Tree - rpms/firefox - src.fedoraproject.org

rpms / firefox

Overview Files Commits Branches Forks Releases
Monitoring status:

Bugzilla Assignee:

Fedora:: gecko-maint
EPEL:: gecko-maint
Files

Commit: 33fd704cce4e66e27623dcab99d8f3cef02a991e
Blob Blame History Raw
diff --git a/ipc/glue/GeckoChildProcessHost.cpp b/ipc/glue/GeckoChildProcessHost.cpp
--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@@ -418,10 +418,17 @@
     nsresult rv = NS_GetSpecialDirectory(NS_APP_CONTENT_PROCESS_TEMP_DIR,
                                          getter_AddRefs(contentTempDir));
     if (NS_SUCCEEDED(rv)) {
       contentTempDir->GetNativePath(mTmpDirName);
     }
+  } else if (aProcessType == GeckoProcessType_RDD) {
+    // The RDD process makes limited use of EGL.  If Mesa's shader
+    // cache is enabled and the directory isn't explicitly set, then
+    // it will try to getpwuid() the user which can cause problems
+    // with sandboxing.  Because we shouldn't need shader caching in
+    // this process, we just disable the cache to prevent that.
+    mLaunchOptions->env_map["MESA_GLSL_CACHE_DISABLE"] = "true";
   }
 #endif
 #if defined(MOZ_ENABLE_FORKSERVER)
   if (aProcessType == GeckoProcessType_Content && ForkServiceChild::Get()) {
     mLaunchOptions->use_forkserver = true;
diff --git a/security/sandbox/common/test/SandboxTestingChildTests.h b/security/sandbox/common/test/SandboxTestingChildTests.h
--- a/security/sandbox/common/test/SandboxTestingChildTests.h
+++ b/security/sandbox/common/test/SandboxTestingChildTests.h
@@ -21,14 +21,16 @@
 #    include <termios.h>
 #    include <sys/resource.h>
 #    include <sys/time.h>
 #    include <sys/utsname.h>
 #    include <sched.h>
+#    include <sys/socket.h>
 #    include <sys/syscall.h>
 #    include <sys/un.h>
 #    include <linux/mempolicy.h>
 #    include "mozilla/ProcInfo_linux.h"
+#    include "mozilla/UniquePtrExtensions.h"
 #    ifdef MOZ_X11
 #      include "X11/Xlib.h"
 #      include "X11UndefineNone.h"
 #    endif  // MOZ_X11
 #  endif    // XP_LINUX
@@ -595,12 +597,25 @@
     return rv;
   });
 
   RunTestsSched(child);
 
-  child->ErrnoTest("socket"_ns, false,
-                   [] { return socket(AF_UNIX, SOCK_STREAM, 0); });
+  child->ErrnoTest("socket_inet"_ns, false,
+                   [] { return socket(AF_INET, SOCK_STREAM, 0); });
+
+  {
+    UniqueFileHandle fd(socket(AF_UNIX, SOCK_STREAM, 0));
+    child->ErrnoTest("socket_unix"_ns, true, [&] { return fd.get(); });
+
+    struct sockaddr_un sun {};
+    sun.sun_family = AF_UNIX;
+    strncpy(sun.sun_path, "/tmp/forbidden-sock", sizeof(sun.sun_path));
+
+    child->ErrnoValueTest("socket_unix_bind"_ns, ENOSYS, [&] {
+      return bind(fd.get(), (struct sockaddr*)&sun, sizeof(sun));
+    });
+  }
 
   child->ErrnoTest("uname"_ns, true, [] {
     struct utsname uts;
     return uname(&uts);
   });
diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -1783,10 +1783,11 @@
 class RDDSandboxPolicy final : public SandboxPolicyCommon {
  public:
   explicit RDDSandboxPolicy(SandboxBrokerClient* aBroker) {
     mBroker = aBroker;
     mMayCreateShmem = true;
+    mBrokeredConnect = true;
   }
 
 #ifndef ANDROID
   Maybe<ResultExpr> EvaluateIpcCall(int aCall, int aArgShift) const override {
     // The Intel media driver uses SysV IPC (semaphores and shared
@@ -1818,15 +1819,15 @@
 #endif
 
   Maybe<ResultExpr> EvaluateSocketCall(int aCall,
                                        bool aHasArgs) const override {
     switch (aCall) {
-      // Mesa can call getpwuid_r to get the home dir, which can try
-      // to connect to nscd (or maybe servers like NIS or LDAP); this
-      // can't be safely allowed, but we can quietly deny it.
-      case SYS_SOCKET:
-        return Some(Error(EACCES));
+      // These are for X11.
+      case SYS_GETSOCKNAME:
+      case SYS_GETPEERNAME:
+      case SYS_SHUTDOWN:
+        return Some(Allow());
 
       default:
         return SandboxPolicyCommon::EvaluateSocketCall(aCall, aHasArgs);
     }
   }
diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -853,13 +853,12 @@
     if (developer_repo_dir) {
       policy->AddDir(rdonly, developer_repo_dir);
     }
   }
 
-  // VA-API needs DRI and GPU detection
-  policy->AddDir(rdwr, "/dev/dri");
-  AddDriPaths(policy.get());
+  // VA-API needs GPU access and GL context creation
+  AddGLDependencies(policy.get());
 
   // FFmpeg and GPU drivers may need general-case library loading
   AddLdconfigPaths(policy.get());
   AddLdLibraryEnvPaths(policy.get());
rpms / firefox

Source Code

Files
