virtual ResultExpr ClonePolicy() const {
// Allow use for simple thread creation (pthread_create) only.
// WARNING: s390 and cris pass the flags in the second arg -- see
// CLONE_BACKWARDS2 in arch/Kconfig in the kernel source -- but we
// don't support seccomp-bpf on those archs yet.
Arg<int> flags(0);
// The glibc source hasn't changed the thread creation clone flags
// since 2004, so this *should* be safe to hard-code. Bionic's
// value has changed a few times, and has converged on the same one
// as glibc; allow any of them.
static const int flags_common = CLONE_VM | CLONE_FS | CLONE_FILES |
CLONE_SIGHAND | CLONE_THREAD | CLONE_SYSVSEM;
static const int flags_modern = flags_common | CLONE_SETTLS |
CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
// Can't use CASES here because its decltype magic infers const
// int instead of regular int and bizarre voluminous errors issue
// forth from the depths of the standard library implementation.
return Switch(flags)
#ifdef ANDROID
.Case(flags_common | CLONE_DETACHED, Allow()) // <= JB 4.2
.Case(flags_common, Allow()) // JB 4.3 or KK 4.4
#endif
.Case(flags_modern, Allow()) // Android L or glibc
.Default(InvalidSyscall());
}
NS_IMETHODIMP
FileSystemPermissionRequest::Run()
{
MOZ_ASSERT(NS_IsMainThread());
RefPtr<FileSystemBase> filesystem = mTask->GetFileSystem();
if (!filesystem) {
Cancel();
return NS_OK;
}
if (filesystem->PermissionCheckType() == FileSystemBase::ePermissionCheckNotRequired) {
Allow(JS::UndefinedHandleValue);
return NS_OK;
}
if (filesystem->PermissionCheckType() == FileSystemBase::ePermissionCheckByTestingPref &&
mozilla::Preferences::GetBool("device.storage.prompt.testing", false)) {
Allow(JS::UndefinedHandleValue);
return NS_OK;
}
if (!mWindow) {
Cancel();
return NS_OK;
}
nsContentPermissionUtils::AskPermission(this, mWindow);
return NS_OK;
}
SymbolNameSet DynamicLibrarySearchGenerator::
operator()(JITDylib &JD, const SymbolNameSet &Names) {
orc::SymbolNameSet Added;
orc::SymbolMap NewSymbols;
bool HasGlobalPrefix = (GlobalPrefix != '\0');
for (auto &Name : Names) {
if ((*Name).empty())
continue;
if (Allow && !Allow(Name))
continue;
if (HasGlobalPrefix && (*Name).front() != GlobalPrefix)
continue;
std::string Tmp((*Name).data() + (HasGlobalPrefix ? 1 : 0), (*Name).size());
if (void *Addr = Dylib.getAddressOfSymbol(Tmp.c_str())) {
Added.insert(Name);
NewSymbols[Name] = JITEvaluatedSymbol(
static_cast<JITTargetAddress>(reinterpret_cast<uintptr_t>(Addr)),
JITSymbolFlags::Exported);
}
}
// Add any new symbols to JD. Since the generator is only called for symbols
// that are not already defined, this will never trigger a duplicate
// definition error, so we can wrap this call in a 'cantFail'.
if (!NewSymbols.empty())
cantFail(JD.define(absoluteSymbols(std::move(NewSymbols))));
return Added;
}
virtual Maybe<ResultExpr> EvaluateSocketCall(int aCall) const override {
switch (aCall) {
case SYS_RECVMSG:
case SYS_SENDMSG:
return Some(Allow());
default:
return Nothing();
}
}
bool UnitContainer::Allow( const Unit *unit ) const {
if ( !Allow( unit->Type() ) ) return false;
int i;
for ( i = UnitCount() - 1; i >= 0; --i )
if ( GetUnit(i) == unit ) return true;
if ( unit->IsTransport() ) {
const Transport *t = static_cast<const Transport *>(unit);
if ( Crystals() + t->Crystals() > MaxCrystals() ) return false;
for ( i = t->UnitCount() - 1; i >= 0; --i )
if ( !Allow( t->GetUnit(i) ) ) return false;
}
return uc_slots >= uc_slots_full + unit->Weight();
}
//PCOMContentPermissionRequestChild
bool
MediaPermissionRequest::Recv__delete__(const bool& allow)
{
if (allow) {
(void) Allow();
} else {
(void) Cancel();
}
return true;
}
virtual ResultExpr PrctlPolicy() const {
// Note: this will probably need PR_SET_VMA if/when it's used on
// Android without being overridden by an allow-all policy, and
// the constant will need to be defined locally.
