Open Bug 1198552 Opened 9 years ago Updated 2 years ago

Memory reporter opens /proc/self/{statm,smaps} in sandboxed content processes

Categories

(Toolkit :: about:memory, defect)

Unspecified
Linux
defect

Tracking

()

Tracking Status
firefox43 --- wontfix
firefox56 --- wontfix
firefox57 --- affected
firefox58 --- affected
firefox59 --- ?

People

(Reporter: jld, Unassigned)

References

Details

(Keywords: perf, Whiteboard: sb+)

The memory reporter opens /proc/self/{statm,smaps} in sandboxed content processes, to get info on the process's memory usage. This will need to be whitelisted in the sandbox broker policy for now, but there might be a better way to handle it.
Whiteboard: sb+
OS: Unspecified → Linux
Priority: -- → P3
I have been told that it is flooding log kernel message now: <Corsac> Oct 3 23:12:42 scapa kernel: [40278.600669] grsec: denied read of sensitive /proc/pid/statm entry via fd passed across exec by /usr/lib/firefox/firefox[Web Content:3451] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib/firefox/firefox[Gecko_IOThread:3343] uid/euid:1000/1000 gid/egid:1000/1000 gcp, do you care about that for the l3 sandboxing?
Flags: needinfo?(gpascutto)
We do, although that appears to be a grsecurity kernel, not a normal one. This might end up with quite some work on the memory reporter code...
Flags: needinfo?(gpascutto)
By the way, you might get this warning as far back as Firefox 54, I think? Even with write-only sandboxing, the file broker will still intercept the read and use fd passing to the child.
Keywords: perf
Priority: P3 → --
This has, in fact, been observed in Firefox 54: https://github.com/NixOS/nixpkgs/issues/25743#issuecomment-319113908 This bug probably belongs in the about:memory component. I suspect that the procfs memory info isn't extremely important on desktop (or at least less important than it was on B2G); not unimportant, but maybe not important enough to make nontrivial changes just for the benefit of grsec kernels. But I'll leave that to the people who are actively working on memory reporting these days. One possible fix — and this does seem to work with procfs files — would be to open the files during startup, keep them open, and seek back to the beginning between reads. (In this case everything is main-thread-only if I recall correctly, but for thread safety the same idea using pread() could work.) Alternately, there's the option of having the parent process compute the system memory info on the content processes's behalf and adjoin it to their reports when they're sent up over IPC. I was concerned that there might be some other grsec restriction about that, but what I've found suggests that same-user procfs access is allowed.
Moving component because I agree with jld. The sandboxing layer is doing what it has to do and grsecurity is "correctly" [1] warning that sensitive info is traveling to the parent. It's up to the memory reporting layer to decide if they really need this info or not. Any solution on the sandboxing side is always going to be a gross hack. [1] I'm using quotation marks because it has no problem with this information AND everything else being available to the process that's exposed to the internet, yet warns when it's one of the only things available. So the warning is a bit backwards in this case.
Component: Security: Process Sandboxing → about:memory
Product: Core → Toolkit
(In reply to Gian-Carlo Pascutto [:gcp] from comment #5) > [1] I'm using quotation marks because it has no problem with this > information AND everything else being available to the process that's > exposed to the internet, yet warns when it's one of the only things > available. So the warning is a bit backwards in this case. For what it's worth, the grsec maintainer mentioned that this is “to avoid fooling some suid apps into infoleak”, which is a little more understandable… and makes this a false positive, because the opener's and reader's credentials are equivalent.
Here's my understanding of things. xpcom/base/nsMemoryReporterManager.cpp - Reads /proc/self/statm to get the "vsize" and "resident" measurements, which are important. - Reads /proc/self/smaps to get the "resident-unique" measurement, which is less important though still useful. - These happen in the individual processes, both chrome and content. xpcom/base/SystemMemoryReporter.cpp - Reads /proc/self/smaps to implement the entire "system" memory reporter, which is only enabled if the "memory.system_memory_reporter" pref is set (and it's off by default). - This only runs in the chrome process. So only nsMemoryReporterManager.cpp needs changing. It shouldn't be too hard to get the chrome process to read /proc/<pid>/{statm,smaps} on behalf of all the content processes, and also report the measurements to the memory reporter manager on their behalf, and then the content processes wouldn't need to do anything. jld, does all that sound right to you?
Flags: needinfo?(jld)
(In reply to Nicholas Nethercote [:njn] from comment #7) > So only nsMemoryReporterManager.cpp needs changing. It shouldn't be too hard > to get the chrome process to read /proc/<pid>/{statm,smaps} on behalf of all > the content processes, and also report the measurements to the memory > reporter manager on their behalf, and then the content processes wouldn't > need to do anything. > > jld, does all that sound right to you? Yes, that sounds good.
Flags: needinfo?(jld)
The current grsecurity code won't have any problems with this, so there's no need to add a workaround if it's solely for us. I apologize for the delay on this, but I only heard about the issue relatively recently via searching on Twitter. Please feel free to loop me in on problems like this in the future (spender@grsecurity.net) to avoid needless frustration; we definitely don't want to be putting Mozilla in a position of implementing workarounds for us, or wasting time on things we can resolve quickly together. I had a very good experience working with Robert O'Callahan to eliminate the need for workarounds in 'rr' that didn't require weakening the security properties of restrictions it had trouble with. Thank you! -Brad
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.