Closed Bug 1376976 Opened 7 years ago Closed 7 years ago

[mac] restrict the sysctl-read access in content

Categories

(Core :: Security: Process Sandboxing, enhancement)

Product:
Core
Component:
Security: Process Sandboxing
Platform:
Unspecified
macOS
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla56
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox54 --- wontfix
firefox55 --- wontfix
firefox56 --- fixed

People

(Reporter: Alex_Gaynor, Assigned: Alex_Gaynor)

References

(Blocks 1 open bug)

Details

(Keywords: sec-other, Whiteboard: sbmc3 [keep hidden while https://crbug.com/738129 is hidden][adv-main56-][post-critsmash-triage])

Attachments

(1 file, 4 obsolete files)

sysctl-lockdown.diff
4.72 KB, patch
haik
: review+
Details | Diff | Splinter Review
Right now our sandbox policy has a blanket |(allow sysctl-read)|. There's apparently a way to restrict the which sysctls are allowed though! From |com.apple.AnnotationKit.MigratorService.sb| in |/System/Library/Sandbox/Profiles|: (allow sysctl-read (sysctl-name "hw.physicalcpu_max")) We should copy this pattern and restrict this only to the sysctls we need! Per :jld, sysctl's can be used to obtain the mac address and other details.
That file doesn't exist on OS X 10.10, and I don't see anything else in /System/Library/Sandbox/Profiles filtering by sysctl selector, so it's possible that this isn't doable on older OS versions; we should check that.
https://opensource.apple.com/source/Libinfo/Libinfo-459.40.1/gen.subproj/getifaddrs.c.auto.html is an example of what we *don't* want to allow; even if that doesn't expose MAC addresses directly, it would show non-privacy-enabled IPv6 addresses (e.g., link-local) which contain the MAC address.
Group: dom-core-security
:haik tested this out on a 10.9 box and it's sadly an error there, it looks fine on try (10.10) so we'll have to make this conditional on a newer OS.
Attached patch sysctl-lockdown.diff (obsolete) — Splinter Review
Assignee: nobody → agaynor
Attachment #8883574 - Flags: review?(jld)
Attachment #8883574 - Flags: review?(haftandilian)
Comment on attachment 8883574 [details] [diff] [review] sysctl-lockdown.diff Clearing the reviews until I add the 10.9 bits
Attachment #8883574 - Flags: review?(jld)
Attachment #8883574 - Flags: review?(haftandilian)
Attached patch sysctl-lockdown.diff (obsolete) — Splinter Review
Attachment #8883574 - Attachment is obsolete: true
Attachment #8883622 - Flags: review?(jld)
Attachment #8883622 - Flags: review?(haftandilian)
Comment on attachment 8883622 [details] [diff] [review] sysctl-lockdown.diff Review of attachment 8883622 [details] [diff] [review]: ----------------------------------------------------------------- I'm a little concerned about the possibility of OS updates introducing more sysctls, especially for CPU features, but I'm not seeing a way to address a sysctl subtree, so this might be the best we can do. (The CPU info can mostly(?) be obtained from the CPUID instruction, so fine-grained restrictions on those sysctls might not actually be hiding anything.)
Attachment #8883622 - Flags: review?(jld) → review+
|sysctl-name-regex| does exist, if we wanted to whitelist all of |hw\.| or another tree. (Haven't checked the exact version support for it). Precise whitelist obviously gives us more control, and fails-closed making it more secure, whitelisting full trees fails-open in the event a privacy-compromising option is added to a tree we trusted (an example of this I ran into was that |hostname| is under the |kern| tree). I could go either way, so if anyone feels strongly I'd love to hear about it.
(Also apparently |sysctl-name-prefix|, which is slightly prettier than -regex but functionally equivalent as far as I can tell)
Honestly, I'm not sure either. There's also the problem that the sysctl(8) command doesn't show some things, even with the -o flag to show “opaque” values — the `pcblist` nodes (== `netstat -an`) do show up, but `net.route` shows only a harmless-looking boolean flag `net.route.verbose` even though that's the subtree that getifaddrs() uses. So that's not a safe way to check what a subtree exposes.
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #10) > (Also apparently |sysctl-name-prefix|, which is slightly prettier than > -regex but functionally equivalent as far as I can tell) That doesn't exist on 10.10, but -regex does (and works).
The lack of ability to reliably introspect these things to me is a compelling argument that we should at least _try_ the pure-whitelist, and only switch to prefixes once we learn that it's a terrible idea because everything breaks :-) (Most sysctl callsites in our code have defaults, so depending on your perspective that either means the failures will be silent, or they won't be super disruptive).
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #13) > The lack of ability to reliably introspect these things to me is a > compelling argument that we should at least _try_ the pure-whitelist, and > only switch to prefixes once we learn that it's a terrible idea because > everything breaks :-) (Most sysctl callsites in our code have defaults, so > depending on your perspective that either means the failures will be silent, > or they won't be super disruptive). I think it's worth trying the whitelist too. One concern is that new OS versions might introduce low-level code that use a sysctl we block for CPU-specific optimizations. It could silently fallback to a slower path and we wouldn't know apart from messages in Console. But that's the nature of this work.
Comment on attachment 8883622 [details] [diff] [review] sysctl-lockdown.diff Review of attachment 8883622 [details] [diff] [review]: ----------------------------------------------------------------- I agree with :jld and think this is a little risky, but well understood. We want the strongest sandbox that allows the browser to work so it's worth trying.
Attachment #8883622 - Flags: review?(haftandilian) → review+
Let's add a test for this in security/sandbox/test/browser_content_sandbox_syscalls.js.
Attached patch sysctl-lockdown.diff (obsolete) — Splinter Review
Attachment #8883622 - Attachment is obsolete: true
Attachment #8883996 - Flags: review?(jld)
Attachment #8883996 - Flags: review?(haftandilian)
Alex: this appears to be work on improving our sandbox and not really a vulnerability per se. Does it need to remain hidden?
Flags: needinfo?(agaynor)
I didn't originally think it did. :jld marked it as a security (maybe because he filed an equivilant Chromium bug as a security bug?). :jld, can you confirm?
Flags: needinfo?(agaynor) → needinfo?(jld)
Blocks: 1359559
Comment on attachment 8883996 [details] [diff] [review] sysctl-lockdown.diff Why the TODO for net.inet?
Attachment #8883996 - Flags: review?(haftandilian) → review+
Doh, meant to delete that |TODO|, I already confirmed it was fine.
Yes, I hid this bug because I filed https://crbug.com/738129 (linked less readably in this bug's See Also section), which they've opted to leave hidden even though they consider it a “minor privacy issue”. I also mentioned on that bug that this bug was briefly public.
Flags: needinfo?(jld)
Attached patch sysctl-lockdown.diff (obsolete) — Splinter Review
Attachment #8883996 - Attachment is obsolete: true
Attachment #8883996 - Flags: review?(jld)
Attachment #8884061 - Flags: review?(jld)
Sorry for not noting this earlier, but it just occurred to me that we need to make the test not apply to OS X 10.9. Low priority since we're not running 10.9 on treeherder right now. We might end up doing that later for ESR builds. I don't know the best way to do it, but Google led me to sw_vers which works on 10.9: $ sw_vers -productVersion 10.9.5
I think sysctlbyname("kern.osrelease") >= "14.0.0" would work (14.0.0 was the Darwin release corresponding to 10.10). I think we must have an existing internal API for this, so I'll look for that first before doing it the funny way :-)
Ok, I think this resolves all the review feedback! What's the process for landing a change like this?
Attachment #8884061 - Attachment is obsolete: true
Attachment #8884061 - Flags: review?(jld)
Attachment #8884324 - Flags: review?(haftandilian)
Attachment #8884324 - Flags: review?(haftandilian) → review+
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/beec1017eefaec856040a49e49c6e477582f2a72
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox54: --- → wontfix
status-firefox55: --- → wontfix
status-firefox56: --- → fixed
status-firefox-esr52: --- → wontfix
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Keywords: sec-other
Whiteboard: sbmc3 → sbmc3 [keep hidden while https://crbug.com/738129 is hidden]
Group: dom-core-security → core-security-release
The Chromium bug is still hidden, but this unit test landed and the comment pretty much lets the cat out of the bag (if in fact the cat was ever in the bag): https://chromium.googlesource.com/chromium/src.git/+/9e96523ae3dee27d2af4d48fbfcc12881aa8e721/content/renderer/sandbox_mac_v2_unittest.mm#154
Good enough for me. Dan, can you unhidden this?
Flags: needinfo?(dveditz)
Whiteboard: sbmc3 [keep hidden while https://crbug.com/738129 is hidden] → sbmc3 [keep hidden while https://crbug.com/738129 is hidden][adv-main56-]
Flags: qe-verify-
Whiteboard: sbmc3 [keep hidden while https://crbug.com/738129 is hidden][adv-main56-] → sbmc3 [keep hidden while https://crbug.com/738129 is hidden][adv-main56-][post-critsmash-triage]
Group: core-security-release
Flags: needinfo?(dveditz)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: