // // Sets mContentTempDir so that it refers to the appropriate temp dir. // If the sandbox is enabled, NS_APP_CONTENT_PROCESS_TEMP_DIR, otherwise // NS_OS_TEMP_DIR is used. // nsresult nsXREDirProvider::LoadContentProcessTempDir() { // The parent is responsible for creating the sandbox temp dir. if (XRE_IsParentProcess()) { - mContentProcessSandboxTempDir = - CreateProcessSandboxTempDir(GeckoProcessType_Content); + mContentProcessSandboxTempDir = CreateContentProcessSandboxTempDir(); mContentTempDir = mContentProcessSandboxTempDir; } else { - mContentTempDir = - !IsContentSandboxDisabled() ? - GetProcessSandboxTempDir(GeckoProcessType_Content) : - nullptr; + mContentTempDir = GetContentProcessSandboxTempDir(); } if (!mContentTempDir) { nsresult rv = NS_GetSpecialDirectory(NS_OS_TEMP_DIR, getter_AddRefs(mContentTempDir)); if (NS_WARN_IF(NS_FAILED(rv))) { return rv; } @@ -721,127 +708,76 @@ nsXREDirProvider::LoadContentProcessTemp // reject those rules. if (!mozilla::widget::WinUtils::ResolveJunctionPointsAndSymLinks(mContentTempDir)) { NS_WARNING("Failed to resolve Content Temp Dir."); } #endif return NS_OK; } -#endif - -// -// Sets mPluginTempDir so that it refers to the appropriate temp dir. -// If NS_APP_PLUGIN_PROCESS_TEMP_DIR fails for any reason, NS_OS_TEMP_DIR -// is used. -// -nsresult -nsXREDirProvider::LoadPluginProcessTempDir() -{ - // The parent is responsible for creating the sandbox temp dir. - if (XRE_IsParentProcess()) { - mPluginProcessSandboxTempDir = - CreateProcessSandboxTempDir(GeckoProcessType_Plugin); - mPluginTempDir = mPluginProcessSandboxTempDir; - } else { - MOZ_ASSERT(XRE_IsPluginProcess()); - mPluginTempDir = GetProcessSandboxTempDir(GeckoProcessType_Plugin); - } - - if (!mPluginTempDir) { - nsresult rv = NS_GetSpecialDirectory(NS_OS_TEMP_DIR, - getter_AddRefs(mPluginTempDir)); - if (NS_WARN_IF(NS_FAILED(rv))) { - return rv; - } - } - -#if defined(XP_WIN) - // The temp dir is used in sandbox rules, so we need to make sure - // it doesn't contain any junction points or symlinks or the sandbox will - // reject those rules. - if (!mozilla::widget::WinUtils::ResolveJunctionPointsAndSymLinks(mPluginTempDir)) { - NS_WARNING("Failed to resolve plugin temp dir."); - } -#endif - - return NS_OK; -} static bool IsContentSandboxDisabled() { return !BrowserTabsRemoteAutostart() || (!IsContentSandboxEnabled()); } // -// If a process sandbox temp dir is to be used, returns an nsIFile -// for the directory. Returns null if an error occurs. +// If a content process sandbox temp dir is to be used, returns an nsIFile +// for the directory. Returns null if the content sandbox is disabled or +// an error occurs. // static already_AddRefed<nsIFile> -GetProcessSandboxTempDir(GeckoProcessType type) +GetContentProcessSandboxTempDir() { + if (IsContentSandboxDisabled()) { + return nullptr; + } + nsCOMPtr<nsIFile> localFile; - nsresult rv = NS_GetSpecialDirectory(GetProcessTempBaseDirKey(), + nsresult rv = NS_GetSpecialDirectory(GetContentProcessTempBaseDirKey(), getter_AddRefs(localFile)); if (NS_WARN_IF(NS_FAILED(rv))) { return nullptr; } - MOZ_ASSERT((type == GeckoProcessType_Content) || - (type == GeckoProcessType_Plugin)); - - const char* prefKey = - (type == GeckoProcessType_Content) ? - "security.sandbox.content.tempDirSuffix" : - "security.sandbox.plugin.tempDirSuffix"; - nsAutoString tempDirSuffix; - rv = Preferences::GetString(prefKey, tempDirSuffix); + rv = Preferences::GetString("security.sandbox.content.tempDirSuffix", + tempDirSuffix); if (NS_WARN_IF(NS_FAILED(rv)) || tempDirSuffix.IsEmpty()) { return nullptr; } rv = localFile->Append(NS_LITERAL_STRING("Temp-") + tempDirSuffix); if (NS_WARN_IF(NS_FAILED(rv))) { return nullptr; } return localFile.forget(); } // -// Create a temporary directory for use from sandboxed processes. +// Create a temporary directory for use from sandboxed content processes. // Only called in the parent. The path is derived from a UUID stored in a -// pref which is available to content and plugin processes. Returns null -// if the content sandbox is disabled or if an error occurs. +// pref which is available to content processes. Returns null if the +// content sandbox is disabled or if an error occurs. // static already_AddRefed<nsIFile> -CreateProcessSandboxTempDir(GeckoProcessType procType) +CreateContentProcessSandboxTempDir() { -#if defined(MOZ_CONTENT_SANDBOX) - if ((procType == GeckoProcessType_Content) && - IsContentSandboxDisabled()) { + if (IsContentSandboxDisabled()) { return nullptr; } -#endif - - MOZ_ASSERT((procType == GeckoProcessType_Content) || - (procType == GeckoProcessType_Plugin)); // Get (and create if blank) temp directory suffix pref. - const char* pref = - (procType == GeckoProcessType_Content) ? - "security.sandbox.content.tempDirSuffix" : - "security.sandbox.plugin.tempDirSuffix"; - nsresult rv; nsAutoString tempDirSuffix; - Preferences::GetString(pref, tempDirSuffix); + Preferences::GetString("security.sandbox.content.tempDirSuffix", + tempDirSuffix); if (tempDirSuffix.IsEmpty()) { nsCOMPtr<nsIUUIDGenerator> uuidgen = do_GetService("@mozilla.org/uuid-generator;1", &rv); if (NS_WARN_IF(NS_FAILED(rv))) { return nullptr; } nsID uuid; @@ -855,17 +791,18 @@ CreateProcessSandboxTempDir(GeckoProcess tempDirSuffix.AssignASCII(uuidChars, NSID_LENGTH); #ifdef XP_UNIX // Braces in a path are somewhat annoying to deal with // and pretty alien on Unix tempDirSuffix.StripChars(u"{}"); #endif // Save the pref - rv = Preferences::SetString(pref, tempDirSuffix); + rv = Preferences::SetString("security.sandbox.content.tempDirSuffix", + tempDirSuffix); if (NS_WARN_IF(NS_FAILED(rv))) { // If we fail to save the pref we don't want to create the temp dir, // because we won't be able to clean it up later. return nullptr; } nsCOMPtr<nsIPrefService> prefsvc = Preferences::GetService(); if (!prefsvc || NS_FAILED((rv = prefsvc->SavePrefFile(nullptr)))) { @@ -874,17 +811,17 @@ CreateProcessSandboxTempDir(GeckoProcess // the preference values allows an off main thread save, the successful // return from the call doesn't mean we actually saved the file. See // bug 1364496 for details. NS_WARNING("Failed to save pref file, cannot create temp dir."); return nullptr; } } - nsCOMPtr<nsIFile> sandboxTempDir = GetProcessSandboxTempDir(procType); + nsCOMPtr<nsIFile> sandboxTempDir = GetContentProcessSandboxTempDir(); if (!sandboxTempDir) { NS_WARNING("Failed to determine sandbox temp dir path."); return nullptr; } // Remove the directory. It may exist due to a previous crash. if (NS_FAILED(DeleteDirIfExists(sandboxTempDir))) { NS_WARNING("Failed to reset sandbox temp dir."); @@ -912,17 +849,17 @@ DeleteDirIfExists(nsIFile* dir) if (NS_FAILED(rv) && rv != NS_ERROR_FILE_NOT_FOUND && rv != NS_ERROR_FILE_TARGET_DOES_NOT_EXIST) { return rv; } } return NS_OK; } -#endif // defined(MOZ_SANDBOX) +#endif // defined(MOZ_CONTENT_SANDBOX) static const char *const