searching for reviewer(gcp)
280ba3849b1bd8779c1742848f57247ed3571bfc: Bug 1508898 - Prepare the Linux sandbox's socketcall/ipc-call dispatch table for reformatting. r=gcp
Jed Davis <jld@mozilla.com> - Wed, 21 Nov 2018 11:05:31 +0000 - rev 450593
Push 272 by eakhgari@mozilla.com at Thu, 13 Dec 2018 22:29:46 +0000
Bug 1508898 - Prepare the Linux sandbox's socketcall/ipc-call dispatch table for reformatting. r=gcp The tables in SandboxFilterUtil.cpp should remain vertically aligned, but clang-format would disagree. This patch excludes that region from reformatting, and applies the other changes that clang-format would make there. Differential Revision: https://phabricator.services.mozilla.com/D12499
12213cfa93d9202807fe4074dd471d5704dc885d: Bug 1478575 - Unify CamerasChild shutdown paths. r=gcp, a=RyanVM
Andreas Pehrson <pehrsons@mozilla.com> - Mon, 20 Aug 2018 10:44:49 +0200 - rev 450033
Push 151 by ryanvm@gmail.com at Thu, 23 Aug 2018 17:52:30 +0000
Bug 1478575 - Unify CamerasChild shutdown paths. r=gcp, a=RyanVM
b7562482020074699b5e9be96b743571d883c3c6: Bug 1393954 - Roll Safe Browsing back to V2. r=gcp, a=gchang
Francois Marier <francois@mozilla.com> - Fri, 08 Sep 2017 18:11:00 -0400 - rev 448626
Push 2 by asasaki@mozilla.com at Thu, 26 Apr 2018 19:58:18 +0000
Bug 1393954 - Roll Safe Browsing back to V2. r=gcp, a=gchang We're doing this in the last Beta of the 56 cycle so that we can roll SBv4 out gradually via an add-on. MozReview-Commit-ID: 4eZrFhp6k6G
73fab5fbc84369a3fd29c592301187f1e445e481: Bug 1450740 - Don't sandbox network namespace when X11 named sockets aren't accessible. r=gcp, a=RyanVM
Jed Davis <jld@mozilla.com> - Mon, 02 Apr 2018 15:19:04 -0600 - rev 447408
Bug 1450740 - Don't sandbox network namespace when X11 named sockets aren't accessible. r=gcp, a=RyanVM MozReview-Commit-ID: KiL4GwMms3a
79e7ee0f6d6a5edc24e57643ac7da1a407f3caca: Bug 1444175 - Mark CamerasParent final; r=gcp
Alex Gaynor <agaynor@mozilla.com> - Thu, 08 Mar 2018 14:54:58 -0500 - rev 446785
Bug 1444175 - Mark CamerasParent final; r=gcp MozReview-Commit-ID: 2m1rCZxrUTq
792ab44dd9ec02732ae1d964c1726967e05b598f: Bug 1440206 - Allow brokered access to a subset of connect() in the Linux content sandbox. r=gcp
Jed Davis <jld@mozilla.com> - Fri, 09 Mar 2018 19:31:23 -0700 - rev 446774
Bug 1440206 - Allow brokered access to a subset of connect() in the Linux content sandbox. r=gcp This is to support WebGL with hybrid graphics drivers that connect to a secondary X server for GL (Primus and VirtualGL), without allowing access to arbitrary sockets. In addition to local X11 connections, Primus needs to connect to the Bumblebee daemon (otherwise it will exit the calling process). The broker support is limited to AF_UNIX, to non-datagram sockets (see bug 1066750), and to pathname addresses. Abstract addresses could theoretically be handled but there isn't currently a compelling reason to, and the broker very much assumes it's dealing with a C-style string referring to a filesystem path and not an arbitrary byte sequence (including NULs). At a higher level: If the GPU X server is remote then it won't work, but it won't work anyway because WebGL requires features that aren't supported by indirect GLX. If the GPU X server is local but the browser is inside a chroot, it will fail to connect unless /tmp/.X11-unix is bind-mounted into the chroot; hopefully this use case is not common. MozReview-Commit-ID: IvI2jYDRZZ2
07b6161c7f60c5bc4d71388d952f1e643cdc8837: Bug 1434392 - Don't preload libmozsandbox in grandchild processes, only the sandboxed children themselves. r=gcp
Jed Davis <jld@mozilla.com> - Wed, 07 Mar 2018 18:55:20 -0700 - rev 446569
Bug 1434392 - Don't preload libmozsandbox in grandchild processes, only the sandboxed children themselves. r=gcp
8e02f09249084029fec6d6bbdd2b9351398c3dee: Bug 1442486 - Mark LookupCacheV4 as primed after creating it. r=gcp
Francois Marier <francois@mozilla.com> - Thu, 01 Mar 2018 18:09:58 -0800 - rev 445677
Bug 1442486 - Mark LookupCacheV4 as primed after creating it. r=gcp RegenActiveTables() relies on mPrimed being set correctly and so the V4 lookup cache should behave the same way as the V2 one. The V2 lookup cache on the other hand was unnecessarily setting mPrimed to true twice. MozReview-Commit-ID: LwNdI9DTqZ7
67e9ab1a47457ae5aa9a250d00d65441de6b4f8e: Bug 1439455 - Display error names instead of codes in about:url-classifier. r=gcp
Francois Marier <francois@mozilla.com> - Thu, 22 Feb 2018 17:37:53 -0800 - rev 445166
Bug 1439455 - Display error names instead of codes in about:url-classifier. r=gcp This also changes a few MOZ_LOG() messages to use the error name instead of the raw numerical nsresult value. MozReview-Commit-ID: Jcngd0S9j2z
2d6c681af2c246a63f23d2ad9c656c59103aba5b: Bug 1439455 - Round timestamps up to nearest minute in log messages. r=gcp
Francois Marier <francois@mozilla.com> - Thu, 22 Feb 2018 14:21:41 -0800 - rev 445165
Bug 1439455 - Round timestamps up to nearest minute in log messages. r=gcp MozReview-Commit-ID: DDv8smOelPQ
fca779af7ef708dc4fd7b54a07ff2834747c7c86: Bug 1438391 - Detect VirtualGL and weaken the sandbox enough for it to work. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 22 Feb 2018 19:14:41 -0700 - rev 445163
Bug 1438391 - Detect VirtualGL and weaken the sandbox enough for it to work. r=gcp MozReview-Commit-ID: BXmm8JSfkeI
936b73ae6e3ce7a98e596b0422b2776db349e85d: Bug 1438401 - Quietly fail shmget() in sandboxed content processes. r=gcp
Jed Davis <jld@mozilla.com> - Tue, 27 Feb 2018 21:30:08 -0700 - rev 445162
Bug 1438401 - Quietly fail shmget() in sandboxed content processes. r=gcp The X11 symbol interposition isn't enough, possibly because Cairo can also use XCB. Interposing XCB is more difficult because the API exposes more protocol details. Instead, just allow shmget to be called and fail; this will tell Cairo that it can't use SysV IPC with the X server, which is what we want. MozReview-Commit-ID: 5y9tE7UXMTE
923a5ace946a597e58bb14793cf20d1135c8b167: Bug 1362761 - Improve logging in PrefixSet. r=gcp
Francois Marier <francois@mozilla.com> - Wed, 21 Feb 2018 17:55:12 -0800 - rev 444676
Bug 1362761 - Improve logging in PrefixSet. r=gcp In addition to including the name of the prefix set in all of the LOG messages, the VariablePrefixSet class now initializes its dependent fixed-size prefix set correctly. MozReview-Commit-ID: C7c78HLcXY3
3a00711bb0e66315aed2077e1250b62be5832806: Bug 1362761 - Add checksum to nsUrlClassifierPrefixSet::mIndexDeltas array. r=gcp
Francois Marier <francois@mozilla.com> - Thu, 15 Feb 2018 16:59:14 -0800 - rev 444675
Bug 1362761 - Add checksum to nsUrlClassifierPrefixSet::mIndexDeltas array. r=gcp Adding a checksum to an array in the URL classifier to test our theory that the crashes are due to memory corruption. This patch also restores the Compact() calls that were #ifdef'd out in bug 1362761 to test a different theory. MozReview-Commit-ID: IkLduLO3IXb
308f2a530cd1ba24eeb79d454bd1880322515e20: Bug 1439468 - Improve error reporting in Safe Browsing protocol parser. r=gcp
Francois Marier <francois@mozilla.com> - Tue, 20 Feb 2018 13:54:30 -0800 - rev 444013
Bug 1439468 - Improve error reporting in Safe Browsing protocol parser. r=gcp MozReview-Commit-ID: JeyCZSbdZBd
106b66081b0df1dfbdebfdbeac5988c7f444943e: Bug 1254323 - Reduce identical gethash requests done by the URL Classifier. r=gcp
DimiL <dlee@mozilla.com> - Wed, 14 Feb 2018 16:12:29 -0800 - rev 444012
Bug 1254323 - Reduce identical gethash requests done by the URL Classifier. r=gcp MozReview-Commit-ID: KNNL1dBqXx0
d418ce8a05644edb16f317c13fc1c8cd2b6c3c2f: Bug 1435859 - Fix OOM crash on filenames without extensions. r=gcp
Francois Marier <francois@mozilla.com> - Thu, 15 Feb 2018 12:30:40 -0800 - rev 444011
Bug 1435859 - Fix OOM crash on filenames without extensions. r=gcp Passing a value of -1 to nsCString::Truncate() converts that value to a large integer and leads to an unnecessary 4GB memory allocation. MozReview-Commit-ID: Icm5iUsEgA6
d853ce9b3dd3e2d4ac66c6e12b6ed2425513b91a: Bug 1438389 - Quietly disallow chown() in sandboxed content processes. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 15 Feb 2018 16:10:00 -0700 - rev 443980
Bug 1438389 - Quietly disallow chown() in sandboxed content processes. r=gcp Also covers fchownat() and attempts to be ready for newer archs like ARM64. Bonus fix: extend bug 1354731 (mknod) fix to cover mknodat so this part of the policy isn't glaringly inconsistent about "at" syscalls. Tested locally by attaching gdb and injecting syscalls. MozReview-Commit-ID: CCOk0jZVoG4
9dcf26ff6a6e910ed28745ea3604319a5536fcb1: Bug 1434528 - Adjust sandbox feature detection to deal with Ubuntu guest accounts. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 08 Feb 2018 17:46:42 -0700 - rev 443319
Bug 1434528 - Adjust sandbox feature detection to deal with Ubuntu guest accounts. r=gcp Guest sessions on Ubuntu (and maybe other distributions that use LightDM?) apply an AppArmor policy that allows CLONE_NEWUSER but doesn't allow using any of the capabilities it grants, or even configuring the new user namespace. This patch causes those environments to be detected as not supporting unprivileged user namespaces, because for all practical purposes they don't. MozReview-Commit-ID: HVkoBakRwaA
55dddaa9b77ce9314f788b3890c01934a143c390: Bug 1433636 - Put a limit on the length of Safe Browsing metadata values. r=gcp
Francois Marier <francois@mozilla.com> - Tue, 30 Jan 2018 14:21:33 -0800 - rev 443119
Bug 1433636 - Put a limit on the length of Safe Browsing metadata values. r=gcp Disk corruption can lead to the stored length of a value to be unreasonably large and trigger an OOM. Since values are all currently <= 32 bytes, we can safely enforce a 256-byte upper bound. MozReview-Commit-ID: XygReOpEK3
f4b1eccde367b86d34795e52f3a548666735b6e5: Bug 1384638 - Remove another NS_ENSURE warning from ShouldEnableTracking. r=gcp
Eric Rahm <erahm@mozilla.com> - Fri, 09 Feb 2018 16:32:41 -0800 - rev 442776
Bug 1384638 - Remove another NS_ENSURE warning from ShouldEnableTracking. r=gcp
b579fb6511ba94c03a726f365086406dcb4fa31d: Bug 1434741 - Only check final download URL against the application reputation whitelist. r=gcp
Francois Marier <francois@mozilla.com> - Mon, 05 Feb 2018 18:11:56 -0800 - rev 442523
Bug 1434741 - Only check final download URL against the application reputation whitelist. r=gcp MozReview-Commit-ID: QCaStgteko
