Closed Bug 967967 Opened 10 years ago Closed 10 years ago

Children of Nuwa are being sandboxed twice and crashing.

Categories: Core :: IPC, defect
Platform: ARM, Gonk (Firefox OS)
Priority: Not set
Severity: normal

Tracking: RESOLVED FIXED, mozilla30, blocking-b2g 1.3+
Tracking Status:
firefox28 --- wontfix
firefox29 --- wontfix
firefox30 --- fixed
b2g-v1.3 --- fixed
b2g-v1.4 --- fixed

People: Reporter: jld, Assigned: jld
Attachments: 1 file

Currently seccomp sandboxing is broken with Nuwa, because the content process is created in a preallocated-like state through ContentParent::RecvAddNewProcess, which sets mOSPrivileges to PRIVILEGES_DEFAULT (meaning unprivileged).  However, the grandchild process still has uid/gid 0 at this point, and it is later sent a SetProcessPrivileges to drop privileges.  This combines with the fix for bug 921817 to make the process sandbox itself before dropping permissions, which violates the sandbox (setuid and setgid aren't on the whitelist).

So I think the ContentParent should be constructed with mOSPrivileges == PRIVILEGES_INHERIT (meaning the parent process's privilege level) instead.  I tested this, and the content processes are still correctly deprivileged — the final privileges are obtained from PrivilegesForApp and passed to MaybeTakePreallocatedAppProcess, in CreateBrowserOrApp.

I'll attach the one-line patch once this bug has a number.

I notice that we don't ever update mOSPrivileges, and nothing else seems to use its value.  It's not entirely clear from bug 782456 what the intent behind it was.

(In reply to Jed Davis [:jld] from comment #1)
> Created attachment 8370486 [details] [diff] [review]
> bug967967-sandbox-nuwa-fix-hg0.diff

I applied that change to B2G/gecko/dom/ipc/ContentParent.cpp.  Phone now boots.  But there is no keyboard in any app.

Blocks: Nuwa

(In reply to Worik Stanton from comment #3)
> (In reply to Jed Davis [:jld] from comment #1)
> > Created attachment 8370486 [details] [diff] [review]
> > bug967967-sandbox-nuwa-fix-hg0.diff
> 
> I applied that change to B2G/gecko/dom/ipc/ContentParent.cpp.  Phone now
> boots.  But there is no keyboard in any app.

The keyboard issue is a separate problem being tracked elsewhere in a different bug.

What device did you test this on?

Attachment #8370486 - Flags: review?(bent.mozilla) → review+

Can we consider this for approval on b2g28? This will unblock Keon testing with Nuwa enabled on b2g28, so this would be really helpful to get on that branch when Nuwa gets uplifted. We have many l10n testers reliant on Keons working for localization testing, so I'd rather not block them in their testing here when Nuwa gets enabled on 1.3.

blocking-b2g: --- → 1.3?
blocking-b2g: 1.3? → 1.3+

(In reply to Jason Smith [:jsmith] from comment #4)
> (In reply to Worik Stanton from comment #3)
> > (In reply to Jed Davis [:jld] from comment #1)
> > > Created attachment 8370486 [details] [diff] [review]
> > > bug967967-sandbox-nuwa-fix-hg0.diff
> > 
> > I applied that change to B2G/gecko/dom/ipc/ContentParent.cpp.  Phone now
> > boots.  But there is no keyboard in any app.
> 
> The keyboard issue is a separate problem being tracked elsewhere in a
> different bug.
> 
> What device did you test this on?

Excuse me.  On a Keon.

https://hg.mozilla.org/mozilla-central/rev/b8e0889a9454

Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30