Bug 1329600 - Capture CPU usage on Linux - r=canaltinova,gcp Differential Revision: https://phabricator.services.mozilla.com/D99416

Bug 1676804 - P3. Add testcase r=gcp Differential Revision: https://phabricator.services.mozilla.com/D98900

Bug 1676804 - P2. Safe Browsing canonicalization should escape # r=gcp We didn't escape '#' as defined in the Safe Browsing spec "In the URL, percent-escape all characters that are <= ASCII 32, >= 127, "#", or "%". The escapes should use uppercase hex characters." See https://developers.google.com/safe-browsing/v4/urls-hashing Differential Revision: https://phabricator.services.mozilla.com/D98899

Bug 1676804 - P1. Safe Browsing canonicalization should not include query string r=gcp In the Safe Browsing spec, it says "Do not apply these path canonicalizations to the query parameters.", we should follow it. Differential Revision: https://phabricator.services.mozilla.com/D98898

Bug 1678174 - Add remaining time64 syscalls to the Linux sandboxes. r=gcp 32-bit Linux architectures have gained new versions of every system call handling time values, to allow a transition to 64-bit time_t that will continue to work after the year 2038; newer versions of glibc will attempt them and fall back to the 32-bit path (without caching the failure, so at best we take the overhead of handling SIGSYS). This patch allows time64 syscalls in the same cases where we allow their time32 versions, including the restrictions on clockid_t to prevent interacting with other processes or threads of other processes. (I've confirmed that the argument types match otherwise, so it's safe to reuse the same policies.) Differential Revision: https://phabricator.services.mozilla.com/D98693

Bug 1680166 - Return EFAULT when given a null path to stat* calls in the sandbox filter. r=gcp It's a common way to check the existence of system calls. Glibc may fall back to fstatat when statx is called, passing down the null path. Since we handle fstatat, let's return -EFAULT the same way the real fstatat syscall would do. This is needed for the sandbox not to constantly crash due to this statx call in rustc: https://github.com/rust-lang/rust/blob/09c9c9f7da72b774cc445c0f56fc0b9792a49647/library/std/src/sys/unix/fs.rs#L119-L123 Differential Revision: https://phabricator.services.mozilla.com/D98414

Bug 1672367 - Block Digital Guardian's module older than 7.6. r=gcp Differential Revision: https://phabricator.services.mozilla.com/D96434

Bug 1672936 - Do not show "report a detection problem" in Safe Browsing malware interstitial page r=flod,fluent-reviewers,gcp Differential Revision: https://phabricator.services.mozilla.com/D94574

Bug 1673770 - Extend the handling of fstatat-as-fstat to sandboxes that don't use a file broker. r=gcp The fix for bug 1660901, to handle the subset of fstatat that is equivalent to fstat, was incomplete: it was added to the existing hook for the file broker, so processes that don't use a broker (like GMP) didn't get the fix. That wasn't a problem when the only use of that feature was in content processes via GTK, but now that glibc has reimplemented fstat that way, it's necessary for all processes. Differential Revision: https://phabricator.services.mozilla.com/D95108

Bug 1673202 - Call fstat directly in Linux sandbox fstatat interception. r=gcp Sandbox policies handle the case of `fstatat(fd, "", AT_EMPTY_PATH|...)` by invoking the SIGSYS handler (because seccomp-bpf can't tell if the string will be empty when the syscall would use it), which makes the equivalent call to `fstat`. Unfortunately, recent development versions of glibc implement `fstat` by calling `fstatat`, which causes unbounded recursion and stack overflow. (This depends on the headers present at build time; see the bug for more details.) This patch switches it to use the `fstat` (or `fstat64` on 32-bit) syscall directly. Differential Revision: https://phabricator.services.mozilla.com/D94798

Bug 1672482 - Move getdents allowance to SandboxPolicyCommon. r=jld,gcp I think since it takes an FD this might be ok, but let me know if this somehow doesn't cut it and a more nuanced fix is needed. Since stuff like PR_GetNumberOfProcessors() uses it with some glibc versions, which is pretty basic functionality, we probably need to make it work in all processes. Differential Revision: https://phabricator.services.mozilla.com/D94358

