FoxInABox

From MozillaWiki
Revision as of 21:37, 11 December 2013

The fox is safe in the sandbox. The fox cannot escape.

Sandboxing Firefox

This page tracks and explains how sandboxing is being worked on for Firefox (Firefox OS, Desktop, etc.).

Status

Tracking bug for desktop Firefox: bug 925570. Tracking bug for Firefox OS: bug 790923.

Firefox OS / B2G

  • [DONE] Land Library bug 742434
  • [DONE] Tie in to process model bug 790923
  • [ON TRACK] List and prioritize permissions to shut off
  • [ON TRACK] Burn down permission list
  • [ON TRACK] Implement unit tests for the sandbox
  • [ON TRACK] Enable build/test devices (tbpl) to test with sandboxing

Dependencies (see bug 918680 for details):

ID Summary Status
898117 layers IPC infrastructure allows child to trigger parent-process UAF RESOLVED
898563 Parent side of APZC messaging needs to be hardened against malicious children RESOLVED
906996 Remove unlink() from seccomp-bpf whitelist RESOLVED
923530 Consistently handle IPDL actor death in Gfx NEW
927633 Make child processes access UA overrides through IPC RESOLVED
930258 Remove open() from seccomp whitelist on B2G RESOLVED
931086 IPC: crash while randomly closing a pipe [@mozilla::layers::CompositorParent::NotifyShadowTreeTransaction] RESOLVED
940863 Should we expose access to TmpD to child processes over IPC? RESOLVED
947784 Move "mobilenetwork" permission check to parent and create a sandbox safe implementation RESOLVED
948574 [e10s] remote nsISiteSecurityService::IsSecureHost/IsSecureURI RESOLVED
951405 re-work certificate error page loading so that child processes never need nsISiteSecurityService (even remotely) RESOLVED
973987 Notifications do not go through the parent RESOLVED
1121295 Reduce B2G content process sandbox filesystem broker whitelist RESOLVED

13 Total; 1 Open (7.69%); 12 Resolved (92.31%); 0 Verified (0%);


Permission burn-down list (see http://hg.mozilla.org/mozilla-central/file/40c7c53fe9b0/security/sandbox/seccomp_filter.h for the whitelist as it currently stands):

Syscall(s) | Priority | Why it should go
ioctl() | High | Mainly used for GL/graphics. To be removed and/or argument-filtered, see bug 920372.
fstat64(), stat64(), access() | Med | Information leak: tells the process whether a file/path exists, and its attributes (inode, etc.; see man fstat64).
getdents64() | Med | Information leak: lists directories.
sigprocmask() | Med | Changes the signal mask. We don't want signals to be rerouted in general.
open() | High | FS access: opens files.
prctl() | Med | Changes process attributes, including security-relevant bits. Note: once it is removed, a child process can no longer tighten its own whitelist further either.
unlink() | High | FS access: deletes files.
getpriority(), setpriority() | Med | Access priority attributes of target processes.
sched_setscheduler() | Med | Changes scheduling policy/parameters of target processes.

Note: more syscalls could be removed; some that are not a direct security issue in themselves may still give access to a kernel bug (for example, do_brk() and CVE-2003-0961).


Linux Firefox

  • [DONE] Land Library bug 742434
  • [DONE] Tie in to process model
  • [ON TRACK] List and prioritize permissions to shut off
  • [ON TRACK] Burn down permission list

Permission burn down list (see bug 942695 for details):

ID Summary Status
742434 Enable seccomp-bpf for nightly desktop Firefox content processes on Linux RESOLVED
936274 Remove open() from seccomp-bpf whitelist for Linux/Desktop RESOLVED
942696 Remove access() from seccomp-bpf whitelist for Linux/Desktop RESOLVED
942698 Remove syscalls operating on filesystem paths and network addresses from seccomp-bpf whitelist for Linux/Desktop RESOLVED

4 Total; 0 Open (0%); 4 Resolved (100%); 0 Verified (0%);
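As a concrete illustration of the B2G burn-down table and the Linux desktop burn-down list above, here is a small seccomp-bpf filter in the same style. This is an added example, not the filter from security/sandbox/seccomp_filter.h: the real whitelist is far longer, and this one admits only what its own self-test needs. It shows the three kinds of policy decisions the lists describe: syscalls kept on the whitelist (exit_group), syscalls being burned down (open/openat, unlink/unlinkat), which here fail with EPERM rather than killing the process so their removal can be observed, and ioctl() argument-filtered so that only one request passes. The choice of TIOCGWINSZ as the single permitted ioctl request, and of EPERM rather than SECCOMP_RET_KILL for the burned-down calls, are assumptions made for this example. Linux only (x86_64, aarch64 or i386, kernel 3.5 or later); the self-test forks, sandboxes the child and reports what the child observed.

```c
/* Added example (not Mozilla's code): a seccomp-bpf filter illustrating the
 * permission burn-down.  Build with: cc -O2 -o seccomp_demo seccomp_demo.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#  define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define ARCH_NR AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#  define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* pre-4.14 headers */
#endif

#define ARG(n)     offsetof(struct seccomp_data, args[n])
#define ALLOW      BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
#define DENY_EPERM BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))
#define KILL       BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS)
/* If the loaded syscall number equals nr, fall through to the next
 * instruction (the verdict); otherwise skip that verdict. */
#define IF_NR(nr)  BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1)

/* Install the filter in the calling process.  Returns 0 on success. */
static int install_filter(void)
{
    struct sock_filter filter[] = {
        /* Reject foreign ABIs first: syscall numbers mean something else there. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        KILL,
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* Whitelist: what the sandboxed child legitimately needs. */
        IF_NR(__NR_exit_group), ALLOW,
        /* Burn-down list: still reachable, but fails with EPERM (assumed here;
         * a shipping filter would kill instead). */
        IF_NR(__NR_openat),   DENY_EPERM,
        IF_NR(__NR_unlinkat), DENY_EPERM,
#ifdef __NR_open
        IF_NR(__NR_open),     DENY_EPERM,
#endif
#ifdef __NR_unlink
        IF_NR(__NR_unlink),   DENY_EPERM,
#endif
        /* Argument filter: ioctl() passes only with request TIOCGWINSZ. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 4),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG(1)),  /* low 32 bits of the request */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCGWINSZ, 0, 1),
        ALLOW,
        DENY_EPERM,
        /* Everything not listed above kills the process. */
        KILL,
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Required for an unprivileged process to install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Runs inside the sandboxed child; the returned bitmask becomes its exit status. */
static int child_probe(void)
{
    struct winsize ws;
    int pending, mask = 0;

    if (install_filter() != 0)
        return 0x80;                       /* filter could not be installed */
    if (unlinkat(AT_FDCWD, "/nonexistent-file", 0) == -1 && errno == EPERM)
        mask |= 0x1;                       /* unlink refused before the path is looked up */
    if (openat(AT_FDCWD, "/etc/hostname", O_RDONLY) == -1 && errno == EPERM)
        mask |= 0x2;                       /* open refused before the path is looked up */
    errno = 0;
    ioctl(STDOUT_FILENO, TIOCGWINSZ, &ws); /* 0 on a tty, ENOTTY on a pipe: either way not EPERM */
    if (errno != EPERM)
        mask |= 0x4;                       /* the permitted request reached the kernel proper */
    if (ioctl(STDOUT_FILENO, FIONREAD, &pending) == -1 && errno == EPERM)
        mask |= 0x8;                       /* any other request is refused by the filter */
    return mask;
}

/* Fork, sandbox the child and report what it observed: 0xF means all four
 * checks behaved as intended; -1 means the child was killed, i.e. it
 * attempted a syscall that is not on the whitelist. */
int sandbox_selftest(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(child_probe());
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = sandbox_selftest();
    printf("selftest result: 0x%x (%s)\n", r, r == 0xF ? "ok" : "unexpected");
    return r == 0xF ? 0 : 1;
}
```

The order of the rules matters: the arch check comes first because syscall numbers differ between ABIs, and the default verdict at the end is KILL, so any syscall the child uses that was forgotten from the whitelist shows up immediately as a SIGSYS death rather than as silent misbehaviour. The ioctl rule reads only the low 32 bits of args[1]; a filter that compares a pointer or a full 64-bit argument has to load both halves.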


Windows Firefox

  • [DONE] Land Library bug 922756
  • [ON TRACK] Start using the library to sandbox e10s processes with an unrestricted policy - bug 925571
  • [NEW] Tie in to process model
  • [NEW] List and prioritize permissions to shut off
  • [NEW] Burn down permission list

Permission List:

  • [ON TRACK] Use a separate Windows Desktop within the same Windows Station - bug 928061
  • [ON TRACK] Use a separate Windows Station + Desktop - bug 928055
  • [ON TRACK] Set low integrity on content processes for Windows sandboxing policy - bug 928062
  • more not yet posted

MacOS X Firefox

  • [NEW] Land Library -- bug 387248
  • [NEW] Tie in to process model
  • [NEW] List and prioritize permissions to shut off
  • [NEW] Burn down permission list

Permission List:

TBD

Common to all platforms

  • [ON TRACK] Add a preference to selectively enable/disable content sandboxing -- bug 928042

Additional Pieces

These are some things that we need to attack next (after a basic sandbox).

  • GPU remoting (TBD)
  • Accessibility support
  • Addon support path
  • Process Model (evolving? 2? Per-Tab?)
  • Incremental tightening plan
  • Child process resource limits
  • DevTools support

Resources

Sandboxing

Archived

Related projects

How things work

Who we are

Some folks from the SecurityEngineering team: briansmith, mmc, keeler, grobinson, ckerschb, sid, and bbondy.

  • Mailing list: boxing@mozilla.org
  • IRC: irc.mozilla.org #boxing