1213998 - chroot content processes on desktop Linux

Status: RESOLVED FIXED

(Core :: Security: Process Sandboxing, defect, P1)

Description

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

This is the desktop version of bug 1151632 — once all filesystem access is brokered (including local-domain sockets), then we can chroot the content process.  (It should also be possible to unshare its network namespace at or before that point; if not, we'll need a separate bug, but I'll let whoever gets to that point decide how to handle it.)  This will, in addition to being general defense-in-depth, prevent the socketpair/sendmsg interaction described in bug 1066750.

Comment 1

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

This might be doable now that filesystem brokering (bug 1289718) has landed.  The one problem is if libraries are trying to use named Unix-domain sockets (but not the Linux “abstract namespace” extension; that's scoped to the network namespace instead) after sandbox startup, and I think PulseAudio typically does that.

As for comment #0's optimism about the network namespace: that's going to be blocked by PulseAudio (when configured for a remote audio server) and possibly also WebRTC.  And maybe other things I'm forgetting right now.  We didn't need direct network access for WebRTC on B2G, but that might have been using platform-specific code that didn't carry over to desktop; this needs more investigation.

Comment 2

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

Attachment: Bug 1213998 - Apply chroot() to sandboxed content processes on Linux.

Review commit: https://reviewboard.mozilla.org/r/214796/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/214796/

Comment 3

[Gian-Carlo Pascutto [:gcp]]

Comment on attachment 8944637 [details]
Bug 1213998 - Apply chroot() to sandboxed content processes on Linux.

https://reviewboard.mozilla.org/r/214796/#review220576

Comment 4

[Mozilla Autoland]

We're sorry, Autoland could not rebase your commits for you automatically. Please manually rebase your commits and try again.

hg error in cmd: hg rebase -s a0df58d4ff29869d84436e3cde2a2f5f8a8c163f -d d727648d21a1: rebasing 445310:a0df58d4ff29 "Bug 1213998 - Apply chroot() to sandboxed content processes on Linux. r=gcp" (tip)
merging security/sandbox/linux/launch/SandboxLaunch.cpp
warning: conflicts while merging security/sandbox/linux/launch/SandboxLaunch.cpp! (edit, then use 'hg resolve --mark')
unresolved conflicts (see hg resolve, then hg rebase --continue)

Comment 5

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

Comment on attachment 8944637 [details]
Bug 1213998 - Apply chroot() to sandboxed content processes on Linux.

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/214796/diff/1-2/

Comment 6

[Pulsebot]

Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/46c4a5ce6e0f
Apply chroot() to sandboxed content processes on Linux. r=gcp

Comment 7

[Narcis Beleuzu [:NarcisB]]

https://hg.mozilla.org/mozilla-central/rev/46c4a5ce6e0f