diff --git a/security/sandbox/common/test/SandboxTestingChildTests.h b/security/sandbox/common/test/SandboxTestingChildTests.h
index 84381d1b46cf..0ff0238154e8 100644
--- a/security/sandbox/common/test/SandboxTestingChildTests.h
+++ b/security/sandbox/common/test/SandboxTestingChildTests.h
@@ -728,6 +728,11 @@ void RunTestsSocket(SandboxTestingChild* child) {
 return 0;
 });
 
+ child->ErrnoValueTest("send_with_flag"_ns, ENOSYS, [] {
+ char c = 0;
+ return send(0, &c, 1, MSG_OOB);
+ });
+
 child->ErrnoValueTest("ioctl_dma_buf"_ns, ENOSYS, [] {
 // Attempt an arbitrary non-tty ioctl, on the wrong type of fd; if
 // allowed it would fail with ENOTTY (see the RDD tests) but in
diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
index eb1de1d6e39b..4b070ce0c9b8 100644
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@@ -2161,10 +2161,14 @@ class SocketProcessSandboxPolicy final : public SandboxPolicyCommon {
 }
 
 BoolExpr MsgFlagsAllowed(const Arg& aFlags) const override {
- // Allow everything for Necko, for now; this can be restricted
- // later (and the socket process sandbox is already relatively
- // permissive).
- return BoolConst(true);
+ // Necko might use advanced networking features, and the sandbox
+ // is relatively permissive compared to content, so this is a
+ // default-allow policy.
+ //
+ // However, `MSG_OOB` has historically been buggy, and the way it
+ // maps to TCP is notoriously broken (see RFC 6093), so it should
+ // be safe to block.
+ return (aFlags & MSG_OOB) == 0;
 }
 
 Maybe EvaluateSocketCall(int aCall,
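Review bot: The new `send_with_flag` test calls `send` on fd 0 without explaining the choice, while the neighbouring `ioctl_dma_buf` test spells out why it uses the wrong type of fd; add the same reasoning here, e.g. `// fd 0 is not expected to be a socket here: if the filter let MSG_OOB through, the kernel would fail the call with ENOTSOCK (or EBADF), not ENOSYS, so a pass really means the filter rejected the flag.` Without that, a future reader may "fix" the test to use a real socket and lose the property that an allowed call can never look like a rejected one. The name `send_with_flag` also understates what is exercised; `send_msg_oob` would tie it to the filter change in SandboxFilter.cpp. RunTestsSocket continues outside the hunk.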
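Review bot: The rewritten comment in `MsgFlagsAllowed` gives the rationale for blocking `MSG_OOB` but not what a caller observes or where the decision is verified; since the `send_with_flag` test added in SandboxTestingChildTests.h expects ENOSYS, the comment should state that a socket call carrying `MSG_OOB` is refused by the filter with ENOSYS (as that test checks) rather than reaching the socket layer, and name the test so the two stay in sync. `MsgFlagsAllowed` presumably gates the flags of both send- and receive-side calls, so the comment should also say explicitly that receiving with `MSG_OOB` is blocked as well, which the new test does not cover. The hedged wording "should be safe to block" reads as an open question in a policy comment; stating the decision plainly, e.g. `// ... so the socket process blocks it.`, is clearer. The enclosing class continues outside the hunk.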