/**
 * Installs the seccomp-bpf sandbox for the calling process.
 *
 * Expected to run exactly once, right after SetCurrentProcessPrivileges and
 * before any untrusted content is loaded. Both installation steps are
 * attempted in order; a failure of either is logged but does NOT stop the
 * process (see below).
 *
 * SECURITY NOTE: this routine currently fails open. The _exit(127) calls that
 * would have terminated an unsandboxed process are deliberately left out
 * until every B2G device is required to support seccomp-bpf (bug 880797
 * tracks reversing this). Until then a process whose filter could not be
 * installed keeps running with no syscall filter at all, and the
 * PR_LOG_ERROR line is the only indication that this happened.
 */
void SetCurrentProcessSandbox(void)
{
#ifdef PR_LOGGING
  // Create the log module lazily so the error paths below have somewhere to
  // write. The assert only exists under PR_LOGGING; other builds skip it.
  if (!gSeccompSandboxLog) {
    gSeccompSandboxLog = PR_NewLogModule("SeccompSandbox");
  }
  PR_ASSERT(gSeccompSandboxLog);
#endif

#ifdef MOZ_CONTENT_SANDBOX_REPORTER
  const int reporterFailed = InstallSyscallReporter();
  if (reporterFailed) {
    PR_LOG(gSeccompSandboxLog, PR_LOG_ERROR,
           ("install_syscall_reporter() failed\n"));
    // Intentionally no _exit(127) here: kept fail-open so devices without
    // seccomp-bpf keep working. Bug 880797 is the place this gets reversed.
  }
#endif

  const int filterFailed = InstallSyscallFilter();
  if (filterFailed) {
    PR_LOG(gSeccompSandboxLog, PR_LOG_ERROR,
           ("install_syscall_filter() failed\n"));
    // Intentionally no _exit(127) here either; see bug 880797.
  }
}
// Common code for sandbox startup. static void SetCurrentProcessSandbox(SandboxType aType) { if (InstallSyscallReporter()) { LOG_ERROR("install_syscall_reporter() failed\n"); } BroadcastSetThreadSandbox(aType); }
// Common code for sandbox startup. static void SetCurrentProcessSandbox(SandboxType aType) { MOZ_ASSERT(gSandboxCrashFunc); if (InstallSyscallReporter()) { SANDBOX_LOG_ERROR("install_syscall_reporter() failed\n"); } BroadcastSetThreadSandbox(aType); }
// Common code for sandbox startup. static void SetCurrentProcessSandbox(SandboxType aType) { MOZ_ASSERT(gSandboxCrashFunc); if (InstallSyscallReporter()) { SANDBOX_LOG_ERROR("install_syscall_reporter() failed\n"); } #ifdef MOZ_ASAN __sanitizer_sandbox_arguments asanArgs; asanArgs.coverage_sandboxed = 1; asanArgs.coverage_fd = -1; asanArgs.coverage_max_block_size = 0; __sanitizer_sandbox_on_notify(&asanArgs); #endif BroadcastSetThreadSandbox(aType); }
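/**
 * Starts the seccomp sandbox for this process.
 *
 * Must be called exactly once, before any potentially harmful content is
 * loaded. The syscall reporter (when built in) is best effort: a failure is
 * logged and startup continues. The filter itself is applied to all threads
 * via BroadcastSetThreadSandbox, but only when IsSandboxingSupported()
 * reports that the kernel can take it.
 *
 * SECURITY NOTE: this fails open. When sandboxing is unsupported the process
 * keeps running with no syscall filter at all. That fallback is intentional
 * and is preserved here; previously it was completely silent, so it is now
 * logged to make an unsandboxed process visible to anyone reading the logs.
 *
 * NOTE(review): an earlier header comment claimed this routine also sets
 * user/group-based privileges; nothing in this body does that — confirm
 * whether that moved to a separate call before relying on it.
 */
void SetCurrentProcessSandbox()
{
#if !defined(ANDROID) && defined(PR_LOGGING)
  // Create the NSPR log module on first use. Android is excluded here
  // (presumably it logs through the platform logger — confirm).
  if (!gSeccompSandboxLog) {
    gSeccompSandboxLog = PR_NewLogModule("SeccompSandbox");
  }
  PR_ASSERT(gSeccompSandboxLog);
#endif

#if defined(MOZ_CONTENT_SANDBOX_REPORTER)
  if (InstallSyscallReporter()) {
    LOG_ERROR("install_syscall_reporter() failed\n");
  }
#endif

  if (IsSandboxingSupported()) {
    BroadcastSetThreadSandbox();
  } else {
    // Fail-open path: no filter is installed. Log it instead of returning
    // silently so the missing sandbox is observable.
    LOG_ERROR("seccomp-bpf sandboxing not supported; continuing unsandboxed\n");
  }
}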