Closed Bug 1076612 Opened 10 years ago Closed 10 years ago

Prevent dangerous certified permissions from being side-loaded

Categories

(Core Graveyard :: DOM: Apps, defect)

Product:
Core Graveyard
Component:
DOM: Apps
Platform:
All
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 1064108

People

(Reporter: pauljt, Unassigned)

References

Details

Attachments

(1 file)

Screen Shot 2014-10-02 at 1.17.46 pm.png
160.84 KB, image/png
Details
We are changing the debugging restrictions on b2g to allow debugging of all apps that have been sideloaded, regardless of app type. (previously sideloading of certified apps was allowed, but they could not be debugged, to prevent debugging of gaia apps). However it occurred to me that sideloading an app which has an embed-apps permission, you can make a debug-able app which is allowed to embed gaia apps. If you omit the remote=true iframe attribute, this embedded gaia app will actually run in the same process as the sideloaded app, and it is possible to use the devtools debugger to then execute javascript in the context of the embedded app (see attached screenshot of debugging a test app, which has the gaia clock app embedded in it). To fix these we could just prevent sideloading of apps with the "embed-apps" permission. We should probably the "engineering-mode" permission as well while we are at it, since that potentially has similar consequences, depending on how vendors extend this API. I was thinking that rather than blacklisting, having a whitelist in the permissions installer might be a better way to go (since we know the system by the preference b2g.system_manifest_url). But not sure this solution extends to the engineering-mode API. TLDR: prevent side-loading of apps with either the "embed-apps" or "engineering-mode" permissions, unless dev-tools mode is enabled.
Blocks: 1019714
No longer blocks: 1035916
"embed-widgets" complicates this a bit? I think in this context I think "embed-widgets" is just as dangerous, isn't it? I.e. any app that has a widget could be embedded by an app with the embed-widgets permission, and then have a debugger attached as above. But if we just forbid "embed-widgets" developers wont be able to test homescreen apps that need this permission, unless devtools mode is enabled. Maybe that's a security trade-off we will need to live with - i.e cant test embed-widgets permission with being it devtools mode To be clear, I'm thinking something like: 1. add a pref which has a blacklist of permissions which are forbidden to sideload: pref("devtools.forbidden-permissions", "embed-apps,engineering-mode,embed-widgets"); 2. Add a check in loop which install permissions in permissionsInstaller[1] to prevent these when adding permissions. Something like checking this blacklist, and the state of devtools mode, ie: if (permissionsBlacklist[permName] && aApp.sideloaded && !devToolsModeEnabled) { Cu.reportError("PermissionsInstaller.jsm: '" + permName + "'" + " is forbidden to be sideloaded when devtools mode is disabled"); dump("PermissionsInstaller.jsm: '" + permName + "'" + " is forbidden to be sideloaded when devtools mode is disabled"); continue; } [1] https://mxr.mozilla.org/mozilla-central/source/dom/apps/PermissionsInstaller.jsm#133 Is that an acceptable way to address this risk?
This bug looks like a dupe of bug 1064108?
(In reply to Alexandre Poirot [:ochameau] from comment #3) > This bug looks like a dupe of bug 1064108? Yes since you blocked the permissions in that bug, thanks.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Resolution: FIXED → DUPLICATE
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: