Closed Bug 1213998 Opened 4 years ago Closed 2 years ago

chroot content processes on desktop Linux

Categories

(Core :: Security: Process Sandboxing, defect, P1)

Unspecified
Linux
defect

Tracking

()

RESOLVED FIXED
mozilla60
Tracking Status
firefox60 --- fixed

People

(Reporter: jld, Assigned: jld)

References

(Depends on 1 open bug, Blocks 3 open bugs)

Details

(Whiteboard: sb+)

Attachments

(1 file)

This is the desktop version of bug 1151632 — once all filesystem access is brokered (including local-domain sockets), then we can chroot the content process.  (It should also be possible to unshare its network namespace at or before that point; if not, we'll need a separate bug, but I'll let whoever gets to that point decide how to handle it.)  This will, in addition to being general defense-in-depth, prevent the socketpair/sendmsg interaction described in bug 1066750.
Whiteboard: sb+
This might be doable now that filesystem brokering (bug 1289718) has landed.  The one problem is if libraries are trying to use named Unix-domain sockets (but not the Linux “abstract namespace” extension; that's scoped to the network namespace instead) after sandbox startup, and I think PulseAudio typically does that.

As for comment #0's optimism about the network namespace: that's going to be blocked by PulseAudio (when configured for a remote audio server) and possibly also WebRTC.  And maybe other things I'm forgetting right now.  We didn't need direct network access for WebRTC on B2G, but that might have been using platform-specific code that didn't carry over to desktop; this needs more investigation.
Depends on: 1289718
No longer depends on: 1362220
Blocks: sb-audio
No longer blocks: sb-audio
Assignee: nobody → jld
Priority: -- → P2
See Also: → 1430949
Comment on attachment 8944637 [details]
Bug 1213998 - Apply chroot() to sandboxed content processes on Linux.

https://reviewboard.mozilla.org/r/214796/#review220576
Attachment #8944637 - Flags: review?(gpascutto) → review+
Priority: P2 → P1
We're sorry, Autoland could not rebase your commits for you automatically. Please manually rebase your commits and try again.

hg error in cmd: hg rebase -s a0df58d4ff29869d84436e3cde2a2f5f8a8c163f -d d727648d21a1: rebasing 445310:a0df58d4ff29 "Bug 1213998 - Apply chroot() to sandboxed content processes on Linux. r=gcp" (tip)
merging security/sandbox/linux/launch/SandboxLaunch.cpp
warning: conflicts while merging security/sandbox/linux/launch/SandboxLaunch.cpp! (edit, then use 'hg resolve --mark')
unresolved conflicts (see hg resolve, then hg rebase --continue)
Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/46c4a5ce6e0f
Apply chroot() to sandboxed content processes on Linux. r=gcp
https://hg.mozilla.org/mozilla-central/rev/46c4a5ce6e0f
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
You need to log in before you can comment on or make changes to this bug.