|
 |
fc1bf47 |
diff --git a/ipc/glue/GeckoChildProcessHost.cpp b/ipc/glue/GeckoChildProcessHost.cpp
|
|
|
fc1bf47 |
--- a/ipc/glue/GeckoChildProcessHost.cpp
|
|
|
fc1bf47 |
+++ b/ipc/glue/GeckoChildProcessHost.cpp
|
|
|
fc1bf47 |
@@ -418,10 +418,17 @@
|
|
|
fc1bf47 |
nsresult rv = NS_GetSpecialDirectory(NS_APP_CONTENT_PROCESS_TEMP_DIR,
|
|
|
fc1bf47 |
getter_AddRefs(contentTempDir));
|
|
|
fc1bf47 |
if (NS_SUCCEEDED(rv)) {
|
|
|
fc1bf47 |
contentTempDir->GetNativePath(mTmpDirName);
|
|
|
fc1bf47 |
}
|
|
|
fc1bf47 |
+ } else if (aProcessType == GeckoProcessType_RDD) {
|
|
|
fc1bf47 |
+ // The RDD process makes limited use of EGL. If Mesa's shader
|
|
|
fc1bf47 |
+ // cache is enabled and the directory isn't explicitly set, then
|
|
|
fc1bf47 |
+ // it will try to getpwuid() the user which can cause problems
|
|
|
fc1bf47 |
+ // with sandboxing. Because we shouldn't need shader caching in
|
|
|
fc1bf47 |
+ // this process, we just disable the cache to prevent that.
|
|
|
fc1bf47 |
+ mLaunchOptions->env_map["MESA_GLSL_CACHE_DISABLE"] = "true";
|
|
|
fc1bf47 |
}
|
|
|
fc1bf47 |
#endif
|
|
|
fc1bf47 |
#if defined(MOZ_ENABLE_FORKSERVER)
|
|
|
fc1bf47 |
if (aProcessType == GeckoProcessType_Content && ForkServiceChild::Get()) {
|
|
|
fc1bf47 |
mLaunchOptions->use_forkserver = true;
|
|
|
fc1bf47 |
diff --git a/security/sandbox/common/test/SandboxTestingChildTests.h b/security/sandbox/common/test/SandboxTestingChildTests.h
|
|
|
fc1bf47 |
--- a/security/sandbox/common/test/SandboxTestingChildTests.h
|
|
|
fc1bf47 |
+++ b/security/sandbox/common/test/SandboxTestingChildTests.h
|
|
|
fc1bf47 |
@@ -21,14 +21,16 @@
|
|
|
fc1bf47 |
# include <termios.h>
|
|
|
fc1bf47 |
# include <sys/resource.h>
|
|
|
fc1bf47 |
# include <sys/time.h>
|
|
|
fc1bf47 |
# include <sys/utsname.h>
|
|
|
fc1bf47 |
# include <sched.h>
|
|
|
fc1bf47 |
+# include <sys/socket.h>
|
|
|
fc1bf47 |
# include <sys/syscall.h>
|
|
|
fc1bf47 |
# include <sys/un.h>
|
|
|
fc1bf47 |
# include <linux/mempolicy.h>
|
|
|
fc1bf47 |
# include "mozilla/ProcInfo_linux.h"
|
|
|
fc1bf47 |
+# include "mozilla/UniquePtrExtensions.h"
|
|
|
fc1bf47 |
# ifdef MOZ_X11
|
|
|
fc1bf47 |
# include "X11/Xlib.h"
|
|
|
fc1bf47 |
# include "X11UndefineNone.h"
|
|
|
fc1bf47 |
# endif // MOZ_X11
|
|
|
fc1bf47 |
# endif // XP_LINUX
|
|
|
fc1bf47 |
@@ -595,12 +597,25 @@
|
|
|
fc1bf47 |
return rv;
|
|
|
fc1bf47 |
});
|
|
|
fc1bf47 |
|
|
|
fc1bf47 |
RunTestsSched(child);
|
|
|
fc1bf47 |
|
|
|
fc1bf47 |
- child->ErrnoTest("socket"_ns, false,
|
|
|
fc1bf47 |
- [] { return socket(AF_UNIX, SOCK_STREAM, 0); });
|
|
|
fc1bf47 |
+ child->ErrnoTest("socket_inet"_ns, false,
|
|
|
fc1bf47 |
+ [] { return socket(AF_INET, SOCK_STREAM, 0); });
|
|
|
fc1bf47 |
+
|
|
|
fc1bf47 |
+ {
|
|
|
fc1bf47 |
+ UniqueFileHandle fd(socket(AF_UNIX, SOCK_STREAM, 0));
|
|
|
fc1bf47 |
+ child->ErrnoTest("socket_unix"_ns, true, [&] { return fd.get(); });
|
|
|
fc1bf47 |
+
|
|
|
fc1bf47 |
+ struct sockaddr_un sun {};
|
|
|
fc1bf47 |
+ sun.sun_family = AF_UNIX;
|
|
|
fc1bf47 |
