summaryrefslogtreecommitdiffstats
path: root/security/sandbox/test/browser_content_sandbox_syscalls.js
diff options
context:
space:
mode:
Diffstat (limited to 'security/sandbox/test/browser_content_sandbox_syscalls.js')
-rw-r--r--security/sandbox/test/browser_content_sandbox_syscalls.js402
1 files changed, 402 insertions, 0 deletions
diff --git a/security/sandbox/test/browser_content_sandbox_syscalls.js b/security/sandbox/test/browser_content_sandbox_syscalls.js
new file mode 100644
index 0000000000..1816e1dbbb
--- /dev/null
+++ b/security/sandbox/test/browser_content_sandbox_syscalls.js
@@ -0,0 +1,402 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+/* import-globals-from browser_content_sandbox_utils.js */
+"use strict";
+
+/* global OS */
+Cc["@mozilla.org/net/osfileconstantsservice;1"]
+ .getService(Ci.nsIOSFileConstantsService)
+ .init();
+
+registerCleanupFunction(() => {
+ delete window.OS;
+});
+
+Services.scriptloader.loadSubScript(
+ "chrome://mochitests/content/browser/" +
+ "security/sandbox/test/browser_content_sandbox_utils.js",
+ this
+);
+
+/*
+ * This test is for executing system calls in content processes to validate
+ * that calls that are meant to be blocked by content sandboxing are blocked.
+ * We use the term system calls loosely so that any OS API call such as
+ * fopen could be included.
+ */
+
+// Calls the native execv library function. Include imports so this can be
+// safely serialized and run remotely by ContentTask.spawn.
+function callExec(args) {
+ const { ctypes } = ChromeUtils.import("resource://gre/modules/ctypes.jsm");
+ let { lib, cmd } = args;
+ let libc = ctypes.open(lib);
+ let exec = libc.declare(
+ "execv",
+ ctypes.default_abi,
+ ctypes.int,
+ ctypes.char.ptr
+ );
+ let rv = exec(cmd);
+ libc.close();
+ return rv;
+}
+
+// Calls the native fork syscall.
+function callFork(args) {
+ const { ctypes } = ChromeUtils.import("resource://gre/modules/ctypes.jsm");
+ let { lib } = args;
+ let libc = ctypes.open(lib);
+ let fork = libc.declare("fork", ctypes.default_abi, ctypes.int);
+ let rv = fork();
+ libc.close();
+ return rv;
+}
+
+// Calls the native sysctl syscall.
+function callSysctl(args) {
+ const { ctypes } = ChromeUtils.import("resource://gre/modules/ctypes.jsm");
+ let { lib, name } = args;
+ let libc = ctypes.open(lib);
+ let sysctlbyname = libc.declare(
+ "sysctlbyname",
+ ctypes.default_abi,
+ ctypes.int,
+ ctypes.char.ptr,
+ ctypes.voidptr_t,
+ ctypes.size_t.ptr,
+ ctypes.voidptr_t,
+ ctypes.size_t.ptr
+ );
+ let rv = sysctlbyname(name, null, null, null, null);
+ libc.close();
+ return rv;
+}
+
+function callPrctl(args) {
+ const { ctypes } = ChromeUtils.import("resource://gre/modules/ctypes.jsm");
+ let { lib, option } = args;
+ let libc = ctypes.open(lib);
+ let prctl = libc.declare(
+ "prctl",
+ ctypes.default_abi,
+ ctypes.int,
+ ctypes.int, // option
+ ctypes.unsigned_long, // arg2
+ ctypes.unsigned_long, // arg3
+ ctypes.unsigned_long, // arg4
+ ctypes.unsigned_long // arg5
+ );
+ let rv = prctl(option, 0, 0, 0, 0);
+ if (rv == -1) {
+ rv = ctypes.errno;
+ }
+ libc.close();
+ return rv;
+}
+
+// Calls the native open/close syscalls.
