Bug 1151632: chroot content processes on B2G
Closed (opened 9 years ago, closed 7 years ago)
Categories
(Core :: Security: Process Sandboxing, defect)
Tracking
RESOLVED WONTFIX

| | Tracking | Status |
|---|---|---|
| firefox40 | --- | affected |
People
(Reporter: jld, Assigned: jld)
References
(Blocks 2 open bugs)
Details
(Whiteboard: sb-)
Attachments
(1 file)
patch, 7.81 KB, by jld: review-
When bug 930258 is done, B2G content processes won't be accessing the filesystem directly, so they can be chroot()ed into a deleted directory as in bug 1151607. This will avoid any cases where filesystem path lookup isn't, or can't be, prevented by seccomp-bpf; e.g., bug 1066750.
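The "chroot() into a deleted directory" step from the description, as an added example written for this page (it is neither the patch attached to this bug nor code from Mozilla's sandbox): a forked child creates a scratch directory under /tmp, chroot()s into it, removes it through a parent-directory descriptor opened beforehand, and then checks that no path lookup or file creation succeeds while a descriptor obtained before the chroot (what a file broker would hand the content process) still reads fine. Linux only; the file names and payload are constructed for the demo. chroot needs CAP_SYS_CHROOT; if that is missing the child tries an unprivileged user namespace, and if that is unavailable too it reports the run as skipped rather than failed.

```c
/* Added example, not the attached patch and not Mozilla code: what a
 * deleted-directory chroot buys a process that only ever receives files as
 * descriptors from a broker.  Linux only.  Paths and payload are made up. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000  /* value from <linux/sched.h> */
#endif

enum { DEMO_OK = 0, DEMO_SKIPPED = 2, DEMO_FAILED = 3 };

static const char kPayload[] = "handed over by the broker\n";

/* Runs in the forked child and returns a DEMO_* code. */
static int chroot_demo_child(void)
{
    /* Stand-in for a broker-provided fd: opened and even unlinked before the
       chroot, so only the descriptor, never a path, reaches the sandbox. */
    char file_tmpl[] = "/tmp/chrootdemo-file.XXXXXX";
    int broker_fd = mkstemp(file_tmpl);
    if (broker_fd < 0) return DEMO_SKIPPED;                  /* no usable /tmp */
    if (write(broker_fd, kPayload, sizeof kPayload - 1) != (ssize_t)(sizeof kPayload - 1))
        return DEMO_FAILED;
    unlink(file_tmpl);

    /* The directory that becomes the new root. */
    char dir_tmpl[] = "/tmp/chrootdemo-root.XXXXXX";
    if (mkdtemp(dir_tmpl) == NULL) return DEMO_SKIPPED;
    const char *dir_name = dir_tmpl + strlen("/tmp/");

    /* Handle on the parent: the only way to remove the new root once inside
       it, and an escape route if it were kept, so it is closed right after. */
    int parent_fd = open("/tmp", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (parent_fd < 0) return DEMO_SKIPPED;

    if (chroot(dir_tmpl) != 0) {
        /* No CAP_SYS_CHROOT: a fresh user namespace grants it, if the kernel
           permits unprivileged namespaces at all. */
        if (syscall(SYS_unshare, CLONE_NEWUSER) != 0 || chroot(dir_tmpl) != 0) {
            unlinkat(parent_fd, dir_name, AT_REMOVEDIR);
            return DEMO_SKIPPED;
        }
    }
    if (chdir("/") != 0) return DEMO_FAILED;

    /* Delete the root out from under ourselves, then drop the parent handle. */
    if (unlinkat(parent_fd, dir_name, AT_REMOVEDIR) != 0) return DEMO_FAILED;
    close(parent_fd);

    /* 1. No absolute path resolves any more. */
    if (open("/etc/passwd", O_RDONLY) != -1 || errno != ENOENT) return DEMO_FAILED;
    /* 2. ".." at the root stays at the root, so this is the same lookup. */
    if (open("/../etc/passwd", O_RDONLY) != -1 || errno != ENOENT) return DEMO_FAILED;
    /* 3. Nothing can be created either: rmdir marked the root inode dead. */
    if (mkdir("/escape", 0700) != -1 || errno != ENOENT) return DEMO_FAILED;
    /* 4. The descriptor obtained before the chroot keeps working. */
    char buf[64];
    ssize_t n = pread(broker_fd, buf, sizeof buf, 0);
    if (n != (ssize_t)(sizeof kPayload - 1) || memcmp(buf, kPayload, (size_t)n) != 0)
        return DEMO_FAILED;
    return DEMO_OK;
}

/* Forks so the caller's own root is left alone; returns the child's DEMO_* code. */
int run_chroot_demo(void)
{
    pid_t pid = fork();
    if (pid < 0) return DEMO_FAILED;
    if (pid == 0) _exit(chroot_demo_child());
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return DEMO_FAILED;
    return WEXITSTATUS(status);
}

int main(void)
{
    int rc = run_chroot_demo();
    if (rc == DEMO_OK)
        puts("deleted-directory chroot: path lookups fail, broker fd still readable");
    else if (rc == DEMO_SKIPPED)
        puts("skipped: no CAP_SYS_CHROOT, no unprivileged user namespace, or no /tmp");
    else
        puts("FAILED: a lookup or create succeeded inside the deleted chroot");
    return rc == DEMO_FAILED ? 1 : 0;
}
```

Two details the demo gets right that a real sandbox also has to: it closes the parent-directory descriptor, because a process that keeps a directory fd from outside the chroot and still has CAP_SYS_CHROOT can fchdir() to it and chroot back out (with the root deleted, the classic escape via a freshly created subdirectory is not available, but an outside fd still is); and it performs the whole sequence while single-threaded, which is the ordering constraint that comment 1 below runs into when the uid change has to land before any other threads exist.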
Comment 1 • Assignee • 8 years ago
This applies the chroot()-to-deleted-directory code to content processes on B2G if a file broker is being used, and it passes Try (https://treeherder.mozilla.org/#/jobs?repo=try&revision=e6e1032ea149) and it *almost* looks right.

In fact, it's badly broken: it reintroduces bug 970676 for processes not started through Nuwa. To make this work, I have to start child processes as root (partially reversing my own work in bug 977859, ironically) and then have them change uid after calling SandboxEarlyInit… but while they're still single-threaded except for the chroot helper. This patch's problem is the SetCurrentProcessPrivileges call in nsEmbedFunctions — it's there because it needs to be in libxul to access that symbol, but when I wrote that I forgot that we've already initialized Binder at that point, so we get Binder threads running as root.

(Also, the way I tripped over bug 970676 in the first place no longer catches this — tgkill within the same process is always allowed, ignoring uids, as of [065add3][] in 2.6.35.)

I'm not quite sure what the best fix is, but I'm posting the work-in-progress anyway. I might not be getting back to this soon, and it's also a nice demonstration of why this needs to be done carefully.

[065add3]: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=065add3941bdca54fe04ed3471a96bce9af88793
Attachment #8673389 - Flags: review-
Comment 2 • Assignee • 8 years ago
Thought: have SandboxEarlyInit call SetCurrentProcessPrivileges via a function pointer sent down into libmozsandbox the same way as the crash callback, the same way SandboxEarlyInit drops capabilities on desktop.
Updated • 8 years ago
Whiteboard: sb-
Comment 3 • Assignee • 7 years ago
B2G-specific sandboxing bugs are WONTFIX. (I'm reasonably sure these bugs don't have implications for other platforms, but comment if I missed something.)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX