Commit ebca1dfd authored by Jed Davis's avatar Jed Davis Committed by Georg Koppen

Bug 1286865 - Step 0: Turn off crash-on-seccomp-fail by default on non-nightly. r=gcp

MozReview-Commit-ID: 1It6HNizbAc

--HG--
extra : rebase_source : 1e96f11904abf2c38c5b4e50de7609ddc86cdd8a
parent b7d9f546
+26 −6
@@ -73,6 +73,8 @@ int gSeccompTsyncBroadcastSignum = 0;

namespace mozilla {

static bool gSandboxCrashOnError = false;

// This is initialized by SandboxSetCrashFunc().
SandboxCrashFunc gSandboxCrashFunc;

@@ -148,16 +150,19 @@ SigSysHandler(int nr, siginfo_t *info, void *void_context)
  // TODO, someday when this is enabled on MIPS: include the two extra
  // args in the error message.
  SANDBOX_LOG_ERROR("seccomp sandbox violation: pid %d, syscall %d,"
                    " args %d %d %d %d %d %d.  Killing process.",
                    " args %d %d %d %d %d %d.%s",
                    pid, syscall_nr,
                    args[0], args[1], args[2], args[3], args[4], args[5]);
                    args[0], args[1], args[2], args[3], args[4], args[5],
                    gSandboxCrashOnError ? "  Killing process." : "");

  if (gSandboxCrashOnError) {
    // Bug 1017393: record syscall number somewhere useful.
    info->si_addr = reinterpret_cast<void*>(syscall_nr);

    gSandboxCrashFunc(nr, info, &savedCtx);
    _exit(127);
  }
}

/**
 * This function installs the SIGSYS handler.  This is slightly
@@ -515,6 +520,21 @@ SandboxEarlyInit(GeckoProcessType aType)
  }
  MOZ_RELEASE_ASSERT(IsSingleThreaded());

  // Set gSandboxCrashOnError if appropriate.  This doesn't need to
  // happen this early, but for now it's here so that I don't need to
  // add NSPR dependencies for PR_GetEnv.
  //
  // This also means that users with "unexpected threads" setups won't
  // crash even on nightly.
#ifdef NIGHTLY_BUILD
  gSandboxCrashOnError = true;
#endif
  if (const char* envVar = getenv("MOZ_SANDBOX_CRASH_ON_ERROR")) {
    if (envVar[0]) {
      gSandboxCrashOnError = envVar[0] != '0';
    }
  }

  // Which kinds of resource isolation (of those that need to be set
  // up at this point) can be used by this process?
  bool canChroot = false;
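Review bot: The environment override at the end of this hunk only looks at the first character, so `MOZ_SANDBOX_CRASH_ON_ERROR=false` (or `no`, `off`) turns crash-on-error on rather than off, the opposite of what someone setting it would expect; either restrict it to `0`/`1` or document it next to the getenv, e.g. `// Any non-empty value enables crash-on-error unless it starts with '0'; "false"/"no" are NOT treated as off.` With the flag off a violation is now only logged and SigSysHandler returns, so what the sandboxed code observes depends on the syscall return value the handler leaves in the context, which is set outside this hunk (presumably -ENOSYS, to be confirmed) and deserves a one-line comment beside the `#ifdef NIGHTLY_BUILD` default so readers know what "not crashing" means in practice. Since a non-crashing process can hit the same blocked syscall repeatedly, it is also worth noting whether SANDBOX_LOG_ERROR is rate-limited. The enclosing SandboxEarlyInit begins and ends outside the hunk.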