From fe6d4dbee4be96dec414aacb51ff52a2c6ebd09c Mon Sep 17 00:00:00 2001
From: Chris H-C <chutten@mozilla.com>
Date: Fri, 31 Mar 2023 20:47:16 +0000
Subject: [PATCH] Bug 1824682 - Add /dev/urandom to rdd process sandbox on
 Linux r=gcp

On Linuxen without getrandom(), Rust (and Firefox broadly) uses /dev/urandom
as a fallback. Rust uses it for a few things, notably hashmaps... and will
panic if it can't use it.

Differential Revision: https://phabricator.services.mozilla.com/D174336
---
 security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
index c0e319376b10..3ed662c398a7 100644
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -820,6 +820,7 @@ SandboxBrokerPolicyFactory::GetRDDPolicy(int aPid) {
 
   AddSharedMemoryPaths(policy.get(), aPid);
 
+  policy->AddPath(rdonly, "/dev/urandom");
   // FIXME (bug 1662321): we should fix nsSystemInfo so that every
   // child process doesn't need to re-read these files to get the info
   // the parent process already has.