Backed out 3 changesets (bug 1383007, bug 1376910)
authorJed Davis <jld@mozilla.com>
Wed, 26 Jul 2017 12:50:28 -0600
changeset 420039 1efacc8c49ba68b524de18c6b30153cb78e524d2
parent 420038 6eea5fcd952669d07f9154e64ab3887ded8d8af8
child 420040 92d9a593abdad1174fe96840233ebd6bca1bc1e7
push id7566
push usermtabara@mozilla.com
push dateWed, 02 Aug 2017 08:25:16 +0000
bugs1383007, 1376910
milestone56.0a1
backs out394b3d22db1988839462c9832f4ef309aef556a1
17e2e2aa8f56546d6749d41266af06b7390df7db
d11cd5c3fc6f5e1ec439e6d15e3f911f3e967e3c
Backed out 3 changesets (bug 1383007, bug 1376910) Backed out changeset 394b3d22db19 (bug 1383007) Backed out changeset 17e2e2aa8f56 (bug 1376910) Backed out changeset d11cd5c3fc6f (bug 1376910)
security/sandbox/linux/Sandbox.cpp
security/sandbox/linux/SandboxFilter.cpp
--- a/security/sandbox/linux/Sandbox.cpp
+++ b/security/sandbox/linux/Sandbox.cpp
@@ -560,40 +560,29 @@ SandboxEarlyInit(GeckoProcessType aType)
   bool canChroot = false;
   bool canUnshareNet = false;
   bool canUnshareIPC = false;
 
   switch (aType) {
   case GeckoProcessType_Default:
     MOZ_ASSERT(false, "SandboxEarlyInit in parent process");
     return;
-
 #ifdef MOZ_GMP_SANDBOX
   case GeckoProcessType_GMPlugin:
     if (!info.Test(SandboxInfo::kEnabledForMedia)) {
       break;
     }
     canUnshareNet = true;
     canUnshareIPC = true;
     // Need seccomp-bpf to intercept open().
     canChroot = info.Test(SandboxInfo::kHasSeccompBPF);
     break;
 #endif
-
-#ifdef MOZ_CONTENT_SANDBOX
-  case GeckoProcessType_Content:
-    if (!info.Test(SandboxInfo::kEnabledForContent)) {
-      break;
-    }
-#ifndef MOZ_ALSA
-    canUnshareIPC = true;
-#endif
-    break;
-#endif
-
+    // In the future, content processes will be able to use some of
+    // these.
   default:
     // Other cases intentionally left blank.
     break;
   }
 
   // If TSYNC is not supported, set up signal handler
   // used to enable seccomp on each thread.
   if (!info.Test(SandboxInfo::kHasSeccompTSync)) {
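Review bot: The restored comment `// In the future, content processes will be able to use some of these.` sits between the `#endif` and the `default:` label, so it reads as a dangling remark rather than as part of the case it describes, while the `default:` body already carries `// Other cases intentionally left blank.`. Folding the two into one comment under `default:` makes the intent (content processes deliberately get no unshare/chroot here yet) visible in one place, e.g. `// Other cases intentionally left blank; content processes may be able to use some of these in the future.`. SandboxEarlyInit starts before this hunk and continues past it.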
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -563,24 +563,29 @@ public:
     default:
       return SandboxPolicyCommon::EvaluateSocketCall(aCall);
     }
   }
 
 #ifdef DESKTOP
   Maybe<ResultExpr> EvaluateIpcCall(int aCall) const override {
     switch(aCall) {
-      // SysV IPC is a problem: it follows the Unix "same uid policy"
-      // and can't be restricted/brokered like file access.
-#ifdef MOZ_ALSA
+      // These are a problem: SysV shared memory follows the Unix
+      // "same uid policy" and can't be restricted/brokered like file
+      // access.  But the graphics layer might not be using them
+      // anymore; this needs to be studied.
+    case SHMGET:
+    case SHMCTL:
+    case SHMAT:
+    case SHMDT:
     case SEMGET:
     case SEMCTL:
     case SEMOP:
+    case MSGGET:
       return Some(Allow());
-#endif
     default:
       return SandboxPolicyCommon::EvaluateIpcCall(aCall);
     }
   }
 #endif
 
   ResultExpr EvaluateSyscall(int sysno) const override {
     // Straight allow for anything that got overriden via prefs
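Review bot: The restored allow-list in EvaluateIpcCall admits SHMGET/SHMCTL/SHMAT/SHMDT, SEM*, and MSGGET unconditionally on DESKTOP, and the accompanying comment says this "needs to be studied" without pointing at where that study is tracked; since the commit message ties the backout to bugs 1383007 and 1376910, the comment should name the relevant tracking bug so the broadened SysV IPC surface is not left as an unowned TODO, e.g. `// ... anymore; this needs to be studied (see bug <tracking bug from the commit message>).`. Which of the two listed bugs owns this follow-up is not visible from the diff alone, so the author should pick the right one. EvaluateIpcCall is fully contained in this hunk; the trailing context lines belong to EvaluateSyscall, which continues outside it.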