virtual ResultExpr ClonePolicy() const { // Allow use for simple thread creation (pthread_create) only. // WARNING: s390 and cris pass the flags in the second arg -- see // CLONE_BACKWARDS2 in arch/Kconfig in the kernel source -- but we // don't support seccomp-bpf on those archs yet. Arg<int> flags(0); // The glibc source hasn't changed the thread creation clone flags // since 2004, so this *should* be safe to hard-code. Bionic's // value has changed a few times, and has converged on the same one // as glibc; allow any of them. static const int flags_common = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD | CLONE_SYSVSEM; static const int flags_modern = flags_common | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID; // Can't use CASES here because its decltype magic infers const // int instead of regular int and bizarre voluminous errors issue // forth from the depths of the standard library implementation. return Switch(flags) #ifdef ANDROID .Case(flags_common | CLONE_DETACHED, Allow()) // <= JB 4.2 .Case(flags_common, Allow()) // JB 4.3 or KK 4.4 #endif .Case(flags_modern, Allow()) // Android L or glibc .Default(InvalidSyscall()); }
NS_IMETHODIMP FileSystemPermissionRequest::Run() { MOZ_ASSERT(NS_IsMainThread()); RefPtr<FileSystemBase> filesystem = mTask->GetFileSystem(); if (!filesystem) { Cancel(); return NS_OK; } if (filesystem->PermissionCheckType() == FileSystemBase::ePermissionCheckNotRequired) { Allow(JS::UndefinedHandleValue); return NS_OK; } if (filesystem->PermissionCheckType() == FileSystemBase::ePermissionCheckByTestingPref && mozilla::Preferences::GetBool("device.storage.prompt.testing", false)) { Allow(JS::UndefinedHandleValue); return NS_OK; } if (!mWindow) { Cancel(); return NS_OK; } nsContentPermissionUtils::AskPermission(this, mWindow); return NS_OK; }
SymbolNameSet DynamicLibrarySearchGenerator:: operator()(JITDylib &JD, const SymbolNameSet &Names) { orc::SymbolNameSet Added; orc::SymbolMap NewSymbols; bool HasGlobalPrefix = (GlobalPrefix != '\0'); for (auto &Name : Names) { if ((*Name).empty()) continue; if (Allow && !Allow(Name)) continue; if (HasGlobalPrefix && (*Name).front() != GlobalPrefix) continue; std::string Tmp((*Name).data() + (HasGlobalPrefix ? 1 : 0), (*Name).size()); if (void *Addr = Dylib.getAddressOfSymbol(Tmp.c_str())) { Added.insert(Name); NewSymbols[Name] = JITEvaluatedSymbol( static_cast<JITTargetAddress>(reinterpret_cast<uintptr_t>(Addr)), JITSymbolFlags::Exported); } } // Add any new symbols to JD. Since the generator is only called for symbols // that are not already defined, this will never trigger a duplicate // definition error, so we can wrap this call in a 'cantFail'. if (!NewSymbols.empty()) cantFail(JD.define(absoluteSymbols(std::move(NewSymbols)))); return Added; }
virtual Maybe<ResultExpr> EvaluateSocketCall(int aCall) const override { switch (aCall) { case SYS_RECVMSG: case SYS_SENDMSG: return Some(Allow()); default: return Nothing(); } }
bool UnitContainer::Allow( const Unit *unit ) const { if ( !Allow( unit->Type() ) ) return false; int i; for ( i = UnitCount() - 1; i >= 0; --i ) if ( GetUnit(i) == unit ) return true; if ( unit->IsTransport() ) { const Transport *t = static_cast<const Transport *>(unit); if ( Crystals() + t->Crystals() > MaxCrystals() ) return false; for ( i = t->UnitCount() - 1; i >= 0; --i ) if ( !Allow( t->GetUnit(i) ) ) return false; } return uc_slots >= uc_slots_full + unit->Weight(); }
