diff --git a/ipc/glue/GeckoChildProcessHost.cpp b/ipc/glue/GeckoChildProcessHost.cpp
--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@@ -418,10 +418,17 @@
 nsresult rv = NS_GetSpecialDirectory(NS_APP_CONTENT_PROCESS_TEMP_DIR,
 getter_AddRefs(contentTempDir));
 if (NS_SUCCEEDED(rv)) {
 contentTempDir->GetNativePath(mTmpDirName);
 }
+ } else if (aProcessType == GeckoProcessType_RDD) {
+ // The RDD process makes limited use of EGL. If Mesa's shader
+ // cache is enabled and the directory isn't explicitly set, then
+ // it will try to getpwuid() the user which can cause problems
+ // with sandboxing. Because we shouldn't need shader caching in
+ // this process, we just disable the cache to prevent that.
+ mLaunchOptions->env_map["MESA_GLSL_CACHE_DISABLE"] = "true";
 }
 #endif
 #if defined(MOZ_ENABLE_FORKSERVER)
 if (aProcessType == GeckoProcessType_Content && ForkServiceChild::Get()) {
 mLaunchOptions->use_forkserver = true;
diff --git a/security/sandbox/common/test/SandboxTestingChildTests.h b/security/sandbox/common/test/SandboxTestingChildTests.h
--- a/security/sandbox/common/test/SandboxTestingChildTests.h
+++ b/security/sandbox/common/test/SandboxTestingChildTests.h
@@ -21,14 +21,16 @@
 # include
 # include
 # include
 # include
 # include
+# include
 # include
 # include
 # include
 # include "mozilla/ProcInfo_linux.h"
+# include "mozilla/UniquePtrExtensions.h"
 # ifdef MOZ_X11
 # include "X11/Xlib.h"
 # include "X11UndefineNone.h"
 # endif // MOZ_X11
 # endif // XP_LINUX
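Review bot: The `MESA_GLSL_CACHE_DISABLE` assignment in the new `else if` branch is a mitigation that only works if Mesa honors the variable; nothing in the sandbox enforces it, and the companion SandboxFilter change in this commit stops denying `socket()` in the RDD process, so this line is now what keeps Mesa off the getpwuid()/nscd path the comment describes. The comment should say so explicitly so nobody later "cleans up" the env var, e.g. `// NOTE: the RDD seccomp policy no longer denies socket(); disabling the cache is what keeps Mesa away from getpwuid()/nscd.` If I recall correctly, recent Mesa releases document this knob as `MESA_SHADER_CACHE_DISABLE` and keep the `MESA_GLSL_CACHE_*` names only as deprecated aliases — worth confirming against the Mesa versions users actually run, and cheap to cover by setting both keys in `env_map`. The enclosing function starts and ends outside the hunk.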
@@ -595,12 +597,25 @@ return rv; }); RunTestsSched(child); - child->ErrnoTest("socket"_ns, false, - [] { return socket(AF_UNIX, SOCK_STREAM, 0); }); + child->ErrnoTest("socket_inet"_ns, false, + [] { return socket(AF_INET, SOCK_STREAM, 0); }); + + { + UniqueFileHandle fd(socket(AF_UNIX, SOCK_STREAM, 0)); + child->ErrnoTest("socket_unix"_ns, true, [&] { return fd.get(); }); + + struct sockaddr_un sun {}; + sun.sun_family = AF_UNIX; + strncpy(sun.sun_path, "/tmp/forbidden-sock", sizeof(sun.sun_path)); + + child->ErrnoValueTest("socket_unix_bind"_ns, ENOSYS, [&] { + return bind(fd.get(), (struct sockaddr*)&sun, sizeof(sun)); + }); + } child->ErrnoTest("uname"_ns, true, [] { struct utsname uts; return uname(&uts); }); diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp --- a/security/sandbox/linux/SandboxFilter.cpp +++ b/security/sandbox/linux/SandboxFilter.cpp @@ -1783,10 +1783,11 @@ class RDDSandboxPolicy final : public SandboxPolicyCommon { public: explicit RDDSandboxPolicy(SandboxBrokerClient* aBroker) { mBroker = aBroker; mMayCreateShmem = true; + mBrokeredConnect = true; } #ifndef ANDROID Maybe EvaluateIpcCall(int aCall, int aArgShift) const override { // The Intel media driver uses SysV IPC (semaphores and shared @@ -1818,15 +1819,15 @@ #endif Maybe EvaluateSocketCall(int aCall, bool aHasArgs) const override { switch (aCall) { - // Mesa can call getpwuid_r to get the home dir, which can try - // to connect to nscd (or maybe servers like NIS or LDAP); this - // can't be safely allowed, but we can quietly deny it. - case SYS_SOCKET: - return Some(Error(EACCES)); + // These are for X11. + case SYS_GETSOCKNAME: + case SYS_GETPEERNAME: + case SYS_SHUTDOWN: + return Some(Allow()); default: return SandboxPolicyCommon::EvaluateSocketCall(aCall, aHasArgs); } } diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp 
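Review bot: The new `socket_unix` block proves `bind()` is refused but never exercises `connect()`, which for the RDD policy this commit now routes through the broker (`mBrokeredConnect`); a broker regression that accepted arbitrary socket paths would still pass this test. Add, next to the bind check, `child->ErrnoTest("socket_unix_connect"_ns, false, [&] { return connect(fd.get(), (struct sockaddr*)&sun, sizeof(sun)); });` — the exact errno the broker returns for a denied path is not visible here, so assert failure rather than a specific value. Minor style point: `(struct sockaddr*)&sun` is a C-style cast in a C++ file; `reinterpret_cast<struct sockaddr*>(&sun)` is the idiomatic form. The enclosing test function starts and ends outside the hunk.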
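Review bot: `mBrokeredConnect = true;` widens what the RDD process can reach: `connect()` is no longer refused by seccomp but decided by the broker's path policy, which this diff does not show, so it is worth confirming that the RDD broker policy admits only the socket paths EGL/X11 actually needs (presumably the X11 display socket) rather than reusing the broader content-process allowlist. A one-line why-comment would help the next reader, e.g. `// EGL may open an X11 display; connect() is checked against the broker's path allowlist.` The constructor is complete within the hunk; the class continues outside it.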
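Review bot: Dropping the `case SYS_SOCKET: return Some(Error(EACCES));` branch also drops the only note in this file about why socket creation was blocked (Mesa's getpwuid_r reaching nscd/NIS/LDAP); that risk has not gone away, it is now handled by disabling the shader cache at launch and by brokered connect, and the next person to touch this switch will not see that from here. Keep a short pointer above the new cases, e.g. `// socket() is allowed again (connect() is brokered); Mesa's getpwuid_r/nscd lookups are avoided by MESA_GLSL_CACHE_DISABLE set in GeckoChildProcessHost.cpp.` Allowing `SYS_GETSOCKNAME`/`SYS_GETPEERNAME`/`SYS_SHUTDOWN` unconditionally looks fine, since they only act on descriptors the process already holds. The enclosing class continues outside the hunk.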
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp +++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp @@ -853,13 +853,12 @@ if (developer_repo_dir) { policy->AddDir(rdonly, developer_repo_dir); } } - // VA-API needs DRI and GPU detection - policy->AddDir(rdwr, "/dev/dri"); - AddDriPaths(policy.get()); + // VA-API needs GPU access and GL context creation + AddGLDependencies(policy.get()); // FFmpeg and GPU drivers may need general-case library loading AddLdconfigPaths(policy.get()); AddLdLibraryEnvPaths(policy.get());