Closed
Bug 579388
Opened 14 years ago
Closed 8 years ago
e10s: Remote nsOSHelperAppService
Categories
(Firefox :: File Handling, defect)
Firefox
File Handling
Tracking
()
RESOLVED
FIXED
Firefox 50
People
(Reporter: mwu, Unassigned)
References
Details
(Whiteboard: sblc1)
Attachments
(3 files)
nsOSHelperAppService on Android requires access to the JRE, which is not available in the child process.
Reporter | ||
Updated•14 years ago
|
OS: Linux → All
Hardware: x86_64 → All
Updated•10 years ago
|
tracking-e10s:
--- → +
Updated•10 years ago
|
Blocks: old-e10s-m2, core-e10s
Updated•10 years ago
|
Comment 1•9 years ago
|
||
The "unix" implementation (desktop Linux and similar) is a problem for sandboxing: it reads the mailcap file and runs shell commands specified there (the "test" field) in response to web content accessing properties of navigator.mimeTypes.
Blocks: desktop-seccomp
Comment 3•8 years ago
|
||
(In reply to Jed Davis [:jld] [⏰PDT; UTC-7] from comment #1) > The "unix" implementation (desktop Linux and similar) is a problem for > sandboxing: it reads the mailcap file and runs shell commands specified > there (the "test" field) in response to web content accessing properties of > navigator.mimeTypes. The use of this code seems to be triggered from https://dxr.mozilla.org/mozilla-central/source/uriloader/exthandler/nsExternalHelperAppService.cpp#2716 https://dxr.mozilla.org/mozilla-central/source/uriloader/exthandler/nsExternalHelperAppService.cpp#2624 But that code seems to currently run in the parent: [Parent 8919] WARNING: The dialog should nullify the dialog progress listener: file /home/morbo/git/gecko-dev/uriloader/exthandler/nsExternalHelperAppService.cpp, line 216 We couldn't produce a seccomp (fork/execve) violation by feeding Firefox unknown mimetypes, so I think this no longer blocks sandboxing on Linux.
Comment 4•8 years ago
|
||
This bug seems to be filed a while back, :mwu or :jld does either of you know if this is still an issue regarding sandboxing or if this code has already been remoted in the meantime?
Flags: needinfo?(mwu.code)
Flags: needinfo?(jld)
Comment 5•8 years ago
|
||
If I recall correctly, I ran into this just by starting Firefox with the content process under seccomp-bpf, not by doing anything special. So if it's not obviously broken now, that could mean it changed at some point in the ~15 months since comment #1. (In hindsight I wish I'd attached a stack trace so we'd have a better idea of what parts of the codebase were involved.)
Flags: needinfo?(jld)
Comment 6•8 years ago
|
||
AFAICT these services have been remoted through PExternalHelperApp and PHandlerService in bug 562444. I debugged this on Windows and found that calls to GetTypeFromExtension were occurring in the parent. In comment 1 jld mentions navigator.mimeTypes. Need to look into the functionality of that.
Comment 7•8 years ago
|
||
navigator.mimeTypes appears to be plugin related.
Comment 8•8 years ago
|
||
(In reply to Michael Wu [:mwu] from comment #0) > nsOSHelperAppService on Android requires access to the JRE, which is not > available in the child process. Also the original bug was android related. I think we can untrack this from the linux seccompp nightly landing.
Comment 9•8 years ago
|
||
(In reply to Jim Mathies [:jimm] from comment #8) > Also the original bug was android related. I think we can untrack this from > the linux seccompp nightly landing. Unraveling a few things here: I think I did not recall correctly in comment #5, and I was thinking of something else that reproduced just by starting the browser. Rereading the comment about web content accessing navigator.mimeTypes… that was probably me going to some well-known webpage that tried to do feature detection, and extracting the navigator.mimeTypes part of it from the stack trace. As for whether comment #1 and comment #0 are the same bug… I have no idea. At the time, they seemed to be the same problem (nsOSHelperAppService accessing a system content-type registry directly from the content process), and since this bug was still open I assumed that the manifestation I was seeing was a duplicate. But if bug 562444 fixed the Android version of this, then maybe not? In any case, whether or not that comment should have been a separate bug is independent of whether it's still a seccomp-bpf blocker.
