This does two things:
1) Move the level 3 rules to always be applicable, and simplifies level 2 accordingly
2) Consistently uses the raw string literal syntax for regexes
MozReview-Commit-ID: 6iwjOvRVMM7
--HG--
extra : rebase_source : 3ac59219ad0793a98bdb203fb3d247561216a560
PulseAudio is the only thing that's known to need this. Note that the
same file often exists as /etc/machine-id, and we currently allow reading
all of /etc (which includes other fingerprinting hazards as well).
MozReview-Commit-ID: FoyKQzhAV6M
--HG--
extra : rebase_source : 593ee0b94cf507681a034d22cd06a9050d56b86a
If these aren't close-on-exec, they can be inherited by the crash
reporter process after the parent process has crashed and exited,
causing child processes to continue running when the IPC I/O thread blocks
in the file broker trying to open a GeckoChildCrash temp file.
(Empirically, the main thread then blocks waiting for the I/O thread.)
Operations that run on dedicated threads, like playing media, may
continue even though the main and IPC threads are locked up, resulting in
videos that keep playing sound even though the browser seems to no longer
exist.
If the broker socket is closed as expected when the parent process
exits, the child will return failure from the brokered file operation
and then go on to get an IPC error due to the parent process's
nonexistence, and will exit as normal.
This patch makes the same change to rejected syscall reporting, even
though that's a one-way asynchronous message with no response to wait
for, just in case something goes wrong enough to fill the entire socket
buffer but not so badly broken that it would wind up in an infinite loop
anyway.
SOCK_CLOEXEC has been present since Linux 2.6.26, and it would be used
only if seccomp-bpf is available, so it should be safe to use
unconditionally.
MozReview-Commit-ID: 7tDPBJILzlj
--HG--
extra : rebase_source : b797655dff2eea88c406d83dcee4a859f2a038b7
As a special case to deal with PulseAudio, testing for a process's
existence with kill(pid, 0) quietly fails with EPERM instead.
(I also added some commentary on umask, since I was touching that part of
the code anyway.)
MozReview-Commit-ID: CM0Aqii13j4
--HG--
extra : rebase_source : 44ef05e9a39a9eea4a649399c63b865f5523d43b
This fixes improper usages of Find where an offset was actually being use for
the boolean ignore case flag. It also fixes a few instances of passing in a
literal wchar_t to our functions where a NS_LITERAL_STRING or char16_t should
be used instead.
--HG--
extra : rebase_source : 5de1e9335895d65e6db06c510e8887d27be3390f
extra : source : f762f605dd83fc6331161a33e1ef5d54cafbd08d
This is 0cb5dadc2b1f84fbbd9c6f75056e38d05a5b07d3 and
db4c64b63d6098294ed255e962700fd2d465575e in the chromium repository.
This allows a single process to create sandboxed children with alternate
desktops on both an alternate winstation and the local winstation.
MozReview-Commit-ID: 8sS7LjoveOk
--HG--
extra : rebase_source : 6915af73743f87ed74ddefe04210dbdd95bb56ed
Adds access to video encoding/decoding services when running on macOS 10.13 High Sierra.
MozReview-Commit-ID: 6h4dZ6gkFtp
--HG--
extra : rebase_source : 8c5078b336631e3254fcaaf6727dff281c840159
Fix the file access check by adding missing parentheses to isDirectory method call.
Don't run the cookies file check on Linux because the test profile is read accessible due to being in /tmp.
MozReview-Commit-ID: lps2hk8f5U
--HG--
extra : rebase_source : 5fba75d65081e56df5a0d171c41689c489a3aace
Generally, the intent for the Add* methods is that they always grant
rights in addition to what's already in the policy, not remove them;
this makes subtree rules that overlap single-file rules follow that
principle.
This requires a global analysis because the conflicting rules can be
added in any order. It does not currently attempt to handle prefix
rules that aren't at a path component boundary, because that's not a
problem we currently have.
MozReview-Commit-ID: 4kv6QoGCBTV
--HG--
extra : rebase_source : 9e41263bbb1c07b8cde40ec2e72d746f17278fcb
Now that all of the operations that took two paths are removed, we can
have less string manipulation running on untrusted inputs in a trusted
context.
Note that the path isn't null-terminated in transit, because we know
the message length and there's no longer any need to delimit anything.
(This is how the protocol worked before the two-path operations were
added.)
MozReview-Commit-ID: 5VHkMoPlWmU
--HG--
extra : rebase_source : 2108a4f7c7bf5098f2ef63786c3675367bd56e19
In testing (local and CI) these seem to no longer be used.
MozReview-Commit-ID: 2D3C8eWoIsB
--HG--
extra : rebase_source : dde2015af1d036c32631d185703f1149285b253e