Policy on Linux can be bypassed by setting MOZ_SYSTEM_CONFIG directory
Categories
(Firefox :: Enterprise Policies, defect, P1)
Tracking
()
People
(Reporter: mkaply, Assigned: mkaply)
References
(Regression)
Details
(Keywords: regression)
Attachments
(1 file, 1 obsolete file)
|
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-beta+
|
Details | Review |
In bug 1785278 we added basic autoconfig support for the snap.
A change was added to policy to read policies from the system config directory, but that could be overridden by an environment variable for testing purposes.
That should not have been put in policy.
|
Assignee | |
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 1•2 years ago
|
||
|
||
Comment 2•2 years ago
|
||
Not sure on the threat model here. Users can set LD_PRELOAD or other environmental variables already, and achieve the same effect (with more effort)
|
||
Comment 3•2 years ago
|
||
(In reply to Mike Kaply [:mkaply] from comment #0)
A change was added to policy to read policies from the system config directory, but that could be overridden by an environment variable for testing purposes.
That should not have been put in policy.
This patch will regress the approach proposed in #1795998 which is using this environment variable to provide an alternative policy path which is accessible from within the Flatpak sandbox.
|
|
Assignee | |
Comment 4•2 years ago
|
||
Did we decide that there was no way to have the Flatpak sandbox access the standard /etc/firefox location?
I'm not sure why we need to add a new location for policies for Flatpak, I thought it would read policies from the same central location.
|
||
Comment 5•2 years ago
|
||
/etc/firefox is problematic for flatpak sandboxing because it's not possible to grant access only to /etc/firefox but to whole /etc directory which may contain stuff which sanboxed apps has no business to touch. Relying on /etc/firefox would mean ff flatpak would need permission for /etc forever which is at odds with the stricter permissions goal: https://bugzilla.mozilla.org/show_bug.cgi?id=1726217
Similar problem was fixed for flatpak chromium without providing access to /etc so same thing for ff should be doable.
|
|
Assignee | |
Comment 6•2 years ago
|
||
What I can do is make this check only happen if we are a packaged app:
if (Services.sysinfo.getProperty("isPackagedApp"))
which is similar to the CPP changes.
|
|
||
Comment 7•2 years ago
|
||
(In reply to Mike Kaply [:mkaply] from comment #6)
What I can do is make this check only happen if we are a packaged app:
if (Services.sysinfo.getProperty("isPackagedApp"))
which is similar to the CPP changes.
We could also hardcode the Flatpak path (I suggested /app/etc/firefox) or prefix /app in the case Flatpak is detected?
|
|
Assignee | |
Comment 8•2 years ago
|
||
We could also hardcode the Flatpak path (I suggested /app/etc/firefox) or prefix /app in the case Flatpak is detected?
I think the quickest fix is the isPackagedApp. I'll do that today.
We might rethink based on your other patch, but I'd like to get something in.
|
||
Updated•2 years ago
|
|
||
Comment 9•2 years ago
|
||
I'm also for the hardcoded path as Robert suggested. We could then use the unmaintained extension to mount the system config files to the /app/etc/firefox location.
|
|
Assignee | |
Comment 10•2 years ago
|
||
I don't currently have a way to detect Flatpak versus Snap in JS, but I'll see what I can figure out.
|
|
Assignee | |
Comment 11•2 years ago
|
||
We're not going to fix this before 110.
|
|
||
Comment 12•2 years ago
|
||
Set release status flags based on info from the regressing bug 1785278
|
|
||
Comment 13•2 years ago
|
||
The following patch is waiting for review from an inactive reviewer:
| ID | Title | Author | Reviewer Status |
|---|---|---|---|
| D167860 | Bug 1812339 - Always use /etc directory on Linux for policy. r?gerard-majax | mkaply | gerard-majax: Back Feb 28, 2023 |
:mkaply, could you please find another reviewer?
For more information, please visit auto_nag documentation.
|
||
Updated•2 years ago
|
|
|
||
Comment 14•2 years ago
•
|
||
:mkaply do you think you'll have a patch in time for 111, wondering if we still need to track this?
Or, will it land later and ride the trains
|
|
Assignee | |
Comment 15•2 years ago
|
||
Yes, patch is done and going for review today.
|
|
Assignee | |
Comment 16•2 years ago
|
||
|
||
Comment 17•2 years ago
|
||
Hey :mkaply, Do we still want to land this for the 111 cycle, or can we push this to 112?
|
|
Assignee | |
Comment 18•2 years ago
|
||
I'm having trouble getting the right fix for this, but I want to do something. I'm going to go back to the temporary simple patch for now. Thanks for pinging.
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 19•2 years ago
|
||
I've landed the old patch while I figure things. I'll request uplift once it clears.
|
||
Comment 20•2 years ago
|
||
|
||
Comment 21•2 years ago
|
||
| bugherder | ||
|
|
||
Comment 22•2 years ago
|
||
The patch landed in nightly and beta is affected.
:mkaply, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox111towontfix.
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Comment 23•2 years ago
|
||
Comment on attachment 9314107 [details]
Bug 1812339 - Always use /etc directory on Linux for policy. r?gerard-majax
Beta/Release Uplift Approval Request
- User impact if declined: Users can bypass policy on Linux
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce: Doesn't need verification because it's just backing out a patch
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Just reverts code to what it was before.
- String changes made/needed:
- Is Android affected?: No
|
|
||
Comment 24•2 years ago
|
||
Comment on attachment 9314107 [details]
Bug 1812339 - Always use /etc directory on Linux for policy. r?gerard-majax
Approved for 111.0b8
|
|
||
Comment 25•2 years ago
|
||
| bugherder uplift | ||
|
|
||
Updated•2 years ago
|
Description
•