0cdfcf8734a9eeb40ff2d0f8a60fa05d8a56a6bb: Bug 1436213 - Make test_bug1274685_unowned_list.js work on pver2 and pver4. r=gcp
Francois Marier <francois@mozilla.com> - Tue, 06 Feb 2018 15:36:48 -0800 - rev 442517
Bug 1436213 - Make test_bug1274685_unowned_list.js work on pver2 and pver4. r=gcp This test is supposed to verify that Safe Browsing providers can be initialized correctly even when a table is not configured properly. By removing a table from both google and google4, we ensure that the test will be meaningful regardless of the stack in use. Also filter out the console noise triggered by looking for the update and gethash URLs of the "test" dummy provider. MozReview-Commit-ID: KjWqSqA4FxJ
5ea26fba220d1ef35ce40eeb281ad3ce4bbe6e5f: Bug 1436882 - Fix termination signal when clone()ing child processes. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 08 Feb 2018 17:30:03 -0700 - rev 442461
Bug 1436882 - Fix termination signal when clone()ing child processes. r=gcp This fixes a mistake in bug 1401062: the termination signal was omitted, so it's 0, and if it isn't exactly SIGCHLD, then a tracer/debugger will receive PTRACE_EVENT_CLONE rather than PTRACE_EVENT_FORK. This causes GDB to see the child process as a thread instead of a separate process, and it becomes very confused after the process calls execve(). MozReview-Commit-ID: Baf2RFHVWRU
4e2bf17f806d4451e4390dc5f6bd83daeca1b8ce: Bug 1425274 - Filter socketpair() in content sandbox on 32-bit x86 with new-enough kernels. r=gcp
Jed Davis <jld@mozilla.com> - Mon, 29 Jan 2018 17:36:06 -0700 - rev 442302
Bug 1425274 - Filter socketpair() in content sandbox on 32-bit x86 with new-enough kernels. r=gcp This replaces the globals for whether socket calls (and ipc(2) calls, but we never used that) have real arguments with a parameter, which in hindsight should have been done in bug 1273852, which is when we started handling both socketcall(2) and separate socket calls in the same policy. This allows handling the two cases differently. MozReview-Commit-ID: 1pfckmCpJlW
74b5e036363f6123db0a96e31355b4aa88058c28: Bug 1376910 - Remove SysV IPC access from Linux content sandbox when possible. r=gcp
Jed Davis <jld@mozilla.com> - Fri, 26 Jan 2018 19:43:10 -0700 - rev 442280
Bug 1376910 - Remove SysV IPC access from Linux content sandbox when possible. r=gcp There are a few things that use SysV IPC, which we discovered the last time we tried to do this, which need to be accommodated: 1. The ALSA dmix plugin; if the build has ALSA support (off by default) and if audio remoting is disabled, SysV IPC is allowed. 2. ATI/AMD's old proprietary graphics driver (fglrx), which is obsolete and doesn't support newer hardware, but still has users; if it's detected, SysV IPC is allowed. 3. Graphics libraries trying to use the MIT-SHM extension; this is already turned off for other reasons (see bug 1271100), but that shim seems to not load early enough in some cases, so it's copied into libmozsandbox, which is preloaded before anything else in LD_PRELOAD. Also, msgget is now blocked in all cases; the only case it was known to be used involved ESET antivirus, which is now handled specially (bug 1362601). In any case, the seccomp-bpf policy has never allowed actually *using* message queues, so creating them is not very useful. MozReview-Commit-ID: 5bOOQcXFd9U
40f74605367ec4d620873fa8ff90c2dcc2a7ce31: Bug 1435098 - Gate flashinfobar list on the plugins.show_infobar. r=bytesized,gcp
