Open Bug 1291502 Opened 8 years ago Updated 2 years ago

Improve media plugin filesystem access sandbox policy failure modes

Categories

(Core :: Security: Process Sandboxing, defect)

Unspecified
Linux
defect

Tracking

Tracking Status
firefox51 --- affected

People

(Reporter: jld, Unassigned)

References

Details

(Whiteboard: sb+)

In bug 1290633 I changed the GMP sandbox policy to fail most unexpected open()s without crashing, in order to avoid the crash reporter always recursively crashing and never getting a crash dump.  This still isn't ideal because we don't get the metadata, but also it means we won't notice any other unexpected opens that happen outside of crash handling.

Once we have a capable enough filesystem broker, we could give GMP processes the same “sandboxed temp dir” capability as content processes and use that; if/when we do, we can effectively revert bug 1290633.

A slightly separate problem: I could have done something like strstr() the path for "GeckoChildCrash" and soft-failed only those, but I was also concerned that this might happen again for some other path/filename that *is* opened during crash handling and not realize it, the same way bug 1290633 went unnoticed at first.  So it would be nice if there were something like a global atomic flag set while crashing (including non-sandbox-induced) to try to avoid crash recursion, but that might be more of a feature request for the Breakpad Integration component.
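The failure modes the report weighs (allow the open, soft-fail it with an errno, or trap into a crash reporter that itself needs to open a file) can be reproduced with a small seccomp-bpf filter. The program below is an added example written for this page, not Mozilla's sandbox or Breakpad code: it forks a child, installs a filter whose verdict for open()/openat() is chosen per run, and in the trap case registers a SIGSYS handler that uses a global atomic "crash in progress" flag of the kind the last paragraph suggests, so the handler's own open() re-enters the handler once and then exits cleanly instead of recursing. The minidump path, the exit codes and the choice of ENOENT as the soft-fail errno are this example's own; it assumes Linux with glibc and a kernel or container that permits installing seccomp filters, and reports "policy unavailable" otherwise.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Three ways a policy can treat an open()/openat() it did not expect. */
enum policy { POLICY_ALLOW, POLICY_SOFT_FAIL, POLICY_TRAP };

/* What the parent process observed from the sandboxed child. */
enum outcome {
    OUTCOME_OPEN_OK,            /* open() succeeded */
    OUTCOME_SOFT_FAIL,          /* open() returned -1 with the policy's errno, no signal */
    OUTCOME_CRASH_RECURSION,    /* SIGSYS handler trapped again; the flag caught it */
    OUTCOME_KILLED_BY_SIGSYS,   /* SIGSYS terminated the child outright */
    OUTCOME_POLICY_UNAVAILABLE, /* kernel or container refused the seccomp filter */
    OUTCOME_UNEXPECTED
};

/* Child exit codes used to report back to the parent (constructed constants). */
enum { EXIT_OPEN_OK = 0, EXIT_SOFT_FAIL = 10, EXIT_RECURSION = 42, EXIT_NO_SECCOMP = 100, EXIT_OTHER = 101 };

/* The global atomic "already crashing" flag the bug report asks for. */
static atomic_flag crash_in_progress = ATOMIC_FLAG_INIT;

/* Stand-in crash reporter: it also opens a file, which the same policy traps
 * again. Without the flag the handler would re-enter itself on every trap. */
static void on_sigsys(int sig, siginfo_t *info, void *ctx)
{
    (void)sig; (void)info; (void)ctx;
    if (atomic_flag_test_and_set(&crash_in_progress))
        _exit(EXIT_RECURSION);  /* nested crash: exit cleanly instead of recursing */
    /* Constructed placeholder path, not Firefox's real minidump location. */
    (void)open("/tmp/example-minidump.dmp", O_WRONLY | O_CREAT, 0600); /* traps again under POLICY_TRAP */
    _exit(EXIT_OTHER);          /* only reached if that open was allowed */
}

/* Minimal filter: apply `verdict` to open/openat, allow everything else.
 * (A production filter also checks seccomp_data.arch and allows far less.) */
static int install_open_filter(unsigned int verdict)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_open
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 2, 0),
#endif
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, 0), /* verdict patched in below */
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    prog[fprog.len - 1].k = verdict;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Fork a child, sandbox it with policy p, have it open /dev/null, classify the result. */
enum outcome probe_open_under_policy(enum policy p)
{
    pid_t pid = fork();
    if (pid < 0) return OUTCOME_UNEXPECTED;
    if (pid == 0) {
        struct sigaction sa = { .sa_flags = SA_SIGINFO | SA_NODEFER }; /* NODEFER: nested trap re-enters */
        sa.sa_sigaction = on_sigsys;
        sigemptyset(&sa.sa_mask);
        sigaction(SIGSYS, &sa, NULL);
        unsigned int verdict = p == POLICY_ALLOW ? SECCOMP_RET_ALLOW
            : p == POLICY_SOFT_FAIL ? (SECCOMP_RET_ERRNO | (ENOENT & SECCOMP_RET_DATA)) : SECCOMP_RET_TRAP;
        if (install_open_filter(verdict) != 0) _exit(EXIT_NO_SECCOMP);
        if (open("/dev/null", O_RDONLY) >= 0) _exit(EXIT_OPEN_OK);
        _exit(errno == ENOENT ? EXIT_SOFT_FAIL : EXIT_OTHER);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return OUTCOME_UNEXPECTED;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGSYS ? OUTCOME_KILLED_BY_SIGSYS : OUTCOME_UNEXPECTED;
    switch (WEXITSTATUS(status)) {
    case EXIT_OPEN_OK:    return OUTCOME_OPEN_OK;
    case EXIT_SOFT_FAIL:  return OUTCOME_SOFT_FAIL;
    case EXIT_RECURSION:  return OUTCOME_CRASH_RECURSION;
    case EXIT_NO_SECCOMP: return OUTCOME_POLICY_UNAVAILABLE;
    default:              return OUTCOME_UNEXPECTED;
    }
}

int main(void)
{
    for (enum policy p = POLICY_ALLOW; p <= POLICY_TRAP; p++)
        printf("policy %d -> outcome %d\n", (int)p, (int)probe_open_under_policy(p));
    return 0;
}
```

Build with `cc -o probe probe.c` and run it; on a host that allows seccomp filters the three policies yield outcomes 0 (open-ok), 1 (soft-fail) and 2 (crash-recursion-detected). The soft-fail run is the bug 1290633 situation: the process keeps going and nothing records that an unexpected open happened. The trap run shows why a path-based special case is fragile and a process-wide flag is not: whichever file the crash handler touches, the second trap is recognised as recursion because the flag was set before the handler did any work, and the filter never has to know the dump path.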
Whiteboard: sb+
Severity: normal → S3