Comment 10•8 years ago
|
||
(In reply to Jed Davis [:jld] [away until 06-01] [⏰MDT; UTC-6] from comment #9) > As for whether comment #1 and comment #0 are the same bug… I have no idea. > At the time, they seemed to be the same problem (nsOSHelperAppService > accessing a system content-type registry directly from the content process), > and since this bug was still open I assumed that the manifestation I was > seeing was a duplicate. But if bug 562444 fixed the Android version of > this, then maybe not? In any case, whether or not that comment should have > been a separate bug is independent of whether it's still a seccomp-bpf > blocker. http://mxr.mozilla.org/mozilla-central/source/uriloader/exthandler/unix/nsOSHelperAppService.cpp http://mxr.mozilla.org/mozilla-central/source/uriloader/exthandler/nsExternalHelperAppService.cpp This code definitely accesses local files still. Open question is if nsExternalHelperAppService (which calls into nsOSHelperAppService) tries to do this in the content process.
Comment 11•8 years ago
|
||
When debugging some of the test failures with seccomp-bpf enabled, I came across a failure which seems to trigger this bug. When running: uriloader/exthandler/tests/mochitest/test_badMimeType.html, content will crash because of a seccomp violation trying to fork/exec using sys_clone. I attached with gdb and tried to trace it back, it was executing 'test -x /usr/bin/vim'. When running the test with NSPR_LOG_MODULES="HelperAppService:4", I get the following output: > [Main Thread]: D/HelperAppService -- UnescapeCommand > [Main Thread]: D/HelperAppService Command to escape: 'test -x /usr/bin/vim' > [Main Thread]: D/HelperAppService UnescapeCommand really needs some work -- it should actually do some unescaping > [Main Thread]: D/HelperAppService Escaped command: 'test -x /usr/bin/vim' > [Main Thread]: D/HelperAppService Running Test: test -x /usr/bin/vim Which is handled here: https://dxr.mozilla.org/mozilla-central/rev/ec20b463c04f57a4bfca1edb987fcb9e9707c364/uriloader/exthandler/unix/nsOSHelperAppService.cpp#1069 So the test case definitely shows that this is still executed in the content process, which blocks seccomp from being enabled on nightly. :jimm, do you know anybody who could pick this up? And since it is an issue on desktop linux, should it be tracked for e10s? I don't know the code at all and it would take me a while, but I think we want to get seccomp on nightly asap, what do you think?
Flags: needinfo?(jmathies)
Whiteboard: sblc1
Comment 12•8 years ago
|
||
I've done some work in here, it can be a bit confusing because the uriloader c++ code implements various xpcom interfaces, one of which is defined by an idl over in netwerk. Overall though it doesn't look like there's an issue here. I did quick survey of the use of the routines in the unix implementation of nsOSHelperAppService and found that local file access was restricted to two public methods of nsIMIMEService - Interfaces: --------------------------- nsIExternalHelperAppService (urihandler) nsIExternalProtocolService (urihandler) nsIMIMEService (netwerk) Methods: --------------------------- GetFromTypeAndExtension (nsIMIMEService) GetMIMEInfoFromOS GetFromType, GetFromExtension - file access GetTypeFromExtension (nsIMIMEService) GetMIMEInfoFromOS GetFromType, GetFromExtension - file access GetProtocolHandlerInfo (nsIExternalProtocolService) GetProtocolHandlerInfoFromOS (nsGNOMERegistry use) ExternalProtocolHandlerExists (nsIExternalProtocolService) OSProtocolHandlerExists (nsGNOMERegistry use) GetApplicationDescription (nsIExternalProtocolService) GetApplicationDescription (nsGNOMERegistry use) local file read base helpers in nsOSHelperAppService ---------------------------------------------------- GetFromExtension GetFileTokenForPath - file access GetFromExtension LookUpHandlerAndDescription DoLookUpHandlerAndDescription GetFileLocation - path env GetHandlerAndDescriptionFromMailcapFile GetHandlerAndDescriptionFromMailcapFile - file access GetFromExtension LookUpTypeAndDescription GetFileLocation GetTypeAndDescriptionFromMimetypesFile - file access GetFromType GetFileTokenForPath - file access GetFromType DoLookUpHandlerAndDescription GetFileLocation GetHandlerAndDescriptionFromMailcapFile GetHandlerAndDescriptionFromMailcapFile - file access GetFromType LookUpExtensionsAndDescription GetFileLocation GetTypeAndDescriptionFromMimetypesFile - file access Poking around for uses if these two methods, I don't see cases where these two methods get called from content - http://mxr.mozilla.org/mozilla-central/search?string=GetFromTypeAndExtension http://mxr.mozilla.org/mozilla-central/search?string=GetTypeFromExtension (Lets try to confirm this through some debugging.) The test you found that failed looks like a crash test that tries to load nsIMIMEService in content, which we will not allow content to do. We can disable this test to work around it. http://mxr.mozilla.org/mozilla-central/source/uriloader/exthandler/tests/mochitest/test_badMimeType.html Thoughts?
