Closed Bug 1177594 Opened 9 years ago Closed 9 years ago

Use a USER_RESTRICTED token level on GMP process when integrity levels are available.

Categories

(Core :: Security: Process Sandboxing, defect)

Tracking

RESOLVED FIXED
mozilla41
Tracking Status
firefox40 + fixed
firefox41 --- fixed

People

(Reporter: bobowen, Assigned: bobowen)

Details

Attachments

(1 file)

There is a possibility that the USER_LOCKDOWN token level could be causing loading problems on platforms other than Win10.

When we are already running at untrusted integrity level, dropping back to the USER_RESTRICTED token level then shouldn't affect the effectiveness of the sandbox and might help with certain problems.
Sorry this took a while, I realised that I should really also take out the other part of this, when we're not using the lockdown token level but I'm having trouble testing it here.
Also, I should probably test it on different versions as well, so I'll pick that up in a follow-up.
Attachment #8626386 - Flags: review?(cpearce)
Comment on attachment 8626386 [details] [diff] [review]
bug1177594.patch: Use a USER_RESTRICTED token level on GMP process when integrity levels are available.

Review of attachment 8626386 [details] [diff] [review]:
-----------------------------------------------------------------

We should uplift this to 40; it may be hurting people using EME in the wild.
Attachment #8626386 - Flags: review?(cpearce) → review+
Assignee: nobody → bobowen.code
Status: NEW → ASSIGNED
Comment on attachment 8626386 [details] [diff] [review]
bug1177594.patch: Use a USER_RESTRICTED token level on GMP process when integrity levels are available.

Approval Request Comment
[Feature/regressing bug #]:
USER_LOCKDOWN was originally set for bug 1094370.

[User impact if declined]:
If this is the cause of the issues, then the user will not be able to use the Adobe CDM to play media content.

[Describe test coverage new/current, TreeHerder]:
EME and openh264 have mochitest coverage.

[Risks and why]:
Low: simple patch and this reduces this particular sandbox setting and so shouldn't cause any issues.
In addition this was the original setting that GMP shipped with.

[String/UUID change made/needed]:
None
Attachment #8626386 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/5fb9272062b9
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Comment on attachment 8626386 [details] [diff] [review]
bug1177594.patch: Use a USER_RESTRICTED token level on GMP process when integrity levels are available.

Same request as per comment 4, but for beta 40
Attachment #8626386 - Flags: approval-mozilla-aurora? → approval-mozilla-beta?
[Tracking Requested - why for this release]: We need to get this uplifted so that we can rule it out as a cause of crashes in the EME plugin process.
I must remember to uplift.
Flags: needinfo?(cpearce)
Adding a tracking flag for FF40 and a qe-verify tracking flag so the fix is verified.
Flags: qe-verify+
Comment on attachment 8626386 [details] [diff] [review]
bug1177594.patch: Use a USER_RESTRICTED token level on GMP process when integrity levels are available.

Approving for Beta. The try push was clean according to Chris.
Attachment #8626386 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: needinfo?(cpearce)
Is there any proper method to manually verify this? If yes, can you please provide me some steps to do it? Thanks!
Flags: needinfo?(bobowen.code)
To verify that the setting has taken effect properly, you could use something like Sysinternals' Process Explorer.

* Navigate to http://people.mozilla.org/~cpearce/mse-clearkey/
* In Process Explorer check the properties (from right-click menu) of the GMP plugin-container.exe process (this will have geckomediaplugin at the end of the command line)
* The security tab should still have the SeChangeNotifyPrivilege enabled

To actually test whether this fixes any CDM loading problems, we'd need to be able to reproduce them, so we'll probably have to rely on monitoring crashes for that.
Flags: needinfo?(bobowen.code)
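
The manual check from comment 14, scripted as an added example (not part of the bug thread or the Mozilla patch): it finds the GMP plugin-container.exe processes and reports whether SeChangeNotifyPrivilege is enabled in each process token. The `TokenCheck` class and its method name are hypothetical, and the script assumes the caller is allowed to open the sandboxed process and its token for query access.

```powershell
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenCheck {
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buffer, int length, out int needed);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out long luid);
    static Exception Fail(string api) {
        return new InvalidOperationException(api + " failed, Win32 error " + Marshal.GetLastWin32Error());
    }
    // Hypothetical helper for this example: true when the named privilege is present and enabled.
    public static bool IsPrivilegeEnabled(uint pid, string name) {
        long wanted; IntPtr token = IntPtr.Zero, buffer = IntPtr.Zero;
        if (!LookupPrivilegeValue(null, name, out wanted)) throw Fail("LookupPrivilegeValue");
        IntPtr process = OpenProcess(0x1000, false, pid);             // PROCESS_QUERY_LIMITED_INFORMATION
        if (process == IntPtr.Zero) throw Fail("OpenProcess");
        try {
            if (!OpenProcessToken(process, 0x0008, out token)) throw Fail("OpenProcessToken"); // TOKEN_QUERY
            int size;
            GetTokenInformation(token, 3, IntPtr.Zero, 0, out size);   // 3 = TokenPrivileges; sizing call
            buffer = Marshal.AllocHGlobal(size);
            if (!GetTokenInformation(token, 3, buffer, size, out size)) throw Fail("GetTokenInformation");
            int count = Marshal.ReadInt32(buffer);                     // TOKEN_PRIVILEGES.PrivilegeCount
            for (int i = 0; i < count; i++) {                          // 12-byte LUID_AND_ATTRIBUTES entries
                int entry = 4 + i * 12;
                if (Marshal.ReadInt64(buffer, entry) == wanted)
                    return (Marshal.ReadInt32(buffer, entry + 8) & 0x2) != 0;  // SE_PRIVILEGE_ENABLED
            }
            return false;                                              // privilege not in the token at all
        } finally {
            if (buffer != IntPtr.Zero) Marshal.FreeHGlobal(buffer);
            if (token != IntPtr.Zero) CloseHandle(token);
            CloseHandle(process);
        }
    }
}
'@
# GMP child processes: plugin-container.exe with "geckomediaplugin" in the command line.
Get-CimInstance Win32_Process -Filter "Name = 'plugin-container.exe'" |
    Where-Object { $_.CommandLine -match 'geckomediaplugin' } |
    Select-Object ProcessId, @{ Name = 'SeChangeNotifyEnabled'
        Expression = { [TokenCheck]::IsPrivilegeEnabled($_.ProcessId, 'SeChangeNotifyPrivilege') } }
```

Run it while the test page from the steps above is playing, so that a GMP process exists; a row with `SeChangeNotifyEnabled` set to `True` corresponds to the expected result on the Security tab.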
(In reply to Bob Owen (:bobowen) from comment #14)
> To verify that the setting has taken effect properly, you could use
> something like Sysinternals' Process Explorer.
> 
> * Navigate to http://people.mozilla.org/~cpearce/mse-clearkey/
> * In Process Explorer check the properties (from right-click menu) of the
> GMP plugin-container.exe process (this will have geckomediaplugin at the end
> of the command line)
> * The security tab should still have the SeChangeNotifyPrivilege enabled
> 
> To actually test whether this fixes any CDM loading problems, we'd need to
> be able to reproduce them, so we'll probably have to rely on monitoring
> crashes for that.

I've verified on Windows 7 64bit using Firefox 40 Beta 2 (buildID: 20150706172413) and Aurora 41.0a2 (buildID: 20150707004003) following your steps and everything is as expected: the security tab has the SeChangeNotifyPrivilege enabled.

Removing the "qe-verify+" flag since no more manual testing is needed.
Flags: qe-verify+