Bug 1397753 - Disallow kill() in sandboxed content processes. r?gcp
As a special case to deal with PulseAudio, testing for a process's
existence with kill(pid, 0) quietly fails with EPERM instead.
(I also added some commentary on umask, since I was touching that part of
the code anyway.)
MozReview-Commit-ID: CM0Aqii13j4
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -786,20 +786,32 @@ public:
Arg<pid_t> pid(0);
// This is really a const struct ::rlimit*, but Arg<> doesn't
// work with pointers, only integer types.
Arg<uintptr_t> new_limit(2);
return If(AllOf(pid == 0, new_limit == 0), Allow())
.Else(InvalidSyscall());
}
+ // PulseAudio calls umask, even though it's unsafe in
+ // multithreaded applications. But, allowing it here doesn't
+ // really do anything one way or the other, now that file
+ // accesses are brokered to another process.
case __NR_umask:
- case __NR_kill:
return Allow();
+ case __NR_kill: {
+ Arg<int> sig(1);
+ // PulseAudio uses kill(pid, 0) to check if purported owners of
+ // shared memory files are still alive; see bug 1397753 for more
+ // details.
+ return If(sig == 0, Error(EPERM))
+ .Else(InvalidSyscall());
+ }
+
case __NR_wait4:
#ifdef __NR_waitpid
case __NR_waitpid:
#endif
// NSPR will start a thread to wait for child processes even if
// fork() fails; see bug 227246 and bug 1299581.
return Error(ECHILD);