1043733 - Require sandboxing for media plugins on Linux.

Status: RESOLVED FIXED

(Core :: Security, defect)

Description

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

As a followup from bug 1039819, and to summarize recent discussion in #media: this bug is to disable Gecko Media Plugin support on Linux hosts that don't support seccomp-bpf sandboxing.

Also, at this point it would be good to have a way for a user to check their sandboxing support status.  Chromium has an about:sandbox page for this.

Comment 1

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

Attachment: bug1043733-gmp-mandatory-sandbox-hg0.diff

A few infrastructure changes:

* Once we start trying to enable sandboxing, either it works or we crash.

* Whether sandboxing is expected to work (or "work" by doing nothing, if disabled) is exposed to callers of the sandboxing code, so they can take steps earlier than sandbox start time, like disabling media plugin loading so that the browser doesn't advertise media capabilities it can't actually use.

* To make this all (hopefully) simpler, the testing for seccomp-bpf support and environment variables is now done in a static initializer, setting flags used elsewhere in the code.

Also of note:

* Disabling GMP support is accomplished by failing calls to GeckoMediaPluginService::AddPluginDirectory.

Try: https://tbpl.mozilla.org/?tree=Try&rev=0ed654d22aea or https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=0ed654d22aea

Comment 2

[Randell Jesup [:jesup] (needinfo me)]

Comment on attachment 8467948 [details] [diff] [review]
bug1043733-gmp-mandatory-sandbox-hg0.diff

Review of attachment 8467948 [details] [diff] [review]:
-----------------------------------------------------------------

::: security/sandbox/linux/Sandbox.cpp
@@ -278,5 @@
> -      didAnything = true;
> -    }
> -    /*
> -     * Bug 880797: when all B2G devices are required to support
> -     * seccomp-bpf, this should exit/crash if InstallSyscallFilter

I take it bug 880797 has been resolved?  I see InstallSyscallFilter handles the MOZ_CRASH itself

Comment 3

[Guillaume Destuynder [:kang] [this account is no longer active]]

Comment on attachment 8467948 [details] [diff] [review]
bug1043733-gmp-mandatory-sandbox-hg0.diff

Review of attachment 8467948 [details] [diff] [review]:
-----------------------------------------------------------------

I added the documentation for the new flags from this patch here: https://wiki.mozilla.org/index.php?title=Security/Sandbox

Comment 4

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

(In reply to Randell Jesup [:jesup] from comment #2)
> > -     * Bug 880797: when all B2G devices are required to support
> > -     * seccomp-bpf, this should exit/crash if InstallSyscallFilter
> 
> I take it bug 880797 has been resolved?  I see InstallSyscallFilter handles
> the MOZ_CRASH itself

Bug 880797 is… complicated, and I've updated it to try to address that.  The overall behavior for content processes / on B2G isn't changed here.  What this bug does do is make the optional-ness of sandboxing explicit, and make it conceptually the responsibility of the caller; see in particular the ContentParent change here (and contrast with the GMPParent/GMPChild change).

Comment 5

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

https://hg.mozilla.org/integration/mozilla-inbound/rev/20dbe115d628

Comment 6

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/20dbe115d628

Comment 7

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

Attachment: Patch for uplift to Aurora

Approval Request Comment
[Feature/regressing bug #]: Bug 1012951
[User impact if declined]: OpenH264 could run unsandboxed on systems without sandboxing support — where we never intended to support OpenH264, and where we will remove that support in the next release.
[Describe test coverage new/current, TBPL]: Covered by existing GMP testing.
[Risks and why]: Minimal.
[String/UUID change made/needed]: None.

Comment 8

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/8bcaa2c7dab7