Skip to content

Commit 7538e5f

Browse files
jldmoz-jld
authored andcommitted
Bug 2040515 - Rip out the symlink brokering. r=Thinker
This is almost certainly unused. Bug 1380701 comment #23 mentioned PulseAudio in content processes, which is no longer supported. (If you flip `media.cubeb.sandbox` for testing, you'll need to turn off sandboxing; you should not flip that pref for production use.) In general there are very few places left where sandboxed processes can create files, and none of them should need symlinks. However, there might be libraries which were calling symlink and silently failing. Given all of that, this patch does not return symlink/symlinkat to being unexpected syscalls (crash on Nightly, ENOSYS otherwise) but instead just makes them quietly fail with EPERM. (This happens to match macOS, it's a reasonable error code, and tests can distinguish it from the EACCES of a broker rejection.) Differential Revision: https://phabricator.services.mozilla.com/D301463
1 parent 8d9b9ae commit 7538e5f

9 files changed

Lines changed: 19 additions & 85 deletions

security/sandbox/common/test/SandboxTestingChildTests.h

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -627,6 +627,12 @@ void RunTestsContent(SandboxTestingChild* child) {
627627
return fd;
628628
});
629629

630+
child->ErrnoValueTest("symlink"_ns, EPERM,
631+
[] { return symlink("something", "/tmp/testlink"); });
632+
child->ErrnoValueTest("symlinkat"_ns, EPERM, [] {
633+
return symlinkat("something", AT_FDCWD, "/tmp/testlink");
634+
});
635+
630636
# endif // XP_LINUX
631637

632638
# ifdef XP_MACOSX

security/sandbox/linux/SandboxBrokerClient.cpp

Lines changed: 0 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -205,11 +205,6 @@ int SandboxBrokerClient::Link(const char* aOldPath, const char* aNewPath) {
205205
return DoCall(&req, aOldPath, aNewPath, nullptr, false);
206206
}
207207

208-
int SandboxBrokerClient::Symlink(const char* aOldPath, const char* aNewPath) {
209-
Request req = MakeRequest(SANDBOX_FILE_SYMLINK, 0, 0);
210-
return DoCall(&req, aOldPath, aNewPath, nullptr, false);
211-
}
212-
213208
int SandboxBrokerClient::Rename(const char* aOldPath, const char* aNewPath) {
214209
Request req = MakeRequest(SANDBOX_FILE_RENAME, 0, 0);
215210
return DoCall(&req, aOldPath, aNewPath, nullptr, false);

security/sandbox/linux/SandboxBrokerClient.h

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,6 @@ class SandboxBrokerClient final : private SandboxBrokerCommon {
3434
int Chmod(const char* aPath, int aMode);
3535
int Link(const char* aPath, const char* aPath2);
3636
int Mkdir(const char* aPath, int aMode);
37-
int Symlink(const char* aOldPath, const char* aNewPath);
3837
int Rename(const char* aOldPath, const char* aNewPath);
3938
int Unlink(const char* aPath);
4039
int Rmdir(const char* aPath);

security/sandbox/linux/SandboxFilter.cpp

Lines changed: 2 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -299,13 +299,6 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
299299
return broker->Link(path, path2);
300300
}
301301

302-
static intptr_t SymlinkTrap(ArgsRef aArgs, void* aux) {
303-
auto broker = static_cast<SandboxBrokerClient*>(aux);
304-
auto path = reinterpret_cast<const char*>(aArgs.args[0]);
305-
auto path2 = reinterpret_cast<const char*>(aArgs.args[1]);
306-
return broker->Symlink(path, path2);
307-
}
308-
309302
static intptr_t RenameTrap(ArgsRef aArgs, void* aux) {
310303
auto broker = static_cast<SandboxBrokerClient*>(aux);
311304
auto path = reinterpret_cast<const char*>(aArgs.args[0]);
@@ -472,19 +465,6 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
472465
return broker->Link(path, path2);
473466
}
474467

