Seccomp sandbox violation: sys_fchown called in content process of Firefox desktop

RESOLVED FIXED in Firefox 48

Status

()

Core
Security: Process Sandboxing
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: tedd, Assigned: tedd)

Tracking

unspecified
mozilla48
Points:
---

Firefox Tracking Flags

(firefox48 fixed)

Details

(Whiteboard: sblc1)

Attachments

(2 attachments)

(Assignee)

Description

2 years ago
Created attachment 8734180 [details]
Seccomp error log + symbol information

When enabling content sandboxing on Linux desktop (using ac_add_options --enable-content-sandbox), the content process crashes early on due to a seccomp violation when calling sys_fchown.

The code seems to be related to pulseaudio, so this might no longer be an issue once Bug 1104619 is fixed.

Updated

2 years ago
Whiteboard: sb? → sblc1
(Assignee)

Comment 2

2 years ago
:jld, any objections to add sys_fchown() to the whitelist for now, so that we can get seccomp enabled on nightly? I think we can experiment to remove it once Bug 1104619 has landed, or later on when we try to tighten the sandbox.
Flags: needinfo?(jld)
(In reply to Julian Hector [:tedd] [:jhector] from comment #2)
> :jld, any objections to add sys_fchown() to the whitelist for now, so that
> we can get seccomp enabled on nightly? I think we can experiment to remove
> it once Bug 1104619 has landed, or later on when we try to tighten the
> sandbox.

No objections.  fchown can't do much as an unprivileged user (running Firefox as root isn't supported, and see also bug 1199481), and in any case this isn't a meaningful sandbox yet.
Flags: needinfo?(jld)
(Assignee)

Comment 4

2 years ago
Ok, thanks I will get a patch ready.
Assignee: nobody → julian.r.hector
(Assignee)

Comment 5

2 years ago
Created attachment 8740917 [details] [diff] [review]
Add sys_fchown to seccomp whitelist r=jld

Try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=09edc84cff30
Attachment #8740917 - Flags: review?(jld)
Attachment #8740917 - Flags: review?(jld) → review+
(Assignee)

Updated

2 years ago
Keywords: checkin-needed

Comment 7

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/b26d5448b54c
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox48: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
You need to log in before you can comment on or make changes to this bug.