Closed Bug 1498742 Opened Last year Closed 4 months ago

[Mac] Start the GMP sandbox earlier

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

64 Branch
Unspecified
macOS
enhancement

Tracking


RESOLVED FIXED
mozilla69
Tracking Status
firefox69 --- fixed

People

(Reporter: haik, Assigned: haik, NeedInfo)

References

(Depends on 1 open bug)

Details

Attachments

(2 files)

Like with bug 1431441, which applied to the Mac sandbox for content processes, we should start the GMP sandbox early during process startup and unify the code with the content sandbox as much as possible. For the GMP process running Widevine CDM (1.4.9.1088), lsmp just reports the following ports: launchd, notifyd, opendirectoryd, logd, and cfprefsd. Starting the sandbox earlier might not eliminate any of these services, so the security benefit is TBD. Changes to a CDM run by the GMP process could trigger registrations of unneeded services, so starting the sandbox earlier could be a benefit in that respect.
Assignee: nobody → haftandilian
Priority: -- → P1
Blocks: 1525086
No longer blocks: 1525086
See Also: → 1525086

Haik, just as a heads up: it looks like you looked at running Widevine inside the GMP process. The other add-on which runs inside the GMP container is OpenH264. So it would be good to double check that this change is not breaking OpenH264 as well.

(In reply to Nils Ohlmeier [:drno] from comment #1)

Haik, just as a heads up: it looks like you looked at running Widevine inside the GMP process. The other add-on which runs inside the GMP container is OpenH264. So it would be good to double check that this change is not breaking OpenH264 as well.

Nils, thanks, can you confirm we only use the GMP process for OpenH264 decoding if the OS libraries are not available? My understanding is we don't use the GMP process for this on recent macOS versions.

Flags: needinfo?(drno)

I'll be posting the patch for this shortly. We have QA testing planned to test OpenH264 and Widevine on the different versions of macOS supported.

Change the Mac GMP process launch to include sandboxing params on the command line to allow the sandbox to be started earlier during GMP process launch. Content, extension, and RDD processes have already been changed to start the sandbox earlier.

Update GMPProcessParent to override GeckoChildProcessHost methods used to construct sandboxing parameters. Pass the plugin path as a sandbox parameter so that the sandbox rules can whitelist the plugin directory which is now read after the sandbox is enabled in the plugin process. On development builds, pass "testingReadPath" params so directories needed during automated tests can be whitelisted.

Update Mac sandboxing code to detect GMP sandbox params on the command line and enable the sandbox with additional arguments needed for early sandbox start.

Allow reverting to the old implementation by setting security.sandbox.gmp.mac.earlyinit to false.

Depends on D34084
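The launch sequence the commit message describes (sandbox parameters on the child's command line, the plugin directory passed as a parameter so the policy can allow it, the policy applied before the plugin is loaded) as an added example; this is not Firefox's code. The flag names (-sbLevel, -sbPluginPath, -sbTestingReadPath), the SBPL parameter names, the profile text and the sample plugin path are illustrative assumptions, and the profile is deliberately minimal compared with a real GMP policy. On macOS start_gmp_sandbox() really calls the private sandbox_init_with_parameters(); elsewhere it stops after validating the inputs and rendering the profile.

```c
/*
 * Added example (not Firefox code): early sandbox start for a plugin child
 * process driven by command-line parameters. Flag names, parameter names,
 * the profile text and the sample path are assumptions for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define MAX_TESTING_PATHS 4

/* Sandbox settings the child recovers from its own command line. */
struct SandboxParams {
    int level;                                    /* -sbLevel N                        */
    const char *plugin_path;                      /* -sbPluginPath DIR                 */
    const char *testing_paths[MAX_TESTING_PATHS]; /* -sbTestingReadPath DIR (dev only) */
    int n_testing_paths;
};

static const char *const kTestingKeys[MAX_TESTING_PATHS] = {
    "TESTING_READ_PATH1", "TESTING_READ_PATH2",
    "TESTING_READ_PATH3", "TESTING_READ_PATH4",
};

/* Parse the sandbox flags. Returns 0 on success, -1 if a required flag is
 * missing or a path is not absolute: a relative path would be resolved
 * against the child's cwd, which nobody writing the policy chose. */
int parse_sandbox_args(int argc, char **argv, struct SandboxParams *p)
{
    memset(p, 0, sizeof *p);
    p->level = -1;
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-sbLevel") == 0) {
            p->level = atoi(argv[++i]);
        } else if (strcmp(argv[i], "-sbPluginPath") == 0) {
            p->plugin_path = argv[++i];
            if (p->plugin_path[0] != '/') return -1;
        } else if (strcmp(argv[i], "-sbTestingReadPath") == 0) {
            const char *dir = argv[++i];
            if (dir[0] != '/' || p->n_testing_paths == MAX_TESTING_PATHS) return -1;
            p->testing_paths[p->n_testing_paths++] = dir;
        }
    }
    return (p->level >= 0 && p->plugin_path != NULL) ? 0 : -1;
}

/* Render the SBPL profile. The plugin directory is not hard-coded: the
 * profile refers to (param "PLUGIN_PATH") and the value travels in the
 * parameter array, so one profile text covers any CDM install location.
 * Only rules for parameters that will actually be supplied are emitted.
 * Returns the profile length, or -1 if it does not fit in out. */
int build_profile(const struct SandboxParams *p, char *out, size_t outsz)
{
    int n = snprintf(out, outsz,
        "(version 1)\n"
        "(deny default)\n"
        "(allow file-read* (subpath (param \"PLUGIN_PATH\")))\n");
    if (n < 0 || (size_t)n >= outsz) return -1;
    for (int i = 0; i < p->n_testing_paths; i++) {
        int m = snprintf(out + n, outsz - (size_t)n,
            "(allow file-read* (subpath (param \"%s\")))\n", kTestingKeys[i]);
        if (m < 0 || (size_t)m >= outsz - (size_t)n) return -1;
        n += m;
    }
    return n;
}

/* Fill the NULL-terminated key/value list sandbox_init_with_parameters()
 * takes; kv needs room for 2 * (1 + MAX_TESTING_PATHS) + 1 entries.
 * Returns the number of strings written (excluding the terminator). */
int build_param_array(const struct SandboxParams *p, const char **kv)
{
    int n = 0;
    kv[n++] = "PLUGIN_PATH";
    kv[n++] = p->plugin_path;
    for (int i = 0; i < p->n_testing_paths; i++) {
        kv[n++] = kTestingKeys[i];
        kv[n++] = p->testing_paths[i];
    }
    kv[n] = NULL;
    return n;
}

#ifdef __APPLE__
/* Private libsystem_sandbox entry point; no public header declares it. */
extern int sandbox_init_with_parameters(const char *profile, uint64_t flags,
                                        const char *const parameters[],
                                        char **errorbuf);
extern void sandbox_free_error(char *errorbuf);
#endif

/* Apply the sandbox before the plugin library is loaded. Off macOS this only
 * validates the inputs and builds the profile. */
int start_gmp_sandbox(int argc, char **argv)
{
    struct SandboxParams p;
    char profile[1024];
    const char *kv[2 * (1 + MAX_TESTING_PATHS) + 1];

    if (parse_sandbox_args(argc, argv, &p) != 0) return -1;
    if (build_profile(&p, profile, sizeof profile) < 0) return -1;
    build_param_array(&p, kv);
#ifdef __APPLE__
    char *err = NULL;
    if (sandbox_init_with_parameters(profile, 0, kv, &err) != 0) {
        fprintf(stderr, "sandbox_init_with_parameters: %s\n", err ? err : "unknown error");
        if (err) sandbox_free_error(err);
        return -1;
    }
#endif
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        /* Constructed sample command line; the plugin path is made up. */
        static char *sample[] = { "gmp-child", "-sbLevel", "1",
                                  "-sbPluginPath", "/tmp/gmp-widevinecdm/1.4.9.1088" };
        argc = 5;
        argv = sample;
    }
    if (start_gmp_sandbox(argc, argv) != 0) {
        fprintf(stderr, "refusing to load the plugin without a sandbox\n");
        return 1;
    }
    puts("sandbox parameters accepted; the plugin may now be loaded");
    return 0;
}
```

The point worth keeping from this sketch is the ordering: the child refuses to continue if the parent did not tell it where the plugin lives, because after the profile is applied that directory is the only thing it may read, and the profile only references a (param ...) when the matching value is placed in the array, so a parameter the profile names but the parent never sent cannot silently widen or break the policy.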

Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ffc8d151cf3a
Part 1 - Move GetRepoDir(), GetObjDir(), IsDevelopmentBuild() from ContentChild to nsMacUtilsImpl r=spohl
https://hg.mozilla.org/integration/autoland/rev/5f9d32e26c71
Part 2 - Start the GMP sandbox earlier during process startup r=jya,cpearce
Attachment #9070453 - Attachment description: Bug 1498742 - Part 1 - Move GetRepoDir(), GetObjDir(), IsDevelopmentBuild() from ContentChild to nsMacUtilsImpl r?spohl → Bug 1498742 - Part 1 - Move GetRepoDir() and GetObjDir() from ContentChild to nsMacUtilsImpl r?spohl
Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e5eed57a9111
Part 1 - Move GetRepoDir() and GetObjDir() from ContentChild to nsMacUtilsImpl r=spohl
https://hg.mozilla.org/integration/autoland/rev/6729dc168afd
Part 2 - Start the GMP sandbox earlier during process startup r=jya,cpearce
Flags: needinfo?(haftandilian)
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Backout by btara@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/3a8238bf97de
Backed out 2 changesets for nsMacUtilsImpl.cpp related build bustage a=backout

Backed out 2 changesets (Bug 1498742) for nsMacUtilsImpl.cpp related build bustage
https://hg.mozilla.org/mozilla-central/rev/3a8238bf97de

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Reason for backout:
https://treeherder.mozilla.org/#/jobs?repo=autoland&searchStr=os%2Cx%2Ccross%2Ccompiled%2Cccov%2Cdebug%2Cbuild-macosx64-ccov%2Fdebug%2C%28b%29&tochange=6729dc168afd4186db7cfb4a3bb5810d8fc6a826&fromchange=c5379d7e3e1953bf91b0513b90be9892945b3314&selectedJob=251851424

Failure log:
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=251851424&repo=autoland&lineNumber=12318

[task 2019-06-14T08:55:22.476Z] 08:55:22 INFO - make[4]: Entering directory '/builds/worker/workspace/build/src/obj-firefox/xpcom/base'
[task 2019-06-14T08:55:22.477Z] 08:55:22 INFO - /builds/worker/workspace/build/src/sccache/sccache /builds/worker/workspace/build/src/clang/bin/clang++ -isysroot /builds/worker/workspace/build/src/MacOSX10.11.sdk --target=x86_64-apple-darwin -o nsMacUtilsImpl.o -c -fvisibility=hidden -fvisibility-inlines-hidden -DDEBUG=1 -DOS_POSIX=1 -DOS_MACOSX=1 -DSTATIC_EXPORTABLE_JS_API -DMOZ_HAS_MOZGLUE -DMOZILLA_INTERNAL_API -DIMPL_LIBXUL -I/builds/worker/workspace/build/src/xpcom/base -I/builds/worker/workspace/build/src/obj-firefox/xpcom/base -I/builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/_ipdlheaders -I/builds/worker/workspace/build/src/ipc/chromium/src -I/builds/worker/workspace/build/src/ipc/glue -I/builds/worker/workspace/build/src/xpcom/build -I/builds/worker/workspace/build/src/dom/base -I/builds/worker/workspace/build/src/mfbt -I/builds/worker/workspace/build/src/netwerk/base -I/builds/worker/workspace/build/src/xpcom/ds -I/builds/worker/workspace/build/src/obj-firefox/dist/include -I/builds/worker/workspace/build/src/obj-firefox/dist/include/nspr -I/builds/worker/workspace/build/src/obj-firefox/dist/include/nss -fPIC -DMOZILLA_CLIENT -include /builds/worker/workspace/build/src/obj-firefox/mozilla-config.h -Qunused-arguments -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -Qunused-arguments -Wall -Wbitfield-enum-conversion -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wshadow-field-in-constructor-modified -Wsign-compare -Wtype-limits -Wunreachable-code -Wunreachable-code-return -Wwrite-strings -Wno-invalid-offsetof -Wclass-varargs -Wfloat-overflow-conversion -Wfloat-zero-conversion -Wloop-analysis -Wc++1z-compat -Wc++2a-compat -Wcomma -Wimplicit-fallthrough -Wstring-conversion -Wtautological-overlap-compare -Wtautological-unsigned-enum-zero-compare -Wtautological-unsigned-zero-compare -Wno-inline-new-delete -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=backend-plugin -Wno-error=return-std-move -Wno-error=atomic-alignment -Wformat -Wformat-security -Wno-gnu-zero-variadic-macro-arguments -Wno-unknown-warning-option -Wno-return-type-c-linkage -fno-sized-deallocation -fcrash-diagnostics-dir=/builds/worker/artifacts -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fno-exceptions -fno-strict-aliasing -stdlib=libc++ -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -g -Xclang -load -Xclang /builds/worker/workspace/build/src/obj-firefox/build/clang-plugin/libclang-plugin.so -Xclang -add-plugin -Xclang moz-check -O3 -fno-omit-frame-pointer -funwind-tables @/builds/worker/workspace/build/src/obj-firefox/code_coverage_cflags -MD -MP -MF .deps/nsMacUtilsImpl.o.pp /builds/worker/workspace/build/src/xpcom/base/nsMacUtilsImpl.cpp
[task 2019-06-14T08:55:22.477Z] 08:55:22 INFO - /builds/worker/workspace/build/src/xpcom/base/nsMacUtilsImpl.cpp:12:10: fatal error: 'mozilla/SandboxSettings.h' file not found
[task 2019-06-14T08:55:22.477Z] 08:55:22 INFO - #include "mozilla/SandboxSettings.h"
[task 2019-06-14T08:55:22.477Z] 08:55:22 INFO - ^~~~~~~~~~~~~~~~~~~~~~~~~~~
[task 2019-06-14T08:55:22.477Z] 08:55:22 INFO - 1 error generated.
[task 2019-06-14T08:55:22.477Z] 08:55:22 INFO - /builds/worker/workspace/build/src/config/rules.mk:810: recipe for target 'nsMacUtilsImpl.o' failed
[task 2019-06-14T08:55:22.477Z] 08:55:22 ERROR - make[4]: *** [nsMacUtilsImpl.o] Error 1
[task 2019-06-14T08:55:22.477Z] 08:55:22 INFO - make[4]: Leaving directory '/builds/worker/workspace/build/src/obj-firefox/xpcom/base'
[task 2019-06-14T08:55:22.477Z] 08:55:22 INFO - /builds/worker/workspace/build/src/config/recurse.mk:74: recipe for target 'xpcom/base/target' failed
[task 2019-06-14T08:55:22.478Z] 08:55:22 ERROR - make[3]: *** [xpcom/base/target] Error 2
[task 2019-06-14T08:55:22.478Z] 08:55:22 INFO - make[3]: *** Waiting for unfinished jobs....
[task 2019-06-14T08:55:22.481Z] 08:55:22 INFO - make[4]: Entering directory '/builds/worker/workspace/build/src/obj-firefox/config/external/icu/i18n'

Flags: needinfo?(haftandilian)

The Ccov build failure appears to be due to missing #ifdef guards in nsMacUtilsImpl.cpp to only #include SandboxSettings.h if MOZ_SANDBOX is defined. I'll add the missing guards, make sure the Ccov build is clean, and re-land.

Flags: needinfo?(haftandilian)
Attachment #9070453 - Attachment description: Bug 1498742 - Part 1 - Move GetRepoDir() and GetObjDir() from ContentChild to nsMacUtilsImpl r?spohl → Bug 1498742 - Part 1 - Move GetRepoDir() and GetObjDir() from ContentChild to nsMacUtilsImpl r=spohl
Attachment #9070454 - Attachment description: Bug 1498742 - Part 2 - Start the GMP sandbox earlier during process startup r?jya → Bug 1498742 - Part 2 - Start the GMP sandbox earlier during process startup r=jya,cpearce
Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4f3e83d8de59
Part 1 - Move GetRepoDir() and GetObjDir() from ContentChild to nsMacUtilsImpl r=spohl
https://hg.mozilla.org/integration/autoland/rev/f6da94d90350
Part 2 - Start the GMP sandbox earlier during process startup r=jya,cpearce
Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6d8143f30d16
Part 1 - Move GetRepoDir() and GetObjDir() from ContentChild to nsMacUtilsImpl r=spohl
https://hg.mozilla.org/integration/autoland/rev/41ab55fee001
Part 2 - Start the GMP sandbox earlier during process startup r=jya,cpearce
Flags: needinfo?(haftandilian)
Status: REOPENED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Depends on: 1574510