Consider removing the security.turn_off_all_security_so_that_viruses_can_take_over_this_computer pref
Categories
(Core :: XPConnect, defect)
Tracking
()
People
(Reporter: jandem, Unassigned)
References
(Depends on 1 open bug)
Details
(Keywords: sec-audit)
Attachments
(1 file, 1 obsolete file)
Updated•11 years ago
|
Comment 2•11 years ago
|
||
Comment 3•11 years ago
|
||
Comment 4•11 years ago
|
||
Updated•10 years ago
|
Comment 6•10 years ago
|
||
Comment 8•10 years ago
|
||
Comment 9•10 years ago
|
||
Comment 10•10 years ago
|
||
Comment 11•10 years ago
|
||
Comment 12•10 years ago
|
||
Comment 13•10 years ago
|
||
Comment 14•10 years ago
|
||
Comment 15•10 years ago
|
||
Comment 16•10 years ago
|
||
Comment 17•10 years ago
|
||
Comment 18•10 years ago
|
||
Comment 19•10 years ago
|
||
Comment 20•10 years ago
|
||
Comment 21•10 years ago
|
||
Updated•10 years ago
|
Comment 22•10 years ago
|
||
Comment 23•10 years ago
|
||
Comment 24•10 years ago
|
||
Comment 25•10 years ago
|
||
Comment 26•10 years ago
|
||
Comment 27•10 years ago
|
||
Comment 28•10 years ago
|
||
Updated•5 years ago
|
Comment 29•4 years ago
|
||
I killed enablePrivilege (bug 1448967) and forcePermissiveCOWs (bug 1481640), but now IsInAutomation usage proliferates all over the tree to implement test-only danger features ☹
Comment 30•4 years ago
|
||
(In reply to Masatoshi Kimura [:emk] from comment #29)
I killed enablePrivilege (bug 1448967) and forcePermissiveCOWs (bug 1481640),
Awesome work!
but now IsInAutomation usage proliferates all over the tree to implement test-only danger features ☹
Indeed! I didn't realize how many people had started using it. That said, a cursory glance suggests that a lot of the use-cases are just about behaving differently under testing, rather than doing something directly unsafe. Would be worth looking through the list more carefully and identifying any cases that look particularly dangerous.
Comment 31•4 years ago
|
||
I think the following usages are particularly unsafe.
- Enables unsigned add-ons, WebExtensions experiments, and add-on sideloading:
https://searchfox.org/mozilla-central/rev/559b25eb41c1cbffcb90a34e008b8288312fcd25/toolkit/mozapps/extensions/internal/AddonSettings.jsm#38
https://searchfox.org/mozilla-central/rev/559b25eb41c1cbffcb90a34e008b8288312fcd25/toolkit/mozapps/extensions/internal/AddonSettings.jsm#92
https://searchfox.org/mozilla-central/rev/559b25eb41c1cbffcb90a34e008b8288312fcd25/toolkit/mozapps/extensions/internal/AddonSettings.jsm#112 - Allows loading untrusted URLs in parent process:
https://searchfox.org/mozilla-central/rev/559b25eb41c1cbffcb90a34e008b8288312fcd25/docshell/base/nsDocShell.cpp#8962
"security.allow_unsafe_parent_loads" was added by bug 1560178 that is security confidential.
Comment 32•4 years ago
|
||
(In reply to Masatoshi Kimura [:emk] from comment #31)
I think the following usages are particularly unsafe.
- Enables unsigned add-ons, WebExtensions experiments, and add-on sideloading:
Not so worried about these. The threat model here is that an attacker has limited ability to flip some bits in memory. If they're in the position to position a malicious addon to be loaded by Firefox, we've probably lost anyway.
- Allows loading untrusted URLs in parent process:
https://searchfox.org/mozilla-central/rev/559b25eb41c1cbffcb90a34e008b8288312fcd25/docshell/base/nsDocShell.cpp#8962
This seems like it could more-plausibly be used as part of a sandbox escape. Gijs, how easy would it be to get rid of this?
Comment 33•4 years ago
•
|
||
(In reply to Bobby Holley (:bholley) from comment #32)
(In reply to Masatoshi Kimura [:emk] from comment #31)
I think the following usages are particularly unsafe.
- Enables unsigned add-ons, WebExtensions experiments, and add-on sideloading:
Not so worried about these. The threat model here is that an attacker has limited ability to flip some bits in memory. If they're in the position to position a malicious addon to be loaded by Firefox, we've probably lost anyway.
- Allows loading untrusted URLs in parent process:
https://searchfox.org/mozilla-central/rev/559b25eb41c1cbffcb90a34e008b8288312fcd25/docshell/base/nsDocShell.cpp#8962This seems like it could more-plausibly be used as part of a sandbox escape. Gijs, how easy would it be to get rid of this?
It would require fixing all the tests that flip security.allow_unsafe_parent_loads
. It's not impossible, though some of those are tedious. Relevant bugs:
bug 1565545
bug 1565276
bug 1565279
Though it looks like we might need some more.
I'm not sure how easy this is for webextension code. My understanding is that we're running some tests with parent-process loads in part to verify that we're not breaking the webextensions code if they run in the parent process, because that is how things work in Fenix. Given e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1626349 , I don't know how hard it is to stop doing that, or what test coverage we lose if we stop running the specific tests that flip these prefs in the parent process configuration.
Comment 34•4 years ago
|
||
(In reply to :Gijs (he/him) from comment #33)
It would require fixing all the tests that flip
security.allow_unsafe_parent_loads
. It's not impossible, though some of those are tedious. Relevant bugs:bug 1565545
bug 1565276
bug 1565279Though it looks like we might need some more.
I'm not sure how easy this is for webextension code. My understanding is that we're running some tests with parent-process loads in part to verify that we're not breaking the webextensions code if they run in the parent process, because that is how things work in Fenix. Given e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1626349 , I don't know how hard it is to stop doing that, or what test coverage we lose if we stop running the specific tests that flip these prefs in the parent process configuration.
Shane, do you know what the state of the webextension tests here is?
Comment 35•4 years ago
|
||
I just added a patch to remove allow_unsafe_parent_loads in the few places it's used in extensions. There is still a mozaddonmanager api test, as well as tests in devtools. Probably best to ping others for those. I'll see if I can dig into the AOM api issue.
Updated•2 years ago
|
Description
•