Ship untrusted integrity on content process and extension process for Windows to release
Categories
(Core :: Security: Process Sandboxing, enhancement, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox128 | --- | fixed |
People
(Reporter: Tom25519, Assigned: bobowen)
References
(Blocks 1 open bug)
Details
Attachments
(2 files)
Now Google Chrome set untrusted integrity on content process and extension process on Windows. I think Firefox should also do this.
Note: If some extensions need to run in "low" integrity level, once firefox could run every extension in separate processes (https://bugzilla.mozilla.org/show_bug.cgi?id=1827085), we could run them in "low" integrity level, and others run in "untrusted".
Or, if extension needs to read/write files on local disk which need higher integrity level, parent process as broker, extension call it to do that, all exrension processes have "untrusted" integrity level.
|
Assignee | |
Comment 3•2 years ago
|
||
This has been a long term goal of ours, although I don't think we already had a specific bug, so thanks for this one.
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Updated•10 months ago
|
|
|
Assignee | |
Comment 4•9 months ago
|
||
These pass due to fallback caused by untrusted integrity.
|
|
Assignee | |
Comment 5•9 months ago
|
||
Leaving the NIGHTLY_BUILD #if because I will soon be using level 8 for
USER_RESTRICTED access token level.
(In reply to Bob Owen (:bobowen) from comment #5)
Created attachment 9405250 [details]
Bug 1831036 p2: Ship untrusted integrity on Windows content process sandbox. r=handyman!Leaving the NIGHTLY_BUILD #if because I will soon be using level 8 for
USER_RESTRICTED access token level.
What's the difference between untrusted integrity and USER_RESTRICTED access token level?
|
|
Assignee | |
Comment 8•9 months ago
|
||
(In reply to Tom25519 from comment #7)
(In reply to Bob Owen (:bobowen) from comment #5)
Created attachment 9405250 [details]
Bug 1831036 p2: Ship untrusted integrity on Windows content process sandbox. r=handyman!Leaving the NIGHTLY_BUILD #if because I will soon be using level 8 for
USER_RESTRICTED access token level.What's the difference between untrusted integrity and USER_RESTRICTED access token level?
They both affect access checks in different ways.
The access token levels (like USER_RESTRICTED) remove more and more SIDs from the restricted SIDs list on the process's access token. As well (in general) as making those SIDs only available for deny checks. Access checks have to pass for both the normal and restricted list of SIDs.
Integrity levels are a separate mechanism, where a token with a lower integrity level only gets certain access to resources with higher integrity levels.
Apart from the Microsoft documentation on these things, there is also the chromium sandbox doc.
|
||
Comment 9•9 months ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/0a945b0cb21c
https://hg.mozilla.org/mozilla-central/rev/f7432a10815f
|
|
Assignee | |
Comment 10•8 months ago
|
||
Release Note Request (optional, but appreciated)
[Why is this notable]: Windows content process sandbox improvement.
[Affects Firefox for Android]: No
[Suggested wording]: To further restrict any write access that the content processes have on Windows we have reduced their integrity level from low to untrusted.
[Links (documentation, blog post, etc)]:
Description
•