[tor-commits] [tor-browser/tor-browser-52.6.0esr-8.0-2] Bug 22794: Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured

gk at torproject.org gk at torproject.org
Mon Feb 19 15:36:06 UTC 2018


commit eafaa94a613a326bd13234540fe88b86451ee3e9
Author: Richard Pospesel <richard at torproject.org>
Date:   Thu Feb 1 16:20:42 2018 -0800

    Bug 22794: Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured
    
    The initialization path for the SOCKS proxy in firefox involves creating
    a generic AF_INET socket, and then replacing it if the actual
    configuration requires something else (either AF_INET6 or AF_LOCAL).
    With syscall filtering configured to return an error in the event of
    AF_INET or AF_INET6 socket creation, this initialization path fails.  We
    would like this capability so that we can prevent firefox from making
    network requests outside of the Tor proxy.
    
    This patch adds a check in the initial socket creation path to see if
    the SOCKS proxy host begins with file:// with the assumption that such
    URIs point to a UNIX Domain Socket (on Linux+macOS only).  In that case,
    we create an AF_LOCAL socket rather than the requested type.  A similar
    check for Windows already exists to determine if the proxy is actually a
    named pipe.
    
    In the subsequent replacing step no work occurs as the passed in socket
    matches the type we need, so no changes need to be made there.
    
    NOTE: With this change there is still a one-time request for an AF_INET6
    socket that occurs.  This code path exists to determine whether the
    system supports IPv6; if socket(AF_INET6...) fails then it is assumed
    that the system does not.  However, this check only affects code that is
    unreachable when using AF_LOCAL sockets so it seems safe to leave as it is.
    However, this does mean that Tor Browser will still be incompatible with
    seccomp policies which kill the calling thread in the event of a
    socket(AF_INET6,...) call.
---
 netwerk/socket/nsSOCKSSocketProvider.cpp | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/netwerk/socket/nsSOCKSSocketProvider.cpp b/netwerk/socket/nsSOCKSSocketProvider.cpp
index c62534f7bf3d..bcae1234f486 100644
--- a/netwerk/socket/nsSOCKSSocketProvider.cpp
+++ b/netwerk/socket/nsSOCKSSocketProvider.cpp
@@ -43,6 +43,14 @@ nsSOCKSSocketProvider::CreateV5(nsISupports *aOuter, REFNSIID aIID, void **aResu
     return rv;
 }
 
+#if defined(XP_UNIX)
+bool
+static IsUNIXDomainSocketPath(const nsACString& aPath)
+{
+    return StringBeginsWith(aPath, NS_LITERAL_CSTRING("file://"));
+}
+#endif
+
 NS_IMETHODIMP
 nsSOCKSSocketProvider::NewSocket(int32_t family,
                                  const char *host, 
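
Review bot: The new helper's declaration puts 'bool' on one line and 'static IsUNIXDomainSocketPath(...)' on the next, so the storage-class specifier follows the return type. It compiles, but 'static bool' in the usual order reads better and matches what a search for the declaration would expect. The helper also accepts any host beginning with the case-sensitive literal "file://" and never inspects what follows the scheme. A one-line comment above it stating that such URIs are assumed to name a UNIX domain socket would put the commit message's assumption next to the code that depends on it. The name could also say that it tests a URI prefix, not a filesystem path.
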
@@ -62,6 +70,13 @@ nsSOCKSSocketProvider::NewSocket(int32_t family,
         sock = CreateNamedPipeLayer();
     } else
 #endif
+#if defined(XP_UNIX)
+    nsAutoCString proxyHost;
+    proxy->GetHost(proxyHost);
+    if(IsUNIXDomainSocketPath(proxyHost)) {
+        family = AF_LOCAL;
+    }
+#endif
     {
         sock = PR_OpenTCPSocket(family);
         if (!sock) {
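
Review bot: The added XP_UNIX statements sit between the '} else' / '#endif' of the preceding conditional and the braced block that calls PR_OpenTCPSocket(family), so correctness depends on that earlier '#if' and XP_UNIX never both being defined. If they ever were, the 'else' would bind to the 'nsAutoCString proxyHost;' line instead of to the braced block. Moving the three statements inside the braces, directly above 'sock = PR_OpenTCPSocket(family);', removes that dependency and keeps the family override next to the call it affects. Separately, the result of 'proxy->GetHost(proxyHost)' is ignored: on failure proxyHost stays empty and the socket is opened with the caller's original family, so checking the return value and bailing out would make the failure explicit. Minor style: 'if(' is missing the space used by the 'if (!sock)' just below.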