//PCOMContentPermissionRequestChild bool MediaPermissionRequest::Recv__delete__(const bool& allow) { if (allow) { (void) Allow(); } else { (void) Cancel(); } return true; }
virtual ResultExpr PrctlPolicy() const { // Note: this will probably need PR_SET_VMA if/when it's used on // Android without being overridden by an allow-all policy, and // the constant will need to be defined locally. Arg<int> op(0); return Switch(op) .CASES((PR_GET_SECCOMP, // BroadcastSetThreadSandbox, etc. PR_SET_NAME, // Thread creation PR_SET_DUMPABLE), // Crash reporting Allow()) .Default(InvalidSyscall()); }
virtual ResultExpr EvaluateSyscall(int sysno) const override { switch (sysno) { // Simulate opening the plugin file. #ifdef __NR_open case __NR_open: #endif case __NR_openat: return Trap(OpenTrap, mPlugin); // ipc::Shmem case __NR_mprotect: return Allow(); case __NR_madvise: { Arg<int> advice(2); return If(advice == MADV_DONTNEED, Allow()) .Else(InvalidSyscall()); } default: return SandboxPolicyCommon::EvaluateSyscall(sysno); } }
virtual Maybe<ResultExpr> EvaluateIpcCall(int aCall) const override { switch(aCall) { // These are a problem: SysV shared memory follows the Unix // "same uid policy" and can't be restricted/brokered like file // access. But the graphics layer might not be using them // anymore; this needs to be studied. case SHMGET: case SHMCTL: case SHMAT: case SHMDT: return Some(Allow()); default: return SandboxPolicyCommon::EvaluateIpcCall(aCall); } }
virtual Maybe<ResultExpr> EvaluateSocketCall(int aCall) const override { switch(aCall) { case SYS_RECVFROM: case SYS_SENDTO: return Some(Allow()); case SYS_SOCKETPAIR: { // See bug 1066750. if (!kSocketCallHasArgs) { // We can't filter the args if the platform passes them by pointer. return Some(Allow()); } Arg<int> domain(0), type(1); return Some(If(domain == AF_UNIX && (type == SOCK_STREAM || type == SOCK_SEQPACKET), Allow()) .Else(InvalidSyscall())); } #ifdef ANDROID case SYS_SOCKET: return Some(Error(EACCES)); #else // #ifdef DESKTOP case SYS_RECV: case SYS_SEND: case SYS_SOCKET: // DANGEROUS case SYS_CONNECT: // DANGEROUS case SYS_SETSOCKOPT: case SYS_GETSOCKNAME: case SYS_GETPEERNAME: case SYS_SHUTDOWN: return Some(Allow()); #endif default: return SandboxPolicyCommon::EvaluateSocketCall(aCall); } }
void SandboxFilterImpl::AllowThreadClone() { // WARNING: s390 and cris pass the flags in a different arg -- see // CLONE_BACKWARDS2 in arch/Kconfig in the kernel source -- but we // don't support seccomp-bpf on those archs yet. // // The glibc source hasn't changed the thread creation clone flags // since 2004, so this *should* be safe to hard-code. Bionic's // value has changed a few times, and has converged on the same one // as glibc; allow any of them. static const int flags_common = CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD | CLONE_SYSVSEM; Allow(SYSCALL_WITH_ARG(clone, 0, #ifdef ANDROID flags_common | CLONE_DETACHED, // <= JB 4.2 flags_common, // JB 4.3 or KK 4.4 #endif flags_common | CLONE_SETTLS // Android L or glibc | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID)); }
