SandboxUtils.sys.mjs (4324B)
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

import { AppConstants } from "resource://gre/modules/AppConstants.sys.mjs";

/**
 * Helpers that surface sandbox-related warnings in a browser window's
 * notification box.
 */
export var SandboxUtils = {
  // Latched to true the first time the effective content sandbox level is
  // observed to be 0. Nothing in this object ever resets it, so the warning
  // keeps being shown in windows checked after that point.
  _sandboxDisabledThisSession: false,

  /**
   * Show a notification bar if the user is running without unprivileged
   * user namespaces.
   *
   * The bar is skipped when the platform is not Linux, when the build is a
   * packaged app, when the warning pref is false, or when user namespaces
   * are reported as available.
   *
   * @param {Window} aWindow
   *   The window where the notification will be displayed.
   */
  maybeWarnAboutMissingUserNamespaces:
    function SU_maybeWarnAboutMissingUserNamespaces(aWindow) {
      if (AppConstants.platform !== "linux") {
        return;
      }

      // "Packaged App" covers Flatpak, Snap and distribution packages
      // (e.g., Debian). On Flatpak the warning would be incorrect because
      // of the existing Flatpak isolation (see Bug 1882881); for Snap and
      // Debian packages it would be irrelevant as well.
      if (Services.sysinfo.getPropertyAsBool("isPackagedApp")) {
        return;
      }

      // The user can opt out of the warning; the dismiss button below
      // writes false to this same pref.
      const warnPrefName = "security.sandbox.warn_unprivileged_namespaces";
      if (!Services.prefs.getBoolPref(warnPrefName)) {
        return;
      }

      // Nothing to warn about when unprivileged user namespaces exist.
      if (Services.sysinfo.getPropertyAsBool("hasUserNamespaces")) {
        return;
      }

      const notificationBox = aWindow.gNotificationBox;
      // Make sure the localized strings are loaded in the document that
      // hosts the notification box before using their l10n ids.
      notificationBox.stack.ownerGlobal.MozXULElement.insertFTLIfNeeded(
        "toolkit/updates/elevation.ftl"
      );

      const howToFixButton = {
        supportPage: "linux-security-warning",
        "l10n-id": "sandbox-unprivileged-namespaces-howtofix",
      };
      const dismissButton = {
        "l10n-id": "sandbox-unprivileged-namespaces-dismiss-button",
        callback: () => {
          // Persistent opt-out: once the pref is false, the pref check
          // above returns early on every later call.
          Services.prefs.setBoolPref(warnPrefName, false);
        },
      };

      notificationBox.appendNotification(
        "sandbox-unprivileged-namespaces",
        {
          label: { "l10n-id": "sandbox-missing-unprivileged-namespaces" },
          priority: notificationBox.PRIORITY_WARNING_HIGH,
        },
        [howToFixButton, dismissButton]
      );
    },

  /**
   * Show a warning if the content sandbox is disabled.
   *
   * The check uses the effective content sandbox level reported by the
   * sandbox settings service. Once a level of 0 has been seen, the warning
   * is shown in every window passed here for the rest of the session, even
   * if the level is raised again afterwards.
   *
   * @param {Window} aWindow
   *   The window where the notification will be displayed.
   */
  maybeWarnAboutDisabledContentSandbox(aWindow) {
    const settings = Cc["@mozilla.org/sandbox/sandbox-settings;1"].getService(
      Ci.mozISandboxSettings
    );

    if (settings.effectiveContentSandboxLevel === 0) {
      this._sandboxDisabledThisSession = true;
    }

    // Return early only if the sandbox was never seen disabled.
    if (!this._sandboxDisabledThisSession) {
      return;
    }

    const notificationBox = aWindow.gNotificationBox;
    // Avoid stacking a second bar in a window that already shows one.
    if (notificationBox.getNotificationWithValue("sandbox-content-disabled")) {
      return;
    }

    notificationBox.stack.ownerGlobal.MozXULElement.insertFTLIfNeeded(
      "toolkit/updates/elevation.ftl"
    );

    // No buttons are offered for this warning.
    // NOTE(review): the two trailing `false` arguments are positional
    // options whose meaning is defined by the notification box
    // implementation, which is not visible here - confirm they keep the
    // bar from being dismissed, if that is the intent.
    notificationBox.appendNotification(
      "sandbox-content-disabled",
      {
        label: { "l10n-id": "sandbox-content-disabled-warning" },
        priority: notificationBox.PRIORITY_WARNING_HIGH,
      },
      [],
      false,
      false
    );
  },

  /**
   * Watch the content sandbox level pref and warn in every open browser
   * window the first time it reads 0.
   *
   * The pref value is only the trigger: the warning routine re-reads the
   * effective level itself before latching the session flag. The observer
   * unregisters itself after the first change to 0; changes to any other
   * value leave it registered.
   */
  observeContentSandboxPref() {
    const kContentLevelPref = "security.sandbox.content.level";

    const prefObserver = {
      observe() {
        // -1 is the fallback when the pref cannot be read, so it never
        // matches the "disabled" value.
        if (Services.prefs.getIntPref(kContentLevelPref, -1) !== 0) {
          return;
        }

        for (const win of Services.wm.getEnumerator("navigator:browser")) {
          SandboxUtils.maybeWarnAboutDisabledContentSandbox(win);
        }

        // One-shot: the session flag handles windows checked afterwards.
        Services.prefs.removeObserver(kContentLevelPref, prefObserver);
      },
    };

    Services.prefs.addObserver(kContentLevelPref, prefObserver);
  },
};