Firefox macOS uses DYLD_INSERT_LIBRARIES
Categories
(Core Graveyard :: Plug-ins, enhancement)
Tracking
(Not tracked)
People
(Reporter: fitzl.csaba, Unassigned)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36
Steps to reproduce:
Start Firefox
Actual results:
Firefox for macOS uses "DYLD_INSERT_LIBRARIES" process injection on every tab process.
/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container -childID 4 -isForBrowser -prefsLen 6903 -prefMapSize 230885 -sbStartup -sbAppPath /Applications/Firefox.app -sbLevel 3 -sbAllowAudio -sbAllowWindowServer -parentBuildID 20210208133944 -appdir /Applications/Firefox.app/Contents/Resources/browser -profile /Users/gandalf/Library/Application Support/Firefox/Profiles/by27jn5l.default-release 27467 gecko-crash-server-pipe.27467 org.mozilla.machname.1476448858 tab
The dylib injected is /Applications/Firefox.app/Contents/MacOS/libplugin_child_interpose.dylib
Based on the name, I suppose you are trying to do interposing here. But the dylib has an empty TEXT segment and doesn't have an interpose section. I have no idea what you are trying to achieve here, but it looks fishy.
Also this prevents you from solving https://bugzilla.mozilla.org/show_bug.cgi?id=1562756
Expected results:
Don't use DYLD_INSERT_LIBRARIES please. It poses a security risk.
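The check described in the report (how much code `__TEXT,__text` holds and whether an interpose section exists) can be made from the Mach-O load commands alone. The following is an added example, not code from this bug or from Mozilla; it assumes a thin 64-bit little-endian Mach-O, and the function names and the two sample images are constructed for illustration.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF   # thin 64-bit little-endian Mach-O
LC_SEGMENT_64 = 0x19
S_INTERPOSING = 0x0D       # section type, low byte of section flags

def _name(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def macho_sections(data):
    """Return [(segname, sectname, size, flags)] read from the load commands."""
    if len(data) < 32 or struct.unpack_from("<I", data)[0] != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    ncmds = struct.unpack_from("<I", data, 16)[0]
    out, off = [], 32
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("truncated load commands")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command")
        if cmd == LC_SEGMENT_64:
            nsects = struct.unpack_from("<I", data, off + 64)[0] if cmdsize >= 72 else -1
            if nsects < 0 or 72 + 80 * nsects > cmdsize:
                raise ValueError("malformed segment command")
            for i in range(nsects):
                s = off + 72 + 80 * i          # section_64 records follow the segment
                sect, seg, _addr, size = struct.unpack_from("<16s16sQQ", data, s)
                flags = struct.unpack_from("<I", data, s + 64)[0]
                out.append((_name(seg), _name(sect), size, flags))
        off += cmdsize
    return out

def interpose_summary(data):
    """Bytes of code in __TEXT,__text and whether any interposing section exists."""
    secs = macho_sections(data)
    text = sum(sz for seg, sect, sz, _ in secs if (seg, sect) == ("__TEXT", "__text"))
    hit = any(sect == "__interpose" or (fl & 0xFF) == S_INTERPOSING for _, sect, _, fl in secs)
    return {"text_bytes": text, "has_interpose": hit}

def _build(sections):
    """Constructed sample image: header plus one single-section segment per entry."""
    cmds = b""
    for seg, sect, size, flags in sections:
        cmds += struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 152, seg, 0, size, 0, size, 7, 5, 1, 0)
        cmds += struct.pack("<16s16s2Q8I", sect, seg, 0, size, 0, 0, 0, 0, flags, 0, 0, 0)
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 6, len(sections), len(cmds), 0, 0) + cmds

# Constructed samples, not the real Firefox dylib.
EMPTY_STUB = _build([(b"__TEXT", b"__text", 0, 0)])
INTERPOSER = _build([(b"__TEXT", b"__text", 64, 0), (b"__DATA", b"__interpose", 16, 0)])
```

A universal (fat) binary has to be split into a single-architecture slice before it is passed to `interpose_summary`.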
Comment 1•5 years ago
I do not possess the knowledge to understand this report, however, I believe that the (Core) Gecko Profiles could be an appropriate component for this issue. If incorrect, please set a more appropriate one than reverting to Untriaged or General. Another possible component could be Security.
Furthermore, I am blocking bug 1562756 based on the information provided above.
I am not confirming it since I can't know whether it's valid or not.
If more testing is required, please NI me.
Thank you for the report!
Comment 2•5 years ago
Thanks for the report. This work is in progress. Bug 1682030 "Mass removal of NPAPI plugin code" is going to remove libplugin_child_interpose.dylib and then we'll try to move forward with attempting to block the use of dyld environment variables using the hardened runtime entitlement com.apple.security.cs.allow-dyld-environment-variables=false. In the past we had some tests that depend on DYLD_INSERT_LIBRARIES so we may have to work around that.
See https://bugzilla.mozilla.org/show_bug.cgi?id=1562756#c3 and later comments for a bit more background.
I'm going to close this bug as a dupe of bug 1562756 which should cover addressing this.