Bug 1358647 - Disallow bind/listen/accept for Linux content processes. r=gcp
authorJed Davis <jld@mozilla.com>
Tue, 25 Apr 2017 19:29:32 -0600
changeset 355254 c1339155e30164c191881948a06c8906d8c13f57
parent 355253 f175826d91892402ffb6ac1510eee1baef87344c
child 355255 f9673e8aff0e179a75624485e2141d11d71a865e
push id41628
push userjedavis@mozilla.com
push dateThu, 27 Apr 2017 14:55:45 +0000
treeherderautoland@c1339155e301 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersgcp
bugs1358647
milestone55.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1358647 - Disallow bind/listen/accept for Linux content processes. r=gcp MozReview-Commit-ID: Cz9MKxOJnsS
security/sandbox/linux/SandboxFilter.cpp
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -533,20 +533,16 @@ public:
 #ifdef ANDROID
     case SYS_SOCKET:
       return Some(Error(EACCES));
 #else // #ifdef DESKTOP
     case SYS_RECV:
     case SYS_SEND:
     case SYS_SOCKET: // DANGEROUS
     case SYS_CONNECT: // DANGEROUS
-    case SYS_ACCEPT:
-    case SYS_ACCEPT4:
-    case SYS_BIND:
-    case SYS_LISTEN:
     case SYS_GETSOCKOPT:
     case SYS_SETSOCKOPT:
     case SYS_GETSOCKNAME:
     case SYS_GETPEERNAME:
     case SYS_SHUTDOWN:
       return Some(Allow());
 #endif
     default: