mirror of
https://github.com/classilla/tenfourfox.git
synced 2024-12-29 02:31:05 +00:00
417 lines
11 KiB
C++
417 lines
11 KiB
C++
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
|
* You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "AppProcessChecker.h"
|
|
#include "nsIPermissionManager.h"
|
|
#ifdef MOZ_CHILD_PERMISSIONS
|
|
#include "ContentParent.h"
|
|
#include "mozIApplication.h"
|
|
#include "mozilla/hal_sandbox/PHalParent.h"
|
|
#include "nsIAppsService.h"
|
|
#include "nsIPrincipal.h"
|
|
#include "nsPrintfCString.h"
|
|
#include "nsIURI.h"
|
|
#include "nsContentUtils.h"
|
|
#include "nsNetUtil.h"
|
|
#include "nsServiceManagerUtils.h"
|
|
#include "TabParent.h"
|
|
|
|
#include <algorithm>
|
|
|
|
using namespace mozilla::dom;
|
|
using namespace mozilla::hal_sandbox;
|
|
using namespace mozilla::services;
|
|
#else
|
|
namespace mozilla {
|
|
namespace dom {
|
|
class PContentParent;
|
|
} // namespace dom
|
|
} // namespace mozilla
|
|
|
|
class nsIPrincipal;
|
|
#endif
|
|
|
|
namespace mozilla {
|
|
|
|
#if DEUBG
|
|
#define LOG(args...) printf_stderr(args)
|
|
#else
|
|
#define LOG(...)
|
|
#endif
|
|
|
|
#ifdef MOZ_CHILD_PERMISSIONS
|
|
|
|
static bool
|
|
CheckAppTypeHelper(mozIApplication* aApp,
|
|
AssertAppProcessType aType,
|
|
const char* aCapability,
|
|
bool aIsBrowserElement)
|
|
{
|
|
bool aValid = false;
|
|
|
|
// isBrowser frames inherit their app descriptor to identify their
|
|
// data storage, but they don't inherit the capability associated
|
|
// with that descriptor.
|
|
if (aApp && (aType == ASSERT_APP_HAS_PERMISSION || !aIsBrowserElement)) {
|
|
switch (aType) {
|
|
case ASSERT_APP_HAS_PERMISSION:
|
|
case ASSERT_APP_PROCESS_PERMISSION:
|
|
if (!NS_SUCCEEDED(aApp->HasPermission(aCapability, &aValid))) {
|
|
aValid = false;
|
|
}
|
|
break;
|
|
case ASSERT_APP_PROCESS_MANIFEST_URL: {
|
|
nsAutoString manifestURL;
|
|
if (NS_SUCCEEDED(aApp->GetManifestURL(manifestURL)) &&
|
|
manifestURL.EqualsASCII(aCapability)) {
|
|
aValid = true;
|
|
}
|
|
break;
|
|
}
|
|
default:
|
|
break;
|
|
}
|
|
}
|
|
return aValid;
|
|
}
|
|
|
|
bool
|
|
AssertAppProcess(PBrowserParent* aActor,
|
|
AssertAppProcessType aType,
|
|
const char* aCapability)
|
|
{
|
|
if (!aActor) {
|
|
NS_WARNING("Testing process capability for null actor");
|
|
return false;
|
|
}
|
|
|
|
TabParent* tab = TabParent::GetFrom(aActor);
|
|
nsCOMPtr<mozIApplication> app = tab->GetOwnOrContainingApp();
|
|
|
|
return CheckAppTypeHelper(app, aType, aCapability, tab->IsBrowserElement());
|
|
}
|
|
|
|
static bool
|
|
CheckAppStatusHelper(mozIApplication* aApp,
|
|
unsigned short aStatus)
|
|
{
|
|
bool valid = false;
|
|
|
|
if (aApp) {
|
|
unsigned short appStatus = 0;
|
|
if (NS_SUCCEEDED(aApp->GetAppStatus(&appStatus))) {
|
|
valid = appStatus == aStatus;
|
|
}
|
|
}
|
|
|
|
return valid;
|
|
}
|
|
|
|
bool
|
|
AssertAppStatus(PBrowserParent* aActor,
|
|
unsigned short aStatus)
|
|
{
|
|
if (!aActor) {
|
|
NS_WARNING("Testing process capability for null actor");
|
|
return false;
|
|
}
|
|
|
|
TabParent* tab = TabParent::GetFrom(aActor);
|
|
nsCOMPtr<mozIApplication> app = tab->GetOwnOrContainingApp();
|
|
|
|
return CheckAppStatusHelper(app, aStatus);
|
|
}
|
|
|
|
// A general purpose helper function to check permission against the origin
|
|
// rather than mozIApplication.
|
|
static bool
|
|
CheckOriginPermission(const nsACString& aOrigin, const char* aPermission)
|
|
{
|
|
LOG("CheckOriginPermission: %s, %s\n", nsCString(aOrigin).get(), aPermission);
|
|
|
|
nsIScriptSecurityManager *securityManager =
|
|
nsContentUtils::GetSecurityManager();
|
|
|
|
nsCOMPtr<nsIPrincipal> principal;
|
|
securityManager->CreateCodebasePrincipalFromOrigin(aOrigin,
|
|
getter_AddRefs(principal));
|
|
|
|
nsCOMPtr<nsIPermissionManager> permMgr = services::GetPermissionManager();
|
|
NS_ENSURE_TRUE(permMgr, false);
|
|
|
|
uint32_t perm;
|
|
nsresult rv = permMgr->TestExactPermissionFromPrincipal(principal, aPermission, &perm);
|
|
NS_ENSURE_SUCCESS(rv, false);
|
|
|
|
LOG("Permission %s for %s: %d\n", aPermission, nsCString(aOrigin).get(), perm);
|
|
return nsIPermissionManager::ALLOW_ACTION == perm;
|
|
}
|
|
|
|
bool
|
|
AssertAppProcess(TabContext& aContext,
|
|
AssertAppProcessType aType,
|
|
const char* aCapability)
|
|
{
|
|
const mozilla::DocShellOriginAttributes& attr = aContext.OriginAttributesRef();
|
|
nsCString suffix;
|
|
attr.CreateSuffix(suffix);
|
|
|
|
if (!aContext.SignedPkgOriginNoSuffix().IsEmpty()) {
|
|
LOG("TabContext owning signed package origin: %s, originAttr; %s\n",
|
|
nsCString(aContext.SignedPkgOriginNoSuffix()).get(),
|
|
suffix.get());
|
|
}
|
|
|
|
// Do a origin-based permission check if the TabContext owns a signed package.
|
|
if (!aContext.SignedPkgOriginNoSuffix().IsEmpty() &&
|
|
(ASSERT_APP_HAS_PERMISSION == aType || ASSERT_APP_PROCESS_PERMISSION == aType)) {
|
|
nsCString origin = aContext.SignedPkgOriginNoSuffix() + suffix;
|
|
return CheckOriginPermission(origin, aCapability);
|
|
}
|
|
|
|
nsCOMPtr<mozIApplication> app = aContext.GetOwnOrContainingApp();
|
|
return CheckAppTypeHelper(app, aType, aCapability, aContext.IsBrowserElement());
|
|
}
|
|
|
|
bool
|
|
AssertAppStatus(TabContext& aContext,
|
|
unsigned short aStatus)
|
|
{
|
|
|
|
nsCOMPtr<mozIApplication> app = aContext.GetOwnOrContainingApp();
|
|
return CheckAppStatusHelper(app, aStatus);
|
|
}
|
|
|
|
bool
|
|
AssertAppProcess(PContentParent* aActor,
|
|
AssertAppProcessType aType,
|
|
const char* aCapability)
|
|
{
|
|
nsTArray<TabContext> contextArray =
|
|
static_cast<ContentParent*>(aActor)->GetManagedTabContext();
|
|
for (uint32_t i = 0; i < contextArray.Length(); ++i) {
|
|
if (AssertAppProcess(contextArray[i], aType, aCapability)) {
|
|
return true;
|
|
}
|
|
}
|
|
|
|
NS_ERROR(
|
|
nsPrintfCString(
|
|
"Security problem: Content process does not have `%s'. It will be killed.\n",
|
|
aCapability).get());
|
|
|
|
static_cast<ContentParent*>(aActor)->KillHard("AssertAppProcess");
|
|
|
|
return false;
|
|
}
|
|
|
|
bool
|
|
AssertAppStatus(PContentParent* aActor,
|
|
unsigned short aStatus)
|
|
{
|
|
nsTArray<TabContext> contextArray =
|
|
static_cast<ContentParent*>(aActor)->GetManagedTabContext();
|
|
for (uint32_t i = 0; i < contextArray.Length(); ++i) {
