Bug 1408497 - Disallow inotify in sandboxed content processes. r?gcp
MozReview-Commit-ID: nKyIvMNQAt
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -802,19 +802,16 @@ public:
// Rust's stdlib seems to use FIOCLEX instead of equivalent fcntls.
return If(request == FIOCLEX, Allow())
// Rust's stdlib also uses FIONBIO instead of equivalent fcntls.
.ElseIf(request == FIONBIO, Allow())
// ffmpeg, and anything else that calls isatty(), will be told
// that nothing is a typewriter:
.ElseIf(request == TCGETS, Error(ENOTTY))
- // Bug 1408498: libgio uses FIONREAD on inotify fds.
- // (We should stop using inotify: bug 1408497.)
- .ElseIf(request == FIONREAD, Allow())
// Allow anything that isn't a tty ioctl, for now; bug 1302711
// will cover changing this to a default-deny policy.
.ElseIf(shifted_type != kTtyIoctls, Allow())
.Else(SandboxPolicyCommon::EvaluateSyscall(sysno));
}
#endif // !MOZ_ALSA
CASES_FOR_fcntl: {
@@ -933,21 +930,24 @@ public:
case __NR_wait4:
#ifdef __NR_waitpid
case __NR_waitpid:
#endif
// NSPR will start a thread to wait for child processes even if
// fork() fails; see bug 227246 and bug 1299581.
return Error(ECHILD);
- case __NR_eventfd2:
+ // inotify_{add,rm}_watch take filesystem paths. Pretend the
+ // kernel doesn't support inotify; note that this could make
+ // libgio attempt network connections for FAM.
case __NR_inotify_init:
case __NR_inotify_init1:
- case __NR_inotify_add_watch:
- case __NR_inotify_rm_watch:
+ return Error(ENOSYS);
+
+ case __NR_eventfd2:
return Allow();
#ifdef __NR_memfd_create
case __NR_memfd_create:
return Allow();
#endif
#ifdef __NR_rt_tgsigqueueinfo
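Review bot: The new comment above the `__NR_inotify_init` cases says `inotify_{add,rm}_watch take filesystem paths`, but only `inotify_add_watch` takes a pathname; `inotify_rm_watch` takes the inotify fd and a watch descriptor, so the stated justification does not hold for the second syscall. Since `inotify_init`/`inotify_init1` now fail with ENOSYS, no code in the process can obtain an inotify fd, and the removed `add_watch`/`rm_watch` cases fall through to the policy's default handling, which is presumably the generic deny rather than a soft error; saying so explicitly would stop a later reader from re-adding them as `Allow()`. Suggested replacement for the three comment lines: `// inotify_add_watch takes filesystem paths we can't broker, so pretend the` / `// kernel has no inotify (bug 1408497); with init failing, add/rm_watch are` / `// left to the default policy. libgio may fall back to network FAM.`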