475-
static intptr_t SymlinkAtTrap(ArgsRef aArgs, void* aux) {
476-
auto broker = static_cast<SandboxBrokerClient*>(aux);
477-
auto path = reinterpret_cast<const char*>(aArgs.args[0]);
478-
auto fd2 = static_cast<int>(aArgs.args[1]);
479-
auto path2 = reinterpret_cast<const char*>(aArgs.args[2]);
480-
if (fd2 != AT_FDCWD && path2[0] != '/') {
481-
SANDBOX_LOG("unsupported fd-relative symlinkat(\"%s\", %d, \"%s\")", path,
482-
fd2, path2);
483-
return BlockedSyscallTrap(aArgs, nullptr);
484-
}
485-
return broker->Symlink(path, path2);
486-
}
487-
488468
static intptr_t RenameAtTrap(ArgsRef aArgs, void* aux) {
489469
auto broker = static_cast<SandboxBrokerClient*>(aux);
490470
auto fd = static_cast<int>(aArgs.args[0]);
@@ -966,7 +946,7 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
966946
case __NR_mkdir:
967947
return Trap(MkdirTrap, mBroker);
968948
case __NR_symlink:
969-
return Trap(SymlinkTrap, mBroker);
949+
return Error(EPERM);
970950
case __NR_rename:
971951
return Trap(RenameTrap, mBroker);
972952
case __NR_rmdir:
@@ -995,7 +975,7 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
995975
case __NR_mkdirat:
996976
return Trap(MkdirAtTrap, mBroker);
997977
case __NR_symlinkat:
998-
return Trap(SymlinkAtTrap, mBroker);
978+
return Error(EPERM);
999979
case __NR_renameat:
1000980
return Trap(RenameAtTrap, mBroker);
1001981
case __NR_unlinkat:

security/sandbox/linux/broker/SandboxBroker.cpp

Lines changed: 1 addition & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -529,17 +529,6 @@ static int DoStat(const char* aPath, statstruct* aBuff, int aFlags) {
529529
return statsyscall(aPath, aBuff);
530530
}
531531

532-
static int DoLink(const char* aPath, const char* aPath2,
533-
SandboxBrokerCommon::Operation aOper) {
534-
if (aOper == SandboxBrokerCommon::Operation::SANDBOX_FILE_LINK) {
535-
return link(aPath, aPath2);
536-
}
537-
if (aOper == SandboxBrokerCommon::Operation::SANDBOX_FILE_SYMLINK) {
538-
return symlink(aPath, aPath2);
539-
}
540-
MOZ_CRASH("SandboxBroker: Unknown link operation");
541-
}
542-
543532
static int DoConnect(const char* aPath, size_t aLen, int aType,
544533
bool aIsAbstract) {
545534
// Deny SOCK_DGRAM for the same reason it's denied for socketpair.
@@ -910,9 +899,8 @@ void SandboxBroker::ThreadMain(void) {
910899
break;
911900

912901
case SANDBOX_FILE_LINK:
913-
case SANDBOX_FILE_SYMLINK:
914902
if (permissive || AllowOperation(W_OK | X_OK, perms)) {
915-
if (DoLink(pathBuf, pathBuf2, req.mOp) == 0) {
903+
if (link(pathBuf, pathBuf2) == 0) {
916904
resp.mError = 0;
917905
} else {
918906
resp.mError = -errno;

security/sandbox/linux/broker/SandboxBrokerCommon.cpp

Lines changed: 2 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -46,19 +46,8 @@ unsigned SandboxBrokerCommon::OperationToInt(Operation aOp) {
4646
// static
4747
const char* SandboxBrokerCommon::OperationDescription(Operation aOp) {
4848
static constexpr const char* kNames[] = {
49-
"open",
50-
"access",
51-
"stat",
52-
"chmod",
53-
"link",
54-
"symlink",
55-
"mkdir",
56-
"rename",
57-
"rmdir",
58-
"unlink",
59-
"readlink",
60-
"connect",
61-
"connect-abstract",
49+
"open", "access", "stat", "chmod", "link", "mkdir",
50+
"rename", "rmdir", "unlink", "readlink", "connect", "connect-abstract",
6251
};
6352

6453
static_assert(

security/sandbox/linux/broker/SandboxBrokerCommon.h

Lines changed: 5 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,6 @@ class SandboxBrokerCommon {
3232
SANDBOX_FILE_STAT,
3333
SANDBOX_FILE_CHMOD,
3434
SANDBOX_FILE_LINK,
35-
SANDBOX_FILE_SYMLINK,
3635
SANDBOX_FILE_MKDIR,
3736
SANDBOX_FILE_RENAME,
3837
SANDBOX_FILE_RMDIR,
@@ -44,11 +43,11 @@ class SandboxBrokerCommon {
4443
};
4544
MOZ_USING_ENUM_STATIC(Operation, SANDBOX_FILE_OPEN, SANDBOX_FILE_ACCESS,
4645
SANDBOX_FILE_STAT, SANDBOX_FILE_CHMOD,
47-
SANDBOX_FILE_LINK, SANDBOX_FILE_SYMLINK,
48-
SANDBOX_FILE_MKDIR, SANDBOX_FILE_RENAME,
49-
SANDBOX_FILE_RMDIR, SANDBOX_FILE_UNLINK,
50-
SANDBOX_FILE_READLINK, SANDBOX_SOCKET_CONNECT,
51-
SANDBOX_SOCKET_CONNECT_ABSTRACT, SANDBOX_OP_MAX_VALUE);
46+
SANDBOX_FILE_LINK, SANDBOX_FILE_MKDIR,
47+
SANDBOX_FILE_RENAME, SANDBOX_FILE_RMDIR,
48+
SANDBOX_FILE_UNLINK, SANDBOX_FILE_READLINK,
49+
SANDBOX_SOCKET_CONNECT, SANDBOX_SOCKET_CONNECT_ABSTRACT,
50+
SANDBOX_OP_MAX_VALUE);
5251

5352
static bool OperationIsValid(Operation aOp) {
5453
return static_cast<unsigned>(aOp) <=

security/sandbox/linux/gtest/TestBroker.cpp

Lines changed: 2 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -68,9 +68,6 @@ class SandboxBrokerTest : public ::testing::Test {
6868
int Mkdir(const char* aPath, int aMode) {
6969
return mClient->Mkdir(aPath, aMode);
7070
}
71-
int Symlink(const char* aPath, const char* bPath) {
72-
return mClient->Symlink(aPath, bPath);
73-
}
7471
int Rename(const char* aPath, const char* bPath) {
7572
return mClient->Rename(aPath, bPath);
7673
}
@@ -306,25 +303,6 @@ TEST_F(SandboxBrokerTest, Link) {
306303
PrePostTestCleanup();
307304
}
308305

309-
TEST_F(SandboxBrokerTest, Symlink) {
310-
PrePostTestCleanup();
311-
312-
int fd = Open("/tmp/blublu", O_WRONLY | O_CREAT);
313-
ASSERT_GE(fd, 0) << "Opening /tmp/blublu for writing failed.";
314-
close(fd);
315-
ASSERT_EQ(0, Symlink("/tmp/blublu", "/tmp/blublublu"));
316-
EXPECT_EQ(0, Access("/tmp/blublublu", F_OK));
317-
statstruct aStat;
318-
ASSERT_EQ(0, lstatsyscall("/tmp/blublublu", &aStat));
319-
EXPECT_EQ((mode_t)S_IFLNK, aStat.st_mode & S_IFMT);
320-
// Not whitelisted target path
321-
EXPECT_EQ(-EACCES, Symlink("/tmp/blublu", "/tmp/nope"));
322-
EXPECT_EQ(0, unlink("/tmp/blublublu"));
323-
EXPECT_EQ(0, unlink("/tmp/blublu"));
324-
325-
PrePostTestCleanup();
326-
}
327-
328306
TEST_F(SandboxBrokerTest, Mkdir) {
329307
PrePostTestCleanup();
330308

@@ -400,7 +378,8 @@ TEST_F(SandboxBrokerTest, Readlink) {
400378
int fd = Open("/tmp/blublu", O_WRONLY | O_CREAT);
401379
ASSERT_GE(fd, 0) << "Opening /tmp/blublu for writing failed.";
402380
close(fd);
403-
ASSERT_EQ(0, Symlink("/tmp/blublu", "/tmp/blublublu"));
381+
// This is the real symlink() now that there's no broker support.
382+
ASSERT_EQ(0, symlink("/tmp/blublu", "/tmp/blublublu"));
404383
EXPECT_EQ(0, Access("/tmp/blublublu", F_OK));
405384
char linkBuff[256];
406385
EXPECT_EQ(11, Readlink("/tmp/blublublu", linkBuff, sizeof(linkBuff)));

security/sandbox/test/browser_content_sandbox_fs_tests.js

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -75,10 +75,9 @@ async function createTempFile() {
7575
createSymlink
7676
);
7777
ok(!symlinkCreated.ok, "created a symlink in temp failed");
78-
const expectedError = isLinux() ? lazy.LIBC.EACCES : lazy.LIBC.EPERM;
7978
is(
8079
symlinkCreated.code,
81-
expectedError,
80+
lazy.LIBC.EPERM,
8281
"created a symlink in temp failed with access denied"
8382
);
8483
}

0 commit comments

Comments
 (0)