Arg<int> op(0);
return Switch(op)
.CASES((PR_GET_SECCOMP, // BroadcastSetThreadSandbox, etc.
PR_SET_NAME, // Thread creation
PR_SET_DUMPABLE), // Crash reporting
Allow())
.Default(InvalidSyscall());
}
virtual ResultExpr EvaluateSyscall(int sysno) const override {
switch (sysno) {
// Simulate opening the plugin file.
#ifdef __NR_open
case __NR_open:
#endif
case __NR_openat:
return Trap(OpenTrap, mPlugin);
// ipc::Shmem
case __NR_mprotect:
return Allow();
case __NR_madvise: {
Arg<int> advice(2);
return If(advice == MADV_DONTNEED, Allow())
.Else(InvalidSyscall());
}
default:
return SandboxPolicyCommon::EvaluateSyscall(sysno);
}
}
virtual Maybe<ResultExpr> EvaluateIpcCall(int aCall) const override {
switch(aCall) {
// These are a problem: SysV shared memory follows the Unix
// "same uid policy" and can't be restricted/brokered like file
// access. But the graphics layer might not be using them
// anymore; this needs to be studied.
case SHMGET:
case SHMCTL:
case SHMAT:
case SHMDT:
return Some(Allow());
default:
return SandboxPolicyCommon::EvaluateIpcCall(aCall);
}
}
virtual Maybe<ResultExpr> EvaluateSocketCall(int aCall) const override {
switch(aCall) {
case SYS_RECVFROM:
case SYS_SENDTO:
return Some(Allow());
case SYS_SOCKETPAIR: {
// See bug 1066750.
if (!kSocketCallHasArgs) {
// We can't filter the args if the platform passes them by pointer.
return Some(Allow());
}
Arg<int> domain(0), type(1);
return Some(If(domain == AF_UNIX &&
(type == SOCK_STREAM || type == SOCK_SEQPACKET), Allow())
.Else(InvalidSyscall()));
}
#ifdef ANDROID
case SYS_SOCKET:
return Some(Error(EACCES));
#else // #ifdef DESKTOP
case SYS_RECV:
case SYS_SEND:
case SYS_SOCKET: // DANGEROUS
case SYS_CONNECT: // DANGEROUS
case SYS_SETSOCKOPT:
case SYS_GETSOCKNAME:
case SYS_GETPEERNAME:
case SYS_SHUTDOWN:
return Some(Allow());
#endif
default:
return SandboxPolicyCommon::EvaluateSocketCall(aCall);
}
}
void SandboxFilterImpl::AllowThreadClone() {
// WARNING: s390 and cris pass the flags in a different arg -- see
// CLONE_BACKWARDS2 in arch/Kconfig in the kernel source -- but we
// don't support seccomp-bpf on those archs yet.
//
// The glibc source hasn't changed the thread creation clone flags
// since 2004, so this *should* be safe to hard-code. Bionic's
// value has changed a few times, and has converged on the same one
// as glibc; allow any of them.
static const int flags_common = CLONE_VM | CLONE_FS | CLONE_FILES |
CLONE_SIGHAND | CLONE_THREAD | CLONE_SYSVSEM;
Allow(SYSCALL_WITH_ARG(clone, 0,
#ifdef ANDROID
flags_common | CLONE_DETACHED, // <= JB 4.2
flags_common, // JB 4.3 or KK 4.4
#endif
flags_common | CLONE_SETTLS // Android L or glibc
| CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID));
}
void BattleOptionsTab::Allow( const wxString& name )
{
if ( !m_battle ) return;
int i = GetRestrictedUnitIndex( name );
Allow( i );
}
virtual ResultExpr EvaluateSyscall(int sysno) const override {
switch (sysno) {
// Timekeeping
case __NR_clock_gettime: {
Arg<clockid_t> clk_id(0);
return If(clk_id == CLOCK_MONOTONIC, Allow())
.ElseIf(clk_id == CLOCK_REALTIME, Allow())
.Else(InvalidSyscall());
}
case __NR_gettimeofday:
#ifdef __NR_time
case __NR_time:
#endif
case __NR_nanosleep:
return Allow();
// Thread synchronization
case __NR_futex:
// FIXME: This could be more restrictive....
