Security/Sandbox

From MozillaWiki
Jump to navigation Jump to search
The fox cannot escape the box.
The fox is safe in the sandbox. The fox cannot escape.

Sandboxing Firefox

This page tracks and explain how sandboxing is being worked on for Firefox (OS, Desktop, etc.)


Sandboxes use the process as the security boundary. The process model, i.e. how we split Firefox into processes and how the processes interact between each other is common to all platforms.

The implementation of the sandbox mechanism is independent, per platform. Firefox OS and Linux desktop Firefox use the same implementation.

Sandboxing basic architecture.png

Documentation

Windows Sandbox overview

Source code overview

Relative to the root of mozilla-central, the sandbox exists at: ./security/sandbox

Linux related sandbox is inside the linux subfolder.

The core of the Windows sandbox is Google's chromium sandbox.

The chromium sandbox is based on the chromium base libraries (Gogole's code) which are located at: ./security/sandbox/chromium (excluding ./security/sandbox/chromium/base/shim/ which overrides some functionality to make it compatible with our SDK build settings, which is Mozilla code) The chromiums Windows sandbox itself (Google's code) is inside ./security/sandbox/win/src (excluding ./security/sandbox/win/src/sandboxbroker and ./security/sandbox/win/src/sandboxtarget subfolders, which is Mozilla code)

There are 2 processes when dealing with a sandboxed application:

1) The broker: The parent process that starts sandboxed children 2) The target: The child process that is sandboxed

Both processes make use of the chromium sandbox library, but they make use of it indirectly through 2 libraries (Mozilla code). This indirect use of the library is due to header conflicts with the ipc layer where it has a different, much older, non compatible, copy of the chromium base library:

1) For the broker, ./security/sandbox/win/src/sandboxbroker 1) For the target, ./security/sandbox/win/src/sandboxtarget

Build settings

To enable e10s you can use a normal mozilla-central build but you should enable this pref: browser.tabs.remote.autostart It's recommended to use a different profile for dev if you don't want to trash your existing profile.

The sandbox is in use by our e10s code when you build with this in your mozconfig: ac_add_options --enable-content-sandbox

You can add this environment variable to temporarily disable the content sandbox when e10s is enabled: MOZ_DISABLE_CONTENT_SANDBOX

Key source code locations

The sandboxed target process lowers its own privliges after initialization via this call: http://dxr.mozilla.org/mozilla-central/source/ipc/app/MozillaRuntimeMain.cpp#78

The call that starts the sandboxed process in Firefox is: http://dxr.mozilla.org/mozilla-central/source/ipc/glue/GeckoChildProcessHost.cpp#784

All of the code that sets policies can be found here: http://dxr.mozilla.org/mozilla-central/source/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp

Roadmap (high-level)

This roadmap may evolve over time.

  1. Land sandbox implementation for all platforms with not-very-restrictive-whitelist
    1. [DONE] B2G
    2. [NEW] Windows
    3. [NEW] Linux
    4. [NEW] MacOS X (inactive)
    5. [NEW] Fennec (inactive)
  2. (Desktop) Help e10s Electrolysis
    1. FIXME
  3. Documentation efforts
    1. Sandbox implementations
      1. [ON TRACK] B2G
      2. [NEW] Windows
      3. {ok|Linux}}
      4. [NEW] MacOS X (inactive)
      5. [NEW] Fennec (inactive)
    2. Remoting
      1. [ON TRACK] Security/B2G/FirefoxOSCommsHardening
  4. Fix IPC issues
  5. Reduce whitelist by fixing/remoting APIs
    1. Achieve decent whitelist: No FS access, no process creation or no additional rights in child processes.
    2. Achieve good whitelist.

Status

Firefox OS / B2G

Firefox OS 1.2

Firefox OS 1.4

Dependencies (see bug 929277 for details):

Full Query
ID Summary Status
912791 [meta] Make seccomp b2g usable RESOLVED
921817 seccomp sandbox isn't enabled in non-preallocated child processes RESOLVED
925119 Gecko can call socketpair after sandbox initialization? RESOLVED
932098 seccomp-b2g support for ICS emulator / on TBPL RESOLVED
932104 Fix mochitests/reftests/... for b2g content process sandboxing RESOLVED
943774 The crash reporter doesn't work on seccomp-enabled non-profiling B2G builds. RESOLVED
948620 Add env variable to disable sandbox at runtime RESOLVED
967967 Children of Nuwa are being sandboxed twice and crashing. RESOLVED
969040 seccomp sandboxing doesn't affect non-main threads already started RESOLVED
970562 [Gonk][seccomp] seccomp violation: __NR_sched_getscheduler RESOLVED
971128 [Gonk][seccomp] seccomp violation: __NR_sched_yield RESOLVED
971635 [seccomp] Seccomp violation when taking a photo on Buri RESOLVED
983518 Homescreen sandbox crash on QRD kitkat RESOLVED
989172 Homescreen sandbox crash on QRD kitkat (again) RESOLVED

14 Total; 0 Open (0%); 14 Resolved (100%); 0 Verified (0%);


NeedABug

  • [NEW] enable build/test devices (tbpl) to test with sandboxing


Permissions burndown

See seccomp_filter.h for current list. Note: More syscalls could be removed as some of them, while not a direct security issue, may lead to access to a kernel bug, for example, see do_brk()'s CVE-2003-0961)

Decent whitelist

To remove for achieving a "decent whitelist".

fstat64(), stat64(), access() Med Information leak. Tells the process if a file/path exists, and its attributes (inode, etc. See man fstat64)
getdents64() Med Information leak. Lists directories.
open() High FS access: Open files.
unlink() High FS access: Delete files.
Good whitelist

To remove for achieving a "good whitelist".

ioctl() High Mainly used for GL/Graphics. To be removed or/and argument-filtered, see bug 920372
sigprocmask() Med Change signals. We don't want signals to be rerouted in general.
prctl() Med Change process attributes, including security relevant bits. Note: when removed, this means no child process can tighten it's whitelist further either.
getpriority(), setpriority() Med Access priority attributes from target processes.
sched_setscheduler() Med Change scheduling policy/params of target processes.


Linux Firefox

  • [DONE] Land Library bug 742434
  • [ON TRACK] Enable sandbox

Permissions burndown

Permission burn down list (see bug 942695 for details):

Full Query
ID Summary Status
742434 Enable seccomp-bpf for nightly desktop Firefox content processes on Linux RESOLVED
936274 Remove open() from seccomp-bpf whitelist for Linux/Desktop RESOLVED
942696 Remove access() from seccomp-bpf whitelist for Linux/Desktop RESOLVED
942698 Remove syscalls operating on filesystem paths and network addresses from seccomp-bpf whitelist for Linux/Desktop RESOLVED

4 Total; 0 Open (0%); 4 Resolved (100%); 0 Verified (0%);


Windows Firefox

  • [DONE] Land Library bug 922756
  • [DONE] Start using library to sandbox e10s processes unrestricted bug 925571
  • [NEW] List and prioritize permissions to shut off
  • [NEW] Burn down permission list

Permission List:

  • [DONE] Use a separate Windows Desktop within the same Windows Station - bug 928061
  • [ON TRACK] Use a separate Windows Station + Desktop - bug 928055
  • [ON TRACK] Set low integrity on content processes for Windows sandboxing policy - bug 928062
  • more not yet posted

MacOS X Firefox

  • [NEW] Land Library -- bug 387248
  • [NEW] List and prioritize permissions to shut off
  • [NEW] Burn down permission list

Permission List:

TBD

Future work

These are some things that we need to attack next (after a basic sandbox).

  • GPU remoting
  • (Desktop) Accessibility support
  • Process Model
    • Parent process as enforcing + ACL check only?
  • Resource limits
  • (Desktop) DevTools support

Contact

Some folks from the SecurityEngineering team:

  • briansmith, keeler, grobinson, ckerschb, sid, and bbondy.

Some folks from the Firefox OS Security team:

  • pauljt and kang.


Additional resources

Sandboxing

Not up to date/Archived

Related projects

Retrieved from "https://wiki.allizom.org/index.php?title=Security/Sandbox&oldid=956327"