Open Bug 1199051 Opened 9 years ago Updated 2 years ago

Can we not whitelist all of NS_GRE_DIR in sandboxed content processes?

Categories

(Core :: Security: Process Sandboxing, defect, P3)

Unspecified
Linux
defect

Tracking


Tracking Status
firefox43 --- affected

People

(Reporter: jld, Unassigned)

References

Details

(Whiteboard: sb+)

For bug 930258 I'm going to allow read access to all files under NS_GRE_DIR (/system/b2g on B2G) if nobody complains too loudly. This is, of course, not ideal for keeping the whitelist minimal, but it can be reduced later. Specific things known to be read from there currently:

* NSS libraries, dynamically loaded when content uses WebRTC or cryptography APIs.
* Web apps on B2G, sometimes (but bug 1119692 will change that).
* Data for reftests.
* Speech recognition models, which were added earlier this year.
* Any loaded ELF object, when profiling; see bug 1198515.

But there's a larger question of policy: currently Gecko developers have been able to open arbitrary files in NS_GRE_DIR from content-process code, and it's hard to argue that it's inherently a security problem. But if we change it to a specific whitelist, then Gecko developers adding new features — like the speech recognition example, above — will need to know to update that whitelist, or else get mysterious failures that don't make sense in terms of the OS's normal permission model. (And for the time being this is only B2G — desktop platforms won't be in a position to impose this kind of restriction until 1196384 is resolved — so testing on desktop won't show any problems.)

So that's not really ideal — but is it worse than any other part of the filesystem that's not getting a blanket exemption (e.g., /proc/self)? I'm not sure, but the immediate goal is to get bug 930258 landed and clean up the details later.
(In reply to Jed Davis [:jld] from comment #0)
> * Web apps on B2G, sometimes (but bug 1119692 will change that).

s/will change/has changed/. We shouldn't need to open /system/b2g/webapps in content processes anymore.
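As an added illustration (not code from this bug or from Gecko's sandbox broker), a small Python model of the policy comment #0 describes: a whole-directory read grant for NS_GRE_DIR beside single-file grants, with the path-matching care such a grant needs and a denial log so a new feature's file read fails visibly rather than mysteriously. The permission bits, class names and sample paths are constructed for the example.

```python
# Constructed model of the whitelist trade-off from comment #0 (not Gecko's
# SandboxBroker): directory grants like the NS_GRE_DIR one beside single-file
# grants, with every denial recorded so a new file read fails visibly.
import posixpath
from dataclasses import dataclass, field

READ, WRITE = 1, 2  # hypothetical permission bits

@dataclass
class Policy:
    dirs: dict = field(default_factory=dict)   # normalised dir  -> perms
    files: dict = field(default_factory=dict)  # normalised file -> perms
    denials: list = field(default_factory=list)
    def add_dir(self, perms, path):
        self.dirs[posixpath.normpath(path)] = perms
    def add_path(self, perms, path):
        self.files[posixpath.normpath(path)] = perms

    def lookup(self, path):
        # Normalise first so "/system/b2g/../etc/shadow" cannot ride the
        # /system/b2g grant; match whole components, not a bare string prefix,
        # or "/system/b2g_backup/x" would pass. Real brokers resolve symlinks too.
        norm = posixpath.normpath(path)
        perms = self.files.get(norm, 0)
        for d, p in self.dirs.items():
            if norm == d or norm.startswith(d.rstrip("/") + "/"):
                perms |= p
        return perms

    def check(self, wanted, path):
        granted = self.lookup(path)
        if wanted & ~granted:
            self.denials.append(f"denied {path}: want {wanted}, granted {granted}")
            return False
        return True

def demo():
    policy = Policy()
    policy.add_dir(READ, "/system/b2g")             # blanket NS_GRE_DIR grant
    policy.add_path(READ, "/etc/fonts/fonts.conf")  # single-file grant
    requests = [  # constructed sample open() requests from a content process
        (READ, "/system/b2g/libnss3.so"),           # NSS library: allowed
        (READ, "/system/b2g/models/en-US/hmm.bin"), # new feature's data: allowed, no policy edit needed
        (READ, "/system/b2g/../etc/shadow"),        # traversal: denied
        (READ, "/system/b2g_backup/libnss3.so"),    # lookalike directory: denied
        (WRITE, "/system/b2g/libnss3.so"),          # write against a read-only grant: denied
        (READ, "/etc/fonts/fonts.conf"),            # exact file grant: allowed
        (READ, "/etc/fonts/conf.d/10-x.conf"),      # sibling of a file grant: denied
    ]
    return [policy.check(p, path) for p, path in requests], policy.denials
```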
Whiteboard: sblc2
Moving to sblc3 which concludes removing/restricting file system access.
Whiteboard: sblc2 → sblc3
Whiteboard: sblc3 → sb+
Severity: normal → S3