return Allow();
// Asynchronous I/O
case __NR_epoll_wait:
case __NR_epoll_pwait:
case __NR_epoll_ctl:
case __NR_ppoll:
case __NR_poll:
return Allow();
// Used when requesting a crash dump.
case __NR_pipe:
return Allow();
// Metadata of opened files
CASES_FOR_fstat:
return Allow();
// Simple I/O
case __NR_write:
case __NR_read:
case __NR_writev: // see SandboxLogging.cpp
return Allow();
// Memory mapping
CASES_FOR_mmap:
case __NR_munmap:
return Allow();
// Signal handling
#if defined(ANDROID) || defined(MOZ_ASAN)
case __NR_sigaltstack:
#endif
CASES_FOR_sigreturn:
CASES_FOR_sigprocmask:
CASES_FOR_sigaction:
return Allow();
// Send signals within the process (raise(), profiling, etc.)
case __NR_tgkill: {
Arg<pid_t> tgid(0);
return If(tgid == getpid(), Allow())
.Else(InvalidSyscall());
}
#if defined(ANDROID) && ANDROID_VERSION < 16
// Polyfill with tgkill; see above.
case __NR_tkill:
return Trap(TKillCompatTrap, nullptr);
#endif
// Yield
case __NR_sched_yield:
return Allow();
// Thread creation.
case __NR_clone:
return ClonePolicy();
// More thread creation.
#ifdef __NR_set_robust_list
case __NR_set_robust_list:
return Allow();
#endif
#ifdef ANDROID
case __NR_set_tid_address:
return Allow();
#endif
// prctl
case __NR_prctl:
return PrctlPolicy();
// NSPR can call this when creating a thread, but it will accept a
// polite "no".
case __NR_getpriority:
// But if thread creation races with sandbox startup, that call
// could succeed, and then we get one of these:
case __NR_setpriority:
return Error(EACCES);
// Stack bounds are obtained via pthread_getattr_np, which calls
// this but doesn't actually need it:
case __NR_sched_getaffinity:
return Error(ENOSYS);
// Read own pid/tid.
case __NR_getpid:
case __NR_gettid:
return Allow();
// Discard capabilities
case __NR_close:
return Allow();
// Machine-dependent stuff
#ifdef __arm__
case __ARM_NR_breakpoint:
case __ARM_NR_cacheflush:
case __ARM_NR_usr26: // FIXME: do we actually need this?
case __ARM_NR_usr32:
case __ARM_NR_set_tls:
return Allow();
#endif
// Needed when being debugged:
case __NR_restart_syscall:
return Allow();
// Terminate threads or the process
case __NR_exit:
case __NR_exit_group:
return Allow();
#ifdef MOZ_ASAN
// ASAN's error reporter wants to know if stderr is a tty.
case __NR_ioctl: {
Arg<int> fd(0);
return If(fd == STDERR_FILENO, Allow())
.Else(InvalidSyscall());
}
// ...and before compiler-rt r209773, it will call readlink on
// /proc/self/exe and use the cached value only if that fails:
case __NR_readlink:
case __NR_readlinkat:
return Error(ENOENT);
// ...and if it found an external symbolizer, it will try to run it:
// (See also bug 1081242 comment #7.)
CASES_FOR_stat:
return Error(ENOENT);
#endif
default:
return SandboxPolicyBase::EvaluateSyscall(sysno);
}
}
void
SandboxFilterImplContent::Build() {
/* Most used system calls should be at the top of the whitelist
* for performance reasons. The whitelist BPF filter exits after
* processing any ALLOW_SYSCALL macro.
*
* How are those syscalls found?
* 1) via strace -p <child pid> or/and
* 2) the child will report which system call has been denied by seccomp-bpf,
* just before exiting
* System call number to name mapping is found in:
* bionic/libc/kernel/arch-arm/asm/unistd.h
* or your libc's unistd.h/kernel headers.
