Closed Bug 1294286 Opened 8 years ago Closed 5 years ago

Restrict clock_getres the same way as clock_gettime

Categories

Core :: Security: Process Sandboxing, defect, P3
Hardware: Unspecified
OS: Linux

Tracking

RESOLVED FIXED
mozilla72
Tracking Status
firefox51 --- wontfix
firefox72 --- fixed

People

(Reporter: jld, Assigned: jld)

References

Details

(Whiteboard: sblc5)

Attachments

(1 file)

Some background that hasn't made it into Bugzilla yet:

On Linux, clockid_t can contain a process ID or thread ID, as part of implementing the clock_getcpuclockid and pthread_getcpuclockid APIs.  This header comment mostly explains the encoding (give or take a ones' complement):

https://github.com/torvalds/linux/blob/9512c47ec/include/linux/posix-timers.h#L31

But it's a little more complicated than that, because that describes the format iff the sign bit is set:

https://github.com/torvalds/linux/blob/9512c47ec/kernel/time/posix-timers.c#L585

For nonnegative ints, these are defined (the “process” and “thread” in question refer to the caller in this case):

https://github.com/torvalds/linux/blob/9512c47ec/include/uapi/linux/time.h#L45


This feature is known to Chromium and was blocked in https://crbug.com/374479 by applying a small list of allowed clocks (initially for NaCl, but the policy was later applied to other process types in https://crbug.com/413469 and https://crbug.com/413855).

We've taken a similar approach for clock_gettime (originally for GMP, later made part of the “common” ruleset also used by content), but clock_getres is currently allowed for all clockid_t values.  That should be fixed; no need to leak information if we don't have to.
Whiteboard: sblc3
Whiteboard: sblc3 → sblc5
Priority: -- → P3
See Also: → 1598040

The clockid_t type on Linux has a space of values which encode a pid and
refer to various measures of another process's CPU usage; clock_getres
would, thereby, allow probing whether other processes exist. This is
a relatively small information leak into the sandboxes, but there's no
reason to allow it.

Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a8082b9b4ed1
Filter clock IDs in clock_getres sandbox rule. r=gcp
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
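Added example for the two points above (the pid-carrying clockid_t encoding from comment 0, and the clock_getres probe that the commit message describes). This is demonstration code written for this page, not Firefox's SandboxFilter and not kernel code. The bit layout and the CPUCLOCK_* constants are copied from the include/linux/posix-timers.h comment linked above; everything else is assumed for the demo: the function names, the four-entry allowlist (Firefox's own list may differ), the "bogus" pid 0x3FFFFFF chosen to exceed any pid_max, and the AUDIT_ARCH values for x86_64 and aarch64.

```c
/* Added example, not Firefox or kernel code. Reproduces the clockid_t
 * encoding from include/linux/posix-timers.h, shows how clock_getres() on a
 * pid-carrying clock answers "does this process exist?", and installs a
 * seccomp-bpf rule of the kind the bug asks for: clock_getres is allowed for
 * a short allowlist of clock IDs and otherwise fails with EINVAL.
 * Build: cc -O2 -o clockres_demo clockres_demo.c   (Linux, x86_64 or aarch64) */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>

/* Kernel layout: bits 31..3 hold ~pid (or an fd), bit 2 = per-thread,
 * bits 1..0 = type (PROF=0, VIRT=1, SCHED=2; 3 marks an fd-backed clock). */
#define CPUCLOCK_PROF           0
#define CPUCLOCK_VIRT           1
#define CPUCLOCK_SCHED          2
#define CPUCLOCK_CLOCK_MASK     3
#define CPUCLOCK_PERTHREAD_MASK 4

static clockid_t make_process_cpuclock(pid_t pid, int which) {
    return (clockid_t)(((~(uint32_t)pid) << 3) | (uint32_t)which);
}
static clockid_t make_thread_cpuclock(pid_t tid, int which) {
    return make_process_cpuclock(tid, which | CPUCLOCK_PERTHREAD_MASK);
}
/* Arithmetic shift of the signed value, exactly as the kernel's CPUCLOCK_PID() does. */
static pid_t cpuclock_pid(clockid_t clk)       { return (pid_t)~(clk >> 3); }
static int   cpuclock_perthread(clockid_t clk) { return (clk & CPUCLOCK_PERTHREAD_MASK) != 0; }
static int   cpuclock_which(clockid_t clk)     { return clk & CPUCLOCK_CLOCK_MASK; }

/* How clockid_to_kclock() dispatches: the sign bit selects the encoded form. */
enum clock_kind { CLK_TABLE, CLK_CPU, CLK_FD, CLK_INVALID };
static enum clock_kind classify_clockid(clockid_t clk) {
    if (clk >= 0) return CLK_TABLE;        /* CLOCK_REALTIME, CLOCK_MONOTONIC, ... by index */
    switch (clk & 7) {
    case 3:  return CLK_FD;                /* dynamic clock, upper bits are an fd */
    case 7:  return CLK_INVALID;           /* bits 2, 1 and 0 all set */
    default: return CLK_CPU;               /* pid/tid CPU clock */
    }
}

/* Allowlist assumed for this demo; Firefox's own list lives in its SandboxFilter. */
static int clock_id_allowed(clockid_t clk) {
    return clk == CLOCK_REALTIME || clk == CLOCK_MONOTONIC ||
           clk == CLOCK_PROCESS_CPUTIME_ID || clk == CLOCK_THREAD_CPUTIME_ID;
}

/* The leak: 1 = a process with this pid exists, 0 = it does not (EINVAL),
 * -1 = some other error. No permission on the target process is needed. */
static int probe_pid_via_getres(pid_t pid) {
    struct timespec res;
    if (clock_getres(make_process_cpuclock(pid, CPUCLOCK_SCHED), &res) == 0) return 1;
    return errno == EINVAL ? 0 : -1;
}

#ifdef __linux__
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#if defined(__x86_64__)
# define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
# define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
# error "add the AUDIT_ARCH_* value for this architecture"
#endif
/* The kernel reads clockid_t as a 32-bit int, so compare only the low half of args[0]. */
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
# define ARG0_LO offsetof(struct seccomp_data, args[0])
#else
# define ARG0_LO (offsetof(struct seccomp_data, args[0]) + 4)
#endif
#define SC_LD(off)        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, (off))
#define SC_JEQ(v, jt, jf) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)(v), (jt), (jf))
#define SC_RET(v)         BPF_STMT(BPF_RET | BPF_K, (v))

static int install_clock_getres_filter(void) {
    struct sock_filter filter[] = {
        SC_LD(offsetof(struct seccomp_data, arch)),
        SC_JEQ(DEMO_ARCH, 1, 0),
        SC_RET(SECCOMP_RET_KILL),                 /* wrong ABI: kill */
        SC_LD(offsetof(struct seccomp_data, nr)),
        SC_JEQ(__NR_clock_getres, 1, 0),
        SC_RET(SECCOMP_RET_ALLOW),                /* every other syscall passes (demo only) */
        SC_LD(ARG0_LO),                           /* the clk_id argument */
        SC_JEQ(CLOCK_REALTIME, 3, 0),
        SC_JEQ(CLOCK_MONOTONIC, 2, 0),
        SC_JEQ(CLOCK_PROCESS_CPUTIME_ID, 1, 0),
        SC_JEQ(CLOCK_THREAD_CPUTIME_ID, 0, 1),
        SC_RET(SECCOMP_RET_ALLOW),
        SC_RET(SECCOMP_RET_ERRNO | EINVAL),       /* one answer for every other clock id */
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void) {
    const pid_t bogus = 0x3FFFFFF;   /* assumed: above any pid_max, so never a live pid */
    clockid_t self = make_process_cpuclock(getpid(), CPUCLOCK_SCHED);
    struct timespec res;
    printf("pid %d -> clockid %d -> pid %d\n", (int)getpid(), (int)self, (int)cpuclock_pid(self));
    printf("before filter: pid 1 exists=%d, pid %d exists=%d\n",
           probe_pid_via_getres(1), (int)bogus, probe_pid_via_getres(bogus));
    if (install_clock_getres_filter() != 0) { perror("seccomp"); return 1; }
    printf("after filter:  pid 1 exists=%d, pid %d exists=%d, CLOCK_MONOTONIC getres=%d\n",
           probe_pid_via_getres(1), (int)bogus, probe_pid_via_getres(bogus),
           clock_getres(CLOCK_MONOTONIC, &res));
    return 0;
}
#endif
```

Before the filter, pid 1 probes as present and the bogus pid as absent, which is the distinguishing signal the bug is about; after the filter both probes fail with EINVAL while the allowlisted clocks keep working. The filter compares the argument against constants rather than decoding the pid field, which is also the cheaper shape for a seccomp-bpf rule.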