void BattleOptionsTab::Allow( const wxString& name ) { if ( !m_battle ) return; int i = GetRestrictedUnitIndex( name ); Allow( i ); }
virtual ResultExpr EvaluateSyscall(int sysno) const override { switch (sysno) { // Timekeeping case __NR_clock_gettime: { Arg<clockid_t> clk_id(0); return If(clk_id == CLOCK_MONOTONIC, Allow()) .ElseIf(clk_id == CLOCK_REALTIME, Allow()) .Else(InvalidSyscall()); } case __NR_gettimeofday: #ifdef __NR_time case __NR_time: #endif case __NR_nanosleep: return Allow(); // Thread synchronization case __NR_futex: // FIXME: This could be more restrictive.... return Allow(); // Asynchronous I/O case __NR_epoll_wait: case __NR_epoll_pwait: case __NR_epoll_ctl: case __NR_ppoll: case __NR_poll: return Allow(); // Used when requesting a crash dump. case __NR_pipe: return Allow(); // Metadata of opened files CASES_FOR_fstat: return Allow(); // Simple I/O case __NR_write: case __NR_read: case __NR_writev: // see SandboxLogging.cpp return Allow(); // Memory mapping CASES_FOR_mmap: case __NR_munmap: return Allow(); // Signal handling #if defined(ANDROID) || defined(MOZ_ASAN) case __NR_sigaltstack: #endif CASES_FOR_sigreturn: CASES_FOR_sigprocmask: CASES_FOR_sigaction: return Allow(); // Send signals within the process (raise(), profiling, etc.) case __NR_tgkill: { Arg<pid_t> tgid(0); return If(tgid == getpid(), Allow()) .Else(InvalidSyscall()); } #if defined(ANDROID) && ANDROID_VERSION < 16 // Polyfill with tgkill; see above. case __NR_tkill: return Trap(TKillCompatTrap, nullptr); #endif // Yield case __NR_sched_yield: return Allow(); // Thread creation. case __NR_clone: return ClonePolicy(); // More thread creation. #ifdef __NR_set_robust_list case __NR_set_robust_list: return Allow(); #endif #ifdef ANDROID case __NR_set_tid_address: return Allow(); #endif // prctl case __NR_prctl: return PrctlPolicy(); // NSPR can call this when creating a thread, but it will accept a // polite "no". case __NR_getpriority: // But if thread creation races with sandbox startup, that call // could succeed, and then we get one of these: case __NR_setpriority: return Error(EACCES); // Stack bounds are obtained via pthread_getattr_np, which calls // this but doesn't actually need it: case __NR_sched_getaffinity: return Error(ENOSYS); // Read own pid/tid. case __NR_getpid: case __NR_gettid: return Allow(); // Discard capabilities case __NR_close: return Allow(); // Machine-dependent stuff #ifdef __arm__ case __ARM_NR_breakpoint: case __ARM_NR_cacheflush: case __ARM_NR_usr26: // FIXME: do we actually need this? case __ARM_NR_usr32: case __ARM_NR_set_tls: return Allow(); #endif // Needed when being debugged: case __NR_restart_syscall: return Allow(); // Terminate threads or the process case __NR_exit: case __NR_exit_group: return Allow(); #ifdef MOZ_ASAN // ASAN's error reporter wants to know if stderr is a tty. case __NR_ioctl: { Arg<int> fd(0); return If(fd == STDERR_FILENO, Allow()) .Else(InvalidSyscall()); } // ...and before compiler-rt r209773, it will call readlink on // /proc/self/exe and use the cached value only if that fails: case __NR_readlink: case __NR_readlinkat: return Error(ENOENT); // ...and if it found an external symbolizer, it will try to run it: // (See also bug 1081242 comment #7.) CASES_FOR_stat: return Error(ENOENT); #endif default: return SandboxPolicyBase::EvaluateSyscall(sysno); } }
