Open Bug 1657849 Opened 5 years ago Updated 11 months ago

media plugin seccomp sandbox should allow __NR_sched_setscheduler

Categories

(Core :: Security: Process Sandboxing, defect, P2)

Product:
Core
Component:
Security: Process Sandboxing
Version:
79 Branch
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: nsz.foo, Assigned: jld)

Details

Attachments

(1 file)

Bug 1657849 - Allow sched_setscheduler(2) on musl libc in GMP and RDD sandbox. r=gerard-majax,jld
48 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0

Steps to reproduce:

playing certain audio pod cast (details are not relevant) after a libc update on linux.

Actual results:

no audio plays and firefox hangs.

but it works as expected if i run firefox with MOZ_DISABLE_GMP_SANDBOX=1

Expected results:

(seccomp sandbox failure should never be a hang: it should be clear to the user what security policy violation happened so a reasonable bug report can be sent to distro or other maintainers involved.)

in this case the problem is that the libc update blocks all signals around the sched_setscheduler syscall in pthread_setschedparam to fix a bug: http://git.musl-libc.org/cgit/musl/commit/?id=7cc9496a18c3fa665c286b8be41d790c795e0171

the seccomp 'trap' mechanism is broken in that if sigsys is blocked then the process crashes instead of handling the signal. there are reasons why a libc needs to block all signals around this particular syscall so i think it should be 'allowed' in the media plugin sandbox, i.e. this should be unconditional Allow():

https://searchfox.org/mozilla-central/source/security/sandbox/linux/SandboxFilter.cpp#1470

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Security: Process Sandboxing
Product: Firefox → Core

sorry the observed hang is probably unrelated to seccomp. (it's just non-deterministic and here it happened with sandbox and not without it, and e.g. hard to reproduce under strace, now i managed to reproduce a hang under strace and there is no seccomp or sigsys involved)

but independently of the hang that i'm dealing with, the mentioned seccomp policy should be fixed: trap policy should not be used for sched_setscheduler.

Severity: -- → S4
Assignee: nobody → jld
Priority: -- → P2

While the details have changed a bit since this bug was opened, it's still very relevant - musl libc may use sched_setscheduler on a new thread right after cloning (link), and blocking the syscall leads in some cases to the thread getting killed by SIGSYS, even though it's supposed to receive an -EPERM; the workaround from bug 1742993 doesn't quite apply either, since it's only for the calling thread.

(In reply to Patrycja Rosa [:ptrcnull] (she/her) from comment #3)

While the details have changed a bit since this bug was opened, it's still very relevant - musl libc may use sched_setscheduler on a new thread right after cloning (link), and blocking the syscall leads in some cases to the thread getting killed by SIGSYS, even though it's supposed to receive an -EPERM; the workaround from bug 1742993 doesn't quite apply either, since it's only for the calling thread.

I am on gentoo and I believe this issue is what is causing tabs to crash https://bugzilla.mozilla.org/show_bug.cgi?id=1883915.

Not sure of a solution to this and looking through the alpine repos im not sure which patch would fix this.

Maybe you should submit your patch patrycja? with some ifdef specific to musl

Flags: needinfo?(bugzilla)
Flags: needinfo?(bugzilla)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: