The Tor Browser: dom/ipc/AppProcessChecker.cpp@7e26c7da4463 (annotated)

dom/ipc/AppProcessChecker.cpp@7e26c7da4463 (annotated)

dom/ipc/AppProcessChecker.cpp

Wed, 31 Dec 2014 06:55:50 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Wed, 31 Dec 2014 06:55:50 +0100
changeset 2: 7e26c7da4463
permissions: -rw-r--r--

Added tag UPSTREAM_283F7C6 for changeset ca08bd8f51b2

 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  * vim: sw=2 ts=8 et :
  */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "AppProcessChecker.h"
 #include "nsIPermissionManager.h"
 #ifdef MOZ_CHILD_PERMISSIONS
 #include "ContentParent.h"
 #include "mozIApplication.h"
 #include "mozilla/hal_sandbox/PHalParent.h"
 #include "nsIAppsService.h"
 #include "nsIPrincipal.h"
 #include "nsIScriptSecurityManager.h"
 #include "nsPrintfCString.h"
 #include "nsIURI.h"
 #include "nsNetUtil.h"
 #include "nsServiceManagerUtils.h"
 #include "TabParent.h"
 #include <algorithm>
 using namespace mozilla::dom;
 using namespace mozilla::hal_sandbox;
 using namespace mozilla::services;
 #else
 namespace mozilla {
 namespace dom {
 class PContentParent;
 }
 }
 class nsIPrincipal;
 #endif
 namespace mozilla {
 #ifdef MOZ_CHILD_PERMISSIONS
 bool
 AssertAppProcess(PBrowserParent* aActor,
                  AssertAppProcessType aType,
                  const char* aCapability)
 {
   if (!aActor) {
     NS_WARNING("Testing process capability for null actor");
     return false;
   }
   TabParent* tab = static_cast<TabParent*>(aActor);
   nsCOMPtr<mozIApplication> app = tab->GetOwnOrContainingApp();
   bool aValid = false;
   // isBrowser frames inherit their app descriptor to identify their
   // data storage, but they don't inherit the capability associated
   // with that descriptor.
   if (app && (aType == ASSERT_APP_HAS_PERMISSION || !tab->IsBrowserElement())) {
     switch (aType) {
       case ASSERT_APP_HAS_PERMISSION:
       case ASSERT_APP_PROCESS_PERMISSION:
         if (!NS_SUCCEEDED(app->HasPermission(aCapability, &aValid))) {
           aValid = false;
         }
         break;
       case ASSERT_APP_PROCESS_MANIFEST_URL: {
         nsAutoString manifestURL;
         if (NS_SUCCEEDED(app->GetManifestURL(manifestURL)) &&
             manifestURL.EqualsASCII(aCapability)) {
           aValid = true;
         }
         break;
       }
       default:
         break;
     }
   }
   return aValid;
 }
 bool
 AssertAppStatus(PBrowserParent* aActor,
                 unsigned short aStatus)
 {
   if (!aActor) {
     NS_WARNING("Testing process capability for null actor");
     return false;
   }
   TabParent* tab = static_cast<TabParent*>(aActor);
   nsCOMPtr<mozIApplication> app = tab->GetOwnOrContainingApp();
   bool valid = false;
   if (app) {
     unsigned short appStatus = 0;
     if (NS_SUCCEEDED(app->GetAppStatus(&appStatus))) {
       valid = appStatus == aStatus;
     }
   }
   return valid;
 }
 bool
 AssertAppProcess(PContentParent* aActor,
                  AssertAppProcessType aType,
                  const char* aCapability)
 {
   const InfallibleTArray<PBrowserParent*>& browsers =
     aActor->ManagedPBrowserParent();
   for (uint32_t i = 0; i < browsers.Length(); ++i) {
     if (AssertAppProcess(browsers[i], aType, aCapability)) {
       return true;
     }
   }
   NS_ERROR(
     nsPrintfCString(
       "Security problem: Content process does not have `%s'.  It will be killed.\n",
       aCapability).get());
   static_cast<ContentParent*>(aActor)->KillHard();
   return false;
 }
 bool
 AssertAppStatus(PContentParent* aActor,
                 unsigned short aStatus)
 {
   const InfallibleTArray<PBrowserParent*>& browsers =
     aActor->ManagedPBrowserParent();
   for (uint32_t i = 0; i < browsers.Length(); ++i) {
     if (AssertAppStatus(browsers[i], aStatus)) {
       return true;
     }
   }
   NS_ERROR(
     nsPrintfCString(
       "Security problem: Content process does not have `%d' status.  It will be killed.",
       aStatus).get());
   static_cast<ContentParent*>(aActor)->KillHard();
   return false;
 }
 bool
 AssertAppProcess(PHalParent* aActor,
                  AssertAppProcessType aType,
                  const char* aCapability)
 {
   return AssertAppProcess(aActor->Manager(), aType, aCapability);
 }
 bool
 AssertAppPrincipal(PContentParent* aActor,
                    nsIPrincipal* aPrincipal)
 {
   if (!aPrincipal) {
     NS_WARNING("Principal is invalid, killing app process");
     static_cast<ContentParent*>(aActor)->KillHard();
     return false;
   }
   uint32_t principalAppId = aPrincipal->GetAppId();
   bool inBrowserElement = aPrincipal->GetIsInBrowserElement();
   // Check if the permission's appId matches a child we manage.
   const InfallibleTArray<PBrowserParent*>& browsers =
