Figure out how to chroot/use namespace isolation in flatpak
Categories
(Core :: Security: Process Sandboxing, enhancement, P3)
People
(Reporter: emersonbernier, Unassigned)
References
(Blocks 1 open bug)
Details
Steps to reproduce:
The Flatpak Firefox internal sandbox isn't effective due to the lack of direct user namespaces access. Open about:support in the Firefox Flatpak app, then navigate to the Sandbox section.
Actual results:
User Namespaces is set to false, which means most parts of the internal sandboxing are disabled.
Expected results:
Some workaround for the lack of user namespaces should be considered. Chromium, for example, uses the zypak project, which may be used for inspiration: https://github.com/refi64/zypak
Updated•4 years ago
Comment 1•4 years ago
The Bugbug bot thinks this bug should belong to the 'Core::Security: Process Sandboxing' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2•4 years ago
> most parts of internal sandboxing are disabled
Hmm? You lose the namespace isolation, and by extension the chroot, but that's it. It's definitely nice to have, but to say it's "most" of the sandboxing seems a misrepresentation. Note that some distros disable the kernel support for them by default, so that's what they currently get regardless of Flatpak.
Maybe there's confusion here because Chrome assumes it can always have either namespaces or a setuid root helper if it wants a sandbox, but Firefox is designed to still have sandboxing without the latter - we don't want to ship setuid binaries.
> internal sandbox isn't effective due to lack of direct User Namespaces access
Are you aware of some EoP or sandbox bypass that's made possible by the lack of user namespaces currently? From our perspective it's (additional) defense in depth, not a required component to have sandboxing.
Comment 3•4 years ago
(In reply to Gian-Carlo Pascutto [:gcp] from comment #2)
> most parts of internal sandboxing are disabled
> Hmm? You lose the namespace isolation, and by extension the chroot, but that's it. It's definitely nice to have, but to say it's "most" of the sandboxing seems a misrepresentation. Note that some distros disable the kernel support for them by default, so that's what they currently get regardless of Flatpak.
I had a chat with a Mozilla dev on the #flatpaks IRC channel and I was told that without user namespaces only the seccomp part of the sandbox is still active. It could be that seccomp alone stands for most of the existing sandbox, I don't know. They also suggested ff could use flatpak-spawn like WebKit does: https://github.com/WebKit/WebKit/blob/main/Source/WebKit/UIProcess/Launcher/glib/FlatpakLauncher.cpp#L36
BTW: after the latest Debian release enabled user namespaces by default, there is no major Linux distro which disables them.
> Maybe there's confusion here because Chrome assumes it can always have either namespaces or a setuid root helper if it wants a sandbox, but Firefox is designed to still have sandboxing without the latter - we don't want to ship setuid binaries.
To my knowledge there are two techniques for self-sandboxing apps under Linux: user namespaces and setuid root helpers. Neither the Chromium nor the Flatpak sandbox would exist without one of those. If ff can't access either of them, then how does it create its sandbox, i.e. how does it limit file, network and other resource access per process?
> internal sandbox isn't effective due to lack of direct User Namespaces access
> Are you aware of some EoP or sandbox bypass that's made possible by the lack of user namespaces currently? From our perspective it's (additional) defense in depth, not a required component to have sandboxing.
I meant that if there is not much sandbox without user namespaces, then there's not much to bypass, as resources are freely available. I admit I may be wrong due to my lack of understanding of the inner workings of the ff sandbox. The wiki says ff "Uses Unprivileged User Namespaces (if available)", but what exactly are namespaces used for?
Comment 4•3 years ago
> If ff can't access both then how it creates its sandbox, i.e. how it's limiting file, network and other resource access per process?
We intercept the syscalls via seccomp-bpf.
> The wiki says ff "Uses Unprivileged User Namespaces (if available)" but for what exactly namespaces are used for?
chrooting (which would require a setuid binary otherwise), and also IPC and network isolation for processes where that is possible. Because of the above, it's defense in depth. (I think there's also experimental patches for PID isolation, somewhere...)
> BTW: after latest debian release enabled user namespaces by default there is no major linux distro which disables them.
Ah, that's cool. Arch (and derivatives) is/was another holdout.
Comment 5•3 years ago
> They also suggested ff could use flatpak-spawn like webkit does
Right now we just fork(), so replacing that with flatpak-spawn would cause a massive increase in memory usage? You would no longer have CoW sharing of memory. I suspect this only deals with launching the main process (or WebKit would have the same memory usage problem?), and it's not clear to me the "Flatpak Sandbox" it's creating is comparable to what we have now (even with just seccomp-bpf). We launch our subprocesses with specific, nailed down sandboxes. So I'm not clear that gets us closer to where we want to be.
Comment 6•3 years ago
(In reply to Gian-Carlo Pascutto [:gcp] from comment #4)
> chrooting (which would require a setuid binary otherwise), and also IPC and network isolation for processes where that is possible. Because of the above, it's defense in depth. (I think there's also experimental patches for PID isolation, somewhere...)
To me it sounds important.
> Ah, that's cool. Arch (and derivatives) is/was another holdout.
The main Arch kernel enabled user namespaces a long time ago. There is an optional linux-hardened flavor which still disables them, but it's rather niche, dedicated to sophisticated users.
(In reply to Gian-Carlo Pascutto [:gcp] from comment #5)
> Right now we just fork(), so replacing that with flatpak-spawn would cause a massive increase in memory usage? You would no longer have CoW sharing of memory. I suspect this only deals with launching the main process (or WebKit would have the same memory usage problem?), and it's not clear to me the "Flatpak Sandbox" it's creating is comparable to what we have now (even with just seccomp-bpf). We launch our subprocesses with specific, nailed down sandboxes. So I'm not clear that gets us closer to where we want to be.
The goal is to replicate the missing sandbox features within Flatpak rather than replace the whole ff sandbox. Flatpak allows spawning subprocesses with more restricted sandboxes than the original one, without direct access to user namespaces, through flatpak-spawn.
Here's a patch from Chromium which transforms the native, namespace-based sandbox to flatpak-spawn:
https://github.com/flathub/org.chromium.Chromium/blob/master/patches/chromium/flatpak-Add-initial-sandbox-support.patch
Comment 7•3 years ago
> Main Arch kernel enabled user namespaces long time ago.
Ah, great. I'm happy we held out on shipping the setuid root solution then :-)
> Flatpak allows to spawn subprocesses ...through flatpak-spawn.
Yes, but as explained above, flatpak-spawn is not fork() so this would cause a massive increase in Firefox memory usage. Unlike the WebKit patch, the Chromium patches are much closer to our level of sandboxing and kind of illustrate this, from skimming it (so this might be entirely wrong) Chromium works around this by first spawning an intermediate (zygote) process with flatpak-spawn to get the right isolation and then fork()-ing off of that. Our equivalent of that would be finishing bug 1609882 and then finding some way to deal with the various sandbox levels we have (which are a bit more fine grained than Chromium, for some processes, IIRC).
Alternatively, you could hack up the WebKit method and accept the memory usage regressions. (Don't think we'd want to go that route for a default build)
So now that forkserver lands, this means flatpak-spawn can be used optimally?
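An added example of the zygote / fork-server shape comment 7 describes (example code written for this page, not Firefox's forkserver or Chromium's zygote): a zygote does its setup once (a 16 MiB table standing in for the parsed prefs, loaded libraries and other state a real zygote carries, plus the no_new_privs bit standing in for sandbox state), then forks a worker. The worker reads /proc/self/smaps_rollup (falling back to /proc/self/smaps) to show that the table's pages start out shared copy-on-write with the zygote and only turn into private memory when the worker writes to them, and that the prctl state came along for free. A process started with flatpak-spawn is exec()'d, so it begins with none of that sharing and has to redo the setup itself, which is the memory cost comment 5 and comment 7 point at. The names, the table size and the stand-ins are this example's assumptions.

```c
/*
 * Added example (not Firefox or Chromium code): zygote / fork-server pattern.
 * The zygote prepares state once; forked workers inherit it copy-on-write and
 * also inherit process attributes such as no_new_privs. The worker measures
 * both via /proc/self/smaps_rollup and reports back over a pipe.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

#define TABLE_BYTES (16u << 20)   /* stand-in for the zygote's prepared state */

struct worker_report {
    int ok;                      /* 0 if /proc/self/smaps* was unreadable */
    int inherited_no_new_privs;  /* attribute set in the zygote, seen by worker */
    long shared_kb_at_start;     /* Shared_Dirty right after fork: CoW pages */
    long private_kb_added;       /* Private_Dirty growth once the worker writes */
};

/* Sum every "<key>:" line of /proc/self/smaps_rollup, or of /proc/self/smaps
 * on kernels without the rollup file. Returns -1 if neither is readable. */
static long smaps_kb(const char *key)
{
    const char *paths[] = { "/proc/self/smaps_rollup", "/proc/self/smaps" };
    size_t klen = strlen(key);
    for (int i = 0; i < 2; i++) {
        FILE *f = fopen(paths[i], "r");
        if (!f)
            continue;
        char line[256];
        long total = 0;
        while (fgets(line, sizeof line, f))
            if (strncmp(line, key, klen) == 0 && line[klen] == ':')
                total += strtol(line + klen + 1, NULL, 10);
        fclose(f);
        return total;
    }
    return -1;
}

/* Runs in the forked worker: measure, touch the whole table (forcing the CoW
 * copy), measure again, report through the pipe. */
static void worker_main(unsigned char *table, int out_fd)
{
    struct worker_report r = { 0 };
    long shared0 = smaps_kb("Shared_Dirty");
    long private0 = smaps_kb("Private_Dirty");
    memset(table, 0x5a, TABLE_BYTES);              /* every page is now copied */
    long private1 = smaps_kb("Private_Dirty");
    r.ok = shared0 >= 0 && private0 >= 0 && private1 >= 0;
    r.inherited_no_new_privs = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1;
    r.shared_kb_at_start = shared0;
    r.private_kb_added = private1 - private0;
    ssize_t w = write(out_fd, &r, sizeof r);        /* one small write: atomic on a pipe */
    (void)w;
    _exit(0);
}

/* The zygote: set up once, fork a worker, collect its report. Returns 0 on
 * success and fills *out. */
int zygote_run_worker(struct worker_report *out)
{
    unsigned char *table = malloc(TABLE_BYTES);
    if (!table)
        return -1;
    memset(table, 0xa5, TABLE_BYTES);              /* make the pages resident */
    /* Stand-in for sandbox setup that fork() hands down for free. */
    int pipefd[2];
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 || pipe(pipefd) != 0) {
        free(table);
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0) {
        free(table);
        return -1;
    }
    if (pid == 0) {
        close(pipefd[0]);
        worker_main(table, pipefd[1]);
        _exit(0);
    }
    close(pipefd[1]);
    ssize_t n = read(pipefd[0], out, sizeof *out);
    close(pipefd[0]);
    waitpid(pid, NULL, 0);
    free(table);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

int main(void)
{
    struct worker_report r;
    if (zygote_run_worker(&r) != 0 || !r.ok) {
        puts("could not measure (no /proc/self/smaps?)");
        return 1;
    }
    printf("table size: %u kB\n", TABLE_BYTES / 1024);
    printf("worker Shared_Dirty right after fork: %ld kB (CoW with zygote)\n", r.shared_kb_at_start);
    printf("worker Private_Dirty added by writing the table: %ld kB\n", r.private_kb_added);
    printf("worker inherited no_new_privs: %s\n", r.inherited_no_new_privs ? "yes" : "no");
    return 0;
}
```

The first measurement is roughly the table size, the second grows by roughly the table size only because the worker deliberately writes every page; a worker that only reads the prepared state keeps sharing it. That is what a forkserver preserves and what an exec()-based launcher such as flatpak-spawn gives up.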
Comment 10•4 months ago
Meanwhile, nothing real has happened here for four years, and a freshly upgraded org.mozilla.firefox refuses to start on my openSUSE/MicroOS (needless to add that flatpaked Firefox was working for me until yesterday).
mitmanek:~ $ flatpak run org.mozilla.firefox
[2] Sandbox: CanCreateUserNamespace() clone() failure: EPERM
mitmanek:~ $ LANG=en_GB flatpak info org.mozilla.firefox
Firefox - Fast, Private & Safe Web Browser
ID: org.mozilla.firefox
Ref: app/org.mozilla.firefox/x86_64/stable
Arch: x86_64
Branch: stable
Version: 144.0
License: MPL-2.0
Origin: flathub
Collection: org.flathub.Stable
Installation: user
Installed: 300.8 MB
Runtime: org.freedesktop.Platform/x86_64/24.08
Sdk: org.freedesktop.Sdk/x86_64/24.08
Commit: 16c8616b99af926c91734bd73ea6a2644965d02b6336ebdf11dd952dea097865
Parent: 83102f67e8674a8a3d4c4134c9bbda695a0bbede915957a6a99eceeb00e82953
Subject: Export org.mozilla.firefox
Date: 2025-10-14 12:33:10 +0000
mitmanek:~ $
It seems that some firefox processes are running, but nothing visible shows up:
mitmanek:~ $ pgrep -f -a firefox/browser
55808 /app/lib/firefox/firefox-bin -contentproc -ipcHandle 0 -signalPipe 1 -initialChannelId {0f22ef83-d93c-4226-b919-7731995047eb} -parentPid 2 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 1 forkserver
55811 /app/lib/firefox/firefox-bin -contentproc -parentBuildID 20251009125714 -prefsHandle 0:47851 -prefMapHandle 1:290443 -sandboxReporter 2 -ipcHandle 3 -initialChannelId {2935a0e0-06e3-4a2a-a36a-952f07a77251} -parentPid 2 -crashReporter 4 -crashHelper 5 -appDir /app/lib/firefox/browser 2 socket
55863 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:47920 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {00478a7c-954c-4a63-a6cb-e70f5f327687} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 3 tab
55873 /app/lib/firefox/firefox-bin -contentproc -parentBuildID 20251009125714 -prefsHandle 0:47920 -prefMapHandle 1:290443 -sandboxReporter 2 -ipcHandle 3 -initialChannelId {bb029721-5977-4705-ad78-2ea3538b7e9e} -parentPid 2 -crashReporter 4 -crashHelper 5 -appDir /app/lib/firefox/browser 4 rdd
55919 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:37688 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {a4583c21-4229-438a-8c96-2113c1143f57} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 5 tab
55926 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:37688 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {d2063438-6326-4644-868c-5381bf163cac} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 6 tab
55941 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:37688 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {5fe4ffb1-09a8-46b0-abff-90bb741e7037} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 7 tab
55955 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:37688 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {61e30359-82d5-468e-92b5-48611c9a8d3a} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 8 tab
55988 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:37688 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {4c19e004-b616-4be6-bb23-f25d20dfcb04} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 9 tab
56198 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:58404 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {a0c25ada-e715-4ac2-8a8e-2cbc33dd20a6} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 10 tab
56292 /app/lib/firefox/firefox-bin -contentproc -parentBuildID 20251009125714 -sandboxingKind 0 -prefsHandle 0:58449 -prefMapHandle 1:290443 -sandboxReporter 2 -ipcHandle 3 -initialChannelId {175792b6-42f4-44a0-8e7a-bc9773876645} -parentPid 2 -crashReporter 4 -crashHelper 5 -appDir /app/lib/firefox/browser 11 utility
100226 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:48635 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {f7599b59-bedd-42c6-8097-c1feb1e4bfdc} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 36 tab
162032 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:48636 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {8b33dc5f-45e9-4c0d-a8a5-b87e30c9de8c} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 117 tab
178967 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:48634 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {b6ce5ce3-809a-437b-b32c-73c5f4f5ee59} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 133 tab
200993 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:48634 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {a45cd2c2-d022-4786-85a8-f5020bd6d952} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 145 tab
206108 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:48634 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {c7366869-2bbb-4e54-ab76-22e85e04db11} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 146 tab
206963 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:48635 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {77b15f02-fc53-46a3-8e48-e330bfda72ca} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 147 tab
211266 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:48635 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {a672d093-9393-4ebc-a7f6-a20f4e5b98f3} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 155 tab
212024 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:48635 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {553f6230-f592-4cef-ad53-dc28b988a149} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 157 tab
213046 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:48635 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {5b33d697-ed7e-4bdb-8a74-24ae3814066e} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 158 tab
213426 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:48635 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {0e35aae6-387c-480e-81b3-29da4a1e4bb4} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 159 tab
213786 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:48635 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {e8d4ed31-71b0-47da-88c8-d7f3ec3b5b0d} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 160 tab
1160324 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:48635 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {59da159d-3656-4770-8fab-a7cff3608268} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 625 tab
1165181 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:48635 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {4ea23ea2-bbff-4cc2-a32b-f4fb7bb7ee9f} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 626 tab
1170103 /app/lib/firefox/firefox-bin -contentproc -isForBrowser -prefsHandle 0:48635 -prefMapHandle 1:290443 -jsInitHandle 2:224660 -parentBuildID 20251009125714 -sandboxReporter 3 -ipcHandle 4 -initialChannelId {b99dcd74-38db-47c8-b20b-8e7df943834d} -parentPid 2 -crashReporter 5 -crashHelper 6 -greomni /app/lib/firefox/omni.ja -appomni /app/lib/firefox/browser/omni.ja -appDir /app/lib/firefox/browser 627 tab
mitmanek:~ $
And no, there is no 1Password (or any other password-related extension) anywhere near my Firefox.
Comment 11•4 months ago
The CanCreateUserNamespace() clone() failure: EPERM is just a warning that always shows up for the Firefox flatpak. It's not the cause of your problem.