|
|
if (AssertAppStatus(contextArray[i], aStatus)) {
|
|
return true;
|
|
}
|
|
}
|
|
|
|
NS_ERROR(
|
|
nsPrintfCString(
|
|
"Security problem: Content process does not have `%d' status. It will be killed.",
|
|
aStatus).get());
|
|
|
|
static_cast<ContentParent*>(aActor)->KillHard("AssertAppStatus");
|
|
|
|
return false;
|
|
}
|
|
|
|
bool
|
|
AssertAppProcess(PHalParent* aActor,
|
|
AssertAppProcessType aType,
|
|
const char* aCapability)
|
|
{
|
|
return AssertAppProcess(aActor->Manager(), aType, aCapability);
|
|
}
|
|
|
|
bool
|
|
AssertAppPrincipal(PContentParent* aActor,
|
|
nsIPrincipal* aPrincipal)
|
|
{
|
|
if (!aPrincipal) {
|
|
NS_WARNING("Principal is invalid, killing app process");
|
|
static_cast<ContentParent*>(aActor)->KillHard("AssertAppPrincipal");
|
|
return false;
|
|
}
|
|
|
|
uint32_t principalAppId = aPrincipal->GetAppId();
|
|
bool inBrowserElement = aPrincipal->GetIsInBrowserElement();
|
|
|
|
// Check if the permission's appId matches a child we manage.
|
|
nsTArray<TabContext> contextArray =
|
|
static_cast<ContentParent*>(aActor)->GetManagedTabContext();
|
|
for (uint32_t i = 0; i < contextArray.Length(); ++i) {
|
|
if (contextArray[i].OwnOrContainingAppId() == principalAppId) {
|
|
// If the child only runs inBrowserElement content and the principal claims
|
|
// it's not in a browser element, it's lying.
|
|
if (!contextArray[i].IsBrowserElement() || inBrowserElement) {
|
|
return true;
|
|
}
|
|
break;
|
|
}
|
|
}
|
|
|
|
NS_WARNING("Principal is invalid, killing app process");
|
|
static_cast<ContentParent*>(aActor)->KillHard("AssertAppPrincipal");
|
|
return false;
|
|
}
|
|
|
|
already_AddRefed<nsIPrincipal>
|
|
GetAppPrincipal(uint32_t aAppId)
|
|
{
|
|
nsCOMPtr<nsIAppsService> appsService = do_GetService(APPS_SERVICE_CONTRACTID);
|
|
|
|
nsCOMPtr<mozIApplication> app;
|
|
nsresult rv = appsService->GetAppByLocalId(aAppId, getter_AddRefs(app));
|
|
NS_ENSURE_SUCCESS(rv, nullptr);
|
|
|
|
nsCOMPtr<nsIPrincipal> principal;
|
|
app->GetPrincipal(getter_AddRefs(principal));
|
|
|
|
return principal.forget();
|
|
}
|
|
|
|
uint32_t
|
|
CheckPermission(PContentParent* aActor,
|
|
nsIPrincipal* aPrincipal,
|
|
const char* aPermission)
|
|
{
|
|
if (!AssertAppPrincipal(aActor, aPrincipal)) {
|
|
return nsIPermissionManager::DENY_ACTION;
|
|
}
|
|
|
|
nsCOMPtr<nsIPermissionManager> pm =
|
|
services::GetPermissionManager();
|
|
NS_ENSURE_TRUE(pm, nsIPermissionManager::DENY_ACTION);
|
|
|
|
// Make sure that `aPermission' is an app permission before checking the origin.
|
|
nsCOMPtr<nsIPrincipal> appPrincipal = GetAppPrincipal(aPrincipal->GetAppId());
|
|
uint32_t appPerm = nsIPermissionManager::UNKNOWN_ACTION;
|
|
nsresult rv = pm->TestExactPermissionFromPrincipal(appPrincipal, aPermission, &appPerm);
|
|
NS_ENSURE_SUCCESS(rv, nsIPermissionManager::UNKNOWN_ACTION);
|
|
// Setting to "deny" in the settings UI should deny everywhere.
