1198550 - Profiler reads /proc/self/maps in sandboxed content processes

Status: NEW

(Core :: Security: Process Sandboxing, defect, P3)

Description

[Jed Davis [:jld] ⟨⏰|UTC-8⟩ ⟦he/him⟧]

On B2G, when the profiler is started — usually asynchronously with profile.sh — it reads /proc/self/maps to find loaded objects, because there is no dl_iterate_phdr.  See SharedLibraryInfo::GetInfoForSelf in tools/profiler/core/shared-libraries-linux.cc

The file open can be remoted (bug 930258), so this isn't a blocker, but if we want to do something else (e.g., preload the library info before sandboxing, or use IPC) this bug is here.

Obligatory tedious footnote: it actually opens /proc/%d/maps sprintf'ed with the value of getpid(), which will break with pid namespaces, and /proc/self paths need to be rewritten anyway before being remoted.  This detail is not hugely relevant to the question of removing it from the filesystem broker policy.

Also: the library info isn't just for symbolication; the ARM EH unwinder needs it to find the unwind tables.

Comment 1

[Jim Mathies [:jimm]]

https://dxr.mozilla.org/mozilla-central/rev/52285ea5e54c73d3ed824544cef2ee3f195f05e6/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp#98

Comment 2

[Jed Davis [:jld] ⟨⏰|UTC-8⟩ ⟦he/him⟧]

Update: we're still using /proc/self/maps on desktop Linux, and we're now also trying (and failing, as of bug 1308400) to readlink /proc/self/exe.

https://searchfox.org/mozilla-central/rev/8d084472a955c9ef0f523c743cbad2460efd7688/tools/profiler/core/shared-libraries-linux.cc#118

Comment 3

[Jed Davis [:jld] ⟨⏰|UTC-8⟩ ⟦he/him⟧]

…and this will probably break under grsecurity, like bug 1198552 comment #1 et seq.