Bug 1595994 - P13. Enable ffvpx in RDD on linux. r=mattwoodrow,gcp Depends on D91689 Differential Revision: https://phabricator.services.mozilla.com/D91690

Bug 1664922 - Allow CPU information in the "utility" sandbox policy, for nsSystemInfo. r=gcp Differential Revision: https://phabricator.services.mozilla.com/D90603

Bug 1664922 - Allow CPU information in the "utility" sandbox policy, for nsSystemInfo. r=gcp Differential Revision: https://phabricator.services.mozilla.com/D90603

Bug 1663550 - Enable sandbox on Linux/arm and Linux/arm64. r=gcp,glandium Differential Revision: https://phabricator.services.mozilla.com/D90002

Bug 1663550 - Fix the alignment of the stack for the sandbox's clone() trampoline. r=gcp The ABI on ARM64 requires 16-byte stack alignment, and that includes the small temporary stack that exists only so that we can `longjmp` off of it in the child process after calling `clone`. Differential Revision: https://phabricator.services.mozilla.com/D90001

Bug 1663550 - Update sandbox policy for various syscalls obsoleted on Linux/arm64. r=gcp In addition to e.g. lacking `open` in favor of `openat`, Linux/arm64 also removes a number of older syscalls along similar lines, like `dup2` in favor of `dup3`, and all variants of `select` other than `pselect6`. Differential Revision: https://phabricator.services.mozilla.com/D90000

Bug 1663550 - Implement brokering for the remaining `at` syscalls in the Linux sandbox. r=gcp Linux/arm64 omits syscalls that can be implemented in terms of newer syscalls by inserting constant arguments; this means that all of the basic filesystem operations use the `at` versions, like `unlinkat` replacing both `unlink` and `rmdir`. We've supported some of them when x86 libcs started using them, but there are several others we were missing; this patch adds them. Differential Revision: https://phabricator.services.mozilla.com/D89999

Bug 1663550 - Rearrange the broker glue to handle none of the non-`at` syscalls existing. r=gcp Linux/arm64 seems to exclude any syscalls that were redundant when it was created (specifically, that can be implemented in terms of another by inserting constant arguments), which includes all the of the non-`at` filesystem syscalls --- for example, `open` vs. `openat`. This patch rearranges ifdefs to handle that case; later patches will fill in the currently unhandled syscalls in the `at`-only side. Differential Revision: https://phabricator.services.mozilla.com/D89998

Bug 1663550 - Minor cleanups for Linux sandbox policy. r=gcp Not strictly part of ARM support, but worth committing, and in particular printing the `AT_*` flags in hex is helpful for matching them against headers when `*at` syscalls fail. Differential Revision: https://phabricator.services.mozilla.com/D89997

Bug 1663550 - Remove obsolete sandbox rule allowing utime(). r=gcp We no longer use GConf (bug 1433685), so we can remove the sandbox rule allowing it to call utime(). That syscall doesn't exist on ARM or ARM64, so this rule would have to be ifdef'ed if it were re-added. Differential Revision: https://phabricator.services.mozilla.com/D89996

Bug 1663550 - Add "arm" and "arm64" architecture names to Linux sandbox telemetry. r=gcp Differential Revision: https://phabricator.services.mozilla.com/D89995

Bug 1660901 - Add some test cases for fstatat inside the content sandbox. r=gcp Differential Revision: https://phabricator.services.mozilla.com/D88500

Bug 1660901 - Support the fstat-like subset of fstatat in the Linux sandbox policies. r=gcp Differential Revision: https://phabricator.services.mozilla.com/D88499

Bug 1657616 - Remove the link to StopBadware.org in SafeBrowsing interstitial page r=gcp,fluent-reviewers,flod Differential Revision: https://phabricator.services.mozilla.com/D86321

Bug 1657616 - Remove the link to StopBadware.org in SafeBrowsing interstitial page r=gcp,fluent-reviewers,flod Differential Revision: https://phabricator.services.mozilla.com/D86321

