Bug 1770523 - Return to not allowing X11 access in the RDD process. r=gcp

The patch for bug 1769499 lets the RDD process create a headless EGL context using GBM, which needs access only to the GPU device files, not the display server. This means that the X11 access recently added in bug 1769182 can be turned back off. Differential Revision: https://phabricator.services.mozilla.com/D147792
2022-06-01 16:42:53 +00:00 · 2022-06-01 16:42:53 +00:00 · b1826e7b68
--- a/security/sandbox/common/test/SandboxTestingChildTests.h
+++ b/security/sandbox/common/test/SandboxTestingChildTests.h
@ -602,18 +602,8 @@ void RunTestsRDD(SandboxTestingChild* child) {
  child->ErrnoTest("socket_inet"_ns, false,
                   [] { return socket(AF_INET, SOCK_STREAM, 0); });

-  {
-    UniqueFileHandle fd(socket(AF_UNIX, SOCK_STREAM, 0));
-    child->ErrnoTest("socket_unix"_ns, true, [&] { return fd.get(); });
-
-    struct sockaddr_un sun {};
-    sun.sun_family = AF_UNIX;
-    strncpy(sun.sun_path, "/tmp/forbidden-sock", sizeof(sun.sun_path));
-
-    child->ErrnoValueTest("socket_unix_bind"_ns, ENOSYS, [&] {
-      return bind(fd.get(), (struct sockaddr*)&sun, sizeof(sun));
-    });
-  }
+  child->ErrnoTest("socket_unix"_ns, false,
+                   [] { return socket(AF_UNIX, SOCK_STREAM, 0); });

  child->ErrnoTest("uname"_ns, true, [] {
    struct utsname uts;
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@ -1790,7 +1790,6 @@ class RDDSandboxPolicy final : public SandboxPolicyCommon {
  explicit RDDSandboxPolicy(SandboxBrokerClient* aBroker) {
    mBroker = aBroker;
    mMayCreateShmem = true;
-    mBrokeredConnect = true;
  }

 #ifndef ANDROID
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@ -382,7 +382,8 @@ static void AddGLDependencies(SandboxBroker::Policy* policy) {
  // cache, because the details can vary by process type, including
  // whether caching is enabled.

-  AddX11Dependencies(policy);
+  // This also doesn't include permissions for connecting to a display
+  // server, because headless GL (e.g., Mesa GBM) may not need it.
 }

 void SandboxBrokerPolicyFactory::InitContentPolicy() {
@ -399,6 +400,7 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {

  if (!headless) {
    AddGLDependencies(policy);
+    AddX11Dependencies(policy);
  }

  // Read permissions
@ -855,7 +857,8 @@ SandboxBrokerPolicyFactory::GetRDDPolicy(int aPid) {
    }
  }

-  // VA-API needs GPU access and GL context creation
+  // VA-API needs GPU access and GL context creation (but not display
+  // server access, as of bug 1769499).
  AddGLDependencies(policy.get());

  // FFmpeg and GPU drivers may need general-case library loading