--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -685,21 +685,25 @@ public:
     default:
       return SandboxPolicyCommon::EvaluateSocketCall(aCall, aHasArgs);
     }
   }
 
 #ifdef DESKTOP
   Maybe<ResultExpr> EvaluateIpcCall(int aCall) const override {
     switch(aCall) {
-      // These are a problem: SysV shared memory follows the Unix
-      // "same uid policy" and can't be restricted/brokered like file
-      // access.  But the graphics layer might not be using them
-      // anymore; this needs to be studied.
+      // These are a problem: SysV IPC follows the Unix "same uid
+      // policy" and can't be restricted/brokered like file access.
+      // We're not using it directly, but there are some library
+      // dependencies that do; see ContentNeedsSysVIPC() in
+      // SandboxLaunch.cpp.  Also, Cairo as used by GTK will sometimes
+      // try to use MIT-SHM, so shmget() is a non-fatal error.  See
+      // also bug 1376910 and bug 1438401.
     case SHMGET:
+      return Some(mAllowSysV ? Allow() : Error(EPERM));
     case SHMCTL:
     case SHMAT:
     case SHMDT:
     case SEMGET:
     case SEMCTL:
     case SEMOP:
       if (mAllowSysV) {
         return Some(Allow());

--- a/security/sandbox/linux/SandboxHooks.cpp
+++ b/security/sandbox/linux/SandboxHooks.cpp
@@ -119,22 +119,8 @@ inotify_init(void)
 }
 
 extern "C" MOZ_EXPORT int
 inotify_init1(int flags)
 {
   errno = ENOSYS;
   return -1;
 }
-
-#ifdef MOZ_X11
-// We're already preventing the use of X11 MIT-SHM like this in
-// widget/gtk/mozgtk/mozgtk.c because of bug 1271100, but that's not
-// quite enough: sometimes libXext can be preloaded, so we have to
-// defeat that with our own preload library.  (With just the mozgtk
-// interposition, we saw crashes when we blocked the SysV IPC
-// syscalls; see bug 1376910 comment #14.)
-extern "C" MOZ_EXPORT Bool
-XShmQueryExtension(Display* aDisplay)
-{
-  return False;
-}
-#endif