diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -325,30 +325,84 @@
policy->AddDynamic(perms, trimPath.get());
}
}
}
+static void AddX11Dependencies(SandboxBroker::Policy* policy) {
+ // Allow Primus to contact the Bumblebee daemon to manage GPU
+ // switching on NVIDIA Optimus systems.
+ const char* bumblebeeSocket = PR_GetEnv("BUMBLEBEE_SOCKET");
+ if (bumblebeeSocket == nullptr) {
+ bumblebeeSocket = "/var/run/bumblebee.socket";
+ }
+ policy->AddPath(SandboxBroker::MAY_CONNECT, bumblebeeSocket);
+
+#if defined(MOZ_WIDGET_GTK) && defined(MOZ_X11)
+ // Allow local X11 connections, for several purposes:
+ //
+ // * for content processes to use WebGL when the browser is in headless
+ // mode, by opening the X display if/when needed
+ //
+ // * if Primus or VirtualGL is used, to contact the secondary X server
+ static const bool kIsX11 =
+ !mozilla::widget::GdkIsWaylandDisplay() && PR_GetEnv("DISPLAY");
+ if (kIsX11) {
+ policy->AddPrefix(SandboxBroker::MAY_CONNECT, "/tmp/.X11-unix/X");
+ if (auto* const xauth = PR_GetEnv("XAUTHORITY")) {
+ policy->AddPath(rdonly, xauth);
+ } else if (auto* const home = PR_GetEnv("HOME")) {
+ // This follows the logic in libXau: append "/.Xauthority",
+ // even if $HOME ends in a slash, except in the special case
+ // where HOME=/ because POSIX allows implementations to treat
+ // an initial double slash specially.
+ nsAutoCString xauth(home);
+ if (xauth != "/"_ns) {
+ xauth.Append('/');
+ }
+ xauth.AppendLiteral(".Xauthority");
+ policy->AddPath(rdonly, xauth.get());
+ }
+ }
+#endif
+}
+
+static void AddGLDependencies(SandboxBroker::Policy* policy) {
+ // Devices
+ policy->AddDir(rdwr, "/dev/dri");
+ policy->AddFilePrefix(rdwr, "/dev", "nvidia");
+
+ // Hardware info
+ AddDriPaths(policy);
+
+ // /etc and /usr/share (glvnd, libdrm, drirc, ...?)
+ policy->AddDir(rdonly, "/etc");
+ policy->AddDir(rdonly, "/usr/share");
+ policy->AddDir(rdonly, "/usr/local/share");
+
+ // Note: This function doesn't do anything about Mesa's shader
+ // cache, because the details can vary by process type, including
+ // whether caching is enabled.
+
+ AddX11Dependencies(policy);
+}
+
void SandboxBrokerPolicyFactory::InitContentPolicy() {
const bool headless =
StaticPrefs::security_sandbox_content_headless_AtStartup();
// Policy entries that are the same in every process go here, and
// are cached over the lifetime of the factory.
SandboxBroker::Policy* policy = new SandboxBroker::Policy;
// Write permssions
- //
- if (!headless) {
- // Bug 1308851: NVIDIA proprietary driver when using WebGL
- policy->AddFilePrefix(rdwr, "/dev", "nvidia");
-
- // Bug 1312678: Mesa with DRI when using WebGL
- policy->AddDir(rdwr, "/dev/dri");
- }
// Bug 1575985: WASM library sandbox needs RW access to /dev/null
policy->AddPath(rdwr, "/dev/null");
+ if (!headless) {
+ AddGLDependencies(policy);
+ }
+
// Read permissions
policy->AddPath(rdonly, "/dev/urandom");
policy->AddPath(rdonly, "/dev/random");
policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
policy->AddPath(rdonly, "/proc/cpuinfo");
@@ -370,13 +424,10 @@
policy->AddDir(rdonly, "/run/host/fonts");
policy->AddDir(rdonly, "/run/host/user-fonts");
policy->AddDir(rdonly, "/run/host/local-fonts");
policy->AddDir(rdonly, "/var/cache/fontconfig");
- if (!headless) {
- AddDriPaths(policy);
- }
AddLdconfigPaths(policy);
AddLdLibraryEnvPaths(policy);
if (!headless) {
// Bug 1385715: NVIDIA PRIME support
@@ -569,45 +620,11 @@
}
}
#endif
if (!headless) {
- // Allow Primus to contact the Bumblebee daemon to manage GPU
- // switching on NVIDIA Optimus systems.
- const char* bumblebeeSocket = PR_GetEnv("BUMBLEBEE_SOCKET");
- if (bumblebeeSocket == nullptr) {
- bumblebeeSocket = "/var/run/bumblebee.socket";
- }
- policy->AddPath(SandboxBroker::MAY_CONNECT, bumblebeeSocket);
-
-#if defined(MOZ_WIDGET_GTK) && defined(MOZ_X11)
- // Allow local X11 connections, for several purposes:
- //
- // * for content processes to use WebGL when the browser is in headless
- // mode, by opening the X display if/when needed
- //
- // * if Primus or VirtualGL is used, to contact the secondary X server
- static const bool kIsX11 =
- !mozilla::widget::GdkIsWaylandDisplay() && PR_GetEnv("DISPLAY");
- if (kIsX11) {
- policy->AddPrefix(SandboxBroker::MAY_CONNECT, "/tmp/.X11-unix/X");
- if (auto* const xauth = PR_GetEnv("XAUTHORITY")) {
- policy->AddPath(rdonly, xauth);
- } else if (auto* const home = PR_GetEnv("HOME")) {
- // This follows the logic in libXau: append "/.Xauthority",
- // even if $HOME ends in a slash, except in the special case
- // where HOME=/ because POSIX allows implementations to treat
- // an initial double slash specially.
- nsAutoCString xauth(home);
- if (xauth != "/"_ns) {
- xauth.Append('/');
- }
- xauth.AppendLiteral(".Xauthority");
- policy->AddPath(rdonly, xauth.get());
- }
- }
-#endif
+ AddX11Dependencies(policy);
}
// Bug 1732580: when packaged as a strictly confined snap, may need
// read-access to configuration files under $SNAP/.
const char* snap = PR_GetEnv("SNAP");