From 59c1dc37892f589899d14515b0ac4c8977e5cb80 Mon Sep 17 00:00:00 2001
From: "M. Sirringhaus"
Date: Tue, 16 Nov 2021 14:16:19 +0000
Subject: [PATCH] Bug 1736990 - Expose /dev/random and /proc/sys/crypto/fips_enabled in sandboxes. r=bryce,gcp

For running in FIPS mode, NSS needs to check /proc/sys/crypto/fips_enabled, to be able to tell whether FIPS is enabled or not. FIPS also mandates using /dev/random instead of /dev/urandom.

Differential Revision: https://phabricator.services.mozilla.com/D129126
---
 .../common/test/SandboxTestingChildTests.h | 41 +++++++++++++++++++
 security/sandbox/linux/Sandbox.cpp | 1 +
 .../broker/SandboxBrokerPolicyFactory.cpp | 4 ++
 3 files changed, 46 insertions(+)

diff --git a/security/sandbox/common/test/SandboxTestingChildTests.h b/security/sandbox/common/test/SandboxTestingChildTests.h
index 001323c9a5af..4b23bab97fe7 100644
--- a/security/sandbox/common/test/SandboxTestingChildTests.h
+++ b/security/sandbox/common/test/SandboxTestingChildTests.h
@@ -111,6 +111,26 @@ void RunTestsContent(SandboxTestingChild* child) {
 sizeof(sa_family_t) + str_size);
 return con_st;
 });
+
+ // Testing FIPS-relevant files, which need to be accessible
+ std::vector> open_tests = {
+ {"/dev/random", true}};
+ // Not all systems have that file, so we only test access, if it exists
+ // in the first place
+ if (stat("/proc/sys/crypto/fips_enabled", &st) == 0) {
+ open_tests.push_back({"/proc/sys/crypto/fips_enabled", true});
+ }
+
+ for (const std::pair& to_open : open_tests) {
+ child->ErrnoTest("open("_ns + nsCString(to_open.first) + ")"_ns,
+ to_open.second, [&] {
+ int fd = open(to_open.first, O_RDONLY);
+ if (to_open.second && fd > 0) {
+ close(fd);
+ }
+ return fd;
+ });
+ }
 # endif // XP_LINUX
 # ifdef XP_MACOSX
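Review bot: The close guard in the new open-test lambda, `if (to_open.second && fd > 0)`, treats descriptor 0 as a failure, so a successful open that happens to return 0 (possible in a child whose stdin is closed) is reported correctly by ErrnoTest but never closed; it should read `if (to_open.second && fd >= 0) {`. The hunk also writes into `st` without declaring it, unlike the otherwise identical RunTestsSocket hunk in this patch which adds `struct stat st;` — presumably RunTestsContent already declares one for its earlier stat() tests, but that declaration is outside the hunk, so it is worth confirming. The type arguments of `std::vector<...>` and `std::pair<...>` appear to have been lost in this rendering of the patch, not in the code itself. RunTestsContent begins and ends outside this hunk.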
@@ -156,6 +176,27 @@ void RunTestsSocket(SandboxTestingChild* child) {
 int rv = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
 return rv;
 });
+
+ // Testing FIPS-relevant files, which need to be accessible
+ std::vector> open_tests = {
+ {"/dev/random", true}};
+ // Not all systems have that file, so we only test access, if it exists
+ // in the first place
+ struct stat st;
+ if (stat("/proc/sys/crypto/fips_enabled", &st) == 0) {
+ open_tests.push_back({"/proc/sys/crypto/fips_enabled", true});
+ }
+
+ for (const std::pair& to_open : open_tests) {
+ child->ErrnoTest("open("_ns + nsCString(to_open.first) + ")"_ns,
+ to_open.second, [&] {
+ int fd = open(to_open.first, O_RDONLY);
+ if (to_open.second && fd > 0) {
+ close(fd);
+ }
+ return fd;
+ });
+ }
 # endif // XP_LINUX
 #else // XP_UNIX
diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp
index c38175cecb97..1f9be80e97b8 100644
--- a/security/sandbox/linux/Sandbox.cpp
+++ b/security/sandbox/linux/Sandbox.cpp
@@ -655,6 +655,7 @@ void SetMediaPluginSandbox(const char* aFilePath) {
 auto files = new SandboxOpenedFiles();
 files->Add(std::move(plugin));
 files->Add("/dev/urandom", SandboxOpenedFile::Dup::YES);
+ files->Add("/dev/random", SandboxOpenedFile::Dup::YES);
 files->Add("/etc/ld.so.cache"); // Needed for NSS in clearkey.
 files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz");
 files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq");
diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
index 35da47b714ba..62a53b1901bf 100644
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
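Review bot: The twenty-odd lines added to RunTestsSocket are a verbatim copy of the RunTestsContent hunk (plus the `struct stat st;` that hunk lacks), including the same `fd > 0` guard that leaks a descriptor 0 on success; both call sites would be better served by one static helper defined earlier in the XP_LINUX section and invoked as `TestFipsFilesReadable(child);` from each function. The helper below also closes any successfully opened descriptor regardless of the expected outcome, so a test whose expectation is false cannot leak an fd either. RunTestsSocket begins and ends outside this hunk.
```cpp
// Opens each FIPS-relevant path read-only and reports the result through
// ErrnoTest. /proc/sys/crypto/fips_enabled is only checked when it exists,
// since kernels without CONFIG_CRYPTO_FIPS do not provide it.
static void TestFipsFilesReadable(SandboxTestingChild* child) {
  std::vector<std::pair<const char*, bool>> open_tests = {
      {"/dev/random", true}};
  struct stat st;
  if (stat("/proc/sys/crypto/fips_enabled", &st) == 0) {
    open_tests.push_back({"/proc/sys/crypto/fips_enabled", true});
  }
  for (const auto& to_open : open_tests) {
    child->ErrnoTest("open("_ns + nsCString(to_open.first) + ")"_ns,
                     to_open.second, [&] {
                       int fd = open(to_open.first, O_RDONLY);
                       if (fd >= 0) {  // 0 is a valid descriptor; never leak it
                         close(fd);
                       }
                       return fd;
                     });
  }
}
```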
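Review bot: The media-plugin sandbox gets a pre-opened /dev/random here but not /proc/sys/crypto/fips_enabled, while the content and socket broker policies in the same patch receive both, and the line below notes that NSS runs in clearkey; if that NSS instance performs the same FIPS detection the commit message describes, it will be unable to read fips_enabled under this sandbox. That may be deliberate — whether `SandboxOpenedFiles::Add` tolerates a path that is absent on most kernels is not visible here — so either add the entry or record why it is omitted. The new line also deserves the same why-comment its neighbour has, e.g. `files->Add("/dev/random", SandboxOpenedFile::Dup::YES);  // NSS in FIPS mode reads /dev/random, not /dev/urandom`. SetMediaPluginSandbox begins and ends outside this hunk.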
@@ -320,6 +320,8 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
 // Read permissions
 policy->AddPath(rdonly, "/dev/urandom");
+ policy->AddPath(rdonly, "/dev/random");
+ policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
 policy->AddPath(rdonly, "/proc/cpuinfo");
 policy->AddPath(rdonly, "/proc/meminfo");
 policy->AddDir(rdonly, "/sys/devices/cpu");
@@ -818,6 +820,8 @@ SandboxBrokerPolicyFactory::GetSocketProcessPolicy(int aPid) {
 auto policy = MakeUnique();
 policy->AddPath(rdonly, "/dev/urandom");
+ policy->AddPath(rdonly, "/dev/random");
+ policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
 policy->AddPath(rdonly, "/proc/cpuinfo");
 policy->AddPath(rdonly, "/proc/meminfo");
 policy->AddDir(rdonly, "/sys/devices/cpu");
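Review bot: The two new content-policy entries carry no explanation of why a content process needs a second random device and a FIPS sysctl, and nothing nearby ties them to NSS; a reader auditing the broker allow-list later will not know whether they can be removed. Suggest a comment above them such as `// NSS FIPS mode: fips_enabled reports whether FIPS is on, and FIPS requires /dev/random rather than /dev/urandom (bug 1736990).` Read-only is the right scope for both paths; on kernels built without CONFIG_CRYPTO_FIPS the sysctl does not exist, and the test hunks in this patch account for that by checking stat() first, so the broker is presumably expected to simply fail the open — worth stating in the comment too. InitContentPolicy begins and ends outside this hunk.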
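Review bot: The socket-process hunk repeats the exact pair of `AddPath(rdonly, ...)` lines just added to InitContentPolicy, and /dev/random is added a third time in Sandbox.cpp, so the next file NSS needs for FIPS will have to be remembered in three places. A small helper in this file that adds both entries to a policy, or a shared array of the FIPS paths iterated by both policy builders, would keep the content and socket allow-lists in step; at minimum the same why-comment should appear here as in the content policy. GetSocketProcessPolicy continues past the end of this hunk.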