*
* Current list order has been optimized through manual guess-work.
* It could be further optimized by analyzing the output of:
* 'strace -c -p <child pid>' for most used web apps.
*/
Allow(SYSCALL(futex));
Allow(SOCKETCALL(recvmsg, RECVMSG));
Allow(SOCKETCALL(sendmsg, SENDMSG));
// mmap2 is a little different from most off_t users, because it's
// passed in a register (so it's a problem for even a "new" 32-bit
// arch) -- and the workaround, mmap2, passes a page offset instead.
#if SYSCALL_EXISTS(mmap2)
Allow(SYSCALL(mmap2));
#else
Allow(SYSCALL(mmap));
#endif
Allow(SYSCALL(clock_gettime));
Allow(SYSCALL(epoll_wait));
Allow(SYSCALL(gettimeofday));
Allow(SYSCALL(read));
Allow(SYSCALL(write));
// 32-bit lseek is used, at least on Android, to implement ANSI fseek.
#if SYSCALL_EXISTS(_llseek)
Allow(SYSCALL(_llseek));
#endif
Allow(SYSCALL(lseek));
// Android also uses 32-bit ftruncate.
Allow(SYSCALL(ftruncate));
#if SYSCALL_EXISTS(ftruncate64)
Allow(SYSCALL(ftruncate64));
#endif
/* ioctl() is for GL. Remove when GL proxy is implemented.
* Additionally ioctl() might be a place where we want to have
* argument filtering */
Allow(SYSCALL(ioctl));
Allow(SYSCALL(close));
Allow(SYSCALL(munmap));
Allow(SYSCALL(mprotect));
Allow(SYSCALL(writev));
Allow(SYSCALL(clone));
Allow(SYSCALL(brk));
#if SYSCALL_EXISTS(set_thread_area)
Allow(SYSCALL(set_thread_area));
#endif
Allow(SYSCALL(getpid));
Allow(SYSCALL(gettid));
Allow(SYSCALL(getrusage));
Allow(SYSCALL(times));
Allow(SYSCALL(madvise));
Allow(SYSCALL(dup));
Allow(SYSCALL(nanosleep));
Allow(SYSCALL(poll));
// select()'s arguments used to be passed by pointer as a struct.
#if SYSCALL_EXISTS(_newselect)
Allow(SYSCALL(_newselect));
#else
Allow(SYSCALL(select));
#endif
// Some archs used to have 16-bit uid/gid instead of 32-bit.
#if SYSCALL_EXISTS(getuid32)
Allow(SYSCALL(getuid32));
Allow(SYSCALL(geteuid32));
Allow(SYSCALL(getgid32));
Allow(SYSCALL(getegid32));
#else
Allow(SYSCALL(getuid));
Allow(SYSCALL(geteuid));
Allow(SYSCALL(getgid));
Allow(SYSCALL(getegid));
#endif
// Some newer archs (e.g., x64 and x32) have only rt_sigreturn, but
// ARM has and uses both syscalls -- rt_sigreturn for SA_SIGINFO
// handlers and classic sigreturn otherwise.
#if SYSCALL_EXISTS(sigreturn)
Allow(SYSCALL(sigreturn));
#endif
Allow(SYSCALL(rt_sigreturn));
Allow(SYSCALL_LARGEFILE(fcntl, fcntl64));
/* Must remove all of the following in the future, when no longer used */
/* open() is for some legacy APIs such as font loading. */
/* See bug 906996 for removing unlink(). */
Allow(SYSCALL_LARGEFILE(fstat, fstat64));
Allow(SYSCALL_LARGEFILE(stat, stat64));
Allow(SYSCALL_LARGEFILE(lstat, lstat64));
Allow(SOCKETCALL(socketpair, SOCKETPAIR));
Deny(EACCES, SOCKETCALL(socket, SOCKET));
Allow(SYSCALL(open));
Allow(SYSCALL(readlink)); /* Workaround for bug 964455 */
Allow(SYSCALL(prctl));
Allow(SYSCALL(access));
Allow(SYSCALL(unlink));
Allow(SYSCALL(fsync));
Allow(SYSCALL(msync));
#if defined(ANDROID) && !defined(MOZ_MEMORY)
// Android's libc's realloc uses mremap.
