Bug 1439057 - Tighten /dev/shm access in Linux content sandbox policy. r=gcp

This patch uses the shared memory name prefixes introduced in bug 1447867
to prevent access to /dev/shm files of other applications or other
processes within the same browser instance.

When a shared memory implementation that doesn't use shm_open is available
(specifically, the memfd_create support to be added in bug 1440203),
/dev/shm access is completely denied.

MozReview-Commit-ID: L2ylG5KrXTU

security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp

@@ -8,6 +8,7 @@
 #include "SandboxInfo.h"
 #include "SandboxLogging.h"
 
+#include "base/shared_memory.h"
 #include "mozilla/Array.h"
 #include "mozilla/ClearOnShutdown.h"
 #include "mozilla/Preferences.h"
@@ -190,7 +191,6 @@ SandboxBrokerPolicyFactory::SandboxBrokerPolicyFactory()
   // are cached over the lifetime of the factory.
 #if defined(MOZ_CONTENT_SANDBOX)
   SandboxBroker::Policy* policy = new SandboxBroker::Policy;
-  policy->AddDir(rdwrcr, "/dev/shm");
   // Write permssions
   //
   // Bug 1308851: NVIDIA proprietary driver when using WebGL
@@ -509,6 +509,15 @@ SandboxBrokerPolicyFactory::GetContentPolicy(int aPid, bool aFileProcess)
     policy->AddDir(rdwr, "/dev/snd");
   }
 
+  if (allowPulse) {
+    policy->AddDir(rdwrcr, "/dev/shm");
+  } else {
+    std::string shmPath("/dev/shm");
+    if (base::SharedMemory::AppendPosixShmPrefix(&shmPath, aPid)) {
+      policy->AddPrefix(rdwrcr, shmPath.c_str());
+    }
+  }
+
 #ifdef MOZ_WIDGET_GTK
   if (const auto userDir = g_get_user_runtime_dir()) {
     // Bug 1321134: DConf's single bit of shared memory