+function callOpen(args) {
+ const { ctypes } = ChromeUtils.import("resource://gre/modules/ctypes.jsm");
+ let { lib, path, flags } = args;
+ let libc = ctypes.open(lib);
+ let open = libc.declare(
+ "open",
+ ctypes.default_abi,
+ ctypes.int,
+ ctypes.char.ptr,
+ ctypes.int
+ );
+ let close = libc.declare("close", ctypes.default_abi, ctypes.int, ctypes.int);
+ let fd = open(path, flags);
+ close(fd);
+ libc.close();
+ return fd;
+}
+
+// Verify faccessat2
+function callFaccessat2(args) {
+ const { ctypes } = ChromeUtils.import("resource://gre/modules/ctypes.jsm");
+ let { lib, dirfd, path, mode, flag } = args;
+ let libc = ctypes.open(lib);
+ let faccessat = libc.declare(
+ "faccessat",
+ ctypes.default_abi,
+ ctypes.int,
+ ctypes.int, // dirfd
+ ctypes.char.ptr, // path
+ ctypes.int, // mode
+ ctypes.int // flag
+ );
+ let rv = faccessat(dirfd, path, mode, flag);
+ if (rv == -1) {
+ rv = ctypes.errno;
+ }
+ libc.close();
+ return rv;
+}
+
+// open syscall flags
+function openWriteCreateFlags() {
+ Assert.ok(isMac() || isLinux());
+ if (isMac()) {
+ let O_WRONLY = 0x001;
+ let O_CREAT = 0x200;
+ return O_WRONLY | O_CREAT;
+ }
+ // Linux
+ let O_WRONLY = 0x01;
+ let O_CREAT = 0x40;
+ return O_WRONLY | O_CREAT;
+}
+
+// Returns the name of the native library needed for native syscalls
+function getOSLib() {
+ switch (Services.appinfo.OS) {
+ case "WINNT":
+ return "kernel32.dll";
+ case "Darwin":
+ return "libc.dylib";
+ case "Linux":
+ return "libc.so.6";
+ default:
+ Assert.ok(false, "Unknown OS");
+ return 0;
+ }
+}
+
+// Reading a header might be weird, but the alternatives to read a stable
+// version number we can easily check against are not much more fun
+async function getKernelVersion() {
+ let header = await IOUtils.readUTF8("/usr/include/linux/version.h");
+ let hr = header.split("\n");
+ for (let line in hr) {
+ let hrs = hr[line].split(" ");
+ if (hrs[0] === "#define" && hrs[1] === "LINUX_VERSION_CODE") {
+ return Number(hrs[2]);
+ }
+ }
+ throw Error("No LINUX_VERSION_CODE");
+}
+
+// This is how it is done in /usr/include/linux/version.h
+function computeKernelVersion(major, minor, dot) {
+ return (major << 16) + (minor << 8) + dot;
+}
+
+function getGlibcVersion() {
+ const { ctypes } = ChromeUtils.import("resource://gre/modules/ctypes.jsm");
+ let libc = ctypes.open(getOSLib());
+ let gnu_get_libc_version = libc.declare(
+ "gnu_get_libc_version",
+ ctypes.default_abi,
+ ctypes.char.ptr
+ );
+ let rv = gnu_get_libc_version().readString();
+ libc.close();
+ let ar = rv.split(".");
+ // return a number made of MAJORMINOR
+ return Number(ar[0] + ar[1]);
+}
+
+// Returns a harmless command to execute with execv
+function getOSExecCmd() {
+ Assert.ok(!isWin());
+ return "/bin/cat";
+}
+
+// Returns true if the current content sandbox level, passed in
+// the |level| argument, supports syscall sandboxing.
+function areContentSyscallsSandboxed(level) {
+ let syscallsSandboxMinLevel = 0;
+
+ // Set syscallsSandboxMinLevel to the lowest level that has
+ // syscall sandboxing enabled. For now, this varies across
+ // Windows, Mac, Linux, other.
+ switch (Services.appinfo.OS) {
+ case "WINNT":
+ syscallsSandboxMinLevel = 1;
+ break;
+ case "Darwin":
+ syscallsSandboxMinLevel = 1;
+ break;
+ case "Linux":
+ syscallsSandboxMinLevel = 1;
+ break;
+ default:
+ Assert.ok(false, "Unknown OS");
+ }
+
+ return level >= syscallsSandboxMinLevel;
+}
+
+//
+// Drive tests for a single content process.
+//
+// Tests executing OS API calls in the content process. Limited to Mac
+// and Linux calls for now.
+//
+add_task(async function() {
+ // This test is only relevant in e10s
+ if (!gMultiProcessBrowser) {
+ ok(false, "e10s is enabled");
+ info("e10s is not enabled, exiting");
+ return;
+ }
+
+ let level = 0;
+ let prefExists = true;
+
+ // Read the security.sandbox.content.level pref.
+ // If the pref isn't set and we're running on Linux on !isNightly(),
+ // exit without failing. The Linux content sandbox is only enabled
+ // on Nightly at this time.
+ // eslint-disable-next-line mozilla/use-default-preference-values
+ try {
+ level = Services.prefs.getIntPref("security.sandbox.content.level");
+ } catch (e) {
+ prefExists = false;
+ }
+
+ ok(prefExists, "pref security.sandbox.content.level exists");
+ if (!prefExists) {
+ return;
+ }
+
+ info(`security.sandbox.content.level=${level}`);
+ ok(level > 0, "content sandbox is enabled.");
+
+ let areSyscallsSandboxed = areContentSyscallsSandboxed(level);
+
+ // Content sandbox enabled, but level doesn't include syscall sandboxing.
