author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-15 03:35:49 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-15 03:35:49 +0000 |
commit | d8bbc7858622b6d9c278469aab701ca0b609cddf (patch) | |
tree | eff41dc61d9f714852212739e6b3738b82a2af87 /security/sandbox | |
parent | Releasing progress-linux version 125.0.3-1~progress7.99u1. (diff) | |
Merging upstream version 126.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/sandbox')
7 files changed, 74 insertions, 9 deletions
diff --git a/security/sandbox/chromium-shim/patches/with_update/patch_order.txt b/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
index 028348a0f0..703be7a3cb 100755
--- a/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
+++ b/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
@@ -31,3 +31,4 @@ add_loongarch_defines.patch
 block_NtImpersonateAnonymousToken_before_LowerToken.patch
 fix_broker_alive_mutex.patch
 fix_max_syscalls_linux_aarch64.patch
+set_delayed_integrity_on_process_acl.patch
diff --git a/security/sandbox/chromium-shim/patches/with_update/set_delayed_integrity_on_process_acl.patch b/security/sandbox/chromium-shim/patches/with_update/set_delayed_integrity_on_process_acl.patch
new file mode 100644
index 0000000000..650c0e4f70
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/with_update/set_delayed_integrity_on_process_acl.patch
@@ -0,0 +1,39 @@
+# HG changeset patch
+# User Bob Owen <bobowencode@gmail.com>
+# Date 1709836178 0
+# Thu Mar 07 18:29:38 2024 +0000
+# Node ID 2b9ab7e6c5a1630b497fe1543634cbaebdc395f8
+# Parent f9c20c064d639a146ffa09ec832aee6dff44643d
+Bug 1889932 p1: Set process ACL to the delayed integrity level in LowerToken. r=yjuglaret!
+
+This allows us to maintain the same access to our process when the integrity
+level on our access token is dropped.
+
+Differential Revision: https://phabricator.services.mozilla.com/D206784
+
+diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
++++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+@@ -302,16 +302,22 @@ DWORD SetTokenIntegrityLevel(HANDLE toke
+ DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level) {
+   // We don't check for an invalid level here because we'll just let it
+   // fail on the SetTokenIntegrityLevel call later on.
+   if (integrity_level == INTEGRITY_LEVEL_LAST) {
+     // No mandatory level specified, we don't change it.
+     return ERROR_SUCCESS;
+   }
+ 
++  // Set integrity level for our process ACL, so we retain access to it.
++  // We ignore failures because this is not a security measure, but some
++  // functionality may fail later in the process.
++  SetObjectIntegrityLabel(::GetCurrentProcess(), SE_KERNEL_OBJECT, L"",
++                          GetIntegrityLevelString(integrity_level));
++
+   HANDLE token_handle;
+   if (!::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_DEFAULT,
+                           &token_handle))
+     return ::GetLastError();
+ 
+   base::win::ScopedHandle token(token_handle);
+ 
+   return SetTokenIntegrityLevel(token.Get(), integrity_level);
diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
index d93386d646..b4830bd253 100644
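Review bot: The hunk checked into set_delayed_integrity_on_process_acl.patch does not match what this same commit applies to restricted_token_utils.cc: the patch adds a bare `SetObjectIntegrityLabel(...)` call (inner hunk `+302,22`, six added lines), while the .cc hunk in this commit also adds `DWORD rv =` and `DCHECK(rv == ERROR_SUCCESS);`. Since patch_order.txt is what re-applies these shim patches onto the chromium copy, the next update would presumably either drop the DCHECK silently or fail to apply against the committed source. Regenerate the patch from the committed .cc so the shim patch and the source agree; the three-line comment itself can stay as is. The inner hunk shows SetProcessIntegrityLevel only in part.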
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
@@ -307,6 +307,14 @@ DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level) {
     return ERROR_SUCCESS;
   }
 
+  // Set integrity level for our process ACL, so we retain access to it.
+  // We ignore failures because this is not a security measure, but some
+  // functionality may fail later in the process.
+  DWORD rv =
+      SetObjectIntegrityLabel(::GetCurrentProcess(), SE_KERNEL_OBJECT, L"",
+                              GetIntegrityLevelString(integrity_level));
+  DCHECK(rv == ERROR_SUCCESS);
+
   HANDLE token_handle;
   if (!::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_DEFAULT,
                           &token_handle))
diff --git a/security/sandbox/common/test/SandboxTestingChildTests.h b/security/sandbox/common/test/SandboxTestingChildTests.h
index e31588c271..294840dee8 100644
--- a/security/sandbox/common/test/SandboxTestingChildTests.h
+++ b/security/sandbox/common/test/SandboxTestingChildTests.h
@@ -680,11 +680,11 @@ void RunTestsRDD(SandboxTestingChild* child) {
 
   RunTestsSched(child);
 
-  child->ErrnoTest("socket_inet"_ns, false,
-                   [] { return socket(AF_INET, SOCK_STREAM, 0); });
+  child->ErrnoValueTest("socket_inet"_ns, EACCES,
+                        [] { return socket(AF_INET, SOCK_STREAM, 0); });
 
-  child->ErrnoTest("socket_unix"_ns, false,
-                   [] { return socket(AF_UNIX, SOCK_STREAM, 0); });
+  child->ErrnoValueTest("socket_unix"_ns, EACCES,
+                        [] { return socket(AF_UNIX, SOCK_STREAM, 0); });
 
   child->ErrnoTest("uname"_ns, true, [] {
     struct utsname uts;
@@ -721,6 +721,16 @@ void RunTestsRDD(SandboxTestingChild* child) {
     return statfs("/usr/share", &sf);
   });
 
+  child->ErrnoValueTest("fork"_ns, EPERM, [] {
+    pid_t pid = fork();
+    if (pid == 0) {
+      // Success: shouldn't happen, and parent will report a test
+      // failure.
+      _exit(0);
+    }
+    return pid;
+  });
+
 # elif XP_MACOSX
   RunMacTestLaunchProcess(child);
   RunMacTestWindowServer(child);
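Review bot: The new comment says failures are ignored, but the `DCHECK(rv == ERROR_SUCCESS);` added two lines later turns a SetObjectIntegrityLabel failure into a crash in debug builds, so the comment and the code disagree; reword it to `// Failure is not fatal (this is not a security measure), but later functionality may break, so assert it in debug builds.` If DCHECK compiles to nothing in this shim's release configuration, `rv` also becomes an unused variable there — worth confirming against the shim's logging macros. A reader would also want the security consequence spelled out: labelling our own process object at the delayed (lower) level means the mandatory label no longer keeps out other processes at that level, so separation between sandboxed processes then rests on the process DACL and the restricted/deny-only SIDs alone, e.g. `// NOTE: this lowers the label on our own process object; cross-process protection relies on the DACL, not the label.` SetProcessIntegrityLevel starts and ends outside this hunk.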
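Review bot: In the added fork test, if fork() unexpectedly succeeds the parent returns the positive pid and fails the test but never reaps the child, leaving a zombie for the rest of the test run; add `if (pid > 0) waitpid(pid, nullptr, 0);` before `return pid;` (from sys/wait.h, if not already included), provided the policy under test lets wait4 through — that is not visible here, and a SIGSYS on the wait would at least still fail loudly. The `_exit(0)` in the child branch is right, since running atexit handlers in a forked test child would be worse. RunTestsRDD starts and ends outside this hunk.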
diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
index 2eec3b27a7..a3b70e7889 100644
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -1595,9 +1595,6 @@ class ContentSandboxPolicy : public SandboxPolicyCommon {
       case __NR_clone:
         return ClonePolicy(Error(EPERM));
 
-      case __NR_clone3:
-        return Error(ENOSYS);
-
 # ifdef __NR_fadvise64
       case __NR_fadvise64:
         return Allow();
@@ -1842,20 +1839,24 @@ class RDDSandboxPolicy final : public SandboxPolicyCommon {
                                         bool aHasArgs) const override {
     switch (aCall) {
       // These are for X11.
+      //
+      // FIXME (bug 1884449): X11 is blocked now so we probably don't
+      // need these, but they're relatively harmless.
       case SYS_GETSOCKNAME:
       case SYS_GETPEERNAME:
       case SYS_SHUTDOWN:
         return Some(Allow());
 
-#ifdef MOZ_ENABLE_V4L2
       case SYS_SOCKET:
         // Hardware-accelerated decode uses EGL to manage hardware surfaces.
         // When initialised it tries to connect to the Wayland server over a
         // UNIX socket. It still works fine if it can't connect to Wayland, so
         // don't let it create the socket (but don't kill the process for
         // trying).
+        //
+        // We also see attempts to connect to an X server on desktop
+        // Linux sometimes (bug 1882598).
         return Some(Error(EACCES));
-#endif
 
       default:
         return SandboxPolicyCommon::EvaluateSocketCall(aCall, aHasArgs);
@@ -1945,6 +1946,10 @@ class RDDSandboxPolicy final : public SandboxPolicyCommon {
       CASES_FOR_fstatfs:
         return Allow();
 
+      // nvidia drivers may attempt to spawn nvidia-modprobe
+      case __NR_clone:
+        return ClonePolicy(Error(EPERM));
+
       // Pass through the common policy.
       default:
         return SandboxPolicyCommon::EvaluateSyscall(sysno);
diff --git a/security/sandbox/mac/SandboxPolicyContent.h b/security/sandbox/mac/SandboxPolicyContent.h
index 3f49f684d6..aebb224858 100644
--- a/security/sandbox/mac/SandboxPolicyContent.h
+++ b/security/sandbox/mac/SandboxPolicyContent.h
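Review bot: The new `__NR_clone` case in the RDD policy documents why (nvidia-modprobe) but not how fork() actually reaches it: on glibc 2.34 and later fork() tries clone3 first and only falls back to clone when clone3 fails with ENOSYS, so this EPERM — and the fork test in this commit that expects EPERM — only holds if clone3 is answered with ENOSYS somewhere in the common policy. That is not visible in this hunk; the content policy in this same commit drops its own `case __NR_clone3: return Error(ENOSYS);`, which suggests SandboxPolicyCommon now handles clone3, but it should be confirmed rather than inferred. Suggest extending the comment to `// nvidia drivers may attempt to spawn nvidia-modprobe. clone3 is handled by the common policy (ENOSYS), so glibc's fork() falls back to clone and gets this EPERM.` RDDSandboxPolicy::EvaluateSyscall starts and ends outside this hunk.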
@@ -197,6 +197,7 @@ static const char SandboxPolicyContent[] = R"SANDBOX_LITERAL(
   (iokit-property "IOGVAHEVCDecode")
   (iokit-property "IOGVAHEVCEncode")
   (iokit-property "IOGVAXDecode")
+  (iokit-property "IOAVDAV1DecodeCapabilities")
   (iokit-property "IOPCITunnelled")
   (iokit-property "IOVARendererID")
   (iokit-property "MetalPluginName")
diff --git a/security/sandbox/mac/SandboxPolicyRDD.h b/security/sandbox/mac/SandboxPolicyRDD.h
index ddce1f4ecc..0379ad15f7 100644
--- a/security/sandbox/mac/SandboxPolicyRDD.h
+++ b/security/sandbox/mac/SandboxPolicyRDD.h
@@ -154,6 +154,7 @@ static const char SandboxPolicyRDD[] = R"SANDBOX_LITERAL(
   (iokit-property "IOAVDHEVCDecodeCapabilities")
   (iokit-property "IOGVAHEVCEncode")
   (iokit-property "IOGVAXDecode")
+  (iokit-property "IOAVDAV1DecodeCapabilities")
   (iokit-property "IOPCITunnelled")
   (iokit-property "IOVARendererID")
   (iokit-property "MetalPluginName")