Bug 1409895 - Deny getcwd in the Linux content process sandbox. r=gcp
authorJed Davis <jld@mozilla.com>
Mon, 20 Nov 2017 10:47:54 -0700
changeset 447508 3b11a0bf7ae7a7fe0ed508583cf07441b68bab78
parent 447507 519d3e54fda0c023745e644598170afe477d853b
child 447509 57736bb879c17404377b716c95cbd3b7c455b40f
push id8527
push userCallek@gmail.com
push dateThu, 11 Jan 2018 21:05:50 +0000
reviewersgcp
bugs1409895
milestone59.0a1
Bug 1409895 - Deny getcwd in the Linux content process sandbox. r=gcp getcwd won't do anything useful once we start chroot()ing to remove filesystem access; with this patch it will at least fail the same way regardless of whether user namespaces are available or if other factors prevent complete FS isolation. Bonus fix: improve the comments for this group of syscalls. MozReview-Commit-ID: KueZzly2mlO
security/sandbox/linux/SandboxFilter.cpp
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -727,23 +727,25 @@ public:
     switch (sysno) {
 #ifdef DESKTOP
     case __NR_getppid:
       return Trap(GetPPidTrap, nullptr);
 
     CASES_FOR_statfs:
       return Trap(StatFsTrap, nullptr);
 
-      // Filesystem syscalls that need more work to determine who's
-      // using them, if they need to be, and what we intend to about it.
+      // GTK's theme parsing tries to getcwd() while sandboxed, but
+      // only during Talos runs.
     case __NR_getcwd:
-    CASES_FOR_fstatfs:
-    CASES_FOR_fchown:
-    case __NR_fchmod:
-    case __NR_flock:
+      return Error(ENOENT);
+
+    CASES_FOR_fstatfs: // fontconfig, pulseaudio, GIO (see also statfs)
+    CASES_FOR_fchown: // pulseaudio
+    case __NR_fchmod: // pulseaudio
+    case __NR_flock: // graphics
       return Allow();
 
       // Bug 1354731: proprietary GL drivers try to mknod() their devices
     case __NR_mknod: {
       Arg<mode_t> mode(1);
       return If((mode & S_IFMT) == S_IFCHR, Error(EPERM))
         .Else(InvalidSyscall());
     }
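Review bot: The policy rationale for the new `return Error(ENOENT);` under `case __NR_getcwd:` lives only in the commit message; the comment added above the case names the caller (GTK theme parsing during Talos) but not why the call is refused, nor why ENOENT was chosen over EPERM. Suggest extending that comment along the lines of `// Denied: once the process is chroot()ed away from the filesystem getcwd() can return nothing useful, so fail the same way regardless of user-namespace support; ENOENT is what getcwd(2) reports for an unlinked cwd.` The trailing per-case attributions on the CASES_FOR_fstatfs/fchown/fchmod/flock lines are a good pattern, and the getcwd case would read consistently with a similar "why" note. The enclosing switch and its member function begin before and continue after this hunk.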