Closed
Bug 1450740
Opened 6 years ago
Closed 6 years ago
Don't unshare network namespace when using X11 and /tmp/.X11-unix isn't available
Categories
(Core :: Security: Process Sandboxing, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla61
| Tracking | Status | |
|---|---|---|
| firefox59 | --- | unaffected |
| firefox60 | --- | fixed |
| firefox61 | --- | fixed |
People
(Reporter: jld, Assigned: jld)
References
Details
Attachments
(1 file)
|
59 bytes,
text/x-review-board-request
|
gcp
:
review+
RyanVM
:
approval-mozilla-beta+
|
Details |
I'm breaking this out of bug 1449594 because a workaround was already landed under that bug. The problem is partially described in [1], but I forgot something: that situation can also happen if the browser is run with access to the X server's network namespace but without access to /tmp/.X11-unix. (I did mention this in one of the commits for bug 1440206, but apparently didn't realize all of the implications at the time.) In particular, this is a problem for container-like environments like Snap that allow access to the network namespace but create a new mount namespace with a private /tmp (and don't bind-mount /tmp/.X11-unix, because normally the abstract namespace sockets suffice). (Note that if the browser is chroot()ed — more precisely, if the process's root directory isn't its mount namespace's root — then we're forbidden from creating new user namespaces as a protection against chroot escapes and none of this matters, but that's usually not the case in modern Linux containers.) This situation should be detectable by checking whether the /tmp/.X11-unix directory exists. It would also be possible to use getpeername() and hard-code some knowledge about how Xorg arranges its sockets to check for the specific socket that would be used, but that's more code and more possibly-fragile assumptions so I'd prefer not to if it's not necessary. [1] https://searchfox.org/mozilla-central/rev/b80994a43e5d92c2f79160ece176127eed85dcc9/security/sandbox/linux/launch/SandboxLaunch.cpp#89-95
|
Assignee | |
Comment 1•6 years ago
|
||
Self-contained STR: unshare -Umr # this starts a subshell; use it for the following commands mount -t tmpfs tmpfs /tmp firefox --new-instance
| Comment hidden (mozreview-request) |
|
||
Comment 3•6 years ago
|
||
| mozreview-review | ||
Comment on attachment 8964424 [details] Bug 1450740 - Don't sandbox network namespace when X11 named sockets aren't accessible. https://reviewboard.mozilla.org/r/233156/#review238918 ::: security/sandbox/linux/launch/SandboxLaunch.cpp:106 (Diff revision 1) > + // remote. See also bug 1450740. > + // > + // Unfortunately, the Xorg client libraries prefer the abstract > + // addresses, so this isn't directly detectable by inspecting the > + // parent process's socket. However, in a container with a > + // private /tmp that isn't running its own X server Part of the comment went missing.
Attachment #8964424 -
Flags: review?(gpascutto) → review+
| Comment hidden (mozreview-request) |
|
|
Assignee | |
Comment 5•6 years ago
|
||
(In reply to Gian-Carlo Pascutto [:gcp] from comment #3) > Comment on attachment 8964424 [details] > > + // private /tmp that isn't running its own X server > > Part of the comment went missing. Thanks; I'm not sure how that happened. Fixed.
Pushed by jedavis@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ddd9187ed66d Don't sandbox network namespace when X11 named sockets aren't accessible. r=gcp
|
||
Comment 7•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/ddd9187ed66d
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
|
|
Assignee | |
Comment 8•6 years ago
|
||
Can you test the latest Nightly with the Snap packaging and without the patch from bug 1449594?
Flags: needinfo?(jlorenzo)
|
|
Assignee | |
Comment 9•6 years ago
|
||
(ni? myself to request uplift once this has had a day or two on Nightly)
Flags: needinfo?(jld)
|
||
Comment 10•6 years ago
|
||
Sorry, we don't build Snaps against Nightly yet. This is due to historical reasons where nightlies have been really different from betas and releases. The work will be done in bug 1451694, though.
Flags: needinfo?(jlorenzo)
See Also: → 1451694
|
|
Assignee | |
Comment 11•6 years ago
|
||
Comment on attachment 8964424 [details] Bug 1450740 - Don't sandbox network namespace when X11 named sockets aren't accessible. Approval Request Comment [Feature/Bug causing the regression]: Bug 1126437 (sandbox improvements) [User impact if declined]: In some container environments, browser may not display content (tab crash on every page), and the Snap package has a significantly weakened sandbox as a workaround. [Is this code covered by automated tests?]: Sandboxing in general has tests; the Snap package doesn't. [Has the fix been verified in Nightly?]: Yes, using the STR from comment #1. [Needs manual test from QE? If yes, steps to reproduce]: Optional; STR is in comment #1. [List of other uplifts needed for the feature/fix]: None. [Is the change risky?]: Low risk. [Why is the change risky/not risky?]: This just turns off a small part of the sandbox in an unusual case. [String changes made/needed]: None.
Flags: needinfo?(jld)
Attachment #8964424 -
Flags: approval-mozilla-beta?
|
||
Comment 12•6 years ago
|
||
Comment on attachment 8964424 [details] Bug 1450740 - Don't sandbox network namespace when X11 named sockets aren't accessible. Fix a Linux sandboxing regression. Approved for 60.0b11.
Attachment #8964424 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Comment 13•6 years ago
|
||
| bugherder uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/73fab5fbc843
You need to log in
before you can comment on or make changes to this bug.
Description
•