Bug 1412090 - patch 3 - Check the sandbox policy to verify font files will be readable by the content process before including them in the system font list. r=gps
authorJonathan Kew <jkew@mozilla.com>
Thu, 09 Nov 2017 16:54:30 +0000
changeset 444290 eec946b5936068af4034b536735710e6f15d2e2a
parent 444289 72a6f5f3512c49acc3e3735dbadd1007f9ddc54c
child 444291 75e7f32c336501a698e618667ab180abc9ff6e84
push id1618
push userCallek@gmail.com
push dateThu, 11 Jan 2018 17:45:48 +0000
reviewersgps
bugs1412090
milestone58.0a1
Bug 1412090 - patch 3 - Check the sandbox policy to verify font files will be readable by the content process before including them in the system font list. r=gps
gfx/thebes/gfxFcPlatformFontList.cpp
gfx/thebes/gfxFcPlatformFontList.h
--- a/gfx/thebes/gfxFcPlatformFontList.cpp
+++ b/gfx/thebes/gfxFcPlatformFontList.cpp
@@ -35,16 +35,21 @@
 #include <gdk/gdk.h>
 #include "gfxPlatformGtk.h"
 #endif
 
 #ifdef MOZ_X11
 #include "mozilla/X11Util.h"
 #endif
 
+#ifdef MOZ_CONTENT_SANDBOX
+#include "mozilla/SandboxBrokerPolicyFactory.h"
+#include "mozilla/SandboxSettings.h"
+#endif
+
 using namespace mozilla;
 using namespace mozilla::gfx;
 using namespace mozilla::unicode;
 
 using mozilla::dom::SystemFontListEntry;
 using mozilla::dom::FontPatternListEntry;
 
 #ifndef FC_POSTSCRIPT_NAME
@@ -1296,17 +1301,19 @@ gfxFcPlatformFontList::~gfxFcPlatformFon
 {
     if (mCheckFontUpdatesTimer) {
         mCheckFontUpdatesTimer->Cancel();
         mCheckFontUpdatesTimer = nullptr;
     }
 }
 
 void
-gfxFcPlatformFontList::AddFontSetFamilies(FcFontSet* aFontSet, bool aAppFonts)
+gfxFcPlatformFontList::AddFontSetFamilies(FcFontSet* aFontSet,
+                                          const SandboxPolicy* aPolicy,
+                                          bool aAppFonts)
 {
     // This iterates over the fonts in a font set and adds in gfxFontFamily
     // objects for each family. Individual gfxFontEntry objects for each face
     // are not created here; the patterns are just stored in the family. When
     // a family is actually used, it will be populated with gfxFontEntry
     // records and the patterns moved to those.
 
     if (!aFontSet) {
@@ -1325,19 +1332,24 @@ gfxFcPlatformFontList::AddFontSetFamilie
         FcChar8* path;
         if (FcPatternGetString(pattern, FC_FILE, 0, &path) != FcResultMatch) {
             continue;
         }
         if (access(reinterpret_cast<const char*>(path), F_OK | R_OK) != 0) {
             continue;
         }
 
-        // TODO:
-        // Verify that /path/ will be readable with the content-process sandbox
-        // rules; any blocked fonts must not be included in the font list.
+#ifdef MOZ_CONTENT_SANDBOX
+        // Skip any fonts that will be blocked by the content-process sandbox
+        // policy.
+        if (aPolicy && !(aPolicy->Lookup(reinterpret_cast<const char*>(path)) &
+                         SandboxBroker::Perms::MAY_READ)) {
+            continue;
+        }
+#endif
 
         AddPatternToFontList(pattern, lastFamilyName,
                              familyName, fontFamily, aAppFonts);
     }
 }
 
 void
 gfxFcPlatformFontList::AddPatternToFontList(FcPattern* aFont,
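Review bot: The new `#ifdef MOZ_CONTENT_SANDBOX` check treats a null `aPolicy` as "no restrictions", so every font that passes `access()` is accepted when no policy was supplied; the comment should state that contract, e.g. `// Skip any fonts that will be blocked by the content-process sandbox policy (a null aPolicy means no filtering is applied).` The path is also `reinterpret_cast` twice, once in the `access()` check above and again in `aPolicy->Lookup(...)`; hoisting it once, `const char* filePath = reinterpret_cast<const char*>(path);`, and using it in both calls would read more cleanly. The body of AddFontSetFamilies starts outside this hunk.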
@@ -1452,23 +1464,35 @@ gfxFcPlatformFontList::InitFontListForPl
 
         fontList.Clear();
 
         return NS_OK;
     }
 
     mLastConfig = FcConfigGetCurrent();
 
+    UniquePtr<SandboxPolicy> policy;
+
+#ifdef MOZ_CONTENT_SANDBOX
+    // Create a temporary SandboxPolicy to check font paths; use a fake PID
+    // to avoid picking up any PID-specific rules by accident.
+    SandboxBrokerPolicyFactory policyFactory;
+    if (GetEffectiveContentSandboxLevel() > 0 &&
+        !PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
+        policy = policyFactory.GetContentPolicy(-1, false);
+    }
+#endif
+
     // iterate over available fonts
     FcFontSet* systemFonts = FcConfigGetFonts(nullptr, FcSetSystem);
-    AddFontSetFamilies(systemFonts, /* aAppFonts = */ false);
+    AddFontSetFamilies(systemFonts, policy.get(), /* aAppFonts = */ false);
 
 #ifdef MOZ_BUNDLED_FONTS
     FcFontSet* appFonts = FcConfigGetFonts(nullptr, FcSetApplication);
-    AddFontSetFamilies(appFonts, /* aAppFonts = */ true);
+    AddFontSetFamilies(appFonts, policy.get(), /* aAppFonts = */ true);
 #endif
 
     return NS_OK;
 }
 
 void
 gfxFcPlatformFontList::ReadSystemFontList(
     InfallibleTArray<SystemFontListEntry>* retValue)
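Review bot: If `policyFactory.GetContentPolicy(-1, false)` yields a null policy while the sandbox level is above zero, `policy` stays null and the following `AddFontSetFamilies` calls filter nothing, so the list would then include files the content process cannot read; whether that fail-open fallback is intended deserves a comment at the assignment, or a debug-only log when the policy is null under an enabled sandbox. `policyFactory` is also constructed before the `GetEffectiveContentSandboxLevel() > 0` test and is unused when that test fails; it could live inside the `if`. The second argument to `GetContentPolicy` is an unexplained `false` and would benefit from the same `/* name = */` annotation this file already uses for `aAppFonts` two lines below. The enclosing InitFontListForPlatform starts outside this hunk.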
--- a/gfx/thebes/gfxFcPlatformFontList.h
+++ b/gfx/thebes/gfxFcPlatformFontList.h
@@ -16,16 +16,20 @@
 
 #include <fontconfig/fontconfig.h>
 #include "ft2build.h"
 #include FT_FREETYPE_H
 #include FT_TRUETYPE_TABLES_H
 #include <cairo.h>
 #include <cairo-ft.h>
 
+#ifdef MOZ_CONTENT_SANDBOX
+#include "mozilla/SandboxBroker.h"
+#endif
+
 namespace mozilla {
     namespace dom {
         class SystemFontListEntry;
     };
 };
 
 template <>
 class nsAutoRefTraits<FcPattern> : public nsPointerRefTraits<FcPattern>
@@ -300,19 +304,27 @@ public:
         mGenericMappings.Clear();
     }
 
     static FT_Library GetFTLibrary();
 
 protected:
     virtual ~gfxFcPlatformFontList();
 
+#ifdef MOZ_CONTENT_SANDBOX
+    typedef mozilla::SandboxBroker::Policy SandboxPolicy;
+#else
+    // Dummy type just so we can still have a SandboxPolicy* parameter.
+    struct SandboxPolicy {};
+#endif
+
     // Add all the font families found in a font set.
     // aAppFonts indicates whether this is the system or application fontset.
-    void AddFontSetFamilies(FcFontSet* aFontSet, bool aAppFonts);
+    void AddFontSetFamilies(FcFontSet* aFontSet, const SandboxPolicy* aPolicy,
+                            bool aAppFonts);
 
     // Helper for above, to add a single font pattern.
     void AddPatternToFontList(FcPattern* aFont, FcChar8*& aLastFamilyName,
                               nsAString& aFamilyName,
                               RefPtr<gfxFontconfigFontFamily>& aFontFamily,
                               bool aAppFonts);
 
     // figure out which families fontconfig maps a generic to
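Review bot: The comment above the new `AddFontSetFamilies` declaration still documents only `aAppFonts`; the added `aPolicy` parameter, and what a null pointer means, should be described as well, e.g. `// aPolicy, if non-null, is the content-process sandbox policy; fonts whose files it does not permit reading are omitted from the list.` The `#else` branch's dummy `struct SandboxPolicy {}` could likewise note that a null pointer is the only value ever passed in non-sandbox builds, so readers do not look for a second implementation. The class body continues outside this hunk.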