Bug 1511560 - Allow dup and ftruncate (when needed) in SandboxPolicyCommon. r=gcp

File descriptors are sometimes dup()ed in the process of communicating them over IPC; some of this may be unnecessary (due to insufficient use of move-only types), but dup() is relatively harmless. It was previously allowed for both content and GMP, so this doesn't change anything. The handling of ftruncate is a little complicated -- it's used for IPC shared memory, but only when creating segments; so GMP doesn't allow it and should continue not allowing it, but content needs it and RDD will as well. As a result, the subclass indicates if it will be needed. Note that even when we have memfd_create support (bug 1440203), ftruncate is still necessary even though brokering may not. Depends on D14523 Differential Revision: https://phabricator.services.mozilla.com/D14524 --HG-- extra : moz-landing-system : lando
2024-10-21 01:05:45 +00:00 · 2019-02-27 20:14:52 +00:00 · 2019-02-27 20:14:52 +00:00 · 6fc87bff63
commit 6fc87bff63
parent bb4d6b8630
1 changed files with 26 additions and 8 deletions
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@ -96,10 +96,19 @@ namespace mozilla {
 // denied if no broker client is provided by the concrete class.
 class SandboxPolicyCommon : public SandboxPolicyBase {
 protected:
-  SandboxBrokerClient* mBroker;
+  enum class ShmemUsage {
+    MAY_CREATE,
+    ONLY_USE,
+  };

-  explicit SandboxPolicyCommon(SandboxBrokerClient* aBroker = nullptr)
-      : mBroker(aBroker) {}
+  SandboxBrokerClient* mBroker;
+  ShmemUsage mShmemUsage;
+
+  explicit SandboxPolicyCommon(SandboxBrokerClient* aBroker,
+                               ShmemUsage aShmemUsage = ShmemUsage::MAY_CREATE)
+      : mBroker(aBroker), mShmemUsage(aShmemUsage) {}
+
+  SandboxPolicyCommon() : SandboxPolicyCommon(nullptr, ShmemUsage::ONLY_USE) {}

  typedef const sandbox::arch_seccomp_data& ArgsRef;

@ -493,6 +502,20 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
      CASES_FOR_lseek:
        return Allow();

+      CASES_FOR_ftruncate:
+        switch (mShmemUsage) {
+          case ShmemUsage::MAY_CREATE:
+            return Allow();
+          case ShmemUsage::ONLY_USE:
+            return InvalidSyscall();
+          default:
+            MOZ_CRASH("unreachable");
+        }
+
+        // Used by our fd/shm classes
+      case __NR_dup:
+        return Allow();
+
        // Memory mapping
      CASES_FOR_mmap:
      case __NR_munmap:
@ -982,7 +1005,6 @@ class ContentSandboxPolicy : public SandboxPolicyCommon {
        return Allow();

      CASES_FOR_getdents:
-      CASES_FOR_ftruncate:
      case __NR_writev:
      case __NR_pread64:
 #  ifdef DESKTOP
@ -1088,7 +1110,6 @@ class ContentSandboxPolicy : public SandboxPolicyCommon {
      case __NR_times:
        return Allow();

-      case __NR_dup:
      case __NR_dup2:  // See ConnectTrapCommon
        return Allow();

@ -1366,9 +1387,6 @@ class GMPSandboxPolicy : public SandboxPolicyCommon {
      CASES_FOR_fcntl:
        return Trap(FcntlTrap, nullptr);

-      case __NR_dup:
-        return Allow();
-
      default:
        return SandboxPolicyCommon::EvaluateSyscall(sysno);
    }