Allow(SYSCALL(mremap));
#endif
/* Should remove all of the following in the future, if possible */
Allow(SYSCALL(getpriority));
Allow(SYSCALL(sched_get_priority_min));
Allow(SYSCALL(sched_get_priority_max));
Allow(SYSCALL(setpriority));
// rt_sigprocmask is passed the sigset_t size. On older archs,
// sigprocmask is a compatibility shim that assumes the pre-RT size.
#if SYSCALL_EXISTS(sigprocmask)
Allow(SYSCALL(sigprocmask));
#endif
Allow(SYSCALL(rt_sigprocmask));
// Used by profiler. Also used for raise(), which causes problems
// with Android KitKat abort(); see bug 1004832.
Allow(SYSCALL_WITH_ARG(tgkill, 0, uint32_t(getpid())));
Allow(SOCKETCALL(sendto, SENDTO));
Allow(SOCKETCALL(recvfrom, RECVFROM));
Allow(SYSCALL_LARGEFILE(getdents, getdents64));
Allow(SYSCALL(epoll_ctl));
Allow(SYSCALL(sched_yield));
Allow(SYSCALL(sched_getscheduler));
Allow(SYSCALL(sched_setscheduler));
Allow(SYSCALL(sched_getparam));
Allow(SYSCALL(sched_setparam));
Allow(SYSCALL(sigaltstack));
/* Always last and always OK calls */
/* Architecture-specific very infrequently used syscalls */
#if SYSCALL_EXISTS(sigaction)
Allow(SYSCALL(sigaction));
#endif
Allow(SYSCALL(rt_sigaction));
#ifdef ARM_SYSCALL
Allow(ARM_SYSCALL(breakpoint));
Allow(ARM_SYSCALL(cacheflush));
Allow(ARM_SYSCALL(usr26));
Allow(ARM_SYSCALL(usr32));
Allow(ARM_SYSCALL(set_tls));
#endif
/* restart_syscall is called internally, generally when debugging */
Allow(SYSCALL(restart_syscall));
/* linux desktop is not as performance critical as mobile */
/* we can place desktop syscalls at the end */
#ifndef ANDROID
Allow(SYSCALL(stat));
Allow(SYSCALL(getdents));
Allow(SYSCALL(lstat));
#if SYSCALL_EXISTS(mmap2)
Allow(SYSCALL(mmap2));
#else
Allow(SYSCALL(mmap));
#endif
Allow(SYSCALL(openat));
Allow(SYSCALL(fcntl));
Allow(SYSCALL(fstat));
Allow(SYSCALL(readlink));
Allow(SOCKETCALL(getsockname, GETSOCKNAME));
Allow(SYSCALL(getuid));
Allow(SYSCALL(geteuid));
Allow(SYSCALL(mkdir));
Allow(SYSCALL(getcwd));
Allow(SYSCALL(readahead));
Allow(SYSCALL(pread64));
Allow(SYSCALL(statfs));
Allow(SYSCALL(pipe));
#if SYSCALL_EXISTS(ugetrlimit)
Allow(SYSCALL(ugetrlimit));
#else
Allow(SYSCALL(getrlimit));
#endif
Allow(SOCKETCALL(shutdown, SHUTDOWN));
Allow(SOCKETCALL(getpeername, GETPEERNAME));
Allow(SYSCALL(eventfd2));
Allow(SYSCALL(clock_getres));
Allow(SYSCALL(sysinfo));
Allow(SYSCALL(getresuid));
Allow(SYSCALL(umask));
Allow(SYSCALL(getresgid));
Allow(SYSCALL(poll));
Allow(SYSCALL(inotify_init1));
Allow(SYSCALL(wait4));
Allow(SYSVIPCCALL(shmctl, SHMCTL));
Allow(SYSCALL(set_robust_list));
Allow(SYSCALL(rmdir));
Allow(SOCKETCALL(recvfrom, RECVFROM));
Allow(SYSVIPCCALL(shmdt, SHMDT));
Allow(SYSCALL(pipe2));
Allow(SOCKETCALL(setsockopt, SETSOCKOPT));
Allow(SYSVIPCCALL(shmat, SHMAT));
Allow(SYSCALL(set_tid_address));
Allow(SYSCALL(inotify_add_watch));
Allow(SYSCALL(rt_sigprocmask));
Allow(SYSVIPCCALL(shmget, SHMGET));
#if SYSCALL_EXISTS(utimes)
Allow(SYSCALL(utimes));
