Closed Bug 1463353 Opened 6 years ago Closed 6 years ago

contentSandboxRules does not explicitly list 'com.apple.fonts' mach service

Categories

(Core :: Security: Process Sandboxing, defect, P1)

Tracking

RESOLVED FIXED
mozilla62
Tracking Status
firefox62 --- fixed

People

(Reporter: alex.plaskett, Assigned: haik)

References

(Blocks 1 open bug)

Details

(Whiteboard: sb?)

Attachments

(1 file)

As part of the initialisation of a content process a connection to the mach service 'com.apple.fonts' is established and used throughout the process lifetime. This occurs before sandbox_init_with_parameters() is called and therefore ends up with a mach port with send rights within the process space. Currently 'com.apple.fonts' is not listed explicitly within the contentSandboxRules mach-lookup rules.

This can be seen by setting a breakpoint on 'xpc_connection_create_mach_service' on process startup, examining the ports using 'lsmp', or intercepting the XPC communications using function hooking. From looking at the stack trace, this seems to occur due to AppKit/CoreText being initialised before sandbox_init is called (https://bugzilla.mozilla.org/show_bug.cgi?id=1431441).

Whilst this implicit functionality would protect against malicious additional connections to 'com.apple.fonts' after the sandbox is established, in practical terms an attacker with code execution within the content process could make use of the existing mach port for communication (for example by hooking / mutation of on-going XPC messages to the service).

It is therefore recommended that this be reviewed and potentially included within the sandbox profile, so the exposure is documented. This was also considered in the past (https://bugzilla.mozilla.org/show_bug.cgi?id=1284291).
Whiteboard: sb?
Blocks: 1389494
Group: core-security → dom-core-security
This bug can be made public. Not listing the font services in the policy doesn't reduce security. Our content processes need access to font services so it makes sense to include them in the content sandbox policy. At present, they are not listed, but the services are usable because they are used before the sandbox is enabled (and the registration happens as a side effect). We will need to do this when we address bug 1431441.
Assignee: nobody → haftandilian
Priority: -- → P1
Group: dom-core-security
Looking at /System/Library/Sandbox/Profiles/application.sb on different OS versions, com.apple.FontServer is only used by 10.9-10.11. com.apple.FontObjectsServer is used by 10.9-10.13. And com.apple.fonts is used on 10.12 and 10.13. When we implement bug 1431441, we can tackle other services we are implicitly registering and either list them in the policy or avoid using them if possible.
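The two points above (a service reachable through a port opened before sandbox_init_with_parameters() is not necessarily named in the policy, and which font service applies depends on the macOS minor version) can be checked mechanically. The script below is an added example, not Mozilla code and not a copy of SandboxPolicies.h: it parses the small SBPL subset used by mach-lookup rules, evaluates `(if (<= macosMinorVersion N) ...)` conditionals for a chosen minor version, and reports which services a process was observed holding (a constructed list standing in for lsmp output) that the active policy never grants. The policy excerpt, the observed-service list and the parameter name `macosMinorVersion` are assumptions for illustration.

```python
import re

# Constructed SBPL excerpt in the shape of the rules discussed in this bug.
# NOT a copy of SandboxPolicies.h; names and version cutoffs are illustrative.
SAMPLE_POLICY = '''
(version 1)
(deny default)
; font services: the connection is opened before the sandbox is enabled,
; so the process keeps working even when these rules are missing
(allow mach-lookup
  (global-name "com.apple.system.logger")
  (global-name "com.apple.FontObjectsServer"))
(if (<= macosMinorVersion 11)
  (allow mach-lookup (global-name "com.apple.FontServer")))
(if (> macosMinorVersion 11)
  (allow mach-lookup (global-name "com.apple.coreservices.launchservicesd")))
'''

# Constructed list of services a content process was observed holding send
# rights for at startup (what lsmp or a breakpoint on
# xpc_connection_create_mach_service would give you).
OBSERVED_SERVICES = [
    "com.apple.fonts",
    "com.apple.FontObjectsServer",
    "com.apple.FontServer",
    "com.apple.system.logger",
]


class Symbol(str):
    """An SBPL identifier, kept distinct from quoted string literals."""


TOKEN_RE = re.compile(r'\(|\)|"(?:[^"\\]|\\.)*"|[^\s()"]+')


def tokenize(text):
    """Split policy text into tokens, dropping ';' line comments first."""
    return TOKEN_RE.findall(re.sub(r';[^\n]*', '', text))


def parse(tokens):
    """Read all top-level forms into nested lists of Symbol / str / int."""
    def read(pos):
        tok = tokens[pos]
        if tok == '(':
            items, pos = [], pos + 1
            while tokens[pos] != ')':
                item, pos = read(pos)
                items.append(item)
            return items, pos + 1
        if tok == ')':
            raise ValueError("unbalanced ')' at token %d" % pos)
        if tok.startswith('"'):
            return tok[1:-1], pos + 1
        return (int(tok) if tok.lstrip('-').isdigit() else Symbol(tok)), pos + 1

    forms, pos = [], 0
    while pos < len(tokens):
        form, pos = read(pos)
        forms.append(form)
    return forms


COMPARATORS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def evaluate(cond, params):
    """Evaluate the (op param-or-number param-or-number) conditions this profile uses."""
    op, lhs, rhs = cond
    resolve = lambda v: params[v] if isinstance(v, Symbol) else v
    return COMPARATORS[op](resolve(lhs), resolve(rhs))


def allowed_mach_lookups(forms, params):
    """Collect every global-name granted by an active (allow mach-lookup ...) rule,
    descending into (if cond then [else]) using the supplied parameter values."""
    allowed = set()
    for form in forms:
        if not isinstance(form, list) or not form:
            continue
        if form[0] == "allow" and len(form) > 1 and form[1] == "mach-lookup":
            for filt in form[2:]:
                if isinstance(filt, list) and filt and filt[0] == "global-name":
                    allowed.update(filt[1:])
        elif form[0] == "if" and len(form) >= 3:
            taken = form[2] if evaluate(form[1], params) else (form[3] if len(form) > 3 else None)
            if taken is not None:
                allowed |= allowed_mach_lookups([taken], params)
    return allowed


def undeclared_services(policy_text, observed, minor_version):
    """Services the process already holds a port for but the active policy never
    names: the documentation gap this bug is about."""
    forms = parse(tokenize(policy_text))
    allowed = allowed_mach_lookups(forms, {"macosMinorVersion": minor_version})
    return sorted(s for s in observed if s not in allowed)


if __name__ == "__main__":
    for minor in (11, 13):
        print("10.%d: held but not listed -> %s"
              % (minor, undeclared_services(SAMPLE_POLICY, OBSERVED_SERVICES, minor)))
```

Run against the constructed inputs, 'com.apple.fonts' shows up as held-but-unlisted on every version, while 'com.apple.FontServer' is covered on 10.11 and becomes unlisted on 10.13, which is exactly the version split the comment above describes. Swapping SAMPLE_POLICY for the real profile text and OBSERVED_SERVICES for the names collected from lsmp turns this into a regression check that the policy documents every service a content process already depends on.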
Comment on attachment 8981976 [details]
Bug 1463353 - contentSandboxRules does not explicitly list 'com.apple.fonts' mach service.

https://reviewboard.mozilla.org/r/247994/#review254104

::: security/sandbox/mac/SandboxPolicies.h:347
(Diff revision 1)
> +  (allow mach-lookup
> +    (global-name "com.apple.fonts")
> +    (global-name "com.apple.FontObjectsServer"))
> +  (if (<= macosMinorVersion 11)
> +    (allow mach-lookup (global-name "com.apple.FontServer")))
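Review bot: the new block needs an explanatory comment, because a content process keeps working with these rules removed: the 'com.apple.fonts' connection is opened before sandbox_init_with_parameters() runs, so a reader who later tests by deleting the rules sees no breakage and may conclude they are dead. State that the rules document an existing dependency that is only enforced once sandbox activation moves earlier (bug 1431441). On the `(if (<= macosMinorVersion 11)` line, also note that com.apple.FontServer is only contacted on 10.9 through 10.11, so the cutoff is traceable rather than looking arbitrary.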

Please add a comment saying that even if it appears to be working without these, it's because the connection was opened very early, that way we don't accidentally remove it next time someone looks, until we move sandbox activation earlier :-)
Attachment #8981976 - Flags: review?(agaynor) → review+
Comment on attachment 8981976 [details]
Bug 1463353 - contentSandboxRules does not explicitly list 'com.apple.fonts' mach service.

https://reviewboard.mozilla.org/r/247994/#review254104

> Please add a comment saying that even if it appears to be working without these, it's because the connection was opened very early, that way we don't accidentally remove it next time someone looks, until we move sandbox activation earlier :-)

Done. Thanks.
Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b6ebcc05cf30
contentSandboxRules does not explicitly list 'com.apple.fonts' mach service. r=Alex_Gaynor
https://hg.mozilla.org/mozilla-central/rev/b6ebcc05cf30
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62