Bug 1439057 - Tighten /dev/shm access in Linux content sandbox policy. r?gcp
This patch uses the shared memory name prefixes introduced in
bug 1447867
to prevent access to /dev/shm files of other applications or other
processes within the same browser instance.
When a shared memory implementation that doesn't use shm_open is available
(specifically, the memfd_create support to be added in
bug 1440203),
/dev/shm access is completely denied.
MozReview-Commit-ID: L2ylG5KrXTU
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -3,16 +3,17 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "SandboxBrokerPolicyFactory.h"
#include "SandboxInfo.h"
#include "SandboxLogging.h"
+#include "base/shared_memory.h"
#include "mozilla/Array.h"
#include "mozilla/ClearOnShutdown.h"
#include "mozilla/Preferences.h"
#include "mozilla/SandboxSettings.h"
#include "mozilla/UniquePtr.h"
#include "mozilla/UniquePtrExtensions.h"
#include "mozilla/SandboxLaunch.h"
#include "mozilla/dom/ContentChild.h"
@@ -182,17 +183,16 @@ AddLdconfigPaths(SandboxBroker::Policy*
}
SandboxBrokerPolicyFactory::SandboxBrokerPolicyFactory()
{
// Policy entries that are the same in every process go here, and
// are cached over the lifetime of the factory.
#if defined(MOZ_CONTENT_SANDBOX)
SandboxBroker::Policy* policy = new SandboxBroker::Policy;
- policy->AddDir(rdwrcr, "/dev/shm");
// Write permssions
//
// Bug 1308851: NVIDIA proprietary driver when using WebGL
policy->AddFilePrefix(rdwr, "/dev", "nvidia");
// Bug 1312678: radeonsi/Intel with DRI when using WebGL
policy->AddDir(rdwr, "/dev/dri");
@@ -501,16 +501,25 @@ SandboxBrokerPolicyFactory::GetContentPo
#endif
}
if (allowAlsa) {
// Bug 1309098: ALSA support
policy->AddDir(rdwr, "/dev/snd");
}
+ if (allowPulse) {
+ policy->AddDir(rdwrcr, "/dev/shm");
+ } else {
+ std::string shmPath("/dev/shm");
+ if (base::SharedMemory::AppendPosixShmPrefix(&shmPath, aPid)) {
+ policy->AddPrefix(rdwrcr, shmPath.c_str());
+ }
+ }
+
#ifdef MOZ_WIDGET_GTK
if (const auto userDir = g_get_user_runtime_dir()) {
// Bug 1321134: DConf's single bit of shared memory
// The leaf filename is "user" by default, but is configurable.
nsPrintfCString shmPath("%s/dconf/", userDir);
policy->AddPrefix(rdwrcr, shmPath.get());
policy->AddAncestors(shmPath.get());
if (allowPulse) {
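Review bot: The `if (allowPulse)` branch at the head of the added block keeps the unrestricted `rdwrcr` grant on all of `/dev/shm` that the constructor hunk removed, so the per-process prefix restriction described in the commit message only takes effect when PulseAudio is disallowed, and nothing in the hunk records why PulseAudio needs the whole directory rather than a narrower prefix. A comment above the branch would keep the next reader from "tightening" it blindly, e.g. `// PulseAudio is presumably given the whole directory because its client opens server-created segments by name; every other configuration gets only this process's own prefix, or nothing at all when AppendPosixShmPrefix reports that shm_open is not in use.` If PulseAudio's segment names do follow a fixed pattern, an `AddPrefix` on that pattern would be the tighter grant and is worth noting as a follow-up in that comment. The silent no-grant path when `AppendPosixShmPrefix` returns false is intentional per the commit message, but it is the kind of outcome that deserves the one-line comment rather than being inferred from the missing `else`. GetContentPolicy starts and ends outside the hunk.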