From 660156542f181cb4232fc25635d9c2dd8158a3cc Mon Sep 17 00:00:00 2001
From: Jed Davis <jld@mozilla.com>
Date: Wed, 7 Aug 2019 22:34:50 +0000
Subject: [PATCH] Bug 1559368 - When determining sandbox capabilities, check
 for the specific X11 socket that would be used. r=gcp

Differential Revision: https://phabricator.services.mozilla.com/D40915

--HG--
extra : moz-landing-system : lando
---
 .../sandbox/linux/launch/SandboxLaunch.cpp    | 30 ++++++++++++++-----
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/security/sandbox/linux/launch/SandboxLaunch.cpp b/security/sandbox/linux/launch/SandboxLaunch.cpp
index 2c179c06595c..3258927217da 100644
--- a/security/sandbox/linux/launch/SandboxLaunch.cpp
+++ b/security/sandbox/linux/launch/SandboxLaunch.cpp
@@ -100,14 +100,28 @@ static bool IsDisplayLocal() {
     //
     // Unfortunately, the Xorg client libraries prefer the abstract
     // addresses, so this isn't directly detectable by inspecting the
-    // parent process's socket.  Instead, this checks for the
-    // directory the sockets are stored in, which typically won't
-    // exist in a container with a private /tmp that isn't running its
-    // own X server.
-    if (access("/tmp/.X11-unix", X_OK) != 0) {
-      NS_ERROR(
-          "/tmp/.X11-unix is inaccessible; can't isolate network"
-          " namespace in content processes");
+    // parent process's socket.  Instead, parse the DISPLAY env var
+    // (which was updated if necessary in nsAppRunner.cpp) to get the
+    // display number and construct the socket path, falling back to
+    // testing the directory in case that doesn't work.  (See bug
+    // 1565972 and bug 1559368 for cases where we need to test the
+    // specific socket.)
+    const char* const displayStr = PR_GetEnv("DISPLAY");
+    nsAutoCString socketPath("/tmp/.X11-unix");
+    int accessFlags = X_OK;
+    int displayNum;
+    // sscanf ignores trailing text, so display names with a screen
+    // number (e.g., ":0.2") will parse correctly.
+    if (displayStr && (sscanf(displayStr, ":%d", &displayNum) == 1 ||
+                       sscanf(displayStr, "unix:%d", &displayNum) == 1)) {
+      socketPath.AppendPrintf("/X%d", displayNum);
+      accessFlags = R_OK | W_OK;
+    }
+    if (access(socketPath.get(), accessFlags) != 0) {
+      SANDBOX_LOG_ERROR(
+          "%s is inaccessible (%s); can't isolate network namespace in"
+          " content processes",
+          socketPath.get(), strerror(errno));
       return false;
     }
   }