[macOS] Create a new sandbox profile for the socket process
Categories: Core :: Security: Process Sandboxing, enhancement, P1
Tracking: firefox76 --- fixed
People: Reporter: haik, Assigned: haik
Attachments: 1 file
For bug 1611288, which turns on sandboxing for the socket process, we first need a new sandbox profile for networking processes. This bug is for landing a new profile to be used for the socket process on macOS.
Comment 1•4 years ago
WIP - Not ready to land.
Comment 2•4 years ago
The posted patch isn't ready to land and has had only minimal testing. It needs more testing and validation (including on older macOS releases) and research to understand what some of the services do. For reference, I looked at what the macOS-included profiles allow (especially application.sb and system.sb from /System/Library/Sandbox/Profiles/) and what Chromium is doing for the network process. At this time, on Nightly, our socket process is only being used for WebRTC, though it is launched at browser startup time.
I tested with Michael's patch from bug 1611288 with a small change:
/* static */
MacSandboxType SocketProcessHost::GetMacSandboxType() {
- return GeckoChildProcessHost::GetDefaultMacSandboxType();
+ return MacSandboxType_Socket;
}
#endif
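Review bot: the `+` line returns MacSandboxType_Socket, but nothing in this hunk shows that enumerator being declared or the place where a MacSandboxType value is mapped to an actual sandbox policy; without both, this either fails to compile or the socket process keeps running under the default policy that the removed `-` line selected. Include the enum addition and the policy-selection mapping in the same patch (or name the patch that carries them), and since the trailing `#endif` shows this override sits inside a platform-conditional block, make sure the new enumerator is visible under the same condition.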
Comment 3•4 years ago
I've updated the patches after doing more testing. The socket sandbox policy includes what appears to be needed for network I/O, OS DNS resolution, and cert database access. I've been testing with Michael's patch from bug 1611288. Tested basic WebRTC functionality on 10.9, 10.10, 10.11, 10.14, and 10.15. Tested a WebRTC call while switching between network interfaces by unplugging ethernet to force a switch to Wi-Fi and vice versa on 10.11 and 10.15. Verified this patch alone is clean on try.
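For readers who have not seen a Seatbelt profile before, here is an illustrative socket-process policy in the SBPL dialect used by the application.sb and system.sb files mentioned in comment 2. It is an added example, not the profile attached to this bug and not Mozilla's code; the rule set (deny by default, loopback and outbound IP sockets, the libinfo and mDNSResponder endpoints for OS DNS resolution, read access to the system keychain directories for the cert database) is my assumption of what such a policy needs, and the paths and Mach service names are the ones I know from Apple's and Chromium's profiles, not a statement of what the landed profile contains.

```scheme
;; Illustrative socket-process sandbox profile (example only, not the
;; profile landed in this bug). Everything below is an assumption about
;; what a networking-only child process needs.
(version 1)

;; Start closed: anything not explicitly allowed is denied and logged.
(deny default)

;; Basic process housekeeping most child processes need.
(allow sysctl-read)
(allow file-read-metadata)

;; Network I/O: outbound connections to any host/port, inbound only on
;; loopback (WebRTC ICE needs to bind local UDP ports).
(allow network-outbound (remote ip "*:*"))
(allow network-inbound (local ip "localhost:*"))

;; OS DNS resolution: getaddrinfo() talks to libinfo via DirectoryService
;; Mach ports and to mDNSResponder over a Unix socket.
(allow mach-lookup
  (global-name "com.apple.system.DirectoryService.libinfo_v1")
  (global-name "com.apple.system.DirectoryService.membership_v1")
  (global-name "com.apple.SystemConfiguration.configd"))
(allow network-outbound (literal "/private/var/run/mDNSResponder"))
(allow file-read*
  (literal "/private/etc/hosts")
  (literal "/private/etc/resolv.conf"))

;; Cert database access: the system root store and keychain daemons.
(allow file-read*
  (subpath "/System/Library/Keychains")
  (subpath "/Library/Keychains"))
(allow mach-lookup
  (global-name "com.apple.SecurityServer")
  (global-name "com.apple.trustd"))
```

To try a profile like this outside the browser, `sandbox-exec -f socket.sb <binary>` (deprecated but still shipped) applies it to an arbitrary process; each denial is logged with the operation and the argument that was rejected, which is the quickest way to discover what a deny-by-default policy is still missing on a given macOS release.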
Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b9bf352a94d2
Create a new sandbox profile for the socket process r=spohl
Comment 5•4 years ago
bugherder