Closed Bug 1043733 Opened 5 years ago Closed 5 years ago

Require sandboxing for media plugins on Linux.

Categories: Core :: Security, defect
Platform: All / Linux
Priority: Not set
Status: RESOLVED FIXED
Target milestone: mozilla34
Tracking status: firefox33 --- fixed; firefox34 --- fixed
People: Reporter: jld, Assigned: jld
References: Blocks 2 open bugs
Attachments: 2 files

As a followup from bug 1039819, and to summarize recent discussion in #media: this bug is to disable Gecko Media Plugin support on Linux hosts that don't support seccomp-bpf sandboxing.

Also, at this point it would be good to have a way for a user to check their sandboxing support status.  Chromium has an about:sandbox page for this.
A few infrastructure changes:

* Once we start trying to enable sandboxing, either it works or we crash.

* Whether sandboxing is expected to work (or "work" by doing nothing, if disabled) is exposed to callers of the sandboxing code, so they can take steps earlier than sandbox start time, like disabling media plugin loading so that the browser doesn't advertise media capabilities it can't actually use.

* To make this all (hopefully) simpler, the testing for seccomp-bpf support and environment variables is now done in a static initializer, setting flags used elsewhere in the code.

Also of note:

* Disabling GMP support is accomplished by failing calls to GeckoMediaPluginService::AddPluginDirectory.

Try: https://tbpl.mozilla.org/?tree=Try&rev=0ed654d22aea or https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=0ed654d22aea
Attachment #8467948 - Flags: review?(rjesup)
Attachment #8467948 - Flags: review?(gdestuynder)
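The infrastructure described in comment 1 has three parts: probe seccomp-bpf support once, early; expose "is the sandbox expected to work" to callers so they can refuse to load plugins before start time; and, once sandbox start is attempted, either install the filter or crash. The following is an added example written for this page, not code from Gecko's Sandbox.cpp or the attached patch. Every identifier in it is hypothetical, and the opt-out variable EXAMPLE_DISABLE_SANDBOX is an assumption standing in for whatever flag the real patch documents; the filter it installs is an allow-everything placeholder so the focus stays on the fail-closed decision logic. Linux only.

```c
/* Added example (not Gecko/Firefox code): fail-closed sandbox capability
 * check. All names are hypothetical; EXAMPLE_DISABLE_SANDBOX is an assumed
 * opt-out variable, not one of Mozilla's real flags. Linux only. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>

typedef enum {
  SANDBOX_UNSUPPORTED, /* kernel has no seccomp-bpf: do not load plugins */
  SANDBOX_DISABLED,    /* supported, but the operator opted out */
  SANDBOX_ENABLED      /* supported and expected to be applied */
} SandboxStatus;

typedef enum { START_SKIPPED, START_APPLIED, START_FATAL } StartOutcome;

/* Probe seccomp-bpf support without installing anything. The kernel only
 * copies the user-supplied program after it has accepted SECCOMP_MODE_FILTER,
 * so a NULL program fails with EFAULT on a capable kernel and with EINVAL on
 * one lacking seccomp-bpf. (Chromium uses the same probe.) */
static bool kernel_supports_seccomp_bpf(void) {
  errno = 0;
  return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0) == -1 &&
         errno == EFAULT;
}

/* Computed once, early (the bug moves this into a static initializer) so
 * callers can act before sandbox start time. disable_env is the opt-out
 * variable's value, or NULL when unset. */
static SandboxStatus compute_sandbox_status(bool kernel_ok, const char *disable_env) {
  if (!kernel_ok) return SANDBOX_UNSUPPORTED;
  if (disable_env && disable_env[0] != '\0') return SANDBOX_DISABLED;
  return SANDBOX_ENABLED;
}

/* Caller-side policy: a disabled sandbox still "works" by doing nothing, so
 * only an unsupported kernel blocks plugin loading. Deciding here keeps the
 * browser from advertising media capabilities it will refuse to run. */
static bool may_load_media_plugins(SandboxStatus s) {
  return s != SANDBOX_UNSUPPORTED;
}

/* Start-time rule: once we try to enable the sandbox, either the filter is
 * installed or the process dies. install() returns true on success. */
typedef bool (*InstallFilterFn)(void);

static StartOutcome sandbox_start_outcome(SandboxStatus s, InstallFilterFn install) {
  if (s == SANDBOX_DISABLED) return START_SKIPPED;
  if (s == SANDBOX_ENABLED && install()) return START_APPLIED;
  return START_FATAL; /* unsupported kernel or failed install: never run unsandboxed */
}

static void start_sandbox_or_die(SandboxStatus s, InstallFilterFn install) {
  if (sandbox_start_outcome(s, install) == START_FATAL) {
    fprintf(stderr, "sandbox: seccomp-bpf filter not installed; aborting\n");
    abort();
  }
}

/* Allow-everything program standing in for the real syscall policy; it still
 * performs the two prctl calls a real installer needs and reports failure. */
static bool install_allow_all_filter(void) {
  struct sock_filter insns[] = { BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW) };
  struct sock_fprog prog = { .len = 1, .filter = insns };
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return false;
  return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0) == 0;
}

/* Test doubles for exercising the decision logic without touching the kernel. */
static bool install_always_succeeds(void) { return true; }
static bool install_always_fails(void) { return false; }

int main(void) {
  SandboxStatus s = compute_sandbox_status(kernel_supports_seccomp_bpf(),
                                           getenv("EXAMPLE_DISABLE_SANDBOX"));
  printf("media plugins %s\n", may_load_media_plugins(s) ? "allowed" : "disabled");
  if (!may_load_media_plugins(s)) return 0; /* plugin process is never started */
  start_sandbox_or_die(s, install_allow_all_filter);
  printf("plugin process running %s\n",
         s == SANDBOX_DISABLED ? "unsandboxed (operator opt-out)" : "under seccomp-bpf");
  return 0;
}
```

Build with `cc -o sandbox_probe sandbox_probe.c` on a Linux host and run it once plainly and once with EXAMPLE_DISABLE_SANDBOX=1 to see the opt-out path; on a kernel without seccomp-bpf the program reports plugins disabled and never attempts sandbox start, which is the behaviour this bug asks for.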
Comment on attachment 8467948 [details] [diff] [review]
bug1043733-gmp-mandatory-sandbox-hg0.diff

Review of attachment 8467948 [details] [diff] [review]:
-----------------------------------------------------------------

::: security/sandbox/linux/Sandbox.cpp
@@ -278,5 @@
> -      didAnything = true;
> -    }
> -    /*
> -     * Bug 880797: when all B2G devices are required to support
> -     * seccomp-bpf, this should exit/crash if InstallSyscallFilter
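Review bot: the deleted comment was this code's only pointer to bug 880797 and to the intended exit/crash when InstallSyscallFilter fails, and the hunk as shown also drops the `didAnything = true;` bookkeeping and its closing `}` without showing what replaces them; the patch description, or a comment at the new failure site, should record where the failure now becomes fatal and whether the B2G condition from bug 880797 still applies, so the rationale does not vanish with the comment.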

I take it bug 880797 has been resolved?  I see InstallSyscallFilter handles the MOZ_CRASH itself
Attachment #8467948 - Flags: review?(rjesup) → review+
Comment on attachment 8467948 [details] [diff] [review]
bug1043733-gmp-mandatory-sandbox-hg0.diff

Review of attachment 8467948 [details] [diff] [review]:
-----------------------------------------------------------------

I added the documentation for the new flags from this patch here: https://wiki.mozilla.org/index.php?title=Security/Sandbox
Attachment #8467948 - Flags: review?(gdestuynder) → review+
(In reply to Randell Jesup [:jesup] from comment #2)
> > -     * Bug 880797: when all B2G devices are required to support
> > -     * seccomp-bpf, this should exit/crash if InstallSyscallFilter
> 
> I take it bug 880797 has been resolved?  I see InstallSyscallFilter handles
> the MOZ_CRASH itself

Bug 880797 is… complicated, and I've updated it to try to address that.  The overall behavior for content processes / on B2G isn't changed here.  What this bug does do is make the optional-ness of sandboxing explicit, and make it conceptually the responsibility of the caller; see in particular the ContentParent change here (and contrast with the GMPParent/GMPChild change).
https://hg.mozilla.org/mozilla-central/rev/20dbe115d628
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Approval Request Comment
[Feature/regressing bug #]: Bug 1012951
[User impact if declined]: OpenH264 could run unsandboxed on systems without sandboxing support — where we never intended to support OpenH264, and where we will remove that support in the next release.
[Describe test coverage new/current, TBPL]: Covered by existing GMP testing.
[Risks and why]: Minimal.
[String/UUID change made/needed]: None.
Attachment #8473929 - Flags: review+
Attachment #8473929 - Flags: approval-mozilla-aurora?
Attachment #8473929 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
See Also: → 1070036
See Also: → 1072363