     aActor->ManagedPBrowserParent();
   for (uint32_t i = 0; i < browsers.Length(); ++i) {
     TabParent* tab = static_cast<TabParent*>(browsers[i]);
     if (tab->OwnOrContainingAppId() == principalAppId) {
       // If the child only runs inBrowserElement content and the principal claims
       // it's not in a browser element, it's lying.
       if (!tab->IsBrowserElement() || inBrowserElement) {
         return true;
       }
       break;
     }
   }
   NS_WARNING("Principal is invalid, killing app process");
   static_cast<ContentParent*>(aActor)->KillHard();
   return false;
 }
 already_AddRefed<nsIPrincipal>
 GetAppPrincipal(uint32_t aAppId)
 {
   nsCOMPtr<nsIAppsService> appsService = do_GetService(APPS_SERVICE_CONTRACTID);
   nsCOMPtr<mozIApplication> app;
   nsresult rv = appsService->GetAppByLocalId(aAppId, getter_AddRefs(app));
   NS_ENSURE_SUCCESS(rv, nullptr);
   nsString origin;
   rv = app->GetOrigin(origin);
   NS_ENSURE_SUCCESS(rv, nullptr);
   nsCOMPtr<nsIURI> uri;
   NS_NewURI(getter_AddRefs(uri), origin);
   nsCOMPtr<nsIScriptSecurityManager> secMan =
     do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
   nsCOMPtr<nsIPrincipal> appPrincipal;
   rv = secMan->GetAppCodebasePrincipal(uri, aAppId, false,
                                        getter_AddRefs(appPrincipal));
   NS_ENSURE_SUCCESS(rv, nullptr);
   return appPrincipal.forget();
 }
 uint32_t
 CheckPermission(PContentParent* aActor,
                 nsIPrincipal* aPrincipal,
                 const char* aPermission)
 {
   if (!AssertAppPrincipal(aActor, aPrincipal)) {
     return nsIPermissionManager::DENY_ACTION;
   }
   nsCOMPtr<nsIPermissionManager> pm =
     do_GetService(NS_PERMISSIONMANAGER_CONTRACTID);
   NS_ENSURE_TRUE(pm, nsIPermissionManager::DENY_ACTION);
   // Make sure that `aPermission' is an app permission before checking the origin.
   nsCOMPtr<nsIPrincipal> appPrincipal = GetAppPrincipal(aPrincipal->GetAppId());
   uint32_t appPerm = nsIPermissionManager::UNKNOWN_ACTION;
   nsresult rv = pm->TestExactPermissionFromPrincipal(appPrincipal, aPermission, &appPerm);
   NS_ENSURE_SUCCESS(rv, nsIPermissionManager::UNKNOWN_ACTION);
   // Setting to "deny" in the settings UI should deny everywhere.
   if (appPerm == nsIPermissionManager::UNKNOWN_ACTION ||
       appPerm == nsIPermissionManager::DENY_ACTION) {
     return appPerm;
   }
   uint32_t permission = nsIPermissionManager::UNKNOWN_ACTION;
   rv = pm->TestExactPermissionFromPrincipal(aPrincipal, aPermission, &permission);
   NS_ENSURE_SUCCESS(rv, nsIPermissionManager::UNKNOWN_ACTION);
   if (permission == nsIPermissionManager::UNKNOWN_ACTION ||
       permission == nsIPermissionManager::DENY_ACTION) {
     return permission;
   }
   // For browser content (and if the app hasn't explicitly denied this),
   // consider the requesting origin, not the app.
   if (appPerm == nsIPermissionManager::PROMPT_ACTION &&
       aPrincipal->GetIsInBrowserElement()) {
     return permission;
   }
   // Setting to "prompt" in the settings UI should prompt everywhere in
   // non-browser content.
   if (appPerm == nsIPermissionManager::PROMPT_ACTION ||
       permission == nsIPermissionManager::PROMPT_ACTION) {
     return nsIPermissionManager::PROMPT_ACTION;
   }
   if (appPerm == nsIPermissionManager::ALLOW_ACTION ||
       permission == nsIPermissionManager::ALLOW_ACTION) {
     return nsIPermissionManager::ALLOW_ACTION;
   }
   NS_RUNTIMEABORT("Invalid permission value");
   return nsIPermissionManager::DENY_ACTION;
 }
 #else
 bool
 AssertAppProcess(mozilla::dom::PBrowserParent* aActor,
                  AssertAppProcessType aType,
                  const char* aCapability)
 {
   return true;
 }
 bool
 AssertAppStatus(mozilla::dom::PBrowserParent* aActor,
                 unsigned short aStatus)
 {
   return true;
 }
 bool
 AssertAppProcess(mozilla::dom::PContentParent* aActor,
                  AssertAppProcessType aType,
                  const char* aCapability)
 {
   return true;
 }
 bool
 AssertAppStatus(mozilla::dom::PContentParent* aActor,
                 unsigned short aStatus)
 {
   return true;
 }
 bool
 AssertAppProcess(mozilla::hal_sandbox::PHalParent* aActor,
                  AssertAppProcessType aType,
                  const char* aCapability)
 {
   return true;
 }
 bool
 AssertAppPrincipal(mozilla::dom::PContentParent* aActor,
                    nsIPrincipal* aPrincipal)
 {
   return true;
 }
 uint32_t
 CheckPermission(mozilla::dom::PContentParent* aActor,
                 nsIPrincipal* aPrincipal,
                 const char* aPermission)
 {
   return nsIPermissionManager::ALLOW_ACTION;
 }
 #endif
 } // namespace mozilla

The Tor Browser / annotate

dom/ipc/AppProcessChecker.cpp@7e26c7da4463 (annotated)

dom/ipc/AppProcessChecker.cpp