From 577b3a77317c1400ca4740440e4d5d6c8e84eff6 Mon Sep 17 00:00:00 2001 From: Gian-Carlo Pascutto Date: Thu, 26 Oct 2017 17:50:49 +0200 Subject: [PATCH] Bug 1386404 - Intercept access to /tmp and rewrite to content process tempdir. r=jld MozReview-Commit-ID: 2h9hw6opYof --HG-- extra : rebase_source : f3121d7afff22e3f72c66e3a5553e731a83a2e1c --- .../sandbox/linux/broker/SandboxBroker.cpp | 32 +++++++++++++++++++ security/sandbox/linux/broker/SandboxBroker.h | 2 ++ .../broker/SandboxBrokerPolicyFactory.cpp | 2 -- 3 files changed, 34 insertions(+), 2 deletions(-) diff --git a/security/sandbox/linux/broker/SandboxBroker.cpp b/security/sandbox/linux/broker/SandboxBroker.cpp index 63bdb30a3465..28e0d6ee514d 100644 --- a/security/sandbox/linux/broker/SandboxBroker.cpp +++ b/security/sandbox/linux/broker/SandboxBroker.cpp @@ -28,6 +28,9 @@ #include "mozilla/NullPtr.h" #include "mozilla/Sprintf.h" #include "mozilla/ipc/FileDescriptor.h" +#include "nsDirectoryServiceDefs.h" +#include "nsAppDirectoryServiceDefs.h" +#include "SpecialSystemDirectory.h" #include "sandbox/linux/system_headers/linux_syscalls.h" namespace mozilla { 
@@ -515,6 +518,34 @@ SandboxBroker::ConvertToRealPath(char* aPath, size_t aBufSize, size_t aPathLen) return aPathLen; } +size_t +SandboxBroker::RemapTempDirs(char* aPath, size_t aBufSize, size_t aPathLen) +{ + nsAutoCString path(aPath); + static const nsLiteralCString tempPrefix(NS_LITERAL_CSTRING("/tmp")); + + if (StringBeginsWith(path, tempPrefix)) { + size_t prefixLen = tempPrefix.Length(); + const nsDependentCSubstring cutPath = + Substring(path, prefixLen, path.Length() - prefixLen); + // Only now try to get the content process temp dir + nsCOMPtr tmpDir; + nsresult rv = NS_GetSpecialDirectory(NS_APP_CONTENT_PROCESS_TEMP_DIR, + getter_AddRefs(tmpDir)); + if (NS_SUCCEEDED(rv)) { + nsAutoCString tmpPath; + rv = tmpDir->GetNativePath(tmpPath); + if (NS_SUCCEEDED(rv)) { + tmpPath.Append(cutPath); + base::strlcpy(aPath, tmpPath.get(), aBufSize); + return strlen(aPath); + } + } + } + + return aPathLen; +} + nsCString SandboxBroker::ReverseSymlinks(const nsACString& aPath) { @@ -675,6 +706,7 @@ SandboxBroker::ThreadMain(void) // Look up the first pathname but first translate relative paths. pathLen = ConvertToRealPath(pathBuf, sizeof(pathBuf), pathLen); + pathLen = RemapTempDirs(pathBuf, sizeof(pathBuf), pathLen); perms = mPolicy->Lookup(nsDependentCString(pathBuf, pathLen)); // We don't have read permissions on the requested dir. diff --git a/security/sandbox/linux/broker/SandboxBroker.h b/security/sandbox/linux/broker/SandboxBroker.h index a55c11374cc9..1716f6e8d17f 100644 --- a/security/sandbox/linux/broker/SandboxBroker.h +++ b/security/sandbox/linux/broker/SandboxBroker.h 
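Review bot: The prefix test in RemapTempDirs matches any path that merely begins with the four characters `/tmp`, so a request for `/tmpfoo/x` has `foo/x` appended directly to the content temp dir path with no separator and is rewritten to a sibling of that directory instead of being left alone; the guard should be `if (path.EqualsLiteral("/tmp") || StringBeginsWith(path, NS_LITERAL_CSTRING("/tmp/"))) {`. The policy lookup still runs on the rewritten path, so this is not an escape, but it silently changes which file a plausible-looking path resolves to. The `base::strlcpy` result is also discarded, so a rewritten path longer than aBufSize is truncated and the truncated prefix is what gets authorized; checking `if (tmpPath.Length() >= aBufSize) { return aPathLen; }` before the copy leaves aPath untouched in that case so the caller falls back to the unremapped path. Whether NS_GetSpecialDirectory is safe to call from the broker thread on every request, and whether its result should be resolved once and cached, I cannot tell from this hunk.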
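Review bot: The new RemapTempDirs call sits between ConvertToRealPath and the policy lookup with no comment on why that ordering matters: the rewritten path, not the one the client asked for, is what mPolicy->Lookup authorizes, and presumably also what any later denial audit reports. A one-line comment would keep the next maintainer from moving it, e.g. `// Rewrite /tmp into the content process temp dir before the lookup so the policy is applied to the real destination.` ThreadMain starts and ends outside this hunk, so I cannot see whether the symlink handling later in the function operates on the remapped path as well.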
@@ -143,6 +143,8 @@ class SandboxBroker final void AuditDenial(int aOp, int aFlags, int aPerms, const char* aPath); // Remap relative paths to absolute paths. size_t ConvertToRealPath(char* aPath, size_t aBufSize, size_t aPathLen); + // Remap references to /tmp and friends to the content process tempdir + size_t RemapTempDirs(char* aPath, size_t aBufSize, size_t aPathLen); nsCString ReverseSymlinks(const nsACString& aPath); // Retrieves permissions for the path the original symlink sits in. int SymlinkPermissions(const char* aPath, const size_t aPathLen); diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp index a7c2526df18b..74a1617a7fa3 100644 --- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp +++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp @@ -231,8 +231,6 @@ SandboxBrokerPolicyFactory::SandboxBrokerPolicyFactory() #endif policy->AddDir(rdonly, "/usr/share"); policy->AddDir(rdonly, "/usr/local/share"); - policy->AddDir(rdonly, "/usr/tmp"); - policy->AddDir(rdonly, "/var/tmp"); // Various places where fonts reside policy->AddDir(rdonly, "/usr/X11R6/lib/X11/fonts"); policy->AddDir(rdonly, "/nix/store");
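Review bot: The comment on RemapTempDirs says "/tmp and friends", but the implementation in SandboxBroker.cpp only tests for the `/tmp` prefix, while the same patch drops `/usr/tmp` and `/var/tmp` from the read-only policy without remapping them; either the comment is aspirational or those paths are now simply denied, and the header should say which. The declaration should also state the contract the caller relies on: `// Rewrite a path under /tmp into the content process temp dir in place and return the new length; returns aPathLen unchanged when the path is not under /tmp or the temp dir cannot be resolved.` The class declaration starts and ends outside this hunk.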