Closed Bug 1511560 Opened 11 months ago Closed 8 months ago

Refactor seccomp-bpf policies so that SandboxPolicyCommon can (optionally) enable file brokering and shared memory creation

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

Unspecified
Linux
enhancement

Tracking

()

RESOLVED FIXED
mozilla67
Tracking Status
firefox67 --- fixed

People

(Reporter: jld, Assigned: jld)

References

(Blocks 1 open bug)

Details

Attachments

(4 files)

I ran into a few things that needed to be moved from ContentSandboxPolicy into SandboxPolicyCommon to enable shared memory and file brokering (for reuse by the RDD policy) beyond just moving the broker hooks, and it seemed potentially confusing land all that as part of bug 1500297 with its unassuming initial description.

So bug 1500297 will just be about adjusting ContentSandboxPolicy (and restoring sandbox level 1) as described there, the seccomp policy refactoring will all go here, and the rest of the RDD sandbox will belong to bug 1506291.
This will allow other policies to use brokering if needed (e.g., RDD and
similar utility processes may need to access /dev/shm to create shared
memory).  The concrete policy class can deny filesystem access completely
(matching the current behavior of the GMP policy) by passing nullptr to
the superclass constructor instead.

Depends on D14520
The sandbox broker uses socketpair to construct the per-request channels
over which responses are sent; thus, if and only if the policy will be
using brokering, it will allow socketpair as safely as possible (i.e.,
denying datagram sockets if possible).

Depends on D14522
File descriptors are sometimes dup()ed in the process of communicating
them over IPC; some of this may be unnecessary (due to insufficient
use of move-only types), but dup() is relatively harmless.  It was
previously allowed for both content and GMP, so this doesn't change
anything.

The handling of ftruncate is a little complicated -- it's used for IPC
shared memory, but only when creating segments; so GMP doesn't allow
it and should continue not allowing it, but content needs it and RDD
will as well.  As a result, the subclass indicates if it will be needed.

Note that even when we have memfd_create support (bug 1440203),
ftruncate is still necessary even though brokering may not.

Depends on D14523
Attachment #9031324 - Attachment description: Bug 1511560 - Move syscalls used by malloc into SandboxPolicyCommon. → Bug 1511560 - Move syscalls for adjusting memory mapping properties into SandboxPolicyCommon.
Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/48431f63d842
Move the Linux sandbox broker hooks into SandboxPolicyCommon. r=gcp
https://hg.mozilla.org/integration/autoland/rev/bab79f855962
Move syscalls for adjusting memory mapping properties into SandboxPolicyCommon. r=gcp
https://hg.mozilla.org/integration/autoland/rev/db2dee78ddb0
Move the socketpair handling into SandboxPolicyCommon. r=gcp
https://hg.mozilla.org/integration/autoland/rev/94cb1fe9db5e
Allow dup and ftruncate (when needed) in SandboxPolicyCommon. r=gcp
You need to log in before you can comment on or make changes to this bug.