Bug 1412090 - patch 3 - Check the sandbox policy to verify font files will be readable by the content process before including them in the system font list. r=gps
☠☠ backed out by df53224b9171 ☠ ☠
authorJonathan Kew <jkew@mozilla.com>
Sun, 05 Nov 2017 08:42:25 +0000
changeset 390222 a1c1fe33a052ac9ff96fbbe389f53687d25e2afc
parent 390221 bf35d13e27f392dc5dcdab3e7755c69b632f46ab
child 390223 f9763adebe6847072575978df2f8e010d790b083
push id96994
push userjkew@mozilla.com
push dateSun, 05 Nov 2017 08:44:44 +0000
reviewersgps
bugs1412090
milestone58.0a1
Bug 1412090 - patch 3 - Check the sandbox policy to verify font files will be readable by the content process before including them in the system font list. r=gps
gfx/thebes/gfxFcPlatformFontList.cpp
gfx/thebes/gfxFcPlatformFontList.h
--- a/gfx/thebes/gfxFcPlatformFontList.cpp
+++ b/gfx/thebes/gfxFcPlatformFontList.cpp
@@ -35,16 +35,21 @@
 #include <gdk/gdk.h>
 #include "gfxPlatformGtk.h"
 #endif
 
 #ifdef MOZ_X11
 #include "mozilla/X11Util.h"
 #endif
 
+#ifdef MOZ_CONTENT_SANDBOX
+#include "mozilla/SandboxBrokerPolicyFactory.h"
+#include "mozilla/SandboxSettings.h"
+#endif
+
 using namespace mozilla;
 using namespace mozilla::gfx;
 using namespace mozilla::unicode;
 
 using mozilla::dom::SystemFontListEntry;
 using mozilla::dom::FontPatternListEntry;
 
 #ifndef FC_POSTSCRIPT_NAME
@@ -1304,17 +1309,19 @@ gfxFcPlatformFontList::~gfxFcPlatformFon
 {
     if (mCheckFontUpdatesTimer) {
         mCheckFontUpdatesTimer->Cancel();
         mCheckFontUpdatesTimer = nullptr;
     }
 }
 
 void
-gfxFcPlatformFontList::AddFontSetFamilies(FcFontSet* aFontSet, bool aAppFonts)
+gfxFcPlatformFontList::AddFontSetFamilies(FcFontSet* aFontSet,
+                                          const SandboxPolicy* aPolicy,
+                                          bool aAppFonts)
 {
     // This iterates over the fonts in a font set and adds in gfxFontFamily
     // objects for each family. Individual gfxFontEntry objects for each face
     // are not created here; the patterns are just stored in the family. When
     // a family is actually used, it will be populated with gfxFontEntry
     // records and the patterns moved to those.
 
     if (!aFontSet) {
@@ -1333,19 +1340,24 @@ gfxFcPlatformFontList::AddFontSetFamilie
         FcChar8* path;
         if (FcPatternGetString(pattern, FC_FILE, 0, &path) != FcResultMatch) {
             continue;
         }
         if (access(reinterpret_cast<const char*>(path), F_OK | R_OK) != 0) {
             continue;
         }
 
-        // TODO:
-        // Verify that /path/ will be readable with the content-process sandbox
-        // rules; any blocked fonts must not be included in the font list.
+#ifdef MOZ_CONTENT_SANDBOX
+        // Skip any fonts that will be blocked by the content-process sandbox
+        // policy.
+        if (aPolicy && !(aPolicy->Lookup(reinterpret_cast<const char*>(path)) &
+                         SandboxBroker::Perms::MAY_READ)) {
+            continue;
+        }
+#endif
 
         AddPatternToFontList(pattern, lastFamilyName,
                              familyName, fontFamily, aAppFonts);
     }
 }
 
 void
 gfxFcPlatformFontList::AddPatternToFontList(FcPattern* aFont,
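Review bot: The added check on lines 91–94 is fail-open by construction — when aPolicy is null every font passes — and nothing in the hunk records that a null policy is the intended "no sandbox in effect" signal rather than an error the caller forgot to handle; a comment above the `#ifdef`, `// A null aPolicy means no content-sandbox policy applies; keep every readable font.`, would pin that contract. The lookup is done on the literal FC_FILE string; if SandboxBroker::Policy::Lookup and the broker's runtime decision differ in how they treat symlinked or non-canonical paths, a font could be accepted here and still be refused in the content process (or the reverse), which is worth confirming against the broker implementation. `reinterpret_cast<const char*>(path)` now appears twice in the loop body; hoisting it into `const char* filePath = reinterpret_cast<const char*>(path);` after the FcPatternGetString call would read more cleanly. AddFontSetFamilies begins before this hunk.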
@@ -1456,23 +1468,35 @@ gfxFcPlatformFontList::InitFontListForPl
                       "%u faces in %u families",
                       (unsigned)fontList.Length(), mFontFamilies.Count()));
 
         return NS_OK;
     }
 
     mLastConfig = FcConfigGetCurrent();
 
+    UniquePtr<SandboxPolicy> policy;
+
+#ifdef MOZ_CONTENT_SANDBOX
+    // Create a temporary SandboxPolicy to check font paths; use a fake PID
+    // to avoid picking up any PID-specific rules by accident.
+    SandboxBrokerPolicyFactory policyFactory;
+    if (GetEffectiveContentSandboxLevel() > 0 &&
+        !PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
+        policy = policyFactory.GetContentPolicy(-1, false);
+    }
+#endif
+
     // iterate over available fonts
     FcFontSet* systemFonts = FcConfigGetFonts(nullptr, FcSetSystem);
-    AddFontSetFamilies(systemFonts, /* aAppFonts = */ false);
+    AddFontSetFamilies(systemFonts, policy.get(), /* aAppFonts = */ false);
 
 #ifdef MOZ_BUNDLED_FONTS
     FcFontSet* appFonts = FcConfigGetFonts(nullptr, FcSetApplication);
-    AddFontSetFamilies(appFonts, /* aAppFonts = */ true);
+    AddFontSetFamilies(appFonts, policy.get(), /* aAppFonts = */ true);
 #endif
 
     mOtherFamilyNamesInitialized = true;
 
     return NS_OK;
 }
 
 void
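Review bot: `UniquePtr<SandboxPolicy> policy;` on line 113 is declared outside the `#ifdef MOZ_CONTENT_SANDBOX`, yet in a non-sandbox build SandboxPolicy is only the forward-declared dummy struct from the header, so the UniquePtr destructor that runs at the end of InitFontListForPlatform is instantiated against an incomplete type; unless the deleter tolerates that, such builds will not compile, and it is simpler to keep the owning pointer inside the `#ifdef` and hand the two AddFontSetFamilies calls a plain `const SandboxPolicy*` declared outside it, as sketched below. The explicit `PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")` test on line 120 is presumably already folded into GetEffectiveContentSandboxLevel(); if so it is redundant, and if not the two conditions can disagree with what the content process actually enforces. The fake-PID comment is helpful, but it would also be worth noting that this parent-side filtering only approximates the broker's runtime decision, so a mismatch shows up as a font silently missing from the content list rather than as an error. InitFontListForPlatform begins before this hunk.
```cpp
    // Non-owning view of the policy; stays null when no sandbox applies.
    const SandboxPolicy* policyPtr = nullptr;

#ifdef MOZ_CONTENT_SANDBOX
    // … unchanged: comment on the fake PID …
    SandboxBrokerPolicyFactory policyFactory;
    UniquePtr<SandboxPolicy> policy;
    if (GetEffectiveContentSandboxLevel() > 0 &&
        !PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
        policy = policyFactory.GetContentPolicy(-1, false);
        policyPtr = policy.get();
    }
#endif

    // … unchanged: FcConfigGetFonts calls …
    AddFontSetFamilies(systemFonts, policyPtr, /* aAppFonts = */ false);
    // … unchanged: MOZ_BUNDLED_FONTS block, with policyPtr passed likewise …
```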
--- a/gfx/thebes/gfxFcPlatformFontList.h
+++ b/gfx/thebes/gfxFcPlatformFontList.h
@@ -16,16 +16,20 @@
 
 #include <fontconfig/fontconfig.h>
 #include "ft2build.h"
 #include FT_FREETYPE_H
 #include FT_TRUETYPE_TABLES_H
 #include <cairo.h>
 #include <cairo-ft.h>
 
+#ifdef MOZ_CONTENT_SANDBOX
+#include "mozilla/SandboxBroker.h"
+#endif
+
 namespace mozilla {
     namespace dom {
         class SystemFontListEntry;
     };
 };
 
 template <>
 class nsAutoRefTraits<FcPattern> : public nsPointerRefTraits<FcPattern>
@@ -300,19 +304,27 @@ public:
         mGenericMappings.Clear();
     }
 
     static FT_Library GetFTLibrary();
 
 protected:
     virtual ~gfxFcPlatformFontList();
 
+#ifdef MOZ_CONTENT_SANDBOX
+    typedef mozilla::SandboxBroker::Policy SandboxPolicy;
+#else
+    // Dummy type just so we can still have a SandboxPolicy* parameter.
+    struct SandboxPolicy;
+#endif
+
     // Add all the font families found in a font set.
     // aAppFonts indicates whether this is the system or application fontset.
-    void AddFontSetFamilies(FcFontSet* aFontSet, bool aAppFonts);
+    void AddFontSetFamilies(FcFontSet* aFontSet, const SandboxPolicy* aPolicy,
+                            bool aAppFonts);
 
     // Helper for above, to add a single font pattern.
     void AddPatternToFontList(FcPattern* aFont, FcChar8*& aLastFamilyName,
                               nsAString& aFamilyName,
                               RefPtr<gfxFontconfigFontFamily>& aFontFamily,
                               bool aAppFonts);
 
     // figure out which families fontconfig maps a generic to
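Review bot: The comment above AddFontSetFamilies (lines 181–182) still documents only aAppFonts; the new aPolicy parameter is undocumented, including the fact that a null value disables the filtering entirely. Suggest extending it with `// aPolicy, when non-null, is the content-process sandbox policy; fonts whose` / `// file it does not permit to be read are left out of the list.` The `typedef` on line 175 could be written `using SandboxPolicy = mozilla::SandboxBroker::Policy;` to match modern style, and the dummy `struct SandboxPolicy;` on line 178 is adequate only as long as non-sandbox code never needs to own or dereference one — something the .cpp side should be checked for.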