|
|
if (appPerm == nsIPermissionManager::UNKNOWN_ACTION ||
|
|
appPerm == nsIPermissionManager::DENY_ACTION) {
|
|
return appPerm;
|
|
}
|
|
|
|
uint32_t permission = nsIPermissionManager::UNKNOWN_ACTION;
|
|
rv = pm->TestExactPermissionFromPrincipal(aPrincipal, aPermission, &permission);
|
|
NS_ENSURE_SUCCESS(rv, nsIPermissionManager::UNKNOWN_ACTION);
|
|
if (permission == nsIPermissionManager::UNKNOWN_ACTION ||
|
|
permission == nsIPermissionManager::DENY_ACTION) {
|
|
return permission;
|
|
}
|
|
|
|
// For browser content (and if the app hasn't explicitly denied this),
|
|
// consider the requesting origin, not the app.
|
|
if (appPerm == nsIPermissionManager::PROMPT_ACTION &&
|
|
aPrincipal->GetIsInBrowserElement()) {
|
|
return permission;
|
|
}
|
|
|
|
// Setting to "prompt" in the settings UI should prompt everywhere in
|
|
// non-browser content.
|
|
if (appPerm == nsIPermissionManager::PROMPT_ACTION ||
|
|
permission == nsIPermissionManager::PROMPT_ACTION) {
|
|
return nsIPermissionManager::PROMPT_ACTION;
|
|
}
|
|
|
|
if (appPerm == nsIPermissionManager::ALLOW_ACTION ||
|
|
permission == nsIPermissionManager::ALLOW_ACTION) {
|
|
return nsIPermissionManager::ALLOW_ACTION;
|
|
}
|
|
|
|
NS_RUNTIMEABORT("Invalid permission value");
|
|
return nsIPermissionManager::DENY_ACTION;
|
|
}
|
|
|
|
#else
|
|
|
|
bool
|
|
AssertAppProcess(mozilla::dom::PBrowserParent* aActor,
|
|
AssertAppProcessType aType,
|
|
const char* aCapability)
|
|
{
|
|
return true;
|
|
}
|
|
|
|
bool
|
|
AssertAppStatus(mozilla::dom::PBrowserParent* aActor,
|
|
unsigned short aStatus)
|
|
{
|
|
return true;
|
|
}
|
|
|
|
bool
|
|
AssertAppProcess(const mozilla::dom::TabContext& aContext,
|
|
AssertAppProcessType aType,
|
|
const char* aCapability)
|
|
{
|
|
return true;
|
|
}
|
|
|
|
bool
|
|
AssertAppStatus(const mozilla::dom::TabContext& aContext,
|
|
unsigned short aStatus)
|
|
{
|
|
return true;
|
|
}
|
|
|
|
|
|
bool
|
|
AssertAppProcess(mozilla::dom::PContentParent* aActor,
|
|
AssertAppProcessType aType,
|
|
const char* aCapability)
|
|
{
|
|
return true;
|
|
}
|
|
|
|
bool
|
|
AssertAppStatus(mozilla::dom::PContentParent* aActor,
|
|
unsigned short aStatus)
|
|
{
|
|
return true;
|
|
}
|
|
|
|
bool
|
|
AssertAppProcess(mozilla::hal_sandbox::PHalParent* aActor,
|
|
AssertAppProcessType aType,
|
|
const char* aCapability)
|
|
{
|
|
return true;
|
|
}
|
|
|
|
bool
|
|
AssertAppPrincipal(mozilla::dom::PContentParent* aActor,
|
|
nsIPrincipal* aPrincipal)
|
|
{
|
|
return true;
|
|
}
|
|
|
|
uint32_t
|
|
CheckPermission(mozilla::dom::PContentParent* aActor,
|
|
nsIPrincipal* aPrincipal,
|
|
const char* aPermission)
|
|
{
|
|
return nsIPermissionManager::ALLOW_ACTION;
|
|
}
|
|
|
|
#endif
|
|
|
|
} // namespace mozilla
|