Closed Bug 845191 (b2g-no-root) Opened 12 years ago Closed 8 years ago

Tracking: Run "system app" with minimal privileges

Categories: Core :: General, defect
Platform: x86_64 Linux; Type: defect; Priority: Not set; Severity: normal
Status: RESOLVED WONTFIX
People: Reporter: cjones, Unassigned, NeedInfo
References: Depends on 2 open bugs
Whiteboard: [tech-p1]
Attachments: 4 files

Currently it runs with, ahem, elevated privileges. We're not being good UNIX-ists. Since we do some, ah, scary links like run JITs and layout engines in that code, it puts the system at unnecessary risk. We should be running this process as system.system. The work to get there isn't trivial, but thankfully not rocket science either. Will be posting a plan in the form of dep bugs asap.
Needed for unarguable competitive parity in security. We wouldn't ship without parity in v1, but we made a tradeoff (content in VM vs. elevated-privs system app) that makes the comparison arguable.
Whiteboard: [tech-p1]
Assignee: nobody → marta
Our idea is to start the supervisor process during startup (from b2g.init.rc) /done/, which then forks and calls b2g but lowers its rights /done/. The supervisor creates a socket which is then used to communicate with the system /done/. Every time communication is needed the socket is reopened /done/ and the request is communicated to the supervisor /done/. Probably you will prefer setting up the whole ipdl communication, but I first want to identify all the parts of the code that need to be moved to the supervisor. If you insist on the ipdl communication, I will need help with this.

As to the parts I already identified, the reboot code is moved to the supervisor from the following files:
./system/core/libcutils/android_reboot.c
./gecko/hal/linux/LinuxPower.cpp
./device/qcom/common/updater/firmware.c
./bootable/recovery/tools/ota/check-lost+found.c

Now I'm working on identifying the other parts (update, sysctl, etc.). Any help would be appreciated, e.g. if you worked on one of these parts and you know where the code is.
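Added example, not code from this bug's attachments or from B2G: a minimal version of the supervisor design sketched in the comment above, in C. The supervisor keeps root and forks the child; the child drops to an unprivileged uid/gid and sends every privileged operation as a short request over a UNIX socketpair, and the supervisor checks the request against an allow-list before acting on it. The sv_* names, the uid/gid value 65534 and the simulated reboot/shutdown/sysctl handlers are assumptions of this example.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define SV_MAX_MSG 64
/* Assumed unprivileged identity for the child (nobody/nogroup on most systems). */
#define SV_UID 65534
#define SV_GID 65534

/* Allow-list of operations the unprivileged child may ask for. A real
 * supervisor would back each entry with the code pulled out of
 * android_reboot.c, LinuxPower.cpp, etc.; here they are simulated. */
static const char *const sv_allowed[] = { "reboot", "shutdown", "sysctl" };

/* Returns 1 if op is on the allow-list, 0 otherwise. */
int sv_is_allowed(const char *op)
{
    for (size_t i = 0; i < sizeof sv_allowed / sizeof sv_allowed[0]; i++)
        if (strcmp(op, sv_allowed[i]) == 0)
            return 1;
    return 0;
}

/* Supervisor side: validate the request before doing anything with it.
 * Writes "OK:<op>" and returns 0 on success; writes "DENIED" and returns -1
 * otherwise. */
int sv_handle_request(const char *req, char *resp, size_t resp_len)
{
    if (!sv_is_allowed(req)) {
        snprintf(resp, resp_len, "DENIED");
        return -1;
    }
    /* The privileged action (e.g. the android_reboot() call) would go here. */
    snprintf(resp, resp_len, "OK:%s", req);
    return 0;
}

/* Child side: drop supplementary groups, then gid, then uid, and check that
 * root cannot be regained. A no-op when not running as root, so the example
 * also runs unprivileged. Returns 0 on success, -1 on failure. */
int sv_drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)          /* the drop must be irreversible */
        return -1;
    return 0;
}

/* One complete exchange: fork the "b2g" child, which drops privileges and
 * sends op over a UNIX socketpair; the supervisor answers from the parent.
 * Returns 0 if the supervisor performed op, -1 if it denied it, -2 on a
 * setup or privilege-drop failure. */
int sv_roundtrip(const char *op)
{
    int sv[2];
    if (strlen(op) >= SV_MAX_MSG || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -2;
    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {                      /* child: the unprivileged b2g side */
        close(sv[0]);
        int status = 2;
        if (sv_drop_privileges(SV_UID, SV_GID) == 0) {
            char resp[SV_MAX_MSG] = { 0 };
            if (write(sv[1], op, strlen(op) + 1) > 0 &&
                read(sv[1], resp, sizeof resp - 1) > 0)
                status = strncmp(resp, "OK:", 3) == 0 ? 0 : 1;
        }
        _exit(status);
    }
    close(sv[1]);                        /* parent: the privileged supervisor */
    char req[SV_MAX_MSG] = { 0 };
    char resp[SV_MAX_MSG] = { 0 };
    ssize_t n = read(sv[0], req, sizeof req - 1);
    if (n > 0) {
        req[n] = '\0';
        sv_handle_request(req, resp, sizeof resp);
        if (write(sv[0], resp, strlen(resp) + 1) < 0)
            n = -1;
    }
    close(sv[0]);
    int wstatus = 0;
    if (waitpid(pid, &wstatus, 0) != pid || !WIFEXITED(wstatus) || n <= 0)
        return -2;
    return WEXITSTATUS(wstatus) == 0 ? 0 : WEXITSTATUS(wstatus) == 1 ? -1 : -2;
}

int main(void)
{
    printf("reboot -> %d\n", sv_roundtrip("reboot"));   /* 0: performed */
    printf("mount  -> %d\n", sv_roundtrip("mount"));    /* -1: denied */
    return 0;
}
```

Run as root to see the actual drop to 65534; run unprivileged and the drop is skipped but the allow-list check still applies. The point the check demonstrates is that the supervisor decides what it will do based on a fixed list, not on whatever string the child sends, so a compromised child can at most request the operations the list already permits.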
Attached patch supervisor.patch (Splinter Review)
Attachment #802971 - Flags: review?
Who should be reviewing this patch?
Fabrice, any suggestions for reviewer?
Flags: needinfo?(fabrice)
I would have said kang, not sure why he switched from r? to f? ...
Flags: needinfo?(fabrice)
Kang, any eta on review here?
Flags: needinfo?(gdestuynder)
hi - I'm not reviewing it. :marta wanted feedback rather than an actual review when we discussed it, so I switched the flag to feedback. If you look at the patch you'll see it's not ready for review. I think marta wants feedback on the way the patch works - and to validate that it's the way to go. It needs cleanup and more work to have all of the "root" functionality baked into the supervisor.
Flags: needinfo?(gdestuynder) → needinfo?(marta)
Yes that is very right. If anyone would be up for help, I will be at Taipei workweek, so we can team up.
Flags: needinfo?(marta)
Marta - as per my email, Julian is going to take a look at continuing this work,
Assignee: marta → jhector
On the Keon, with some changes, I got b2g running as system:system and nuwa running as root:root; b2g starts up and I get to the homescreen. I can do some stuff, but reboot/shutdown etc. are not working yet. But there is some progress so far. I also started a wiki article [1] where I track what I am working on etc.

[1] https://wiki.mozilla.org/User:Tedd/B2G_Supervisor
So, this is the current state of the development. I pushed all commits to my branch in my github for gecko and gonk-misc, here are the two links for it:
https://github.com/jhector/gecko-dev/tree/supervisor
https://github.com/jhector/gonk-misc/tree/supervisor

More information about the development can be found here: https://wiki.mozilla.org/User:Tedd/B2G_Supervisor

Since the supervisor process doesn't actually have anything to do with gecko code, it might be preferable to have it in a separate project which can be added to B2G/system/ and just have the b2g side implemented in gecko.

So far, I modified some file permissions and made the b2g process part of certain groups (explained in the wiki). I remoted a couple of the wifi operations like loading the driver or starting/stopping the supplicant. The code might be very optimized since I rushed it a little to get more done. Wifi isn't working yet; I have trouble getting into the settings for wifi to actually choose a wifi to connect to. I included parts of strace dumps in the wiki to see what doesn't work (it also tries to open the wifi interface etc.).

For supervisor to build it needs libfdio.so, which can be cloned from here: https://github.com/tdz/platform_system_libfdio - it needs to go in B2G/system/libfdio. The parent side of supervisor is implemented in B2G/gecko/b2g/supervisor and the child side of it (b2g side) is implemented in B2G/gecko/ipc/supervisor/.

I don't know how much time I will be able to spend on this project since I will have to work on my bachelor thesis, but I hope it is easy to pick up at the current state. If anyone needs any more information or opinions, or has questions, I updated my bugzilla mail to my private one, so feel free to contact me.
has to be applied to B2G/system/core
I almost forgot, strace is not working on the flame device (SIGBUS error with invalid address alignment) but the supervisor builds on the keon as well where strace is working. Might be very helpful to identify more places in the code that are not working.
Assignee: julian.r.hector → nobody
hi, I am interested in working on this project. I had a word with Stéphanie Ouillon, who directed me to a few bugs including this one. I have gone through the security architecture of FxOS. I also thoroughly read the research papers published by the FxOS team in IEEE Xplore. I find this project a very good one, and it would be a great learning experience for me. Since I am a rep, I can request a device for testing purposes. I am planning this project along with bug 790923. What else do I need to get started with this project?
A few of my concerns:
1. Can initial patches be tested on the Simulator?
2. Can the "Alcatel Onetouch Fire C" device serve the purpose of testing? As of now, I am devoid of a device. How would it be possible to get a device for the project?
Flags: needinfo?(cjones.bugs)
This can probably be closed
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX