mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-28 07:13:20 +00:00
f81f999eeb
The argument and environment strings for a child process are now sent directly to that process after it's forked, in a separate IPC message, rather than to the fork server. The initial message sent to the fork server carries an attached socket used only for that request, which is used to construct an additional `MiniTransceiver` instance for this new message. This ensures that those strings aren't present in the fork server's address space and can't accidentally leak into other child processes; currently there's some code that attempts to overwrite all copies of the data in memory but this could be defeated by compiler optimizations, library code making extra copies while resizing buffers, or other mistakes. It's safer to follow the principle of least privilege. This patch also lays the groundwork for future changes to the fork server protocol: if the per-request socket also carried the reply to the fork request, the main channel could carry other messages in both directions. (This patch does not do that, yet; the main protocol still contains the equivalent of exactly one sync message type.) Note that file descriptors to be passed to the child process are still sent to the fork server rather than directly to the child; this isn't ideal, but it's harmless for security (we can be relatively sure that fds are `close`d as intended and there are no accidental duplicates) and it made the patches less complicated (this one and also bug 1858279). Differential Revision: https://phabricator.services.mozilla.com/D205782 |
||
---|---|---|
.. | ||
gtest | ||
src | ||
chromium-config.mozbuild | ||
moz.build |