Open Bug 1198550 Opened 9 years ago Updated 2 years ago

Profiler reads /proc/self/maps in sandboxed content processes

Categories

(Core :: Security: Process Sandboxing, defect, P3)

Product:
Core
Component:
Security: Process Sandboxing
Platform:
Unspecified
Linux
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox43 --- affected

People

(Reporter: jld, Unassigned)

References

Details

(Whiteboard: sb+) 

On B2G, when the profiler is started — usually asynchronously with profile.sh — it reads /proc/self/maps to find loaded objects, because there is no dl_iterate_phdr.  See SharedLibraryInfo::GetInfoForSelf in tools/profiler/core/shared-libraries-linux.cc

The file open can be remoted (bug 930258), so this isn't a blocker, but if we want to do something else (e.g., preload the library info before sandboxing, or use IPC) this bug is here.

Obligatory tedious footnote: it actually opens /proc/%d/maps sprintf'ed with the value of getpid(), which will break with pid namespaces, and /proc/self paths need to be rewritten anyway before being remoted.  This detail is not hugely relevant to the question of removing it from the filesystem broker policy.

Also: the library info isn't just for symbolication; the ARM EH unwinder needs it to find the unwind tables.
Whiteboard: sb+
OS: Unspecified → Linux
Priority: -- → P3
Update: we're still using /proc/self/maps on desktop Linux, and we're now also trying (and failing, as of bug 1308400) to readlink /proc/self/exe.

https://searchfox.org/mozilla-central/rev/8d084472a955c9ef0f523c743cbad2460efd7688/tools/profiler/core/shared-libraries-linux.cc#118
…and this will probably break under grsecurity, like bug 1198552 comment #1 et seq.
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.