Bug 1705045 - Quietly deny `MADV_MERGEABLE` in Linux sandbox policies that filter `madvise`. r=gcp

This `madvise` type is used by one Linux distro's libc, and in
principle could be used by other userspace libraries trying to optimize
performance, and I'd rather not allow it (see bug for more details).

Therefore, this patch returns an error instead of treating it as an
unknown syscall (which crashes on Nightly).

However, the content policy doesn't yet filter `madvise` (bug 1510861);
this patch doesn't change that.

Differential Revision: https://phabricator.services.mozilla.com/D112884
Jed Davis 2021-04-30 00:24:15 +00:00
Parent 74cfb39ab2
Commit 6f45e8a477
1 changed file: 2 additions and 0 deletions

@ -784,6 +784,7 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
#ifdef MOZ_ASAN
.ElseIf(advice == MADV_DONTDUMP, Allow())
#endif
.ElseIf(advice == MADV_MERGEABLE, Error(EPERM)) // bug 1705045
.Else(InvalidSyscall());
}
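Review bot: The new `.ElseIf(advice == MADV_MERGEABLE, Error(EPERM))` branch is documented only by `// bug 1705045`, which does not say why this advice value gets an errno while everything else still falls through to `.Else(InvalidSyscall())`. A one-line comment stating that the request is refused on purpose and that callers are expected to tolerate the failure would stop a later change from turning it into `Allow()` or folding it back into the default. If the same caller can also issue MADV_UNMERGEABLE and nothing earlier in the chain matches it, that value still reaches `InvalidSyscall()`, so it is worth confirming whether it needs the same treatment.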
@ -1673,6 +1674,7 @@ class GMPSandboxPolicy : public SandboxPolicyCommon {
#ifdef MOZ_ASAN
.ElseIf(advice == MADV_DONTDUMP, Allow())
#endif
.ElseIf(advice == MADV_MERGEABLE, Error(EPERM)) // bug 1705045
.Else(Error(ENOSYS));
}
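Review bot: In GMPSandboxPolicy the added branch sits directly above `.Else(Error(ENOSYS))`, so MADV_MERGEABLE was already refused with an error here and the only visible effect is the errno changing from ENOSYS to EPERM. If the intent is a consistent errno across both policies, the comment should say so; as written, `// bug 1705045` reads as if this policy had the same crash-on-unknown behaviour as the common one, which the default branch shows it does not.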