1299329 - Remove printing-related privileges from content process sandbox

Status: RESOLVED FIXED

(Core :: Security: Process Sandboxing, defect)

Description

[Haik Aftandilian [:haik]]

Once bug 1090454 is fixed, we can remove the printing-related privileges from the content process sandbox, reducing the content process attack surface.

Comment 1

[Haik Aftandilian [:haik]]

Attachment: Bug 1299329 - Remove printing-related privileges from content process sandbox;

Review commit: https://reviewboard.mozilla.org/r/80138/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/80138/

Comment 2

[Haik Aftandilian [:haik]]

See reviewboard for the patch. The removal of (allow mach-register) triggers some console sandbox messages on OS X 10.11 (El Capitan) which I don't think are a concern. So far I've tested on 10.12 (Sierra) and 10.11 and got some coverage on 10.10 (Yosemite) via try[1].

Examples of the sandbox console messages:

  9/21/16 9:05:17.815 AM plugin-container[28788]: void __CFPasteboardSetup() : Failed to allocate communication port for com.apple.CFPasteboardClient; this is likely due to sandbox restrictions

  9/21/16 9:05:44.660 AM sandboxd[368]: ([28788]) plugin-container(28788) deny mach-register com.apple.axserver (per-pid)

  9/21/16 9:05:44.688 AM sandboxd[368]: ([28788]) plugin-container(28788) deny mach-register com.apple.tsm.portname (per-pid)

The mach-register capability appears to be required for a process (aka mach task) to create a port that is accessible by other tasks. The CFPasteBoardSetup is part of the OS X PasteBoard[2]. I've done manual copy-paste  tests of text and some images, and drag-n-drop, and haven't noticed any problems.

I don't see these messages on Sierra. Apparently macOS Sierra sandboxed apps will not have the mach-register permission hence it makes sense that OS X libraries would be reworked in Sierra to not trigger these sandbox violations.

On 10.11, the CFPasteBoard warnings are triggered by the following stack from the NSApplication event loop.

Thread 0:
0   libsystem_kernel.dylib            0x00007fff90dfdf72 mach_msg_trap + 10
1   libxpc.dylib                      0x00007fff8e1f3b43 xpc_pipe_routine + 249
2   libxpc.dylib                      0x00007fff8e1f39de _xpc_interface_routine + 163
3   libxpc.dylib                      0x00007fff8e1fa453 bootstrap_register2 + 184
4   CoreFoundation                    0x00007fff8ec5d1ea __CFMessagePortCreateLocal + 746
5   CoreFoundation                    0x00007fff8ec5ceeb CFMessagePortCreatePerProcessLocal + 27
6   CoreFoundation                    0x00007fff8ec5c4c6 CFPasteboardCreate + 1094
7   HIToolbox                         0x00007fff98afb5d3 isPrefsGetDefaultAsciiKeyboardLayout + 61
8   HIToolbox                         0x00007fff98afb0c9 isPrefsCreateCacheFromEnabledAndDefaultInputSources + 25
9   HIToolbox                         0x00007fff98afaa88 islGetInputSourceListWithAdditions + 146
10  HIToolbox                         0x00007fff98afa9d5 TSMGetInputSourceCountWithFilteredAdditions + 39
11  HIToolbox                         0x00007fff98af9eba TISCreateInputSourceList + 89
12  HIToolbox                         0x00007fff98af9b30 SyncHandwritingHotKey + 128
13  HIToolbox                         0x00007fff98af8dc9 _FirstEventTime + 1056
14  HIToolbox                         0x00007fff98af887b RunCurrentEventLoopInMode + 49
15  HIToolbox                         0x00007fff98af8677 ReceiveNextEventCommon + 184
16  HIToolbox                         0x00007fff98af85af _BlockUntilNextEventMatchingListInModeWithFilter + 71
17  AppKit                            0x00007fff94e46df6 _DPSNextEvent + 1067
18  AppKit                            0x00007fff94e46226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
19  XUL                               0x00000001120d56b2 -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 82 (nsAppShell.mm:121)

1. https://treeherder.mozilla.org/#/jobs?repo=try&revision=df8e88d8ae3f6fd4b0193b038b149e5e138ebf6c&selectedJob=27747050

2. https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/PasteboardGuide106/Articles/pbGettingStarted.html#//apple_ref/doc/uid/TP40008150-SW1

Comment 3

[Gian-Carlo Pascutto [:gcp]]

Comment on attachment 8793399 [details]
Bug 1299329 - Remove printing-related privileges from content process sandbox;

https://reviewboard.mozilla.org/r/80138/#review79118

Comment 4

[Pulsebot]

Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/f06bf582785b
Remove printing-related privileges from content process sandbox; r=gcp

Comment 5

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/f06bf582785b

Comment 6

[Haik Aftandilian [:haik]]

(In reply to Haik Aftandilian [:haik] from comment #2)
> I don't see these messages on Sierra. Apparently macOS Sierra sandboxed apps
> will not have the mach-register permission hence it makes sense that OS X
> libraries would be reworked in Sierra to not trigger these sandbox
> violations.

Tests I ran today on Sierra 10.12 (first official release) are now showing the tsm.portname sandbox violation in the Console so I'll look into ways we might prevent these messages in the console. I don't know why I didn't see them before. It could be that the behavior of the Console.app changed (it has changed significantly in Sierra), the OS changed, or I just didn't notice them.

Comment 7

[Gerry Chang [:gchang]]

Mark 51 as fix-optional. If it's worth uplifting to 51, feel free to nominate it.

Comment 8

[Haik Aftandilian [:haik]]

[Tracking Requested - why for this release]:
Remote printing on Mac is already enabled in 51 (due to 1228022 being fixed in 51) and so the privileges being removed here are not needed in 51. This is part of the work required for our level=1 Mac content sandbox and is worth uplifting to get us closer to release given it is relatively low risk. This fix does trigger some warnings in the terminal when Firefox is run from the command line (bug 1306663).

Comment 9

[Gerry Chang [:gchang]]

Track 51+ as remote printing on Mac is enabled in 51.

Comment 10

[Haik Aftandilian [:haik]]

Due to bug 1310165 emerging, I'd like to cancel the uplift request for build 51. Gerry, could you minus this for build 51?