Closed Bug 1465911 Opened 6 years ago Closed 6 years ago

Disable CPOWs outside of test mode

Categories

(Core :: JavaScript Engine, enhancement)

Product:
Core
Component:
JavaScript Engine
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla63
Tracking Flags:
Tracking Status
firefox63 --- fixed

People

(Reporter: evilpie, Assigned: evilpie)

References

Details

Attachments

(2 files)

Disable CPOWs outside of test mode
2.71 KB, patch
mrbkap
: review+
Details | Diff | Splinter Review
Disable CPOWs also when receiving message from the child. r?
6.46 KB, patch
mrbkap
: review+
Details | Diff | Splinter Review 
Nothing outside except tests should require CPOWs to work nowadays. CPOWs represent a huge IPC attack surface, which we should disable for normal builds.
See Also: → 1465860
We can't actually disable CPOWs completely, because we still use them as tokens to pass around from child->parent->child in the context menu. But what we can do is disable all the methods. That should drastically reduce the IPC surface. JavaScriptParent::allowMessage already has code that does this. I wonder if we could just rip of this out and replace it with xpc::IsInAutomation(). However it does seem nice to even disable some of this stuff in test mode when possible, so we should probably just keep it.
Assignee: nobody → evilpies
This code seems total convoluted to me. I feel like we should just always disallow "unsafe" CPOW usage and even remove the pref for that. Also maybe we can warn about "safe" CPOW usage, but this might cause some log spam, I don't know.
Attachment #8984391 - Flags: feedback?(mrbkap)
I think we also need to add something to WrapperAnswer::Recv* to prevent child->parent CPOW IPC calls.
Attachment #8984391 - Flags: feedback?(mrbkap) → review+
For the WrapperAnswer case, should I use 
1. CrashIfNotInAutomation(), this would crash the parent even in release
2. if (!InAutomation()) return false, kills the child process
3. if (!InAutomation()) *rs = ReturnStatus(SomethingBad()), could be handled gracefully by throwing an exception in the child.
Flags: needinfo?(mrbkap)
(In reply to Tom Schuster [:evilpie] from comment #5)
> For the WrapperAnswer case, should I use 
> 1. CrashIfNotInAutomation(), this would crash the parent even in release
> 2. if (!InAutomation()) return false, kills the child process
> 3. if (!InAutomation()) *rs = ReturnStatus(SomethingBad()), could be handled

My preference would be 2: I don't think it's worth killing the parent over this, but we should definitely be killing the child so the dev that would have introduced this use fixes it sooner rather than later.
Flags: needinfo?(mrbkap)
Comment on attachment 8986769 [details] [diff] [review]
Disable CPOWs also when receiving message from the child. r?

Because this change is not test at all, I plan on landing this after the merge.
Attachment #8986769 - Flags: review?(mrbkap)
Attachment #8986769 - Flags: review?(mrbkap) → review+
Thanks for taking care of this!
Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/cfc300ef2cf9
Disable CPOWs outside of test mode. r=mrbkap
https://hg.mozilla.org/integration/mozilla-inbound/rev/c24b5f6944bb
Disable CPOWs also when receiving message from the child. r=mrbkap
https://hg.mozilla.org/mozilla-central/rev/cfc300ef2cf9
https://hg.mozilla.org/mozilla-central/rev/c24b5f6944bb
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox63: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: