Bug 1320085 - Allow the getrlimit-equivalent subset of prlimit64. r=tedd
authorJed Davis <jld@mozilla.com>
Mon, 28 Nov 2016 12:05:28 -0700
changeset 324761 c021b68fc7dfbc9890e225db9d98e4763d7f08b6
parent 324760 7eab0a7c766e258f2849edf6b8666727354a2968
child 324762 7ad3151a0a797b2230a45483c1adabf4d896405b
push id31016
push userkwierso@gmail.com
push dateWed, 30 Nov 2016 20:53:00 +0000
treeherdermozilla-central@8f1e42069983 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstedd
bugs1320085
milestone53.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1320085 - Allow the getrlimit-equivalent subset of prlimit64. r=tedd This applies only to content processes, where we already allow getrlimit (but not setrlimit). The rule added here does not allow using prlimit64 to set any resource limits or interact with any other process. MozReview-Commit-ID: nMry3t6QPj
security/sandbox/linux/SandboxFilter.cpp
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -711,16 +711,28 @@ public:
       return Allow();
 
     CASES_FOR_getrlimit:
     case __NR_clock_getres:
     CASES_FOR_getresuid:
     CASES_FOR_getresgid:
       return Allow();
 
+    case __NR_prlimit64: {
+      // Allow only the getrlimit() use case.  (glibc seems to use
+      // only pid 0 to indicate the current process; pid == getpid()
+      // is equivalent and could also be allowed if needed.)
+      Arg<pid_t> pid(0);
+      // This is really a const struct ::rlimit*, but Arg<> doesn't
+      // work with pointers, only integer types.
+      Arg<uintptr_t> new_limit(2);
+      return If(AllOf(pid == 0, new_limit == 0), Allow())
+        .Else(InvalidSyscall());
+    }
+
     case __NR_umask:
     case __NR_kill:
     case __NR_wait4:
 #ifdef __NR_waitpid
     case __NR_waitpid:
 #endif
 #ifdef __NR_arch_prctl
     case __NR_arch_prctl: