Closed Bug 1386279 Opened 7 years ago Closed 7 years ago

Content child process crashes while accessing /usr/share/X11/xkb (fedora)


(Core :: Security: Process Sandboxing, defect, P1)




Tracking Status
firefox57 --- fixed


(Reporter: stransky, Assigned: jld)



(Whiteboard: sb+)


(1 file)

I see regular crashes of content process with:

Sandbox: Sandbox: SandboxBroker: denied op=1 rflags=5 perms=3 path=/usr/share/X11/xkb for pid=24892 error="No such file or directory"
SandboxBroker: denied op=1 rflags=5 perms=3 path=/usr/share/X11/xkb for pid=6232 error="No such file or directory"
Sandbox: SandboxBroker: denied op=1 rflags=5 perms=3 path=/usr/share/X11/xkb for pid=6146 error="No such file or directory"
Sandbox: Rejected errno -13 op 1 flags 05 path /usr/share/X11/xkb
Sandbox: Rejected errno -13 op 1 flags 05 path /usr/share/X11/xkb

access(/usr/share/X11/xkb) -> Permission denied

the /usr/share/X11/xkb directory contains keyboard input config and it's accessed by libxkbcommon library which is a part of Gtk/Gnome on linux:

[komat@localhost ~]$ ll /usr/share/X11
total 88
drwxr-xr-x.  2 root root  4096 Jul 24 10:21 app-defaults
drwxr-xr-x.  7 root root  4096 Feb 12 06:38 fonts
drwxr-xr-x. 64 root root  4096 Jun 16 09:24 locale
-rw-r--r--   1 root root 17975 Feb 12 06:44 rgb.txt
drwxr-xr-x   2 root root  4096 Jun 16 09:31 x11perfcomp
-rw-r--r--   1 root root 42077 Sep  3  2015 XErrorDB
drwxr-xr-x.  8 root root  4096 Jun  1 00:53 xkb
drwxr-xr-x.  2 root root  4096 Jun 16 09:39 xorg.conf.d

[komat@localhost ~]$ ll /usr/share/X11/xkb
total 24
drwxr-xr-x.  2 root root 4096 Jun 16 09:23 compat
drwxr-xr-x.  4 root root 4096 Jun 16 09:23 geometry
drwxr-xr-x.  4 root root 4096 Jun 16 09:23 keycodes
drwxr-xr-x.  2 root root 4096 Jun 16 09:23 rules
drwxr-xr-x. 14 root root 4096 Jun 16 09:42 symbols
drwxr-xr-x.  2 root root 4096 Jun 16 09:23 types
Distro is Fedora 26 with latest mozilla-central.
/usr/share is whitelisted:

Also, the errors have "op=1" instead of "op=access", which means they're being made by the AuditPermissive mode, yet they have "denied" instead of "would have denied".

Are you sure your m-c is current? Do you have something special related to the sandbox in the environment?
That looks like a version of m-c from before bug 1308400, which is where that error message changed to use operation names (and remove the meaningless errno).

I think the problem might be that it's passing R_OK|X_OK, not just R_OK, and we consider nothing “executable”[1].  That more or less makes sense for regular files, given that execve() is not allowed, although I don't know if it makes any difference to do that vs. return the actual executability.  However, this is a directory, and any directory that's MAY_ACCESS in the policy and X_OK for real is effectively X_OK for the client.

See also bug 1382246 — the reason why the brokered access() doesn't call the real access() is no longer relevant.

I tested latest trunk, still crashes. There's the output:

Sandbox: SandboxBroker: denied op=access rflags=5 perms=3 path=/usr/share/X11/xkb for pid=5676
Sandbox: SandboxBroker: denied op=access rflags=5 perms=3 path=/usr/share/X11/xkb for pid=5730
Sandbox: Failed errno -13 op 1 flags 05 path /usr/share/X11/xkb
Sandbox: Failed errno -13 op 1 flags 05 path /usr/share/X11/xkb
access(/usr/share/X11/xkb) -> Permission denied
Assignee: nobody → jld
Priority: -- → P1
Summary: Content child process crashes while accessing /usr/share/X11/xkb → Content child process crashes while accessing /usr/share/X11/xkb (fedora)
Whiteboard: sb+
I don't know if this has any observable interaction with bug 1292249, but I'm noting it for future reference.
See Also: → 1292249
Comment on attachment 8895160 [details]
Bug 1386279 - Renovate Linux sandbox file broker handling of access().
Attachment #8895160 - Flags: review?(gpascutto) → review+
Pushed by
Renovate Linux sandbox file broker handling of access(). r=gcp
Also, I looked at upstream libxkbcommon, and it seems to use eaccess(), which glibc emulates imperfectly on top of stat() because Linux doesn't support it (nor faccessat with AT_EACCESS; Linux's faccessat doesn't take flags at all).  If Fedora has local patches to use access() instead, that might explain why this showed up only on Fedora.
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
You need to log in before you can comment on or make changes to this bug.


