Bug 1575985 part 2 - Allow RW access to /dev/null in content sandbox r=gcp
authorshravanrn@gmail.com <shravanrn@gmail.com>
Mon, 30 Sep 2019 21:57:34 +0000
changeset 495906 eeaa7ecf70e3ffbcd4a1908d02982b2e5d6fc8a8
parent 495905 134999fb1885d55868a18682dd7334676a0c2082
child 495907 c539d3afc61d69c2fc5958ccc98a9e0c7156238f
push id114140
push userdvarga@mozilla.com
push dateWed, 02 Oct 2019 18:04:51 +0000
treeherdermozilla-inbound@32eb0ea893f3 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersgcp
bugs1575985
milestone71.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1575985 part 2 - Allow RW access to /dev/null in content sandbox r=gcp This is needed by lucet to run WASM sandboxed libraries. Differential Revision: https://phabricator.services.mozilla.com/D46108
security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -265,16 +265,19 @@ SandboxBrokerPolicyFactory::SandboxBroke
   // Write permssions
   //
   // Bug 1308851: NVIDIA proprietary driver when using WebGL
   policy->AddFilePrefix(rdwr, "/dev", "nvidia");
 
   // Bug 1312678: radeonsi/Intel with DRI when using WebGL
   policy->AddDir(rdwr, "/dev/dri");
 
+  // Bug 1575985: WASM library sandbox needs RW access to /dev/null
+  policy->AddPath(rdwr, "/dev/null");
+
   // Read permissions
   policy->AddPath(rdonly, "/dev/urandom");
   policy->AddPath(rdonly, "/proc/cpuinfo");
   policy->AddPath(rdonly, "/proc/meminfo");
   policy->AddDir(rdonly, "/sys/devices/cpu");
   policy->AddDir(rdonly, "/sys/devices/system/cpu");
   policy->AddDir(rdonly, "/lib");
   policy->AddDir(rdonly, "/lib64");