+ strncpy(sun.sun_path, "/tmp/forbidden-sock", sizeof(sun.sun_path));
|
|
|
fc1bf47 |
+
|
|
|
fc1bf47 |
+ child->ErrnoValueTest("socket_unix_bind"_ns, ENOSYS, [&] {
|
|
|
fc1bf47 |
+ return bind(fd.get(), (struct sockaddr*)&sun, sizeof(sun));
|
|
|
fc1bf47 |
+ });
|
|
|
fc1bf47 |
+ }
|
|
|
fc1bf47 |
|
|
|
fc1bf47 |
child->ErrnoTest("uname"_ns, true, [] {
|
|
|
fc1bf47 |
struct utsname uts;
|
|
|
fc1bf47 |
return uname(&uts;;
|
|
|
fc1bf47 |
});
|
|
|
fc1bf47 |
diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
|
|
|
fc1bf47 |
--- a/security/sandbox/linux/SandboxFilter.cpp
|
|
|
fc1bf47 |
+++ b/security/sandbox/linux/SandboxFilter.cpp
|
|
|
fc1bf47 |
@@ -1783,10 +1783,11 @@
|
|
|
fc1bf47 |
class RDDSandboxPolicy final : public SandboxPolicyCommon {
|
|
|
fc1bf47 |
public:
|
|
|
fc1bf47 |
explicit RDDSandboxPolicy(SandboxBrokerClient* aBroker) {
|
|
|
fc1bf47 |
mBroker = aBroker;
|
|
|
fc1bf47 |
mMayCreateShmem = true;
|
|
|
fc1bf47 |
+ mBrokeredConnect = true;
|
|
|
fc1bf47 |
}
|
|
|
fc1bf47 |
|
|
|
fc1bf47 |
#ifndef ANDROID
|
|
|
fc1bf47 |
Maybe<ResultExpr> EvaluateIpcCall(int aCall, int aArgShift) const override {
|
|
|
fc1bf47 |
// The Intel media driver uses SysV IPC (semaphores and shared
|
|
|
fc1bf47 |
@@ -1818,15 +1819,15 @@
|
|
|
fc1bf47 |
#endif
|
|
|
fc1bf47 |
|
|
|
fc1bf47 |
Maybe<ResultExpr> EvaluateSocketCall(int aCall,
|
|
|
fc1bf47 |
bool aHasArgs) const override {
|
|
|
fc1bf47 |
switch (aCall) {
|
|
|
fc1bf47 |
- // Mesa can call getpwuid_r to get the home dir, which can try
|
|
|
fc1bf47 |
- // to connect to nscd (or maybe servers like NIS or LDAP); this
|
|
|
fc1bf47 |
- // can't be safely allowed, but we can quietly deny it.
|
|
|
fc1bf47 |
- case SYS_SOCKET:
|
|
|
fc1bf47 |
- return Some(Error(EACCES));
|
|
|
fc1bf47 |
+ // These are for X11.
|
|
|
fc1bf47 |
+ case SYS_GETSOCKNAME:
|
|
|
fc1bf47 |
+ case SYS_GETPEERNAME:
|
|
|
fc1bf47 |
+ case SYS_SHUTDOWN:
|
|
|
fc1bf47 |
+ return Some(Allow());
|
|
|
fc1bf47 |
|
|
|
fc1bf47 |
default:
|
|
|
fc1bf47 |
return SandboxPolicyCommon::EvaluateSocketCall(aCall, aHasArgs);
|
|
|
fc1bf47 |
}
|
|
|
fc1bf47 |
}
|
|
|
fc1bf47 |
diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
|
|
|
fc1bf47 |
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
|
|
|
fc1bf47 |
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
|
|
|
fc1bf47 |
@@ -853,13 +853,12 @@
|
|
|
fc1bf47 |
if (developer_repo_dir) {
|
|
|
fc1bf47 |
policy->AddDir(rdonly, developer_repo_dir);
|
|
|
fc1bf47 |
}
|
|
|
fc1bf47 |
}
|
|
|
fc1bf47 |
|
|
|
fc1bf47 |
- // VA-API needs DRI and GPU detection
|
|
|
fc1bf47 |
- policy->AddDir(rdwr, "/dev/dri");
|
|
|
fc1bf47 |
- AddDriPaths(policy.get());
|
|
|
fc1bf47 |
+ // VA-API needs GPU access and GL context creation
|
|
|
fc1bf47 |
+ AddGLDependencies(policy.get());
|
|
|
fc1bf47 |
|
|
|
fc1bf47 |
// FFmpeg and GPU drivers may need general-case library loading
|
|
|
fc1bf47 |
AddLdconfigPaths(policy.get());
|
|
|
fc1bf47 |
AddLdLibraryEnvPaths(policy.get());
|
|
|
fc1bf47 |
|
|
|
fc1bf47 |
|