Closed Bug 1715182 Opened 3 years ago Closed 3 years ago

Support pathname-like abstract socket addresses in the Linux sandbox file broker

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

Unspecified
Linux
enhancement

Tracking


RESOLVED FIXED
91 Branch
Fission Milestone M7a
Tracking Status
firefox91 --- fixed

People

(Reporter: jld, Assigned: jld)

References

Details

Attachments

(2 files, 1 obsolete file)

The Linux sandbox file broker has limited support for connect, returning a new connected socket which the client uses to replace the previous fd in place. Currently this supports named Unix-domain sockets only — those are filesystem objects with paths, so they fit into the existing framework — and doesn't handle the Linux extension of abstract addresses: the first byte is zero, and the remainder is an opaque octet string whose length is derived from the accompanying address length (socklen_t).

However, Xorg listens on both a named socket (e.g., /tmp/.X11-unix/X0) and an abstract address whose contents are the same as the path (e.g., "\0/tmp/.X11-unix/X0" but without a trailing NUL). If the client is run in a context that shares the network namespace with the server, but doesn't share /tmp (like certain kinds of container or a chroot environment), then it needs to access the abstract address. In particular, bug 1450740 indicates that this applies to Snap packages.

Currently this only matters in that we have to avoid unsharing the network namespace for content processes in that situation, but bug 1635451 will delay X11 connections until after sandbox startup. Therefore, we'll need support for the subset of abstract addresses whose byte strings correspond to filesystem paths.
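Added illustration, not code from the patches attached to this bug: how the "pathname-like" abstract address described above is built from a path (as Xorg does) and how a broker-side check can recognise one and recover the path it would police. The function names are assumptions; the length arithmetic follows the description (leading NUL, no trailing NUL, length carried in the socklen_t).

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Build the abstract-namespace twin of a named socket path: a leading
 * NUL, then the path bytes, with no trailing NUL.  The returned value
 * is the socklen_t to pass to connect(2); the kernel derives the name
 * length from it, not from a terminator.  Returns 0 if it won't fit. */
socklen_t abstract_from_path(const char *path, struct sockaddr_un *out)
{
    size_t n = strlen(path);
    if (n == 0 || n + 1 > sizeof(out->sun_path)) {
        return 0; /* empty name, or name does not fit in sun_path */
    }
    memset(out, 0, sizeof(*out));
    out->sun_family = AF_UNIX;
    out->sun_path[0] = '\0';
    memcpy(out->sun_path + 1, path, n); /* deliberately no terminator */
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
}

/* Decide whether an abstract address is "pathname-like": first byte
 * NUL, then a non-empty octet string with no embedded NULs, so it can
 * be reinterpreted as a filesystem path and checked against a
 * path-based policy.  On success the path is copied, NUL-terminated,
 * into `path` (capacity `cap`) and 1 is returned; otherwise 0. */
int abstract_to_path(const struct sockaddr_un *addr, socklen_t len,
                     char *path, size_t cap)
{
    const size_t base = offsetof(struct sockaddr_un, sun_path);
    if (addr->sun_family != AF_UNIX || len <= base + 1 ||
        len > sizeof(*addr)) {
        return 0; /* not AF_UNIX, unnamed/empty abstract name, or oversized */
    }
    if (addr->sun_path[0] != '\0') {
        return 0; /* a named (filesystem) socket, not an abstract one */
    }
    size_t n = len - base - 1; /* name length comes from socklen_t */
    if (n >= cap || memchr(addr->sun_path + 1, '\0', n) != NULL) {
        return 0; /* no room, or embedded NUL: cannot be a path */
    }
    memcpy(path, addr->sun_path + 1, n);
    path[n] = '\0';
    return 1;
}
```

Note that passing a length one byte too long (as if the trailing NUL were part of the name) is rejected, because that NUL is not a legal path byte.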

Severity: -- → S4
Priority: -- → P1

Tracking for Fission Milestone M7a since this bug blocks M7a bug 1635451.

Fission Milestone: --- → M7a
OS: Unspecified → Linux

FIXME needs more comments.

Attachment #9228708 - Attachment is obsolete: true
Attachment #9228772 - Attachment description: WIP: Bug 1715182 - Tests for SandboxBroker abstract socket → Bug 1715182 - Tests for SandboxBroker abstract socket
Attachment #9228771 - Attachment description: WIP: Bug 1715182 - Sandbox broker abstract socket connect support. → Bug 1715182 - Sandbox broker abstract socket connect support.
Attachment #9228771 - Attachment description: Bug 1715182 - Sandbox broker abstract socket connect support. → Bug 1715182 - Sandbox broker abstract socket connect support. r?gcp
Attachment #9228772 - Attachment description: Bug 1715182 - Tests for SandboxBroker abstract socket → Bug 1715182 - Tests for SandboxBroker abstract socket r?handyman

The static analysis build error reported seems to be a tooling issue, after checking with :andi: https://bugzilla.mozilla.org/show_bug.cgi?id=1718217

Pushed by alissy@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/76e214b1bbb2
Sandbox broker abstract socket connect support. r=gcp
https://hg.mozilla.org/integration/autoland/rev/e4ff46a5ad27
Tests for SandboxBroker abstract socket r=handyman
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch
