1640345 - Add pref to prevent content processes from connecting to the X server

Status: RESOLVED FIXED

(Core :: Security: Process Sandboxing, enhancement, P1)

Description

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

If we had a pref to set MOZ_HEADLESS for content processes (as described in bug 1129492 comment #21) and turn off the file broker rules that allow brokered connections to the X server (needed for some GL interposition layers), then that could be combined with the widget.disable-native-theme-for-content pref to yield a browser where:

1. Content processes shouldn't be able to communicate directly with the X server
2. WebGL and Flash are broken
3. A lot of automated tests are broken because of the widget theme change

So that configuration isn't shippable yet, but it could be useful for use cases that weren't going to use WebGL or Flash anyway, and for experimenting to see if anything else is broken that we don't know about.

Comment 1

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

Attachment: Bug 1640345 - Add a hidden pref to prevent sandboxed content processes from connecting to the X server.

This adds the boolean pref security.sandbox.content.headless (on Linux
only) which does two things:

1. Sets the MOZ_HEADLESS env var for content processes, so that they
   don't initialize GTK and don't connect to the X server.

2. Disallows brokered access to parts of the filesystem used only for
   graphics -- most critically connecting to the X11 socket itself, but
   also opening GPU device nodes and the parts of sysfs used by Mesa, for
   example.

This is experimental; use at your own risk.

Setting this pref will break native widgets, so it's also necessary to
set widget.disable-native-theme-for-content

Additionally, it breaks Flash and WebGL; see bug 1638466 for the latter.

Comment 2

[Pulsebot]

Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0f8b6494d3eb
Add a hidden pref to prevent sandboxed content processes from connecting to the X server. r=gcp

Comment 3

[Noemi Erli[:noemi_erli]]

Backed out 4 changesets (Bug 1644917, Bug 1640345) for causing failures in browser_preferences_usage.js CLOSED TREE

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&group_state=expanded&selectedTaskRun=I4JjFG4AR8mDDVcT2gfYNg.0&resultStatus=testfailed%2Cbusted%2Cexception&revision=0f8b6494d3eb9dad4c7f455f5ee89ad2a2d77e5b

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=307967950&repo=autoland&lineNumber=7884
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=307974242&repo=autoland&lineNumber=2074

Backout: https://hg.mozilla.org/integration/autoland/rev/adc328596e28636b03fabe701ec6a4d07054e5af

Comment 4

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

See bug 1644917 comment #6.

Comment 5

[Pulsebot]

Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5980f36397c5
Add a hidden pref to prevent sandboxed content processes from connecting to the X server. r=gcp

Comment 6

[Atila Butkovits]

https://hg.mozilla.org/mozilla-central/rev/5980f36397c5