Closed
Bug 1328896
Opened 8 years ago
Closed 7 years ago
Remove or restrict fcntl in desktop content processes
Categories
(Core :: Security: Process Sandboxing, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla58
People
(Reporter: jld, Assigned: jld)
References
Details
(Whiteboard: sb+)
Attachments
(1 file)
fcntl is somewhat dangerous, and we're currently allowing it with no restrictions for content processes. Specifically: F_SETFL with the O_ASYNC flag set causes the process to be sent SIGIO whenever I/O is possible on the file descriptor, F_SETSIG can change which signal is sent, and F_SETOWN can retarget that signal to another process (or, using the Linux extension F_SETOWN_EX, a specific thread in another process). In other words, currently it's equivalent to unrestricted tgkill.
(fcntl isn't allowed at all in the GMP policy, and this is why.)
pid namespace isolation (bug 1151624) would mitigate that, but we don't even have code for that, and being able to use it will depend on unprivileged user namespaces *and* seccomp tsync.
Also, just from skimming the fcntl man page, locks and leases allow interactions we'd like to avoid, and in general it exposes a bunch of attack surface we probably mostly don't need.
So, we should restrict fcntl as much as feasible, ideally with a default deny policy, but the usual problems with system libraries apply. At the very least we should be able to block all the components of the signal send gadget.
Updated•8 years ago
|
Whiteboard: sb+
Assignee | ||
Updated•8 years ago
|
Assignee: nobody → jld
Updated•7 years ago
|
Priority: -- → P2
Comment hidden (mozreview-request) |
Comment 2•7 years ago
|
||
mozreview-review |
Comment on attachment 8919575 [details]
Bug 1328896 - Restrict fcntl() in sandboxed content processes.
https://reviewboard.mozilla.org/r/190414/#review196392
Attachment #8919575 -
Flags: review?(gpascutto) → review+
Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ff9088972319
Restrict fcntl() in sandboxed content processes. r=gcp
Comment 4•7 years ago
|
||
bugherder |
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox58:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
You need to log in
before you can comment on or make changes to this bug.
Description
•