Bug 1199413 - Fix MOZ_DISABLE_GMP_SANDBOX so it disables all the sandboxing. r=kang
author: Jed Davis <jld@mozilla.com>
date: Fri, 28 Aug 2015 12:18:00 +0200
changeset: 294351 0d99e927527b2300dacfbc641e4af1249f46d604
parent: 294350 20b84c6d55a0befeebd372be64497db318e7081f
child: 294352 10e3f62dc8a66c514fd1b3b42604cc5b7be8ebdc
push id: 5245
push user: raliiev@mozilla.com
push date: Thu, 29 Oct 2015 11:30:51 +0000
treeherder: mozilla-beta@dac831dc1bd0
reviewers: kang
bugs: 1199413
milestone: 43.0a1
Bug 1199413 - Fix MOZ_DISABLE_GMP_SANDBOX so it disables all the sandboxing. r=kang

Bonus fix: don't start the chroot helper unless we're going to use it. For this to matter, you'd need a system with unprivileged user namespaces but no seccomp-bpf (or fake it with env vars) *and* to set media.gmp.insecure.allow, so this is more to set a good example for future changes to this code than for functional reasons.
security/sandbox/linux/Sandbox.cpp
--- a/security/sandbox/linux/Sandbox.cpp
+++ b/security/sandbox/linux/Sandbox.cpp
@@ -518,48 +518,52 @@ SandboxEarlyInit(GeckoProcessType aType,
   // Nuwa process (e.g., unsharing the network namespace there instead
   // of for each content process, to save memory), this will need to be
   // changed by moving the SandboxEarlyInit call to an earlier point.
   if (aIsNuwa) {
     return;
   }
 
   MOZ_RELEASE_ASSERT(IsSingleThreaded());
+  const SandboxInfo info = SandboxInfo::Get();
 
   // Which kinds of resource isolation (of those that need to be set
   // up at this point) can be used by this process?
   bool canChroot = false;
   bool canUnshareNet = false;
   bool canUnshareIPC = false;
 
   switch (aType) {
   case GeckoProcessType_Default:
     MOZ_ASSERT(false, "SandboxEarlyInit in parent process");
     return;
 #ifdef MOZ_GMP_SANDBOX
   case GeckoProcessType_GMPlugin:
+    if (!info.Test(SandboxInfo::kEnabledForMedia)) {
+      break;
+    }
     canUnshareNet = true;
     canUnshareIPC = true;
-    canChroot = true;
+    // Need seccomp-bpf to intercept open().
+    canChroot = info.Test(SandboxInfo::kHasSeccompBPF);
     break;
 #endif
     // In the future, content processes will be able to use some of
     // these.
   default:
     // Other cases intentionally left blank.
     break;
   }
 
   // If there's nothing to do, then we're done.
   if (!canChroot && !canUnshareNet && !canUnshareIPC) {
     return;
   }
 
   // If capabilities can't be gained, then nothing can be done.
-  const SandboxInfo info = SandboxInfo::Get();
   if (!info.Test(SandboxInfo::kHasUserNamespaces)) {
     return;
   }
 
   // The failure cases for the various unshares, and setting up the
   // chroot helper, don't strictly need to be fatal -- but they also
   // shouldn't fail on any reasonable system, so let's take the small
   // risk of breakage over the small risk of quietly providing less
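Review bot: The new `kEnabledForMedia` check in the `GeckoProcessType_GMPlugin` case only achieves "disables all the sandboxing" if that flag is cleared by MOZ_DISABLE_GMP_SANDBOX, which this hunk does not show; please confirm in the commit message or a comment beside the `break` that `SandboxInfo::kEnabledForMedia` is the flag that environment variable controls, since a reader of this function cannot tell that from the lines here. The `break` itself is sound: it leaves `canChroot`, `canUnshareNet` and `canUnshareIPC` all false, so the existing "If there's nothing to do, then we're done." return fires before any namespace is unshared, and hoisting `const SandboxInfo info = SandboxInfo::Get();` above the `switch` is what makes the flag usable there (the later `kHasUserNamespaces` test still sees the same object). Two smaller points: the comment `// Need seccomp-bpf to intercept open().` on `canChroot = info.Test(SandboxInfo::kHasSeccompBPF);` would be clearer if it stated the consequence the commit message gives, i.e. that without a seccomp-bpf filter to broker `open()` the chroot helper would be started but never used, so gating it here avoids a pointless helper process; and the stale `- const SandboxInfo info = SandboxInfo::Get();` removal below `// If capabilities can't be gained, then nothing can be done.` leaves that comment and the `kHasUserNamespaces` test intact, which is correct, but note that `SandboxInfo::Get()` is now evaluated for every non-parent process type rather than only those with isolation to set up, so it should stay cheap.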