Closed
Bug 751017
Opened 13 years ago
Closed 12 years ago
[Security Review] Alarm API
Categories
(mozilla.org :: Security Assurance, task, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: pauljt, Assigned: dchanm+bugzilla)
(Whiteboard: [start mm/dd/yyyy][target mm/dd/yyyy])
Security Template
Comment 1 • 13 years ago • Reporter (pauljt)
Probably too early for review - not aware of any bug for the Alarm API yet.
Updated • 13 years ago
Assignee: nobody → ptheriault
Status: NEW → ASSIGNED
Comment 2 • 13 years ago • Reporter (pauljt)
This will be a very short review - it's not really an API. The sole purpose is to allow an app to ask to have itself woken up at a future time.
Blocks: B2G-secreview
Updated • 13 years ago • Reporter
Priority: -- → P1
Updated • 12 years ago • Reporter
Priority: P1 → P2
Updated • 12 years ago • Assignee
Assignee: ptheriault → dchan+bugzilla
Comment 3 • 12 years ago • Assignee (dchan+bugzilla)
I did a manual review of the code and it follows the guidelines for securing WebAPIs.
- Initialization of the navigator.mozAlarms property is guarded by both a preference and a permissions check. [1]
- The preference is only set in B2G builds as of now; all other builds have the preference set to false. [2][3]
- Messages of type "AlarmsManager:GetAll", "AlarmsManager:Add", "AlarmsManager:Remove" check that the message sender has the "alarms" permission. This prevents a compromised process from spoofing arbitrary alarm messages. [4]
- The system message handler must either handle or launch the associated app within 30s, otherwise the CPU wakelock is released. This prevents a "bad" alarm from draining too much battery. [5]
I'm marking this review as RESOLVED; please reopen if there are objections.
[1] - http://mxr.mozilla.org/mozilla-central/source/dom/alarm/AlarmsManager.js#141
[2] - http://mxr.mozilla.org/mozilla-central/source/b2g/app/b2g.js#401
[3] - http://mxr.mozilla.org/mozilla-central/source/modules/libpref/src/init/all.js#3814
[4] - http://mxr.mozilla.org/mozilla-central/source/dom/alarm/AlarmService.jsm#86
[5] - http://mxr.mozilla.org/mozilla-central/source/dom/alarm/AlarmService.jsm#291
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy] → [start mm/dd/yyyy][target mm/dd/yyyy]
Comment 4 • 12 years ago • Assignee (dchan+bugzilla)
I forgot to mention that apps can only remove their own alarms. Removal from the AlarmsDB requires that the requestID and manifestURL match. [1] There is an exception if the manifestURL is null: then only the id is checked. Removal from the queue requires that both the requestID and manifestURL match. [2]
[1] - http://mxr.mozilla.org/mozilla-central/source/dom/alarm/AlarmDB.jsm#80
[2] - http://mxr.mozilla.org/mozilla-central/source/dom/alarm/AlarmService.jsm#189
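The two checks described in comments 3 and 4 (refuse AlarmsManager messages from a sender without the "alarms" permission; on removal, require the alarm's manifestURL to match the caller's, with the null-manifestURL exception the assignee notes) can be modelled as a small ownership-and-permission gate. The following is an added illustration written for this page, not Gecko's AlarmService.jsm or AlarmDB.jsm code; the names AlarmStore, dispatch, demo and the shape of the sender object are assumptions, the manifest URLs are constructed sample values, and the 30s wakelock timeout from comment 3 is not modelled. The demo shows a cross-app removal being refused, a permission-less GetAll being refused, and the null-manifestURL path skipping the ownership check, which is the case comment 5's hardening concern applies to.

```javascript
// Added example (not Gecko's alarm code): toy model of the permission gate on
// AlarmsManager:* messages and of the ownership check on alarm removal.
// AlarmStore, dispatch, demo and the sender object shape are assumptions.

class AlarmStore {
  constructor() {
    this.nextId = 1;
    this.alarms = new Map(); // id -> { id, manifestURL, date, data }
  }

  // Register an alarm on behalf of the app identified by manifestURL.
  add(manifestURL, date, data) {
    const id = this.nextId++;
    this.alarms.set(id, { id, manifestURL, date, data });
    return id;
  }

  // Remove an alarm. As comment 4 describes for AlarmDB: id and manifestURL
  // must both match; when manifestURL is null only the id is checked, so the
  // caller must never pass null on behalf of an untrusted app.
  remove(id, manifestURL) {
    const alarm = this.alarms.get(id);
    if (!alarm) return false;
    if (manifestURL !== null && alarm.manifestURL !== manifestURL) return false;
    this.alarms.delete(id);
    return true;
  }

  // List only the alarms owned by the given app.
  getAll(manifestURL) {
    return [...this.alarms.values()].filter((a) => a.manifestURL === manifestURL);
  }
}

// Dispatcher modelling the permission gate from comment 3: every
// AlarmsManager:* message is refused unless the sender holds "alarms".
function dispatch(store, sender, message) {
  if (!sender.permissions.has("alarms")) {
    return { ok: false, error: "permission denied: alarms" };
  }
  switch (message.name) {
    case "AlarmsManager:Add": {
      const id = store.add(sender.manifestURL, message.date, message.data);
      return { ok: true, id };
    }
    case "AlarmsManager:Remove": {
      // The store is always handed the sender's own manifestURL, so an app
      // can only remove alarms it registered itself.
      const removed = store.remove(message.id, sender.manifestURL);
      return { ok: true, removed };
    }
    case "AlarmsManager:GetAll":
      return { ok: true, alarms: store.getAll(sender.manifestURL) };
    default:
      return { ok: false, error: "unknown message " + message.name };
  }
}

// Constructed scenario: two apps with the permission, one without.
function demo() {
  const store = new AlarmStore();
  const appA = { manifestURL: "app://a.example/manifest.webapp", permissions: new Set(["alarms"]) };
  const appB = { manifestURL: "app://b.example/manifest.webapp", permissions: new Set(["alarms"]) };
  const noPerm = { manifestURL: "app://c.example/manifest.webapp", permissions: new Set() };

  const added = dispatch(store, appA, { name: "AlarmsManager:Add", date: 1700000000000, data: {} });
  const denied = dispatch(store, noPerm, { name: "AlarmsManager:GetAll" });
  const crossApp = dispatch(store, appB, { name: "AlarmsManager:Remove", id: added.id });
  const ownApp = dispatch(store, appA, { name: "AlarmsManager:Remove", id: added.id });
  return { added, denied, crossApp, ownApp, remaining: store.alarms.size };
}
```

Calling demo() returns added.ok === true, denied.ok === false, crossApp.removed === false and ownApp.removed === true, with no alarms left afterwards; calling AlarmStore.remove with a null manifestURL succeeds on any id, which is why the dispatcher never lets a sender choose that value.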
Comment 5 • 12 years ago • Reporter (pauljt)
Note that I think this API needs to be hardened for the case when the child is compromised - see bug 821671.