Bug 1408497 - Disallow inotify in sandboxed content processes. r=gcp
authorJed Davis <jld@mozilla.com>
Wed, 25 Oct 2017 13:35:47 -0600
changeset 439291 4381412e49e32985fa68868c30134fa70102e8a4
parent 439290 83296a355dd49b2822a52b08d0df89e029ea56bc
child 439292 bb08f6cf8f67ae58adf767e9a7253655cb59c1c3
push id8114
push userjlorenzo@mozilla.com
push dateThu, 02 Nov 2017 16:33:21 +0000
reviewersgcp
bugs1408497
milestone58.0a1
Bug 1408497 - Disallow inotify in sandboxed content processes. r=gcp MozReview-Commit-ID: nKyIvMNQAt
security/sandbox/linux/SandboxFilter.cpp
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -784,19 +784,16 @@ public:
 
       // Rust's stdlib seems to use FIOCLEX instead of equivalent fcntls.
       return If(request == FIOCLEX, Allow())
         // Rust's stdlib also uses FIONBIO instead of equivalent fcntls.
         .ElseIf(request == FIONBIO, Allow())
         // ffmpeg, and anything else that calls isatty(), will be told
         // that nothing is a typewriter:
         .ElseIf(request == TCGETS, Error(ENOTTY))
-        // Bug 1408498: libgio uses FIONREAD on inotify fds.
-        // (We should stop using inotify: bug 1408497.)
-        .ElseIf(request == FIONREAD, Allow())
         // Allow anything that isn't a tty ioctl, for now; bug 1302711
         // will cover changing this to a default-deny policy.
         .ElseIf(shifted_type != kTtyIoctls, Allow())
         .Else(SandboxPolicyCommon::EvaluateSyscall(sysno));
     }
 #endif // !MOZ_ALSA
 
     CASES_FOR_fcntl: {
@@ -915,21 +912,24 @@ public:
     case __NR_wait4:
 #ifdef __NR_waitpid
     case __NR_waitpid:
 #endif
       // NSPR will start a thread to wait for child processes even if
       // fork() fails; see bug 227246 and bug 1299581.
       return Error(ECHILD);
 
-    case __NR_eventfd2:
+      // inotify_{add,rm}_watch take filesystem paths.  Pretend the
+      // kernel doesn't support inotify; note that this could make
+      // libgio attempt network connections for FAM.
     case __NR_inotify_init:
     case __NR_inotify_init1:
-    case __NR_inotify_add_watch:
-    case __NR_inotify_rm_watch:
+      return Error(ENOSYS);
+
+    case __NR_eventfd2:
       return Allow();
 
 #ifdef __NR_memfd_create
     case __NR_memfd_create:
       return Allow();
 #endif
 
 #ifdef __NR_rt_tgsigqueueinfo
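Review bot: In the second hunk the new comment says the policy "pretends the kernel doesn't support inotify", but only `__NR_inotify_init` and `__NR_inotify_init1` return `Error(ENOSYS)`; `__NR_inotify_add_watch` and `__NR_inotify_rm_watch` are simply dropped from the switch, so they now get whatever the default for unlisted syscalls is, which this hunk does not show and which presumably is stricter than an errno. A caller that somehow reaches those syscalls (e.g. on a stale or forged fd) would therefore see a different outcome than "unsupported", which is also the outcome a defender would want to be deliberate rather than implicit; either keep the two cases listed under the same `return Error(ENOSYS);`, or extend the comment with `// add_watch/rm_watch are intentionally unlisted so they hit the default policy for unknown syscalls.` so the asymmetry is documented. The first hunk's removal of the `FIONREAD` allow is consistent with this, assuming no other fd type in content processes relies on it, but a one-line comment noting that `FIONREAD` now falls to the tty-ioctl default would help the next reader. The enclosing `EvaluateSyscall` switch starts and ends outside both hunks.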