#else
Allow(SYSCALL(utime));
#endif
#if SYSCALL_EXISTS(arch_prctl)
Allow(SYSCALL(arch_prctl));
#endif
Allow(SYSCALL(sched_getaffinity));
/* We should remove all of the following in the future (possibly even more) */
Allow(SOCKETCALL(socket, SOCKET));
Allow(SYSCALL(chmod));
Allow(SYSCALL(execve));
Allow(SYSCALL(rename));
Allow(SYSCALL(symlink));
Allow(SOCKETCALL(connect, CONNECT));
Allow(SYSCALL(quotactl));
Allow(SYSCALL(kill));
Allow(SOCKETCALL(sendto, SENDTO));
#endif
/* nsSystemInfo uses uname (and we cache an instance, so */
/* the info remains present even if we block the syscall) */
Allow(SYSCALL(uname));
Allow(SYSCALL(exit_group));
Allow(SYSCALL(exit));
}
virtual ResultExpr PrctlPolicy() const override {
// Ideally this should be restricted to a whitelist, but content
// uses enough things that it's not trivial to determine it.
return Allow();
}
void SandboxFilterImplGMP::Build() {
// As for content processes, check the most common syscalls first.
Allow(SYSCALL_WITH_ARG(clock_gettime, 0, CLOCK_MONOTONIC, CLOCK_REALTIME));
Allow(SYSCALL(futex));
Allow(SYSCALL(gettimeofday));
Allow(SYSCALL(poll));
Allow(SYSCALL(write));
Allow(SYSCALL(read));
Allow(SYSCALL(epoll_wait));
Allow(SYSCALL(epoll_pwait));
Allow(SOCKETCALL(recvmsg, RECVMSG));
Allow(SOCKETCALL(sendmsg, SENDMSG));
Allow(SYSCALL(time));
Allow(SYSCALL(sched_yield));
// Nothing after this line is performance-critical.
#if SYSCALL_EXISTS(mmap2)
Allow(SYSCALL(mmap2));
#else
Allow(SYSCALL(mmap));
#endif
Allow(SYSCALL_LARGEFILE(fstat, fstat64));
Allow(SYSCALL(munmap));
Allow(SYSCALL(getpid));
Allow(SYSCALL(gettid));
AllowThreadClone();
Allow(SYSCALL_WITH_ARG(prctl, 0, PR_GET_SECCOMP, PR_SET_NAME));
#if SYSCALL_EXISTS(set_robust_list)
Allow(SYSCALL(set_robust_list));
#endif
// NSPR can call this when creating a thread, but it will accept a
// polite "no".
Deny(EACCES, SYSCALL(getpriority));
// But if thread creation races with sandbox startup, that call
// could succeed, and then we get one of these:
Deny(EACCES, SYSCALL(setpriority));
// Stack bounds are obtained via pthread_getattr_np, which calls
// this but doesn't actually need it:
Deny(ENOSYS, SYSCALL(sched_getaffinity));
#ifdef MOZ_ASAN
Allow(SYSCALL(sigaltstack));
// ASAN's error reporter wants to know if stderr is a tty.
Deny(ENOTTY, SYSCALL_WITH_ARG(ioctl, 0, STDERR_FILENO));
// ...and before compiler-rt r209773, it will call readlink and use
// the cached value only if that fails:
Deny(ENOENT, SYSCALL(readlink));
// ...and if it found an external symbolizer, it will try to run it:
// (See also bug 1081242 comment #7.)
Deny(ENOENT, SYSCALL_LARGEFILE(stat, stat64));
#endif
Allow(SYSCALL(mprotect));
Allow(SYSCALL_WITH_ARG(madvise, 2, MADV_DONTNEED));
#if SYSCALL_EXISTS(sigreturn)
Allow(SYSCALL(sigreturn));
#endif
Allow(SYSCALL(rt_sigreturn));
Allow(SYSCALL(restart_syscall));
Allow(SYSCALL(close));
// "Sleeping for 300 seconds" in debug crashes; possibly other uses.
