Closed Bug 724330 Opened 12 years ago Closed 7 years ago

[OOPP] plugin-container process should run under Low integrity mode

Categories

(Core Graveyard :: Plug-ins, defect)

x86_64
Windows 7
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: syskin2, Unassigned)


Windows Vista and 7 allow starting processes under Low Integrity privileges, limiting their access to standard user-accessible locations and virtualising some of the filesystem for them.

Mozilla did all the hard work to separate plugin-container.exe out, but then left this process under Medium Integrity level (same as browser's).

I see no bug for changing that, or tracking why it's hard. So, here it is.

There exists bug 266533, which is about running the entire browser under Low Integrity. This bug is not a dup of that; it might be a subset. It's only about plugin-container.exe.

I'm fairly certain that both Flash and Java do things that are impossible to do in Low Integrity mode, though it's worth double-checking.

At that point, what would be the use of sandboxing some limited subset of other plug-ins that no one actually uses?

Component: IPC → Plug-ins
QA Contact: ipc → plugins
Blocks: 925570
See Also: → 928062

(In reply to Boris Zbarsky [:bz] from comment #1)
> I'm fairly certain that both Flash and Java do things that are impossible to
> do in Low Integrity mode, though it's worth double-checking.

I'm sure that, even if Flash & Java would not be affected, we would break other plugins that don't expect to have limited privileges.

If anything we might think about doing this for certain plugins which are known to continue to work, although even that will be risky.

IMHO, the greater risk is in not doing this. Does IE run Flash and Java in low integrity mode? If so, then Firefox is less secure than IE.

We are shipping a strong sandbox on Flash-win64 and Flash has a sandbox on win32. Non-Flash plugins are deprecated. I'm going to close this as not tracking anything in particular nowadays.

Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Product: Core → Core Graveyard