authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-15 03:35:49 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-15 03:35:49 +0000
commitd8bbc7858622b6d9c278469aab701ca0b609cddf (patch)
treeeff41dc61d9f714852212739e6b3738b82a2af87 /security/sandbox
parentReleasing progress-linux version 125.0.3-1~progress7.99u1. (diff)
Merging upstream version 126.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/sandbox')
-rwxr-xr-xsecurity/sandbox/chromium-shim/patches/with_update/patch_order.txt1
-rw-r--r--security/sandbox/chromium-shim/patches/with_update/set_delayed_integrity_on_process_acl.patch39
-rw-r--r--security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc8
-rw-r--r--security/sandbox/common/test/SandboxTestingChildTests.h18
-rw-r--r--security/sandbox/linux/SandboxFilter.cpp15
-rw-r--r--security/sandbox/mac/SandboxPolicyContent.h1
-rw-r--r--security/sandbox/mac/SandboxPolicyRDD.h1
7 files changed, 74 insertions, 9 deletions
diff --git a/security/sandbox/chromium-shim/patches/with_update/patch_order.txt b/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
index 028348a0f0..703be7a3cb 100755
--- a/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
+++ b/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
@@ -31,3 +31,4 @@ add_loongarch_defines.patch
block_NtImpersonateAnonymousToken_before_LowerToken.patch
fix_broker_alive_mutex.patch
fix_max_syscalls_linux_aarch64.patch
+set_delayed_integrity_on_process_acl.patch
diff --git a/security/sandbox/chromium-shim/patches/with_update/set_delayed_integrity_on_process_acl.patch b/security/sandbox/chromium-shim/patches/with_update/set_delayed_integrity_on_process_acl.patch
new file mode 100644
index 0000000000..650c0e4f70
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/with_update/set_delayed_integrity_on_process_acl.patch
@@ -0,0 +1,39 @@
+# HG changeset patch
+# User Bob Owen <bobowencode@gmail.com>
+# Date 1709836178 0
+# Thu Mar 07 18:29:38 2024 +0000
+# Node ID 2b9ab7e6c5a1630b497fe1543634cbaebdc395f8
+# Parent f9c20c064d639a146ffa09ec832aee6dff44643d
+Bug 1889932 p1: Set process ACL to the delayed integrity level in LowerToken. r=yjuglaret!
+
+This allows us to maintain the same access to our process when the integrity
+level on our access token is dropped.
+
+Differential Revision: https://phabricator.services.mozilla.com/D206784
+
+diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
++++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+@@ -302,16 +302,22 @@ DWORD SetTokenIntegrityLevel(HANDLE toke
+ DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level) {
+ // We don't check for an invalid level here because we'll just let it
+ // fail on the SetTokenIntegrityLevel call later on.
+ if (integrity_level == INTEGRITY_LEVEL_LAST) {
+ // No mandatory level specified, we don't change it.
+ return ERROR_SUCCESS;
+ }
+
++ // Set integrity level for our process ACL, so we retain access to it.
++ // We ignore failures because this is not a security measure, but some
++ // functionality may fail later in the process.
++ SetObjectIntegrityLabel(::GetCurrentProcess(), SE_KERNEL_OBJECT, L"",
++ GetIntegrityLevelString(integrity_level));
++
+ HANDLE token_handle;
+ if (!::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_DEFAULT,
+ &token_handle))
+ return ::GetLastError();
+
+ base::win::ScopedHandle token(token_handle);
+
+ return SetTokenIntegrityLevel(token.Get(), integrity_level);
diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
index d93386d646..b4830bd253 100644
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
@@ -307,6 +307,14 @@ DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level) {
return ERROR_SUCCESS;
}
+ // Set integrity level for our process ACL, so we retain access to it.
+ // We ignore failures because this is not a security measure, but some
+ // functionality may fail later in the process.
+ DWORD rv =
+ SetObjectIntegrityLabel(::GetCurrentProcess(), SE_KERNEL_OBJECT, L"",
+ GetIntegrityLevelString(integrity_level));
+ DCHECK(rv == ERROR_SUCCESS);
+
HANDLE token_handle;
if (!::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_DEFAULT,
&token_handle))
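Review bot: The comment on the new lines says failures of SetObjectIntegrityLabel are ignored, but `DCHECK(rv == ERROR_SUCCESS);` on the following line will abort debug builds when the call fails, so the comment and the check disagree; either drop the DCHECK or reword the comment to `// We only DCHECK failures because this is not a security measure, but some functionality may fail later in the process.` The checked-in copy of this same change in set_delayed_integrity_on_process_acl.patch (earlier in this commit) has neither the `DWORD rv =` assignment nor the DCHECK, so the patch file and the applied source are out of sync and a re-apply driven by patch_order.txt would silently drop the check. SetProcessIntegrityLevel's body begins and ends outside the hunk.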
diff --git a/security/sandbox/common/test/SandboxTestingChildTests.h b/security/sandbox/common/test/SandboxTestingChildTests.h
index e31588c271..294840dee8 100644
--- a/security/sandbox/common/test/SandboxTestingChildTests.h
+++ b/security/sandbox/common/test/SandboxTestingChildTests.h
@@ -680,11 +680,11 @@ void RunTestsRDD(SandboxTestingChild* child) {
RunTestsSched(child);
- child->ErrnoTest("socket_inet"_ns, false,
- [] { return socket(AF_INET, SOCK_STREAM, 0); });
+ child->ErrnoValueTest("socket_inet"_ns, EACCES,
+ [] { return socket(AF_INET, SOCK_STREAM, 0); });
- child->ErrnoTest("socket_unix"_ns, false,
- [] { return socket(AF_UNIX, SOCK_STREAM, 0); });
+ child->ErrnoValueTest("socket_unix"_ns, EACCES,
+ [] { return socket(AF_UNIX, SOCK_STREAM, 0); });
child->ErrnoTest("uname"_ns, true, [] {
struct utsname uts;
@@ -721,6 +721,16 @@ void RunTestsRDD(SandboxTestingChild* child) {
return statfs("/usr/share", &sf);
});
+ child->ErrnoValueTest("fork"_ns, EPERM, [] {
+ pid_t pid = fork();
+ if (pid == 0) {
+ // Success: shouldn't happen, and parent will report a test
+ // failure.
+ _exit(0);
+ }
+ return pid;
+ });
+
# elif XP_MACOSX
RunMacTestLaunchProcess(child);
RunMacTestWindowServer(child);
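Review bot: If fork() unexpectedly succeeds, the parent side of the new "fork" test returns the child pid without reaping it, so the forked child lingers as a zombie for the rest of the test process; reaping before returning keeps the failure report clean, e.g. `if (pid > 0) { waitpid(pid, nullptr, 0); }` ahead of `return pid;` (assuming <sys/wait.h> is already available to this header). The comment's claim that the parent will report a failure relies on how ErrnoValueTest treats a non-negative return, which is not visible here; if that is its contract, saying so in the comment (`// A pid >= 0 is not -1/EPERM, so ErrnoValueTest reports failure.`) would make the test self-explanatory. RunTestsRDD begins and ends outside the hunk.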
diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
index 2eec3b27a7..a3b70e7889 100644
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -1595,9 +1595,6 @@ class ContentSandboxPolicy : public SandboxPolicyCommon {
case __NR_clone:
return ClonePolicy(Error(EPERM));
- case __NR_clone3:
- return Error(ENOSYS);
-
# ifdef __NR_fadvise64
case __NR_fadvise64:
return Allow();
@@ -1842,20 +1839,24 @@ class RDDSandboxPolicy final : public SandboxPolicyCommon {
bool aHasArgs) const override {
switch (aCall) {
// These are for X11.
+ //
+ // FIXME (bug 1884449): X11 is blocked now so we probably don't
+ // need these, but they're relatively harmless.
case SYS_GETSOCKNAME:
case SYS_GETPEERNAME:
case SYS_SHUTDOWN:
return Some(Allow());
-#ifdef MOZ_ENABLE_V4L2
case SYS_SOCKET:
// Hardware-accelerated decode uses EGL to manage hardware surfaces.
// When initialised it tries to connect to the Wayland server over a
// UNIX socket. It still works fine if it can't connect to Wayland, so
// don't let it create the socket (but don't kill the process for
// trying).
+ //
+ // We also see attempts to connect to an X server on desktop
+ // Linux sometimes (bug 1882598).
return Some(Error(EACCES));
-#endif
default:
return SandboxPolicyCommon::EvaluateSocketCall(aCall, aHasArgs);
@@ -1945,6 +1946,10 @@ class RDDSandboxPolicy final : public SandboxPolicyCommon {
CASES_FOR_fstatfs:
return Allow();
+ // nvidia drivers may attempt to spawn nvidia-modprobe
+ case __NR_clone:
+ return ClonePolicy(Error(EPERM));
+
// Pass through the common policy.
default:
return SandboxPolicyCommon::EvaluateSyscall(sysno);
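Review bot: The new `__NR_clone` case only yields EPERM for fork() if the RDD policy also answers `__NR_clone3`, which this hunk does not touch; recent glibc presumably tries clone3 first and falls back to clone only on ENOSYS, so if clone3 reached a kill-by-default path the "fork" test added in SandboxTestingChildTests.h would crash the process instead of observing EPERM. The first hunk of this file drops the Content policy's explicit `clone3 -> ENOSYS`, which suggests SandboxPolicyCommon already returns ENOSYS for clone3; if so, a short comment here would spare the next reader the search: `// clone3 is answered with ENOSYS by the common policy, so glibc falls back to clone.` (confirm against SandboxPolicyCommon before adding). RDDSandboxPolicy::EvaluateSyscall begins and ends outside the hunk.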
diff --git a/security/sandbox/mac/SandboxPolicyContent.h b/security/sandbox/mac/SandboxPolicyContent.h
index 3f49f684d6..aebb224858 100644
--- a/security/sandbox/mac/SandboxPolicyContent.h
+++ b/security/sandbox/mac/SandboxPolicyContent.h
@@ -197,6 +197,7 @@ static const char SandboxPolicyContent[] = R"SANDBOX_LITERAL(
(iokit-property "IOGVAHEVCDecode")
(iokit-property "IOGVAHEVCEncode")
(iokit-property "IOGVAXDecode")
+ (iokit-property "IOAVDAV1DecodeCapabilities")
(iokit-property "IOPCITunnelled")
(iokit-property "IOVARendererID")
(iokit-property "MetalPluginName")
diff --git a/security/sandbox/mac/SandboxPolicyRDD.h b/security/sandbox/mac/SandboxPolicyRDD.h
index ddce1f4ecc..0379ad15f7 100644
--- a/security/sandbox/mac/SandboxPolicyRDD.h
+++ b/security/sandbox/mac/SandboxPolicyRDD.h
@@ -154,6 +154,7 @@ static const char SandboxPolicyRDD[] = R"SANDBOX_LITERAL(
(iokit-property "IOAVDHEVCDecodeCapabilities")
(iokit-property "IOGVAHEVCEncode")
(iokit-property "IOGVAXDecode")
+ (iokit-property "IOAVDAV1DecodeCapabilities")
(iokit-property "IOPCITunnelled")
(iokit-property "IOVARendererID")
(iokit-property "MetalPluginName")