diff options
Diffstat (limited to 'security/sandbox/linux/SandboxFilter.cpp')
| -rw-r--r-- | security/sandbox/linux/SandboxFilter.cpp | 129 |
1 files changed, 0 insertions, 129 deletions
diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp index da7e54300..afaf53cec 100644 --- a/security/sandbox/linux/SandboxFilter.cpp +++ b/security/sandbox/linux/SandboxFilter.cpp @@ -340,133 +340,4 @@ public: // The process-type-specific syscall rules start here: -#ifdef MOZ_GMP_SANDBOX -// Unlike for content, the GeckoMediaPlugin seccomp-bpf policy needs -// to be an effective sandbox by itself, because we allow GMP on Linux -// systems where that's the only sandboxing mechanism we can use. -// -// Be especially careful about what this policy allows. -class GMPSandboxPolicy : public SandboxPolicyCommon { - static intptr_t OpenTrap(const sandbox::arch_seccomp_data& aArgs, - void* aux) - { - auto plugin = static_cast<SandboxOpenedFile*>(aux); - const char* path; - int flags; - - switch (aArgs.nr) { -#ifdef __NR_open - case __NR_open: - path = reinterpret_cast<const char*>(aArgs.args[0]); - flags = static_cast<int>(aArgs.args[1]); - break; -#endif - case __NR_openat: - // The path has to be absolute to match the pre-opened file (see - // assertion in ctor) so the dirfd argument is ignored. - path = reinterpret_cast<const char*>(aArgs.args[1]); - flags = static_cast<int>(aArgs.args[2]); - break; - default: - MOZ_CRASH("unexpected syscall number"); - } - - if (strcmp(path, plugin->mPath) != 0) { - SANDBOX_LOG_ERROR("attempt to open file %s (flags=0%o) which is not the" - " media plugin %s", path, flags, plugin->mPath); - return -EPERM; - } - if ((flags & O_ACCMODE) != O_RDONLY) { - SANDBOX_LOG_ERROR("non-read-only open of file %s attempted (flags=0%o)", - path, flags); - return -EPERM; - } - int fd = plugin->mFd.exchange(-1); - if (fd < 0) { - SANDBOX_LOG_ERROR("multiple opens of media plugin file unimplemented"); - return -ENOSYS; - } - return fd; - } - - static intptr_t SchedTrap(const sandbox::arch_seccomp_data& aArgs, - void* aux) - { - const pid_t tid = syscall(__NR_gettid); - if (aArgs.args[0] == static_cast<uint64_t>(tid)) { - return syscall(aArgs.nr, - 0, - aArgs.args[1], - aArgs.args[2], - aArgs.args[3], - aArgs.args[4], - aArgs.args[5]); - } - SANDBOX_LOG_ERROR("unsupported tid in SchedTrap"); - return BlockedSyscallTrap(aArgs, nullptr); - } - - SandboxOpenedFile* mPlugin; -public: - explicit GMPSandboxPolicy(SandboxOpenedFile* aPlugin) - : mPlugin(aPlugin) - { - MOZ_ASSERT(aPlugin->mPath[0] == '/', "plugin path should be absolute"); - } - - virtual ~GMPSandboxPolicy() { } - - virtual ResultExpr EvaluateSyscall(int sysno) const override { - switch (sysno) { - // Simulate opening the plugin file. -#ifdef __NR_open - case __NR_open: -#endif - case __NR_openat: - return Trap(OpenTrap, mPlugin); - - // ipc::Shmem - case __NR_mprotect: - return Allow(); - case __NR_madvise: { - Arg<int> advice(2); - return If(advice == MADV_DONTNEED, Allow()) - .ElseIf(advice == MADV_FREE, Allow()) -#ifdef MOZ_ASAN - .ElseIf(advice == MADV_NOHUGEPAGE, Allow()) - .ElseIf(advice == MADV_DONTDUMP, Allow()) -#endif - .Else(InvalidSyscall()); - } - case __NR_brk: - CASES_FOR_geteuid: - return Allow(); - case __NR_sched_getparam: - case __NR_sched_getscheduler: - case __NR_sched_get_priority_min: - case __NR_sched_get_priority_max: - case __NR_sched_setscheduler: { - Arg<pid_t> pid(0); - return If(pid == 0, Allow()) - .Else(Trap(SchedTrap, nullptr)); - } - - // For clock(3) on older glibcs; bug 1304220. - case __NR_times: - return Allow(); - - default: - return SandboxPolicyCommon::EvaluateSyscall(sysno); - } - } -}; - -UniquePtr<sandbox::bpf_dsl::Policy> -GetMediaSandboxPolicy(SandboxOpenedFile* aPlugin) -{ - return UniquePtr<sandbox::bpf_dsl::Policy>(new GMPSandboxPolicy(aPlugin)); -} - -#endif // MOZ_GMP_SANDBOX - } |