Closed Bug 1284588 Opened 8 years ago Closed 8 years ago

OS X: Disable content process write access to user files in the home directory

Categories

(Core :: Security: Process Sandboxing, defect)

Product:
Core
Component:
Security: Process Sandboxing
Version:
50 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla52
Tracking Flags:
Tracking Status
firefox50 --- affected
firefox52 --- fixed

People

(Reporter: haik, Assigned: haik)

References

Details

(Whiteboard: sbmc1)

Attachments

(2 files)

WIP patch that disable write access to the majority of the home directory, not ready for review
1.33 KB, patch
Details | Diff | Splinter Review
Bug 1284588 - OS X: Disable content process write access to user files in the home directory;
58 bytes, text/x-review-board-request
gcp
: review+
Details
This bug is for the changes required to disable write access to user files in the home directory from the content process on macOS. With this bug, the intent is not to remove all write access to the home directory, but everything outside of some specific directories within ~/Library. Within ~/Library, the content process uses write access to NS_APP_CONTENT_PROCESS_TEMP_DIR and some addons write to files within the Firefox profile directory. Access to those directories (which are within ~/Library) will be removed in follow-up work.
Depends on: 1228022
Whiteboard: sbmc1
This disables content process write access to most of the home directory. I'm using it for testing. Until 1228022 is fixed, this will break printing to file.
Assignee: nobody → haftandilian
Blocks: 1303192
Comment on attachment 8793534 [details] Bug 1284588 - OS X: Disable content process write access to user files in the home directory; https://reviewboard.mozilla.org/r/80214/#review79124
Attachment #8793534 - Flags: review?(gpascutto) → review+
Looks like autoland couldn't rebase this patch for landing.
Flags: needinfo?(haftandilian)
Keywords: checkin-needed
Sorry about that. It applied cleanly in my repo. I'll update reviewboard and reflag this checkin-needed.
Flags: needinfo?(haftandilian)
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/autoland/rev/1e8a7c6dcea1 OS X: Disable content process write access to user files in the home directory; r=gcp
Keywords: checkin-needed
Backed out for leaks in browser-chrome tests on OS X 10.10 debug: https://hg.mozilla.org/integration/autoland/rev/b1ed83464642 Push with failure: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=1e8a7c6dcea1d73db0da4c61b2dfe4b4cbaec79f More tests tun and failed for https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=735ae776c393e7c2f7c9d64a12a61b5f7689a583 Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=3992627&repo=autoland 02:41:44 WARNING - TEST-UNEXPECTED-FAIL | leakcheck | tab process: missing output line for total leaks! 02:41:44 INFO - TEST-INFO | leakcheck | missing output line from log file /var/folders/f6/kjqp0l7n7cb307nv1hq0lrf400000w/T/tmpgFyenB.mozrunner/runtests_leaks_tab_pid1975.log
Flags: needinfo?(haftandilian)
Flags: needinfo?(haftandilian)
See Also: → 1281306
Didn't mean to clear the needinfo. I'm trying to determine if this change is causing the "leakcheck | missing output line from log file ..." failure or if these are just instances of bug 1281306. This fix shouldn't affect JS object allocation/dealloc and shouldn't affect content processes ability to write to /var.
Flags: needinfo?(haftandilian)
The leakcheck "missing output line for total leaks" failures were caused by my fix for this bug. I couldn't reproduce the failures locally by running individual tests, but I could reproduce them reliably with "./mach test toolkit/content/tests/browser/" in debug. The issue is that my changes blocked all write access to the filesystem from the content process (apart from the content temp dir and a few /var subdirectories), this breaks the leakcheck because it writes to a file in /var from the content process. This is in the OS X $TMPDIR and here's an example of the path which is per-OSX-user. /var/folders/46/188abcdeadfadfadfadfrgsnx2m0000gn/T/tmp1Txao8.mozrunner/runtests_leaks_tab_pid<PID>.log I'll update the fix to not limit write-blocking to the home directory and file a bug on our tests writing to the filesystem from the content process. Writing to $TMPDIR is a reasonable place to write to, but our long term goal is to eventually prevent all filesystem I/O by the content process.
Flags: needinfo?(haftandilian)
See Also: → 1303987
Attachment #8793534 - Flags: review+ → review?(gpascutto)
Comment on attachment 8793534 [details] Bug 1284588 - OS X: Disable content process write access to user files in the home directory; https://reviewboard.mozilla.org/r/80214/#review80314 As discussed on IRC, we can follow up with another bug/patch to disable write except in the OS TMPDIR.
Attachment #8793534 - Flags: review?(gpascutto) → review+
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/autoland/rev/cde8b9afb577 OS X: Disable content process write access to user files in the home directory; r=gcp
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/cde8b9afb577
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox52: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
See Also: → 1306508
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: