Bug 1273852 - Always add seccomp-bpf socketcall dispatcher. r=jld draft
authorGian-Carlo Pascutto <gcp@mozilla.com>
Wed, 29 Jun 2016 20:34:40 +0200
changeset 382479 afb33482cf279349d8fbcfab8880c146ddb9be70
parent 382391 b69a5bbb5e40bd426e35222baa600b481e50d265
child 382480 2b42bfb6d85ffb7c35ad971b544a757ebf313421
push id21732
push usergpascutto@mozilla.com
push dateWed, 29 Jun 2016 18:36:30 +0000
reviewersjld
bugs1273852
milestone50.0a1
Bug 1273852 - Always add seccomp-bpf socketcall dispatcher. r=jld For 32-bit Linux 4.3+, always add socketcall dispatcher even if relevant syscalls are known, because both entry points will exist. See Linux kernel commit: commit 9dea5dc921b5f4045a18c63eb92e84dc274d17eb Author: Andy Lutomirski <luto@kernel.org> Date: Tue Jul 14 15:24:24 2015 -0700 x86/entry/syscalls: Wire up 32-bit direct socket calls MozReview-Commit-ID: I3GEvolGfsR
security/sandbox/linux/SandboxFilterUtil.cpp
--- a/security/sandbox/linux/SandboxFilterUtil.cpp
+++ b/security/sandbox/linux/SandboxFilterUtil.cpp
@@ -57,25 +57,28 @@ SandboxPolicyBase::EvaluateSyscall(int a
         // Optimize out cases that are equal to the default.
         if (thisCase) {
           acc.reset(new Caser<int>(acc->Case(i, *thisCase)));
         }
       }
       return acc->Default(InvalidSyscall());
     }
 #endif // ANDROID
-#else // __NR_socketcall
-#define DISPATCH_SOCKETCALL(sysnum, socketnum)         \
-    case sysnum:                                       \
+#endif // __NR_socketcall
+#define DISPATCH_SOCKETCALL(sysnum, socketnum)                       \
+    case sysnum:                                                     \
       return EvaluateSocketCall(socketnum).valueOr(InvalidSyscall())
+#ifdef __NR_socket
       DISPATCH_SOCKETCALL(__NR_socket,      SYS_SOCKET);
       DISPATCH_SOCKETCALL(__NR_bind,        SYS_BIND);
       DISPATCH_SOCKETCALL(__NR_connect,     SYS_CONNECT);
       DISPATCH_SOCKETCALL(__NR_listen,      SYS_LISTEN);
+#ifdef __NR_accept
       DISPATCH_SOCKETCALL(__NR_accept,      SYS_ACCEPT);
+#endif
       DISPATCH_SOCKETCALL(__NR_getsockname, SYS_GETSOCKNAME);
       DISPATCH_SOCKETCALL(__NR_getpeername, SYS_GETPEERNAME);
       DISPATCH_SOCKETCALL(__NR_socketpair,  SYS_SOCKETPAIR);
 #ifdef __NR_send
       DISPATCH_SOCKETCALL(__NR_send,        SYS_SEND);
       DISPATCH_SOCKETCALL(__NR_recv,        SYS_RECV);
 #endif // __NR_send
       DISPATCH_SOCKETCALL(__NR_sendto,      SYS_SENDTO);
@@ -83,17 +86,19 @@ SandboxPolicyBase::EvaluateSyscall(int a
       DISPATCH_SOCKETCALL(__NR_shutdown,    SYS_SHUTDOWN);
       DISPATCH_SOCKETCALL(__NR_setsockopt,  SYS_SETSOCKOPT);
       DISPATCH_SOCKETCALL(__NR_getsockopt,  SYS_GETSOCKOPT);
       DISPATCH_SOCKETCALL(__NR_sendmsg,     SYS_SENDMSG);
       DISPATCH_SOCKETCALL(__NR_recvmsg,     SYS_RECVMSG);
       DISPATCH_SOCKETCALL(__NR_accept4,     SYS_ACCEPT4);
       DISPATCH_SOCKETCALL(__NR_recvmmsg,    SYS_RECVMMSG);
       DISPATCH_SOCKETCALL(__NR_sendmmsg,    SYS_SENDMMSG);
+#endif // __NR_socket
 #undef DISPATCH_SOCKETCALL
+#ifndef __NR_socketcall
 #ifndef ANDROID
 #define DISPATCH_SYSVCALL(sysnum, ipcnum)         \
     case sysnum:                                  \
       return EvaluateIpcCall(ipcnum).valueOr(InvalidSyscall())
       DISPATCH_SYSVCALL(__NR_semop,       SEMOP);
       DISPATCH_SYSVCALL(__NR_semget,      SEMGET);
       DISPATCH_SYSVCALL(__NR_semctl,      SEMCTL);
       DISPATCH_SYSVCALL(__NR_semtimedop,  SEMTIMEDOP);