Bug 920372 - Fix socketcall whitelisting on i386. r=kang
authorJed Davis <jld@mozilla.com>
Tue, 20 May 2014 18:38:14 -0700
changeset 184044 179363be564197fc8907d08823bd06609257ece4
parent 184043 2adbb2797d8b4add9ad4db27090d7f6b26d6a3ee
child 184045 0e9ed96596b14b99a692d1b8415fb68b11d42abc
push id26810
push usercbook@mozilla.com
push dateWed, 21 May 2014 11:46:36 +0000
reviewerskang
bugs920372
milestone32.0a1
Bug 920372 - Fix socketcall whitelisting on i386. r=kang
security/sandbox/linux/SandboxFilter.cpp
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -10,16 +10,17 @@
 #include "linux_seccomp.h"
 #include "linux_syscalls.h"
 
 #include "mozilla/ArrayUtils.h"
 #include "mozilla/NullPtr.h"
 
 #include <errno.h>
 #include <unistd.h>
+#include <linux/net.h>
 
 namespace mozilla {
 
 class SandboxFilterImpl : public SandboxAssembler
 {
   void Build();
 public:
   SandboxFilterImpl() {
@@ -72,16 +73,24 @@ SandboxFilterImpl::Build() {
   // it; others (newer and/or 64-bit ones) didn't.  Adjust the
   // conditional as needed.
 #if SYSCALL_EXISTS(stat64)
 #define SYSCALL_LARGEFILE(plain, versioned) SYSCALL(versioned)
 #else
 #define SYSCALL_LARGEFILE(plain, versioned) SYSCALL(plain)
 #endif
 
+  // i386 multiplexes all the socket-related interfaces into a single
+  // syscall.
+#if SYSCALL_EXISTS(socketcall)
+#define SOCKETCALL(name, NAME) SYSCALL_WITH_ARG(socketcall, 0, SYS_##NAME)
+#else
+#define SOCKETCALL(name, NAME) SYSCALL(name)
+#endif
+
   /* Most used system calls should be at the top of the whitelist
    * for performance reasons. The whitelist BPF filter exits after
    * processing any ALLOW_SYSCALL macro.
    *
    * How are those syscalls found?
    * 1) via strace -p <child pid> or/and
    * 2) with MOZ_CONTENT_SANDBOX_REPORTER set, the child will report which system call
    *    has been denied by seccomp-bpf, just before exiting, via NSPR.
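Review bot: The SOCKETCALL macro introduced in this hunk can only filter the multiplexer's selector, because on socketcall architectures it expands to `SYSCALL_WITH_ARG(socketcall, 0, SYS_##NAME)` and inspects argument 0 alone; the real per-call arguments live in a user-space block reached through argument 1, which a BPF filter cannot dereference, so an argument-level rule that `SYSCALL_WITH_ARG(name, ...)` could express on the direct-syscall path has no equivalent through this macro. Each branch of the macro also uses only one of its two parameters (`name` in the `#else` branch, `NAME` in the socketcall branch), so a mismatched pair such as `SOCKETCALL(recvmsg, SENDMSG)` compiles on both architecture families and silently allows different operations on each. A comment at the definition should state both points, e.g. `// Only the selector (arg 0) is visible to BPF here; the real arguments sit in user memory behind arg 1. name/NAME must denote the same operation -- each branch uses only one of them.` Build() begins outside this hunk.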
@@ -90,24 +99,18 @@ SandboxFilterImpl::Build() {
    * or your libc's unistd.h/kernel headers.
    *
    * Current list order has been optimized through manual guess-work.
    * It could be further optimized by analyzing the output of:
    * 'strace -c -p <child pid>' for most used web apps.
    */
 
   Allow(SYSCALL(futex));
-  // FIXME, bug 920372: i386 multiplexes all the socket-related
-  // interfaces into a single syscall.  We should check the selector.
-#if SYSCALL_EXISTS(socketcall)
-  Allow(SYSCALL(socketcall));
-#else
-  Allow(SYSCALL(recvmsg));
-  Allow(SYSCALL(sendmsg));
-#endif
+  Allow(SOCKETCALL(recvmsg, RECVMSG));
+  Allow(SOCKETCALL(sendmsg, SENDMSG));
 
   // mmap2 is a little different from most off_t users, because it's
   // passed in a register (so it's a problem for even a "new" 32-bit
   // arch) -- and the workaround, mmap2, passes a page offset instead.
 #if SYSCALL_EXISTS(mmap2)
   Allow(SYSCALL(mmap2));
 #else
   Allow(SYSCALL(mmap));
@@ -177,21 +180,18 @@ SandboxFilterImpl::Build() {
   Allow(SYSCALL_LARGEFILE(fcntl, fcntl64));
 
   /* Must remove all of the following in the future, when no longer used */
   /* open() is for some legacy APIs such as font loading. */
   /* See bug 906996 for removing unlink(). */
   Allow(SYSCALL_LARGEFILE(fstat, fstat64));
   Allow(SYSCALL_LARGEFILE(stat, stat64));
   Allow(SYSCALL_LARGEFILE(lstat, lstat64));
-  // FIXME, bug 920372: see above.
-#if !SYSCALL_EXISTS(socketcall)
-  Allow(SYSCALL(socketpair));
-  Deny(EACCES, SYSCALL(socket));
-#endif
+  Allow(SOCKETCALL(socketpair, SOCKETPAIR));
+  Deny(EACCES, SOCKETCALL(socket, SOCKET));
   Allow(SYSCALL(open));
   Allow(SYSCALL(readlink)); /* Workaround for bug 964455 */
   Allow(SYSCALL(prctl));
   Allow(SYSCALL(access));
   Allow(SYSCALL(unlink));
   Allow(SYSCALL(fsync));
   Allow(SYSCALL(msync));
 
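Review bot: The `Deny(EACCES, SOCKETCALL(socket, SOCKET));` line now returns EACCES for the SYS_SOCKET selector on socketcall architectures, while any selector this file never lists (bind, connect, listen, accept and the rest) drops through to the filter's default action, which is defined outside this hunk and is presumably the reporter/kill path. That is the intended effect of dropping the blanket socketcall allow, but it reverses the old i386 behaviour and is easy to miss when reading only this line, so it deserves a comment: `// On socketcall archs this denies only the SYS_SOCKET selector; selectors not listed anywhere fall through to the default action.` The same applies to the SENDTO/RECVFROM entries in the MOZ_WIDGET_GONK hunk below. Build() starts and ends outside this hunk.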
@@ -208,20 +208,18 @@ SandboxFilterImpl::Build() {
   Allow(SYSCALL(rt_sigprocmask));
 
   // Used by profiler.  Also used for raise(), which causes problems
   // with Android KitKat abort(); see bug 1004832.
   Allow(SYSCALL_WITH_ARG(tgkill, 0, getpid()));
 
   /* B2G specific low-frequency syscalls */
 #ifdef MOZ_WIDGET_GONK
-#if !SYSCALL_EXISTS(socketcall)
-  Allow(SYSCALL(sendto));
-  Allow(SYSCALL(recvfrom));
-#endif
+  Allow(SOCKETCALL(sendto, SENDTO));
+  Allow(SOCKETCALL(recvfrom, RECVFROM));
   Allow(SYSCALL_LARGEFILE(getdents, getdents64));
   Allow(SYSCALL(epoll_ctl));
   Allow(SYSCALL(sched_yield));
   Allow(SYSCALL(sched_getscheduler));
   Allow(SYSCALL(sched_setscheduler));
   Allow(SYSCALL(sigaltstack));
 #endif