Bug 1320085 - Allow the getrlimit-equivalent subset of prlimit64. r=tedd
authorJed Davis <jld@mozilla.com>
Mon, 28 Nov 2016 12:05:28 -0700
changeset 324794 c021b68fc7dfbc9890e225db9d98e4763d7f08b6
parent 324793 7eab0a7c766e258f2849edf6b8666727354a2968
child 324795 7ad3151a0a797b2230a45483c1adabf4d896405b
push id24
push usermaklebus@msu.edu
push dateTue, 20 Dec 2016 03:11:33 +0000
reviewerstedd
bugs1320085
milestone53.0a1
Bug 1320085 - Allow the getrlimit-equivalent subset of prlimit64. r=tedd This applies only to content processes, where we already allow getrlimit (but not setrlimit). The rule added here does not allow using prlimit64 to set any resource limits or interact with any other process. MozReview-Commit-ID: nMry3t6QPj
security/sandbox/linux/SandboxFilter.cpp
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -711,16 +711,28 @@ public:
       return Allow();
 
     CASES_FOR_getrlimit:
     case __NR_clock_getres:
     CASES_FOR_getresuid:
     CASES_FOR_getresgid:
       return Allow();
 
+    case __NR_prlimit64: {
+      // Allow only the getrlimit() use case.  (glibc seems to use
+      // only pid 0 to indicate the current process; pid == getpid()
+      // is equivalent and could also be allowed if needed.)
+      Arg<pid_t> pid(0);
+      // This is really a const struct ::rlimit*, but Arg<> doesn't
+      // work with pointers, only integer types.
+      Arg<uintptr_t> new_limit(2);
+      return If(AllOf(pid == 0, new_limit == 0), Allow())
+        .Else(InvalidSyscall());
+    }
+
     case __NR_umask:
     case __NR_kill:
     case __NR_wait4:
 #ifdef __NR_waitpid
     case __NR_waitpid:
 #endif
 #ifdef __NR_arch_prctl
     case __NR_arch_prctl: