Closed Bug 1663550 Opened 4 years ago Closed 4 years ago

Linux sandbox support for ARM and ARM64 (aarch64)

Categories

(Core :: Security: Process Sandboxing, enhancement, P2)

ARM64
Linux
enhancement

Tracking

()

RESOLVED FIXED
83 Branch
Tracking Status
firefox83 --- fixed

People

(Reporter: jld, Assigned: jld)

References

(Blocks 1 open bug)

Details

Attachments

(9 files)


Over a long weekend last year I got the Linux sandbox working on 32-bit and 64-bit ARM (which are Tier 3 and Tier 2, respectively, so not “officially” supported like x86) and recently I finally got around to cleaning up the patches.

ARM Linux probably isn't a high priority for attacks, but it does see some use, and we mostly have code for it already. The largest source of code changes was actually Linux/arm64's removal of syscalls that were redundant (up to reordering arguments and inserting constant arguments) when it was created — including all of the non-at filesystem syscalls, like open vs. openat.

Note that the 32-bit ARM Linux build is currently broken in the non-Android case due to bug 1526653 and bug 1663095; I have local workarounds that I've been testing with (similar to what Linux distributions have to do).

Also, I haven't tried running any automated tests; I've tested only basic browsing, and there's a limit to what I can test (e.g., I don't have anything with working GL acceleration).

Blocks: raspi
Priority: -- → P2

Chromium's Linux sandboxing code needs some architecture-specific files
for ARM and ARM64 that we don't currently include in our partial import.
These are copied from Chromium tag 81.0.4044.138 (matching the latest
import of the rest of security/sandbox/chromium) without changes.

We no longer use GConf (bug 1433685), so we can remove the sandbox rule
allowing it to call utime(). That syscall doesn't exist on ARM or ARM64,
so this rule would have to be ifdef'ed if it were re-added.

Not strictly part of ARM support, but worth committing, and in
particular printing the AT_* flags in hex is helpful for matching them
against headers when *at syscalls fail.

Linux/arm64 seems to exclude any syscalls that were redundant when it was
created (specifically, that can be implemented in terms of another by
inserting constant arguments), which includes all of the non-at
filesystem syscalls --- for example, open vs. openat.

This patch rearranges ifdefs to handle that case; later patches will
fill in the currently unhandled syscalls in the at-only side.

Linux/arm64 omits syscalls that can be implemented in terms of newer
syscalls by inserting constant arguments; this means that all of the
basic filesystem operations use the at versions, like unlinkat
replacing both unlink and rmdir. We've supported some of them when
x86 libcs started using them, but there are several others we were
missing; this patch adds them.

In addition to e.g. lacking open in favor of openat, Linux/arm64
also removes a number of older syscalls along similar lines, like dup2
in favor of dup3, and all variants of select other than pselect6.
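As an added example that is not code from the bug's patches or from Firefox/Chromium: the constant-argument equivalences described in the commit messages above (open vs. openat, unlink/rmdir vs. unlinkat, dup2 vs. dup3), written as small C wrappers that only use the syscalls Linux/arm64 actually exposes. It assumes a Linux host whose glibc headers define SYS_openat, SYS_unlinkat and SYS_dup3, uses a constructed scratch path under /tmp, and the wrapper names are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>
/* open(path, flags, mode) is openat(AT_FDCWD, path, flags, mode). */
static int compat_open(const char *path, int flags, mode_t mode) {
    return (int)syscall(SYS_openat, AT_FDCWD, path, flags, mode);
}
/* unlink(path) is unlinkat(AT_FDCWD, path, 0) and
   rmdir(path) is unlinkat(AT_FDCWD, path, AT_REMOVEDIR). */
static int compat_unlink(const char *path) {
    return (int)syscall(SYS_unlinkat, AT_FDCWD, path, 0);
}
static int compat_rmdir(const char *path) {
    return (int)syscall(SYS_unlinkat, AT_FDCWD, path, AT_REMOVEDIR);
}
/* dup2(old, new) is dup3(old, new, 0), except that dup3 rejects
   old == new, where dup2 returns new if old is a valid descriptor. */
static int compat_dup2(int oldfd, int newfd) {
    if (oldfd == newfd) return fcntl(oldfd, F_GETFD) < 0 ? -1 : newfd;
    return (int)syscall(SYS_dup3, oldfd, newfd, 0);
}
/* Whether this architecture's headers define the legacy number at all
   (x86: yes; arm64: no, so a policy cannot reference SYS_open there). */
static bool arch_defines_legacy_open(void) {
#ifdef SYS_open
    return true;
#else
    return false;
#endif
}
/* Exercise the wrappers end to end on a constructed temp directory;
   returns 0 on success or a negative step number on the first failure. */
static int demo_roundtrip(void) {
    char dir[] = "/tmp/at-only-XXXXXX";          /* constructed sample path */
    if (!mkdtemp(dir)) return -1;
    char file[64];
    snprintf(file, sizeof file, "%s/f", dir);
    int fd = compat_open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -2;
    int alias = compat_dup2(fd, 200);            /* same file, new number */
    if (alias != 200 || write(alias, "ok", 2) != 2) return -3;
    close(alias); close(fd);
    if (compat_unlink(file) != 0) return -4;
    return compat_rmdir(dir) == 0 ? 0 : -5;
}
```

arch_defines_legacy_open() is compile-time, so the same source reports true on x86 and false on arm64, which is exactly the ifdef split the broker glue has to handle.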

The ABI on ARM64 requires 16-byte stack alignment, and that includes the
small temporary stack that exists only so that we can longjmp off of
it in the child process after calling clone.

Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f949e70af6e7 Add security/sandbox/chromium files needed for ARM/ARM64. r=bobowen
https://hg.mozilla.org/integration/autoland/rev/fa07b7780af5 Add "arm" and "arm64" architecture names to Linux sandbox telemetry. r=gcp
https://hg.mozilla.org/integration/autoland/rev/d91555bddbef Remove obsolete sandbox rule allowing utime(). r=gcp
https://hg.mozilla.org/integration/autoland/rev/ce2a02153703 Minor cleanups for Linux sandbox policy. r=gcp
https://hg.mozilla.org/integration/autoland/rev/c625170a8755 Rearrange the broker glue to handle none of the non-`at` syscalls existing. r=gcp
https://hg.mozilla.org/integration/autoland/rev/0f72af1970ca Implement brokering for the remaining `at` syscalls in the Linux sandbox. r=gcp
https://hg.mozilla.org/integration/autoland/rev/5cbea38d1301 Update sandbox policy for various syscalls obsoleted on Linux/arm64. r=gcp
https://hg.mozilla.org/integration/autoland/rev/44f258418d94 Fix the alignment of the stack for the sandbox's clone() trampoline. r=gcp
https://hg.mozilla.org/integration/autoland/rev/49e60e08ca4c Enable sandbox on Linux/arm and Linux/arm64. r=gcp,glandium