The initialization path for the SOCKS proxy in firefox involves creating
a generic AF_INET socket, and then replacing it if the actual
configuration requires something else (either AF_INET6 or AF_LOCAL).
With syscall filtering configured to return an error in the event of
AF_INET or AF_INET6 socket creation, this initialization path fails. We
would like this capability so that we can prevent firefox from making
network requests outside of the Tor proxy.
This patch adds a check in the initial socket creation path to see if
the SOCKS proxy host begins with file:// with the assumption that such
URIs point to a UNIX Domain Socket (on Linux+macOS only). In that case,
we create an AF_LOCAL socket rather than the requested type. A similar
check for Windows already exists to determine if the proxy is actually a
named pipe.
In the subsequent replacing step no work occurs as the passed in socket
matches the type we need, so no changes need to be made there.
NOTE: With this change there is still a one-time request for an AF_INET6
socket that occurs. This code path exists to determine whether the
system supports IPv6; if socket(AF_INET6...) fails then it is assumed
that the system does not. However, this check only affects code that is
unreachable when using AF_LOCAL sockets so it seems safe leave as it is.
However, this does mean that firefox will still be incompatible with
seccomp policies which kill the calling thread in the event of a
socket(AF_INET6,...) call.
This flags is added in the http channel interface by which developers can control the TLS
connections from JavaScript code (e.g. Add-ons). Basically, all the changes accounted for
plumbing this TLS flags from JavaScript level to C++ code responsible for calling NSS
module. We also added a unit test to make sure that separate connections are created if we
use different tlsFlags. Basically we used a concrete set of flag values that covers the
edge cases and check the hashkey generated in the connection info.