Francois Marier <francois@mozilla.com> - Fri, 02 Feb 2018 13:30:28 -0800 - rev 441958
Bug 1435098 - Gate flashinfobar list on the plugins.show_infobar. r=bytesized,gcp The list of sites to suppress flash infobars on should not be downloaded from shavar unless the infobar feature is enabled. MozReview-Commit-ID: BjkS5vWiilg
3884f0f9f316613ba0e60845e40f166c58b20d3b: Bug 1435098 - Gate flashinfobar list on the plugins.show_infobar. r=bytesized,gcp
Francois Marier <francois@mozilla.com> - Fri, 02 Feb 2018 13:30:28 -0800 - rev 441869
Bug 1435098 - Gate flashinfobar list on the plugins.show_infobar. r=bytesized,gcp The list of sites to suppress flash infobars on should not be downloaded from shavar unless the infobar feature is enabled. MozReview-Commit-ID: BjkS5vWiilg
3a9399e07e62176256c052bcc1538937ac667174: Bug 1435435 - Add new binary extensions to download protection. r=gcp
Francois Marier <francois@mozilla.com> - Fri, 02 Feb 2018 16:09:48 -0800 - rev 441868
Bug 1435435 - Add new binary extensions to download protection. r=gcp Sync up with the Chrome list and add new BitTorrent, Visio and HTML-like file extensions. https://cs.chromium.org/chromium/src/chrome/browser/resources/safe_browsing/download_file_types.asciipb MozReview-Commit-ID: Alh2hrOZy1h
46c4a5ce6e0f8e13363e96a22e74912eed10bd00: Bug 1213998 - Apply chroot() to sandboxed content processes on Linux. r=gcp
Jed Davis <jld@mozilla.com> - Tue, 16 Jan 2018 19:10:51 -0700 - rev 441306
Bug 1213998 - Apply chroot() to sandboxed content processes on Linux. r=gcp MozReview-Commit-ID: DGepECmw3pq
a415b43fc1d26ff89cd3d9fd4bed95611febbabe: Bug 1430949 - Isolate network namespace in Linux content sandbox level 4. r=gcp
Jed Davis <jld@mozilla.com> - Tue, 23 Jan 2018 22:31:06 -0700 - rev 441295
Bug 1430949 - Isolate network namespace in Linux content sandbox level 4. r=gcp This is turned off if the X11 server is remote -- including TCP to localhost -- because otherwise it would be blocked. Note that ssh X forwarding presents a TCP-only server. The Nightly default for the force-namespace hidden pref is changed to false, because we will now normally be using namespaces if available. MozReview-Commit-ID: L9BbLdoLvLg
79905d4e85aba22cafcd8f331b06197134267975: Bug 1431192 - Only fetch download protection lists when Safe Browsing is enabled. r=gcp
Francois Marier <francois@mozilla.com> - Mon, 29 Jan 2018 15:16:54 -0800 - rev 441100
Bug 1431192 - Only fetch download protection lists when Safe Browsing is enabled. r=gcp Download protection requires both the malware list as well as its own special lists. The code therefore checks that both Safe Browsing and download protection are enabled before checking downloaded files. The list manager should check the same prefs before downloading any of the download protection lists in order to avoid connecting to the Safe Browsing server when Safe Browsing is fully disabled. MozReview-Commit-ID: 66vMA56T4pJ
bdb502c30c7c72c758d7bc4f22774fe27d045c1d: Bug 1431370 - Make DoRiceDeltaDecode allocation fallible to fix startup OOM crash. r=gcp
Francois Marier <francois@mozilla.com> - Tue, 30 Jan 2018 13:26:43 -0800 - rev 441099
Bug 1431370 - Make DoRiceDeltaDecode allocation fallible to fix startup OOM crash. r=gcp MozReview-Commit-ID: 2vf4EU4TVCq
478aba1b67a459246c2cb909a5fd9a4766d8641f: Bug 1410522 - Enable download protection on non-official builds too. r=gcp,johannh
Francois Marier <francois@mozilla.com> - Mon, 29 Jan 2018 15:51:14 -0800 - rev 440888
Bug 1410522 - Enable download protection on non-official builds too. r=gcp,johannh This reverts the change introduced in bug 1394053. Google has made the download protection lists available to everyone and so we no longer need to restrict the download protection feature to official builds. MozReview-Commit-ID: CQcG5Ip1mDV
af41b725ff915e0bca46a43175fc20c8a0785b86: Bug 1386019 - Also remove ALSA-related sandbox rules if ALSA is remoted. r=gcp
Jed Davis <jld@mozilla.com> - Tue, 23 Jan 2018 22:37:45 -0700 - rev 439909
Bug 1386019 - Also remove ALSA-related sandbox rules if ALSA is remoted. r=gcp MozReview-Commit-ID: FKebcgPi60x
c2836d5bc6bc2daef4c7fb2d6507730992bd3d97: Bug 1386019 - Remove PulseAudio-specific sandbox broker rules when remoting audio. r=gcp
Jed Davis <jld@mozilla.com> - Tue, 23 Jan 2018 22:37:44 -0700 - rev 439908
Bug 1386019 - Remove PulseAudio-specific sandbox broker rules when remoting audio. r=gcp This also moves those parts of the policy factory out of the constructor, because the pref service isn't initialized yet at that point. MozReview-Commit-ID: 6wbq4MHu1GJ
ff1469e834940ae28709a94c14ea02e0428e1cc5: Bug 1386019 - At sandbox level 4, remove syscalls used only by PulseAudio. r=gcp
Jed Davis <jld@mozilla.com> - Tue, 23 Jan 2018 22:37:44 -0700 - rev 439907
Bug 1386019 - At sandbox level 4, remove syscalls used only by PulseAudio. r=gcp MozReview-Commit-ID: 7YbJ8uYub7f
35083f8586e713ecf393435c63ed2a93bc7c5803: Bug 1126437 - Add Linux content sandbox level 4 for blocking socket APIs. r=gcp
Jed Davis <jld@mozilla.com> - Tue, 23 Jan 2018 22:35:44 -0700 - rev 439906
Bug 1126437 - Add Linux content sandbox level 4 for blocking socket APIs. r=gcp Level 4 is now the default unless audio remoting (media.cubeb.sandbox pref) is disabled. MozReview-Commit-ID: 4jUgiZnJImt
bb5e75c2d0c8473678517965ad6e6d0ff3c323fb: Bug 1126437 - Reorganize content sandbox params extracted from libxul APIs. r=gcp
Jed Davis <jld@mozilla.com> - Tue, 23 Jan 2018 22:35:44 -0700 - rev 439905
Bug 1126437 - Reorganize content sandbox params extracted from libxul APIs. r=gcp The end goal is to allow the seccomp-bpf policy to vary based on the content sandbox level. Rather than add yet another parameter to SetContentProcessSandbox to pass down the sandbox level, this collects the values that have to be computed in libxul into a struct, and moves the code that computes it so it's not cluttering up ContentChild. MozReview-Commit-ID: L0dyQwHQKhc
22ce3b9ca9af6ee4448141c7b4181fd7f6b17fde: Bug 1430756 - Remove check for unshare(), which we're no longer using. r=gcp
Jed Davis <jld@mozilla.com> - Mon, 22 Jan 2018 14:32:48 -0700 - rev 439785
Bug 1430756 - Remove check for unshare(), which we're no longer using. r=gcp This also removes an assertion that was failing under external sandboxes that deny unshare() even when it's a no-op. MozReview-Commit-ID: KBEPJyDGU7M
bd7ff5744eb29e105b7b3c37cb5f46164fa11ef4: Bug 1401062 - Avoid doing sandbox-related things to unsandboxed child processes. r=gcp
Jed Davis <jld@mozilla.com> - Tue, 09 Jan 2018 19:54:56 -0700 - rev 439532
