Closed
Bug 1012951
Opened 11 years ago
Closed 10 years ago
Sandbox the OpenH264 plugin for Linux
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED
FIXED
mozilla34
People
(Reporter: mreavy, Assigned: jld)
References
(Blocks 2 open bugs)
Details
Attachments
(3 files, 5 obsolete files)
1.67 KB,
patch
|
Details | Diff | Splinter Review | |
22.93 KB,
patch
|
kang
:
review+
|
Details | Diff | Splinter Review |
22.89 KB,
patch
|
jld
:
review+
Sylvestre
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
For security reasons we want to sandbox the OpenH264 plugin (which runs in separate process). This bug handles Linux. This is a spin off from Bug 985252.
Updated•11 years ago
|
OS: Windows 7 → Linux
Hardware: x86_64 → All
Reporter | ||
Updated•11 years ago
|
Blocks: WebRTC-OpenH264, 925570
Assignee | ||
Updated•11 years ago
|
Assignee: nobody → jld
Assignee | ||
Comment 1•10 years ago
|
||
If bug 1020090 can't happen soon enough, it might be possible to "fix" that problem by having the parent create the shm segments and pass them to the child. (The performance implications would remain.)
Assignee | ||
Comment 2•10 years ago
|
||
I applied the patch from bug 985252 and modified it to attach strace(1) to the process at the point where sandboxing would be started, and ran attachment 8436213 [details]. System call counts:
1 restart_syscall
4 clone
4 prctl
4 set_robust_list
16 gettid
1354 ftruncate
1354 open
1354 stat
1354 unlink
2708 dup
2708 fcntl
2708 lseek
3396 sendmsg
4085 munmap
4109 mmap
4467 recvmsg
4891 epoll_wait
5426 close
5432 fstat
6234 poll
6270 futex
7510 read
7510 write
19034 mprotect
The open/stat/unlink calls are all for SHM segments, which bug 1020090 should take care of; the fcntl calls are also part of that. prctl is always PR_SET_NAME. And everything else should be relatively harmless.
Assignee | ||
Comment 3•10 years ago
|
||
So, with the current WIP on bug 1020090, plus the PGMP::SetProcessSandbox stuff from bug 985252, there are no more filesystem references.
But also, if we wanted to turn on sandboxing before the call to PR_LoadLibrary and prevent any part of a media plugin from running unsandboxed, that should be possible: the path to the library file is known ahead of time, so we can pre-open it before sandboxing and simulate the actual open() in the SIGSYS handler. That plus preloading locale and iconv support seems to be enough, judging by strace.
Assignee | ||
Comment 4•10 years ago
|
||
Current work in progress. Depends on patches from bug 985252 and bug 1020090. Assorted caveats noted in commit message and in comments (and it probably breaks the build on non-Tier-1 Linux platforms). On my system this lets OpenH264 work (and exit normally, and invoke the crash reporter) without sandbox violations.
Assignee | ||
Comment 5•10 years ago
|
||
Shiny new work-in-progress. Starts the sandbox before the library is loaded.
Attachment #8450724 -
Attachment is obsolete: true
Reporter | ||
Comment 6•10 years ago
|
||
Finally getting around to updating the bug component to security (which is more accurate).
Component: WebRTC → Security
Assignee | ||
Comment 7•10 years ago
|
||
I think this has reached the point where I can stop calling it "work in progress". I've tested locally on Debian unstable and Ubuntu 12.04, both 64-bit and 32-bit x86.
The f? is because I've changed how the Windows build enables GMP sandboxing (no functional change intended). Because not all Linux-based platforms will use GMP sandboxing (for now) I wanted a flag for it instead of duplicating the test in multiple places, so it seemed reasonable to generalize it.
Try: https://tbpl.mozilla.org/?tree=Try&rev=0ea0bf1ce749
Attachment #8454102 -
Attachment is obsolete: true
Attachment #8459424 -
Flags: review?(ted)
Attachment #8459424 -
Flags: review?(gdestuynder)
Attachment #8459424 -
Flags: feedback?(tabraldes)
Comment 8•10 years ago
|
||
Comment on attachment 8459424 [details] [diff] [review]
bug1012951-gmp-sandbox-hg0.diff
Review of attachment 8459424 [details] [diff] [review]:
-----------------------------------------------------------------
> The f? is because I've changed how the Windows build enables GMP sandboxing
> (no functional change intended). Because not all Linux-based platforms will
> use GMP sandboxing (for now) I wanted a flag for it instead of duplicating
> the test in multiple places, so it seemed reasonable to generalize it.
This seems fine to me, but the real person who should take a look is a build system peer.
