Closed Bug 1640345 Opened 10 months ago Closed 8 months ago

Add pref to prevent content processes from connecting to the X server

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

Desktop
Linux
enhancement

Tracking

()

RESOLVED FIXED
mozilla80
Tracking Status
firefox80 --- fixed

People

(Reporter: jld, Assigned: jld)

References

(Blocks 2 open bugs)

Details

Attachments

(1 file)

If we had a pref to set MOZ_HEADLESS for content processes (as described in bug 1129492 comment #21) and turn off the file broker rules that allow brokered connections to the X server (needed for some GL interposition layers), then that could be combined with the widget.disable-native-theme-for-content pref to yield a browser where:

  1. Content processes shouldn't be able to communicate directly with the X server
  2. WebGL and Flash are broken
  3. A lot of automated tests are broken because of the widget theme change

So that configuration isn't shippable yet, but it could be useful for use cases that weren't going to use WebGL or Flash anyway, and for experimenting to see if anything else is broken that we don't know about.

Priority: -- → P1
Depends on: 1644917
See Also: → 1470983

This adds the boolean pref security.sandbox.content.headless (on Linux
only) which does two things:

  1. Sets the MOZ_HEADLESS env var for content processes, so that they
    don't initialize GTK and don't connect to the X server.

  2. Disallows brokered access to parts of the filesystem used only for
    graphics -- most critically connecting to the X11 socket itself, but
    also opening GPU device nodes and the parts of sysfs used by Mesa, for
    example.

This is experimental; use at your own risk.

Setting this pref will break native widgets, so it's also necessary to
set widget.disable-native-theme-for-content

Additionally, it breaks Flash and WebGL; see bug 1638466 for the latter.

Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0f8b6494d3eb
Add a hidden pref to prevent sandboxed content processes from connecting to the X server. r=gcp
Flags: needinfo?(jld)
Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5980f36397c5
Add a hidden pref to prevent sandboxed content processes from connecting to the X server. r=gcp
Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
You need to log in before you can comment on or make changes to this bug.