Bug 1401062 - Avoid doing sandbox-related things to unsandboxed child processes. r=gcp This is a small piece of cleanup that turned out to not be strictly necessary for the rest of this, so I've made it a separate commit. Sandbox-related launch adjustments (currently, interposing libc functions and providing a file descriptor for the syscall reporter) are no longer applied to processes that won't be sandboxed. The MOZ_SANDBOXED environment variable communicates this to the child process, which allows SandboxEarlyInit to be skipped in that case as well. The idea is that disabling sandboxing for a process type, as part of troubleshooting, should disable everything sandbox-related. As a side-effect, this also skips some very minor but unnecessary overhead for NPAPI process startup. MozReview-Commit-ID: D0KxsRIIRN
400800683ab64f40bade321bf05f5db03ff3ebd5: Bug 1401062 - Create Linux child processes with clone() for namespace/chroot sandboxing. r=gcp
Jed Davis <jld@mozilla.com> - Fri, 06 Oct 2017 17:16:41 -0600 - rev 439531
Bug 1401062 - Create Linux child processes with clone() for namespace/chroot sandboxing. r=gcp Namespace isolation is now handled by using clone() at process creation time, rather than calling unshare. pthread_atfork will no longer apply to sandboxed child processes. The two significant uses of it in Firefox currently are to (1) make malloc work post-fork, which we already avoid depending on in IPC and sandboxing, and (2) block SIGPROF while forking, which is taken care of; see SandboxFork::Fork for details. Note that if we need pthread_atfork in the future it could be emulated by symbol interposition. clone() is called via glibc's wrapper, for increased compatibility vs. invoking the syscall directly, using longjmp to recover the syscall's fork-like semantics the same way Chromium does; see comments for details. The chroot helper is reimplemented; the general approach is similar, but instead of a thread it's a process cloned with CLONE_FS (so the filesystem root is shared) from the child process before it calls exec, so that it still holds CAP_SYS_CHROOT in the newly created user namespace. This does mean that it will retain a CoW copy of the parent's address space until the child starts sandboxing, but that is a relatively short period of time, so the memory overhead should be small and short-lived. The chrooting now happens *after* the seccomp-bpf policy is applied; previously this wasn't possible because the chroot thread would have become seccomp-restricted and unable to chroot. This fixes a potential race condition where a thread could try to access the filesystem after chrooting but before having its syscalls intercepted for brokering, causing spurious failure. (This failure mode hasn't been observed in practice, but we may not be looking for it.) This adds a hidden bool pref, security.sandbox.content.force-namespace, which unshares the user namespace (if possible) even if no sandboxing requires it. It defaults to true on Nightly and false otherwise, to get test coverage; the default will change to false once we're using namespaces by default with content. MozReview-Commit-ID: JhCXF9EgOt6
0a64770aace0e8fa74b972a03a610ceaaec73161: Bug 1401062 - Delete the old namespace/chroot code and reorganize sandbox init. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 31 Aug 2017 20:38:25 -0600 - rev 439530
Bug 1401062 - Delete the old namespace/chroot code and reorganize sandbox init. r=gcp This is mostly deletion, except for SandboxEarlyInit. The unshare() parts are going away, and the "unexpected threads" workaround can go away along with them, but the signal broadcast setup still needs to happen early so we can prevent blocking the signal. So, SandboxEarlyInit's contract changes slightly from "call before any other threads exist" to "before any threads that might block all signals", and everything that can be deferred to immediately before sandbox startup is. As a result, some getenv()s change to PR_GetEnv because there can be threads, and there is now an NSPR dependency. (This may mean that mozglue can no longer interpose symbols in NSPR, because libmozsandbox is preloaded, but I don't think we're doing that.) MozReview-Commit-ID: 7e9u0qBNOqn