void SandboxFilterImplContent::Build() { /* Most used system calls should be at the top of the whitelist * for performance reasons. The whitelist BPF filter exits after * processing any ALLOW_SYSCALL macro. * * How are those syscalls found? * 1) via strace -p <child pid> or/and * 2) the child will report which system call has been denied by seccomp-bpf, * just before exiting * System call number to name mapping is found in: * bionic/libc/kernel/arch-arm/asm/unistd.h * or your libc's unistd.h/kernel headers. * * Current list order has been optimized through manual guess-work. * It could be further optimized by analyzing the output of: * 'strace -c -p <child pid>' for most used web apps. */ Allow(SYSCALL(futex)); Allow(SOCKETCALL(recvmsg, RECVMSG)); Allow(SOCKETCALL(sendmsg, SENDMSG)); // mmap2 is a little different from most off_t users, because it's // passed in a register (so it's a problem for even a "new" 32-bit // arch) -- and the workaround, mmap2, passes a page offset instead. #if SYSCALL_EXISTS(mmap2) Allow(SYSCALL(mmap2)); #else Allow(SYSCALL(mmap)); #endif Allow(SYSCALL(clock_gettime)); Allow(SYSCALL(epoll_wait)); Allow(SYSCALL(gettimeofday)); Allow(SYSCALL(read)); Allow(SYSCALL(write)); // 32-bit lseek is used, at least on Android, to implement ANSI fseek. #if SYSCALL_EXISTS(_llseek) Allow(SYSCALL(_llseek)); #endif Allow(SYSCALL(lseek)); // Android also uses 32-bit ftruncate. Allow(SYSCALL(ftruncate)); #if SYSCALL_EXISTS(ftruncate64) Allow(SYSCALL(ftruncate64)); #endif /* ioctl() is for GL. Remove when GL proxy is implemented. * Additionally ioctl() might be a place where we want to have * argument filtering */ Allow(SYSCALL(ioctl)); Allow(SYSCALL(close)); Allow(SYSCALL(munmap)); Allow(SYSCALL(mprotect)); Allow(SYSCALL(writev)); Allow(SYSCALL(clone)); Allow(SYSCALL(brk)); #if SYSCALL_EXISTS(set_thread_area) Allow(SYSCALL(set_thread_area)); #endif Allow(SYSCALL(getpid)); Allow(SYSCALL(gettid)); Allow(SYSCALL(getrusage)); Allow(SYSCALL(times)); Allow(SYSCALL(madvise)); Allow(SYSCALL(dup)); Allow(SYSCALL(nanosleep)); Allow(SYSCALL(poll)); // select()'s arguments used to be passed by pointer as a struct. #if SYSCALL_EXISTS(_newselect) Allow(SYSCALL(_newselect)); #else Allow(SYSCALL(select)); #endif // Some archs used to have 16-bit uid/gid instead of 32-bit. #if SYSCALL_EXISTS(getuid32) Allow(SYSCALL(getuid32)); Allow(SYSCALL(geteuid32)); Allow(SYSCALL(getgid32)); Allow(SYSCALL(getegid32)); #else Allow(SYSCALL(getuid)); Allow(SYSCALL(geteuid)); Allow(SYSCALL(getgid)); Allow(SYSCALL(getegid)); #endif // Some newer archs (e.g., x64 and x32) have only rt_sigreturn, but // ARM has and uses both syscalls -- rt_sigreturn for SA_SIGINFO // handlers and classic sigreturn otherwise. #if SYSCALL_EXISTS(sigreturn) Allow(SYSCALL(sigreturn)); #endif Allow(SYSCALL(rt_sigreturn)); Allow(SYSCALL_LARGEFILE(fcntl, fcntl64)); /* Must remove all of the following in the future, when no longer used */ /* open() is for some legacy APIs such as font loading. */ /* See bug 906996 for removing unlink(). */ Allow(SYSCALL_LARGEFILE(fstat, fstat64)); Allow(SYSCALL_LARGEFILE(stat, stat64)); Allow(SYSCALL_LARGEFILE(lstat, lstat64)); Allow(SOCKETCALL(socketpair, SOCKETPAIR)); Deny(EACCES, SOCKETCALL(socket, SOCKET)); Allow(SYSCALL(open)); Allow(SYSCALL(readlink)); /* Workaround for bug 964455 */ Allow(SYSCALL(prctl)); Allow(SYSCALL(access)); Allow(SYSCALL(unlink)); Allow(SYSCALL(fsync)); Allow(SYSCALL(msync)); #if defined(ANDROID) && !defined(MOZ_MEMORY) // Android's libc's realloc uses mremap. Allow(SYSCALL(mremap)); #endif /* Should remove all of the following in the future, if possible */ Allow(SYSCALL(getpriority)); Allow(SYSCALL(sched_get_priority_min)); Allow(SYSCALL(sched_get_priority_max)); Allow(SYSCALL(setpriority)); // rt_sigprocmask is passed the sigset_t size. On older archs, // sigprocmask is a compatibility shim that assumes the pre-RT size. #if SYSCALL_EXISTS(sigprocmask) Allow(SYSCALL(sigprocmask)); #endif Allow(SYSCALL(rt_sigprocmask)); // Used by profiler. Also used for raise(), which causes problems // with Android KitKat abort(); see bug 1004832. Allow(SYSCALL_WITH_ARG(tgkill, 0, uint32_t(getpid()))); Allow(SOCKETCALL(sendto, SENDTO)); Allow(SOCKETCALL(recvfrom, RECVFROM)); Allow(SYSCALL_LARGEFILE(getdents, getdents64)); Allow(SYSCALL(epoll_ctl)); Allow(SYSCALL(sched_yield)); Allow(SYSCALL(sched_getscheduler)); Allow(SYSCALL(sched_setscheduler)); Allow(SYSCALL(sched_getparam)); Allow(SYSCALL(sched_setparam)); Allow(SYSCALL(sigaltstack)); /* Always last and always OK calls */ /* Architecture-specific very infrequently used syscalls */ #if SYSCALL_EXISTS(sigaction) Allow(SYSCALL(sigaction)); #endif Allow(SYSCALL(rt_sigaction)); #ifdef ARM_SYSCALL Allow(ARM_SYSCALL(breakpoint)); Allow(ARM_SYSCALL(cacheflush)); Allow(ARM_SYSCALL(usr26)); Allow(ARM_SYSCALL(usr32)); Allow(ARM_SYSCALL(set_tls)); #endif /* restart_syscall is called internally, generally when debugging */ Allow(SYSCALL(restart_syscall)); /* linux desktop is not as performance critical as mobile */ /* we can place desktop syscalls at the end */ #ifndef ANDROID Allow(SYSCALL(stat)); Allow(SYSCALL(getdents)); Allow(SYSCALL(lstat)); #if SYSCALL_EXISTS(mmap2) Allow(SYSCALL(mmap2)); #else Allow(SYSCALL(mmap)); #endif Allow(SYSCALL(openat)); Allow(SYSCALL(fcntl)); Allow(SYSCALL(fstat)); Allow(SYSCALL(readlink)); Allow(SOCKETCALL(getsockname, GETSOCKNAME)); Allow(SYSCALL(getuid)); Allow(SYSCALL(geteuid)); Allow(SYSCALL(mkdir)); Allow(SYSCALL(getcwd)); Allow(SYSCALL(readahead)); Allow(SYSCALL(pread64)); Allow(SYSCALL(statfs)); Allow(SYSCALL(pipe)); #if SYSCALL_EXISTS(ugetrlimit) Allow(SYSCALL(ugetrlimit)); #else Allow(SYSCALL(getrlimit)); #endif Allow(SOCKETCALL(shutdown, SHUTDOWN)); Allow(SOCKETCALL(getpeername, GETPEERNAME)); Allow(SYSCALL(eventfd2)); Allow(SYSCALL(clock_getres)); Allow(SYSCALL(sysinfo)); Allow(SYSCALL(getresuid)); Allow(SYSCALL(umask)); Allow(SYSCALL(getresgid)); Allow(SYSCALL(poll)); Allow(SYSCALL(inotify_init1)); Allow(SYSCALL(wait4)); Allow(SYSVIPCCALL(shmctl, SHMCTL)); Allow(SYSCALL(set_robust_list)); Allow(SYSCALL(rmdir)); Allow(SOCKETCALL(recvfrom, RECVFROM)); Allow(SYSVIPCCALL(shmdt, SHMDT)); Allow(SYSCALL(pipe2)); Allow(SOCKETCALL(setsockopt, SETSOCKOPT)); Allow(SYSVIPCCALL(shmat, SHMAT)); Allow(SYSCALL(set_tid_address)); Allow(SYSCALL(inotify_add_watch)); Allow(SYSCALL(rt_sigprocmask)); Allow(SYSVIPCCALL(shmget, SHMGET)); #if SYSCALL_EXISTS(utimes) Allow(SYSCALL(utimes)); #else Allow(SYSCALL(utime)); #endif #if SYSCALL_EXISTS(arch_prctl) Allow(SYSCALL(arch_prctl)); #endif Allow(SYSCALL(sched_getaffinity)); /* We should remove all of the following in the future (possibly even more) */ Allow(SOCKETCALL(socket, SOCKET)); Allow(SYSCALL(chmod)); Allow(SYSCALL(execve)); Allow(SYSCALL(rename)); Allow(SYSCALL(symlink)); Allow(SOCKETCALL(connect, CONNECT)); Allow(SYSCALL(quotactl)); Allow(SYSCALL(kill)); Allow(SOCKETCALL(sendto, SENDTO)); #endif /* nsSystemInfo uses uname (and we cache an instance, so */ /* the info remains present even if we block the syscall) */ Allow(SYSCALL(uname)); Allow(SYSCALL(exit_group)); Allow(SYSCALL(exit)); }
virtual ResultExpr PrctlPolicy() const override { // Ideally this should be restricted to a whitelist, but content // uses enough things that it's not trivial to determine it. return Allow(); }
void SandboxFilterImplGMP::Build() { // As for content processes, check the most common syscalls first. Allow(SYSCALL_WITH_ARG(clock_gettime, 0, CLOCK_MONOTONIC, CLOCK_REALTIME)); Allow(SYSCALL(futex)); Allow(SYSCALL(gettimeofday)); Allow(SYSCALL(poll)); Allow(SYSCALL(write)); Allow(SYSCALL(read)); Allow(SYSCALL(epoll_wait)); Allow(SYSCALL(epoll_pwait)); Allow(SOCKETCALL(recvmsg, RECVMSG)); Allow(SOCKETCALL(sendmsg, SENDMSG)); Allow(SYSCALL(time)); Allow(SYSCALL(sched_yield)); // Nothing after this line is performance-critical. #if SYSCALL_EXISTS(mmap2) Allow(SYSCALL(mmap2)); #else Allow(SYSCALL(mmap)); #endif Allow(SYSCALL_LARGEFILE(fstat, fstat64)); Allow(SYSCALL(munmap)); Allow(SYSCALL(getpid)); Allow(SYSCALL(gettid)); AllowThreadClone(); Allow(SYSCALL_WITH_ARG(prctl, 0, PR_GET_SECCOMP, PR_SET_NAME)); #if SYSCALL_EXISTS(set_robust_list) Allow(SYSCALL(set_robust_list)); #endif // NSPR can call this when creating a thread, but it will accept a // polite "no". Deny(EACCES, SYSCALL(getpriority)); // But if thread creation races with sandbox startup, that call // could succeed, and then we get one of these: Deny(EACCES, SYSCALL(setpriority)); // Stack bounds are obtained via pthread_getattr_np, which calls // this but doesn't actually need it: Deny(ENOSYS, SYSCALL(sched_getaffinity)); #ifdef MOZ_ASAN Allow(SYSCALL(sigaltstack)); // ASAN's error reporter wants to know if stderr is a tty. Deny(ENOTTY, SYSCALL_WITH_ARG(ioctl, 0, STDERR_FILENO)); // ...and before compiler-rt r209773, it will call readlink and use // the cached value only if that fails: Deny(ENOENT, SYSCALL(readlink)); // ...and if it found an external symbolizer, it will try to run it: // (See also bug 1081242 comment #7.) Deny(ENOENT, SYSCALL_LARGEFILE(stat, stat64)); #endif Allow(SYSCALL(mprotect)); Allow(SYSCALL_WITH_ARG(madvise, 2, MADV_DONTNEED)); #if SYSCALL_EXISTS(sigreturn) Allow(SYSCALL(sigreturn)); #endif Allow(SYSCALL(rt_sigreturn)); Allow(SYSCALL(restart_syscall)); Allow(SYSCALL(close)); // "Sleeping for 300 seconds" in debug crashes; possibly other uses. Allow(SYSCALL(nanosleep)); // For the crash reporter: #if