Attachment #8459424 -
Flags: feedback?(tabraldes) → feedback+
Attachment #8459424 -
Flags: review?(gdestuynder) → review+
Comment 9•10 years ago
|
||
Comment on attachment 8459424 [details] [diff] [review]
bug1012951-gmp-sandbox-hg0.diff
Review of attachment 8459424 [details] [diff] [review]:
-----------------------------------------------------------------
::: content/media/gmp/GMPChild.cpp
@@ +25,5 @@
> #if defined(XP_WIN)
> #define TARGET_SANDBOX_EXPORTS
> #include "mozilla/sandboxTarget.h"
> +#elif defined(XP_LINUX) && defined(MOZ_GMP_SANDBOX)
> +#include "mozilla/Sandbox.h"
Kind of sucks that the API is different here per-platform.
Attachment #8459424 -
Flags: review?(ted) → review+
Assignee | ||
Comment 10•10 years ago
|
||
Rebase. Carrying over r+es.
Attachment #8459424 -
Attachment is obsolete: true
Attachment #8464329 -
Flags: review+
Assignee | ||
Comment 11•10 years ago
|
||
…and with this trivial change, it passes the recently added H.264 tests on try: https://tbpl.mozilla.org/?tree=Try&rev=f1d674e3e736
Attachment #8464329 -
Attachment is obsolete: true
Attachment #8464502 -
Flags: review+
Assignee | ||
Comment 12•10 years ago
|
||
Comment 13•10 years ago
|
||
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Assignee | ||
Comment 14•10 years ago
|
||
I'll request uplift once this has had some time on m-c.
Flags: needinfo?(jld)
Comment 15•10 years ago
|
||
Backed out for causing bug 1046165 (not your fault; test coverage was down).
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/99e1f3c50a12
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated•10 years ago
|
Whiteboard: 33
Updated•10 years ago
|
Whiteboard: 33
Comment 16•10 years ago
|
||
Merge of backout:
https://hg.mozilla.org/mozilla-central/rev/99e1f3c50a12
Target Milestone: mozilla34 → ---
Assignee | ||
Comment 18•10 years ago
|
||
I'll squash the patches for review and commit, because I don't think it makes sense to land them separately and leave a broken intemediate state, but this is in case of bugzilla interdiff failure.
Flags: needinfo?(jld)
Assignee | ||
Comment 19•10 years ago
|
||
I think I should get re-review for the incremental changes (see also attachment 8466472 [details] [diff] [review]).
Try: https://tbpl.mozilla.org/?tree=Try&rev=db0c695346a1
Attachment #8464502 -
Attachment is obsolete: true
Attachment #8466473 -
Flags: review?(gdestuynder)
Assignee | ||
Comment 20•10 years ago
|
||
(In reply to Jed Davis [:jld] from comment #18)
> Created attachment 8466472 [details] [diff] [review]
> Incremental changes from bug 1046538
>
> I'll squash the patches for review and commit, because I don't think it
> makes sense to land them separately and leave a broken intemediate state,
> but this is in case of bugzilla interdiff failure.
…actually, the interdiff is a little larger (or would be if it could handle this case, which it can't). I switched from nsCString to a strdup()ed const char* to store the plugin path given that bug 1041886 will require that anyway; and given that assuming nsCString::get to be async-signal-safe, even if that currently happens to be true, seems like a bad idea.
Comment on attachment 8466473 [details] [diff] [review]
bug1012951-gmp-sandbox-hg3.diff
Review of attachment 8466473 [details] [diff] [review]:
-----------------------------------------------------------------
Thanks for the details :) Better interdiff would be nice ;)
Attachment #8466473 -
Flags: review?(gdestuynder) → review+
Assignee | ||
Comment 22•10 years ago
|
||
Bug 1034138 means that the sched_getaffinity soft-fail needs to be unifdef'ed, it looks like.
Assignee | ||
Comment 23•10 years ago
|
||
Comment 24•10 years ago
|
||
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Assignee | ||
Comment 25•10 years ago
|
||
Approval Request Comment
[Feature/regressing bug #]: Bug 948160
[User impact if declined]: No sandboxing for OpenH264 on Linux.
[Describe test coverage new/current, TBPL]: Buildbot has been successfully using this since it landed on m-c.
[Risks and why]: We may encounter Linux distributions that require sandbox policy changes (different versions of libc, etc.) — but that will happen regardless of what train this rides, and I want to get as much lead time between that and shipping EME as possible.
[String/UUID change made/needed]: None.
Attachment #8473928 -
Flags: review+
Attachment #8473928 -
Flags: approval-mozilla-aurora?
Updated•10 years ago
|
status-firefox33:
--- → affected
status-firefox34:
--- → fixed
Updated•10 years ago
|
Attachment #8473928 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 26•10 years ago
|
||
You need to log in
before you can comment on or make changes to this bug.
Description
•