
commit ac665134d1e82061489fadb438a56aadd565b0ab
parent 514dc1601ce6d23da8463ae64441a75f493a46d2
Author: Jed Davis <jld@mozilla.com>
Date:   Thu, 13 Nov 2025 16:43:53 +0000

Bug 1992904 - Allow uname in the Linux utility process sandbox.  r=gcp

This also moves the uname rule into `SandboxPolicyCommon`, because it's
now allowed in every type except GMP (which already overrides it) and is
likely to be needed in any future process types.

Differential Revision: https://phabricator.services.mozilla.com/D270795

Diffstat:
Msecurity/sandbox/common/test/SandboxTestingChildTests.h | 11++++++++---
Msecurity/sandbox/linux/SandboxFilter.cpp | 18+++++++-----------
2 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/security/sandbox/common/test/SandboxTestingChildTests.h b/security/sandbox/common/test/SandboxTestingChildTests.h
@@ -1001,11 +1001,16 @@ void RunTestsGenericUtility(SandboxTestingChild* child) {
 return rv;
 });
- struct rusage res;
 child->ErrnoTest("getrusage"_ns, true, [&] {
- int rv = getrusage(RUSAGE_SELF, &res);
- return rv;
+ struct rusage res;
+ return getrusage(RUSAGE_SELF, &res);
+ });
+
+ child->ErrnoTest("uname"_ns, true, [&] {
+ struct utsname uts;
+ return uname(&uts);
 });
+
 # elif XP_MACOSX // XP_LINUX
 RunMacTestLaunchProcess(child);
 RunMacTestWindowServer(child);
diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
@@ -1399,6 +1399,13 @@ class SandboxPolicyCommon : public SandboxPolicyBase {
 case __NR_getcwd:
 return Error(ENOENT);
+ // Basically every process type ends up using this for some
+ // reason (nsSystemInfo in content, Mesa in RDD, bug 1992904 for
+ // utility, etc.). Other than GMP, which overrides this (see
+ // below), it's relatively safe to expose this information.
+ case __NR_uname:
+ return Allow();
+
 default:
 return SandboxPolicyBase::EvaluateSyscall(sysno);
 }
@@ -1781,9 +1788,6 @@ class ContentSandboxPolicy : public SandboxPolicyCommon {
 #endif // DESKTOP
- // nsSystemInfo uses uname (and we cache an instance, so
- // the info remains present even if we block the syscall)
- case __NR_uname:
 #ifdef DESKTOP
 case __NR_sysinfo:
 #endif
@@ -2118,10 +2122,6 @@ class RDDSandboxPolicy final : public SandboxPolicyCommon {
 case __NR_sched_get_priority_max:
 return Allow();
- // Mesa sometimes wants to know the OS version.
- case __NR_uname:
- return Allow();
-
 // nvidia tries to mknod(!) its devices; that won't work anyway,
 // so quietly reject it.
 #ifdef __NR_mknod
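Review bot: The new `uname` test in RunTestsGenericUtility declares `struct utsname uts;` and calls `uname(&uts)`, but this hunk adds no `#include <sys/utsname.h>`, so unless that header is already pulled in elsewhere in SandboxTestingChildTests.h the Linux build of the test will fail to compile; I can't see the include block from this diff, so please confirm it is present next to the other `<sys/...>` includes. The `true` expectation is the right assertion for the policy change, but since the test only checks that the call succeeds, consider also asserting `uts.sysname[0] != '\0'` so a seccomp stub returning 0 with an unfilled buffer would not pass silently — that is a nice-to-have, not a blocker. RunTestsGenericUtility begins before and ends after this hunk.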
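Review bot: The comment on the new `__NR_uname` case in SandboxPolicyCommon::EvaluateSyscall says it is "relatively safe to expose this information" without saying what is exposed, which matters now that every policy inheriting from the common base gets it by default. I would make it concrete, e.g. `// uname() fills sysname/nodename/release/version/machine: nodename is the host name and release/version pin the exact kernel build. This is an information leak rather than a capability, but any policy that must not expose it (currently GMP) has to override this case instead of falling through.` Since the change flips the base-class default from deny to allow, it is worth a quick grep to confirm no policy other than GMP was relying on the old fall-through to block uname; the GMP override the comment refers to is outside this hunk, as are the start and end of the switch.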
@@ -2313,10 +2313,6 @@ class SocketProcessSandboxPolicy final : public SandboxPolicyCommon {
 }
 #endif // DESKTOP
- // Bug 1640612
- case __NR_uname:
- return Allow();
-
 default:
 return SandboxPolicyCommon::EvaluateSyscall(sysno);
 }