Security/Sandbox/Process model: Difference between revisions

No edit summary
(list all process types)
= Sandbox Architecture =
Multi-process Firefox employs a process sandbox to protect against malicious content. In this model, untrusted content is run in a sandboxed low-rights process so that in the event of a compromise, access to full system functionality and data is prevented by a sandbox. This document aims to provide an overview of the sandbox implementation and outline the design implications for Gecko features.
== Process Model ==
For sandboxing to be an effective security control, Firefox is split into parent and child processes, such that the child processes responsible for running untrusted content can be restricted to limit damage in the event of compromise. The [https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Multiprocess_Firefox Electrolysis project] enabled moving parsing and execution of web content to a content process, and sandboxing is based on this process model. In general a child process is untrusted and is intended to run remote content. Each child process has a sandbox that prevents access to all but the necessary system resources. The main focus of the sandbox project is the child processes called "Web Content processes", the processes which parse and execute web content. However, Firefox currently also makes use of several other types of sandboxed child process, and more are planned for future improvement. Below is a description of the various processes used in Firefox.
The types of child process are defined in [https://searchfox.org/mozilla-central/source/xpcom/build/GeckoProcessTypes.h GeckoProcessTypes.h]:
*Default: The main Firefox process, which runs without a sandbox at full user privileges
*Plugin: Used for running Flash content on some platforms
*Content: Used to run web content of various types. There are different remote types of content process (defined [https://searchfox.org/mozilla-central/source/dom/ipc/ContentParent.h#50 here]), including the following sub-types:
** Web Content Processes: used for loading remote web content
** File Content Process: used for loading web content hosted on file:// URIs
** Privileged Content Process: loads privileged content
** Web Extension Content Process
* IPDLUnitTest
* GMPlugin: for loading DRM media in a highly sandboxed process
* GPU (or Compositor) process: does compositing and talks to GPU hardware
* VR: process which talks to VR hardware
* RDD: Remote Data Decoder process, used to decode media in a separate process
* Socket: used for loading network data
* RemoteSandboxBroker: part of the Chromium sandbox mechanism (? TBC)


=== Chrome process (Parent) ===
The Chrome (or "parent", "main" or "master") process - named for where the browser's "chrome" or UI is run - is the trusted process which controls interaction with the underlying operating system. The parent process is not sandboxed and has regular access to the operating system in order to access files, devices and network resources as part of regular browser use. As such, this process should only ever run trusted code - all untrusted web content should be processed in a child process. The parent acts as a broker for privileged resource requests from the various child processes, mediating access to OS resources. The checks which the parent applies prior to granting access to a resource are a critical part of the sandbox model: otherwise the child could simply ask the parent for a sensitive resource and bypass any sandbox restrictions.
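The following is an added illustration of the parent-side broker check described above; it is not Gecko's code. The process types, the allow-list and the path prefixes are constructed for the example, and a real broker would additionally resolve symlinks and open files itself rather than trusting lexical normalisation alone.

```cpp
// Added example (not Gecko code): a minimal model of the parent-side broker
// check. The policy table below is constructed for illustration.
#include <filesystem>
#include <map>
#include <string>
#include <vector>

enum class ProcessType { Content, FileContent, GMPlugin };
enum class Access { Read, Write };

struct Rule { std::string prefix; Access access; };

// Hypothetical per-process-type allow-list. Prefixes end with '/' so that
// "/tmp/firefox-cache/" cannot also match "/tmp/firefox-cache2".
// A Write rule implies Read for the same prefix.
static const std::map<ProcessType, std::vector<Rule>> kPolicy = {
  {ProcessType::Content,     {{"/tmp/firefox-cache/", Access::Write}}},
  {ProcessType::FileContent, {{"/tmp/firefox-cache/", Access::Write},
                              {"/home/user/Documents/", Access::Read}}},
  {ProcessType::GMPlugin,    {}},  // DRM process: no brokered file access at all
};

// The parent decides based on its own policy, never on what the child claims.
// The requested path is normalised lexically so "..", "." and repeated
// separators cannot escape an allowed prefix; anything not explicitly
// allowed is denied.
bool BrokerAllows(ProcessType type, const std::string& requested, Access access) {
  std::filesystem::path p = std::filesystem::path(requested).lexically_normal();
  if (!p.is_absolute()) return false;            // relative paths are ambiguous
  const std::string norm = p.generic_string();

  auto it = kPolicy.find(type);
  if (it == kPolicy.end()) return false;         // unknown process type: deny

  for (const Rule& r : it->second) {
    bool prefixOk = norm.compare(0, r.prefix.size(), r.prefix) == 0;
    bool accessOk = (access == Access::Read) || (r.access == Access::Write);
    if (prefixOk && accessOk) return true;
  }
  return false;                                  // deny by default
}
```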


== Firefox Content Processes ==
These processes are instances of firefox.exe with the -content-proc flag set.


===Web Content Processes ===
* No access to dangerous APIs &  syscalls which could compromise system integrity  
* Mediated access to system resources


=== File (File://) Content Process ===
Note that the reverse is not forbidden: content loaded from file:// is permitted to load remote web content.  


=== Privileged Content Process ===
about:newtab is loaded in a separate content process.


=== GPU Process ===
=== WebExtension Process ===
This is similar to the web content process, except that the content that is run here is the background pages of Web Extensions. The sandbox restrictions are the same as for Web Content, but there are many more APIs exposed to this process, to allow for Web Extensions to function.


== Plugin Content Process ==  