Bug 1120045 - Pref off allowing media plugins on Linux systems which can't sandbox them. r=jesup
authorJed Davis <jld@mozilla.com>
Wed, 28 Jan 2015 10:06:53 -0800
changeset 239750 95a9a38b73b0e0be7ba9cf1a6fa927ecacfff96d
parent 239749 c5e6fd99bcb8af1f0b68afdf7d9290310317febd
child 239751 ad37c88b6aed20f05302076fad9d22b04dda7f62
push id506
push usermleibovic@mozilla.com
push dateThu, 29 Jan 2015 12:40:10 +0000
reviewersjesup
bugs1120045, 1074561
milestone38.0a1
Bug 1120045 - Pref off allowing media plugins on Linux systems which can't sandbox them. r=jesup This does *not* affect the sandboxing requirement for EME CDMs added in bug 1074561; that is enforced separately and regardless of this pref. Bonus fix: GC unused includes of sandbox headers.
dom/media/gmp/GMPChild.cpp
dom/media/gmp/GMPService.cpp
modules/libpref/init/all.js
--- a/dom/media/gmp/GMPChild.cpp
+++ b/dom/media/gmp/GMPChild.cpp
@@ -32,19 +32,16 @@ static const int MAX_VOUCHER_LENGTH = 50
 #else
 #include <unistd.h> // for _exit()
 #endif
 
 #if defined(MOZ_GMP_SANDBOX)
 #if defined(XP_WIN)
 #define TARGET_SANDBOX_EXPORTS
 #include "mozilla/sandboxTarget.h"
-#elif defined (XP_LINUX)
-#include "mozilla/Sandbox.h"
-#include "mozilla/SandboxInfo.h"
 #elif defined(XP_MACOSX)
 #include "mozilla/Sandbox.h"
 #endif
 #endif
 
 namespace mozilla {
 namespace gmp {
 
--- a/dom/media/gmp/GMPService.cpp
+++ b/dom/media/gmp/GMPService.cpp
@@ -770,16 +770,25 @@ GeckoMediaPluginService::SelectPluginFor
 
   return nullptr;
 }
 
 class CreateGMPParentTask : public nsRunnable {
 public:
   NS_IMETHOD Run() {
     MOZ_ASSERT(NS_IsMainThread());
+#if defined(XP_LINUX) && defined(MOZ_GMP_SANDBOX)
+    if (!SandboxInfo::Get().CanSandboxMedia()) {
+      if (!Preferences::GetBool("media.gmp.insecure.allow")) {
+        NS_WARNING("Denying media plugin load due to lack of sandboxing.");
+        return NS_ERROR_NOT_AVAILABLE;
+      }
+      NS_WARNING("Loading media plugin despite lack of sandboxing.");
+    }
+#endif
     mParent = new GMPParent();
     return NS_OK;
   }
   already_AddRefed<GMPParent> GetParent() {
     return mParent.forget();
   }
 private:
   nsRefPtr<GMPParent> mParent;
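Review bot: The added `SandboxInfo::Get().CanSandboxMedia()` and `Preferences::GetBool` calls need `mozilla/SandboxInfo.h` and `mozilla/Preferences.h` to be included in GMPService.cpp under the same `XP_LINUX && MOZ_GMP_SANDBOX` guard, and since this commit removes the SandboxInfo include from GMPChild.cpp the include block of GMPService.cpp (not shown in the hunk) should be confirmed to carry its own. The policy decision is also undocumented in code; a comment above the `#if`, such as `// Linux: refuse to load a plugin that cannot be sandboxed unless the user opted in via media.gmp.insecure.allow. The EME CDM sandbox requirement is enforced separately and is not relaxed by this pref.`, would record what the commit message states. A denied load leaves `mParent` null, so every caller of `GetParent()` must tolerate a null result; the second hunk (AddOnGMPThread) does, but any other caller is not visible here. The definition of CreateGMPParentTask continues past the end of the hunk.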
@@ -827,17 +836,17 @@ GeckoMediaPluginService::AddOnGMPThread(
 
   // The GMPParent inherits from IToplevelProtocol, which must be created
   // on the main thread to be threadsafe. See Bug 1035653.
   nsRefPtr<CreateGMPParentTask> task(new CreateGMPParentTask());
   nsCOMPtr<nsIThread> mainThread = do_GetMainThread();
   MOZ_ASSERT(mainThread);
   mozilla::SyncRunnable::DispatchToThread(mainThread, task);
   nsRefPtr<GMPParent> gmp = task->GetParent();
-  rv = gmp->Init(this, directory);
+  rv = gmp ? gmp->Init(this, directory) : NS_ERROR_NOT_AVAILABLE;
   if (NS_FAILED(rv)) {
     NS_WARNING("Can't Create GMPParent");
     return;
   }
 
   MutexAutoLock lock(mMutex);
   mPlugins.AppendElement(gmp);
 }
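Review bot: When the task returns a null parent because the sandbox policy denied the load, the `NS_ERROR_NOT_AVAILABLE` fallback on the changed line funnels into the generic `Can't Create GMPParent` warning, so one event produces two warnings and the second misstates the cause as a creation failure. A dedicated early return before the Init call, `if (!gmp) { return; } // denial already reported by CreateGMPParentTask::Run`, keeps the Init-failure path and its message distinct from the policy-denial path, which I would consider worthwhile since the difference is what an operator needs when diagnosing why a plugin did not load. AddOnGMPThread begins outside the hunk, so whether `rv` has another use earlier in the function cannot be seen here.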
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -4536,8 +4536,15 @@ pref("reader.font_size", 3);
 pref("reader.color_scheme", "auto");
 
 // The font type in reader (sans-serif, serif)
 pref("reader.font_type", "sans-serif");
 
 // Whether or not the user has interacted with the reader mode toolbar.
 // This is used to show a first-launch tip in reader mode.
 pref("reader.has_used_toolbar", false);
+
+#if defined(XP_LINUX) && defined(MOZ_GMP_SANDBOX)
+// Whether to allow, on a Linux system that doesn't support the necessary sandboxing
+// features, loading Gecko Media Plugins unsandboxed.  However, EME CDMs will not be
+// loaded without sandboxing even if this pref is changed.
+pref("media.gmp.insecure.allow", false);
+#endif