diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -699,10 +699,18 @@
   Maybe<ResultExpr> EvaluateSocketCall(int aCall,
                                        bool aHasArgs) const override {
     switch (aCall) {
       case SYS_RECVMSG:
       case SYS_SENDMSG:
+        // These next four aren't needed for IPC or other core
+        // functionality at the time of this writing, but they're
+        // subsets of recvmsg/sendmsg so there's nothing gained by not
+        // allowing them here (and simplifying subclasses).
+      case SYS_RECVFROM:
+      case SYS_SENDTO:
+      case SYS_RECV:
+      case SYS_SEND:
         return Some(Allow());
 
       case SYS_SOCKETPAIR: {
         // We try to allow "safe" (always connected) socketpairs when using the
         // file broker, or for content processes, but we may need to fall back
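Review bot: The four new cases are allowed unconditionally in SandboxPolicyCommon, so every policy that derives from it and defers to SandboxPolicyCommon::EvaluateSocketCall inherits the allow, not only the content policy that the later hunks clean up; the comment should state that, because a future subclass wanting to restrict datagram I/O would have to override these cases explicitly rather than rely on the base denying them. Suggest appending `// Note: this is the common policy, so every derived policy that defers to it allows these calls as well.` to the new comment. The `return Some(Allow())` ignores aHasArgs for these cases, which is consistent with the recvmsg/sendmsg cases directly above. The switch in EvaluateSocketCall continues past the end of this hunk.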
@@ -1253,12 +1261,10 @@
   ~ContentSandboxPolicy() override = default;
 
   Maybe<ResultExpr> EvaluateSocketCall(int aCall,
                                        bool aHasArgs) const override {
     switch (aCall) {
-      case SYS_RECVFROM:
-      case SYS_SENDTO:
       case SYS_SENDMMSG:  // libresolv via libasyncns; see bug 1355274
         return Some(Allow());
 
 #ifdef ANDROID
       case SYS_SOCKET:
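Review bot: Removing SYS_RECVFROM and SYS_SENDTO here only preserves the content policy's behaviour if the switch's default branch defers to SandboxPolicyCommon::EvaluateSocketCall, and that branch is outside the hunk; the delegation is visible for SYS_CONNECT in the next hunk but not for the default case, so please confirm it. The same dependency applies to the SYS_RECV/SYS_SEND removal in the @@ -1268 hunk and to the four removals in the @@ -1908 hunk. A one-line comment next to the default branch, e.g. `// recvfrom/sendto/recv/send are allowed by SandboxPolicyCommon`, would keep the intent visible to whoever edits this switch next. The enclosing EvaluateSocketCall continues beyond this hunk.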
@@ -1268,18 +1274,21 @@
       case SYS_CONNECT:
         if (BelowLevel(4)) {
           return Some(Allow());
         }
         return SandboxPolicyCommon::EvaluateSocketCall(aCall, aHasArgs);
-      case SYS_RECV:
-      case SYS_SEND:
+
+        // FIXME (bug 1761134): sockopts should be filtered
       case SYS_GETSOCKOPT:
       case SYS_SETSOCKOPT:
+        // These next 3 were needed for X11; they may not be needed
+        // with X11 lockdown, but there's not much attack surface here.
       case SYS_GETSOCKNAME:
       case SYS_GETPEERNAME:
       case SYS_SHUTDOWN:
         return Some(Allow());
+
       case SYS_ACCEPT:
       case SYS_ACCEPT4:
         if (mUsingRenderDoc) {
           return Some(Allow());
         }
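Review bot: The new FIXME above `case SYS_GETSOCKOPT:` would be more actionable if it recorded what is allowed today: the `return Some(Allow())` a few lines below passes both sockopt calls through regardless of aHasArgs, so no level or option value is inspected. Suggest `// FIXME (bug 1761134): sockopts should be filtered; currently allowed with no argument checks.` The relocated X11 comment keeps its original wording and now sits between the SETSOCKOPT and GETSOCKNAME labels, which reads as intended. EvaluateSocketCall continues past the end of this hunk.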
@@ -1908,26 +1917,19 @@
   }
 
   Maybe<ResultExpr> EvaluateSocketCall(int aCall,
                                        bool aHasArgs) const override {
     switch (aCall) {
+      case SYS_SOCKET:
+      case SYS_CONNECT:
       case SYS_BIND:
         return Some(Allow());
 
-      case SYS_SOCKET:
-        return Some(Allow());
-
-      case SYS_CONNECT:
-        return Some(Allow());
-
-      case SYS_RECVFROM:
-      case SYS_SENDTO:
+        // FIXME(bug 1641401) do we really need this?
       case SYS_SENDMMSG:
         return Some(Allow());
 
-      case SYS_RECV:
-      case SYS_SEND:
       case SYS_GETSOCKOPT:
       case SYS_SETSOCKOPT:
       case SYS_GETSOCKNAME:
       case SYS_GETPEERNAME:
       case SYS_SHUTDOWN:
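Review bot: The new marker is written `FIXME(bug 1641401)` while the one added in the @@ -1268 hunk is written `FIXME (bug 1761134):`; pick one form so the markers grep consistently, e.g. `// FIXME (bug 1641401): do we really need this?`. The comment is placed after the blank line that follows `return Some(Allow());` and directly above `case SYS_SENDMMSG:`, so it reads as attached to that label, matching how the content policy annotates its own SENDMMSG case. The switch and the enclosing EvaluateSocketCall continue past the end of this hunk.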
