Bug 1412090 - patch 3 - Check the sandbox policy to verify font files will be readable by the content process before including them in the system font list. r=gps a=gchang
authorJonathan Kew <jkew@mozilla.com>
Thu, 09 Nov 2017 16:54:30 +0000
changeset 444855 5edf5a792dc37f502452fc103fbdf490b7b6874b
parent 444854 a298f27945aafc8282c103c90916d4c7ca57c82f
child 444856 5758facf358ba61b7bebb63d9b8e873f30f33124
push id1618
push userCallek@gmail.com
push dateThu, 11 Jan 2018 17:45:48 +0000
reviewersgps, gchang
bugs1412090
milestone58.0
Bug 1412090 - patch 3 - Check the sandbox policy to verify font files will be readable by the content process before including them in the system font list. r=gps a=gchang
gfx/thebes/gfxFcPlatformFontList.cpp
gfx/thebes/gfxFcPlatformFontList.h
--- a/gfx/thebes/gfxFcPlatformFontList.cpp
+++ b/gfx/thebes/gfxFcPlatformFontList.cpp
@@ -35,16 +35,21 @@
 #include <gdk/gdk.h>
 #include "gfxPlatformGtk.h"
 #endif
 
 #ifdef MOZ_X11
 #include "mozilla/X11Util.h"
 #endif
 
+#ifdef MOZ_CONTENT_SANDBOX
+#include "mozilla/SandboxBrokerPolicyFactory.h"
+#include "mozilla/SandboxSettings.h"
+#endif
+
 using namespace mozilla;
 using namespace mozilla::gfx;
 using namespace mozilla::unicode;
 
 using mozilla::dom::SystemFontListEntry;
 using mozilla::dom::FontPatternListEntry;
 
 #ifndef FC_POSTSCRIPT_NAME
@@ -1296,17 +1301,19 @@ gfxFcPlatformFontList::~gfxFcPlatformFon
 {
     if (mCheckFontUpdatesTimer) {
         mCheckFontUpdatesTimer->Cancel();
         mCheckFontUpdatesTimer = nullptr;
     }
 }
 
 void
-gfxFcPlatformFontList::AddFontSetFamilies(FcFontSet* aFontSet, bool aAppFonts)
+gfxFcPlatformFontList::AddFontSetFamilies(FcFontSet* aFontSet,
+                                          const SandboxPolicy* aPolicy,
+                                          bool aAppFonts)
 {
     // This iterates over the fonts in a font set and adds in gfxFontFamily
     // objects for each family. Individual gfxFontEntry objects for each face
     // are not created here; the patterns are just stored in the family. When
     // a family is actually used, it will be populated with gfxFontEntry
     // records and the patterns moved to those.
 
     if (!aFontSet) {
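Review bot: The explanatory comment that opens AddFontSetFamilies (the five lines after the signature) is not updated for the new aPolicy parameter, and neither is the declaration comment in gfxFcPlatformFontList.h ("aAppFonts indicates whether this is the system or application fontset."), so a reader has to find the #ifdef'd block further down to learn what a null policy means. I would add one sentence in both places, e.g. `// aPolicy, if non-null, is the content-process sandbox policy; fonts whose path it does not grant MAY_READ on are left out of the list. In non-sandbox builds it is a dummy type and is ignored.`. It is also worth stating explicitly that a null aPolicy means "no filtering", since that is the behaviour callers get when the sandbox is disabled. AddFontSetFamilies's body continues outside this hunk.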
@@ -1325,19 +1332,24 @@ gfxFcPlatformFontList::AddFontSetFamilie
         FcChar8* path;
         if (FcPatternGetString(pattern, FC_FILE, 0, &path) != FcResultMatch) {
             continue;
         }
         if (access(reinterpret_cast<const char*>(path), F_OK | R_OK) != 0) {
             continue;
         }
 
-        // TODO:
-        // Verify that /path/ will be readable with the content-process sandbox
-        // rules; any blocked fonts must not be included in the font list.
+#ifdef MOZ_CONTENT_SANDBOX
+        // Skip any fonts that will be blocked by the content-process sandbox
+        // policy.
+        if (aPolicy && !(aPolicy->Lookup(reinterpret_cast<const char*>(path)) &
+                         SandboxBroker::Perms::MAY_READ)) {
+            continue;
+        }
+#endif
 
         AddPatternToFontList(pattern, lastFamilyName,
                              familyName, fontFamily, aAppFonts);
     }
 }
 
 void
 gfxFcPlatformFontList::AddPatternToFontList(FcPattern* aFont,
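Review bot: The new policy check passes the FC_FILE path to Lookup() exactly as fontconfig reports it, while the access() test two lines above runs with the parent process's privileges and therefore says nothing about what the content process will be able to open; the policy lookup is the only check that reflects the sandbox, so its input needs to match what the broker will later see. If fontconfig can report a path that goes through a symlink, or a path spelled differently from the one the broker policy was built from, the lookup may disagree with the eventual open() in the content process, and such a font would either be silently dropped here or listed but unreadable later; I cannot tell from this hunk how Lookup() normalises paths, so this is worth confirming against the broker. A short comment recording that assumption would help the next reader, e.g. `// Lookup() is expected to be given the same path form the broker will be asked for at open() time.`. Note also that the check is skipped entirely when aPolicy is null, which is intended for the sandbox-off case but means a failure to build the policy in the caller degrades to "list everything" rather than "list nothing".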
@@ -1480,23 +1492,35 @@ gfxFcPlatformFontList::InitFontListForPl
 
         fontList.Clear();
 
         return NS_OK;
     }
 
     mLastConfig = FcConfigGetCurrent();
 
+    UniquePtr<SandboxPolicy> policy;
+
+#ifdef MOZ_CONTENT_SANDBOX
+    // Create a temporary SandboxPolicy to check font paths; use a fake PID
+    // to avoid picking up any PID-specific rules by accident.
+    SandboxBrokerPolicyFactory policyFactory;
+    if (GetEffectiveContentSandboxLevel() > 0 &&
+        !PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
+        policy = policyFactory.GetContentPolicy(-1, false);
+    }
+#endif
+
     // iterate over available fonts
     FcFontSet* systemFonts = FcConfigGetFonts(nullptr, FcSetSystem);
-    AddFontSetFamilies(systemFonts, /* aAppFonts = */ false);
+    AddFontSetFamilies(systemFonts, policy.get(), /* aAppFonts = */ false);
 
 #ifdef MOZ_BUNDLED_FONTS
     FcFontSet* appFonts = FcConfigGetFonts(nullptr, FcSetApplication);
-    AddFontSetFamilies(appFonts, /* aAppFonts = */ true);
+    AddFontSetFamilies(appFonts, policy.get(), /* aAppFonts = */ true);
 #endif
 
     return NS_OK;
 }
 
 void
 gfxFcPlatformFontList::ReadSystemFontList(
     InfallibleTArray<SystemFontListEntry>* retValue)
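Review bot: The call `policy = policyFactory.GetContentPolicy(-1, false);` explains the fake PID in its comment but not the `false` argument, whereas the same hunk annotates the boolean it passes to AddFontSetFamilies as `/* aAppFonts = */ false`; for consistency the second argument should carry the same kind of inline name, e.g. `policyFactory.GetContentPolicy(-1, /* <parameter name from the factory> = */ false);` with the real parameter name filled in. Separately, the guard tests both `GetEffectiveContentSandboxLevel() > 0` and `!PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")`; if the effective-level helper already accounts for that environment variable the second test is redundant, and if it does not, this is a second place that has to agree with the sandbox code on the variable's meaning, so a one-line comment saying which case applies would avoid the two drifting apart. The fake-PID policy is only as faithful as the rules that do not depend on the real PID; that limitation is implied by the comment but would be clearer stated outright. InitFontListForPlatform starts outside this hunk.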
--- a/gfx/thebes/gfxFcPlatformFontList.h
+++ b/gfx/thebes/gfxFcPlatformFontList.h
@@ -16,16 +16,20 @@
 
 #include <fontconfig/fontconfig.h>
 #include "ft2build.h"
 #include FT_FREETYPE_H
 #include FT_TRUETYPE_TABLES_H
 #include <cairo.h>
 #include <cairo-ft.h>
 
+#ifdef MOZ_CONTENT_SANDBOX
+#include "mozilla/SandboxBroker.h"
+#endif
+
 namespace mozilla {
     namespace dom {
         class SystemFontListEntry;
     };
 };
 
 template <>
 class nsAutoRefTraits<FcPattern> : public nsPointerRefTraits<FcPattern>
@@ -300,19 +304,27 @@ public:
         mGenericMappings.Clear();
     }
 
     static FT_Library GetFTLibrary();
 
 protected:
     virtual ~gfxFcPlatformFontList();
 
+#ifdef MOZ_CONTENT_SANDBOX
+    typedef mozilla::SandboxBroker::Policy SandboxPolicy;
+#else
+    // Dummy type just so we can still have a SandboxPolicy* parameter.
+    struct SandboxPolicy {};
+#endif
+
     // Add all the font families found in a font set.
     // aAppFonts indicates whether this is the system or application fontset.
-    void AddFontSetFamilies(FcFontSet* aFontSet, bool aAppFonts);
+    void AddFontSetFamilies(FcFontSet* aFontSet, const SandboxPolicy* aPolicy,
+                            bool aAppFonts);
 
     // Helper for above, to add a single font pattern.
     void AddPatternToFontList(FcPattern* aFont, FcChar8*& aLastFamilyName,
                               nsAString& aFamilyName,
                               RefPtr<gfxFontconfigFontFamily>& aFontFamily,
                               bool aAppFonts);
 
     // figure out which families fontconfig maps a generic to