17c5d6591ddef2166d1fe7785d9f9f859e79ac98: Bug 1435859 - Fix OOM crash on filenames without extensions. r=gcp, a=RyanVM
Francois Marier <francois@mozilla.com> - Thu, 15 Feb 2018 12:30:40 -0800 - rev 439399
Bug 1435859 - Fix OOM crash on filenames without extensions. r=gcp, a=RyanVM Passing a value of -1 to nsCString::Truncate() converts that value to a large integer and leads to an unnecessary 4GB memory allocation. MozReview-Commit-ID: Icm5iUsEgA6
45c1f99b1b86dcdb6a7c1d28724749f2f0b79163: Bug 1433636 - Put a limit on the length of Safe Browsing metadata values. r=gcp, a=lizzard
Francois Marier <francois@mozilla.com> - Tue, 30 Jan 2018 14:21:33 -0800 - rev 439363
Bug 1433636 - Put a limit on the length of Safe Browsing metadata values. r=gcp, a=lizzard Disk corruption can lead to the stored length of a value to be unreasonably large and trigger an OOM. Since values are all currently <= 32 bytes, we can safely enforce a 256-byte upper bound. MozReview-Commit-ID: XygReOpEK3
536f8eeb6485913cabc1abbe56798b7bcd380fe3: Bug 1435098 - Gate flashinfobar list on the plugins.show_infobar. r=bytesized,gcp a=RyanVM
Francois Marier <francois@mozilla.com> - Fri, 02 Feb 2018 13:30:28 -0800 - rev 439099
Bug 1435098 - Gate flashinfobar list on the plugins.show_infobar. r=bytesized,gcp a=RyanVM The list of sites to suppress flash infobars on should not be downloaded from shavar unless the infobar feature is enabled. MozReview-Commit-ID: BjkS5vWiilg
fb10c0f561b34bcb31397f50338066ef1f34cfe7: Bug 1431370 - Make DoRiceDeltaDecode allocation fallible to fix startup OOM crash. r=gcp a=RyanVM
Francois Marier <francois@mozilla.com> - Tue, 30 Jan 2018 13:26:43 -0800 - rev 439093
Bug 1431370 - Make DoRiceDeltaDecode allocation fallible to fix startup OOM crash. r=gcp a=RyanVM MozReview-Commit-ID: 2vf4EU4TVCq
7cefe9877e46f2eefab2a8169777755b96252743: Bug 1431192 - Only fetch download protection lists when Safe Browsing is enabled. r=gcp, a=RyanVM
Francois Marier <francois@mozilla.com> - Mon, 29 Jan 2018 15:16:54 -0800 - rev 439049
Bug 1431192 - Only fetch download protection lists when Safe Browsing is enabled. r=gcp, a=RyanVM Download protection requires both the malware list as well as its own special lists. The code therefore checks that both Safe Browsing and download protection are enabled before checking downloaded files. The list manager should check the same prefs before downloading any of the download protection lists in order to avoid connecting to the Safe Browsing server when Safe Browsing is fully disabled. MozReview-Commit-ID: 66vMA56T4pJ
4248602674ff589f368a4b868fa4743a033640e4: Bug 1428950 - Unbreak build on BSDs after bug 1297740. r=gcp
Jan Beich <jbeich@FreeBSD.org> - Tue, 09 Jan 2018 02:13:20 +0000 - rev 436976
Bug 1428950 - Unbreak build on BSDs after bug 1297740. r=gcp
ed67462e65747f5d393754203a246928d8dd1514: Bug 1425688 - Enable ESLint rule mozilla/use-services for security/. r=gcp,keeler
Mark Banner <standard8@mozilla.com> - Sat, 16 Dec 2017 13:10:40 -0600 - rev 436246
Bug 1425688 - Enable ESLint rule mozilla/use-services for security/. r=gcp,keeler MozReview-Commit-ID: 4Kd9L8ExNGl