Closed Bug 1614983 Opened 4 years ago Closed 4 years ago

[macOS] Create a new sandbox profile for the socket process

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla76

Tracking Flags:

Tracking

Status

firefox76

---

fixed

People

(Reporter: haik, Assigned: haik)

References

Details

Attachments

(1 file)

Bug 1614983 - Create a new sandbox profile for the socket process r?spohl! 4 years ago Haik Aftandilian [:haik] 47 bytes, text/x-phabricator-request		Details \| Review

Haik Aftandilian [:haik]

Assignee

Description

•

4 years ago

For bug 1611288 which is turns on sandboxing for the socket process, we first need a new sandbox profile for networking processes. This bug is for landing a new profile to be used for the socket process on macOS.

Haik Aftandilian [:haik]

Assignee

Updated

•

4 years ago

Assignee: nobody → haftandilian

Priority: -- → P1

Haik Aftandilian [:haik]

Assignee

Updated

•

4 years ago

Blocks: 1611288

Haik Aftandilian [:haik]

Assignee

Comment 1

•

4 years ago

Attached file Bug 1614983 - Create a new sandbox profile for the socket process r?spohl! — Details

WIP - Not ready to land.

Haik Aftandilian [:haik]

Assignee

Comment 2

•

4 years ago

The posted patch isn't ready to land and has had only minimal testing. It needs more testing and validation (including on older macOS releases) and research to understand what some of the services do. For reference, I looked at what the macOS included profiles allow (especially application.sb and system.sb from /System/Library/Sandbox/Profiles/) and what Chromium is doing for the network process. At this time, on Nightly, our socket process is only being used for WebRTC, though it is launched at browser startup time.

I tested with Michael's patch from bug 1611288 with a small change:

 /* static */
 MacSandboxType SocketProcessHost::GetMacSandboxType() {
-  return GeckoChildProcessHost::GetDefaultMacSandboxType();
+  return MacSandboxType_Socket;
 }
 #endif

Phabricator Automation

Updated

•

4 years ago

Attachment #9129641 - Attachment description: Bug 1614983 - WIP - Create a new sandbox profile for the socket process → Bug 1614983 - Create a new sandbox profile for the socket process r?spohl!

Haik Aftandilian [:haik]

Assignee

Comment 3

•

4 years ago

I've updated the patches after doing more testing. The socket sandbox policy includes what appear to be needed for network I/O, OS DNS resolution, and cert database access. I've been testing with Michael's patch from bug 1611288. Tested basic WebRTC functionality on 10.9, 10.10, 10.11, 10.14, and 10.15. Tested a WebRTC call while switching between network interfaces by unplugging ethernet to force switch to wifi and vice versa on 10.11 and 10.15. Verified this patch alone is clean on try.

Pulsebot

Comment 4

•

4 years ago

Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b9bf352a94d2
Create a new sandbox profile for the socket process r=spohl

Andrei Ciure[:aciure]

Comment 5

•

4 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/b9bf352a94d2

Status: NEW → RESOLVED

Closed: 4 years ago

status-firefox76: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla76

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

[macOS] Create a new sandbox profile for the socket process

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

Tracking

()

People

(Reporter: haik, Assigned: haik)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Updated

Comment 1

Comment 2

Updated

Comment 3

Comment 4

Comment 5

Attachment

General

Description

File Name

Content Type