Bug 1409895 - Deny getcwd in the Linux content process sandbox. r?gcp
getcwd won't do anything useful once we start chroot()ing to remove
filesystem access; with this patch it will at least fail the same way
regardless of whether user namespaces are available or if other factors
prevent complete FS isolation.
Bonus fix: improve the comments for this group of syscalls.
MozReview-Commit-ID: KueZzly2mlO
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -727,23 +727,25 @@ public:
switch (sysno) {
#ifdef DESKTOP
case __NR_getppid:
return Trap(GetPPidTrap, nullptr);
CASES_FOR_statfs:
return Trap(StatFsTrap, nullptr);
- // Filesystem syscalls that need more work to determine who's
- // using them, if they need to be, and what we intend to about it.
+ // GTK's theme parsing tries to getcwd() while sandboxed, but
+ // only during Talos runs.
case __NR_getcwd:
- CASES_FOR_fstatfs:
- CASES_FOR_fchown:
- case __NR_fchmod:
- case __NR_flock:
+ return Error(ENOENT);
+
+ CASES_FOR_fstatfs: // fontconfig, pulseaudio, GIO (see also statfs)
+ CASES_FOR_fchown: // pulseaudio
+ case __NR_fchmod: // pulseaudio
+ case __NR_flock: // graphics
return Allow();
// Bug 1354731: proprietary GL drivers try to mknod() their devices
case __NR_mknod: {
Arg<mode_t> mode(1);
return If((mode & S_IFMT) == S_IFCHR, Error(EPERM))
.Else(InvalidSyscall());
}