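diff --git a/ipc/glue/GeckoChildProcessHost.cpp b/ipc/glue/GeckoChildProcessHost.cpp
--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@@ -418,10 +418,17 @@
 nsresult rv = NS_GetSpecialDirectory(NS_APP_CONTENT_PROCESS_TEMP_DIR,
 getter_AddRefs(contentTempDir));
 if (NS_SUCCEEDED(rv)) {
 contentTempDir->GetNativePath(mTmpDirName);
 }
+ } else if (aProcessType == GeckoProcessType_RDD) {
+ // The RDD process makes limited use of EGL. If Mesa's shader
+ // cache is enabled and the directory isn't explicitly set, then
+ // it will try to getpwuid() the user which can cause problems
+ // with sandboxing. Because we shouldn't need shader caching in
+ // this process, we just disable the cache to prevent that.
+ mLaunchOptions->env_map["MESA_GLSL_CACHE_DISABLE"] = "true";
 }
 #endif
 #if defined(MOZ_ENABLE_FORKSERVER)
 if (aProcessType == GeckoProcessType_Content && ForkServiceChild::Get()) {
 mLaunchOptions->use_forkserver = true;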
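Review bot: The new RDD branch is now the only thing standing between Mesa's getpwuid_r path and an nscd connect, because SandboxFilter.cpp in this same change stops returning EACCES for SYS_SOCKET in RDDSandboxPolicy, yet the comment here does not mention that coupling. Newer Mesa releases read MESA_SHADER_CACHE_DISABLE instead (the old name is, as far as I recall, still honoured as a fallback), so the variable name is version-dependent and worth a note too. I would extend the comment with `// NOTE: the RDD seccomp policy no longer denies socket() (see RDDSandboxPolicy in SandboxFilter.cpp); this variable is what keeps the nscd lookup from being attempted, so keep the two in sync and watch for Mesa renaming the variable.` The enclosing function starts before and continues after this hunk.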
diff --git a/security/sandbox/common/test/SandboxTestingChildTests.h b/security/sandbox/common/test/SandboxTestingChildTests.h
|
|
--- a/security/sandbox/common/test/SandboxTestingChildTests.h
|
|
+++ b/security/sandbox/common/test/SandboxTestingChildTests.h
|
|
@@ -21,14 +21,16 @@
|
|
# include <termios.h>
|
|
# include <sys/resource.h>
|
|
# include <sys/time.h>
|
|
# include <sys/utsname.h>
|
|
# include <sched.h>
|
|
+# include <sys/socket.h>
|
|
# include <sys/syscall.h>
|
|
# include <sys/un.h>
|
|
# include <linux/mempolicy.h>
|
|
# include "mozilla/ProcInfo_linux.h"
|
|
+# include "mozilla/UniquePtrExtensions.h"
|
|
# ifdef MOZ_X11
|
|
# include "X11/Xlib.h"
|
|
# include "X11UndefineNone.h"
|
|
# endif // MOZ_X11
|
|
# endif // XP_LINUX
|
|
@@ -595,12 +597,25 @@
|
|
return rv;
|
|
});
|
|
|
|
RunTestsSched(child);
|
|
|
|
- child->ErrnoTest("socket"_ns, false,
|
|
- [] { return socket(AF_UNIX, SOCK_STREAM, 0); });
|
|
+ child->ErrnoTest("socket_inet"_ns, false,
|
|
+ [] { return socket(AF_INET, SOCK_STREAM, 0); });
|
|
+
|
|
+ {
|
|
+ UniqueFileHandle fd(socket(AF_UNIX, SOCK_STREAM, 0));
|
|
+ child->ErrnoTest("socket_unix"_ns, true, [&] { return fd.get(); });
|
|
+
|
|
+ struct sockaddr_un sun {};
|
|
+ sun.sun_family = AF_UNIX;
|
|
+ strncpy(sun.sun_path, "/tmp/forbidden-sock", sizeof(sun.sun_path));
|
|
+
|
|
+ child->ErrnoValueTest("socket_unix_bind"_ns, ENOSYS, [&] {
|
|
+ return bind(fd.get(), (struct sockaddr*)&sun, sizeof(sun));
|
|
+ });
|
|
+ }
|
|
|
|
child->ErrnoTest("uname"_ns, true, [] {
|
|
struct utsname uts;
|
|
return uname(&uts);
|
|
});
|
|
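Review bot: In the `socket_unix` test the callable only returns an fd that was created earlier, so when socket() fails the errno that ErrnoTest reports (assuming it reads errno after invoking the callable) is whatever was last set in between, not the socket() error, which makes a failure of the very case this test exists for hard to diagnose. Create the socket inside the callable instead: `UniqueFileHandle fd;` followed by `child->ErrnoTest("socket_unix"_ns, true, [&] { fd.reset(socket(AF_UNIX, SOCK_STREAM, 0)); return fd.get(); });`, leaving the bind test unchanged. As a point of style, `(struct sockaddr*)&sun` is a C-style cast in a C++ header; `reinterpret_cast<struct sockaddr*>(&sun)` states the intent. The enclosing test function starts before the second hunk and continues after it.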
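diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -1783,10 +1783,11 @@
 class RDDSandboxPolicy final : public SandboxPolicyCommon {
 public:
 explicit RDDSandboxPolicy(SandboxBrokerClient* aBroker) {
 mBroker = aBroker;
 mMayCreateShmem = true;
+ mBrokeredConnect = true;
 }
 
 #ifndef ANDROID
 Maybe<ResultExpr> EvaluateIpcCall(int aCall, int aArgShift) const override {
 // The Intel media driver uses SysV IPC (semaphores and shared
@@ -1818,15 +1819,15 @@
 #endif
 
 Maybe<ResultExpr> EvaluateSocketCall(int aCall,
 bool aHasArgs) const override {
 switch (aCall) {
- // Mesa can call getpwuid_r to get the home dir, which can try
- // to connect to nscd (or maybe servers like NIS or LDAP); this
- // can't be safely allowed, but we can quietly deny it.
- case SYS_SOCKET:
- return Some(Error(EACCES));
+ // These are for X11.
+ case SYS_GETSOCKNAME:
+ case SYS_GETPEERNAME:
+ case SYS_SHUTDOWN:
+ return Some(Allow());
 
 default:
 return SandboxPolicyCommon::EvaluateSocketCall(aCall, aHasArgs);
 }
 }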
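Review bot: The second hunk drops the SYS_SOCKET → EACCES rule together with the only explanation of why socket() was denied in this process, and records nothing about why allowing it is now acceptable; from the tests added in SandboxTestingChildTests.h the intent appears to be that SandboxPolicyCommon (with mBrokeredConnect now set in the constructor) rejects AF_INET, permits AF_UNIX and answers bind() with ENOSYS, while the nscd lookup itself is avoided by the MESA_GLSL_CACHE_DISABLE environment set in GeckoChildProcessHost.cpp — but none of that is visible to a reader of this file. I would add, above the new cases, `// socket() is no longer denied here: SandboxPolicyCommon restricts the address family and brokers connect(), and Mesa's getpwuid_r/nscd lookup is avoided via MESA_GLSL_CACHE_DISABLE (GeckoChildProcessHost.cpp).` The three newly allowed calls operate on descriptors the process already holds, so `// These are for X11.` is adequate, though naming the display connection as the user would help. Both the constructor and EvaluateSocketCall lie entirely within their hunks.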
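diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -853,13 +853,12 @@
 if (developer_repo_dir) {
 policy->AddDir(rdonly, developer_repo_dir);
 }
 }
 
- // VA-API needs DRI and GPU detection
- policy->AddDir(rdwr, "/dev/dri");
- AddDriPaths(policy.get());
+ // VA-API needs GPU access and GL context creation
+ AddGLDependencies(policy.get());
 
 // FFmpeg and GPU drivers may need general-case library loading
 AddLdconfigPaths(policy.get());
 AddLdLibraryEnvPaths(policy.get());
 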
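Review bot: Swapping the explicit `/dev/dri` read-write entry plus AddDriPaths for AddGLDependencies widens the RDD broker allowlist by whatever that helper adds, and the new comment does not say so; since a broker policy is sandbox surface, the comment should point the reader at the helper and record that it must still grant `/dev/dri` read-write or VA-API stops working (I am inferring the helper's contents, which are outside this hunk). Something like `// VA-API needs GPU access and GL context creation. AddGLDependencies supersedes the former /dev/dri + AddDriPaths entries and exposes more to the RDD process; review its list before extending it.` would keep that visible. The enclosing function starts before this hunk and continues after it.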