Closed Bug 1525086 Opened 10 months ago Closed 8 months ago

[Mac] Start the RDD sandbox earlier

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

Unspecified
macOS
enhancement

Tracking


RESOLVED FIXED
mozilla68
Tracking Status
firefox67 --- wontfix
firefox68 --- fixed

People

(Reporter: haik, Assigned: haik)


Attachments

(7 files)

+++ This bug was initially created as a clone of Bug #1498742 +++

Like with bug 1431441 which applied to the Mac sandbox for content processes, we should start the RDD sandbox early during process startup and unify the code with the content sandbox as much as possible.

No longer depends on: 1498742
See Also: → 1498742, 1431441
Depends on: 1529390
No longer depends on: 1529390
See Also: → 1529390

In testing so far, starting the RDD sandbox earlier allows us to drop the connection to the windowserver and coreservices, but it breaks setting the process name resulting in Activity Monitor showing the process as "plugin-container". I've filed bug 1529390 to rename Mac content processes. For now, I'm working on code changes to start the sandbox earlier while still allowing access to the services needed to set the process name.

Move sandbox policies for different process types into their own files.

Create a new "utility" policy cloned from the GMP policy to be used for basic utility-type processes.

Use the utility policy for the RDD process.

Remove the unused plugin binary path and app binary path parameters and clean up file path permissions.

Explicitly allow access to launchservicesd to allow SetProcessName() to work when the sandbox is started during startup.

Depends on D22405

Start the RDD process earlier by changing RDDProcessHost to pass the necessary command line arguments for enabling the sandbox.

Per lsmp output on 10.14.3, starting the RDD process sandbox removes access to WindowServer, coreservicesd, lsd and distnoted.

Add a pref (defaulting to on) to control enabling starting the RDD process earlier.

Move sandbox CLI param logic into MacSandboxInfo.

Depends on D22408

Cache the result of nsMacUtilsImpl::GetAppPath() to avoid doing I/O on repeated calls.

Depends on D22409

Use the new MacSandboxInfo CLI param methods to set up the content process command line arguments.

Depends on D22410

When the RDD process sandbox is started at launch, assert the sandbox has been enabled in the Init message.

Change AssertMacSandboxEnabled() to use the undocumented sandbox_check() function instead of sandbox_init().

Depends on D22411

Attachment #9049014 - Attachment description: Bug 1525086 - Part 3 - Start the RDD sandbox earlier r?Alex_Gaynor → Bug 1525086 - Part 3a - Move sandbox param logic to GeckoChildProcessHost and MacSandboxInfo to be more reusable r?Alex_Gaynor

Start the RDD process earlier by changing RDDProcessHost to pass the necessary command line arguments for enabling the sandbox.

Per lsmp output on 10.14.3, starting the RDD process sandbox removes access to WindowServer, coreservicesd, lsd and distnoted.

Add a pref (defaulting to on) to control enabling starting the RDD process earlier.

Depends on D22409

Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4c6dfbf1662d
Part 1 - Split up sandbox policies, create utility policy for the RDD process r=Alex_Gaynor
https://hg.mozilla.org/integration/autoland/rev/4fc01165236c
Part 2 - Remove unneeded params and permissions from the utility sandbox r=Alex_Gaynor
https://hg.mozilla.org/integration/autoland/rev/49a9f3abb9a9
Part 3a - Move sandbox param logic to GeckoChildProcessHost and MacSandboxInfo to be more reusable r=Alex_Gaynor
https://hg.mozilla.org/integration/autoland/rev/08e70a4f1768
Part 3b - Start the RDD sandbox earlier r=Alex_Gaynor
https://hg.mozilla.org/integration/autoland/rev/0e5f0e49adac
Part 4 - Cache the result of nsMacUtilsImpl::GetAppPath r=Alex_Gaynor
https://hg.mozilla.org/integration/autoland/rev/beca0789c9df
Part 5 - Update ContentParent to use new MacSandboxInfo param methods r=Alex_Gaynor
https://hg.mozilla.org/integration/autoland/rev/c83b5d6e0777
Part 6 - Use AssertMacSandboxEnabled() for the RDD process, change the assert to use sandbox_check() r=Alex_Gaynor
Assignee: nobody → haftandilian
Depends on: 1539796
Depends on: 1540288
Depends on: 1541230
Depends on: 1542015
See Also: → 1542015
See Also: → 1555168