kAppendPrefDir[] = { "defaults", "preferences", nullptr }; #ifdef DEBUG_bsmedberg static void DumpFileArray(const char *key, nsCOMArray<nsIFile> dirs) { @@ -1133,21 +1070,16 @@ nsXREDirProvider::DoStartup() #if defined(MOZ_CONTENT_SANDBOX) // Makes sure the content temp dir has been loaded if it hasn't been // already. In the parent this ensures it has been created before we attempt // to start any content processes. if (!mContentTempDir) { mozilla::Unused << NS_WARN_IF(NS_FAILED(LoadContentProcessTempDir())); } #endif -#if defined(MOZ_SANDBOX) - if (!mPluginTempDir) { - mozilla::Unused << NS_WARN_IF(NS_FAILED(LoadPluginProcessTempDir())); - } -#endif } return NS_OK; } void nsXREDirProvider::DoShutdown() { AUTO_PROFILER_LABEL("nsXREDirProvider::DoShutdown", OTHER); @@ -1170,24 +1102,21 @@ nsXREDirProvider::DoShutdown() obsSvc->NotifyObservers(nullptr, "profile-before-change", kShutdownPersist); obsSvc->NotifyObservers(nullptr, "profile-before-change-qm", kShutdownPersist); obsSvc->NotifyObservers(nullptr, "profile-before-change-telemetry", kShutdownPersist); } mProfileNotified = false; } +#if defined(MOZ_CONTENT_SANDBOX) if (XRE_IsParentProcess()) { -#if defined(MOZ_CONTENT_SANDBOX) Unused << DeleteDirIfExists(mContentProcessSandboxTempDir); + } #endif -#if defined(MOZ_SANDBOX) - Unused << DeleteDirIfExists(mPluginProcessSandboxTempDir); -#endif - } } #ifdef XP_WIN static nsresult GetShellFolderPath(KNOWNFOLDERID folder, nsAString& _retval) { DWORD flags = KF_FLAG_SIMPLE_IDLIST | KF_FLAG_DONT_VERIFY | KF_FLAG_NO_ALIAS; PWSTR path = nullptr;
--- a/toolkit/xre/nsXREDirProvider.h +++ b/toolkit/xre/nsXREDirProvider.h @@ -124,19 +124,16 @@ protected: // Internal helper that splits a path into components using the '/' and '\\' // delimiters. static inline nsresult AppendProfileString(nsIFile* aFile, const char* aPath); #if defined(MOZ_CONTENT_SANDBOX) // Load the temp directory for sandboxed content processes nsresult LoadContentProcessTempDir(); #endif -#if defined(MOZ_SANDBOX) - nsresult LoadPluginProcessTempDir(); -#endif void Append(nsIFile* aDirectory); nsCOMPtr<nsIDirectoryServiceProvider> mAppProvider; // On OSX, mGREDir points to .app/Contents/Resources nsCOMPtr<nsIFile> mGREDir; // On OSX, mGREBinDir points to .app/Contents/MacOS nsCOMPtr<nsIFile> mGREBinDir; @@ -145,16 +142,12 @@ protected: nsCOMPtr<nsIFile> mProfileDir; nsCOMPtr<nsIFile> mProfileLocalDir; bool mProfileNotified; bool mPrefsInitialized = false; #if defined(MOZ_CONTENT_SANDBOX) nsCOMPtr<nsIFile> mContentTempDir; nsCOMPtr<nsIFile> mContentProcessSandboxTempDir; #endif -#if defined(MOZ_SANDBOX) - nsCOMPtr<nsIFile> mPluginTempDir; - nsCOMPtr<nsIFile> mPluginProcessSandboxTempDir; -#endif nsCOMArray<nsIFile> mAppBundleDirectories; }; #endif
--- a/xpcom/io/nsAppDirectoryServiceDefs.h +++ b/xpcom/io/nsAppDirectoryServiceDefs.h @@ -98,17 +98,11 @@ // // At present, all sandboxed content processes use the same directory for // NS_APP_CONTENT_PROCESS_TEMP_DIR, but that should not be relied upon. // #define NS_APP_CONTENT_PROCESS_TEMP_DIR "ContentTmpD" #else // Otherwise NS_APP_CONTENT_PROCESS_TEMP_DIR must match NS_OS_TEMP_DIR. #define NS_APP_CONTENT_PROCESS_TEMP_DIR "TmpD" -#endif // defined(MOZ_CONTENT_SANDBOX) - -#if defined(MOZ_SANDBOX) -#define NS_APP_PLUGIN_PROCESS_TEMP_DIR "PluginTmpD" -#else -#define NS_APP_PLUGIN_PROCESS_TEMP_DIR "TmpD" -#endif +#endif // (defined(XP_WIN) || defined(XP_MACOSX)) && defined(MOZ_CONTENT_SANDBOX) #endif // nsAppDirectoryServiceDefs_h___