author | Martin Stransky <stransky@redhat.com> | 2022-06-09 11:14:27 +0200 |
---|---|---|
committer | Martin Stransky <stransky@redhat.com> | 2022-06-09 11:14:27 +0200 |
commit | fc1bf47cd86638b08e03b90b60b0bc80dd1d6c28 (patch) | |
tree | a546c6ae63cb2698f65388be7b3e60b6e913533c /D146273.diff | |
parent | Enabled VA-API by default (+ added VA-API fixes from upstream), Fixed WebGL p... (diff) | |
download | librewolf-fedora-ff-fc1bf47cd86638b08e03b90b60b0bc80dd1d6c28.tar.gz librewolf-fedora-ff-fc1bf47cd86638b08e03b90b60b0bc80dd1d6c28.tar.bz2 librewolf-fedora-ff-fc1bf47cd86638b08e03b90b60b0bc80dd1d6c28.zip |
Updated to 101.0.1, More VA-API sandbox fixes (mzbz#1769182)
Diffstat (limited to 'D146273.diff')
-rw-r--r-- | D146273.diff | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/D146273.diff b/D146273.diff
new file mode 100644
index 0000000..0d838e2
--- /dev/null
+++ b/D146273.diff
@@ -0,0 +1,90 @@
+diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
+--- a/security/sandbox/linux/SandboxFilter.cpp
++++ b/security/sandbox/linux/SandboxFilter.cpp
+@@ -699,10 +699,18 @@
+ Maybe<ResultExpr> EvaluateSocketCall(int aCall,
+ bool aHasArgs) const override {
+ switch (aCall) {
+ case SYS_RECVMSG:
+ case SYS_SENDMSG:
++ // These next four aren't needed for IPC or other core
++ // functionality at the time of this writing, but they're
++ // subsets of recvmsg/sendmsg so there's nothing gained by not
++ // allowing them here (and simplifying subclasses).
++ case SYS_RECVFROM:
++ case SYS_SENDTO:
++ case SYS_RECV:
++ case SYS_SEND:
+ return Some(Allow());
+
+ case SYS_SOCKETPAIR: {
+ // We try to allow "safe" (always connected) socketpairs when using the
+ // file broker, or for content processes, but we may need to fall back
+@@ -1253,12 +1261,10 @@
+ ~ContentSandboxPolicy() override = default;
+
+ Maybe<ResultExpr> EvaluateSocketCall(int aCall,
+ bool aHasArgs) const override {
+ switch (aCall) {
+- case SYS_RECVFROM:
+- case SYS_SENDTO:
+ case SYS_SENDMMSG: // libresolv via libasyncns; see bug 1355274
+ return Some(Allow());
+
+ #ifdef ANDROID
+ case SYS_SOCKET:
+@@ -1268,18 +1274,21 @@
+ case SYS_CONNECT:
+ if (BelowLevel(4)) {
+ return Some(Allow());
+ }
+ return SandboxPolicyCommon::EvaluateSocketCall(aCall, aHasArgs);
+- case SYS_RECV:
+- case SYS_SEND:
++
++ // FIXME (bug 1761134): sockopts should be filtered
+ case SYS_GETSOCKOPT:
+ case SYS_SETSOCKOPT:
++ // These next 3 were needed for X11; they may not be needed
++ // with X11 lockdown, but there's not much attack surface here.
+ case SYS_GETSOCKNAME:
+ case SYS_GETPEERNAME:
+ case SYS_SHUTDOWN:
+ return Some(Allow());
++
+ case SYS_ACCEPT:
+ case SYS_ACCEPT4:
+ if (mUsingRenderDoc) {
+ return Some(Allow());
+ }
+@@ -1908,26 +1917,19 @@
+ }
+
+ Maybe<ResultExpr> EvaluateSocketCall(int aCall,
+ bool aHasArgs) const override {
+ switch (aCall) {
++ case SYS_SOCKET:
++ case SYS_CONNECT:
+ case SYS_BIND:
+ return Some(Allow());
+
+- case SYS_SOCKET:
+- return Some(Allow());
+-
+- case SYS_CONNECT:
+- return Some(Allow());
+-
+- case SYS_RECVFROM:
+- case SYS_SENDTO:
++ // FIXME(bug 1641401) do we really need this?
+ case SYS_SENDMMSG:
+ return Some(Allow());
+
+- case SYS_RECV:
+- case SYS_SEND:
+ case SYS_GETSOCKOPT:
+ case SYS_SETSOCKOPT:
+ case SYS_GETSOCKNAME:
+ case SYS_GETPEERNAME:
+ case SYS_SHUTDOWN:
+ |
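Review bot: The four calls added to the first switch (`SYS_RECVFROM`, `SYS_SENDTO`, `SYS_RECV`, `SYS_SEND`) become allowed for every policy built on that base (presumably `SandboxPolicyCommon`, which the content policy delegates to), while the two later switches drop them without leaving any trace. Someone auditing a subclass allowlist on its own could read those calls as denied, so a one-line pointer at each removal site would help, e.g. `// recv/send/recvfrom/sendto are allowed by the common policy`. The removals preserve behaviour only if each subclass's fall-through path reaches `SandboxPolicyCommon::EvaluateSocketCall`. That delegation is visible for `SYS_CONNECT` in `ContentSandboxPolicy`, but the default branches lie outside the hunks shown and should be confirmed. `SYS_GETSOCKOPT`/`SYS_SETSOCKOPT` stay unfiltered in the content policy, as the new FIXME records.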