Bug 940863 - Should we expose access to TmpD to child processes over IPC?
Opened 12 years ago; closed 11 years ago
Component: Core :: Security: Process Sandboxing (defect)
Status: RESOLVED FIXED
Reporter: jld, Assigned: jld
There are a bunch of things that try to open or create temporary files in content processes: MediaCache, the profiler, memory reporting, the file upload form element tests, and possibly more that we haven't tripped over yet.
One possibility, which I'd been wondering about and which was also suggested in bug 906996 comment 9 by roc, is to make the directory service resolve TmpD to a special nsIFile subclass that remotes access through the parent, like what PRemoteOpenFile currently does for certain read-only files (although we may want to remote the write operations instead of passing back a file descriptor, to be able to impose space usage limits, for example).
The advantage is that this "fixes" everything without having to make potentially invasive per-subsystem changes. The disadvantage is that this kind of general facility could allow an attacker to do things they might not be able to do with more specialized IPC interfaces. (On the other hand, it would be just one IPC interface to audit instead of N.)
The other end of the spectrum would be to design a higher-level IPC interface for each temporary file user, and (effectively) move more of its file I/O code into the parent. More work, but it might make the security people happier.
There may also be a meaningful intermediate solution to be had.
Updated 12 years ago
Assignee: nobody → stephouillon
Comment 1 • 11 years ago
The answer to the question this bug asks might be “no”. NS_OpenAnonymousTemporaryFile (bug 965724) can just be remoted opaquely, the memory reporting is already remoted with the parent opening the file, and I think the same thing can be done with the profiler.
I *think* that just leaves some SpecialPowers stuff in the test suite, which isn't worth increasing the attack surface for (or could maybe be enabled only if tests are running; or maybe there's already something for letting tests elevate privileges like that).
Comment 2 • 11 years ago
Move process sandboxing bugs to the new Bugzilla component.
(Sorry for the bugspam; filter on 3c21328c-8cfb-4819-9d88-f6e965067350.)
Component: Security → Security: Process Sandboxing
Comment 3 • 11 years ago
(In reply to Jed Davis [:jld] from comment #1)
> The answer to the question this bug asks might be “no”.
It is. NS_OpenAnonymousTemporaryFile should handle the remaining non-test use cases (except the profiler, but there are plans for that), and tests can use SpecialPowers itself to run arbitrary code in the parent process.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
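As an added illustration of the pattern this bug settles on (a constructed model, not Gecko code): the parent brokers an anonymous temporary file for the child instead of exposing TmpD, so the child never sees a path, and writes are remoted through the parent so a per-child space quota can be enforced, as the description suggests. The class name, handle scheme and quota are assumptions for the example.

```python
import os
import tempfile


class AnonymousTempFileBroker:
    """Parent-side model of remoting temp-file access to a sandboxed child.

    The child never learns a path under TmpD: the parent creates the file,
    unlinks it immediately (so it is anonymous), keeps the descriptor and
    hands back only an opaque integer handle.  Writes go through the parent,
    which lets it enforce a per-child byte quota.  Constructed example only.
    """

    def __init__(self, quota_bytes):
        self.quota_bytes = quota_bytes
        self.used = {}       # child_id -> bytes written across all its files
        self.files = {}      # (child_id, handle) -> open file object
        self.next_handle = 0

    def open_anonymous(self, child_id):
        fd, path = tempfile.mkstemp(prefix="broker-")
        os.unlink(path)      # anonymous: no directory entry survives
        handle = self.next_handle
        self.next_handle += 1
        self.files[(child_id, handle)] = os.fdopen(fd, "w+b")
        self.used.setdefault(child_id, 0)
        return handle

    def _lookup(self, child_id, handle):
        # A handle is only valid for the child it was issued to.
        f = self.files.get((child_id, handle))
        if f is None:
            raise PermissionError("handle not owned by this child")
        return f

    def write(self, child_id, handle, data):
        f = self._lookup(child_id, handle)
        if self.used[child_id] + len(data) > self.quota_bytes:
            raise OSError("quota exceeded for child %r" % child_id)
        f.write(data)
        self.used[child_id] += len(data)
        return len(data)

    def read_back(self, child_id, handle):
        f = self._lookup(child_id, handle)
        f.seek(0)
        return f.read()

    def close(self, child_id, handle):
        f = self.files.pop((child_id, handle), None)
        if f is not None:
            f.close()
```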
Updated 11 years ago
Assignee: stephouillon → jld