Merging upstream version 126.0.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

7 files changed, 74 insertions, 9 deletions

diff --git a/security/sandbox/chromium-shim/patches/with_update/patch_order.txt b/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
index 028348a0f0..703be7a3cb 100755
--- a/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
+++ b/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
@@ -31,3 +31,4 @@ add_loongarch_defines.patch
 block_NtImpersonateAnonymousToken_before_LowerToken.patch
 fix_broker_alive_mutex.patch
 fix_max_syscalls_linux_aarch64.patch
+set_delayed_integrity_on_process_acl.patch
diff --git a/security/sandbox/chromium-shim/patches/with_update/set_delayed_integrity_on_process_acl.patch b/security/sandbox/chromium-shim/patches/with_update/set_delayed_integrity_on_process_acl.patch
new file mode 100644
index 0000000000..650c0e4f70
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/with_update/set_delayed_integrity_on_process_acl.patch
@@ -0,0 +1,39 @@
+# HG changeset patch
+# User Bob Owen <bobowencode@gmail.com>
+# Date 1709836178 0
+#      Thu Mar 07 18:29:38 2024 +0000
+# Node ID 2b9ab7e6c5a1630b497fe1543634cbaebdc395f8
+# Parent  f9c20c064d639a146ffa09ec832aee6dff44643d
+Bug 1889932 p1: Set process ACL to the delayed integrity level in LowerToken. r=yjuglaret!
+
+This allows us to maintain the same access to our process when the integrity
+level on our access token is dropped.
+
+Differential Revision: https://phabricator.services.mozilla.com/D206784
+
+diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
++++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+@@ -302,16 +302,22 @@ DWORD SetTokenIntegrityLevel(HANDLE toke
+ DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level) {
+   // We don't check for an invalid level here because we'll just let it
+   // fail on the SetTokenIntegrityLevel call later on.
+   if (integrity_level == INTEGRITY_LEVEL_LAST) {
+     // No mandatory level specified, we don't change it.
+     return ERROR_SUCCESS;
+   }
+ 
++  // Set integrity level for our process ACL, so we retain access to it.
++  // We ignore failures because this is not a security measure, but some
++  // functionality may fail later in the process.
++  SetObjectIntegrityLabel(::GetCurrentProcess(), SE_KERNEL_OBJECT, L"",
++                          GetIntegrityLevelString(integrity_level));
++
+   HANDLE token_handle;
+   if (!::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_DEFAULT,
+                           &token_handle))
+     return ::GetLastError();
+ 
+   base::win::ScopedHandle token(token_handle);
+ 
+   return SetTokenIntegrityLevel(token.Get(), integrity_level);
diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
index d93386d646..b4830bd253 100644
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+++ b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
@@ -307,6 +307,14 @@ DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level) {
     return ERROR_SUCCESS;
   }
 
+  // Set integrity level for our process ACL, so we retain access to it.
+  // We ignore failures because this is not a security measure, but some
+  // functionality may fail later in the process.
+  DWORD rv =
+      SetObjectIntegrityLabel(::GetCurrentProcess(), SE_KERNEL_OBJECT, L"",
+                              GetIntegrityLevelString(integrity_level));
+  DCHECK(rv == ERROR_SUCCESS);
+
   HANDLE token_handle;
   if (!::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_DEFAULT,
                           &token_handle))
diff --git a/security/sandbox/common/test/SandboxTestingChildTests.h b/security/sandbox/common/test/SandboxTestingChildTests.h
index e31588c271..294840dee8 100644
--- a/security/sandbox/common/test/SandboxTestingChildTests.h
+++ b/security/sandbox/common/test/SandboxTestingChildTests.h
@@ -680,11 +680,11 @@ void RunTestsRDD(SandboxTestingChild* child) {
 
   RunTestsSched(child);
 
-  child->ErrnoTest("socket_inet"_ns, false,
-                   [] { return socket(AF_INET, SOCK_STREAM, 0); });
+  child->ErrnoValueTest("socket_inet"_ns, EACCES,
+                        [] { return socket(AF_INET, SOCK_STREAM, 0); });
 
-  child->ErrnoTest("socket_unix"_ns, false,
-                   [] { return socket(AF_UNIX, SOCK_STREAM, 0); });
+  child->ErrnoValueTest("socket_unix"_ns, EACCES,
+                        [] { return socket(AF_UNIX, SOCK_STREAM, 0); });
 
   child->ErrnoTest("uname"_ns, true, [] {
     struct utsname uts;
@@ -721,6 +721,16 @@ void RunTestsRDD(SandboxTestingChild* child) {
     return statfs("/usr/share", &sf);
   });
 
+  child->ErrnoValueTest("fork"_ns, EPERM, [] {
+    pid_t pid = fork();
+    if (pid == 0) {
+      // Success: shouldn't happen, and parent will report a test
+      // failure.
+      _exit(0);
+    }
+    return pid;
+  });
+
 #  elif XP_MACOSX
   RunMacTestLaunchProcess(child);
   RunMacTestWindowServer(child);
diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
index 2eec3b27a7..a3b70e7889 100644
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -1595,9 +1595,6 @@ class ContentSandboxPolicy : public SandboxPolicyCommon {
       case __NR_clone:
         return ClonePolicy(Error(EPERM));
 
-      case __NR_clone3:
-        return Error(ENOSYS);
-
 #  ifdef __NR_fadvise64
       case __NR_fadvise64:
         return Allow();
@@ -1842,20 +1839,24 @@ class RDDSandboxPolicy final : public SandboxPolicyCommon {
                                        bool aHasArgs) const override {
     switch (aCall) {
       // These are for X11.
+      //
+      // FIXME (bug 1884449): X11 is blocked now so we probably don't
+      // need these, but they're relatively harmless.
       case SYS_GETSOCKNAME:
       case SYS_GETPEERNAME:
       case SYS_SHUTDOWN:
         return Some(Allow());
 
-#ifdef MOZ_ENABLE_V4L2
       case SYS_SOCKET:
         // Hardware-accelerated decode uses EGL to manage hardware surfaces.
         // When initialised it tries to connect to the Wayland server over a
         // UNIX socket. It still works fine if it can't connect to Wayland, so
         // don't let it create the socket (but don't kill the process for
         // trying).
+        //
+        // We also see attempts to connect to an X server on desktop
+        // Linux sometimes (bug 1882598).
         return Some(Error(EACCES));
-#endif
 
       default:
         return SandboxPolicyCommon::EvaluateSocketCall(aCall, aHasArgs);
@@ -1945,6 +1946,10 @@ class RDDSandboxPolicy final : public SandboxPolicyCommon {
       CASES_FOR_fstatfs:
         return Allow();
 
+        // nvidia drivers may attempt to spawn nvidia-modprobe
+      case __NR_clone:
+        return ClonePolicy(Error(EPERM));
+
         // Pass through the common policy.
       default:
         return SandboxPolicyCommon::EvaluateSyscall(sysno);
diff --git a/security/sandbox/mac/SandboxPolicyContent.h b/security/sandbox/mac/SandboxPolicyContent.h
index 3f49f684d6..aebb224858 100644
--- a/security/sandbox/mac/SandboxPolicyContent.h
+++ b/security/sandbox/mac/SandboxPolicyContent.h
@@ -197,6 +197,7 @@ static const char SandboxPolicyContent[] = R"SANDBOX_LITERAL(
       (iokit-property "IOGVAHEVCDecode")
       (iokit-property "IOGVAHEVCEncode")
       (iokit-property "IOGVAXDecode")
+      (iokit-property "IOAVDAV1DecodeCapabilities")
       (iokit-property "IOPCITunnelled")
       (iokit-property "IOVARendererID")
       (iokit-property "MetalPluginName")
diff --git a/security/sandbox/mac/SandboxPolicyRDD.h b/security/sandbox/mac/SandboxPolicyRDD.h
index ddce1f4ecc..0379ad15f7 100644
--- a/security/sandbox/mac/SandboxPolicyRDD.h
+++ b/security/sandbox/mac/SandboxPolicyRDD.h
@@ -154,6 +154,7 @@ static const char SandboxPolicyRDD[] = R"SANDBOX_LITERAL(
       (iokit-property "IOAVDHEVCDecodeCapabilities")
       (iokit-property "IOGVAHEVCEncode")
       (iokit-property "IOGVAXDecode")
+      (iokit-property "IOAVDAV1DecodeCapabilities")
       (iokit-property "IOPCITunnelled")
       (iokit-property "IOVARendererID")
       (iokit-property "MetalPluginName")