Bug 1608558 - pt3 - add EvaluateSocketCall and missing cases to EvaluateSyscall for Socket process sandbox. r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D62445 --HG-- extra : moz-landing-system : lando
parent
40fb8ff87d
commit
5e124284d9
@ -1503,11 +1503,47 @@ class SocketProcessSandboxPolicy final : public SandboxPolicyCommon {
|
||||
}
|
||||
}
|
||||
|
||||
Maybe<ResultExpr> EvaluateSocketCall(int aCall,
|
||||
bool aHasArgs) const override {
|
||||
switch (aCall) {
|
||||
case SYS_BIND:
|
||||
return Some(Allow());
|
||||
|
||||
case SYS_SOCKET:
|
||||
return Some(Allow());
|
||||
|
||||
case SYS_CONNECT:
|
||||
return Some(Allow());
|
||||
|
||||
case SYS_RECVFROM:
|
||||
case SYS_SENDTO:
|
||||
case SYS_SENDMMSG:
|
||||
return Some(Allow());
|
||||
|
||||
case SYS_RECV:
|
||||
case SYS_SEND:
|
||||
case SYS_GETSOCKOPT:
|
||||
case SYS_SETSOCKOPT:
|
||||
case SYS_GETSOCKNAME:
|
||||
case SYS_GETPEERNAME:
|
||||
case SYS_SHUTDOWN:
|
||||
case SYS_ACCEPT:
|
||||
case SYS_ACCEPT4:
|
||||
return Some(Allow());
|
||||
|
||||
default:
|
||||
return SandboxPolicyCommon::EvaluateSocketCall(aCall, aHasArgs);
|
||||
}
|
||||
}
|
||||
|
||||
ResultExpr EvaluateSyscall(int sysno) const override {
|
||||
switch (sysno) {
|
||||
case __NR_getrusage:
|
||||
return Allow();
|
||||
|
||||
case __NR_prctl:
|
||||
return Allow();
|
||||
|
||||
case __NR_ioctl: {
|
||||
static const unsigned long kTypeMask = _IOC_TYPEMASK << _IOC_TYPESHIFT;
|
||||
static const unsigned long kTtyIoctls = TIOCSTI & kTypeMask;
|
||||
@ -1573,6 +1609,11 @@ class SocketProcessSandboxPolicy final : public SandboxPolicyCommon {
|
||||
|
||||
#ifdef DESKTOP
|
||||
// This section is borrowed from ContentSandboxPolicy
|
||||
CASES_FOR_getrlimit:
|
||||
CASES_FOR_getresuid:
|
||||
CASES_FOR_getresgid:
|
||||
return Allow();
|
||||
|
||||
case __NR_prlimit64: {
|
||||
// Allow only the getrlimit() use case. (glibc seems to use
|
||||
// only pid 0 to indicate the current process; pid == getpid()
|
||||
@ -1586,6 +1627,12 @@ class SocketProcessSandboxPolicy final : public SandboxPolicyCommon {
|
||||
}
|
||||
#endif // DESKTOP
|
||||
|
||||
CASES_FOR_getuid:
|
||||
CASES_FOR_getgid:
|
||||
CASES_FOR_geteuid:
|
||||
CASES_FOR_getegid:
|
||||
return Allow();
|
||||
|
||||
default:
|
||||
return SandboxPolicyCommon::EvaluateSyscall(sysno);
|
||||
}
|
||||
|
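Review bot: In the first hunk, the `case SYS_SOCKET:` arm of `EvaluateSocketCall` returns `Some(Allow())` without inspecting the domain or type arguments, so the seccomp filter lets this process create sockets of any address family the kernel exposes; `aHasArgs` is only forwarded to the base class in the `default:` arm. If the socket process needs only a known set of families, the arm could filter on the first argument where arguments are inspectable, e.g. `if (!aHasArgs) return Some(Allow());`, `Arg<int> domain(0);`, `return Some(If(AnyOf(domain == AF_INET, domain == AF_INET6), Allow()).Else(Error(EAFNOSUPPORT)));`. The family list is a guess from what is visible here and must be checked against actual use (AF_UNIX or others may be required). If unrestricted creation is intentional, a short comment on that arm saying why would record the decision for later policy audits. The class body starts and ends outside the visible hunks.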