Bug 1455498 - Whitelist directories passed in LD_LIBRARY_PATH. r=jld

Differential Revision: https://phabricator.services.mozilla.com/D70554

security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp

@@ -254,6 +254,22 @@ static void AddLdconfigPaths(SandboxBroker::Policy* aPolicy) {
   AddPathsFromFile(aPolicy, ldConfig);
 }
 
+static void AddLdLibraryEnvPaths(SandboxBroker::Policy* aPolicy) {
+  nsAutoCString LdLibraryEnv(PR_GetEnv("LD_LIBRARY_PATH"));
+  // The items in LD_LIBRARY_PATH can be separated by either colons or
+  // semicolons, according to the ld.so(8) man page, and empirically it
+  // seems to be allowed to mix them (i.e., a:b;c is a list with 3 elements).
+  // There is no support for escaping the delimiters, fortunately (for us).
+  LdLibraryEnv.ReplaceChar(';', ':');
+  for (const nsACString& libPath : LdLibraryEnv.Split(':')) {
+    char* resolvedPath = realpath(PromiseFlatCString(libPath).get(), nullptr);
+    if (resolvedPath) {
+      aPolicy->AddDir(rdonly, resolvedPath);
+      free(resolvedPath);
+    }
+  }
+}
+
 static void AddSharedMemoryPaths(SandboxBroker::Policy* aPolicy, pid_t aPid) {
   std::string shmPath("/dev/shm");
   if (base::SharedMemory::AppendPosixShmPrefix(&shmPath, aPid)) {
@@ -299,6 +315,7 @@ SandboxBrokerPolicyFactory::SandboxBrokerPolicyFactory() {
 
   AddMesaSysfsPaths(policy);
   AddLdconfigPaths(policy);
+  AddLdLibraryEnvPaths(policy);
 
   // Bug 1385715: NVIDIA PRIME support
   policy->AddPath(rdonly, "/proc/modules");