Bug 974230 - Adjust sandbox so that socket() simply fails. r=kang

This is a workaround for issues with the SCTP code (bug 969715) and NSPR's IPv6 support (bug 936320).
2025-02-16 13:56:29 +00:00 · 2014-02-20 09:35:44 -05:00 · 2014-02-20 09:35:44 -05:00 · ad35f7df7c
commit ad35f7df7c
parent 3a2e9e491d
2 changed files with 9 additions and 3 deletions
--- a/security/sandbox/linux/linux_seccomp.h
+++ b/security/sandbox/linux/linux_seccomp.h
@ -241,10 +241,14 @@ struct arch_sigsys {
        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 #endif

-#define DENY_SYSCALL(name) \
+#define DENY_KILL_SYSCALL(name) \
        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)

+#define DENY_SYSCALL(name, err) \
+        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
+        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO + err)
+
 #define KILL_PROCESS \
        BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)

--- a/security/sandbox/linux/seccomp_filter.h
+++ b/security/sandbox/linux/seccomp_filter.h
@ -83,7 +83,8 @@
  ALLOW_SYSCALL(lstat64), \
  ALLOW_SYSCALL(socketpair), \
  ALLOW_SYSCALL(sendmsg), \
-  ALLOW_SYSCALL(sigprocmask),
+  ALLOW_SYSCALL(sigprocmask), \
+  DENY_SYSCALL(socket, EACCES),
 #elif defined(__i386__)
 #define SECCOMP_WHITELIST_ARCH_TOREMOVE \
  ALLOW_SYSCALL(fstat64), \
@ -93,7 +94,8 @@
 #else
 #define SECCOMP_WHITELIST_ARCH_TOREMOVE \
  ALLOW_SYSCALL(socketpair), \
-  ALLOW_SYSCALL(sendmsg),
+  ALLOW_SYSCALL(sendmsg), \
+  DENY_SYSCALL(socket, EACCES),
 #endif

 /* Architecture-specific syscalls for desktop linux */