Bug 1078971 - Can we un-whitelist getdents for B2G content sandboxing?
Status: RESOLVED WONTFIX (Closed)
Opened 10 years ago; closed 8 years ago
Component: Core :: Security: Process Sandboxing (defect)
Reporter: jld; Assignee: unassigned
Whiteboard: sb-
Bug 1026099 might have been the last thing trying to readdir(3) from a sandboxed content process. If it was, then we can drop getdents(2) from the whitelist.
(Even though it would have been limited to directories the process could get a file descriptor for, once we did something about open(2), it would be nice to not have that piece of attack surface.)
Currently trying on emulator: https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=253b856f2c1d (the debug mochi-6 breakage seems to be unrelated), and some level of testing on physical hardware and/or non-ICS is called for as well.
Comment 1 • reporter • 10 years ago
Unfortunately, WebGL:
Thread 0 (crashed)
0 libc.so + 0x20890
1 libc.so!__readdir_locked [dirent.cpp : 84 + 0xf]
2 libc.so!readdir_r [dirent.cpp : 117 + 0x5]
3 libEGL.so + 0x344ef
4 libEGL.so!android::Loader::load_driver(char const*, android::egl_connection_t*, unsigned int) [Loader.cpp : 294 + 0xb]
5 libEGL.so!android::Loader::open(android::egl_connection_t*) [Loader.cpp : 175 + 0x5]
6 libEGL.so!android::egl_init_drivers() [egl.cpp : 316 + 0x5]
7 libEGL.so!eglGetDisplay [eglApi.cpp : 212 + 0x3]
8 libxul.so!mozilla::gl::GLLibraryEGL::EnsureInitialized() [GLLibraryEGL.h : 140 + 0x5]
9 libxul.so!mozilla::gl::GLContextProviderEGL::CreateHeadless() [GLContextProviderEGL.cpp : 884 + 0x5]
10 libxul.so!mozilla::WebGLContext::CreateOffscreenGL(bool) [WebGLContext.cpp : 528 + 0x5]
11 libxul.so!mozilla::WebGLContext::SetDimensions(int, int) [WebGLContext.cpp : 880 + 0x7]
12 libxul.so!mozilla::dom::HTMLCanvasElement::UpdateContext(JSContext*, JS::Handle<JS::Value>) [HTMLCanvasElement.cpp : 842 + 0x9]
13 libxul.so!mozilla::dom::HTMLCanvasElement::GetContext(JSContext*, nsAString_internal const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) [HTMLCanvasElement.cpp : 754 + 0x9]
14 libxul.so!mozilla::dom::HTMLCanvasElementBinding::getContext [HTMLCanvasElementBinding.cpp : 215 + 0x3]
15 libxul.so!mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) [BindingUtils.cpp : 2408 + 0x3]
Comment 2 • reporter • 10 years ago
(Not so much WONTFIX as CANTFIX.)
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
Comment 3 • 10 years ago
We can hack libEGL.so though, if that helps you. That's actually all open - it's just a wrapper to load the real libEGL.so blob. Alternately, maybe we can call GLLibraryEGL::EnsureInitialized() early on so it doesn't need to be called after sandboxing is enabled.
Comment 4 • reporter • 10 years ago
It's worth a try, I guess.
Assignee: jld → nobody
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Comment 5 • reporter • 10 years ago
But wait; there's more:
Thread 0 (crashed)
0 libc.so + 0x3c6a6
1 libc.so!readdir [dirent.cpp : 84 + 0x1a]
2 libc.so!sysconf [ScopedReaddir.h : 39 + 0x8]
3 libnss3.so!PR_GetNumberOfProcessors [prsystem.c : 246 + 0xc]
4 libxul.so!nsSystemInfo::Init() [nsSystemInfo.cpp : 215 + 0x5]
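Both traces above come from libc's readdir(3) hitting a syscall the filter no longer allows. Before dropping a syscall from a whitelist, a cheap way to find such paths without a full crash run is to execute the suspect code in a child under a filter that denies only that syscall with an errno instead of killing the process. The following is an added example, not code from this bug or from Gecko's sandbox; it assumes Linux with seccomp-bpf, uses readdir(3) on a directory as the probed code path, and denies getdents/getdents64 with ENOSYS.

```c
/* Probe whether a code path still needs getdents(2) by running it in a
 * child under a seccomp-bpf filter that fails getdents/getdents64 with
 * ENOSYS. Added example, Linux only; not part of the bug or of Gecko. */
#include <dirent.h>
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow every syscall except getdents and getdents64, which return ENOSYS.
 * The errno action (rather than KILL) is what lets the probe report back. */
static int deny_getdents(void) {
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_getdents                                  /* absent on e.g. arm64 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getdents, 2, 0),
#else
        BPF_STMT(BPF_JMP | BPF_JA, 0),                /* no-op keeps offsets stable */
#endif
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getdents64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Returns 1 if readdir(3) on `path` hit the denied syscall, 0 if it did
 * not, -1 if the probe could not run. The parent is never sandboxed. */
int needs_getdents(const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (deny_getdents() != 0) _exit(2);
        DIR *d = opendir(path);            /* open(2) itself stays allowed */
        if (!d) _exit(2);
        errno = 0;
        struct dirent *e = readdir(d);     /* libc backs this with getdents64 */
        _exit(e == NULL && errno == ENOSYS ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}
```

Swapping the readdir call for the real initialisation path (for example an early `GLLibraryEGL::EnsureInitialized()` or `nsSystemInfo::Init()` equivalent) gives a yes/no answer per syscall without waiting for a SIGSYS crash report.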
Comment 6 • reporter • 10 years ago
Move process sandboxing bugs to the new Bugzilla component.
(Sorry for the bugspam; filter on 3c21328c-8cfb-4819-9d88-f6e965067350.)
Component: Security → Security: Process Sandboxing
Updated • 9 years ago
Whiteboard: sb-
Updated • reporter • 8 years ago
Status: REOPENED → RESOLVED
Closed: 10 years ago → 8 years ago
OS: Linux → Gonk (Firefox OS)
Hardware: x86_64 → All
Resolution: --- → WONTFIX