Support pathname-like abstract socket addresses in the Linux sandbox file broker
Categories: Core :: Security: Process Sandboxing, enhancement, P1
 | Tracking | Status
---|---|---
firefox91 | --- | fixed
People: Reporter: jld, Assigned: jld
Attachments: 2 files, 1 obsolete file
The Linux sandbox file broker has limited support for connect, returning a new connected socket which the client uses to replace the previous fd in place. Currently this supports named Unix-domain sockets only — those are filesystem objects with paths, so they fit into the existing framework — and doesn't handle the Linux extension of abstract addresses: the first byte is zero, and the remainder is an opaque octet string whose length is derived from the accompanying address length (socklen_t).

However, Xorg listens on both a named socket (e.g., /tmp/.X11-unix/X0) and an abstract address whose contents is the same as the path (e.g., "\0/tmp/.X11-unix/X0" but without a trailing NUL). If the client is run in a context that shares the network namespace with the server, but doesn't share /tmp (like certain kinds of container or a chroot environment), then it needs to access the abstract address. In particular, bug 1450740 indicates that this applies to Snap packages.

Currently this only matters in that we have to avoid unsharing the network namespace for content processes in that situation, but bug 1635451 will delay X11 connections until after sandbox startup. Therefore, we'll need support for the subset of abstract addresses whose byte strings correspond to filesystem paths.
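Added example (not code from this bug or from the Mozilla sandbox broker): how a broker could classify the address and length a client hands to connect(), separating a pathname socket, an abstract address whose bytes form an absolute path (Xorg's case above), and an opaque abstract name that cannot be brokered by path. The function names, and the rule that a path-like abstract name must start with '/' and contain no NUL, are assumptions made here.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* How a broker would classify the (sockaddr, socklen_t) pair a client passes to connect(). */
enum UnixAddrKind {
    UNIX_ADDR_INVALID,        /* wrong family, bad length, or unnamed socket */
    UNIX_ADDR_PATHNAME,       /* filesystem socket: NUL-terminated path in sun_path */
    UNIX_ADDR_ABSTRACT_PATH,  /* abstract name whose bytes form an absolute path */
    UNIX_ADDR_ABSTRACT_OTHER  /* abstract name that cannot be mapped to a path */
};
/* Classify (addr, len); for the two path-like kinds copy the path, NUL-terminated, to out.
 * An abstract name's length comes only from len: there is no terminating NUL, and a NUL
 * inside the name makes it a different, opaque address rather than a path (assumed rule). */
enum UnixAddrKind classify_unix_addr(const struct sockaddr_un *addr, socklen_t len,
                                     char *out, size_t out_size)
{
    const size_t hdr = offsetof(struct sockaddr_un, sun_path);
    if (!addr || len <= hdr || len > sizeof *addr || addr->sun_family != AF_UNIX)
        return UNIX_ADDR_INVALID;               /* len <= hdr: no name bytes at all */
    size_t n = len - hdr;                       /* sun_path bytes actually supplied */
    if (addr->sun_path[0] != '\0') {            /* pathname socket */
        const char *nul = memchr(addr->sun_path, '\0', n);
        size_t plen = nul ? (size_t)(nul - addr->sun_path) : n;
        if (plen >= out_size) return UNIX_ADDR_INVALID;
        memcpy(out, addr->sun_path, plen); out[plen] = '\0';
        return UNIX_ADDR_PATHNAME;
    }
    const char *name = addr->sun_path + 1;      /* abstract: name is sun_path[1..n-1] */
    size_t nlen = n - 1;
    if (nlen == 0 || name[0] != '/' || memchr(name, '\0', nlen) || nlen >= out_size)
        return UNIX_ADDR_ABSTRACT_OTHER;
    memcpy(out, name, nlen); out[nlen] = '\0';
    return UNIX_ADDR_ABSTRACT_PATH;
}
/* Constructed input: build an abstract address from nlen raw bytes, run it through the
 * classifier, and return 1 only if it is path-like and the recovered path is `expected`. */
int abstract_bytes_map_to(const char *bytes, size_t nlen, const char *expected)
{
    struct sockaddr_un a;
    char path[sizeof a.sun_path];
    if (nlen + 1 > sizeof a.sun_path) return 0;
    memset(&a, 0, sizeof a);
    a.sun_family = AF_UNIX;                     /* sun_path[0] stays '\0': abstract */
    memcpy(a.sun_path + 1, bytes, nlen);
    socklen_t len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + nlen);
    return classify_unix_addr(&a, len, path, sizeof path) == UNIX_ADDR_ABSTRACT_PATH
           && strcmp(path, expected) == 0;
}
```

Passing the display name with its trailing NUL counted in the length (18 bytes rather than 17) yields a different abstract address, which is why the classifier treats it as opaque rather than as the X0 path.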
Comment 1•3 years ago
Tracking for Fission Milestone M7a since this bug blocks M7a bug 1635451.
Comment 2•3 years ago
FIXME needs more comments.
Comment 3•3 years ago
FIXME needs more comments.
Comment 4•3 years ago
Depends on D118716
Comment 10•3 years ago
The static analysis build error reported seems to be a tooling issue, after checking with :andi: https://bugzilla.mozilla.org/show_bug.cgi?id=1718217
Comment 11•3 years ago
Pushed by alissy@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/76e214b1bbb2 Sandbox broker abstract socket connect support. r=gcp
https://hg.mozilla.org/integration/autoland/rev/e4ff46a5ad27 Tests for SandboxBroker abstract socket r=handyman
Comment 12•3 years ago
bugherder:
https://hg.mozilla.org/mozilla-central/rev/76e214b1bbb2
https://hg.mozilla.org/mozilla-central/rev/e4ff46a5ad27