- 1 Overview
- 2 Current Status
- 3 Preferences
- 4 File System Restrictions
- 5 Debugging Features
- 6 Platform Specifics
- 7 Bug Lists
- 8 Communication
- 9 People
- 10 Repo Module Ownership
- 11 Links
Security Sandboxing makes use of child processes as a security boundary. The process model, i.e. how Firefox is split into various processes and how these processes interact between each other is common to all platforms. For more information see the Electrolysis wiki page. The security aspects of a sandboxed child process are implemented on a per-platform basis. See the Platform Specifics section below for more information.
|Windows (content)||Level 2||Level 1||Fx50||Level 1||Fx50||Level 1||Fx50|
|Windows (compositor)||Level 1|
|Windows 64bit (NPAPI Plugin)||enabled||enabled||enabled||enabled|
|OSX (content)||Level 2||Level 1||Fx52||Level 1||Fx52||Level 1||Fx52|
|Linux (content)||Level 2||Level 2||Fx54||Level 2||Fx54|
Note that a 'level' value reflects unique sandbox security settings for each platform and process. Most processes only have two "active" levels, the current setting and a lower (previous released) setting. Level settings other than these two values carry no guarantee of altering security behavior, level settings are primarily a release rollout debugging feature.
Sandbox security related setting are grouped together and associated with a security level. Lower level values indicate a less restrictive sandbox.
|Sandbox Feature||Level 0||Level 1||Level 2|
|Access Token Level||USER_NON_ADMIN||USER_NON_ADMIN||USER_INTERACTIVE|
|Alternate Windows Station||no||no||no|
|Initial Integrity Level||INTEGRITY_LEVEL_MEDIUM||INTEGRITY_LEVEL_LOW||INTEGRITY_LEVEL_LOW|
|Delayed Integrity Level||INTEGRITY_LEVEL_MEDIUM||INTEGRITY_LEVEL_LOW||INTEGRITY_LEVEL_LOW|
|Sandbox Feature||Level 3*||Level 10||Level 20|
|Access Token Level||USER_LIMITED||USER_LIMITED||USER_LOCKDOWN|
|Alternate Windows Station||no||yes||yes|
|Initial Integrity Level||INTEGRITY_LEVEL_LOW||INTEGRITY_LEVEL_LOW||INTEGRITY_LEVEL_LOW|
|Delayed Integrity Level||INTEGRITY_LEVEL_LOW||INTEGRITY_LEVEL_LOW||INTEGRITY_LEVEL_UNTRUSTED|
* Not implemented yet.
** Might be dropped.
Gecko Media Plugin
|Access Token Level||USER_LOCKDOWN, USER_RESTRICTED|
|Initial Integrity Level||INTEGRITY_LEVEL_LOW|
|Delayed Integrity Level||INTEGRITY_LEVEL_UNTRUSTED|
 depends on the media plugin
|Access Token Level||USER_INTERACTIVE|
|Initial Integrity Level||INTEGRITY_LEVEL_LOW|
|Delayed Integrity Level||INTEGRITY_LEVEL_LOW|
|Job Level||What's Blocked by the Sandbox?|
|Level 1 ||
 Level 1 restrictions are a subset of level 2. Level 2 restrictions are a subset of level 3.
See How security.sandbox.content.level Affects File Access and Filter rules for more details.
Gecko Media Plugins
Gecko Media Plugin
|Process Type||Preference Type||Preference|
|NPAPI Plugin||boolean|| dom.ipc.plugins.sandbox-level.default|
Note - Levels greater than the current default for a particular process type are not implemented.
File System Restrictions
Sandboxing enforces file system write and read restrictions for XUL based add-on content (frame and process) scripts. To avoid issues as sandboxing features roll out add-on authors should update their legacy add-on code today such that content scripts no longer attempt to read or write from restricted locations. Note these restrictions do not affect WebExtension content script or XUL add-on script running in the browser process.
File system access rules for content processes, reverse precedence:
|file system||read/write||deny by default|
|system library locations||write||deny|
|system library locations||read||allow|
|profile/*||read/write||deny by default|
The following prefs control sandbox logging. Output is sent to the Browser Console when available, and to a developer console attached to the running browser process.
security.sandbox.windows.log.stackTraceDepth (integer, Windows specific)
The following environment variables also triggers sandbox logging output:
Sandbox violation logging is on by default when the sandbox is enabled. Use the Console.app application to view the logs.
|MOZ_DISABLE_CONTENT_SANDBOX||Disables content process sandboxing for debugging purposes.||All|
|MOZ_DISABLE_GMP_SANDBOX||Disable media plugin sandbox for debugging purposes||All|
|MOZ_DISABLE_NPAPI_SANDBOX||Disable 64-bit NPAPI process sandbox||Windows|
|MOZ_DISABLE_GPU_SANDBOX||Disable GPU process sandbox||Windows|
|MOZ_ALLOW_WEAKER_SANDBOX||Specific to 64-bit Plugin sandbox, allows 64-bit NPAPI sandbox level to drop below 2.||Windows|
Local Build Options
To disable building the sandbox completely build with this in your mozconfig:
To disable just the content sandbox parts:
Source Code Overview
The core of the Windows sandbox is Google's chromium sandbox. Relative to the root of mozilla-central, the sandbox exists at:
The chromium sandbox is based on the chromium base libraries (Google's code) which are located at:
There is also partial/shim code to get the base code compiling with our SDK build settings or to limit the base code by reducing dependencies at:
The chromium Windows sandbox itself (Google's code) is located at:
There are 2 processes when dealing with a sandboxed application:
- The broker: The parent process that starts sandboxed children
- The target: The child process that is sandboxed
Both processes make use of the chromium sandbox library, but they make use of it indirectly through 2 libraries (Mozilla code). This indirect use of the library is due to header conflicts with the ipc layer where it has a different, much older, non compatible, copy of the chromium base library (bug 925471):
- For the broker, ./security/sandbox/win/src/sandboxbroker
- For the target, ./security/sandbox/win/src/sandboxtarget
Key source code locations
Level descriptions header:
The call that starts the sandboxed process in Firefox is:
All of the code that sets policies can be found here:
The OSX sandbox is based on the TrustedBSD MAC Framework. It is undocumented and considered private by Apple.
Seccomp stands for secure computing mode. It's a simple sandboxing tool in the Linux kernel, available since Linux version 2.6.12. When enabling seccomp, the process enters a "secure mode" where a very small number of system calls are available (exit(), read(), write(), sigreturn()). Writing code to work in this environment is difficult; for example, dynamic memory allocation (using brk() or mmap(), either directly or to implement malloc()) is not possible.
Seccomp-BPF is a more recent extension to seccomp, which allows filtering system calls with BPF (Berkeley Packet Filter) programs. Most of our Linux user base have systems that support seccomp-bpf.
These filters can be used to allow or deny an arbitrary set of system calls, as well as filter on system call arguments (numeric values only; pointer arguments can't be dereferenced). Additionally, instead of simply terminating the process, the filter can raise a signal, which allows the signal handler to simulate the effect of a disallowed system call (or simply gather more information on the failure for debugging purposes). Seccomp-bpf is available since Linux version 3.5 and is usable on the ARM architecture since Linux version 3.10. Several backports are available for earlier kernel versions.
For limitations that apply to the semantics of system calls (e.g., “can this process access the filesystem”, not “can this process use system call #83”) we require unprivileged user namespaces, which a large majority of desktop users don't support. Specifically: chroot()ing into a deleted directory to revoke FS access, and namespace unsharing for networking, SysV IPC if possible, and process IDs.
- Windows Content Process
- low integrity sandbox support
- Roll out level 1 sandbox policy to release. (completed, fx50)
- file:/// isolation
- User token removal, to limit User directory file access
- use JOB_RESTRICTED to apply further global restrictions
- printing tests
- roll out level 3 to release
- Need to scope out future milestones including:
- using an alternate desktop
- using an alternate winstation and desktop
- general file system (and registry) read access restrictions (USER_RESTRICTED / UESR_LOCKDOWN)
- reducing exposure to system APIs
- running at untrusted integrity level
- use of lowbox token / AppContainers
- OSX Content Process
- Roll out level 1 OSX security sandbox access ruleset. (completed, fx52)
- Prevent file system write access
- Home directory read access restrictions
- file:/// isolation
- roll out level2 OSX sandbox to release
- TBD: Triage existing sandbox rules and define set to remove in milestone 3
- File access: system /tmp and /var/folders/ and any other individual directories
- Limit User directory file access
- Linux Content Process
- enable (heavily perforated) seccomp-bpf filter by default in Nightly
- land basic file system broker
- remove/restrict file system write access
- roll out entry level file broker to release
- remove/restrict file system read access
- file:/// isolation?
- remote pulseaudio work (BLOCKED on media work, TBD)
- remove/restrict socket access/modification and solve X11 problem
- make use of chroot and user namespaces
- Windows 64-bit NPAPI
- (completed, fx52)
- Triage list: http://is.gd/Mfb8L9
- Lists any bug with sb?
- Lists sandboxing component bugs that are not tracked by a milestone
- Ignores sb+, sb-, and sb? bugs with needinfos
- meta bugs
- sb? Triage List: http://is.gd/B3KscF
- does not include needinfo bugs
- sb? needinfos: http://is.gd/dnSyBs
- webrtc specific sandboxing bugs: https://is.gd/c5bAe6
- sb tracking + 'webrtc'
|Weekly Team Meeting|| Thursday at 8:00am PT
Repo Module Ownership
- Electrolysis Wiki Page (lot of additional resource links)
- Chromium Sandbox
- Apple's Sandbox guide
- "Introducing Chrome's next-generation Linux sandbox" (seccomp-bpf related)
- Native Client on Wikipedia (Links to papers on Native Client's design and use of SFI, as well as papers on SFI itself.)
- Features of Protected Mode in Internet Explorer
B2G has always been “sandboxed” to some extent; every app/tab gets its own content process, which uses the Android security model: a separate uid per process, no group memberships, and kernel patches that require group membership for things like network access. But privilege escalation via kernel vulnerabilities is relatively common, so we also use the seccomp-bpf system call filter to reduce the attack surface that a compromised content process can directly access.