Allow(SYSCALL(nanosleep));
// For the crash reporter:
#if SYSCALL_EXISTS(sigprocmask)
Allow(SYSCALL(sigprocmask));
#endif
Allow(SYSCALL(rt_sigprocmask));
#if SYSCALL_EXISTS(sigaction)
Allow(SYSCALL(sigaction));
#endif
Allow(SYSCALL(rt_sigaction));
Allow(SYSCALL(pipe));
Allow(SYSCALL_WITH_ARG(tgkill, 0, uint32_t(getpid())));
Allow(SYSCALL_WITH_ARG(prctl, 0, PR_SET_DUMPABLE));
// Note for when GMP is supported on an ARM platform: Add whichever
// of the ARM-specific syscalls are needed for this type of process.
Allow(SYSCALL(epoll_ctl));
Allow(SYSCALL(exit));
Allow(SYSCALL(exit_group));
}
virtual ResultExpr EvaluateSyscall(int sysno) const override {
switch(sysno) {
// Filesystem operations we need to get rid of; see bug 930258.
case __NR_open:
case __NR_openat:
case __NR_access:
case __NR_faccessat:
CASES_FOR_stat:
CASES_FOR_lstat:
CASES_FOR_fstatat:
#ifdef DESKTOP
// Some if not all of these can probably be soft-failed or
// removed entirely; this needs to be studied.
case __NR_mkdir:
case __NR_rmdir:
case __NR_getcwd:
CASES_FOR_statfs:
case __NR_chmod:
case __NR_rename:
case __NR_symlink:
case __NR_quotactl:
case __NR_utimes:
#endif
return Allow();
case __NR_readlink:
case __NR_readlinkat:
// Workaround for bug 964455:
return Error(EINVAL);
CASES_FOR_select:
case __NR_pselect6:
return Allow();
CASES_FOR_getdents:
CASES_FOR_lseek:
CASES_FOR_ftruncate:
case __NR_writev:
case __NR_pread64:
#ifdef DESKTOP
case __NR_readahead:
#endif
return Allow();
case __NR_ioctl:
// ioctl() is for GL. Remove when GL proxy is implemented.
// Additionally ioctl() might be a place where we want to have
// argument filtering
return Allow();
CASES_FOR_fcntl:
// Some fcntls have significant side effects like sending
// arbitrary signals, and there's probably nontrivial kernel
// attack surface; this should be locked down more if possible.
return Allow();
case __NR_mprotect:
case __NR_brk:
case __NR_madvise:
#if defined(ANDROID) && !defined(MOZ_MEMORY)
// Android's libc's realloc uses mremap.
case __NR_mremap:
#endif
return Allow();
case __NR_sigaltstack:
return Allow();
#ifdef __NR_set_thread_area
case __NR_set_thread_area:
return Allow();
#endif
case __NR_getrusage:
case __NR_times:
return Allow();
case __NR_dup:
return Allow();
CASES_FOR_getuid:
CASES_FOR_getgid:
CASES_FOR_geteuid:
CASES_FOR_getegid:
return Allow();
case __NR_fsync:
case __NR_msync:
return Allow();
case __NR_getpriority:
case __NR_setpriority:
case __NR_sched_get_priority_min:
case __NR_sched_get_priority_max:
case __NR_sched_getscheduler:
case __NR_sched_setscheduler:
case __NR_sched_getparam:
case __NR_sched_setparam:
#ifdef DESKTOP
case __NR_sched_getaffinity:
#endif
return Allow();
#ifdef DESKTOP
case __NR_pipe2:
return Allow();
CASES_FOR_getrlimit:
case __NR_clock_getres:
case __NR_getresuid:
case __NR_getresgid:
return Allow();
case __NR_umask:
case __NR_kill:
case __NR_wait4:
#ifdef __NR_arch_prctl
case __NR_arch_prctl:
#endif
return Allow();
case __NR_eventfd2:
case __NR_inotify_init1:
case __NR_inotify_add_watch:
return Allow();
#endif
// nsSystemInfo uses uname (and we cache an instance, so
// the info remains present even if we block the syscall)
case __NR_uname:
#ifdef DESKTOP
case __NR_sysinfo:
#endif
return Allow();
default:
return SandboxPolicyCommon::EvaluateSyscall(sysno);
}
}
