mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-15 14:25:52 +00:00
2ba1e92974
The initialization path for the SOCKS proxy in firefox involves creating a generic AF_INET socket, and then replacing it if the actual configuration requires something else (either AF_INET6 or AF_LOCAL). With syscall filtering configured to return an error in the event of AF_INET or AF_INET6 socket creation, this initialization path fails. We would like this capability so that we can prevent firefox from making network requests outside of the Tor proxy. This patch adds a check in the initial socket creation path to see if the SOCKS proxy host begins with file:// with the assumption that such URIs point to a UNIX Domain Socket (on Linux+macOS only). In that case, we create an AF_LOCAL socket rather than the requested type. A similar check for Windows already exists to determine if the proxy is actually a named pipe. In the subsequent replacing step no work occurs as the passed in socket matches the type we need, so no changes need to be made there. NOTE: With this change there is still a one-time request for an AF_INET6 socket that occurs. This code path exists to determine whether the system supports IPv6; if socket(AF_INET6...) fails then it is assumed that the system does not. However, this check only affects code that is unreachable when using AF_LOCAL sockets so it seems safe leave as it is. However, this does mean that firefox will still be incompatible with seccomp policies which kill the calling thread in the event of a socket(AF_INET6,...) call. |
||
|---|---|---|
| .. | ||
| base | ||
| build | ||
| cache | ||
| cache2 | ||
| cookie | ||
| dns | ||
| ipc | ||
| locales | ||
| mime | ||
| protocol | ||
| sctp | ||
| socket | ||
| srtp | ||
| streamconv | ||
| system | ||
| test | ||
| wifi | ||
| moz.build | ||
| necko-config.h.in | ||