Bug 1123245 Part 3: Add prefs for the Windows NPAPI process sandbox. r=bsmedberg, a=sledru
authorBob Owen <bobowencode@gmail.com>
Mon, 26 Jan 2015 11:44:27 +0000
changeset 243027 9bfc57be3f2c
parent 243026 f7b5148c84a1
child 243028 d340f3d3439d
push id4366
push userbobowencode@gmail.com
push date2015-01-26 12:06 +0000
treeherdermozilla-beta@9bfc57be3f2c [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbsmedberg, sledru
bugs1123245
milestone36.0
Bug 1123245 Part 3: Add prefs for the Windows NPAPI process sandbox. r=bsmedberg, a=sledru
browser/app/profile/firefox.js
dom/plugins/ipc/PluginModuleParent.cpp
dom/plugins/ipc/PluginProcessParent.cpp
dom/plugins/ipc/PluginProcessParent.h
ipc/glue/GeckoChildProcessHost.cpp
ipc/glue/GeckoChildProcessHost.h
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@@ -1188,16 +1188,24 @@ pref("dom.ipc.plugins.enabled.x86_64", t
 #else
 pref("dom.ipc.plugins.enabled", true);
 #endif
 
 // Start the browser in e10s mode
 pref("browser.tabs.remote.autostart", false);
 pref("browser.tabs.remote.desktopbehavior", true);
 
+#if defined(XP_WIN) && defined(MOZ_SANDBOX)
+// Controls whether the Windows NPAPI plugin process is sandboxed by default.
+// To get a different setting for a particular plugin replace "default", with
+// the plugin's nice file name, see: nsPluginTag::GetNiceFileName.
+pref("dom.ipc.plugins.sandbox.default", false);
+pref("dom.ipc.plugins.sandbox.flash", false);
+#endif
+
 #if defined(MOZ_CONTENT_SANDBOX) && defined(XP_WIN)
 // This controls whether the content process on Windows is sandboxed.
 // You also need to be using remote tabs, see above.
 // on = full sandbox enabled
 // warn = warn only sandbox enabled
 // anything else = sandbox disabled
 // This will probably require a restart.
 pref("browser.tabs.remote.sandbox", "off");
--- a/dom/plugins/ipc/PluginModuleParent.cpp
+++ b/dom/plugins/ipc/PluginModuleParent.cpp
@@ -208,21 +208,30 @@ PluginModuleContentParent::Create(mozill
 // static
 PluginLibrary*
 PluginModuleChromeParent::LoadModule(const char* aFilePath, uint32_t aPluginId,
                                      nsPluginTag* aPluginTag)
 {
     PLUGIN_LOG_DEBUG_FUNCTION;
 
     int32_t prefSecs = Preferences::GetInt(kLaunchTimeoutPref, 0);
+    bool enableSandbox = false;
+#if defined(XP_WIN) && defined(MOZ_SANDBOX)
+    nsAutoCString sandboxPref("dom.ipc.plugins.sandbox.");
+    sandboxPref.Append(aPluginTag->GetNiceFileName());
+    if (NS_FAILED(Preferences::GetBool(sandboxPref.get(), &enableSandbox))) {
+      enableSandbox = Preferences::GetBool("dom.ipc.plugins.sandbox.default");
+    }
+#endif
 
     // Block on the child process being launched and initialized.
     nsAutoPtr<PluginModuleChromeParent> parent(new PluginModuleChromeParent(aFilePath, aPluginId));
     TimeStamp launchStart = TimeStamp::Now();
-    bool launched = parent->mSubprocess->Launch(prefSecs * 1000);
+    bool launched = parent->mSubprocess->Launch(prefSecs * 1000,
+                                                enableSandbox);
     if (!launched) {
         // We never reached open
         parent->mShutdown = true;
         return nullptr;
     }
     TimeStamp launchEnd = TimeStamp::Now();
     parent->mTimeBlocked = (launchEnd - launchStart);
     parent->Open(parent->mSubprocess->GetChannel(),
--- a/dom/plugins/ipc/PluginProcessParent.cpp
+++ b/dom/plugins/ipc/PluginProcessParent.cpp
@@ -34,18 +34,28 @@ PluginProcessParent::PluginProcessParent
 {
 }
 
 PluginProcessParent::~PluginProcessParent()
 {
 }
 
 bool
-PluginProcessParent::Launch(int32_t timeoutMs)
+PluginProcessParent::Launch(int32_t timeoutMs,
+                            bool aEnableSandbox)
 {
+#if defined(XP_WIN) && defined(MOZ_SANDBOX)
+    mEnableNPAPISandbox = aEnableSandbox;
+#else
+    if (aEnableSandbox) {
+        MOZ_ASSERT(false,
+                   "Can't enable an NPAPI process sandbox for platform/build.");
+    }
+#endif
+
     ProcessArchitecture currentArchitecture = base::GetCurrentProcessArchitecture();
     uint32_t containerArchitectures = GetSupportedArchitecturesForProcessType(GeckoProcessType_Plugin);
 
     uint32_t pluginLibArchitectures = currentArchitecture;
 #ifdef XP_MACOSX
     nsresult rv = GetArchitecturesForBinary(mPluginFilePath.c_str(), &pluginLibArchitectures);
     if (NS_FAILED(rv)) {
         // If the call failed just assume that we want the current architecture.
--- a/dom/plugins/ipc/PluginProcessParent.h
+++ b/dom/plugins/ipc/PluginProcessParent.h
@@ -25,18 +25,23 @@ class PluginProcessParent : public mozil
 {
 public:
     explicit PluginProcessParent(const std::string& aPluginFilePath);
     ~PluginProcessParent();
 
     /**
      * Synchronously launch the plugin process. If the process fails to launch
      * after timeoutMs, this method will return false.
+     *
+     * @param timeoutMs Timeout in milliseconds for the synchronous launch.
+     * @param aEnableSandbox Enables a process sandbox if one is available for
+     * this platform/build. Will assert if true passed and one is not available.
      */
-    bool Launch(int32_t timeoutMs);
+    bool Launch(int32_t timeoutMs,
+                bool aEnableSandbox = false);
 
     void Delete();
 
     virtual bool CanShutdown() MOZ_OVERRIDE
     {
         return true;
     }
 
--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@@ -90,16 +90,19 @@ GeckoChildProcessHost::DefaultChildPrivi
 GeckoChildProcessHost::GeckoChildProcessHost(GeckoProcessType aProcessType,
                                              ChildPrivileges aPrivileges)
   : ChildProcessHost(RENDER_PROCESS), // FIXME/cjones: we should own this enum
     mProcessType(aProcessType),
     mPrivileges(aPrivileges),
     mMonitor("mozilla.ipc.GeckChildProcessHost.mMonitor"),
     mProcessState(CREATING_CHANNEL),
     mDelegate(nullptr),
+#if defined(MOZ_SANDBOX) && defined(XP_WIN)
+    mEnableNPAPISandbox(false),
+#endif
 #if defined(MOZ_CONTENT_SANDBOX) && defined(XP_WIN)
     mEnableContentSandbox(false),
     mWarnOnlyContentSandbox(false),
 #endif
     mChildProcessHandle(0)
 #if defined(MOZ_WIDGET_COCOA)
   , mChildTask(MACH_PORT_NULL)
 #endif
@@ -796,17 +799,18 @@ GeckoChildProcessHost::PerformAsyncLaunc
       if (!PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
         mSandboxBroker.SetSecurityLevelForContentProcess(mWarnOnlyContentSandbox);
         cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
         shouldSandboxCurrentProcess = true;
       }
 #endif // MOZ_CONTENT_SANDBOX
       break;
     case GeckoProcessType_Plugin:
-      if (!PR_GetEnv("MOZ_DISABLE_NPAPI_SANDBOX")) {
+      if (mEnableNPAPISandbox &&
+          !PR_GetEnv("MOZ_DISABLE_NPAPI_SANDBOX")) {
         mSandboxBroker.SetSecurityLevelForPluginProcess();
         cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
         shouldSandboxCurrentProcess = true;
       }
       break;
     case GeckoProcessType_IPDLUnitTest:
       // XXX: We don't sandbox this process type yet
       // mSandboxBroker.SetSecurityLevelForIPDLUnitTestProcess();
--- a/ipc/glue/GeckoChildProcessHost.h
+++ b/ipc/glue/GeckoChildProcessHost.h
@@ -164,16 +164,20 @@ protected:
 #ifdef XP_WIN
   void InitWindowsGroupID();
   nsString mGroupId;
 
 #ifdef MOZ_SANDBOX
   SandboxBroker mSandboxBroker;
   std::vector<std::wstring> mAllowedFilesRead;
 
+  // XXX: Bug 1124167: We should get rid of the process specific logic for
+  // sandboxing in this class at some point. Unfortunately it will take a bit
+  // of reorganizing so I don't think this patch is the right time.
+  bool mEnableNPAPISandbox;
 #if defined(MOZ_CONTENT_SANDBOX)
   bool mEnableContentSandbox;
   bool mWarnOnlyContentSandbox;
 #endif
 #endif
 #endif // XP_WIN
 
 #if defined(OS_POSIX)