Bug 1736990 - Expose /dev/random and /proc/sys/crypto/fips_enabled in sandboxes. r=bryce,gcp

To run in FIPS mode, NSS needs to read /proc/sys/crypto/fips_enabled so it can tell whether FIPS is enabled.
FIPS also mandates using /dev/random instead of /dev/urandom.

Differential Revision: https://phabricator.services.mozilla.com/D129126
M. Sirringhaus 2021-11-16 14:16:19 +00:00
parent 57aa369908
commit 59c1dc3789
3 changed files with 46 additions and 0 deletions


@ -111,6 +111,26 @@ void RunTestsContent(SandboxTestingChild* child) {
sizeof(sa_family_t) + str_size);
return con_st;
});
// Testing FIPS-relevant files, which need to be accessible
std::vector<std::pair<const char*, bool>> open_tests = {
{"/dev/random", true}};
// Not all systems have that file, so we only test access, if it exists
// in the first place
if (stat("/proc/sys/crypto/fips_enabled", &st) == 0) {
open_tests.push_back({"/proc/sys/crypto/fips_enabled", true});
}
for (const std::pair<const char*, bool>& to_open : open_tests) {
child->ErrnoTest("open("_ns + nsCString(to_open.first) + ")"_ns,
to_open.second, [&] {
int fd = open(to_open.first, O_RDONLY);
if (to_open.second && fd > 0) {
close(fd);
}
return fd;
});
}
# endif // XP_LINUX
# ifdef XP_MACOSX
@ -156,6 +176,27 @@ void RunTestsSocket(SandboxTestingChild* child) {
int rv = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
return rv;
});
// Testing FIPS-relevant files, which need to be accessible
std::vector<std::pair<const char*, bool>> open_tests = {
{"/dev/random", true}};
// Not all systems have that file, so we only test access, if it exists
// in the first place
struct stat st;
if (stat("/proc/sys/crypto/fips_enabled", &st) == 0) {
open_tests.push_back({"/proc/sys/crypto/fips_enabled", true});
}
for (const std::pair<const char*, bool>& to_open : open_tests) {
child->ErrnoTest("open("_ns + nsCString(to_open.first) + ")"_ns,
to_open.second, [&] {
int fd = open(to_open.first, O_RDONLY);
if (to_open.second && fd > 0) {
close(fd);
}
return fd;
});
}
# endif // XP_LINUX
#else // XP_UNIX
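Review bot: The close guard `if (to_open.second && fd > 0)` in the ErrnoTest lambda leaks the descriptor in two cases: open() may legitimately return 0 when the lowest descriptor is free, and a file that unexpectedly opens while `to_open.second` is false is never closed, since that flag only records what the test expects; closing on success alone, `if (fd >= 0) { close(fd); }`, covers both. The same lambda appears in the RunTestsContent hunk and the RunTestsSocket hunk, so both need the change. The whole FIPS block is otherwise copied verbatim between the two functions, the only difference being the `struct stat st;` that the socket copy declares and the content copy presumably takes from an `st` declared earlier in RunTestsContent outside the hunk; a small static helper taking `child` would keep the two in step. Both enclosing functions start and end outside the hunks.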


@ -655,6 +655,7 @@ void SetMediaPluginSandbox(const char* aFilePath) {
auto files = new SandboxOpenedFiles();
files->Add(std::move(plugin));
files->Add("/dev/urandom", SandboxOpenedFile::Dup::YES);
files->Add("/dev/random", SandboxOpenedFile::Dup::YES);
files->Add("/etc/ld.so.cache"); // Needed for NSS in clearkey.
files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz");
files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq");
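Review bot: `/proc/sys/crypto/fips_enabled` is not pre-opened for the media plugin sandbox, although the `/etc/ld.so.cache` entry two lines below says NSS is loaded in clearkey and the commit message says NSS reads that file to decide whether FIPS is on; if that check also runs in the GMP process, it will presumably fail there in FIPS mode while the content and socket policies pass. A why-comment matching the neighbouring line would also help: `files->Add("/dev/random", SandboxOpenedFile::Dup::YES);  // NSS in FIPS mode reads /dev/random.` SetMediaPluginSandbox starts and ends outside the hunk.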


@ -320,6 +320,8 @@ void SandboxBrokerPolicyFactory::InitContentPolicy() {
// Read permissions
policy->AddPath(rdonly, "/dev/urandom");
policy->AddPath(rdonly, "/dev/random");
policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
policy->AddPath(rdonly, "/proc/cpuinfo");
policy->AddPath(rdonly, "/proc/meminfo");
policy->AddDir(rdonly, "/sys/devices/cpu");
@ -818,6 +820,8 @@ SandboxBrokerPolicyFactory::GetSocketProcessPolicy(int aPid) {
auto policy = MakeUnique<SandboxBroker::Policy>();
policy->AddPath(rdonly, "/dev/urandom");
policy->AddPath(rdonly, "/dev/random");
policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
policy->AddPath(rdonly, "/proc/cpuinfo");
policy->AddPath(rdonly, "/proc/meminfo");
policy->AddDir(rdonly, "/sys/devices/cpu");
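Review bot: The new `policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");` lines in InitContentPolicy and GetSocketProcessPolicy carry no explanation of why a crypto sysctl is granted to these processes, while the test hunk in the same commit notes the path does not exist on every system; a trailing comment such as `// NSS reads this to detect FIPS mode; may not exist on all systems.` on both lines would spare the next reader a bisect. Whether AddPath tolerates a missing path when the policy is built is not visible here — the test guards it with stat(), which suggests it does, but worth confirming. Both enclosing functions extend beyond the hunks.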