Closed Bug 1151632 Opened 7 years ago Closed 5 years ago
chroot content processes on B2G
When bug 930258 is done, B2G content processes won't be accessing the filesystem directly, so they can be chroot()ed into a deleted directory as in bug 1151607. This will avoid any cases where filesystem path lookup isn't, or can't be, prevented by seccomp-bpf; e.g., bug 1066750.
This applies the chroot()-to-deleted-directory code to content processes on B2G if a file broker is being used, and it passes Try (https://treeherder.mozilla.org/#/jobs?repo=try&revision=e6e1032ea149) and it *almost* looks right.

In fact, it's badly broken: it reintroduces bug 970676 for processes not started through Nuwa. To make this work, I have to start child processes as root (partially reversing my own work in bug 977859, ironically) and then have them change uid after calling SandboxEarlyInit… but while they're still single-threaded except for the chroot helper.

This patch's problem is the SetCurrentProcessPrivileges call in nsEmbedFunctions — it's there because it needs to be in libxul to access that symbol, but when I wrote that I forgot that we've already initialized Binder at that point, so we get Binder threads running as root. (Also, the way I tripped over bug 970676 in the first place no longer catches this — tgkill within the same process is always allowed, ignoring uids, as of [065add3] in 2.6.35.)

I'm not quite sure what the best fix is, but I'm posting the work-in-progress anyway. I might not be getting back to this soon, and it's also a nice demonstration of why this needs to be done carefully.

[065add3]: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=065add3941bdca54fe04ed3471a96bce9af88793
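The two mechanisms the comments above hinge on, as an added C illustration that is not Mozilla's B2G sandbox code: entering a chroot whose root is an already deleted directory, and refusing to change uid/gid once any second thread exists (the invariant the Binder threads broke). The function names and the /tmp location are assumptions of this example.

```c
// Added example, not Mozilla's code: chroot into a deleted directory, and
// drop uid/gid only while single-threaded. Names and "/tmp" are assumed.
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdlib.h>
#include <unistd.h>

// Count threads via /proc/self/task (one entry per thread); -1 on error.
int count_threads(void) {
    DIR *d = opendir("/proc/self/task");
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (e->d_name[0] != '.') n++;
    closedir(d);
    return n;
}

// Needs CAP_SYS_CHROOT. Create a temp dir, hold an fd to it, rmdir() it, then
// chroot to the fd: the new root is empty and nothing can be created in it.
// Returns 0 on success, else the errno value.
int chroot_deleted_dir(void) {
    char path[] = "/tmp/sandbox-root-XXXXXX";
    if (!mkdtemp(path)) return errno;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) { int e = errno; rmdir(path); return e; }
    if (rmdir(path) != 0) { int e = errno; close(fd); return e; }
    int rc = 0;
    if (fchdir(fd) != 0 || chroot(".") != 0 || chdir("/") != 0) rc = errno;
    close(fd);
    return rc;
}

// Switch to uid/gid only if no other thread exists yet: the raw set*id
// syscalls act on the calling thread, so a thread started before this call
// (the Binder threads in the comment above) would keep the old credentials.
// Returns 0 on success, EBUSY if multithreaded, else the errno value.
int drop_privileges_single_threaded(uid_t uid, gid_t gid) {
    if (count_threads() != 1) return EBUSY;
    if (getuid() == 0 && setgroups(0, NULL) != 0) return errno;
    if (setresgid(gid, gid, gid) != 0) return errno;
    if (setresuid(uid, uid, uid) != 0) return errno;
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return errno;
    return (r == uid && e == uid && s == uid) ? 0 : EAGAIN;  // verify it stuck
}
```

Calling drop_privileges_single_threaded() after the chroot helper thread has exited is the ordering the patch discussion requires; calling it once Binder threads are running returns EBUSY instead of silently leaving root threads behind.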
Attachment #8673389 - Flags: review-
Thought: have SandboxEarlyInit call SetCurrentProcessPrivileges via a function pointer sent down into libmozsandbox the same way as the crash callback, the same way SandboxEarlyInit drops capabilities on desktop.
B2G-specific sandboxing bugs are WONTFIX. (I'm reasonably sure these bugs don't have implications for other platforms, but comment if I missed something.)
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX