Mozilla 2/Protected mode
Jim Mathies / Rob Strong
- Feature tracking bug
Overview and Motivations
Integrity is a new Windows security concept introduced with Windows Vista. Securable objects within the system, including processes and their associated windows, directories and files, and registry keys, are associated with one of a limited set of integrity levels. These integrity restrictions are independent of user level security restrictions.
In general, Integrity applies the general rule of "no write-up", implying objects with lower integrity do not have write access to objects with higher integrity. In addition, objects running at much lower integrity levels often have "no read-up" rules applied for higher integrity objects which restrict access completely.
Firefox currently runs at a default "medium" integrity level. The goal is to add support for running at both the default medium and a low "protected mode" integrity level without adversely effecting the browser's usability or user experience. The decision of which integrity level Fx runs would be left to the user through a user pref or command line option.
Three broad goals summarize the work required:
- Research the areas of the Mozilla codebase which would be affected by applications running at a "low" integrity.
- Add support for a medium integrity launch shim ("broker") for Firefox. (bug 396196)
- Augment the functionality of the broker to support interaction between a low integrity Firefox process and the os and applications running at higher integrity levels.
Potential Areas Affected / Issues
- application registration with the system
- dde implementation
- product updates
- helper and protocol handler app services involving launching of 3rd party apps
- directory services (default locations)
- general file access - write access restrictions to %userprofile%\AppData\LocalLow
- profile management / migration
- drag and drop
- copy paste
- registry access
- COM interfacing
- Windows api restrictions - api that communicate with objects of a higher integrity level. (cert, crypt, theming, networking, os settings)
- Security Zone Policy settings - Internet Explorer's broker makes decisions as to what integrity level a particular URL should execute within. Intranet and local resources are launched in a seperate medium level process. Whether or not Firefox must support similar decision making and functionality is unknown at this point.
Schedule and Milestones
It's hard to say at this point how long (or even how possible) protected mode is. The first work required is research and testing, followed by the implementation of a basic broker shim aimed at better OS integration. Conservatively this might land for Fx 3.1, with full support for running under protected mode landing in Fx 4.0. We might get farther for Fx 3.1 depending on how much work is involved. The shim should definitely land and be well tested before protected mode support is added.