+ ok(areSyscallsSandboxed, "content syscall sandboxing is enabled.");
+ if (!areSyscallsSandboxed) {
+ info("content sandbox level too low for syscall tests, exiting\n");
+ return;
+ }
+
+ let browser = gBrowser.selectedBrowser;
+ let lib = getOSLib();
+
+ // use execv syscall
+ // (causes content process to be killed on Linux)
+ if (isMac()) {
+ // exec something harmless, this should fail
+ let cmd = getOSExecCmd();
+ let rv = await SpecialPowers.spawn(browser, [{ lib, cmd }], callExec);
+ ok(rv == -1, `exec(${cmd}) is not permitted`);
+ }
+
+ // use open syscall
+ if (isLinux() || isMac()) {
+ // open a file for writing in $HOME, this should fail
+ let path = fileInHomeDir().path;
+ let flags = openWriteCreateFlags();
+ let fd = await SpecialPowers.spawn(
+ browser,
+ [{ lib, path, flags }],
+ callOpen
+ );
+ ok(fd < 0, "opening a file for writing in home is not permitted");
+ }
+
+ // use open syscall
+ if (isLinux() || isMac()) {
+ // open a file for writing in the content temp dir, this should fail on
+ // macOS and work on Linux. The open handler in the content process closes
+ // the file for us
+ let path = fileInTempDir().path;
+ let flags = openWriteCreateFlags();
+ let fd = await SpecialPowers.spawn(
+ browser,
+ [{ lib, path, flags }],
+ callOpen
+ );
+ if (isMac()) {
+ ok(
+ fd === -1,
+ "opening a file for writing in content temp is not permitted"
+ );
+ } else {
+ ok(fd >= 0, "opening a file for writing in content temp is permitted");
+ }
+ }
+
+ // use fork syscall
+ if (isLinux() || isMac()) {
+ let rv = await SpecialPowers.spawn(browser, [{ lib }], callFork);
+ ok(rv == -1, "calling fork is not permitted");
+ }
+
+ // On macOS before 10.10 the |sysctl-name| predicate didn't exist for
+ // filtering |sysctl| access. Check the Darwin version before running the
+ // tests (Darwin 14.0.0 is macOS 10.10). This branch can be removed when we
+ // remove support for macOS 10.9.
+ if (isMac() && Services.sysinfo.getProperty("version") >= "14.0.0") {
+ let rv = await SpecialPowers.spawn(
+ browser,
+ [{ lib, name: "kern.boottime" }],
+ callSysctl
+ );
+ ok(rv == -1, "calling sysctl('kern.boottime') is not permitted");
+
+ rv = await SpecialPowers.spawn(
+ browser,
+ [{ lib, name: "net.inet.ip.ttl" }],
+ callSysctl
+ );
+ ok(rv == -1, "calling sysctl('net.inet.ip.ttl') is not permitted");
+
+ rv = await SpecialPowers.spawn(
+ browser,
+ [{ lib, name: "hw.ncpu" }],
+ callSysctl
+ );
+ ok(rv == 0, "calling sysctl('hw.ncpu') is permitted");
+ }
+
+ if (isLinux()) {
+ // verify we block PR_CAPBSET_READ with EINVAL
+ let option = OS.Constants.libc.PR_CAPBSET_READ;
+ let rv = await SpecialPowers.spawn(browser, [{ lib, option }], callPrctl);
+ ok(rv == OS.Constants.libc.EINVAL, "prctl(PR_CAPBSET_READ) is blocked");
+
+ const kernelVersion = await getKernelVersion();
+ const glibcVersion = getGlibcVersion();
+ // faccessat2 is only used with kernel 5.8+ by glibc 2.33+
+ if (glibcVersion >= 233 && kernelVersion >= computeKernelVersion(5, 8, 0)) {
+ info("Linux v5.8+, glibc 2.33+, checking faccessat2");
+ const dirfd = 0;
+ const path = "/";
+ const mode = 0;
+ // the value 0x01 is just one we know should get rejected
+ let rv = await SpecialPowers.spawn(
+ browser,
+ [{ lib, dirfd, path, mode, flag: 0x01 }],
+ callFaccessat2
+ );
+ ok(
+ rv == OS.Constants.libc.ENOSYS,
+ "faccessat2 (flag=0x01) was blocked with ENOSYS"
+ );
+
+ rv = await SpecialPowers.spawn(
+ browser,
+ [{ lib, dirfd, path, mode, flag: OS.Constants.libc.AT_EACCESS }],
+ callFaccessat2
+ );
+ ok(
+ rv == OS.Constants.libc.EACCES,
+ "faccessat2 (flag=0x200) was allowed, errno=EACCES"
+ );
+ } else {
+ info(
+ "Unsupported kernel (" +
+ kernelVersion +
+ " )/glibc (" +
+ glibcVersion +
+ "), skipping faccessat2"
+ );
+ }
+ }
+});