Bug 1974445 - Linux sandbox: filter send/recv flags for socket process. a=diannaS

Original Revision: https://phabricator.services.mozilla.com/D255743

Differential Revision: https://phabricator.services.mozilla.com/D259016

security/sandbox/common/test/SandboxTestingChildTests.h

@@ -728,6 +728,11 @@ void RunTestsSocket(SandboxTestingChild* child) {
     return 0;
   });
 
+  child->ErrnoValueTest("send_with_flag"_ns, ENOSYS, [] {
+    char c = 0;
+    return send(0, &c, 1, MSG_OOB);
+  });
+
   child->ErrnoValueTest("ioctl_dma_buf"_ns, ENOSYS, [] {
     // Attempt an arbitrary non-tty ioctl, on the wrong type of fd; if
     // allowed it would fail with ENOTTY (see the RDD tests) but in

security/sandbox/linux/SandboxFilter.cpp

@@ -2161,10 +2161,14 @@ class SocketProcessSandboxPolicy final : public SandboxPolicyCommon {
   }
 
   BoolExpr MsgFlagsAllowed(const Arg<int>& aFlags) const override {
-    // Allow everything for Necko, for now; this can be restricted
-    // later (and the socket process sandbox is already relatively
-    // permissive).
-    return BoolConst(true);
+    // Necko might use advanced networking features, and the sandbox
+    // is relatively permissive compared to content, so this is a
+    // default-allow policy.
+    //
+    // However, `MSG_OOB` has historically been buggy, and the way it
+    // maps to TCP is notoriously broken (see RFC 6093), so it should
+    // be safe to block.
+    return (aFlags & MSG_OOB) == 0;
   }
 
   Maybe<ResultExpr> EvaluateSocketCall(int aCall,