Closed Bug 1555810 Opened 1 year ago Closed 1 year ago

Make the privileged about/mozilla content processes Medium Integrity

Categories

(Core :: DOM: Content Processes, enhancement)

enhancement
Not set
normal

Tracking

()

RESOLVED INVALID

People

(Reporter: tjr, Assigned: tjr)

References

Details

(Keywords: sec-want)

As noted in the sandbox meeting today - and also in Bug 1554110 although that's about a different situation - a content process can debug another content process. Fixing that requires INTEGRITY_LEVEL_UNTRUSTED which requires a lot of refactoring we're also doing for win32k.sys lockdown.

However, a hack available to us would be to start the privileged content processes (both the Privileged About Process and the Privileged Mozilla Content Process) with Medium Integrity which would prevent them from being debugged by a (Web) Content Process running with Low Integrity.

Obviously if you can get RCE in either of the Privileged Content Processes that's bad; but how bad is it from an OS sandboxing perspective? You can't debug the parent process right?

Bob - do I have that all this correct? Should we do this?

Flags: needinfo?
Flags: needinfo?
Keywords: sec-want

I'm going to assume that you meant to needinfo Bob Owen.

Flags: needinfo?(bobowencode)

(In reply to Tom Ritter [:tjr] from comment #0)
...

Obviously if you can get RCE in either of the Privileged Content Processes that's bad; but how bad is it from an OS sandboxing perspective? You can't debug the parent process right?

The parent process is medium integrity as well, so from an integrity level point of view you would be able to.
However it turns out that process (and thread) objects are secured with ACLs, so actually these content processes probably couldn't open the parent process.
Every days a school day.

However, this (hopefully) leads to a very simple fix for bug 1554110, so I'll close this invalid.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(bobowencode)
Resolution: --- → INVALID
Group: dom-core-security
You need to log in before you can comment on or make changes to this bug.