Closed Bug 1445003 Opened 2 years ago Closed 2 years ago

RenderDoc's networking conflicts with sandboxing

Categories

(Core :: Security: Process Sandboxing, defect, P1)

60 Branch
Unspecified
Linux
defect

RESOLVED FIXED
mozilla61
Tracking Status
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- fixed

People

(Reporter: jld, Assigned: jld)

Attachments

(1 file)

RenderDoc (https://renderdoc.org/) seems to work by having the process that's using GL accept socket connections from the tools; this uses the Internet domain on desktop Linux.  (On Android it uses Unix-domain abstract addresses, which I assume is because an app without Internet permissions on Android can't create Internet-domain sockets, but that would have the same problems.)

The socket is created/bound early in startup, before the seccomp-bpf policy is applied, but (1) the policy doesn't allow accept/accept4, and (2) on distributions that allow it, the process is already in a separate network namespace at that point, which means nothing could connect to the socket anyway.

It should be enough to detect it via env vars and lower the sandbox level.
Better idea: allow accept() — which needs to be handled specially anyway because it's not allowed at levels 1-3 in the aftermath of bug 1358647 and bug 1362537 — and don't unshare the network namespace (like for remote X11), but otherwise leave the network/socket restrictions intact (no outbound connections, no new listening sockets, etc.).

This seems to work: RenderDoc can connect to child processes and determine whether they're using GL.  However, it can't capture, apparently because we're rendering to an offscreen surface so it doesn't know what the start/end of a frame is; this is not affected by sandboxing, but if capturing WebGL would fail on 60 anyway, then there's not much point in uplifting this.
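The policy shape proposed above (a socket that was bound and listening before the filter was applied stays usable through accept(), while new sockets, outbound connections and new listeners are still refused), as an added C example that is neither Firefox's sandbox code nor part of this bug's patch. The names `DENY`, `sandboxed_child` and `run_demo`, the EACCES error value and the loopback TCP socket are choices made for this example; it assumes Linux on x86-64 or aarch64.

```c
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <netinet/in.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fail one syscall with EACCES; otherwise fall through to the next rule. */
#define DENY(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EACCES)
/* Child: install a denylist filter (brevity only: a production policy is an allowlist
 * that also checks seccomp_data.arch). Bits: 1 accept ok, 2 socket denied, 4 listen denied. */
static int sandboxed_child(int lfd) {
    struct sock_filter rules[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        DENY(__NR_socket), DENY(__NR_connect), DENY(__NR_bind), DENY(__NR_listen),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* accept/accept4 pass */
    };
    struct sock_fprog prog = { sizeof rules / sizeof rules[0], rules };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) return 64;
    int r = 0;
    if (accept(lfd, NULL, NULL) >= 0) r |= 1;
    if (socket(AF_INET, SOCK_STREAM, 0) < 0 && errno == EACCES) r |= 2;
    if (listen(lfd, 1) < 0 && errno == EACCES) r |= 4;
    return r;
}
/* Parent plays the tool: it connects to a socket bound before the filter. */
int run_demo(void) {
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr = { htonl(INADDR_LOOPBACK) } };
    socklen_t len = sizeof a;
    int lfd = socket(AF_INET, SOCK_STREAM, 0), status = 0;
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&a, sizeof a) || listen(lfd, 1) ||
        getsockname(lfd, (struct sockaddr *)&a, &len)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(sandboxed_child(lfd));
    int c = socket(AF_INET, SOCK_STREAM, 0);
    if (c < 0 || connect(c, (struct sockaddr *)&a, sizeof a)) kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    close(c); close(lfd);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
int main(void) { return run_demo() == 7 ? 0 : 1; }
```

The example does not model the network-namespace half of the bug: if the child were also moved into a separate network namespace before creating its socket, the parent's connect() would have nothing to reach.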
Comment on attachment 8958659 [details]
Bug 1445003 - Detect RenderDoc and adjust the sandbox policy so it can work.

https://reviewboard.mozilla.org/r/227576/#review233416

::: security/sandbox/common/SandboxSettings.cpp:13
(Diff revision 1)
>  
>  #include "mozilla/ModuleUtils.h"
>  #include "mozilla/Preferences.h"
>  
>  #include "prenv.h"
> +#include <stdio.h>
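
Review bot: The `#include <stdio.h>` added after `"prenv.h"` has no user visible in this hunk. If no stdio call remains in SandboxSettings.cpp once any debug printing is gone, drop the include; if one does remain, put the system header in its own group rather than appending it to the quoted project headers.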

Debugging leftover?
Attachment #8958659 - Flags: review?(gpascutto) → review+
Comment on attachment 8958659 [details]
Bug 1445003 - Detect RenderDoc and adjust the sandbox policy so it can work.

https://reviewboard.mozilla.org/r/227576/#review233516

::: security/sandbox/common/SandboxSettings.cpp:13
(Diff revision 1)
>  
>  #include "mozilla/ModuleUtils.h"
>  #include "mozilla/Preferences.h"
>  
>  #include "prenv.h"
> +#include <stdio.h>

Yes; thanks for spotting that.
Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0b8d58958178
Detect RenderDoc and adjust the sandbox policy so it can work. r=gcp
https://hg.mozilla.org/mozilla-central/rev/0b8d58958178
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61