Closed Bug 1465911 Opened 7 years ago Closed 6 years ago

Disable CPOWs outside of test mode

Categories

(Core :: JavaScript Engine, enhancement)

enhancement
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla63
Tracking Status
firefox63 --- fixed

People

(Reporter: evilpie, Assigned: evilpie)

References

Details

Attachments

(2 files)

Nothing outside except tests should require CPOWs to work nowadays. CPOWs represent a huge IPC attack surface, which we should disable for normal builds.
See Also: → 1465860
We can't actually disable CPOWs completely, because we still use them as tokens to pass around from child->parent->child in the context menu. But what we can do is disable all the methods. That should drastically reduce the IPC surface. JavaScriptParent::allowMessage already has code that does this. I wonder if we could just rip of this out and replace it with xpc::IsInAutomation(). However it does seem nice to even disable some of this stuff in test mode when possible, so we should probably just keep it.
Assignee: nobody → evilpies
This code seems total convoluted to me. I feel like we should just always disallow "unsafe" CPOW usage and even remove the pref for that. Also maybe we can warn about "safe" CPOW usage, but this might cause some log spam, I don't know.
Attachment #8984391 - Flags: feedback?(mrbkap)
I think we also need to add something to WrapperAnswer::Recv* to prevent child->parent CPOW IPC calls.
Attachment #8984391 - Flags: feedback?(mrbkap) → review+
For the WrapperAnswer case, should I use 1. CrashIfNotInAutomation(), this would crash the parent even in release 2. if (!InAutomation()) return false, kills the child process 3. if (!InAutomation()) *rs = ReturnStatus(SomethingBad()), could be handled gracefully by throwing an exception in the child.
Flags: needinfo?(mrbkap)
(In reply to Tom Schuster [:evilpie] from comment #5) > For the WrapperAnswer case, should I use > 1. CrashIfNotInAutomation(), this would crash the parent even in release > 2. if (!InAutomation()) return false, kills the child process > 3. if (!InAutomation()) *rs = ReturnStatus(SomethingBad()), could be handled My preference would be 2: I don't think it's worth killing the parent over this, but we should definitely be killing the child so the dev that would have introduced this use fixes it sooner rather than later.
Flags: needinfo?(mrbkap)
Comment on attachment 8986769 [details] [diff] [review] Disable CPOWs also when receiving message from the child. r? Because this change is not test at all, I plan on landing this after the merge.
Attachment #8986769 - Flags: review?(mrbkap)
Attachment #8986769 - Flags: review?(mrbkap) → review+
Thanks for taking care of this!
Pushed by evilpies@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/cfc300ef2cf9 Disable CPOWs outside of test mode. r=mrbkap https://hg.mozilla.org/integration/mozilla-inbound/rev/c24b5f6944bb Disable CPOWs also when receiving message from the child. r=mrbkap
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: