Closed Bug 1151632 Opened 9 years ago Closed 7 years ago

chroot content processes on B2G


(Core :: Security: Process Sandboxing, defect)

Gonk (Firefox OS)
Not set



Tracking Status
firefox40 --- affected


(Reporter: jld, Assigned: jld)


(Blocks 2 open bugs)


(Whiteboard: sb-)


(1 file)

When bug 930258 is done, B2G content processes won't be accessing the filesystem directly, so they can be chroot()ed into a deleted directory as in bug 1151607.  This will avoid any cases where filesystem path lookup isn't, or can't be, prevented by seccomp-bpf; e.g., bug 1066750.
This applies the chroot()-to-deleted-directory code to content processes on B2G if a file broker is being used, and it passes Try and it *almost* looks right.

In fact, it's badly broken: it reintroduces bug 970676 for processes not started through Nuwa.

To make this work, I have to start child processes as root (partially reversing my own work in bug 977859, ironically) and then have them change uid after calling SandboxEarlyInit… but while they're still single-threaded except for the chroot helper.

This patch's problem is the SetCurrentProcessPrivileges call in nsEmbedFunctions — it's there because it needs to be in libxul to access that symbol, but when I wrote that I forgot that we've already initialized Binder at that point, so we get Binder threads running as root.  (Also, the way I tripped over bug 970676 in the first place no longer catches this — tgkill within the same process is always allowed, ignoring uids, as of 065add3 in 2.6.35.)

I'm not quite sure what the best fix is, but I'm posting the work-in-progress anyway.  I might not be getting back to this soon, and it's also a nice demonstration of why this needs to be done carefully.

Attachment #8673389 - Flags: review-
Thought: have SandboxEarlyInit call SetCurrentProcessPrivileges via a function pointer sent down into libmozsandbox the same way as the crash callback, the same way SandboxEarlyInit drops capabilities on desktop.
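The chroot()-to-deleted-directory technique referenced in comment 0 and in the work-in-progress comment, as an added example that is not Mozilla's code: it creates a temporary directory, deletes it while holding a descriptor, shows that nothing can be created inside it, and, when CAP_SYS_CHROOT is available, makes it the process root so that no filesystem path can resolve any more. The /tmp template name and the probe file name are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create a temp directory (name template is an assumption), open a
 * descriptor to it, then rmdir it.  The fd still refers to the directory
 * inode, which the kernel now marks dead: nothing can be created in it. */
static int open_deleted_dir(void) {
    char path[] = "/tmp/chroot-target-XXXXXX";
    if (mkdtemp(path) == NULL) return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) { rmdir(path); return -1; }
    if (rmdir(path) != 0) { close(fd); return -1; }
    return fd;
}

/* Try to create a file inside the directory; returns 0 on success or the
 * errno.  For a deleted directory the kernel answers ENOENT. */
static int try_create_in_dir(int dirfd) {
    int fd = openat(dirfd, "probe", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return errno;
    close(fd);
    unlinkat(dirfd, "probe", 0);
    return 0;
}

/* Make the deleted directory the process root.  chroot() needs
 * CAP_SYS_CHROOT, so an unprivileged caller gets EPERM back. */
static int chroot_into_dirfd(int dirfd) {
    if (fchdir(dirfd) != 0) return errno;
    if (chroot(".") != 0) return errno;
    if (chdir("/") != 0) return errno;
    return 0;
}

int main(void) {
    int dirfd = open_deleted_dir();
    if (dirfd < 0) { perror("open_deleted_dir"); return 1; }
    printf("create in deleted dir: %s\n", strerror(try_create_in_dir(dirfd)));
    int rc = chroot_into_dirfd(dirfd);
    if (rc != 0) { printf("chroot skipped: %s\n", strerror(rc)); return 0; }
    /* Only already-open fds remain usable; every path lookup fails now. */
    printf("open(\"/etc/passwd\") after chroot: %s\n",
           open("/etc/passwd", O_RDONLY) < 0 ? strerror(errno) : "succeeded");
    return 0;
}
```

Because the directory no longer exists, the chroot target holds nothing and nothing can ever be placed in it; a process that later escapes seccomp-bpf path filtering still has no filesystem to reach.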
Whiteboard: sb-
B2G-specific sandboxing bugs are WONTFIX.  (I'm reasonably sure these bugs don't have implications for other platforms, but comment if I missed something.)
Closed: 7 years ago
Resolution: --- → WONTFIX