Bug 1397753 - Disallow kill() in sandboxed content processes. r=gcp

As a special case to deal with PulseAudio, testing for a process's existence with kill(pid, 0) quietly fails with EPERM instead. (I also added some commentary on umask, since I was touching that part of the code anyway.) MozReview-Commit-ID: CM0Aqii13j4 --HG-- extra : rebase_source : 44ef05e9a39a9eea4a649399c63b865f5523d43b
2017-09-07 08:29:02 -06:00 · 2017-09-07 08:29:02 -06:00 · e6cee20f4d
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@ -791,10 +791,22 @@ public:
        .Else(InvalidSyscall());
    }

+      // PulseAudio calls umask, even though it's unsafe in
+      // multithreaded applications.  But, allowing it here doesn't
+      // really do anything one way or the other, now that file
+      // accesses are brokered to another process.
    case __NR_umask:
-    case __NR_kill:
      return Allow();

+    case __NR_kill: {
+      Arg<int> sig(1);
+      // PulseAudio uses kill(pid, 0) to check if purported owners of
+      // shared memory files are still alive; see bug 1397753 for more
+      // details.
+      return If(sig == 0, Error(EPERM))
+        .Else(InvalidSyscall());
+    }
+
    case __NR_wait4:
 #ifdef __NR_waitpid
    case __NR_waitpid: