author | Jed Davis <jld@mozilla.com> |
Wed, 12 Apr 2017 18:41:20 -0600 | |
changeset 386472 | c006ddf45ea82e700275ebdd848eae34d3f67d85 |
parent 386471 | a55ef97febd996e5c602b0c7b89e17d8fefee056 |
child 386473 | fab13cda2355312461539ff089bedc32fb2cbdaf |
push id | 32694 |
push user | archaeopteryx@coole-files.de |
push date | Tue, 17 Oct 2017 09:43:13 +0000 |
treeherder | mozilla-central@3bd3448d9684 [default view] [failures only] |
perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
reviewers | gcp |
bugs | 1320834 |
milestone | 58.0a1 |
first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/security/sandbox/linux/SandboxFilter.cpp +++ b/security/sandbox/linux/SandboxFilter.cpp @@ -528,21 +528,16 @@ private: } public: explicit ContentSandboxPolicy(SandboxBrokerClient* aBroker, const std::vector<int>& aSyscallWhitelist) : mBroker(aBroker), mSyscallWhitelist(aSyscallWhitelist) {} ~ContentSandboxPolicy() override = default; - ResultExpr PrctlPolicy() const override { - // Ideally this should be restricted to a whitelist, but content - // uses enough things that it's not trivial to determine it. - return Allow(); - } Maybe<ResultExpr> EvaluateSocketCall(int aCall) const override { switch(aCall) { case SYS_RECVFROM: case SYS_SENDTO: case SYS_SENDMMSG: // libresolv via libasyncns; see bug 1355274 return Some(Allow()); case SYS_SOCKETPAIR: { @@ -840,21 +835,16 @@ public: case __NR_wait4: #ifdef __NR_waitpid case __NR_waitpid: #endif // NSPR will start a thread to wait for child processes even if // fork() fails; see bug 227246 and bug 1299581. return Error(ECHILD); -#ifdef __NR_arch_prctl - case __NR_arch_prctl: -#endif - return Allow(); - case __NR_eventfd2: case __NR_inotify_init: case __NR_inotify_init1: case __NR_inotify_add_watch: case __NR_inotify_rm_watch: return Allow(); #ifdef __NR_memfd_create