Closed
Bug 969559
Opened 11 years ago
Closed 11 years ago
Set delayed restricted integrity in child process to block off pipe and file access after LowerToken call
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED
FIXED
mozilla30
People
(Reporter: bbondy, Assigned: bbondy)
References
Details
Attachments
(1 file, 1 obsolete file)
|
12.25 KB,
patch
|
bugzilla
:
review+
|
Details | Diff | Splinter Review |
We need to set the delayed integrity token to restricted.
Then we need to move the LowerToken call to after the initial pipes are setup.
After this, no new pipes or files can be created.
---
I'm also creating a new call in the sandbox broker in this bug for:
AllowPipe(const wchar_t *aPath)
This allows creation of a pipe path, but does not seem to help when connecting to one. That being said this function isn't currently used, but it should remain for future use.
|
Assignee | |
Comment 1•11 years ago
|
||
This review is only for the xpcom def changes and the toolkit/xre change.
I'll pass this patch through cpeterson after your review as well for the rest.
Basically the sandbox lib needs to be linked directly to the sandboxed exe, but I need a call to LowerToken from within something from something detected in xul.dll. So I pass a function pointer up to call when needed for enabling the sandbox.
The sandbox can't be enabled too early because we need pipes connected first.
Attachment #8372505 -
Flags: review?(benjamin)
|
||
Comment 2•11 years ago
|
||
Comment on attachment 8372505 [details] [diff] [review]
Patch rev1
>diff --git a/toolkit/xre/nsEmbedFunctions.cpp b/toolkit/xre/nsEmbedFunctions.cpp
>+void(*geckoChildProcessCreated)();
This is a variable, it should be named "gGeckoChildProcessCreatedCallback" or something to make it clear. Although see more general API comments below.
>diff --git a/xpcom/build/nsXULAppAPI.h b/xpcom/build/nsXULAppAPI.h
>+XRE_API(nsresult,
>+ XRE_InitChildProcessCallback, (int aArgc,
>+ char* aArgv[],
>+ GeckoProcessType aProcess,
>+ void(*GeckoChildProcessCreated)()))
This is very under-documented, and in particular "GeckoChildProcessCreated" is a weird name for this: I would have expected this API to do initialization, call the callback, and then start the event loop, but that's not what it does. This callback is something specific to launching the sandbox, right?
As I understand it, this has to be a callback because the sandbox code has to live in the child container (plugin-runtime.exe) but the code which calls it has to live in libxul.so. Is that correct? If so, can we just make this an API to set/get a specific function pointer and not modify XRE_InitChildProcess at all?
Style: the function pointer is hard to read. Please use a typedef (or just use PRFuncPtr) to make this easier to read.
Also I hate that any of this lives in nsXULAppAPI since it is very specific to our content-process code. It should really live in a private header.
Attachment #8372505 -
Flags: review?(benjamin) → review-
|
|
Assignee | |
Comment 3•11 years ago
|
||
(In reply to Benjamin Smedberg [:bsmedberg] from comment #2)
> Comment on attachment 8372505 [details] [diff] [review]
> Patch rev1
>
> >diff --git a/toolkit/xre/nsEmbedFunctions.cpp b/toolkit/xre/nsEmbedFunctions.cpp
>
> This callback is something specific to launching the
> sandbox, right?
Yep I'll name it better.
> As I understand it, this has to be a callback because the sandbox code has
> to live in the child container (plugin-runtime.exe) but the code which calls
> it has to live in libxul.so. Is that correct?
Yes.
> If so, can we just make this
> an API to set/get a specific function pointer and not modify
> XRE_InitChildProcess at all?
Yep, I can do that instead.
> Style: the function pointer is hard to read. Please use a typedef (or just
> use PRFuncPtr) to make this easier to read.
No problem,will do.
> Also I hate that any of this lives in nsXULAppAPI since it is very specific
> to our content-process code. It should really live in a private header.
Will do, thanks for the feedback.
|
|
Assignee | |
Comment 4•11 years ago
|
||
Created a new sandboxTarget.h file which contains a singleton. It is class imported into the exe and exported from xul.dll. It allows setting a function pointer from the exe and then later calling it when ready in the dll. Note: The singleton instance is shared between both modules.
Attachment #8372505 -
Attachment is obsolete: true
Attachment #8374959 -
Flags: review?(cpeterson)
|
||
Comment 5•11 years ago
|
||
Comment on attachment 8374959 [details] [diff] [review]
Patch rev2
Review of attachment 8374959 [details] [diff] [review]:
-----------------------------------------------------------------
I am definitely not the right person to review this code. <:)
::: security/sandbox/win/src/sandboxtarget/sandboxTarget.h
@@ +39,5 @@
> + mStartSandboxCallback = aStartSandboxCallback;
> + }
> +
> + /**
> + * Called by the library that wants to start the sandbox, wich in turns
s/wich/which/
Attachment #8374959 -
Flags: review?(cpeterson)
|
|
Assignee | |
Updated•11 years ago
|
Attachment #8374959 -
Flags: review?(aklotz)
|
||
Comment 6•11 years ago
|
||
Comment on attachment 8374959 [details] [diff] [review]
Patch rev2
Review of attachment 8374959 [details] [diff] [review]:
-----------------------------------------------------------------
::: security/sandbox/win/src/sandboxtarget/sandboxTarget.h
@@ +39,5 @@
> + mStartSandboxCallback = aStartSandboxCallback;
> + }
> +
> + /**
> + * Called by the library that wants to start the sandbox, wich in turns
s/turns/turn/
Attachment #8374959 -
Flags: review?(aklotz) → review+
|
|
Assignee | |
Comment 7•11 years ago
|
||
Target Milestone: --- → mozilla30
|
||
Comment 8•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
||
Comment 9•11 years ago
|
||
Comment on attachment 8374959 [details] [diff] [review]
Patch rev2
Review of attachment 8374959 [details] [diff] [review]:
-----------------------------------------------------------------
::: dom/ipc/ContentChild.cpp
@@ +582,5 @@
> +
> +#if defined(MOZ_CONTENT_SANDBOX)
> +#if defined(XP_WIN)
> + mozilla::SandboxTarget::Instance()->StartSandbox();
> +#else if defined(XP_UNIX) && !defined(XP_MACOSX)
Slight typo here: should be #elif. This is treated as #else; the rest of the line is discarded.
Using --enable-warnings-as-errors seems to catch this, at least with GCC, but only if --enable-content-sandbox is also set to turn on the surrounding #if, and nothing on TBPL has both of those.
At the moment it's not burning the tree, and I have a patch in progress that changes these ifdefs (and so will fix this as a side-effect), but I wanted to mention it here in case it's relevant for uplifts or anything like that.
|
|
Assignee | |
Comment 10•11 years ago
|
||
Thanks Jed!
You need to log in
before you can comment on or make changes to this bug.
Description
•