Hi,

a bit rough around the edges, but works so far in light testing here
with 60.0b15.

There are two pledge() calls so far, more or less at the places where
upstream starts/initiates sandboxing for the tier-1 platforms, and after
a bit of testing this is the subset I've come up with to have it working
more than 5 min, YouTube playing a video being the heavier test I did:

- main process: "stdio rpath wpath cpath inet proc exec prot_exec flock ps sendfd recvfd dns vminfo tty"
- content processes: "stdio rpath wpath cpath inet recvfd sendfd prot_exec unix"

Some code had to be short-circuited to not die upon KERN_PROC_PID
sysctls, and debugging info is printed to stdout:

ComputeProcessUptime called when pledged, noop
pledged main process (pid=20061) with promises: 'stdio rpath wpath cpath inet proc exec prot_exec flock ps sendfd recvfd dns vminfo tty'
GetIsDebuggerAttached called when pledged, noop
pledged content process (pid=72708) with promises: 'stdio rpath wpath cpath inet recvfd sendfd prot_exec unix'

For debugging purposes, the pledge strings are user-configurable via
about:config tweaks ('security.sandbox.pledge.main' and
'security.sandbox.pledge.content'); this way one doesn't need to rebuild
the whole thing to change a pledge.
On top of this, 'security.sandbox.content.level' (used upstream across
all platforms) defaults to 1 so that the content processes get pledged
by default.
In the 'final' version, of course all this will be hardcoded because
security is not a knob, right?

I've opened https://bugzilla.mozilla.org/show_bug.cgi?id=1457092
upstream to start a discussion on how to properly integrate it.

Now, for the testing, either checkout the pledge branch in my git repo:
git clone -b pledge https://rhaalovely.net/git/mozilla-firefox/

and build the port (it will be 60.0b15), or use the resulting pkg from
my repo:
doas env PKG_PATH=https://packages.rhaalovely.net/%m pkg_add firefox

Or you can try building 59.0.2 (in ports now) with the attached diff
below (it applies, but is totally untested).
Of course if you test it, be prepared to watch dmesg for pledge messages
for various aborts, and report to me what you were doing at that time, with
the corresponding message, so that I can try reproducing it.

Landry
diff --git a/Makefile b/Makefile
index 98e4e38..abae30f 100644
--- a/Makefile
+++ b/Makefile
@@ -69,6 +67,7 @@ MAKE_ENV +=           RUSTFLAGS="-C target-cpu=pentium4 --cfg 
target_feature=\"sse2\""
 DPB_PROPERTIES =       lonesome
 .endif
 #CONFIGURE_ARGS +=     --enable-linker=lld
+CONFIGURE_ARGS +=      --enable-sandbox --enable-content-sandbox
 
 SUBST_VARS +=  LOCALBASE X11BASE
 
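Review bot: the hunk header `@@ -69,6 +67,7 @@` starts two lines earlier on the new side than on the old side, which means the generating tree already had lines removed above this point that are not in this diff; against the 59.0.2 port Makefile it will apply with fuzz at best, and the missing earlier hunk should be included or the line numbers regenerated. Also consider putting `--enable-sandbox --enable-content-sandbox` behind a build variable rather than unconditionally into CONFIGURE_ARGS, since `--enable-sandbox` is what defines MOZ_SANDBOX and thereby activates the compile-time noops in the TimeStamp_posix.cpp, nsDebugImpl.cpp and nsMemoryReporterManager.cpp patches for every build of the port.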
diff --git a/files/all-openbsd.js b/files/all-openbsd.js
index 17e84f1..95185c0 100644
--- a/files/all-openbsd.js
+++ b/files/all-openbsd.js
@@ -4,3 +4,7 @@ pref("app.shield.optoutstudies.enabled", false);
 pref("browser.safebrowsing.enabled", false);
 pref("browser.safebrowsing.malware.enabled", false);
 pref("spellchecker.dictionary_path", "${LOCALBASE}/share/mozilla-dicts/");
+// enable pledging the content process
+pref("security.sandbox.content.level", 1);
+pref("security.sandbox.pledge.main","stdio rpath wpath cpath inet proc exec 
prot_exec flock ps sendfd recvfd dns vminfo tty");
+pref("security.sandbox.pledge.content","stdio rpath wpath cpath inet recvfd 
sendfd prot_exec unix");
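Review bot: these two prefs are the entire sandbox policy, and anything in all-openbsd.js can be overridden from the profile, so a prefs.js/user.js change (or any code that writes prefs) can set a wider promise set before the single pledge() at startup is applied; acceptable for a test build as the mail says, but the final version should not source the promise string from a pref. Also note the fail mode: `security.sandbox.content.level` at 1 enables the pledge path, but if `security.sandbox.pledge.content` is absent or empty, `Preferences::GetCString` yields an empty string and `pledge("")` confines the content process to essentially nothing, so the two prefs must always ship together. The two string literals are mail-wrapped across lines here and will not parse until rejoined.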
diff --git a/patches/patch-dom_ipc_ContentChild_cpp 
b/patches/patch-dom_ipc_ContentChild_cpp
new file mode 100644
index 0000000..fd7344c
--- /dev/null
+++ b/patches/patch-dom_ipc_ContentChild_cpp
@@ -0,0 +1,32 @@
+$OpenBSD$
+
+Index: dom/ipc/ContentChild.cpp
+--- dom/ipc/ContentChild.cpp.orig
++++ dom/ipc/ContentChild.cpp
+@@ -97,6 +97,8 @@
+ #include "CubebUtils.h"
+ #elif defined(XP_MACOSX)
+ #include "mozilla/Sandbox.h"
++#elif defined(__OpenBSD__)
++#include <unistd.h>
+ #endif
+ #endif
+ 
+@@ -1719,6 +1721,17 @@ ContentChild::RecvSetProcessSandbox(const MaybeFileDes
+   mozilla::SandboxTarget::Instance()->StartSandbox();
+ #elif defined(XP_MACOSX)
+   sandboxEnabled = StartMacOSContentSandbox();
++#elif defined(__OpenBSD__)
++  nsAutoCString promisesString;
++  Preferences::GetCString("security.sandbox.pledge.content",
++                          promisesString);
++  if (pledge(promisesString.get(), NULL) == -1) {
++    if (errno == EINVAL)
++        printf_stderr("pledge promises for content process is a malformed 
string: '%s'\n", promisesString.get());
++    if (errno == EPERM)
++        printf_stderr("pledge promises for content process cant elevate 
priviledges: '%s'\n", promisesString.get());
++  } else
++      printf_stderr("pledged content process (pid=%d) with promises: '%s'\n", 
getpid() promisesString.get());
+ #endif
+ 
+   CrashReporter::AnnotateCrashReport(
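Review bot: the success branch does not compile: `printf_stderr("pledged content process (pid=%d) with promises: '%s'\n", getpid() promisesString.get());` is missing the comma between `getpid()` and `promisesString.get()` (the nsAppRunner.cpp copy has it). Beyond that, `errno` is tested twice with a `printf_stderr()` call in between, so the EPERM check can see a clobbered value; save errno once right after the failed `pledge()`. `errno` also needs `<errno.h>` next to the new `<unistd.h>` include. On failure the process only logs and continues unpledged, and `sandboxEnabled` is never set on this path (the XP_MACOSX branch sets it from the sandbox result), so the crash annotation below will not reflect what happened; a failed sandbox start should be fatal here. Message text has "cant" and "priviledges", and the long literals are mail-wrapped and must be rejoined before the patch applies.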
diff --git a/patches/patch-gfx_thebes_gfxFcPlatformFontList_cpp 
b/patches/patch-gfx_thebes_gfxFcPlatformFontList_cpp
new file mode 100644
index 0000000..32586c5
--- /dev/null
+++ b/patches/patch-gfx_thebes_gfxFcPlatformFontList_cpp
@@ -0,0 +1,32 @@
+$OpenBSD$
+
+Index: gfx/thebes/gfxFcPlatformFontList.cpp
+--- gfx/thebes/gfxFcPlatformFontList.cpp.orig
++++ gfx/thebes/gfxFcPlatformFontList.cpp
+@@ -41,7 +41,7 @@
+ #include "mozilla/X11Util.h"
+ #endif
+ 
+-#ifdef MOZ_CONTENT_SANDBOX
++#if defined(MOZ_CONTENT_SANDBOX) && !defined(__OpenBSD__)
+ #include "mozilla/SandboxBrokerPolicyFactory.h"
+ #include "mozilla/SandboxSettings.h"
+ #endif
+@@ -1526,7 +1526,7 @@ gfxFcPlatformFontList::AddFontSetFamilies(FcFontSet* a
+             continue;
+         }
+ 
+-#ifdef MOZ_CONTENT_SANDBOX
++#if defined(MOZ_CONTENT_SANDBOX) && !defined(__OpenBSD__)
+         // Skip any fonts that will be blocked by the content-process sandbox
+         // policy.
+         if (aPolicy && !(aPolicy->Lookup(reinterpret_cast<const char*>(path)) 
&
+@@ -1688,7 +1688,7 @@ gfxFcPlatformFontList::InitFontListForPlatform()
+ 
+     UniquePtr<SandboxPolicy> policy;
+ 
+-#ifdef MOZ_CONTENT_SANDBOX
++#if defined(MOZ_CONTENT_SANDBOX) && !defined(__OpenBSD__)
+     // If read sandboxing is enabled, create a temporary SandboxPolicy to
+     // check font paths; use a fake PID to avoid picking up any PID-specific
+     // rules by accident.
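Review bot: the condition `#if defined(MOZ_CONTENT_SANDBOX) && !defined(__OpenBSD__)` is now repeated in three places here and two in gfxFcPlatformFontList.h; a single feature macro defined once (or not defining MOZ_CONTENT_SANDBOX for OpenBSD at the build level, since only the broker code is guarded by it) would keep the five copies from drifting. Behaviourally this is fine: with the broker excluded, `policy` stays null and the `if (aPolicy && !(aPolicy->Lookup(...)` filter in AddFontSetFamilies is skipped, so no fonts are hidden from content processes, which matches pledge having no path-based policy. This hunk and the header hunk must land together, since the header's `#else` dummy SandboxPolicy type is what keeps the signature compiling.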
diff --git a/patches/patch-gfx_thebes_gfxFcPlatformFontList_h 
b/patches/patch-gfx_thebes_gfxFcPlatformFontList_h
new file mode 100644
index 0000000..f051b63
--- /dev/null
+++ b/patches/patch-gfx_thebes_gfxFcPlatformFontList_h
@@ -0,0 +1,23 @@
+$OpenBSD$
+
+Index: gfx/thebes/gfxFcPlatformFontList.h
+--- gfx/thebes/gfxFcPlatformFontList.h.orig
++++ gfx/thebes/gfxFcPlatformFontList.h
+@@ -22,7 +22,7 @@
+ #include <cairo.h>
+ #include <cairo-ft.h>
+ 
+-#ifdef MOZ_CONTENT_SANDBOX
++#if defined(MOZ_CONTENT_SANDBOX) && !defined(__OpenBSD__)
+ #include "mozilla/SandboxBroker.h"
+ #endif
+ 
+@@ -325,7 +325,7 @@ class gfxFcPlatformFontList : public gfxPlatformFontLi
+ protected:
+     virtual ~gfxFcPlatformFontList();
+ 
+-#ifdef MOZ_CONTENT_SANDBOX
++#if defined(MOZ_CONTENT_SANDBOX) && !defined(__OpenBSD__)
+     typedef mozilla::SandboxBroker::Policy SandboxPolicy;
+ #else
+     // Dummy type just so we can still have a SandboxPolicy* parameter.
diff --git a/patches/patch-mozglue_misc_TimeStamp_posix_cpp 
b/patches/patch-mozglue_misc_TimeStamp_posix_cpp
new file mode 100644
index 0000000..51a15e3
--- /dev/null
+++ b/patches/patch-mozglue_misc_TimeStamp_posix_cpp
@@ -0,0 +1,17 @@
+$OpenBSD$
+
+neuter KERN_PROC sysctl when running w/ pledge
+Index: mozglue/misc/TimeStamp_posix.cpp
+--- mozglue/misc/TimeStamp_posix.cpp.orig
++++ mozglue/misc/TimeStamp_posix.cpp
+@@ -313,6 +313,10 @@ TimeStamp::ComputeProcessUptime()
+   struct timespec ts;
+   int rv = clock_gettime(CLOCK_REALTIME, &ts);
+ 
++#if defined(__OpenBSD__) && defined(MOZ_SANDBOX)
++  fprintf(stderr, "%s called when pledged, noop\n", __func__);
++  return 0;
++#endif
+   if (rv == -1) {
+     return 0;
+   }
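Review bot: the early return is compile-time (`defined(MOZ_SANDBOX)`), not conditional on pledge() having been called, so `ComputeProcessUptime()` returns 0 in every sandbox-enabled build, including the main process before its pledge and any run where the pref disables sandboxing; the message "called when pledged" is therefore misleading and prints on every call. The block also sits after `clock_gettime()`, leaving `ts` and `rv` computed but unused (expect an unused-variable warning), and uses `fprintf(stderr, ...)` where the other hunks use `printf_stderr()`. Suggest moving the `#if` above the `clock_gettime()` call and gating it on a runtime flag set where pledge() succeeds.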
diff --git a/patches/patch-toolkit_xre_nsAppRunner_cpp 
b/patches/patch-toolkit_xre_nsAppRunner_cpp
new file mode 100644
index 0000000..4fa3168
--- /dev/null
+++ b/patches/patch-toolkit_xre_nsAppRunner_cpp
@@ -0,0 +1,24 @@
+$OpenBSD$
+
+Index: toolkit/xre/nsAppRunner.cpp
+--- toolkit/xre/nsAppRunner.cpp.orig
++++ toolkit/xre/nsAppRunner.cpp
+@@ -4450,6 +4450,18 @@ void AddSandboxAnnotations()
+   sandboxCapable = true;
+ #elif defined(XP_LINUX)
+   sandboxCapable = SandboxInfo::Get().CanSandboxContent();
++#elif defined(__OpenBSD__)
++  sandboxCapable = true;
++  nsAutoCString promisesString;
++  Preferences::GetCString("security.sandbox.pledge.main",
++                          promisesString);
++  if (pledge(promisesString.get(), NULL) == -1) {
++    if (errno == EINVAL)
++        printf_stderr("pledge promises for main process is a malformed 
string: '%s'\n", promisesString.get());
++    if (errno == EPERM)
++        printf_stderr("pledge promises for main process cant elevate 
priviledges: '%s'\n", promisesString.get());
++  } else
++      printf_stderr("pledged main process (pid=%d) with promises: '%s'\n", 
getpid(), promisesString.get());
+ #endif
+ 
+   CrashReporter::AnnotateCrashReport(
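Review bot: pledging the main process is a side effect inside `AddSandboxAnnotations()`, a function whose name and surrounding code only collect crash-report annotations; nobody reading or reordering the annotation code will expect the process to be confined at this point, so a dedicated call site is warranted. Same defects as the content-process hunk: `errno` is read twice around a `printf_stderr()`, no `<errno.h>`/`<unistd.h>` include hunk is present in this patch (unlike ContentChild.cpp), the failure path logs and continues unpledged instead of aborting, and `sandboxCapable = true` is recorded before `pledge()` is even attempted, so the annotation claims a sandbox on failure too. Message text has "cant" and "priviledges", and the literals are mail-wrapped.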
diff --git a/patches/patch-xpcom_base_nsDebugImpl_cpp 
b/patches/patch-xpcom_base_nsDebugImpl_cpp
new file mode 100644
index 0000000..accfdd0
--- /dev/null
+++ b/patches/patch-xpcom_base_nsDebugImpl_cpp
@@ -0,0 +1,17 @@
+$OpenBSD$
+
+neuter KERN_PROC sysctl when running w/ pledge
+Index: xpcom/base/nsDebugImpl.cpp
+--- xpcom/base/nsDebugImpl.cpp.orig
++++ xpcom/base/nsDebugImpl.cpp
+@@ -180,6 +180,10 @@ nsDebugImpl::GetIsDebuggerAttached(bool* aResult)
+ {
+   *aResult = false;
+ 
++#if defined(__OpenBSD__) && defined(MOZ_SANDBOX)
++//  printf_stderr("%s called when pledged, noop\n", __func__);
++  return NS_OK;
++#endif
+ #if defined(XP_WIN)
+   *aResult = ::IsDebuggerPresent();
+ #elif defined(XP_MACOSX) || defined(__DragonFly__) || defined(__FreeBSD__) \
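Review bot: the debug print is left commented out here while the other two neutered sysctl callers print unconditionally; pick one behaviour (a runtime flag, since the guard is compile-time) and drop the commented line rather than shipping it. Returning NS_OK with `*aResult = false` is the right fail-safe answer for a debugger check.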
diff --git a/patches/patch-xpcom_base_nsMemoryReporterManager_cpp 
b/patches/patch-xpcom_base_nsMemoryReporterManager_cpp
new file mode 100644
index 0000000..b5f0a15
--- /dev/null
+++ b/patches/patch-xpcom_base_nsMemoryReporterManager_cpp
@@ -0,0 +1,17 @@
+$OpenBSD$
+
+neuter KERN_PROC sysctl when running w/ pledge
+Index: xpcom/base/nsMemoryReporterManager.cpp
+--- xpcom/base/nsMemoryReporterManager.cpp.orig
++++ xpcom/base/nsMemoryReporterManager.cpp
+@@ -220,6 +220,10 @@ SystemHeapSize(int64_t* aSizeOut)
+ static MOZ_MUST_USE nsresult
+ GetKinfoProcSelf(KINFO_PROC* aProc)
+ {
++#if defined(__OpenBSD__) && defined(MOZ_SANDBOX)
++  printf_stderr("%s called when pledged, noop\n", __func__);
++  return NS_ERROR_FAILURE;
++#endif
+   int mib[] = {
+     CTL_KERN,
+     KERN_PROC,
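Review bot: same compile-time guard as TimeStamp_posix.cpp: `GetKinfoProcSelf()` fails in every MOZ_SANDBOX build regardless of whether pledge() was applied, and the `printf_stderr()` fires on every memory-reporter run (about:memory, telemetry), so expect stderr spam; return NS_ERROR_FAILURE silently or behind a runtime "pledged" flag. Returning failure rather than attempting the KERN_PROC sysctl is the right call for a pledged process.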

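An added example, not part of Landry's patch or the Firefox tree: a small pledge() wrapper in C showing the checks the two pledge call sites above would benefit from (refusing an empty promise string such as an unset pref, validating tokens before the call, saving errno before logging, and returning a code the caller can treat as fatal). The promise keyword list is assumed from pledge(2); the stub pledge() exists only so the logic compiles and runs on non-OpenBSD hosts.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Stub so the wrapper logic runs on hosts without pledge(2): always succeeds. */
static int pledge(const char *p, const char *e) { (void)p; (void)e; return 0; }
#endif

/* Promise keywords as listed in pledge(2); assumed here, verify against the man page. */
static const char *const known_promises[] = {
    "stdio", "rpath", "wpath", "cpath", "dpath", "tmppath", "inet", "mcast", "fattr",
    "chown", "flock", "unix", "dns", "getpw", "sendfd", "recvfd", "tape", "tty",
    "proc", "exec", "prot_exec", "settime", "ps", "vminfo", "id", "pf", "route",
    "wroute", "audio", "video", "bpf", "unveil", "error", "disklabel", "drm", "vmm", NULL };

enum { PLEDGE_OK = 0, PLEDGE_EMPTY = 1, PLEDGE_UNKNOWN = 2 };
/* Reject an empty set (an unset pref would otherwise pledge "nothing" and the
 * process dies on its next syscall) and any token pledge(2) does not know. */
int check_promises(const char *promises) {
    char buf[256];
    if (promises == NULL || promises[0] == '\0') return PLEDGE_EMPTY;
    snprintf(buf, sizeof buf, "%s", promises);
    for (char *tok = strtok(buf, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
        const char *const *k = known_promises;
        while (*k != NULL && strcmp(*k, tok) != 0) k++;
        if (*k == NULL) return PLEDGE_UNKNOWN;
    }
    return PLEDGE_OK;
}

/* Validate, then pledge. errno is saved before logging so the reported cause is the
 * one pledge() set (EINVAL: malformed, EPERM: attempt to widen). Any non-zero return
 * means the process is NOT pledged; the caller should abort, not carry on unconfined. */
int apply_pledge(const char *role, const char *promises) {
    int rc = check_promises(promises);
    if (rc != PLEDGE_OK) {
        fprintf(stderr, "%s: refusing promise string '%s'\n", role, promises ? promises : "(null)");
        return rc;
    }
    if (pledge(promises, NULL) == -1) {
        int saved = errno;
        fprintf(stderr, "%s: pledge failed: %s\n", role, strerror(saved));
        return -saved;  /* negative errno, e.g. -EINVAL or -EPERM */
    }
    fprintf(stderr, "%s: pledged pid=%d with '%s'\n", role, (int)getpid(), promises);
    return PLEDGE_OK;
}
```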