Pref off bug 1074561 and disallow unsandboxed media plugins by default

RESOLVED FIXED in mozilla38



Security: Process Sandboxing
3 years ago


(Reporter: jld, Assigned: jld)


(Blocks: 1 bug)


Firefox Tracking Flags

(Not tracked)



(1 attachment)



3 years ago
We're having some second thoughts about bug 1074561, which allowed Linux systems without seccomp-bpf support to run OpenH264 (or, more generally, non-EME media plugins) unsandboxed.  Specifically, it means that if a security vulnerability is found in OpenH264 (e.g., CVE-2014-8001 / CVE-2014-8002) and we need to rate its severity with respect to Firefox, we can depend on the fact that it's sandboxed… except on a few percent of Linux desktops (i.e., perhaps one in a thousand Firefoxes).

The current plan is to disable that by default, but allow a sufficiently advanced user to override it.  A pref in about:config to select whether sandboxing is required or best-effort (sandboxed if supported, run without sandboxing otherwise), and defaulting to required, should be enough.

Comment 1

3 years ago
Move process sandboxing bugs to the new Bugzilla component.

(Sorry for the bugspam; filter on 3c21328c-8cfb-4819-9d88-f6e965067350.)
Component: Security → Security: Process Sandboxing

Comment 2

3 years ago
Created attachment 8553788 [details] [diff] [review]

This disables by default the part of bug 1074561 that allows unsandboxed media plugins; the check for unsandboxed CDMs is left unchanged, meaning that they are disallowed regardless of this pref (as mentioned in a code comment and the commit message).

I've tested this locally — I don't know if there's a good way to run tests that require starting Gecko with non-default prefs? — and pushed to try:
Attachment #8553788 - Flags: review?(rjesup)


3 years ago
Attachment #8553788 - Flags: review?(rjesup) → review+
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Comment 5

Here's a thought: BSDs or non-i386/non-x86-64 don't have MOZ_GMP_SANDBOX enabled. Yet they can't benefit from this pref.

Comment 6

3 years ago
(In reply to Mike Hommey [:glandium] from comment #5)
> Here's a thought: BSDs or non-i386/non-x86-64 don't have MOZ_GMP_SANDBOX
> enabled. Yet they can't benefit from this pref.

That's a good point.  The question of whether OpenH264 (or clearkey EME) should be allowed on --disable-gmp-sandbox platforms belongs to the WebRTC module owner, I think?

One complication is that the MOZ_DISABLE_GMP_SANDBOX env var should also disable the requirement of sandboxing — it wouldn't be very useful otherwise — so this would need to distinguish:

1. not available on platform (deny?)
2. available but disabled by user (allow)
3. available on platform but not on this particular system (deny)
4. usable (allow)

Currently cases 1 and 2 are conflated (and, by comparison, Windows and Mac OS X don't have to deal with case 3 or case 1).
Flags: needinfo?(rjesup)
Seems straightforward, unless I'm missing something:

1. Platform or system that doesn't support sandboxing (BSD, etc):
   Default: disallow GMP (all)
   pref set: allow unsandboxed GMP/OpenH264 (but not CDMs)
2. Platform/system does allow sandboxing:
   Allow GMP (all)
Flags: needinfo?(rjesup)
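The four-way distinction from comment 6 and the policy in the follow-up reply, written out as a model in C++. This is an added example, not Gecko's code or the attached patch; the names (SandboxStatus, ClassifySandbox, MayLoadGMP, allowUnsandboxedPref) are hypothetical, and it assumes CDMs need a usable sandbox even when MOZ_DISABLE_GMP_SANDBOX is set, which the thread does not settle.

```cpp
// Model of the GMP load policy discussed above (hypothetical names, not Gecko's).
enum class SandboxStatus {
  NotAvailableOnPlatform,  // case 1: built with --disable-gmp-sandbox (BSD, other arches)
  DisabledByUser,          // case 2: MOZ_DISABLE_GMP_SANDBOX set in the environment
  NotAvailableOnSystem,    // case 3: platform supports it, this kernel lacks seccomp-bpf
  Usable                   // case 4: sandbox can be applied
};

enum class PluginKind { Media, CDM };

// Classify in the order that keeps cases 1 and 2 distinct, which comment 6
// notes are currently conflated: the env var only matters if the build
// supports sandboxing at all.
SandboxStatus ClassifySandbox(bool builtWithSandbox, bool envDisabled,
                              bool kernelSupportsSeccompBpf) {
  if (!builtWithSandbox) return SandboxStatus::NotAvailableOnPlatform;
  if (envDisabled) return SandboxStatus::DisabledByUser;
  if (!kernelSupportsSeccompBpf) return SandboxStatus::NotAvailableOnSystem;
  return SandboxStatus::Usable;
}

// allowUnsandboxedPref models the about:config pref from comment 0;
// its default is false, so an unsandboxable system denies by default.
bool MayLoadGMP(SandboxStatus status, PluginKind kind, bool allowUnsandboxedPref) {
  if (status == SandboxStatus::Usable) {
    return true;  // sandboxed: allow all plugins
  }
  if (kind == PluginKind::CDM) {
    return false;  // CDMs are never run unsandboxed (comment 2); assumed to cover case 2 too
  }
  switch (status) {
    case SandboxStatus::DisabledByUser:
      return true;  // explicit developer opt-out: allow
    case SandboxStatus::NotAvailableOnPlatform:
    case SandboxStatus::NotAvailableOnSystem:
      return allowUnsandboxedPref;  // deny unless the user set the pref
    default:
      return false;
  }
}
```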


3 years ago
Blocks: 1141825