Closed Bug 1370578 Opened 7 years ago Closed 7 years ago

Extend sandboxing telemetry probes for Linux features

Categories

(Core :: Security: Process Sandboxing, enhancement)

Product:
Core
Component:
Security: Process Sandboxing
Platform:
x86_64
Linux
Type:
enhancement
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla56
Tracking Flags:
Tracking Status
firefox56 --- fixed

People

(Reporter: gcp, Assigned: jld)

Details

(Whiteboard: sblc3)

Attachments

(1 file)

Bug 1370578 - Extend telemetry for support of some Linux sandbox features. data-r?bsmedberg
59 bytes, text/x-review-board-request
gcp
: review+
benjamin
: review+
Details
Looking at the sandboxing telemetry for Linux features, seccomp is now mostly universal, but tsync isn't (~90%), and User Namespaces are between 75-85%. We probably want to extend the telemetry for the last 2. I'm not sure we care how much coverage tsync has?
It might still be worth gathering data on tsync, but I'm not sure. The only design decision we'll need to make that involves tsync is whether to disable pid namespace support (bug 1151624) if there's no tsync or try to adapt the signal broadcast code to deal with it. (procfs uses pids/tids from the namespace where it was mounted, not the namespace of the task accessing it.) The benefit there is relatively minor and we could decide that we're already past the point were it'd be worth it, but more data wouldn't hurt. Also, someday I'd like to remove all that code, but it's not really a maintenance problem (bug 1257361 notwithstanding) so there's no hurry. User namespaces I'm more interested in, because it's possible that support won't ever converge on 100%. The two classes of security bugs that discourage enabling it are corner cases in authorization, like [CVE-2014-8989][] or [CVE-2014-4014][], and exposure of kernel attack surface normally limited to root, like [CVE-2017-7308][]. I'm willing to believe that new bugs in the former class are unlikely to be added now that user namespaces are better understood and any existing bugs will eventually go extinct, but the latter can be added by essentially any change. Also, the Telemetry Evolution Dashboard for unprivileged user namespaces shows it *decreasing* over the last two release cycles, especially in the e10s-capable subpopulation, so that's another reason we need to continue keeping an eye on it. [CVE-2014-8989]: https://lwn.net/Articles/626665/ [CVE-2014-4014]: https://www.cvedetails.com/cve/CVE-2014-4014/ [CVE-2017-7308]: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
Whiteboard: sblc3
Assignee: nobody → jld
52 is when Arch enabled Telemetry, and the date of this change exactly matches a sudden large increase in the non-userns population (from ~5% to ~10%, then slowly increasing to ~13%): https://git.archlinux.org/svntogit/packages.git/commit/trunk/PKGBUILD?h=packages/firefox&id=0368ebdb85ec
Comment on attachment 8878717 [details] Bug 1370578 - Extend telemetry for support of some Linux sandbox features. data-r?bsmedberg MozReview doesn't understand “data-r?”; setting it myself. Also, I notice that this isn't marked opt-out, which I'd assume would give us a small and probably unrepresentative subset of release users, but the sample counts on the telemetry.mozilla.org dashboard seem relatively high.
Attachment #8878717 - Flags: feedback?(benjamin)
Comment on attachment 8878717 [details] Bug 1370578 - Extend telemetry for support of some Linux sandbox features. data-r?bsmedberg https://reviewboard.mozilla.org/r/150026/#review155132 ::: toolkit/components/telemetry/Histograms.json:12511 (Diff revision 1) > }, > "SANDBOX_MEDIA_ENABLED": { > "record_in_processes": ["main", "content"], > "alert_emails": ["gcp@mozilla.com"], > "bug_numbers": [1098428], > "expires_in_version": "55", Do we care about this one? ::: toolkit/components/telemetry/Histograms.json:12520 (Diff revision 1) > }, > "SANDBOX_CONTENT_ENABLED": { > "record_in_processes": ["main", "content"], > "alert_emails": ["gcp@mozilla.com"], > "bug_numbers": [1098428], > "expires_in_version": "55", Same? It's a function of the others I guess, but seems good to have.
Attachment #8878717 - Flags: review?(gpascutto) → review+
Comment on attachment 8878717 [details] Bug 1370578 - Extend telemetry for support of some Linux sandbox features. data-r?bsmedberg https://reviewboard.mozilla.org/r/150026/#review155280 data-r=me
Attachment #8878717 - Flags: review+
Attachment #8878717 - Flags: feedback?(benjamin)
You're correct that currently this is opt-in, and you can't make much if any conclusion about the release population from this. That might matter for Linux in particular because of the distros! Note that t.m.o only ever shows you the opt-in population, as a result of its design, so if you want to analyze the opt-out population you need to use custom queries or work with a data engineering partner.
Pushed by jedavis@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/fba69ee2166a Extend telemetry for support of some Linux sandbox features. r=gcp data-r=bsmedberg
https://hg.mozilla.org/mozilla-central/rev/fba69ee2166a
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox56: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: