Closed Bug 1498614 Opened 7 years ago Closed 6 years ago

Enable android:isolatedProcess on Fennec

Categories

(Core :: Security: Process Sandboxing, enhancement, P5)

Product:
Core
Component:
Security: Process Sandboxing
Platform:
Unspecified
Android
Type:
enhancement

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: cpeterson, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [geckoview])

Attachments

(1 obsolete file)

If android:isolatedProcess is set to true, this service will run under a special process that is isolated from the rest of the system and has no permissions of its own. The only communication with it is through the Service API (binding and starting). https://developer.android.com/guide/topics/manifest/service-element#isolated
This idea has come up occasionally over the past few years. If I remember correctly there are still some open questions: 1. Are we going to continue using Android's service facility, or fork/exec child processes like on desktop, or some combination of those? This feature seems to require at least one service launch somewhere. (See also bug 1470591, which probably can't work in a service-launched process.) 2. How isolated is the process in concrete terms, and is that going to cause problems? What files can it read, and does that include Gecko itself (e.g., the omnijar or equivalent)? Are there interactions with, e.g., using GPU drivers for WebGL? On devices with seccomp-bpf we might be able to use system call interception and brokering to relax the restrictions, like on desktop, but intervening at the system call level is risky when we can't do per-device pre-release testing like we did on B2G, given the presence of hardware-specific plugins/libraries.
Priority: -- → P2
(In reply to Jed Davis [:jld] (⏰UTC-6) from comment #1) > This idea has come up occasionally over the past few years. If I remember > correctly there are still some open questions: > > 1. Are we going to continue using Android's service facility, or fork/exec > child processes like on desktop, or some combination of those? This feature > seems to require at least one service launch somewhere. (See also bug > 1470591, which probably can't work in a service-launched process.) I don't foresee us moving away from services. It seems likely that Android may completely block fork/exec one day, so we would like to stay on a blessed path as much as possible. (Chrome uses services too). > > 2. How isolated is the process in concrete terms, and is that going to cause > problems? What files can it read, and does that include Gecko itself (e.g., > the omnijar or equivalent)? Are there interactions with, e.g., using GPU > drivers for WebGL? I believe the only thing it really does is drop Android permissions, but some more investigation is probably necessary. All we have from the docs is: > If set to true, this service will run under a special process that is isolated from the rest of the system and has no permissions of its own. The only communication with it is through the Service API (binding and starting). > > On devices with seccomp-bpf we might be able to use system call interception > and brokering to relax the restrictions, like on desktop, but intervening at > the system call level is risky when we can't do per-device pre-release > testing like we did on B2G, given the presence of hardware-specific > plugins/libraries. Apparently Chrome is using this with some success on Android[0], so maybe we can figure this out too? I think I would break that work out into a different bug, though. [0] https://bugs.chromium.org/p/chromium/issues/detail?id=166704
(In reply to James Willcox (:snorp) (jwillcox@mozilla.com) from comment #2) > (In reply to Jed Davis [:jld] (⏰UTC-6) from comment #1) > > 2. How isolated is the process in concrete terms, and is that going to cause > > problems? What files can it read, and does that include Gecko itself (e.g., > > the omnijar or equivalent)? Are there interactions with, e.g., using GPU > > drivers for WebGL? > > I believe the only thing it really does is drop Android permissions, but > some more investigation is probably necessary. My understanding is that it's more than that, and involves SELinux (and may be keyed off of special uids, although we probably don't need to care about that). I think gcp found the policy source files at one point, but I don't remember the details. > > On devices with seccomp-bpf we might be able to use system call interception > > and brokering to relax the restrictions, like on desktop, but intervening at > > the system call level is risky when we can't do per-device pre-release > > testing like we did on B2G, given the presence of hardware-specific > > plugins/libraries. > > Apparently Chrome is using this with some success on Android[0], so maybe we > can figure this out too? I think I would break that work out into a > different bug, though. > > [0] https://bugs.chromium.org/p/chromium/issues/detail?id=166704 Right, but I believe that Google has some leverage over Android device vendors if their driver blobs would break Chrome; we wouldn't have that with Firefox. This has come up before when it's been discussed as an extra layer of sandboxing, but it could also be used to relax the SELinux sandbox if we need to; in that case it could possibly use a default-allow policy, which is less risky but not without risk. But if the SELinux policy works as-is, then that doesn't matter for this bug; I was just bringing it up as an option we might have.
>Yeah, the selinux policy for isolated processes is here That file is near empty. Probably: http://androidxref.com/8.0.0_r4/xref/system/sepolicy/private/isolated_app.te
Assignee: nobody → gpascutto
Depends on: 1522878
Depends on: 1522886
Depends on: 1522890
Depends on: 1522954
Depends on: 1523577
Depends on: 1523639

Most of the remaining tests that fail on try pass locally. Only relevant error seems to be: E/GeckoConsole( 3878): [JavaScript Error: "1549305438845 Toolkit.Telemetry ERROR TelemetryStorage::removeFHRDatabase - failed to remove /storage/sdcard/tests/profile/healthreport.sqlite-shm: Error: OS.File has been shut down. Rejecting post to remove(resource://gre/modules/osfile/osfile_async_front.jsm:400:29) JS Stack trace: post@osfile_async_front.jsm:400:2

(In reply to James Willcox (:snorp) (jwillcox@mozilla.com) from comment #4)

Yeah, the selinux policy for isolated processes is here:
http://androidxref.com/9.0.0_r3/xref/system/sepolicy/prebuilts/api/28.0/
public/isolated_app.te

Also relevant:
http://androidxref.com/9.0.0_r3/xref/device/google/marlin/sepolicy/app.te

So we probably can't access the GPU. That's bad.

(In reply to Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧ from comment #3)

(In reply to James Willcox (:snorp) (jwillcox@mozilla.com) from comment #2)

(In reply to Jed Davis [:jld] (⏰UTC-6) from comment #1)

  1. How isolated is the process in concrete terms, and is that going to cause
    problems? What files can it read, and does that include Gecko itself (e.g.,
    the omnijar or equivalent)? Are there interactions with, e.g., using GPU
    drivers for WebGL?

I believe the only thing it really does is drop Android permissions, but
some more investigation is probably necessary.

My understanding is that it's more than that, and involves SELinux (and may
be keyed off of special uids, although we probably don't need to care about
that). I think gcp found the policy source files at one point, but I don't
remember the details.

On devices with seccomp-bpf we might be able to use system call interception
and brokering to relax the restrictions, like on desktop, but intervening at
the system call level is risky when we can't do per-device pre-release
testing like we did on B2G, given the presence of hardware-specific
plugins/libraries.

Apparently Chrome is using this with some success on Android[0], so maybe we
can figure this out too? I think I would break that work out into a
different bug, though.

[0] https://bugs.chromium.org/p/chromium/issues/detail?id=166704

Right, but I believe that Google has some leverage over Android device
vendors if their driver blobs would break Chrome; we wouldn't have that with
Firefox. This has come up before when it's been discussed as an extra layer
of sandboxing, but it could also be used to relax the SELinux sandbox if we
need to; in that case it could possibly use a default-allow policy, which is
less risky but not without risk. But if the SELinux policy works as-is,
then that doesn't matter for this bug; I was just bringing it up as an
option we might have.

Hi

If an app or apps knowly or without user know exploit seLinux and change to Premissive mode Users Data at risk.

Malicious apss can take advantage for users browsing data.

Summary: Enable android:isolatedProcess → Enable android:isolatedProcess on Fennec

We probably won't get to doing this for Fennec (which doesn't have actual e10s between Gecko chrome and content anyway), but Fenix has some of the same issues with the Java side already peeking about too much.

Assignee: gpascutto → nobody
Priority: P2 → P5

(In reply to Gian-Carlo Pascutto [:gcp] from comment #17)

We probably won't get to doing this for Fennec (which doesn't have actual e10s between Gecko chrome and content anyway), but Fenix has some of the same issues with the Java side already peeking about too much.

What do we need to do to enable android:isolatedProcess for GeckoView's processes? Will Fenix need to do some work on the app side?

Fennec is moving to the ESR 68 branch, so like you said, we won't probably won't support android:isolatedProcess for Fennec. Should we open new bugs for GeckoView and Fenix?

Flags: needinfo?(gpascutto)
Whiteboard: [geckoview:p2] → [geckoview]

What do we need to do to enable android:isolatedProcess for GeckoView's processes? Will Fenix need to do some work on the app side?

It needs a similar set of fixes as the dependent bugs here (they would largely apply to Fenix as well) so the Java content-side code doesn't go outside the sandbox, modifying the manifest, and then likely some amount of fixes in the content process.

I was doing some exploratory work here but didn't get very far. bholley is also looking at multi-e10s on Android.

We should file a new bug for GeckoView(-example), and I'll have to check which of the dependents would also apply to that.

Flags: needinfo?(gpascutto)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Attachment #9036000 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: