Bug 1438389 - Quietly disallow chown() in sandboxed content processes. r?gcp
Also covers fchownat() and attempts to be ready for newer archs like ARM64.
Bonus fix: extend the bug 1354731 (mknod) fix to cover mknodat so this part
of the policy isn't glaringly inconsistent about "at" syscalls.
Tested locally by attaching gdb and injecting syscalls.
MozReview-Commit-ID: CCOk0jZVoG4
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -809,21 +809,30 @@ public:
case __NR_fchmod:
return AllowBelowLevel(4);
#endif
CASES_FOR_fstatfs: // fontconfig, pulseaudio, GIO (see also statfs)
case __NR_flock: // graphics
return Allow();
// Bug 1354731: proprietary GL drivers try to mknod() their devices
- case __NR_mknod: {
- Arg<mode_t> mode(1);
+#ifdef __NR_mknod
+ case __NR_mknod:
+#endif
+ case __NR_mknodat: {
+ Arg<mode_t> mode(sysno == __NR_mknodat ? 2 : 1);
return If((mode & S_IFMT) == S_IFCHR, Error(EPERM))
.Else(InvalidSyscall());
}
+ // Bug 1438389: ...and nvidia GL will sometimes try to chown the devices
+#ifdef __NR_chown
+ case __NR_chown:
+#endif
+ case __NR_fchownat:
+ return Error(EPERM);
// For ORBit called by GConf (on some systems) to get proxy
// settings. Can remove when bug 1325242 happens in some form.
case __NR_utime:
return Error(EPERM);
#endif
CASES_FOR_select: