diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -699,10 +699,18 @@
Maybe<ResultExpr> EvaluateSocketCall(int aCall,
bool aHasArgs) const override {
switch (aCall) {
case SYS_RECVMSG:
case SYS_SENDMSG:
+ // These next four aren't needed for IPC or other core
+ // functionality at the time of this writing, but they're
+ // subsets of recvmsg/sendmsg so there's nothing gained by not
+ // allowing them here (and simplifying subclasses).
+ case SYS_RECVFROM:
+ case SYS_SENDTO:
+ case SYS_RECV:
+ case SYS_SEND:
return Some(Allow());
case SYS_SOCKETPAIR: {
// We try to allow "safe" (always connected) socketpairs when using the
// file broker, or for content processes, but we may need to fall back
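Review bot: The justification at L101-104 ("subsets of recvmsg/sendmsg so there's nothing gained by not allowing them") holds only while SYS_RECVMSG/SYS_SENDMSG stay unconditionally allowed in this common policy, which the visible `return Some(Allow())` at L109 with no use of `aHasArgs` confirms today; if argument filtering is ever added to recvmsg/sendmsg (e.g. on flags or msg_name), these four arms would silently bypass it, so the comment should state that coupling. I would extend the comment with `// NOTE: this reasoning assumes recvmsg/sendmsg remain unfiltered above; if they gain argument filters, apply the same filters here.` Since this is the base policy, every subclass that does not override these cases now gets them, which is the stated intent but worth a sentence in the commit description. The enclosing switch and EvaluateSocketCall continue past the end of this hunk.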
@@ -1253,12 +1261,10 @@
~ContentSandboxPolicy() override = default;
Maybe<ResultExpr> EvaluateSocketCall(int aCall,
bool aHasArgs) const override {
switch (aCall) {
- case SYS_RECVFROM:
- case SYS_SENDTO:
case SYS_SENDMMSG: // libresolv via libasyncns; see bug 1355274
return Some(Allow());
#ifdef ANDROID
case SYS_SOCKET:
@@ -1268,18 +1274,21 @@
case SYS_CONNECT:
if (BelowLevel(4)) {
return Some(Allow());
}
return SandboxPolicyCommon::EvaluateSocketCall(aCall, aHasArgs);
- case SYS_RECV:
- case SYS_SEND:
+
+ // FIXME (bug 1761134): sockopts should be filtered
case SYS_GETSOCKOPT:
case SYS_SETSOCKOPT:
+ // These next 3 were needed for X11; they may not be needed
+ // with X11 lockdown, but there's not much attack surface here.
case SYS_GETSOCKNAME:
case SYS_GETPEERNAME:
case SYS_SHUTDOWN:
return Some(Allow());
+
case SYS_ACCEPT:
case SYS_ACCEPT4:
if (mUsingRenderDoc) {
return Some(Allow());
}
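Review bot: Removing the SYS_RECV/SYS_SEND arms at L130-131 (and SYS_RECVFROM/SYS_SENDTO in the previous hunk at L118-119) makes those calls depend on this switch's `default` arm delegating to `SandboxPolicyCommon::EvaluateSocketCall`, but that arm is outside the hunk, so I cannot confirm it from here; the visible `SYS_CONNECT` arm at L129 delegates explicitly rather than via default, which is why it is worth a check that the fallthrough path exists, otherwise content processes would lose recv/send rather than inherit them. The comment at L136-137 says the three X11 cases "may not be needed with X11 lockdown"; if a follow-up is intended, naming the condition under which they could be dropped (or the tracking bug, if one exists) would make the hedge actionable, e.g. `// Candidates for removal once X11 lockdown is unconditional; re-evaluate then.` The new FIXME at L133 is fine as a marker, but note that whether `level`/`optname` can be inspected at all presumably depends on `aHasArgs` (socketcall-multiplexed platforms expose no arguments to the filter), so the eventual fix will likely need both branches. This EvaluateSocketCall body continues past the end of the hunk.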
@@ -1908,26 +1917,19 @@
}
Maybe<ResultExpr> EvaluateSocketCall(int aCall,
bool aHasArgs) const override {
switch (aCall) {
+ case SYS_SOCKET:
+ case SYS_CONNECT:
case SYS_BIND:
return Some(Allow());
- case SYS_SOCKET:
- return Some(Allow());
-
- case SYS_CONNECT:
- return Some(Allow());
-
- case SYS_RECVFROM:
- case SYS_SENDTO:
+ // FIXME(bug 1641401) do we really need this?
case SYS_SENDMMSG:
return Some(Allow());
- case SYS_RECV:
- case SYS_SEND:
case SYS_GETSOCKOPT:
case SYS_SETSOCKOPT:
case SYS_GETSOCKNAME:
case SYS_GETPEERNAME:
case SYS_SHUTDOWN: