1417005 - [Mac] Allow disabling sandboxing

Status: RESOLVED FIXED

(Core :: Security: Process Sandboxing, defect, P1)

Description

[Gund]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36

Steps to reproduce:

According to the link https://wiki.mozilla.org/Security/Sandbox#Local_Build_Options, We can disable the sandbox using "--disable-content-sandbox" & "--disable-sandbox", but these are build time options. Can we have these parameters as runtime options so that we can disable/enable sandbox during the browser launch like chrome(https://www.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design).


Actual results:

Currently the flags are available as build time parameters only. 


Currently with sandbox enabled, whenever I try to launch FF 57 beta or make any search in new tab, I'm seeing the below error in system logs and tab crashes(screenshot attached)

"kernel[0]: Sandbox: plugin-container(92759) deny forbidden-sandbox-reinit"

Comment 1

[Alex Gaynor [:Alex_Gaynor]]

This can be accomplished with environment variables: https://wiki.mozilla.org/Security/Sandbox#Environment_variables

Please be aware that we can't make any claims about the security of the sandbox when you're running it under your own policy.

Comment 2

[Gund]

I'm running FF 57 Beta on Sierra & High Sierra with mac os sandbox functionality. Is there a way to disable the firefox inbuilt sandbox so that I can use macos sandbox. After setting the environment variables, I verified that the flag security.sandbox.content.level was set to 0, but still on opening the browser, the browser crashed. Crash report - https://crash-stats.mozilla.com/report/index/bc4e61a7-9665-4657-b612-b84690171108#tab-details

I'm trying to run the firefox with below command
/usr/bin/sandbox-exec  -f /<my-sandbox-path>/sandbox.sb /Applications/Firefox.app/Contents/MacOS/firefox-bin

Not sure if there are any issues in sandboxing rules because it was working fine will Firefox 56 version and it crashes 57 beta, 57 stable, 58 beta.

Comment 3

[Jim Mathies [:jimm]]

We're not going to work on this but contributions welcome.

Comment 4

[Haik Aftandilian [:haik]]

The Mac implementation doesn't respect MOZ_DISABLE_GMP_SANDBOX hence sandboxing can't be completely disabled at runtime on OS X. The media team would also like to be able to disable the plugin sandbox in some test/debugging scenarios without a recompile. I don't think there's a specific reason we don't respect MOZ_DISABLE_GMP_SANDBOX on Mac. I'll confirm and then get this fixed. For reference, we don't allow completely disabling the content sandbox via prefs (since bug 1358223 landed), but we still allow it via MOZ_DISABLE_CONTENT_SANDBOX.

Comment 5

[Haik Aftandilian [:haik]]

Attachment: Bug 1417005 - [Mac] Respect MOZ_DISABLE_GMP_SANDBOX

Respect MOZ_DISABLE_GMP_SANDBOX so that the GMP sandbox
can be disabled from the command line.

Review commit: https://reviewboard.mozilla.org/r/215490/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/215490/

Comment 6

[Haik Aftandilian [:haik]]

Comment on attachment 8945266 [details]
Bug 1417005 - [Mac] Respect MOZ_DISABLE_GMP_SANDBOX

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/215490/diff/1-2/

Comment 7

[Chris Pearce [:cpearce (Not reading bugmail)]]

Comment on attachment 8945266 [details]
Bug 1417005 - [Mac] Respect MOZ_DISABLE_GMP_SANDBOX

https://reviewboard.mozilla.org/r/215490/#review221112

Nice & easy.

Comment 8

[Alex Gaynor [:Alex_Gaynor]]

Comment on attachment 8945266 [details]
Bug 1417005 - [Mac] Respect MOZ_DISABLE_GMP_SANDBOX

https://reviewboard.mozilla.org/r/215490/#review221348

Comment 9

[Pulsebot]

Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/33893b1ab985
[Mac] Respect MOZ_DISABLE_GMP_SANDBOX r=Alex_Gaynor,cpearce

Comment 10

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/33893b1ab985