Closed Bug 1126437 Opened 5 years ago Closed 2 years ago

Remove socket creation/connect from Desktop Linux content processes

Categories: Core :: Security: Process Sandboxing, defect, P2
Hardware/OS: All / Linux
Status: RESOLVED FIXED
Target Milestone: mozilla60
Tracking Status: firefox60 --- fixed
People: Reporter: jld, Assigned: jld
References: Depends on 1 open bug, Blocks 1 open bug
Whiteboard: sb+
Attachments: 2 files, 1 obsolete file

The other half of bug 942698 is sockets.

One known problem here is audio access — one of the possible backends is PulseAudio, which uses sockets to send audio data to the server (typically Unix-domain for a local audio server, but remote audio over IP is possible), and connects to the X11 server to try to read configuration information from root window properties (also possibly remote, and very problematic for security in any case).

Hopefully it will be possible to address these issues with high-level remoting, but it's not completely implausible to add a "connect to local socket" operation to the file broker if need be.
Whiteboard: sb+
Moving to sblc4 which deals with this issue.
Whiteboard: sb+ → sblc4
Blocked by media work on cubeb. TBC end of H1.
Whiteboard: sblc4 → sblc5
Summary: Remove socket creation/connect/bind from Desktop Linux content processes → Remove socket creation/connect from Desktop Linux content processes
Priority: -- → P3
Blocks: sb-audio
No longer depends on: sb-audio
No longer blocks: sb-audio
The fix for bug 1384292 doesn't stop the socket()ing, but I'm planning to quietly deny socket() anyway.
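Added example, not code from this bug or from Firefox: a minimal raw seccomp-bpf filter in C that does what the comment above describes, making socket(2) fail with EACCES in the filtered process instead of killing it with SIGSYS, while every other syscall is allowed. Firefox's own filter in security/sandbox/linux/SandboxFilter.cpp is written with the bpf_dsl helpers seen in the patch (`ResultExpr`, `Allow()`), not hand-assembled BPF. The function names `install_deny_socket_filter` and `probe_socket_under_filter`, the exit codes and the architecture table (x86_64 and aarch64 only) are this example's own assumptions.

```c
/* Quiet denial of socket(2) with a raw seccomp-bpf filter (added example). */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: only these two ABIs are handled; anything else refuses to install. */
#if defined(__x86_64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#define SECCOMP_AUDIT_ARCH 0
#endif
#ifndef __NR_socket
#define __NR_socket 0xffffffffu /* no direct socket(2) on this ABI; never installed */
#endif

/* Outcomes reported by the probe (hypothetical codes for this example). */
enum { SOCKET_DENIED = 0, SOCKET_ALLOWED = 1, SECCOMP_UNAVAILABLE = 2 };

/* Install a filter that returns EACCES for socket(2) and allows the rest.
   Returns 0 on success, -1 (errno set) if it could not be installed. */
static int install_deny_socket_filter(void) {
  struct sock_filter filter[] = {
    /* Check the ABI first so a foreign-arch syscall number is never matched. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* Load the syscall number. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* socket(2): fail with EACCES rather than SIGSYS ("quiet" denial). */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
    /* Everything else is allowed. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
  };
  struct sock_fprog prog = {
    .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
    .filter = filter,
  };
  if (SECCOMP_AUDIT_ARCH == 0) { errno = ENOSYS; return -1; }
  /* Required before an unprivileged process may install a filter. */
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
  if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
  return 0;
}

/* Fork a child, install the filter there and call socket(). Filters cannot be
   removed once installed, so the parent stays unfiltered and just reports the
   child's exit code: SOCKET_DENIED, SOCKET_ALLOWED, SECCOMP_UNAVAILABLE,
   or -1 if the child died from a signal or fork/waitpid failed. */
static int probe_socket_under_filter(void) {
  pid_t pid = fork();
  if (pid < 0) return -1;
  if (pid == 0) {
    if (install_deny_socket_filter() != 0) _exit(SECCOMP_UNAVAILABLE);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd >= 0) _exit(SOCKET_ALLOWED);
    _exit(errno == EACCES ? SOCKET_DENIED : 3);
  }
  int status = 0;
  if (waitpid(pid, &status, 0) < 0) return -1;
  return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
  int r = probe_socket_under_filter();
  if (r == SOCKET_DENIED)
    puts("socket() failed with EACCES under the filter; process kept running");
  else if (r == SECCOMP_UNAVAILABLE)
    puts("could not install a seccomp filter in this environment");
  else
    printf("unexpected result %d\n", r);
  return 0;
}
```

The point of returning an errno rather than SECCOMP_RET_KILL or a SIGSYS trap is the one the comment makes: library code that opportunistically opens a socket (an audio backend probing for a server, for instance) sees an ordinary failure and takes its fallback path instead of taking the whole content process down. The cost is that denials are silent unless the caller logs them, which is why a filter like this is normally rolled out behind a level switch. connect(2) could be denied the same way with a second JEQ branch; it is not shown here because once socket(2) is denied there is no fd to connect.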
No longer depends on: 1384292
Whiteboard: sblc5
Assignee: nobody → jld
Priority: P3 → P2
Whiteboard: sb+
Comment on attachment 8944632 [details]
Bug 1126437 - Add Linux content sandbox level 4 for blocking socket APIs.

https://reviewboard.mozilla.org/r/214780/#review220420


Static analysis found 1 defect in this patch.
 - 1 defect found by clang-tidy

You can run this analysis locally with:
 - `./mach static-analysis check path/to/file.cpp` (C/C++)


If you see a problem in this automated review, please report it here: http://bit.ly/2y9N9Vx


::: security/sandbox/linux/SandboxFilter.cpp:383
(Diff revision 1)
>  
> +  bool BelowLevel(int aLevel) const {
> +    return mParams.mLevel < aLevel;
> +  }
> +  ResultExpr AllowBelowLevel(int aLevel, ResultExpr aOrElse) const {
> +    return BelowLevel(aLevel) ? Allow() : aOrElse;
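Review bot: `BelowLevel` and `AllowBelowLevel` carry no comment saying what "level" is compared against or which direction is stricter; since the meaning of `mParams.mLevel` is only documented in browser/app/profile/firefox.js, a one-line comment here (the content sandbox level, higher is more restrictive, so a syscall allowed below N is denied at N and above) would spare the next reader the cross-reference. Separately, `aOrElse` is taken by value and then copied into the ternary; `return BelowLevel(aLevel) ? Allow() : std::move(aOrElse);` avoids the extra copy, as the clang-tidy finding below also notes.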

Warning: Parameter 'aorelse' is passed by value and only copied once; consider moving it to avoid unnecessary copies [clang-tidy: performance-unnecessary-value-param]

    return BelowLevel(aLevel) ? Allow() : aOrElse;
                                          ^
                                          std::move( )
Comment on attachment 8944631 [details]
Bug 1126437 - Reorganize content sandbox params extracted from libxul APIs.

https://reviewboard.mozilla.org/r/214778/#review220564
Attachment #8944631 - Flags: review?(gpascutto) → review+
Comment on attachment 8944632 [details]
Bug 1126437 - Add Linux content sandbox level 4 for blocking socket APIs.

https://reviewboard.mozilla.org/r/214780/#review220582

::: browser/app/profile/firefox.js:1099
(Diff revision 1)
>  // its Windows/Mac counterpart, but on Linux it's an integer which means:
>  // 0 -> "no sandbox"
>  // 1 -> "content sandbox using seccomp-bpf when available"
>  // 2 -> "seccomp-bpf + write file broker"
>  // 3 -> "seccomp-bpf + read/write file brokering"
> +// 4 -> 3 + network/socket restrictions
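Review bot: the new level-4 line is vaguer than the entries above it; "network/socket restrictions" does not say which operations are blocked, whereas this bug's summary is specifically socket creation and connect. Spell that out and keep the cumulative phrasing of the list, e.g. `// 4 -> all the above + socket creation/connect blocked`.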

"3" -> "all the above" plus
Attachment #8944632 - Flags: review?(gpascutto) → review+
Attachment #8944631 - Attachment is obsolete: true
Comment on attachment 8945007 [details]
Bug 1126437 - Reorganize content sandbox params extracted from libxul APIs.

MozReview is confused.  This patch is unchanged; carrying over r+.
Attachment #8945007 - Flags: review?(gpascutto) → review+
Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/bb5e75c2d0c8
Reorganize content sandbox params extracted from libxul APIs. r=gcp
https://hg.mozilla.org/integration/mozilla-inbound/rev/35083f8586e7
Add Linux content sandbox level 4 for blocking socket APIs. r=gcp
https://hg.mozilla.org/mozilla-central/rev/bb5e75c2d0c8
https://hg.mozilla.org/mozilla-central/rev/35083f8586e7
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Comment on attachment 8945007 [details]
Bug 1126437 - Reorganize content sandbox params extracted from libxul APIs.

See comment #13.
Attachment #8945007 - Flags: review?(gpascutto) → review+
No longer depends on: 1440206
Depends on: 1449594