Security/Sandbox: Difference between revisions

Remove Flash information and outdated Console.app details.
(I work on this!)
(76 intermediate revisions by 8 users not shown)
Line 3: Line 3:
[[File:550px-Sandboxing_basic_architecture.png|frameless|550px]]
[[File:550px-Sandboxing_basic_architecture.png|frameless|550px]]


Security Sandboxing makes use of [https://en.wikipedia.org/wiki/Child_process child processes] as a security boundary. The process model, i.e. how Firefox is split into various processes and how these processes interact between each other is common to all platforms. For more information see the [[Electrolysis]] wiki page. The security aspects of a sandboxed child process are implemented on a per-platform basis. See the Platform Specifics section below for more information.
Security Sandboxing makes use of [https://en.wikipedia.org/wiki/Child_process child processes] as a security boundary. The process model, i.e. how Firefox is split into various processes and how these processes interact between each other is common to all platforms. For more information see the [[Electrolysis]] wiki page, and its sucessor, [[Project Fission]]. The security aspects of a sandboxed child process are implemented on a per-platform basis. See the Platform Specifics section below for more information.


== Technical Docs ==
== Technical Docs ==


[https://wiki.mozilla.org/Security/Sandbox/Specifics Platform Specifics]
* [https://wiki.mozilla.org/Security/Sandbox/Specifics Platform Specifics]
* [https://wiki.mozilla.org/Security/Sandbox/Deny_Filesystem_Access File Restrictions Bug Research]
* [https://wiki.mozilla.org/Security/Sandbox/Hardening Hardening Research]
* [https://wiki.mozilla.org/Security/Sandbox/Process_model Process Model]


= Current Status =
= Current Status =
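Review bot: "sucessor" in the revised intro paragraph should read "successor"; otherwise the paragraph and the new bulleted Technical Docs list read fine.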
Line 26: Line 29:
|-
|-
|colspan="1"|[https://dxr.mozilla.org/mozilla-central/search?q=SandboxBroker%3A%3ASetSecurityLevelForContentProcess&redirect=true&case=true Windows (content)]
|colspan="1"|[https://dxr.mozilla.org/mozilla-central/search?q=SandboxBroker%3A%3ASetSecurityLevelForContentProcess&redirect=true&case=true Windows (content)]
|style='text-align:center;' colspan="2"|Level 3
|style='text-align:center;' colspan="2"|Level 6
|style='text-align:center;' colspan="1"|Level 1
|style='text-align:center;' colspan="1"|Level 6
|style='text-align:center;' colspan="1"|Fx50
|style='text-align:center;' colspan="1"|Fx76
|style='text-align:center;' colspan="1"|Level 1
|style='text-align:center;' colspan="1"|Level 6
|style='text-align:center;' colspan="1"|Fx50
|style='text-align:center;' colspan="1"|Fx76
|-
|-
|colspan="1"| [https://dxr.mozilla.org/mozilla-central/search?q=SetSecurityLevelForGPUProcess&redirect=true Windows (compositor)]
|colspan="1"| [https://dxr.mozilla.org/mozilla-central/search?q=SetSecurityLevelForGPUProcess&redirect=true Windows (compositor)]
|style='text-align:center;' colspan="2"|Level 0 [1]
|style='text-align:center;' colspan="2"|Level 1
|style='text-align:center;' colspan="1"|
|style='text-align:center;' colspan="1"|Level 1
|style='text-align:center;' colspan="1"|
|style='text-align:center;' colspan="1"|
|style='text-align:center;' colspan="1"|
|style='text-align:center;' colspan="1"|Level 1
|style='text-align:center;' colspan="1"|
|style='text-align:center;' colspan="1"|
|-
|-
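Review bot: the Windows (compositor) row now reads "Level 1" in every channel column but the version cells beside each one stay empty, unlike the content row, which pairs "Level 6" with "Fx76". Either fill in the Firefox version the compositor sandbox shipped in or, if it is still blocked on bug 1347710 as the Roadmap section on this same page says ("Stalled on non-reproducible field issues"), qualify the cell rather than dropping the old "[1]" footnote marker silently.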
Line 44: Line 47:
|style='text-align:center;' colspan="2"|enabled
|style='text-align:center;' colspan="2"|enabled
|-
|-
| [https://dxr.mozilla.org/mozilla-central/search?q=SandboxBroker%3A%3ASetSecurityLevelForPluginProcess&redirect=true&case=true Windows 64bit (NPAPI Plugin)]
|colspan="1"|[https://searchfox.org/mozilla-central/search?q=symbol:_ZN7mozilla21AbstractSandboxBroker32SetSecurityLevelForSocketProcessEv&redirect=false Windows (Socket)]
|style='text-align:center;' colspan="2"|Level 1
|style='text-align:center;' colspan="1"|Level 1
|style='text-align:center;' colspan="1"|Fx75
|style='text-align:center;' colspan="1"|Level 1
|style='text-align:center;' colspan="1"|Fx75
|-
| [https://searchfox.org/mozilla-central/source/security/sandbox/mac/SandboxPolicyContent.h OSX (content)]
|style='text-align:center;' colspan="2"|Level 3
|style='text-align:center;' colspan="1"|Level 3
|style='text-align:center;' colspan="1"|Fx56
|style='text-align:center;' colspan="1"|Level 3
|style='text-align:center;' colspan="1"|Fx56
|-
| [https://searchfox.org/mozilla-central/source/security/sandbox/mac/SandboxPolicyGMP.h OSX (GMP)]
|style='text-align:center;' colspan="2"|enabled
|style='text-align:center;' colspan="2"|enabled
|style='text-align:center;' colspan="2"|enabled
|style='text-align:center;' colspan="2"|enabled
|style='text-align:center;' colspan="2"|enabled
|style='text-align:center;' colspan="2"|enabled
|-
|-
| [https://dxr.mozilla.org/mozilla-central/source/security/sandbox/mac/SandboxPolicies.h OSX (content)]
| [https://searchfox.org/mozilla-central/source/security/sandbox/mac/SandboxPolicyUtility.h OSX (RDD)]
|style='text-align:center;' colspan="2"|Level 3
|style='text-align:center;' colspan="2"|enabled
|style='text-align:center;' colspan="1"|Level 1
|style='text-align:center;' colspan="1"|Fx52
|style='text-align:center;' colspan="1"|Level 1
|style='text-align:center;' colspan="1"|Fx52
|-
| [https://dxr.mozilla.org/mozilla-central/source/security/sandbox/mac/SandboxPolicies.h OSX (GMP)]
|style='text-align:center;' colspan="2"|enabled
|style='text-align:center;' colspan="2"|enabled
|style='text-align:center;' colspan="2"|enabled
|style='text-align:center;' colspan="2"|enabled
|-
| [https://searchfox.org/mozilla-central/source/security/sandbox/mac/SandboxPolicySocket.h OSX (Socket)]
|style='text-align:center;' colspan="2"|enabled
|style='text-align:center;' colspan="2"|enabled
|style='text-align:center;' colspan="2"|disabled
|style='text-align:center;' colspan="2"|disabled
|-
|-
| [https://dxr.mozilla.org/mozilla-central/search?q=class+ContentSandboxPolicy&redirect=true&case=true Linux (content)]
| [https://dxr.mozilla.org/mozilla-central/search?q=class+ContentSandboxPolicy&redirect=true&case=true Linux (content)]
|style='text-align:center;' colspan="2"|Level 3
|style='text-align:center;' colspan="2"|Level 4
|style='text-align:center;' colspan="1"|Level 2
|style='text-align:center;' colspan="1"|Level 4
|style='text-align:center;' colspan="1"| Fx54
|style='text-align:center;' colspan="1"| Fx60
|style='text-align:center;' colspan="1"|Level 2
|style='text-align:center;' colspan="1"|Level 4
|style='text-align:center;' colspan="1"| Fx54
|style='text-align:center;' colspan="1"| Fx60
|-
|-
| [https://dxr.mozilla.org/mozilla-central/search?q=class+GMPSandboxPolicy&redirect=true&case=true Linux (GMP)]
| [https://dxr.mozilla.org/mozilla-central/search?q=class+GMPSandboxPolicy&redirect=true&case=true Linux (GMP)]
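Review bot: the new "OSX (RDD)" row replaces the old "OSX (content)" row but keeps that row's unchanged trailing cells ("Level 1", "Fx52", "Level 1", "Fx52"). RDD is shown as "enabled" rather than leveled, and the Fx52 rollout figure belongs to the old content-process row, so those four cells should be cleared or replaced with the RDD values. The same table uses "Level 1 / Fx75" for "Windows (Socket)" but "enabled / disabled" for "OSX (Socket)"; pick one convention per row type so the columns stay comparable.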
Line 75: Line 90:


A 'level' value reflects unique sandbox security settings for each platform and process. Most processes only have two "active" levels, the current setting and a lower (previous released) setting. Level settings other than these two values carry no guarantee of altering security behavior, level settings are primarily a release rollout debugging feature.
A 'level' value reflects unique sandbox security settings for each platform and process. Most processes only have two "active" levels, the current setting and a lower (previous released) setting. Level settings other than these two values carry no guarantee of altering security behavior, level settings are primarily a release rollout debugging feature.
DEPRECATION WARNING - The current level system will be replaced by a configuration system that allows for more fine grain control over sandbox settings. Current target for this change is Firefox 57.
[1] Level 1 available but disabled due to various regressions, see {{bug|1347710}}


== Windows ==
== Windows ==
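Review bot: comma splice in the level paragraph: "carry no guarantee of altering security behavior, level settings are primarily a release rollout debugging feature" needs a semicolon or "and". Dropping the Firefox 57 DEPRECATION WARNING and the "[1]" footnote is consistent with the status table above no longer citing "[1]".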
Line 88: Line 99:
{| class="wikitable"
{| class="wikitable"
|-
|-
! Sandbox Feature !! Level 0 !! Level 1 !! Level 2
! Sandbox Feature !! Level 5 !! Level 6 (default)
|-
|-
| Job Level || JOB_NONE || JOB_NONE || JOB_INTERACTIVE
| Job Level || JOB_LOCKDOWN || JOB_LOCKDOWN
|-
|-
| Access Token Level || USER_NON_ADMIN || USER_NON_ADMIN || USER_INTERACTIVE
| Access Token Level || USER_LIMITED || USER_LIMITED
|-
|-
| Alternate Desktop || no || no || no
| Alternate Desktop || YES || YES
|-
|-
| Alternate Windows Station || no || no || no
| Alternate Windows Station || YES || YES
|-
|-
| Initial Integrity Level || INTEGRITY_LEVEL_MEDIUM || INTEGRITY_LEVEL_LOW || INTEGRITY_LEVEL_LOW
| Initial Integrity Level || INTEGRITY_LEVEL_LOW || INTEGRITY_LEVEL_LOW
|-
|-
| Delayed Integrity Level || INTEGRITY_LEVEL_MEDIUM || INTEGRITY_LEVEL_LOW || INTEGRITY_LEVEL_LOW
| Delayed Integrity Level || INTEGRITY_LEVEL_LOW || INTEGRITY_LEVEL_LOW
|-
|-
| Mitigations || None ||
| Mitigations  
||
MITIGATION_BOTTOM_UP_ASLR<br>
MITIGATION_BOTTOM_UP_ASLR<br>
MITIGATION_HEAP_TERMINATE<br>
MITIGATION_HEAP_TERMINATE<br>
MITIGATION_SEHOP<br>
MITIGATION_SEHOP<br>
MITIGATION_DEP_NO_ATL_THUNK<br>
MITIGATION_DEP_NO_ATL_THUNK<br>
MITIGATION_DEP
MITIGATION_DEP<br>
MITIGATION_EXTENSION_POINT_DISABLE<br>
MITIGATION_IMAGE_LOAD_NO_REMOTE<br>
MITIGATION_IMAGE_LOAD_NO_LOW_LABEL<br>
MITIGATION_IMAGE_LOAD_PREFER_SYS32<br>
MITIGATION_CONTROL_FLOW_GUARD_DISABLE<br>
MITIGATION_WIN32K_DISABLE
||
||
MITIGATION_BOTTOM_UP_ASLR<br>
MITIGATION_BOTTOM_UP_ASLR<br>
Line 113: Line 131:
MITIGATION_SEHOP<br>
MITIGATION_SEHOP<br>
MITIGATION_DEP_NO_ATL_THUNK<br>
MITIGATION_DEP_NO_ATL_THUNK<br>
MITIGATION_DEP
MITIGATION_DEP<br>
MITIGATION_EXTENSION_POINT_DISABLE<br>
MITIGATION_IMAGE_LOAD_NO_REMOTE<br>
MITIGATION_IMAGE_LOAD_NO_LOW_LABEL<br>
MITIGATION_IMAGE_LOAD_PREFER_SYS32<br>
MITIGATION_CONTROL_FLOW_GUARD_DISABLE<br>
MITIGATION_WIN32K_DISABLE<br>
Locked Down Default DACL
|-
|-
| Delayed Mitigations || None ||
| Delayed Mitigations  
||
MITIGATION_STRICT_HANDLE_CHECKS<br>
MITIGATION_STRICT_HANDLE_CHECKS<br>
MITIGATION_DLL_SEARCH_ORDER
MITIGATION_DLL_SEARCH_ORDER
Line 122: Line 148:
MITIGATION_DLL_SEARCH_ORDER
MITIGATION_DLL_SEARCH_ORDER
|}
|}
{| class="wikitable"
|-
! Sandbox Feature !! Level 3
|-
| Job Level || [http://searchfox.org/mozilla-central/rev/6c2dbacbba1d58b8679cee700fd0a54189e0cf1b/security/sandbox/chromium/sandbox/win/src/job.cc#38 JOB_RESTRICTED]
|-
| Access Token Level || USER_LIMITED
|-
| Alternate Desktop || no
|-
| Alternate Windows Station || no
|-
| Initial Integrity Level || INTEGRITY_LEVEL_LOW
|-
| Delayed Integrity Level || INTEGRITY_LEVEL_LOW
|-
| Mitigations ||
MITIGATION_BOTTOM_UP_ASLR<br>
MITIGATION_HEAP_TERMINATE<br>
MITIGATION_SEHOP<br>
MITIGATION_DEP_NO_ATL_THUNK<br>
MITIGATION_DEP<br>
MITIGATION_EXTENSION_POINT_DISABLE
|-
| Delayed Mitigations ||
MITIGATION_STRICT_HANDLE_CHECKS<br>
MITIGATION_DLL_SEARCH_ORDER
|}


[http://mxr.mozilla.org/mozilla-central/source/security/sandbox/chromium/sandbox/win/src/security_level.h Windows Feature Header]
[http://mxr.mozilla.org/mozilla-central/source/security/sandbox/chromium/sandbox/win/src/security_level.h Windows Feature Header]


=== Gecko Media Plugin ===
=== Gecko Media Plugin (GMP) ===


{| class="wikitable"
{| class="wikitable"
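Review bot: the "Level 5" and "Level 6 (default)" columns are identical in every visible row except for "Locked Down Default DACL" under Mitigations; a one-line note above the table saying the DACL lockdown is the only difference would spare readers a cell-by-cell comparison. The removed Level 3 table also linked JOB_RESTRICTED to its definition in job.cc; the new JOB_LOCKDOWN cells have no such link and would benefit from one.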
Line 178: Line 172:
MITIGATION_HEAP_TERMINATE<br>
MITIGATION_HEAP_TERMINATE<br>
MITIGATION_SEHOP<br>
MITIGATION_SEHOP<br>
MITIGATION_EXTENSION_POINT_DISABLE<br>
MITIGATION_DEP_NO_ATL_THUNK<br>
MITIGATION_DEP_NO_ATL_THUNK<br>
MITIGATION_DEP
MITIGATION_DEP<br>
MITIGATION_NONSYSTEM_FONT_DISABLE<br>
MITIGATION_IMAGE_LOAD_NO_REMOTE<br>
MITIGATION_IMAGE_LOAD_NO_LOW_LABEL<br>
MITIGATION_CET_COMPAT_MODE<br>
Locked Down Default DACL
|-
|-
| Delayed Mitigations
| Delayed Mitigations
Line 189: Line 189:
[1] depends on the media plugin
[1] depends on the media plugin


=== 64-bit Plugin ===
=== Remote Data Decoder (RDD) ===


{| class="wikitable"
{| class="wikitable"
Line 195: Line 195:
! Sandbox Feature !! Level
! Sandbox Feature !! Level
|-
|-
| Job Level || JOB_UNPROTECTED
| Job Level || JOB_LOCKDOWN
|-
|-
| Access Token Level || USER_INTERACTIVE
| Access Token Level || USER_LIMITED
|-
|-
| Initial Integrity Level || INTEGRITY_LEVEL_LOW
| Initial Integrity Level || INTEGRITY_LEVEL_LOW
Line 203: Line 203:
| Delayed Integrity Level || INTEGRITY_LEVEL_LOW
| Delayed Integrity Level || INTEGRITY_LEVEL_LOW
|-
|-
| Alternate desktop || no
| Alternate desktop || yes
|-
|-
| Mitigations
| Mitigations
Line 210: Line 210:
MITIGATION_HEAP_TERMINATE<br>
MITIGATION_HEAP_TERMINATE<br>
MITIGATION_SEHOP<br>
MITIGATION_SEHOP<br>
MITIGATION_EXTENSION_POINT_DISABLE<br>
MITIGATION_DEP_NO_ATL_THUNK<br>
MITIGATION_DEP_NO_ATL_THUNK<br>
MITIGATION_DEP
MITIGATION_DEP<br>
MITIGATION_NONSYSTEM_FONT_DISABLE<br>
MITIGATION_IMAGE_LOAD_NO_REMOTE<br>
MITIGATION_IMAGE_LOAD_NO_LOW_LABEL<br>
MITIGATION_IMAGE_LOAD_PREFER_SYS32<br>
MITIGATION_CET_COMPAT_MODE<br>
Locked Down Default DACL
|-
|-
| Delayed Mitigations
| Delayed Mitigations
||
||
MITIGATION_STRICT_HANDLE_CHECKS<br>
MITIGATION_DYNAMIC_CODE_DISABLE<br>
MITIGATION_DLL_SEARCH_ORDER<br>
MITIGATION_FORCE_MS_SIGNED_BINS
|}
|}


Line 223: Line 234:
== OSX ==
== OSX ==


=== Content Levels ===
=== Content Levels for Web and File Content Processes ===
 
Mac content processes use sandbox level 3. File content processes (for file:/// origins) also use level 3 with additional rules to allow read access to the filesystem. Levels 1 and 2 can still be enabled in about:config, but they are not supported and using them is not recommended. Different sandbox levels were used for testing and debugging during rollout of Mac sandboxing features, but they now are planned to be removed. Mac sandboxing uses a white list policy for all process types. Each policy begins with a statement to deny all access to system resources and then specifies the allowed resources. The level 3 sandbox allows file system read metadata access with full read access for specific system directories and some user directories, access to the microphone, access to various system services, windowserver, named sysctls and iokit properties, and other miscellaneous items. Work is ongoing to remove access to the microphone, windowserver, and other system services where possible. The sandbox blocks write access to all of the file system, read access to the profile directory (apart from the chrome and extensions subdirectories, read access to the home directory, inbound/outbound network I/O, exec, fork, printing, video input devices such as cameras. Older sandbox levels 1 and 2 are less restrictive. Mainly, level 2 allows file-read access to all of the filesystem except the ~/Library directory. Level 1 allows all file-read access. Level 1 restrictions are a subset of level 2. Level 2 restrictions are a subset of level 3.
 
The web and file content policy is defined in [https://searchfox.org/mozilla-central/source/security/sandbox/mac/SandboxPolicyContent.h SandboxPolicyContent.h]
 
=== Gecko Media Plugin Processes ===


{| class="wikitable"
The Gecko Media Plugins (GMP) policy is defined in [https://searchfox.org/mozilla-central/source/security/sandbox/mac/SandboxPolicyGMP.h SandboxPolicyGMP.h].
|-
! Job Level !! What's Blocked by the Sandbox?
|-
| Level 1 [1] ||
* write access to most of the filesystem
* inbound/outbound network I/O
* exec, fork
* printing
|-
| Level 2 ||
* write access to most of the filesystem
* inbound/outbound network I/O
* exec, fork
* printing
* read access to the profile directory (apart from the chrome and extensions subdirectories)
* read access to ~/Library
|-
| Level 3 ||
* write access to most of the filesystem
* read access to most of the filesystem
** read access to the profile directory (apart from the chrome and extensions subdirectories)
** read access to the home directory
* inbound/outbound network I/O
* exec, fork
* printing
|}


[1] Level 1 restrictions are a subset of level 2. Level 2 restrictions are a subset of level 3.
=== Remote Data Decoder Processes ===


See [https://wiki.mozilla.org/Sandbox/OS_X_Rule_Set#How_security.sandbox.content.level_Affects_File_Access How security.sandbox.content.level Affects File Access] and [https://wiki.mozilla.org/Sandbox/OS_X_Rule_Set Filter rules] for more details.
The Remote Data Decoder (RDD) policy is defined in [https://searchfox.org/mozilla-central/source/security/sandbox/mac/SandboxPolicyUtility.h SandboxPolicyUtility.h].


=== Gecko Media Plugins ===
=== Socket Process ===


[https://dxr.mozilla.org/mozilla-central/search?q=pluginSandboxRules&redirect=false&case=true Filter rules]
The socket process policy is defined in [https://searchfox.org/mozilla-central/source/security/sandbox/mac/SandboxPolicySocket.h SandboxPolicySocket.h]. At this time (May 2020), the socket process sandbox is only used on the Nightly channel and only for WebRTC networking.


== Linux ==
== Linux ==
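Review bot: in the new "Content Levels for Web and File Content Processes" paragraph the parenthesis opened at "(apart from the chrome and extensions subdirectories" is never closed, and the list of blocked items that follows runs together with no "and" before "video input devices such as cameras". The paragraph would also read better split at "Mac sandboxing uses a white list policy" and again at "Older sandbox levels 1 and 2", since it currently mixes the current policy, ongoing work, and the legacy levels in one block.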
Line 273: Line 264:
|-
|-
| Level 2 ||
| Level 2 ||
* Many syscalls, including process creation
* Everything from level 1
* Write access to the filesystem
* Write access to the filesystem
** Excludes shared memory, tempdir, video hardware
** Excludes shared memory, tempdir, video hardware
|-
|-
| Level 3 ||  
| Level 3 ||  
* Many syscalls, including process creation
* Everything from level 1-2
* Write access to the filesystem
** Excludes shared memory, tempdir, video hardware
* Read access to most of the filesystem
* Read access to most of the filesystem
** Excludes themes/GTK configuration, fonts, shared data and libraries
** Excludes themes/GTK configuration, fonts, shared data and libraries
|-
| Level 4 ||
* Everything from level 1-3
* Network access including local sockets
** Excludes X11 socket
* System V IPC
** Unless fgxlrx or VirtualGL is in use
* Uses chroot jail
* Uses Unprivileged User Namespaces (if available)
|}
|}


Line 289: Line 287:
[https://dxr.mozilla.org/mozilla-central/source/security/sandbox/linux/SandboxFilter.cpp?q=ContentSandboxPolicy Filter ruleset]
[https://dxr.mozilla.org/mozilla-central/source/security/sandbox/linux/SandboxFilter.cpp?q=ContentSandboxPolicy Filter ruleset]


[https://dxr.mozilla.org/mozilla-central/source/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp#118 Filesystem access policy]
[https://dxr.mozilla.org/mozilla-central/source/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp#203 Filesystem access policy]


=== Gecko Media Plugin ===
=== Gecko Media Plugin ===
Line 300: Line 298:


See [[Security/Sandbox#Linux_specific|Activity Logging]] for information on how to debug these scenarios.
See [[Security/Sandbox#Linux_specific|Activity Logging]] for information on how to debug these scenarios.
security.sandbox.content.level
* See [[Security/Sandbox#Content_Levels_2|Content Levels]] above. Reducing this can help identify sandboxing as the cause of a problem, but you're better of trying the more fine grained permissions below.


security.sandbox.content.read_path_whitelist<br/>
security.sandbox.content.read_path_whitelist<br/>
security.sandbox.content.write_path_whitelist
security.sandbox.content.write_path_whitelist
* Comma-separated list of additional paths that the content process is allowed to read from or write to, respectively.
* Comma-separated list of additional paths that the content process is allowed to read from or write to, respectively. To allow access to an entire directory tree (rather than just the directory itself), include a trailing <tt>/</tt> character.


security.sandbox.content.syscall_whitelist
security.sandbox.content.syscall_whitelist
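Review bot: "you're better of trying" in the new security.sandbox.content.level bullet should be "better off". The bullet links to the Linux table as "#Content_Levels_2", an anchor that numbers headings named "Content Levels"; this revision renames the OSX heading to "Content Levels for Web and File Content Processes", so check that the anchor still resolves to the Linux section.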
Line 316: Line 317:
| Content || numerical || security.sandbox.content.level
| Content || numerical || security.sandbox.content.level
|-
|-
| NPAPI Plugin || boolean || dom.ipc.plugins.sandbox-level.default<br>dom.ipc.plugins.sandbox-level.<plugintype>
| Windows NPAPI Plugin || numerical || dom.ipc.plugins.sandbox-level.default<br>dom.ipc.plugins.sandbox-level.<plugintype>
|-
|-
| Compositor || numerical || security.sandbox.gpu.level
| Compositor || numerical || security.sandbox.gpu.level
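Review bot: the preferences table still carries a "Windows NPAPI Plugin" row (dom.ipc.plugins.sandbox-level.*) even though this revision's summary is "Remove Flash information" and the "Windows 64bit (NPAPI Plugin)" row was dropped from the Current Status table; either remove this row as well or mark the prefs obsolete.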
Line 356: Line 357:
== Activity Logging ==
== Activity Logging ==


The following prefs control sandbox logging. Output is sent to the Browser Console when available, and to a developer console attached to the running browser process. <br/>
The following prefs control sandbox logging. On Windows, output is sent to the Browser Console when available, and to a developer console attached to the running browser process. On OSX, once enabled, violation log entries are visible in the Console.app (/Applications/Utilities/Console.app). On Linux, once enabled, violation log entries are logged on the command line console.<br/>


  security.sandbox.logging.enabled (boolean)<br/>
  security.sandbox.logging.enabled (boolean)<br/>
Line 365: Line 366:
  MOZ_SANDBOX_LOGGING=1
  MOZ_SANDBOX_LOGGING=1


=== OSX Specific ===
=== OSX Specific Sandbox Logging ===
 
On Mac, sandbox violation logging is disabled by default. To enable logging,


Sandbox violation logging is on by default when the sandbox is enabled. Use the Console.app application to [[Security/Sandbox/Testing/OSX|view the logs]].
# Launch the OS X Console app (/Applications/Utilities/Console.app) and filter on "plugin-container".
# Either set the pref '''security.sandbox.logging.enabled=true''' and restart the browser OR launch the browser with the '''MOZ_SANDBOX_LOGGING''' environment variable set.


=== Linux specific ===
=== Linux specific Sandbox Logging ===


The following environment variable triggers extra sandbox debugging output: <br/>
The following environment variable triggers extra sandbox debugging output: <br/>
Line 390: Line 394:
|MOZ_DISABLE_NPAPI_SANDBOX
|MOZ_DISABLE_NPAPI_SANDBOX
|Disable 64-bit NPAPI process sandbox
|Disable 64-bit NPAPI process sandbox
|Windows
|Windows and Mac
|-
|-
|MOZ_DISABLE_GPU_SANDBOX
|MOZ_DISABLE_GPU_SANDBOX
|Disable GPU process sandbox
|Disable GPU process sandbox
|Windows
|Windows
|-
|MOZ_DISABLE_RDD_SANDBOX
|Disable Data Decoder process sandbox
|All
|-
|MOZ_DISABLE_SOCKET_PROCESS_SANDBOX
|Disable Socket Process process sandbox
|All
|}
|}


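Review bot: same consistency point for MOZ_DISABLE_NPAPI_SANDBOX ("Windows and Mac"): the NPAPI row was removed from the status table in this revision, so this entry should go or be marked obsolete. Also "Disable Socket Process process sandbox" repeats "process".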
Line 418: Line 430:
= Bug Lists =
= Bug Lists =


* Windows Content Process
== Priorities ==
** [https://bugzilla.mozilla.org/buglist.cgi?quicksearch=whiteboard%3Asbwc1 sbwc1]
* [https://bugzilla.mozilla.org/buglist.cgi?priority=P1&f1=keywords&o1=notsubstring&resolution=---&status_whiteboard_type=allwordssubstr&query_format=advanced&status_whiteboard=sb%2B&v1=meta&list_id=13711690 P1]
*** low integrity sandbox support
* [https://bugzilla.mozilla.org/buglist.cgi?list_id=13711673&o1=notsubstring&status_whiteboard_type=allwordssubstr&status_whiteboard=sb%2B&v1=meta&priority=P2&f1=keywords&resolution=---&query_format=advanced P2]
*** Roll out level 1 sandbox policy to release. (completed, fx50)
* [https://bugzilla.mozilla.org/buglist.cgi?priority=P3&f1=keywords&list_id=13711682&o1=notsubstring&resolution=---&status_whiteboard_type=allwordssubstr&query_format=advanced&status_whiteboard=sb%2B&v1=meta P3]
** [https://bugzilla.mozilla.org/buglist.cgi?quicksearch=whiteboard%3Asbwc2 sbwc2]
*** file:/// isolation
*** User token removal, to limit User directory file access
*** use JOB_RESTRICTED to apply further global restrictions
*** printing tests
*** roll out level 3 to release


* OSX Content Process
== Security/Process Sandboxing Lists ==
** [https://bugzilla.mozilla.org/buglist.cgi?quicksearch=whiteboard%3Asbmc1 sbmc1]
* [https://bugzilla.mozilla.org/buglist.cgi?product=Core&component=Security%3A%20Process%20Sandboxing&resolution=---&list_id=13711685 Full bug list]
*** Roll out level 1 OSX security sandbox access ruleset. (completed, fx52)
* [https://bugzilla.mozilla.org/buglist.cgi?priority=--&f1=keywords&list_id=13711696&o1=notsubstring&resolution=---&query_format=advanced&v1=meta&component=Security%3A%20Process%20Sandboxing&product=Core No priority set]
*** Prevent file system write access
* [https://bugzilla.mozilla.org/buglist.cgi?keywords=meta&keywords_type=allwords&resolution=---&query_format=advanced&component=Security%3A%20Process%20Sandboxing&product=Core&list_id=13711689 Metas]
** [https://bugzilla.mozilla.org/buglist.cgi?quicksearch=whiteboard%3Asbmc2 sbmc2]
*** Home directory read access restrictions
*** file:/// isolation
*** roll out level2 OSX sandbox to release
 
* Linux Content Process
** [https://bugzilla.mozilla.org/buglist.cgi?quicksearch=whiteboard%3Asblc1 sblc1]
*** enable (heavily perforated) seccomp-bpf filter by default in Nightly
** [https://bugzilla.mozilla.org/buglist.cgi?quicksearch=whiteboard%3Asblc2 sblc2]
*** land basic file system broker
*** remove/restrict file system write access
*** roll out entry level file broker to release
** [https://bugzilla.mozilla.org/buglist.cgi?quicksearch=whiteboard%3Asblc3 sblc3]
*** remove/restrict file system read access
*** file:/// isolation?
*** remote pulseaudio work (BLOCKED on media work, TBD)
 
* Windows 64-bit NPAPI
** [https://bugzilla.mozilla.org/buglist.cgi?quicksearch=whiteboard%3Asbwn1 sbwn1]
** (completed, fx52)


== Triage Lists ==
== Triage Lists ==
* Triage list: http://is.gd/Mfb8L9
* Sandboxing Triage List: https://is.gd/ghRoW8
** Lists any bug with sb?
** Lists sandboxing component bugs that are not tracked by a milestone
** Lists sandboxing component bugs that are not tracked by a milestone
** Ignores sb+, sb-, and sb? bugs with needinfos
** Ignores previously triaged into either sb- or sb+
** meta bugs
** Ignores meta bugs and bugs with needinfos
* sb? Triage List: http://is.gd/B3KscF
* Global [https://bugzilla.mozilla.org/buglist.cgi?f1=flagtypes.name&o3=notsubstring&list_id=13952603&v3=meta&o1=notsubstring&resolution=---&status_whiteboard_type=substring&query_format=advanced&f3=keywords&status_whiteboard=sb%3F&v1=needinfo Triage List]
** does not include needinfo bugs
** Lists any bug in the database with sb?
** Ignores bugs with needinfos
* sb+ [https://mzl.la/2CSaniE triage list]
** Previously triaged bugs that have no milestone and no priority set
* sb? needinfos: http://is.gd/dnSyBs
* sb? needinfos: http://is.gd/dnSyBs
* webrtc specific sandboxing bugs: https://is.gd/c5bAe6
* webrtc specific sandboxing bugs: https://is.gd/c5bAe6
** sb tracking + 'webrtc'
** sb tracking + 'webrtc'
= Roadmap =
==2020 H1 - Main work focus==
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1464032 Remote Canvas Drawing operations],
** Prerequisite for win32k.sys lockdown.
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1381938 Remote Form widget drawing],
** Prerequisite for win32k.sys lockdown.
** Follow-ups in [https://bugzilla.mozilla.org/show_bug.cgi?id=1615105 Bug for defaulting it on]
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1642621 Remote WebGL drawing],
** See also [https://bugzilla.mozilla.org/show_bug.cgi?id=1632249 Out-of-process WebGL compositing].
** Follow-ups in [https://bugzilla.mozilla.org/show_bug.cgi?id=1642621 Make it shippable bug].
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1347710 Sandbox the GPU Process].
** Stalled on non-reproducible [https://bugzilla.mozilla.org/show_bug.cgi?id=1630860 field issues].
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1400317 Remote Look and Feel + Theming].
** Prerequisite for win32k.sys lockdown.
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1550900 Shared memory with read-only and read/write mode].
** Security and memory usage win.
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1440203 Use memfd_create for shared memory].
** Performance win and would solve many issues with people running into problems with the default docker/kubernetes configurations that only give a tiny amount of shared memory.
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1620118 Enable further telemetry for third-party process injection].
==2020 H2 - Main work focus==
* Carry-over of win32k.sys lockdown prerequisites from 2020 H1.
* Carry-over of stalled GPU sandboxing work.
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1381019 Remaining win32k.sys blockers].
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1620114 Enable CIG in RDD].
** Investigate/experiment with feasibility of shipping CIG in content.


= Communication =
= Communication =
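Review bot: under "Remote WebGL drawing" the "Make it shippable bug" follow-up links to bug 1642621, the same id as the parent item; the follow-up presumably has its own bug number. The trailing commas after "Remote Canvas Drawing operations", "Remote Form widget drawing" and "Remote WebGL drawing" are also inconsistent with the full stops on the other bullets.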
Line 471: Line 487:
  | Weekly Team Meeting
  | Weekly Team Meeting
|| Thursday at 8:00am PT
|| Thursday at 8:00am PT
* Vidyo: "PlatInt" room
* Zoom: By invitation, ask gcp@mozilla.com
* Invitation: Contact Jim Mathies to get added to the meeting invite list.
* [https://wiki.mozilla.org/Security/Sandbox/Meeting_Notes Meeting Notes Archive]
* [https://wiki.mozilla.org/Security/Sandbox/Meeting_Notes Meeting Notes Archive]
|-
|-
| IRC
| Matrix
||  
||  
* Server: irc.mozilla.org
* Server: chat.mozilla.org
* Channel: [irc://irc.mozilla.org/e10s #boxing]
* Channel: [https://chat.mozilla.org/#/room/#hardening:mozilla.org #hardening]
|-
| Newsgroup/Mailing List
||
* [mailto:boxing@lists.mozilla.org boxing@lists.mozilla.org]
|-
|-
|}
|}
Line 491: Line 502:
| Engineering Management
| Engineering Management
||
||
* Jim Mathies (jimm)
* Gian-Carlo Pascutto (gcp)
|-
|-
| Project Management
| Project Management
||
||
* TBD
* N/A
|-
|-
| QA
| QA
||
||
* Tracy Walker (Quality Assurance Lead)
* N/A
|-
|-
| Development Team
| Development Team
||  
||  
* Haik Aftandilian (haik)
* Haik Aftandilian (haik)
* Alex Gaynor (Alex_Gaynor)
* Jed Davis (jld)
* Julian Hector (tedd)
* Chris Martin (cmartin)
* Jim Mathies (jimm)
* Bob Owen (bobowen)
* Bob Owen (bobowen)
* David Parks (handyman)
* David Parks (handyman)
* Stephen Pohl (spohl)
* Gian-Carlo Pascutto (gcp)
* Gian-Carlo Pascutto (gcp)
|-
| Other Teams
|
* kang, [[Security/OpSec]]
* Security Engineering [[SecurityEngineering]]
|}
|}


= Repo Module Ownership =
= Repo Module Ownership =
* [[Modules/Core#Sandboxing|Cross platform]]
* [[Modules/Core#Sandboxing_-_Windows|Windows]]
* [[Modules/Core#Sandboxing_-_Windows|Windows]]
* [[Modules/Core#Sandboxing_-_OSX|OSX]]
* [[Modules/Core#Sandboxing_-_OSX|OSX]]
* [[Modules/Core#Sandboxing_-_Linux_.26_B2G|Linux/B2G]]
* [[Modules/Core#Sandboxing_-_Linux|Linux]]


= Links =
= Links =


* [[Electrolysis]] Wiki Page (lot of additional resource links)
* [[Electrolysis]] Wiki Page (lot of additional resource links)
* [[Security/Sandbox/macOS_Release]] - description of what to do when a new macOS release comes out in order to find out what updates they made to the sandbox.
* [http://www.chromium.org/developers/design-documents/sandbox Chromium Sandbox]
* [http://www.chromium.org/developers/design-documents/sandbox Chromium Sandbox]
* [http://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf Apple's Sandbox guide]
* [http://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf Apple's Sandbox guide]
Line 531: Line 537:
* [http://en.wikipedia.org/wiki/Google_Native_Client Native Client on Wikipedia] (Links to papers on Native Client's design and use of SFI, as well as papers on SFI itself.)
* [http://en.wikipedia.org/wiki/Google_Native_Client Native Client on Wikipedia] (Links to papers on Native Client's design and use of SFI, as well as papers on SFI itself.)
* [https://msdn.microsoft.com/en-us/library/windows/desktop/ff966517%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396 Features of Protected Mode in Internet Explorer]
* [https://msdn.microsoft.com/en-us/library/windows/desktop/ff966517%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396 Features of Protected Mode in Internet Explorer]
== Research ==
* [https://intranet.mozilla.org/User:Imelven@mozilla.com/Sandboxing Ian's Internal Research page (2012)]


== B2G Archive ==
== B2G Archive ==
Line 541: Line 544:


B2G has always been “sandboxed” to some extent; every app/tab gets its own content process, which uses the Android security model: a separate uid per process, no group memberships, and kernel patches that require group membership for things like network access.  But privilege escalation via kernel vulnerabilities is relatively common, so we also use the seccomp-bpf system call filter to reduce the attack surface that a compromised content process can directly access.
B2G has always been “sandboxed” to some extent; every app/tab gets its own content process, which uses the Android security model: a separate uid per process, no group memberships, and kernel patches that require group membership for things like network access.  But privilege escalation via kernel vulnerabilities is relatively common, so we also use the seccomp-bpf system call filter to reduce the attack surface that a compromised content process can directly access.
== Older ==
* [https://docs.google.com/a/mozilla.com/document/d/1qS4Q1goehqy-55hIQEsEA_XY3lF4xfFColNKQm37KSg/edit?usp=sharing Old Meeting Notes]