Closed Bug 1046525 Opened 10 years ago Closed 10 years ago

Allow get{e,}gid and sched_{g,s}etparam in sandboxed content processes.

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
ARM
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla34
Project Flags:
blocking-b2g 2.0M+
Tracking Flags:
Tracking Status
firefox32 --- wontfix
firefox33 --- wontfix
firefox34 --- fixed
b2g-v2.0 --- wontfix
b2g-v2.0M --- fixed
b2g-v2.1 --- fixed

People

(Reporter: jld, Assigned: jld)

References

Details

Attachments

(2 files)

bug1046525-more-syscalls-hg0.diff
2.80 KB, patch
kang
: review+
Details | Diff | Splinter Review
bug1046525-more-syscalls-20m-hg0.diff
2.83 KB, patch
jld
: review+
Details | Diff | Splinter Review
I've found some more syscalls that content processes use via media libraries and graphics drivers, on B2G prototype hardware. get{e,}gid shouldn't be as harmless as get{e,}uid, already allowed for similar reasons. sched_{g,s}etparam basically aren't anything we don't already allow with sched_{g,s}etscheduler. (In particular, sched_setscheduler also sets the parameters, so sched_setparam is just a special case.)
Comment on attachment 8465178 [details] [diff] [review] bug1046525-more-syscalls-hg0.diff Review of attachment 8465178 [details] [diff] [review]: ----------------------------------------------------------------- Note: I'm generally just r+'ing these but I feel like this should be mentionned in the bugs: any call added increase the kernel attack surface (generally I'm also more suspicious about setters than getters obviously) That said, first we need everything working so yeah :)
Attachment #8465178 - Flags: review?(gdestuynder) → review+
(In reply to Guillaume Destuynder [:kang] (use NEEDINFO!) from comment #2) > Note: I'm generally just r+'ing these but I feel like this should be > mentionned in the bugs: > any call added increase the kernel attack surface (generally I'm also more > suspicious about setters than getters obviously) Agreed; we should consider limiting those at some point; maybe restrict the scheduler policy id, if it could allow access to badly tested alternative scheduling code that we don't use, and restrict the set* calls to the calling thread (although on B2G the userid check should already take care of that). With these calls, given that they're used by audio/video libraries, I'd be worried about performance regressions from denying access to that kind of scheduler control. Once we the Flame KitKat port is done and being used for perf testing we should be in a better position to address that kind of thing.
https://hg.mozilla.org/mozilla-central/rev/9a9d70cf2224
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
blocking-b2g: --- → 2.0M?
As required.
blocking-b2g: 2.0M? → 2.0M+
Hi Jed, can you provide a patch for 2.0m? Thanks!
Flags: needinfo?(jld)
No longer blocks: 1009995
Blocks: 1009995
Patch for uplift to 2.0M (the m-c patch doesn't apply cleanly). Tested locally. Carrying over r+.
Attachment #8489563 - Flags: review+
Flags: needinfo?(jld)
Blocks: Woodduck
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: