Closed Bug 846047 Opened 12 years ago Closed 10 years ago

Prevent nested subprocesses from attacking each other and their parent

Categories

(Core :: General, defect)

x86_64
Linux
defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: cjones, Unassigned)

Details

When we launch subprocesses from existing content processes, the parent process will run as "nobody" and can't change the real uid/gid of new processes it spawns. This means that the launched subprocesses will run with the same real uid/gid as the parent. This isn't the end of the world security-wise, but it means that a compromised process will be able to ptrace its parent and siblings and force them to do things it otherwise couldn't do itself.

The easiest way to mitigate this is with ptrace:
- use seccomp to disable ptrace in all processes by default
- use seccomp to disable fork/exec in processes that don't have mozbrowser privileges
Did Ubuntu's ptrace hardening patches ever make it into upstream? https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace_Protection They disallow ptrace except from parent->child by default.
We don't currently have this patch. Instead, each child runs with a different user id when the platform permits it (i.e., it works on Firefox OS) so that children can't ptrace one another.
(In reply to Chris Jones [:cjones] mostly inactive; ni?/f?/r? if you need me from comment #0)

> When we launch subprocesses from existing content processes

As far as I know we're not currently launching subprocesses from content processes, except on desktop, for plugins, and bug 641685 exists for us to stop doing that. Is this bug still needed?

(Also, for the sake of completeness: a process can also use PR_SET_DUMPABLE to opt out of being ptraceable.)
Flags: needinfo?(jschoenick)
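The two mitigations discussed in this thread, a seccomp filter that denies ptrace (and, for children without spawn privileges, fork/exec) as proposed in comment #0, and the PR_SET_DUMPABLE opt-out mentioned in the reply above, put together as an added example for Linux. This is illustrative code written for this page, not Gecko's sandbox code or anything attached to the bug; the function names, the `allow_spawn` flag and the choice of denied syscalls are assumptions made for the example.

```c
/* Added example (not from the bug or from Gecko): deny ptrace(2) via
   seccomp-bpf, optionally deny process spawning too, and clear the
   dumpable flag so same-uid siblings cannot ptrace-attach. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Syscall numbers differ per ABI, so the filter first checks the
   architecture of the calling thread and kills it on a mismatch. */
#if defined(__x86_64__)
#  define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define FILTER_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define FILTER_ARCH AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* constant for this target"
#endif

#define MAX_INSNS 32

/* Write the syscall numbers the filter denies into `out` (may be NULL to
   only count) and return how many there are. ptrace is always denied;
   spawning calls only when the child has no spawn privilege (assumed flag). */
size_t denied_syscalls(int allow_spawn, int *out, size_t cap)
{
    int list[8];
    size_t n = 0;
    list[n++] = __NR_ptrace;
    if (!allow_spawn) {
#ifdef __NR_fork
        list[n++] = __NR_fork;
#endif
#ifdef __NR_vfork
        list[n++] = __NR_vfork;
#endif
        list[n++] = __NR_clone;
#ifdef __NR_clone3
        list[n++] = __NR_clone3;
#endif
        list[n++] = __NR_execve;
#ifdef __NR_execveat
        list[n++] = __NR_execveat;
#endif
    }
    for (size_t i = 0; out && i < n && i < cap; i++) out[i] = list[i];
    return n;
}

/* Emit the BPF program into `insns`; returns the instruction count, or 0
   if `cap` is too small. Layout: arch check, load nr, one (JEQ, RET ERRNO)
   pair per denied syscall, final RET ALLOW. */
size_t build_filter(struct sock_filter *insns, size_t cap, int allow_spawn)
{
    int denied[8];
    size_t k = denied_syscalls(allow_spawn, denied, 8);
    size_t need = 5 + 2 * k;
    size_t n = 0;
    if (cap < need) return 0;
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    insns[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0);
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < k; i++) {
        /* jt=0: fall into the RET ERRNO below; jf=1: skip it. */
        insns[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)denied[i], 0, 1);
        insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    }
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

/* Install the filter in the calling thread; 0 on success, -1 with errno set.
   PR_SET_NO_NEW_PRIVS is what lets an unprivileged process install it. */
int install_filter(int allow_spawn)
{
    struct sock_filter insns[MAX_INSNS];
    size_t n = build_filter(insns, MAX_INSNS, allow_spawn);
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    if (n == 0) { errno = ENOMEM; return -1; }
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* The complementary opt-out: a non-dumpable process refuses ptrace attach
   from other same-uid processes. Returns the resulting dumpable flag (0). */
int disable_ptrace_attach(void)
{
    if (prctl(PR_SET_DUMPABLE, 0) != 0) return -1;
    return prctl(PR_GET_DUMPABLE);
}

int main(void)
{
    if (disable_ptrace_attach() != 0) perror("PR_SET_DUMPABLE");
    if (install_filter(0) != 0) { perror("seccomp install"); return 1; }
    /* Both calls are now refused by the filter before the kernel runs them. */
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        printf("ptrace denied: %s\n", strerror(errno));
    pid_t pid = fork();
    if (pid == -1) printf("fork denied: %s\n", strerror(errno));
    else if (pid == 0) _exit(0);
    return 0;
}
```

Two points worth knowing when adapting this: the filter is per-thread and inherited across fork/exec, so it must be installed before any thread that needs protection exists, and clearing the dumpable flag also changes ownership of the process's `/proc/<pid>` entries and disables core dumps, which affects crash reporting.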
Bug 641685 will indeed remove spawning plugin processes from content processes.
Flags: needinfo?(jschoenick)
And "nested content processes" are created by the parent (or Nuwa), not by the process that's their logical parent. So there's nothing left to do here.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX