Closed Bug 1299329 Opened 3 years ago Closed 3 years ago

Remove printing-related privileges from content process sandbox

Categories

(Core :: Security: Process Sandboxing, defect)

51 Branch
x86_64
macOS
defect
Not set

Tracking

RESOLVED FIXED
mozilla52
Tracking Status
firefox51 --- fix-optional
firefox52 --- fixed

People

(Reporter: haik, Assigned: haik)

References

Details

(Whiteboard: sbmc1)

Attachments

(1 file)

Once bug 1090454 is fixed, we can remove the printing-related privileges from the content process sandbox, reducing the content process attack surface.
Assignee: nobody → haftandilian
Depends on: 1090454
Whiteboard: sbmc1
See reviewboard for the patch. The removal of (allow mach-register) triggers some console sandbox messages on OS X 10.11 (El Capitan) which I don't think are a concern. So far I've tested on 10.12 (Sierra) and 10.11 and got some coverage on 10.10 (Yosemite) via try[1].

Examples of the sandbox console messages:

  9/21/16 9:05:17.815 AM plugin-container[28788]: void __CFPasteboardSetup() : Failed to allocate communication port for com.apple.CFPasteboardClient; this is likely due to sandbox restrictions

  9/21/16 9:05:44.660 AM sandboxd[368]: ([28788]) plugin-container(28788) deny mach-register com.apple.axserver (per-pid)

  9/21/16 9:05:44.688 AM sandboxd[368]: ([28788]) plugin-container(28788) deny mach-register com.apple.tsm.portname (per-pid)

The mach-register capability appears to be required for a process (aka mach task) to create a port that is accessible by other tasks. The __CFPasteboardSetup is part of the OS X Pasteboard[2]. I've done manual copy-paste tests of text and some images, and drag-n-drop, and haven't noticed any problems.

I don't see these messages on Sierra. Apparently macOS Sierra sandboxed apps will not have the mach-register permission, hence it makes sense that OS X libraries would be reworked in Sierra to not trigger these sandbox violations.

On 10.11, the CFPasteboard warnings are triggered by the following stack from the NSApplication event loop.

Thread 0:
0   libsystem_kernel.dylib            0x00007fff90dfdf72 mach_msg_trap + 10
1   libxpc.dylib                      0x00007fff8e1f3b43 xpc_pipe_routine + 249
2   libxpc.dylib                      0x00007fff8e1f39de _xpc_interface_routine + 163
3   libxpc.dylib                      0x00007fff8e1fa453 bootstrap_register2 + 184
4   CoreFoundation                    0x00007fff8ec5d1ea __CFMessagePortCreateLocal + 746
5   CoreFoundation                    0x00007fff8ec5ceeb CFMessagePortCreatePerProcessLocal + 27
6   CoreFoundation                    0x00007fff8ec5c4c6 CFPasteboardCreate + 1094
7   HIToolbox                         0x00007fff98afb5d3 isPrefsGetDefaultAsciiKeyboardLayout + 61
8   HIToolbox                         0x00007fff98afb0c9 isPrefsCreateCacheFromEnabledAndDefaultInputSources + 25
9   HIToolbox                         0x00007fff98afaa88 islGetInputSourceListWithAdditions + 146
10  HIToolbox                         0x00007fff98afa9d5 TSMGetInputSourceCountWithFilteredAdditions + 39
11  HIToolbox                         0x00007fff98af9eba TISCreateInputSourceList + 89
12  HIToolbox                         0x00007fff98af9b30 SyncHandwritingHotKey + 128
13  HIToolbox                         0x00007fff98af8dc9 _FirstEventTime + 1056
14  HIToolbox                         0x00007fff98af887b RunCurrentEventLoopInMode + 49
15  HIToolbox                         0x00007fff98af8677 ReceiveNextEventCommon + 184
16  HIToolbox                         0x00007fff98af85af _BlockUntilNextEventMatchingListInModeWithFilter + 71
17  AppKit                            0x00007fff94e46df6 _DPSNextEvent + 1067
18  AppKit                            0x00007fff94e46226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
19  XUL                               0x00000001120d56b2 -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 82 (nsAppShell.mm:121)

1. https://treeherder.mozilla.org/#/jobs?repo=try&revision=df8e88d8ae3f6fd4b0193b038b149e5e138ebf6c&selectedJob=27747050

2. https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/PasteboardGuide106/Articles/pbGettingStarted.html#//apple_ref/doc/uid/TP40008150-SW1
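Triaging a sandbox profile change like this one means reading the Console for sandboxd denials and deciding which are expected. The script below is an added example, not code from the bug or from Mozilla: it parses the 10.11-style sandboxd "deny" lines and the CFPasteboard port-allocation warning quoted above into structured records, counts denials per operation, and flags any denial that is not on an expected list. The sample log is constructed from the three lines in this comment plus one unrelated line; the EXPECTED_DENIALS allowlist (the two mach-register targets the comment treats as harmless) and the line formats are assumptions for the example, not anything Mozilla ships.

```python
"""Triage macOS sandbox denials from Console output (added example, not Mozilla code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample input: the three Console lines quoted in comment 2
# plus one unrelated kernel line to show that it is ignored.
SAMPLE_LOG = """\
9/21/16 9:05:17.815 AM plugin-container[28788]: void __CFPasteboardSetup() : Failed to allocate communication port for com.apple.CFPasteboardClient; this is likely due to sandbox restrictions
9/21/16 9:05:44.660 AM sandboxd[368]: ([28788]) plugin-container(28788) deny mach-register com.apple.axserver (per-pid)
9/21/16 9:05:44.688 AM sandboxd[368]: ([28788]) plugin-container(28788) deny mach-register com.apple.tsm.portname (per-pid)
9/21/16 9:05:45.001 AM kernel[0]: some unrelated message
"""


@dataclass(frozen=True)
class SandboxEvent:
    ts: str
    proc: str
    pid: int
    operation: str   # sandbox operation ("mach-register", ...) or "port-alloc-warning"
    target: str      # Mach service / port name (or path for file-* operations); "" if absent
    extra: str       # trailing parenthesised note such as "per-pid"; "" if absent


# sandboxd denial line as printed by the 10.11-era Console (format assumed from the bug):
#   <ts> sandboxd[N]: ([PID]) <proc>(PID) deny <op> [<target>] [(<extra>)]
DENY_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M) sandboxd\[\d+\]: \(\[(?P<pid>\d+)\]\) "
    r"(?P<proc>[^(]+)\((?P=pid)\) deny (?P<op>\S+)"
    r"(?: (?P<target>[^\s(]\S*))?(?: \((?P<extra>[^)]*)\))?\s*$"
)

# Library-side symptom of a blocked port: the __CFPasteboardSetup warning in comment 2.
WARN_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M) (?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]: .*"
    r"Failed to allocate communication port for (?P<target>[^;\s]+);"
)


def parse_line(line: str) -> Optional[SandboxEvent]:
    """Return a SandboxEvent for a denial or port warning, None for anything else."""
    line = line.strip()
    m = DENY_RE.match(line)
    if m:
        return SandboxEvent(m["ts"], m["proc"], int(m["pid"]), m["op"],
                            m["target"] or "", m["extra"] or "")
    m = WARN_RE.match(line)
    if m:
        return SandboxEvent(m["ts"], m["proc"], int(m["pid"]),
                            "port-alloc-warning", m["target"], "")
    return None


def parse_log(text: str) -> List[SandboxEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def denials_by_operation(events: List[SandboxEvent]) -> Counter:
    """Count real sandboxd denials per operation (library warnings excluded)."""
    return Counter(e.operation for e in events if e.operation != "port-alloc-warning")


# Denials comment 2 reports as expected once (allow mach-register) is dropped on 10.11.
# This allowlist is an assumption for the example, not a list Mozilla maintains.
EXPECTED_DENIALS: Set[Tuple[str, str]] = {
    ("mach-register", "com.apple.axserver"),
    ("mach-register", "com.apple.tsm.portname"),
}


def unexpected_denials(events: List[SandboxEvent],
                       expected: Set[Tuple[str, str]] = EXPECTED_DENIALS) -> List[SandboxEvent]:
    """Denials not on the allowlist: the ones a reviewer of a profile change must look at."""
    return [e for e in events
            if e.operation != "port-alloc-warning"
            and (e.operation, e.target) not in expected]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(denials_by_operation(evs))
    print("unexpected:", unexpected_denials(evs))
```

Run against the sample, the two mach-register denials are counted and nothing is flagged; feed it a denial for an operation or target outside the allowlist (e.g. a mach-lookup of some other service) and that record comes back from unexpected_denials, which is the signal that the profile change removed more than intended.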
Comment on attachment 8793399 [details]
Bug 1299329 - Remove printing-related privileges from content process sandbox;

https://reviewboard.mozilla.org/r/80138/#review79118
Attachment #8793399 - Flags: review?(gpascutto) → review+
Keywords: checkin-needed
No longer depends on: 1090454
Depends on: 1228022
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/f06bf582785b
Remove printing-related privileges from content process sandbox; r=gcp
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/f06bf582785b
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
See Also: → 1306239
(In reply to Haik Aftandilian [:haik] from comment #2)
> I don't see these messages on Sierra. Apparently macOS Sierra sandboxed apps
> will not have the mach-register permission hence it makes sense that OS X
> libraries would be reworked in Sierra to not trigger these sandbox
> violations.

Tests I ran today on Sierra 10.12 (first official release) are now showing the tsm.portname sandbox violation in the Console so I'll look into ways we might prevent these messages in the console. I don't know why I didn't see them before. It could be that the behavior of the Console.app changed (it has changed significantly in Sierra), the OS changed, or I just didn't notice them.
See Also: → 1306663
Mark 51 as fix-optional. If it's worth uplifting to 51, feel free to nominate it.
OS: Unspecified → Mac OS X
Hardware: Unspecified → x86_64
[Tracking Requested - why for this release]:
Remote printing on Mac is already enabled in 51 (due to 1228022 being fixed in 51) and so the privileges being removed here are not needed in 51. This is part of the work required for our level=1 Mac content sandbox and is worth uplifting to get us closer to release given it is relatively low risk. This fix does trigger some warnings in the terminal when Firefox is run from the command line (bug 1306663).
Track 51+ as remote printing on Mac is enabled in 51.
Due to bug 1310165 emerging, I'd like to cancel the uplift request for build 51. Gerry, could you minus this for build 51?
Flags: needinfo?(gchang)
Flags: needinfo?(gchang)
See Also: → 1324610