Flags: needinfo?(jmathies)
Comment 13•8 years ago
|
||
(In reply to Jim Mathies [:jimm] from comment #12) > The test you found that failed looks like a crash test that tries to load > nsIMIMEService in content, which we will not allow content to do. Should that interface be marked main_process_scriptable_only? (See also bug 997325.)
Comment 14•8 years ago
|
||
So basically, the test creates a scenario (using nsIMIMEService in content) that doesn't occur in release because we don't use it this way in content?
Comment 15•8 years ago
|
||
This would also explain, why :gcp and I couldn't trigger a crash.
Comment 16•8 years ago
|
||
(In reply to Jim Mathies [:jimm] from comment #12) > We can disable this test to work around it. > Slight preference for "just" fixing the test. Removing test coverage on features can end up backfiring.
Comment 17•8 years ago
|
||
As well as doing what jld says in comment 13, for that matter.
Comment 18•8 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/59316/diff/#index_header See other reviews: https://reviewboard.mozilla.org/r/59316/
Comment 19•8 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/59318/diff/#index_header See other reviews: https://reviewboard.mozilla.org/r/59318/
Comment 20•8 years ago
|
||
Comment on attachment 8762858 [details] Bug 579388 - nsIMIMEService should run in chrome. Review request updated; see interdiff: https://reviewboard.mozilla.org/r/59316/diff/1-2/
Attachment #8762858 -
Flags: review?(jocheng)
Attachment #8762859 -
Flags: review?(jocheng)
Comment 21•8 years ago
|
||
Comment on attachment 8762859 [details] Bug 579388 - Only allow nsIMIMEService scripting from chrome. Review request updated; see interdiff: https://reviewboard.mozilla.org/r/59318/diff/1-2/
Updated•8 years ago
|
Attachment #8762858 -
Flags: review?(jocheng) → review?(jaas)
Updated•8 years ago
|
Attachment #8762859 -
Flags: review?(jocheng) → review?(jaas)
Updated•8 years ago
|
Product: Core → Firefox
Version: Trunk → unspecified
Attachment #8762858 -
Flags: review?(jaas) → review+
Comment 22•8 years ago
|
||
Comment on attachment 8762858 [details] Bug 579388 - nsIMIMEService should run in chrome. https://reviewboard.mozilla.org/r/59316/#review57792
Comment 23•8 years ago
|
||
Comment on attachment 8762859 [details] Bug 579388 - Only allow nsIMIMEService scripting from chrome. https://reviewboard.mozilla.org/r/59318/#review57794
Attachment #8762859 -
Flags: review?(jaas) → review+
Comment 24•8 years ago
|
||
This is the first time I've reviewed something with Review Board. I hope I did it correctly. I'm struggling to understand what the point of that additional UI disaster is over the old review system, but this isn't really the place for that discussion...
Comment 25•8 years ago
|
||
Pushed by gpascutto@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f276538c9493 nsIMIMEService should run in chrome. r=jaas+18821 https://hg.mozilla.org/integration/autoland/rev/a1eab626db95 Only allow nsIMIMEService scripting from chrome. r=jaas+18821
Comment 26•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/f276538c9493 https://hg.mozilla.org/mozilla-central/rev/a1eab626db95
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox50:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 50
You need to log in
before you can comment on or make changes to this bug.
Description
•