Bug 1511560 - Move syscalls for adjusting memory mapping properties into SandboxPolicyCommon. r=gcp
authorJed Davis <jld@mozilla.com>
Sat, 23 Feb 2019 00:44:08 +0000
changeset 519401 bab79f85596242146787d6d2a5ad56596cc1343e
parent 519400 48431f63d84227177951f65c9c828548d9a8bbb2
child 519402 db2dee78ddb0dd23e29948258abd6c7404555b59
reviewersgcp
bugs1511560
milestone67.0a1
Bug 1511560 - Move syscalls for adjusting memory mapping properties into SandboxPolicyCommon. r=gcp madvise is used by our malloc (and probably others), and mprotect is used with shared memory, including when created by another process, so the common policy should include those rules. Depends on D14521 Differential Revision: https://phabricator.services.mozilla.com/D14522
security/sandbox/linux/SandboxFilter.cpp
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -442,17 +442,34 @@ class SandboxPolicyCommon : public Sandb
       CASES_FOR_lseek:
         return Allow();
 
         // Memory mapping
       CASES_FOR_mmap:
       case __NR_munmap:
         return Allow();
 
-        // Signal handling
+        // ipc::Shmem; also, glibc when creating threads:
+      case __NR_mprotect:
+        return Allow();
+
+        // madvise hints used by malloc; see bug 1303813 and bug 1364533
+      case __NR_madvise: {
+        Arg<int> advice(2);
+        return If(advice == MADV_DONTNEED, Allow())
+            .ElseIf(advice == MADV_FREE, Allow())
+            .ElseIf(advice == MADV_HUGEPAGE, Allow())
+            .ElseIf(advice == MADV_NOHUGEPAGE, Allow())
+#ifdef MOZ_ASAN
+            .ElseIf(advice == MADV_DONTDUMP, Allow())
+#endif
+            .Else(InvalidSyscall());
+      }
+
+      // Signal handling
 #if defined(ANDROID) || defined(MOZ_ASAN)
       case __NR_sigaltstack:
 #endif
       CASES_FOR_sigreturn:
       CASES_FOR_sigprocmask:
       CASES_FOR_sigaction:
         return Allow();
 
@@ -1047,18 +1064,19 @@ class ContentSandboxPolicy : public Sand
             // Pulseaudio uses F_SETLKW, as does fontconfig.
             .Case(F_SETLKW, Allow())
 #  ifdef F_SETLKW64
             .Case(F_SETLKW64, Allow())
 #  endif
             .Default(SandboxPolicyCommon::EvaluateSyscall(sysno));
       }
 
-      case __NR_mprotect:
       case __NR_brk:
+        // FIXME(bug 1510861) are we using any hints that aren't allowed
+        // in SandboxPolicyCommon now?
       case __NR_madvise:
         // libc's realloc uses mremap (Bug 1286119); wasm does too (bug
         // 1342385).
       case __NR_mremap:
         return Allow();
 
         // Bug 1462640: Mesa libEGL uses mincore to test whether values
         // are pointers, for reasons.
@@ -1330,30 +1348,16 @@ class GMPSandboxPolicy : public SandboxP
     switch (sysno) {
       // Simulate opening the plugin file.
 #  ifdef __NR_open
       case __NR_open:
 #  endif
       case __NR_openat:
         return Trap(OpenTrap, mFiles);
 
-        // ipc::Shmem
-      case __NR_mprotect:
-        return Allow();
-      case __NR_madvise: {
-        Arg<int> advice(2);
-        return If(advice == MADV_DONTNEED, Allow())
-            .ElseIf(advice == MADV_FREE, Allow())
-            .ElseIf(advice == MADV_HUGEPAGE, Allow())
-            .ElseIf(advice == MADV_NOHUGEPAGE, Allow())
-#  ifdef MOZ_ASAN
-            .ElseIf(advice == MADV_DONTDUMP, Allow())
-#  endif
-            .Else(InvalidSyscall());
-      }
       case __NR_brk:
       CASES_FOR_geteuid:
         return Allow();
       case __NR_sched_get_priority_min:
       case __NR_sched_get_priority_max:
         return Allow();
       case __NR_sched_getparam:
       case __NR_sched_getscheduler: