Closed Bug 1151632 Opened 8 years ago Closed 6 years ago

chroot content processes on B2G

Categories: Core :: Security: Process Sandboxing, defect
Hardware: All
OS: Gonk (Firefox OS)
Type: defect
Priority: Not set
Severity: normal

Status: RESOLVED WONTFIX
Tracking Status: firefox40 --- affected

People: Reporter: jld, Assigned: jld

References: Blocks 2 open bugs

Whiteboard: sb-

Attachments: 1 file

When bug 930258 is done, B2G content processes won't be accessing the filesystem directly, so they can be chroot()ed into a deleted directory as in bug 1151607.  This will avoid any cases where filesystem path lookup isn't, or can't be, prevented by seccomp-bpf; e.g., bug 1066750.

This applies the chroot()-to-deleted-directory code to content processes on B2G if a file broker is being used, and it passes Try (https://treeherder.mozilla.org/#/jobs?repo=try&revision=e6e1032ea149) and it *almost* looks right.

In fact, it's badly broken: it reintroduces bug 970676 for processes not started through Nuwa.

To make this work, I have to start child processes as root (partially reversing my own work in bug 977859, ironically) and then have them change uid after calling SandboxEarlyInit… but while they're still single-threaded except for the chroot helper.

This patch's problem is the SetCurrentProcessPrivileges call in nsEmbedFunctions — it's there because it needs to be in libxul to access that symbol, but when I wrote that I forgot that we've already initialized Binder at that point, so we get Binder threads running as root.  (Also, the way I tripped over bug 970676 in the first place no longer catches this — tgkill within the same process is always allowed, ignoring uids, as of [065add3][] in 2.6.35.)

I'm not quite sure what the best fix is, but I'm posting the work-in-progress anyway.  I might not be getting back to this soon, and it's also a nice demonstration of why this needs to be done carefully.

[065add3]: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=065add3941bdca54fe04ed3471a96bce9af88793
Attachment #8673389 - Flags: review-
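As an added illustration of the chroot()-to-deleted-directory trick and of the ordering constraint the comment above describes (drop uid only while still single-threaded), here is example code that is not the attached patch and not Mozilla's own sandbox code; the /tmp template, the uid/gid parameters and the /proc-based thread count are assumptions:

```c
#define _GNU_SOURCE                 /* for setresuid/setresgid */
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Number of threads in this process, read from /proc/self/task (Linux only).
 * Returns -1 if /proc is unavailable so that callers fail closed. */
int count_threads(void) {
    DIR *d = opendir("/proc/self/task");
    if (d == NULL) return -1;
    int n = 0; struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, ".") != 0 && strcmp(e->d_name, "..") != 0) n++;
    closedir(d);
    return n;
}

/* Create an empty directory, open it, then rmdir it.  The open fd keeps the
 * inode alive, but the kernel refuses to create anything inside a deleted
 * directory (ENOENT), so a chroot into it has an empty, unfillable root.
 * The /tmp template is an assumption.  Returns the fd, or -1 on failure. */
int open_deleted_dir(void) {
    char path[] = "/tmp/empty-root.XXXXXX";
    if (mkdtemp(path) == NULL) return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0 || rmdir(path) != 0) { if (fd >= 0) close(fd); return -1; }
    return fd;
}

/* Chroot into the deleted directory, then drop to uid/gid.  Needs root
 * (CAP_SYS_CHROOT, CAP_SETUID/CAP_SETGID) and must run while the process is
 * still single-threaded: credentials are per thread in the kernel, so any
 * thread started earlier (the Binder threads in this bug) would keep root.
 * Returns 0 on success, -1 with errno set otherwise. */
int chroot_and_drop(int dir_fd, uid_t uid, gid_t gid) {
    if (count_threads() != 1) { errno = EBUSY; return -1; }
    if (fchdir(dir_fd) != 0 || chroot(".") != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* Confirm the drop is irreversible: regaining uid 0 must now fail. */
    if (setresuid(0, 0, 0) == 0) { errno = EPERM; return -1; }
    return 0;
}
```

Only the deleted-directory and thread-count pieces can be exercised without root; chroot_and_drop() itself needs CAP_SYS_CHROOT and refuses to run once a second thread exists.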
Thought: have SandboxEarlyInit call SetCurrentProcessPrivileges via a function pointer sent down into libmozsandbox the same way as the crash callback, the same way SandboxEarlyInit drops capabilities on desktop.
Whiteboard: sb-
B2G-specific sandboxing bugs are WONTFIX.  (I'm reasonably sure these bugs don't have implications for other platforms, but comment if I missed something.)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX