Bug 1438389 - Quietly disallow chown() in sandboxed content processes. r=gcp

Also covers fchownat() and attempts to be ready for newer archs like ARM64. Bonus fix: extend bug 1354731 (mknod) fix to cover mknodat so this part of the policy isn't glaringly inconsistent about "at" syscalls. Tested locally by attaching gdb and injecting syscalls. MozReview-Commit-ID: CCOk0jZVoG4 --HG-- extra : rebase_source : 1d0cafd9d91586eaec0233ff15b3bbb1ef7485f0
2024-10-17 23:35:34 +00:00 · 2018-02-15 16:10:00 -07:00 · 2018-02-15 16:10:00 -07:00 · 9bdbd2d99f
commit 9bdbd2d99f
parent 8afc412494
1 changed files with 11 additions and 2 deletions
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@ -814,11 +814,20 @@ public:
      return Allow();

      // Bug 1354731: proprietary GL drivers try to mknod() their devices
-    case __NR_mknod: {
-      Arg<mode_t> mode(1);
+#ifdef __NR_mknod
+    case __NR_mknod:
+#endif
+    case __NR_mknodat: {
+      Arg<mode_t> mode(sysno == __NR_mknodat ? 2 : 1);
      return If((mode & S_IFMT) == S_IFCHR, Error(EPERM))
        .Else(InvalidSyscall());
    }
+      // Bug 1438389: ...and nvidia GL will sometimes try to chown the devices
+#ifdef __NR_chown
+    case __NR_chown:
+#endif
+    case __NR_fchownat:
+      return Error(EPERM);

      // For ORBit called by GConf (on some systems) to get proxy
      // settings.  Can remove when bug 1325242 happens in some form.