Closed
Bug 1511560
Opened 6 years ago
Closed 5 years ago
Refactor seccomp-bpf policies so that SandboxPolicyCommon can (optionally) enable file brokering and shared memory creation
Categories: Core :: Security: Process Sandboxing, enhancement, P1
Status: RESOLVED FIXED
Target milestone: mozilla67
| Tracking | Status
---|---|---
firefox67 | --- | fixed
People: Reporter: jld, Assigned: jld
Attachments: 4 files
I ran into a few things that needed to be moved from ContentSandboxPolicy into SandboxPolicyCommon to enable shared memory and file brokering (for reuse by the RDD policy) beyond just moving the broker hooks, and it seemed potentially confusing to land all that as part of bug 1500297 with its unassuming initial description. So bug 1500297 will just be about adjusting ContentSandboxPolicy (and restoring sandbox level 1) as described there, the seccomp policy refactoring will all go here, and the rest of the RDD sandbox will belong to bug 1506291.
Comment 1 • 6 years ago (Assignee)
This will allow other policies to use brokering if needed (e.g., RDD and similar utility processes may need to access /dev/shm to create shared memory). The concrete policy class can deny filesystem access completely (matching the current behavior of the GMP policy) by passing nullptr to the superclass constructor instead. Depends on D14520
Comment 2 • 6 years ago (Assignee)
Depends on D14521
Comment 3 • 6 years ago (Assignee)
The sandbox broker uses socketpair to construct the per-request channels over which responses are sent; thus, if and only if the policy will be using brokering, it will allow socketpair as safely as possible (i.e., denying datagram sockets if possible). Depends on D14522
Comment 4 • 6 years ago (Assignee)
File descriptors are sometimes dup()ed in the process of communicating them over IPC; some of this may be unnecessary (due to insufficient use of move-only types), but dup() is relatively harmless. It was previously allowed for both content and GMP, so this doesn't change anything. The handling of ftruncate is a little complicated -- it's used for IPC shared memory, but only when creating segments; so GMP doesn't allow it and should continue not allowing it, but content needs it and RDD will as well. As a result, the subclass indicates if it will be needed. Note that even when we have memfd_create support (bug 1440203), ftruncate is still necessary even though brokering may not. Depends on D14523
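Comments 3 and 4 describe which syscalls the shared policy lets through and on what condition. The C program below is an added example, not Mozilla's code, showing a raw seccomp-bpf filter of the same shape: it kills on a foreign architecture, always allows dup, allows ftruncate only when the caller says it will create shared-memory segments, and allows socketpair only for AF_UNIX stream sockets. Assumptions: Linux on x86_64 or aarch64; restricting socketpair to stream sockets (stricter than just denying datagram sockets) and the final default-allow verdict, which keeps the example runnable, are this example's choices, not the bug's.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#if defined(__x86_64__)
#define POLICY_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define POLICY_ARCH AUDIT_ARCH_AARCH64
#endif
#define STMT(code, k) ((struct sock_filter) BPF_STMT(code, k)) /* BPF_STMT/BPF_JUMP are brace lists */
#define JUMP(code, k, jt, jf) ((struct sock_filter) BPF_JUMP(code, k, jt, jf))
#define ARG_LO(n) (offsetof(struct seccomp_data, args) + (n) * 8) /* low 32 bits, little-endian */
#define ALLOW STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
#define DENY(e) STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (e))
/* Builds the filter into out (capacity >= 32) and returns the instruction count. */
size_t build_policy(struct sock_filter *out, int allow_shm_create) {
    size_t n = 0;
    out[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, POLICY_ARCH, 1, 0);
    out[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL); /* foreign ABI: never interpret nr */
    out[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* dup: fds get dup()ed while being passed over IPC; allowed for every policy. */
    out[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_dup, 0, 1);
    out[n++] = ALLOW;
    /* ftruncate: only a process that creates shared-memory segments needs it. */
    out[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ftruncate, 0, 1);
    out[n++] = allow_shm_create ? ALLOW : DENY(EPERM);
    /* socketpair (broker request channels): AF_UNIX stream sockets only, flags masked off. */
    out[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socketpair, 0, 7);
    out[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(0));
    out[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 0, 4);
    out[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1));
    out[n++] = STMT(BPF_ALU | BPF_AND | BPF_K, (__u32)~(SOCK_NONBLOCK | SOCK_CLOEXEC));
    out[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, SOCK_STREAM, 0, 1);
    out[n++] = ALLOW;
    out[n++] = DENY(EPERM);
    out[n++] = ALLOW; /* default: allow so the example stays runnable; a real policy ends in deny */
    return n;
}
/* Installs the filter on the calling thread; returns 0 on success, -1 on failure. */
int install_policy(int allow_shm_create) {
    struct sock_filter insns[32];
    struct sock_fprog prog = { .len = (unsigned short)build_policy(insns, allow_shm_create), .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}
```

After install_policy(0), socketpair(AF_UNIX, SOCK_DGRAM, 0, fds) fails with EPERM while the stream variant still succeeds, and ftruncate fails with EPERM until a subclass that creates segments passes 1.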
Updated • 6 years ago
Attachment #9031324 - Attachment description: Bug 1511560 - Move syscalls used by malloc into SandboxPolicyCommon. → Bug 1511560 - Move syscalls for adjusting memory mapping properties into SandboxPolicyCommon.
Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/48431f63d842 Move the Linux sandbox broker hooks into SandboxPolicyCommon. r=gcp
https://hg.mozilla.org/integration/autoland/rev/bab79f855962 Move syscalls for adjusting memory mapping properties into SandboxPolicyCommon. r=gcp
https://hg.mozilla.org/integration/autoland/rev/db2dee78ddb0 Move the socketpair handling into SandboxPolicyCommon. r=gcp
https://hg.mozilla.org/integration/autoland/rev/94cb1fe9db5e Allow dup and ftruncate (when needed) in SandboxPolicyCommon. r=gcp
Comment 6 • 5 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/48431f63d842
https://hg.mozilla.org/mozilla-central/rev/bab79f855962
https://hg.mozilla.org/mozilla-central/rev/db2dee78ddb0
https://hg.mozilla.org/mozilla-central/rev/94cb1fe9db5e
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox67: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67