Security/Sandbox/2014-07-24

From MozillaWiki

24 July 2014

Standup/status

  • Windows sandboxing
    • OpenH264
      • Worked on lowering permissions for the GMP sandbox: made a patch that restricts all file access except read-only access to whichever plugin DLL the gmp process needs to load, uses the USER_RESTRICTED_SAME_ACCESS token while initializing the process but then switches to USER_LOCKDOWN, and sets the process integrity level to low before initializing the process (which enables UIPI) instead of waiting until we call `LowerToken`
    • Logging
      • Bug 1018966 - Warn-only sandbox - made changes after bug 985252; tests failing on Windows XP on try when run without --enable-content-sandbox, haven't got to the bottom of it yet.
      • Bug 1040059 - Registry access reporting not working - it appears to be the NtOpenKey(Ex) intercepts that cause the crash in ntdll.dll. If I comment those out the NtCreateKey one works fine. Can't see any obvious differences with Chromium code, so I've built Chromium and initially it looks like the intercepts work.
    • Content processes
      • Bug 1018988 - Temp directory - I'll upload the list of temp files used during the mochitests after the meeting - here we go Bug 1043470.
      • New bug 1042735 - for the registry access in test_dataChannel_basicAudio.htm - gcp is looking at it.
  • Linux/B2G
    • Good news: est. 5% of Linux desktop users don't have seccomp-bpf
      • And ⅓-½ of those are on unsupported distro versions
      • So that might be enough coverage to require it?
    • Also: 60% (as of Fx 30) have user namespaces → can use setuid sandbox w/o actual setuid root executable.
    • OpenH264 sandboxing just needs build peer review.
    • Have patches to separate sandbox into its own .so, to be able to import more Chromium code.
      • e.g., the file open broker, unsafe warn-only mode, setuid sandbox, …
  • Mac sandboxing
    • Steven is working on starting the sandbox from GMPChild::OnChannelConnected(), instead of from GMPChild::Init(), as we're doing on other platforms. This way IPC setup is guaranteed to be finished. He has a working patch, but it needs refinement and testing.

Round table

  • what signal gets sent when we violate the sandbox (the idea is we want to crash on sandbox violations, and have Breakpad produce stack traces).
    • Linux/B2G: SIGSYS, and crash reporter integration is already there
    • Mac: It's not SIGSYS. As best I can tell, we receive no notification at all.
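The Linux/B2G answer above can be seen end to end in a small stand-alone program. This is an added example, not code from the meeting or from Gecko's sandbox: a seccomp-bpf filter returns SECCOMP_RET_TRAP for one forbidden syscall, the kernel delivers SIGSYS to the offending thread, and a SA_SIGINFO handler reads the syscall number out of si_syscall and reports it before exiting, which is the point at which a crash reporter hook would capture a stack. The choice of uname as the blocked syscall, the x86_64/aarch64 architecture pinning and the pipe used for reporting are all constructed for the demo.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pin the ABI: a filter that skips this check can be bypassed via another
 * syscall table (e.g. 32-bit compat). Demo assumption: x86_64 or aarch64. */
#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "demo only supports x86_64 and aarch64"
#endif

/* The syscall this demo forbids; chosen arbitrarily for illustration. */
#define DEMO_BLOCKED_NR __NR_uname

/* Write end of the reporting pipe; global so the signal handler can reach it. */
static volatile int report_fd = -1;

/* SIGSYS handler: record which syscall tripped the filter, then exit.
 * si_syscall is filled in by the kernel for SIGSYS; write() is still allowed. */
static void on_sigsys(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    int nr = si->si_syscall;
    ssize_t r = write(report_fd, &nr, sizeof nr);
    (void)r;
    _exit(0);
}

/* Allow everything except DEMO_BLOCKED_NR, which traps instead of executing. */
static int install_filter(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),        /* wrong ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_BLOCKED_NR, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),        /* blocked: SIGSYS */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };
    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork a child, sandbox it, make it violate the policy, and return the syscall
 * number its SIGSYS handler reported (-1 if no SIGSYS report arrived). */
int run_violation_demo(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fds[0]);
        report_fd = fds[1];
        struct sigaction sa;
        memset(&sa, 0, sizeof sa);
        sa.sa_sigaction = on_sigsys;
        sa.sa_flags = SA_SIGINFO;
        sigaction(SIGSYS, &sa, NULL);
        if (install_filter() != 0)
            _exit(2);                       /* seccomp unavailable */
        struct utsname u;
        syscall(DEMO_BLOCKED_NR, &u);       /* traps; should never return */
        int nr = -1;
        ssize_t r = write(report_fd, &nr, sizeof nr);
        (void)r;
        _exit(1);
    }
    close(fds[1]);
    int reported = -1;
    if (read(fds[0], &reported, sizeof reported) != (ssize_t)sizeof reported)
        reported = -1;
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    return reported;
}

int main(void)
{
    int nr = run_violation_demo();
    printf(nr == DEMO_BLOCKED_NR ? "SIGSYS delivered for blocked syscall %d\n"
                                 : "no SIGSYS report (got %d)\n", nr);
    return nr == DEMO_BLOCKED_NR ? 0 : 1;
}
```

Build with `cc demo.c -o demo` on a Linux kernel with seccomp-bpf support and run it; the child reports the number of the trapped syscall and exits from the handler, while the parent stays alive to collect the report. Without a handler installed, the default action for SIGSYS is to terminate the process with a core dump, which is the behaviour the crash reporter integration relies on.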

Actions