Closed Bug 1555810 Opened 5 years ago Closed 5 years ago

Make the privileged about/mozilla content processes Medium Integrity

Categories

(Core :: DOM: Content Processes, enhancement)


RESOLVED INVALID

People

(Reporter: tjr, Assigned: tjr)

(Keywords: sec-want)

As noted in the sandbox meeting today - and also in Bug 1554110 although that's about a different situation - a content process can debug another content process. Fixing that requires INTEGRITY_LEVEL_UNTRUSTED which requires a lot of refactoring we're also doing for win32k.sys lockdown.

However, a hack available to us would be to start the privileged content processes (both the Privileged About Process and the Privileged Mozilla Content Process) with Medium Integrity which would prevent them from being debugged by a (Web) Content Process running with Low Integrity.

Obviously if you can get RCE in either of the Privileged Content Processes that's bad; but how bad is it from an OS sandboxing perspective? You can't debug the parent process right?

Bob - do I have all this correct? Should we do this?

Flags: needinfo?
Keywords: sec-want

I'm going to assume that you meant to needinfo Bob Owen.

Flags: needinfo?(bobowencode)

(In reply to Tom Ritter [:tjr] from comment #0)
> ...
>
> Obviously if you can get RCE in either of the Privileged Content Processes that's bad; but how bad is it from an OS sandboxing perspective? You can't debug the parent process right?

The parent process is medium integrity as well, so from an integrity level point of view you would be able to.
However it turns out that process (and thread) objects are secured with ACLs, so actually these content processes probably couldn't open the parent process.
Every day's a school day.

However, this (hopefully) leads to a very simple fix for bug 1554110, so I'll close this invalid.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(bobowencode)
Resolution: --- → INVALID
Group: dom-core-security
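The two mechanisms discussed above (the mandatory integrity label, and the process object's own DACL) can be probed directly. The script below is an added example, not code from this bug or from Mozilla's sandbox: it reports the integrity level of the calling process and of a target PID, then attempts OpenProcess on the target with the rights a debugger needs (query, read and write memory). The class name MicProbe, the parameter name TargetPid and the DEBUGGER_ACCESS mask are my own choices; the Win32 calls and constants are the documented ones.

```powershell
# mic-probe.ps1 (added example; names are assumptions, not anything from the bug)
# Usage: powershell -ExecutionPolicy Bypass -File mic-probe.ps1 -TargetPid <pid>
param([int]$TargetPid = $PID)

$src = @'
using System;
using System.Runtime.InteropServices;

public static class MicProbe {
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        IntPtr TokenInformation, uint TokenInformationLength, out uint ReturnLength);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr pSid);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr pSid, uint nSubAuthority);

    public const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    // Rights a debugger needs on its target: QUERY_INFORMATION | VM_READ | VM_WRITE | VM_OPERATION.
    public const uint DEBUGGER_ACCESS = 0x0400 | 0x0010 | 0x0020 | 0x0008;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS value

    // Integrity RID of the process's primary token: 0x0000 Untrusted, 0x1000 Low,
    // 0x2000 Medium, 0x3000 High, 0x4000 System. -1 if it cannot be read from here.
    public static int GetIntegrityRid(int pid) {
        IntPtr hProc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (hProc == IntPtr.Zero) return -1;
        IntPtr hTok = IntPtr.Zero;
        IntPtr buf = IntPtr.Zero;
        try {
            if (!OpenProcessToken(hProc, TOKEN_QUERY, out hTok)) return -1;
            uint len = 0;
            GetTokenInformation(hTok, TokenIntegrityLevel, IntPtr.Zero, 0, out len);  // size query
            if (len == 0) return -1;
            buf = Marshal.AllocHGlobal((int)len);
            if (!GetTokenInformation(hTok, TokenIntegrityLevel, buf, len, out len)) return -1;
            IntPtr sid = Marshal.ReadIntPtr(buf);              // TOKEN_MANDATORY_LABEL.Label.Sid
            byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            return Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));  // last sub-authority = RID
        } finally {
            if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
            if (hTok != IntPtr.Zero) CloseHandle(hTok);
            CloseHandle(hProc);
        }
    }

    // 0 if OpenProcess(access) succeeds, otherwise the Win32 error
    // (5 = ERROR_ACCESS_DENIED; 87 = ERROR_INVALID_PARAMETER for a PID that no longer exists).
    public static int TryOpen(int pid, uint access) {
        IntPtr h = OpenProcess(access, false, pid);
        if (h == IntPtr.Zero) return Marshal.GetLastWin32Error();
        CloseHandle(h);
        return 0;
    }
}
'@
if (-not ('MicProbe' -as [type])) { Add-Type -TypeDefinition $src -ErrorAction Stop }

function Get-IntegrityName([int]$Rid) {
    if ($Rid -lt 0) { return 'unknown (token not readable from this context)' }
    switch ($Rid) {
        0x0000  { 'Untrusted' }
        0x1000  { 'Low' }
        0x2000  { 'Medium' }
        0x3000  { 'High' }
        0x4000  { 'System' }
        default { 'RID 0x{0:X}' -f $Rid }
    }
}

$caller = [MicProbe]::GetIntegrityRid($PID)
$target = [MicProbe]::GetIntegrityRid($TargetPid)
$err    = [MicProbe]::TryOpen($TargetPid, [MicProbe]::DEBUGGER_ACCESS)

"caller PID $PID : $(Get-IntegrityName $caller)"
"target PID $TargetPid : $(Get-IntegrityName $target)"
if ($err -eq 0) {
    "OpenProcess with debugger rights: SUCCEEDED (code running in the caller could debug the target)"
} elseif ($err -eq 5) {
    "OpenProcess with debugger rights: ACCESS DENIED (mandatory label and/or process DACL)"
} else {
    "OpenProcess with debugger rights: failed, Win32 error $err"
}
```

To reproduce the situation in the bug without extra tooling, run the probe from a Low-integrity caller: copy cmd.exe to a writable directory, label the copy with `icacls cmd_low.exe /setintegritylevel low`, and launch `cmd_low.exe /c powershell -ExecutionPolicy Bypass -File C:\path\mic-probe.ps1 -TargetPid <pid>` (a new process runs at the lower of its launcher's level and the executable's label, and the PowerShell child inherits Low from cmd_low.exe). Against a Medium target such as the firefox.exe parent the open fails with error 5, which is the no-read-up rule comment 0 relies on; against another of your own Medium processes from an ordinary Medium shell it succeeds, which is the same-integrity gap between content processes that motivated the bug. Note that error 5 does not distinguish the two blocking mechanisms comment 2 names: a target whose DACL does not grant the caller's (restricted) token is denied at the same point, so a denied open from a sandboxed process says nothing on its own about which check stopped it.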