Bug 1642729 - P6: Save images in a dictionary r=gcp Saving the temporary files under a dictionary without world/group-execute permissions Differential Revision: https://phabricator.services.mozilla.com/D85076

Bug 1642729 - P5: Set the permission of the temporary file to 600 r=gcp Differential Revision: https://phabricator.services.mozilla.com/D85075

Bug 1654438 - Add mochi.xorigin-test to whitelistHosts pref r=gcp In fission cross-origin mochitests, "mochi.xorigin-test" is the top-level url instead of "mochi.test". Our pairwise whitelist has to use the right top-level host accordingly to make testcase work. Differential Revision: https://phabricator.services.mozilla.com/D84585

Bug 1650751 - Add FMODE_NONOTIFY to ignored file flags in Linux sandbox. r=gcp As of kernel 5.8 (commit [e9c15badb][]), Linux will set the internal `FMODE_NONOTIFY` flag on files that don't exist in the filesystem, including (unnamed) pipes and sockets. Although this flag isn't properly part of the userspace API, it will be returned by F_GETFL, so userspace code that tries to change file flags will pass it to F_SETFL. The implementation of `F_SETFL` has an allow list of flags userspace can change (`SETFL_MASK`) and ignores all others, but our sandbox has a list of flags *known* to be ignored, because currently unknown flags could potentially be accepted by the kernel in the future. This patch adds `FMODE_NONOTIFY` as an ignored flag. [e9c15badb]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e9c15badbb7b20ccdbadf5da14e0a68fbad51015 Differential Revision: https://phabricator.services.mozilla.com/D83205

Bug 1651701 - Allow rseq in the Linux sandboxes. r=gcp Differential Revision: https://phabricator.services.mozilla.com/D83142

Bug 1640345 - Add a hidden pref to prevent sandboxed content processes from connecting to the X server. r=gcp This adds the boolean pref security.sandbox.content.headless (on Linux only) which does two things: 1. Sets the MOZ_HEADLESS env var for content processes, so that they don't initialize GTK and don't connect to the X server. 2. Disallows brokered access to parts of the filesystem used only for graphics -- most critically connecting to the X11 socket itself, but also opening GPU device nodes and the parts of sysfs used by Mesa, for example. This is experimental; use at your own risk. Setting this pref will break native widgets, so it's also necessary to set widget.disable-native-theme-for-content Additionally, it breaks Flash and WebGL; see bug 1638466 for the latter. Differential Revision: https://phabricator.services.mozilla.com/D81425

Bug 1644917 - Part 2: Cache as much of the content sandbox file policy as possible. r=gcp,Gijs Now that filesystem broker policy entries that depend on prefs can be cached in the "common" policy object, let's do this wherever possible. Partially fixes bug 1600189. Differential Revision: https://phabricator.services.mozilla.com/D81424

Bug 1644917 - Part 1: Construct content sandbox "common" policy lazily. r=gcp,Gijs When the SandboxBrokerPolicyFactory is constructed, prefs aren't available, which constrains the cached subset of the content process policy to entries that don't depend on prefs. Delaying the computation until a content process is started removes that restriction. (This also delays the reading of dynamic linker configuration to discover library directories, so a test needs to be adjusted.) Differential Revision: https://phabricator.services.mozilla.com/D81423

Bug 1644917 - Part 0: Make AddDynamicPathList a static non-member function. r=gcp Not strictly necessary, but I noticed this while I was making changes: AddDynamicPathList can be a simple static function instead of a private static method, and doesn't need to be in the header. Differential Revision: https://phabricator.services.mozilla.com/D81422

Bug 1640612 - Allow socket process to read /etc, r=gcp Differential Revision: https://phabricator.services.mozilla.com/D80718

Bug 1513674 - Remove nsIMemoryReporter from fixed-length prefix. r=gcp Right now, now matter which SafeBrowsing protocol we use (V2 or V4), we always use variable-length prefix set to store prefixes. Since nsUrlClassifierPrefixSet is a member of VariableLengthPrefixSet and it is never used alone, we can remove nsIMemoryReporter from it to prevent calculating the same memory report twice. Differential Revision: https://phabricator.services.mozilla.com/D81171

Bug 1640345 - Add a hidden pref to prevent sandboxed content processes from connecting to the X server. r=gcp This adds the boolean pref security.sandbox.content.headless (on Linux only) which does two things: 1. Sets the MOZ_HEADLESS env var for content processes, so that they don't initialize GTK and don't connect to the X server. 2. Disallows brokered access to parts of the filesystem used only for graphics -- most critically connecting to the X11 socket itself, but also opening GPU device nodes and the parts of sysfs used by Mesa, for example. This is experimental; use at your own risk. Setting this pref will break native widgets, so it's also necessary to set widget.disable-native-theme-for-content Additionally, it breaks Flash and WebGL; see bug 1638466 for the latter. Differential Revision: https://phabricator.services.mozilla.com/D81425

Bug 1644917 - Part 2: Cache as much of the content sandbox file policy as possible. r=gcp Now that filesystem broker policy entries that depend on prefs can be cached in the "common" policy object, let's do this wherever possible. Should also fix bug 1621231. Differential Revision: https://phabricator.services.mozilla.com/D81424

Bug 1644917 - Part 1: Construct content sandbox "common" policy lazily. r=gcp When the SandboxBrokerPolicyFactory is constructed, prefs aren't available, which constrains the cached subset of the content process policy to entries that don't depend on prefs. Delaying the computation until a content process is started removes that restriction. Differential Revision: https://phabricator.services.mozilla.com/D81423

Bug 1644917 - Part 0: Make AddDynamicPathList a static non-member function. r=gcp Not strictly necessary, but I noticed this while I was making changes: AddDynamicPathList can be a simple static function instead of a private static method, and doesn't need to be in the header. Differential Revision: https://phabricator.services.mozilla.com/D81422

Bug 1640612 - Allow socket process to read /etc, r=gcp Differential Revision: https://phabricator.services.mozilla.com/D80718

Bug 1647133 - P2. Make nsIURIClassifier take a nsISerialEventTarget. r=gcp The argument aEventTarget is actually never used by any caller; nullptr is always passed for it. But the code is there in case it isn't null which would call into IProtocol::SetEventTargetFor Depends on D80419 Differential Revision: https://phabricator.services.mozilla.com/D80421

Bug 1407712 - Block more versions of guard64.dll of Comodo Firewall. r=gcp Differential Revision: https://phabricator.services.mozilla.com/D79238

Bug 1644642 - Use iterator-based RemoveElementsAt overload. r=gcp Differential Revision: https://phabricator.services.mozilla.com/D79032

Bug 1637984 - Part 2: Block PavLspHook64.dll on Win7 and older. r=gcp Depends on D78414 Differential Revision: https://phabricator.services.mozilla.com/D78415

Bug 1639181 - Allow a safe subset of fd flag fcntls in the common sandbox policy. r=gcp Content processes allow a restricted subset of F_{GET,SET}{FD,FL} that prevents setting unknown or known-unsafe flags, which was copied to the socket process policy; this patch moves it to the common policy and removes RDD's copy of GMP's override. The immediate reason for this is DMD using F_GETFL via fdopen to use a file descriptor passed over IPC, but in general this should be safe and it's a reasonable thing to expect to be able to use. Differential Revision: https://phabricator.services.mozilla.com/D77379

Bug 1576728 - Block more versions of oly[64].dll and pdzipmenu[32|64].dll. r=gcp Since we learned these modules are a shell exntension, blocking in the browser process should suffice. Differential Revision: https://phabricator.services.mozilla.com/D75606

Bug 1347710 - Enable Windows GPU sandbox for supported hardware r=gcp Currently, there is an outstanding issue where enabling the GPU sandbox breaks scrolling using the the mouse wheel on laptops with Intel GPUs. This will enable the GPU sandbox on Nightly for non-Intel GPUs to prevent any sandbox regressions while we try and figure out what the scrolling issue is. See Bug 1630860 for more info Differential Revision: https://phabricator.services.mozilla.com/D73923

Bug 1626570 - Improve handling of copying arrays in toolkit/components/url-classifier/. r=gcp Differential Revision: https://phabricator.services.mozilla.com/D72328