SYSCALL_EXISTS(sigprocmask) Allow(SYSCALL(sigprocmask)); #endif Allow(SYSCALL(rt_sigprocmask)); #if SYSCALL_EXISTS(sigaction) Allow(SYSCALL(sigaction)); #endif Allow(SYSCALL(rt_sigaction)); Allow(SYSCALL(pipe)); Allow(SYSCALL_WITH_ARG(tgkill, 0, uint32_t(getpid()))); Allow(SYSCALL_WITH_ARG(prctl, 0, PR_SET_DUMPABLE)); // Note for when GMP is supported on an ARM platform: Add whichever // of the ARM-specific syscalls are needed for this type of process. Allow(SYSCALL(epoll_ctl)); Allow(SYSCALL(exit)); Allow(SYSCALL(exit_group)); }
virtual ResultExpr EvaluateSyscall(int sysno) const override { switch(sysno) { // Filesystem operations we need to get rid of; see bug 930258. case __NR_open: case __NR_openat: case __NR_access: case __NR_faccessat: CASES_FOR_stat: CASES_FOR_lstat: CASES_FOR_fstatat: #ifdef DESKTOP // Some if not all of these can probably be soft-failed or // removed entirely; this needs to be studied. case __NR_mkdir: case __NR_rmdir: case __NR_getcwd: CASES_FOR_statfs: case __NR_chmod: case __NR_rename: case __NR_symlink: case __NR_quotactl: case __NR_utimes: #endif return Allow(); case __NR_readlink: case __NR_readlinkat: // Workaround for bug 964455: return Error(EINVAL); CASES_FOR_select: case __NR_pselect6: return Allow(); CASES_FOR_getdents: CASES_FOR_lseek: CASES_FOR_ftruncate: case __NR_writev: case __NR_pread64: #ifdef DESKTOP case __NR_readahead: #endif return Allow(); case __NR_ioctl: // ioctl() is for GL. Remove when GL proxy is implemented. // Additionally ioctl() might be a place where we want to have // argument filtering return Allow(); CASES_FOR_fcntl: // Some fcntls have significant side effects like sending // arbitrary signals, and there's probably nontrivial kernel // attack surface; this should be locked down more if possible. return Allow(); case __NR_mprotect: case __NR_brk: case __NR_madvise: #if defined(ANDROID) && !defined(MOZ_MEMORY) // Android's libc's realloc uses mremap. case __NR_mremap: #endif return Allow(); case __NR_sigaltstack: return Allow(); #ifdef __NR_set_thread_area case __NR_set_thread_area: return Allow(); #endif case __NR_getrusage: case __NR_times: return Allow(); case __NR_dup: return Allow(); CASES_FOR_getuid: CASES_FOR_getgid: CASES_FOR_geteuid: CASES_FOR_getegid: return Allow(); case __NR_fsync: case __NR_msync: return Allow(); case __NR_getpriority: case __NR_setpriority: case __NR_sched_get_priority_min: case __NR_sched_get_priority_max: case __NR_sched_getscheduler: case __NR_sched_setscheduler: case __NR_sched_getparam: case __NR_sched_setparam: #ifdef DESKTOP case __NR_sched_getaffinity: #endif return Allow(); #ifdef DESKTOP case __NR_pipe2: return Allow(); CASES_FOR_getrlimit: case __NR_clock_getres: case __NR_getresuid: case __NR_getresgid: return Allow(); case __NR_umask: case __NR_kill: case __NR_wait4: #ifdef __NR_arch_prctl case __NR_arch_prctl: #endif return Allow(); case __NR_eventfd2: case __NR_inotify_init1: case __NR_inotify_add_watch: return Allow(); #endif // nsSystemInfo uses uname (and we cache an instance, so // the info remains present even if we block the syscall) case __NR_uname: #ifdef DESKTOP case __NR_sysinfo: #endif return Allow(); default: return SandboxPolicyCommon::EvaluateSyscall(sysno); } }