From fc1bf47cd86638b08e03b90b60b0bc80dd1d6c28 Mon Sep 17 00:00:00 2001
From: Martin Stransky
Date: Thu, 9 Jun 2022 11:14:27 +0200
Subject: Updated to 101.0.1, More VA-API sandbox fixes (mzbz#1769182)
---
D146275.diff | 125 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 125 insertions(+)
create mode 100644 D146275.diff
(limited to 'D146275.diff')
diff --git a/D146275.diff b/D146275.diff
new file mode 100644
index 0000000..989b317
--- /dev/null
+++ b/D146275.diff
@@ -0,0 +1,125 @@
+diff --git a/ipc/glue/GeckoChildProcessHost.cpp b/ipc/glue/GeckoChildProcessHost.cpp
+--- a/ipc/glue/GeckoChildProcessHost.cpp
++++ b/ipc/glue/GeckoChildProcessHost.cpp
+@@ -418,10 +418,17 @@
+ nsresult rv = NS_GetSpecialDirectory(NS_APP_CONTENT_PROCESS_TEMP_DIR,
+ getter_AddRefs(contentTempDir));
+ if (NS_SUCCEEDED(rv)) {
+ contentTempDir->GetNativePath(mTmpDirName);
+ }
++ } else if (aProcessType == GeckoProcessType_RDD) {
++ // The RDD process makes limited use of EGL. If Mesa's shader
++ // cache is enabled and the directory isn't explicitly set, then
++ // it will try to getpwuid() the user which can cause problems
++ // with sandboxing. Because we shouldn't need shader caching in
++ // this process, we just disable the cache to prevent that.
++ mLaunchOptions->env_map["MESA_GLSL_CACHE_DISABLE"] = "true";
+ }
+ #endif
+ #if defined(MOZ_ENABLE_FORKSERVER)
+ if (aProcessType == GeckoProcessType_Content && ForkServiceChild::Get()) {
+ mLaunchOptions->use_forkserver = true;
+diff --git a/security/sandbox/common/test/SandboxTestingChildTests.h b/security/sandbox/common/test/SandboxTestingChildTests.h
+--- a/security/sandbox/common/test/SandboxTestingChildTests.h
++++ b/security/sandbox/common/test/SandboxTestingChildTests.h
+@@ -21,14 +21,16 @@
+ # include
+ # include
+ # include
+ # include
+ # include
++# include
+ # include
+ # include
+ # include
+ # include "mozilla/ProcInfo_linux.h"
++# include "mozilla/UniquePtrExtensions.h"
+ # ifdef MOZ_X11
+ # include "X11/Xlib.h"
+ # include "X11UndefineNone.h"
+ # endif // MOZ_X11
+ # endif // XP_LINUX
+@@ -595,12 +597,25 @@
+ return rv;
+ });
+ 
+ RunTestsSched(child);
+ 
+- child->ErrnoTest("socket"_ns, false,
+- [] { return socket(AF_UNIX, SOCK_STREAM, 0); });
++ child->ErrnoTest("socket_inet"_ns, false,
++ [] { return socket(AF_INET, SOCK_STREAM, 0); });
++
++ {
++ UniqueFileHandle fd(socket(AF_UNIX, SOCK_STREAM, 0));
++ child->ErrnoTest("socket_unix"_ns, true, [&] { return fd.get(); });
++
++ struct sockaddr_un sun {};
++ sun.sun_family = AF_UNIX;
++ strncpy(sun.sun_path, "/tmp/forbidden-sock", sizeof(sun.sun_path));
++
++ child->ErrnoValueTest("socket_unix_bind"_ns, ENOSYS, [&] {
++ return bind(fd.get(), (struct sockaddr*)&sun, sizeof(sun));
++ });
++ }
+ 
+ child->ErrnoTest("uname"_ns, true, [] {
+ struct utsname uts;
+ return uname(&uts);
+ });
+diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
+--- a/security/sandbox/linux/SandboxFilter.cpp
++++ b/security/sandbox/linux/SandboxFilter.cpp
+@@ -1783,10 +1783,11 @@
+ class RDDSandboxPolicy final : public SandboxPolicyCommon {
+ public:
+ explicit RDDSandboxPolicy(SandboxBrokerClient* aBroker) {
+ mBroker = aBroker;
+ mMayCreateShmem = true;
++ mBrokeredConnect = true;
+ }
+ 
+ #ifndef ANDROID
+ Maybe EvaluateIpcCall(int aCall, int aArgShift) const override {
+ // The Intel media driver uses SysV IPC (semaphores and shared
+@@ -1818,15 +1819,15 @@
+ #endif
+ 
+ Maybe EvaluateSocketCall(int aCall,
+ bool aHasArgs) const override {
+ switch (aCall) {
+- // Mesa can call getpwuid_r to get the home dir, which can try
+- // to connect to nscd (or maybe servers like NIS or LDAP); this
+- // can't be safely allowed, but we can quietly deny it.
+- case SYS_SOCKET:
+- return Some(Error(EACCES));
++ // These are for X11.
++ case SYS_GETSOCKNAME:
++ case SYS_GETPEERNAME:
++ case SYS_SHUTDOWN:
++ return Some(Allow());
+ 
+ default:
+ return SandboxPolicyCommon::EvaluateSocketCall(aCall, aHasArgs);
+ }
+ }
+diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
++++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+@@ -853,13 +853,12 @@
+ if (developer_repo_dir) {
+ policy->AddDir(rdonly, developer_repo_dir);
+ }
+ }
+ 
+- // VA-API needs DRI and GPU detection
+- policy->AddDir(rdwr, "/dev/dri");
+- AddDriPaths(policy.get());
++ // VA-API needs GPU access and GL context creation
++ AddGLDependencies(policy.get());
+ 
+ // FFmpeg and GPU drivers may need general-case library loading
+ AddLdconfigPaths(policy.get());
+ AddLdLibraryEnvPaths(policy.get());
+ 
+
-- cgit
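Review bot: The added RDD branch in GeckoChildProcessHost.cpp relies on `MESA_GLSL_CACHE_DISABLE` alone, but newer Mesa releases read `MESA_SHADER_CACHE_DISABLE` for the same knob (the old name is, to my knowledge, still honoured as a deprecated fallback), so the getpwuid() avoidance the comment describes can quietly regress on a driver update. Setting both is one extra line next to the existing one: `mLaunchOptions->env_map["MESA_SHADER_CACHE_DISABLE"] = "true";`. Because the SandboxFilter.cpp hunk in this same patch stops returning EACCES for `socket()` in the RDD policy, a regression here would surface as a connect attempt reaching the broker rather than a quiet denial, which is worth a sentence in the comment. The enclosing function and the `#if` closed by the visible `#endif` begin outside the hunk.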
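Review bot: The new block in SandboxTestingChildTests.h pins that an AF_UNIX socket can be created and that `bind()` on it fails with ENOSYS, but it never exercises `connect()` on the same forbidden path, which is the operation the RDD policy now routes through the broker (`mBrokeredConnect = true` in the SandboxFilter.cpp hunk of this patch). Assuming the broker policy does not allow `/tmp/forbidden-sock`, a matching `child->ErrnoTest("socket_unix_connect"_ns, false, [&] { return connect(fd.get(), (struct sockaddr*)&sun, sizeof(sun)); });` would catch a broker policy that is wider than intended. Two style points on the same lines: `(struct sockaddr*)&sun` is a C-style cast where `reinterpret_cast<struct sockaddr*>(&sun)` is the conventional spelling, and `strncpy(..., sizeof(sun.sun_path))` only leaves `sun_path` NUL-terminated because the literal is short, which deserves a one-line comment. The surrounding test function begins and ends outside this hunk.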
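Review bot: `mBrokeredConnect = true;` is added to the RDD policy constructor without a comment saying why `connect()` now needs to reach the broker, and the EvaluateSocketCall hunk that follows removes the only comment explaining why `socket()` used to be denied (Mesa's getpwuid_r lookup reaching nscd or NIS/LDAP) while replacing it with just `// These are for X11.`. Taken together the two hunks widen what the RDD process can do with sockets, and the reasoning — the nscd risk is now handled by disabling Mesa's shader cache in GeckoChildProcessHost.cpp, and the remaining AF_UNIX use is the display connection, which the broker gates — is recorded nowhere near the code. A comment on the constructor line such as `// VA-API/EGL needs the X11 display socket; route connect() through the broker rather than allowing it outright.` and a fuller X11 comment in EvaluateSocketCall stating that `SYS_SOCKET` now deliberately falls through to SandboxPolicyCommon would keep that rationale next to the code. Whether the common policy still restricts non-AF_UNIX address families is not visible here, though the new `socket_inet` test expects it to.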
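Review bot: Replacing the explicit `policy->AddDir(rdwr, "/dev/dri")` plus `AddDriPaths(policy.get())` with `AddGLDependencies(policy.get())` removes a visible grant and substitutes a helper defined outside this hunk, so a reader of the RDD broker policy can no longer see that it hands out read-write `/dev/dri` access and, presumably, the GL library and display-socket paths the GPU process gets. The comment should say what the helper is expected to cover, e.g. `// VA-API needs GPU access and GL context creation; AddGLDependencies grants /dev/dri (rdwr) plus the DRI/GL library paths, shared with the GPU process policy.` if that matches its definition. If AddGLDependencies grants more than the two calls it replaces, that widening of the RDD broker policy is worth stating as deliberate in the same comment.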