Bug 1595994 - P13. Enable ffvpx in RDD on linux. r=mattwoodrow,gcp

Depends on D91689

Differential Revision: https://phabricator.services.mozilla.com/D91690

dom/media/ipc/RDDChild.cpp

@@ -42,7 +42,7 @@ bool RDDChild::Init() {
   Maybe<FileDescriptor> brokerFd;
 
 #if defined(XP_LINUX) && defined(MOZ_SANDBOX)
-  auto policy = SandboxBrokerPolicyFactory::GetUtilityPolicy(OtherPid());
+  auto policy = SandboxBrokerPolicyFactory::GetRDDPolicy(OtherPid());
   if (policy != nullptr) {
     brokerFd = Some(FileDescriptor());
     mSandboxBroker =

modules/libpref/init/StaticPrefList.yaml

@@ -7083,6 +7083,8 @@
   value: true
 #elif defined(XP_MACOSX)
   value: true
+#elif defined(XP_LINUX) && !defined(ANDROID)
+  value: true
 #else
   value: false
 #endif

security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp

@@ -678,7 +678,7 @@ UniquePtr<SandboxBroker::Policy> SandboxBrokerPolicyFactory::GetContentPolicy(
 }
 
 /* static */ UniquePtr<SandboxBroker::Policy>
-SandboxBrokerPolicyFactory::GetUtilityPolicy(int aPid) {
+SandboxBrokerPolicyFactory::GetRDDPolicy(int aPid) {
   auto policy = MakeUnique<SandboxBroker::Policy>();
 
   AddSharedMemoryPaths(policy.get(), aPid);
@@ -691,6 +691,39 @@ SandboxBrokerPolicyFactory::GetUtilityPolicy(int aPid) {
                   "/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq");
   policy->AddPath(rdonly, "/sys/devices/system/cpu/cpu0/cache/index2/size");
   policy->AddPath(rdonly, "/sys/devices/system/cpu/cpu0/cache/index3/size");
+  policy->AddDir(rdonly, "/sys/devices/cpu");
+  policy->AddDir(rdonly, "/sys/devices/system/cpu");
+  policy->AddDir(rdonly, "/sys/devices/system/node");
+  policy->AddDir(rdonly, "/lib");
+  policy->AddDir(rdonly, "/lib64");
+  policy->AddDir(rdonly, "/usr/lib");
+  policy->AddDir(rdonly, "/usr/lib32");
+  policy->AddDir(rdonly, "/usr/lib64");
+
+  // Firefox binary dir.
+  // Note that unlike the previous cases, we use NS_GetSpecialDirectory
+  // instead of GetSpecialSystemDirectory. The former requires a working XPCOM
+  // system, which may not be the case for some tests. For querying for the
+  // location of XPCOM things, we can use it anyway.
+  nsCOMPtr<nsIFile> ffDir;
+  nsresult rv = NS_GetSpecialDirectory(NS_GRE_DIR, getter_AddRefs(ffDir));
+  if (NS_SUCCEEDED(rv)) {
+    nsAutoCString tmpPath;
+    rv = ffDir->GetNativePath(tmpPath);
+    if (NS_SUCCEEDED(rv)) {
+      policy->AddDir(rdonly, tmpPath.get());
+    }
+  }
+
+  if (mozilla::IsDevelopmentBuild()) {
+    // If this is a developer build the resources are symlinks to outside the
+    // binary dir. Therefore in non-release builds we allow reads from the whole
+    // repository. MOZ_DEVELOPER_REPO_DIR is set by mach run.
+    const char* developer_repo_dir = PR_GetEnv("MOZ_DEVELOPER_REPO_DIR");
+    if (developer_repo_dir) {
+      policy->AddDir(rdonly, developer_repo_dir);
+    }
+  }
 
   if (policy->IsEmpty()) {
     policy = nullptr;

security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h

@@ -20,7 +20,7 @@ class SandboxBrokerPolicyFactory {
   UniquePtr<SandboxBroker::Policy> GetContentPolicy(int aPid,
                                                     bool aFileProcess);
 
-  static UniquePtr<SandboxBroker::Policy> GetUtilityPolicy(int aPid);
+  static UniquePtr<SandboxBroker::Policy> GetRDDPolicy(int aPid);
   static UniquePtr<SandboxBroker::Policy> GetSocketProcessPolicy(int aPid);
 
  private: