author | Alexandre Lissy <lissyx+mozillians@lissyx.dyndns.org> |
Wed, 09 Jun 2021 13:45:28 +0000 (2021-06-09) | |
changeset 582463 | ecb4011a0c76a1c7040054a44712e277f3dc24a1 |
parent 582462 | 9ec189804055442e5cc98d69dd01b71e90ed0cb5 |
child 582464 | 6db320536cbc6aeaa37ffc2b2e6f1dd8e2f774a1 |
push id | 144630 |
push user | alissy@mozilla.com |
push date | Wed, 09 Jun 2021 13:47:51 +0000 (2021-06-09) |
treeherder | autoland@ecb4011a0c76 [default view] [failures only] |
perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
reviewers | gcp |
bugs | 1715254 |
milestone | 91.0a1 |
first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/security/sandbox/linux/SandboxFilter.cpp +++ b/security/sandbox/linux/SandboxFilter.cpp @@ -853,16 +853,19 @@ class SandboxPolicyCommon : public Sandb // Yield case __NR_sched_yield: return Allow(); // Thread creation. case __NR_clone: return ClonePolicy(InvalidSyscall()); + case __NR_clone3: + return Error(ENOSYS); + // More thread creation. #ifdef __NR_set_robust_list case __NR_set_robust_list: return Allow(); #endif #ifdef ANDROID case __NR_set_tid_address: return Allow(); @@ -1499,16 +1502,19 @@ class ContentSandboxPolicy : public Sand // the child would inherit the seccomp-bpf policy and almost // certainly die from an unexpected SIGSYS. We also can't have // fork() crash, currently, because there are too many system // libraries/plugins that try to run commands. But they can // usually do something reasonable on error. case __NR_clone: return ClonePolicy(Error(EPERM)); + case __NR_clone3: + return Error(ENOSYS); + # ifdef __NR_fadvise64 case __NR_fadvise64: return Allow(); # endif # ifdef __NR_fadvise64_64 case __NR_fadvise64_64: return Allow();