Open Bug 1884449 Opened 10 months ago Updated 10 months ago

We allow some socket calls in RDD "for X11" but we don't allow X11

Categories

(Core :: Security: Process Sandboxing, enhancement, P2)

People

(Reporter: jld, Unassigned)

References

(Blocks 1 open bug)

Details

Noticed this while looking at another bug: in RDDSandboxPolicy::EvaluateSocketCall, we allow several calls (getsockname, getpeername, shutdown) “for X11”, but we don't allow X11 access. (At one point it seemed as if we'd need to use X11 to get access to GPU accelerated codecs, but we were able to avoid that; see bug 1770523 and related bugs.) So, we probably don't need to allow those syscalls. They're relatively harmless, so blocking them isn't a high priority, but I wanted to have a bug on file to document the situation.

Severity: -- → S4
Priority: -- → P2