Bug 1386019 - At sandbox level 4, remove syscalls used only by PulseAudio. r=gcp
authorJed Davis <jld@mozilla.com>
Tue, 23 Jan 2018 22:37:44 -0700
changeset 453069 ff1469e834940ae28709a94c14ea02e0428e1cc5
parent 453068 35083f8586e713ecf393435c63ed2a93bc7c5803
child 453070 c2836d5bc6bc2daef4c7fb2d6507730992bd3d97
push id8799
push usermtabara@mozilla.com
push dateThu, 01 Mar 2018 16:46:23 +0000
reviewersgcp
bugs1386019
milestone60.0a1
Bug 1386019 - At sandbox level 4, remove syscalls used only by PulseAudio. r=gcp MozReview-Commit-ID: 7YbJ8uYub7f
security/sandbox/linux/SandboxFilter.cpp
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -665,19 +665,22 @@ public:
     default:
       return SandboxPolicyCommon::EvaluateIpcCall(aCall);
     }
   }
 #endif
 
 #ifdef MOZ_PULSEAUDIO
   ResultExpr PrctlPolicy() const override {
-    Arg<int> op(0);
-    return If(op == PR_GET_NAME, Allow())
-      .Else(SandboxPolicyCommon::PrctlPolicy());
+    if (BelowLevel(4)) {
+      Arg<int> op(0);
+      return If(op == PR_GET_NAME, Allow())
+             .Else(SandboxPolicyCommon::PrctlPolicy());
+    }
+    return SandboxPolicyCommon::PrctlPolicy();
   }
 #endif
 
   ResultExpr EvaluateSyscall(int sysno) const override {
     // Straight allow for anything that got overriden via prefs
     const auto& whitelist = mParams.mSyscallWhitelist;
     if (std::find(whitelist.begin(), whitelist.end(), sysno)
         != whitelist.end()) {
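Review bot: The new BelowLevel(4) branch in PrctlPolicy (the `if` at the top of the function) carries no comment saying why PR_GET_NAME is allowed at lower levels or why level 4 drops it; a reader has only the enclosing `#ifdef MOZ_PULSEAUDIO` to infer that it is a PulseAudio need. I'd add above the `if`: `// PulseAudio reads thread names via prctl(PR_GET_NAME); at level 4 it is no longer granted (presumably PulseAudio is not used in the content process there -- confirm) and the common policy applies.` The fallback `SandboxPolicyCommon::PrctlPolicy()` is now spelled out in both paths; binding it once, `ResultExpr common = SandboxPolicyCommon::PrctlPolicy();`, and using it in the `.Else(common)` and the final `return common;` would make it obvious that the only difference between the two levels is the PR_GET_NAME carve-out. PrctlPolicy is fully inside the hunk, but EvaluateSyscall, which starts at the end of the hunk, continues past it.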
@@ -753,19 +756,22 @@ public:
     CASES_FOR_statfs:
       return Trap(StatFsTrap, nullptr);
 
       // GTK's theme parsing tries to getcwd() while sandboxed, but
       // only during Talos runs.
     case __NR_getcwd:
       return Error(ENOENT);
 
+#ifdef MOZ_PULSEAUDIO
+    CASES_FOR_fchown:
+    case __NR_fchmod:
+      return AllowBelowLevel(4);
+#endif
     CASES_FOR_fstatfs: // fontconfig, pulseaudio, GIO (see also statfs)
-    CASES_FOR_fchown: // pulseaudio
-    case __NR_fchmod: // pulseaudio
     case __NR_flock: // graphics
       return Allow();
 
       // Bug 1354731: proprietary GL drivers try to mknod() their devices
     case __NR_mknod: {
       Arg<mode_t> mode(1);
       return If((mode & S_IFMT) == S_IFCHR, Error(EPERM))
         .Else(InvalidSyscall());
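Review bot: Wrapping the fchown/fchmod cases in `#ifdef MOZ_PULSEAUDIO` changes behavior for builds without PulseAudio at every sandbox level, not only at level 4: before this change those labels were part of the unconditional `Allow()` group, and now on such builds they fall to whatever the switch's default does (outside this hunk). That is presumably intended, since the removed comments attributed both syscalls to pulseaudio, but the commit message only mentions level 4 and the dropped `// pulseaudio` annotation means the new lines no longer say who needs them. I'd keep the attribution and make the build-config dependence explicit: `CASES_FOR_fchown: // pulseaudio; not granted at any level on non-PulseAudio builds`. If the non-PulseAudio tightening is deliberate, a sentence in the commit message would keep the next reader from treating it as accidental. EvaluateSyscall begins before this hunk and continues past it.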
@@ -926,25 +932,28 @@ public:
         .Else(InvalidSyscall());
     }
 
       // PulseAudio calls umask, even though it's unsafe in
       // multithreaded applications.  But, allowing it here doesn't
       // really do anything one way or the other, now that file
       // accesses are brokered to another process.
     case __NR_umask:
-      return Allow();
+      return AllowBelowLevel(4);
 
     case __NR_kill: {
-      Arg<int> sig(1);
-      // PulseAudio uses kill(pid, 0) to check if purported owners of
-      // shared memory files are still alive; see bug 1397753 for more
-      // details.
-      return If(sig == 0, Error(EPERM))
-        .Else(InvalidSyscall());
+      if (BelowLevel(4)) {
+        Arg<int> sig(1);
+        // PulseAudio uses kill(pid, 0) to check if purported owners of
+        // shared memory files are still alive; see bug 1397753 for more
+        // details.
+        return If(sig == 0, Error(EPERM))
+               .Else(InvalidSyscall());
+      }
+      return InvalidSyscall();
     }
 
     case __NR_wait4:
 #ifdef __NR_waitpid
     case __NR_waitpid:
 #endif
       // NSPR will start a thread to wait for child processes even if
       // fork() fails; see bug 227246 and bug 1299581.
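Review bot: The umask and kill cases gate on BelowLevel(4) without an `#ifdef MOZ_PULSEAUDIO`, while the fchown/fchmod cases earlier in this diff are both level-gated and ifdef-gated, even though every one of them is annotated as PulseAudio-only. On a non-PulseAudio build umask therefore stays allowed below level 4 and kill(pid, 0) still gets EPERM, which is harmless but leaves two different definitions of "PulseAudio-only" in the same switch; either apply the same `#ifdef` here or add a comment on the umask case saying why it is kept on all builds. The kill comment should also note the level-4 consequence: a kill(pid, 0) liveness probe now gets `InvalidSyscall()` rather than EPERM, so any PulseAudio path still reachable at that level would fail hard instead of degrading, e.g. `// At level 4 PulseAudio is not expected to run here, so kill() of any kind is invalid rather than EPERM'd.` EvaluateSyscall begins before this hunk and continues past it.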