Security/Sandbox: Difference between revisions

→‎Content: Update windows content sandbox levels
(Add mention of the socket process for Mac.)
(→‎Content: Update windows content sandbox levels)
 
(13 intermediate revisions by 3 users not shown)
Line 9: Line 9:
* [https://wiki.mozilla.org/Security/Sandbox/Specifics Platform Specifics]
* [https://wiki.mozilla.org/Security/Sandbox/Specifics Platform Specifics]
* [https://wiki.mozilla.org/Security/Sandbox/Deny_Filesystem_Access File Restrictions Bug Research]
* [https://wiki.mozilla.org/Security/Sandbox/Deny_Filesystem_Access File Restrictions Bug Research]
* [https://wiki.mozilla.org/Sandbox/OS_X_Rule_Set OSX Filter Rule Set]
* [https://wiki.mozilla.org/Security/Sandbox/Hardening Hardening Research]
* [https://wiki.mozilla.org/Security/Sandbox/Hardening Hardening Research]
* [https://wiki.mozilla.org/Security/Sandbox/Process_model Process Model]
* [https://wiki.mozilla.org/Security/Sandbox/Process_model Process Model]
Line 37: Line 36:
|-
|-
|colspan="1"| [https://dxr.mozilla.org/mozilla-central/search?q=SetSecurityLevelForGPUProcess&redirect=true Windows (compositor)]
|colspan="1"| [https://dxr.mozilla.org/mozilla-central/search?q=SetSecurityLevelForGPUProcess&redirect=true Windows (compositor)]
|style='text-align:center;' colspan="2"|Level 0 [1]
|style='text-align:center;' colspan="2"|Level 1
|style='text-align:center;' colspan="1"|
|style='text-align:center;' colspan="1"|Level 1
|style='text-align:center;' colspan="1"|
|style='text-align:center;' colspan="1"|
|style='text-align:center;' colspan="1"|
|style='text-align:center;' colspan="1"|Level 1
|style='text-align:center;' colspan="1"|
|style='text-align:center;' colspan="1"|
|-
|-
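Review bot: the Windows (compositor) row now reports Level 1 in several columns and drops the "[1]" footnote that tied Level 0 to bug 1347710, yet the Roadmap added further down in this same revision still lists "Sandbox the GPU Process" (bug 1347710) as stalled on field issues; state explicitly which channels actually ship the GPU sandbox at Level 1 and which still run it disabled, or keep a footnote, so the status table and the roadmap do not contradict each other.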
Line 54: Line 53:
|style='text-align:center;' colspan="1"|Level 1
|style='text-align:center;' colspan="1"|Level 1
|style='text-align:center;' colspan="1"|Fx75
|style='text-align:center;' colspan="1"|Fx75
|-
| [https://dxr.mozilla.org/mozilla-central/search?q=SandboxBroker%3A%3ASetSecurityLevelForPluginProcess&redirect=true&case=true Windows 64bit (NPAPI Plugin)]
|style='text-align:center;' colspan="2"|enabled
|style='text-align:center;' colspan="2"|enabled
|style='text-align:center;' colspan="2"|enabled
|-
|-
| [https://searchfox.org/mozilla-central/source/security/sandbox/mac/SandboxPolicyContent.h OSX (content)]
| [https://searchfox.org/mozilla-central/source/security/sandbox/mac/SandboxPolicyContent.h OSX (content)]
Line 81: Line 75:
|style='text-align:center;' colspan="2"|disabled
|style='text-align:center;' colspan="2"|disabled
|style='text-align:center;' colspan="2"|disabled
|style='text-align:center;' colspan="2"|disabled
|-
| [https://searchfox.org/mozilla-central/source/security/sandbox/mac/SandboxPolicyFlash.h OSX (Flash NPAPI)]
|style='text-align:center;' colspan="2"|Level 1
|style='text-align:center;' colspan="2"|Level 1
|style='text-align:center;' colspan="2"|Level 1
|-
|-
| [https://dxr.mozilla.org/mozilla-central/search?q=class+ContentSandboxPolicy&redirect=true&case=true Linux (content)]
| [https://dxr.mozilla.org/mozilla-central/search?q=class+ContentSandboxPolicy&redirect=true&case=true Linux (content)]
Line 101: Line 90:


A 'level' value reflects unique sandbox security settings for each platform and process. Most processes only have two "active" levels, the current setting and a lower (previous released) setting. Level settings other than these two values carry no guarantee of altering security behavior, level settings are primarily a release rollout debugging feature.
A 'level' value reflects unique sandbox security settings for each platform and process. Most processes only have two "active" levels, the current setting and a lower (previous released) setting. Level settings other than these two values carry no guarantee of altering security behavior, level settings are primarily a release rollout debugging feature.
[1] Level 1 available but disabled due to various regressions with scrolling, see {{bug|1347710}}.


== Windows ==
== Windows ==
Line 112: Line 99:
{| class="wikitable"
{| class="wikitable"
|-
|-
! Sandbox Feature !! Level 0 !! Level 1 !! Level 2
! Sandbox Feature !! Level 6 !! Level 7 (Release) !! Level 8 (Nightly)
|-
|-
| Job Level || JOB_NONE || JOB_NONE || JOB_INTERACTIVE
| Job Level || JOB_LOCKDOWN || JOB_LOCKDOWN || JOB_LOCKDOWN
|-
|-
| Access Token Level || USER_NON_ADMIN || USER_NON_ADMIN || USER_INTERACTIVE
| Access Token Level || USER_LIMITED || USER_LIMITED || '''''USER_RESTRICTED'''''
|-
|-
| Alternate Desktop || no || no || no
| Alternate Desktop || YES || YES || YES
|-
|-
| Alternate Windows Station || no || no || no
| Alternate Windows Station || YES || YES || YES
|-
|-
| Initial Integrity Level || INTEGRITY_LEVEL_MEDIUM || INTEGRITY_LEVEL_LOW || INTEGRITY_LEVEL_LOW
| Initial Integrity Level || INTEGRITY_LEVEL_LOW || INTEGRITY_LEVEL_LOW || INTEGRITY_LEVEL_LOW
|-
|-
| Delayed Integrity Level || INTEGRITY_LEVEL_MEDIUM || INTEGRITY_LEVEL_LOW || INTEGRITY_LEVEL_LOW
| Delayed Integrity Level || INTEGRITY_LEVEL_LOW || '''''INTEGRITY_LEVEL_UNTRUSTED''''' || INTEGRITY_LEVEL_UNTRUSTED
|-
| Mitigations || None ||
MITIGATION_BOTTOM_UP_ASLR<br>
MITIGATION_HEAP_TERMINATE<br>
MITIGATION_SEHOP<br>
MITIGATION_DEP_NO_ATL_THUNK<br>
MITIGATION_DEP
||
MITIGATION_BOTTOM_UP_ASLR<br>
MITIGATION_HEAP_TERMINATE<br>
MITIGATION_SEHOP<br>
MITIGATION_DEP_NO_ATL_THUNK<br>
MITIGATION_DEP
|-
|-
| Delayed Mitigations || None ||
| Mitigations  
MITIGATION_STRICT_HANDLE_CHECKS<br>
MITIGATION_DLL_SEARCH_ORDER
||
MITIGATION_STRICT_HANDLE_CHECKS<br>
MITIGATION_DLL_SEARCH_ORDER
|}
 
{| class="wikitable"
|-
! Sandbox Feature !! Level 3 !! Level 4 !! Level 5 !! Level 6
|-
| Job Level || [http://searchfox.org/mozilla-central/rev/6c2dbacbba1d58b8679cee700fd0a54189e0cf1b/security/sandbox/chromium/sandbox/win/src/job.cc#38 JOB_RESTRICTED] || JOB_LOCKDOWN || JOB_LOCKDOWN || JOB_LOCKDOWN
|-
| Access Token Level || USER_LIMITED || USER_LIMITED || USER_LIMITED || USER_LIMITED
|-
| Alternate Desktop || no || YES || YES || YES
|-
| Alternate Windows Station || no || no || no || no
|-
| Initial Integrity Level || INTEGRITY_LEVEL_LOW || INTEGRITY_LEVEL_LOW || INTEGRITY_LEVEL_LOW || INTEGRITY_LEVEL_LOW
|-
| Delayed Integrity Level || INTEGRITY_LEVEL_LOW || INTEGRITY_LEVEL_LOW || INTEGRITY_LEVEL_LOW || INTEGRITY_LEVEL_LOW
|-
| Mitigations ||
MITIGATION_BOTTOM_UP_ASLR<br>
MITIGATION_HEAP_TERMINATE<br>
MITIGATION_SEHOP<br>
MITIGATION_DEP_NO_ATL_THUNK<br>
MITIGATION_DEP<br>
MITIGATION_EXTENSION_POINT_DISABLE
||
||
MITIGATION_BOTTOM_UP_ASLR<br>
MITIGATION_BOTTOM_UP_ASLR<br>
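Review bot: two things in the rewritten content-level table need a check. First, the row that now begins "| Mitigations" (replacing "| Delayed Mitigations || None ||") is followed by MITIGATION_STRICT_HANDLE_CHECKS and MITIGATION_DLL_SEARCH_ORDER, which are the delayed set; if that row is meant to be the delayed mitigations it should keep the "Delayed Mitigations" label, otherwise the table has two rows called "Mitigations". Second, the old Levels 3-6 table (now removed) gave "Alternate Windows Station || no" for Level 6, while the new Level 6 column says "YES"; either Level 6 semantics changed or one of the two is wrong, and the page should say which.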
Line 178: Line 122:
MITIGATION_EXTENSION_POINT_DISABLE<br>
MITIGATION_EXTENSION_POINT_DISABLE<br>
MITIGATION_IMAGE_LOAD_NO_REMOTE<br>
MITIGATION_IMAGE_LOAD_NO_REMOTE<br>
MITIGATION_IMAGE_LOAD_NO_LOW_LABEL
MITIGATION_IMAGE_LOAD_NO_LOW_LABEL<br>
MITIGATION_IMAGE_LOAD_PREFER_SYS32<br>
MITIGATION_CONTROL_FLOW_GUARD_DISABLE<br>
MITIGATION_WIN32K_DISABLE<br>
Locked Down Default DACL
||
||
MITIGATION_BOTTOM_UP_ASLR<br>
MITIGATION_BOTTOM_UP_ASLR<br>
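Review bot: the mitigation list added here includes MITIGATION_WIN32K_DISABLE for the content process, but the Roadmap section added in the same revision lists win32k.sys lockdown as still blocked (remote canvas, form widgets, look-and-feel, "Remaining win32k.sys blockers"); say whether the flag is applied by default at these levels or is gated behind a pref or Nightly, since a reader of the table alone would conclude win32k lockdown already ships.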
Line 188: Line 136:
MITIGATION_IMAGE_LOAD_NO_REMOTE<br>
MITIGATION_IMAGE_LOAD_NO_REMOTE<br>
MITIGATION_IMAGE_LOAD_NO_LOW_LABEL<br>
MITIGATION_IMAGE_LOAD_NO_LOW_LABEL<br>
MITIGATION_IMAGE_LOAD_PREFER_SYS32
MITIGATION_IMAGE_LOAD_PREFER_SYS32<br>
MITIGATION_CONTROL_FLOW_GUARD_DISABLE<br>
MITIGATION_WIN32K_DISABLE<br>
Locked Down Default DACL
||
||
MITIGATION_BOTTOM_UP_ASLR<br>
MITIGATION_BOTTOM_UP_ASLR<br>
Line 199: Line 150:
MITIGATION_IMAGE_LOAD_NO_LOW_LABEL<br>
MITIGATION_IMAGE_LOAD_NO_LOW_LABEL<br>
MITIGATION_IMAGE_LOAD_PREFER_SYS32<br>
MITIGATION_IMAGE_LOAD_PREFER_SYS32<br>
MITIGATION_CONTROL_FLOW_GUARD_DISABLE<br>
MITIGATION_WIN32K_DISABLE<br>
Locked Down Default DACL
Locked Down Default DACL
|-
|-
| Delayed Mitigations ||
| Delayed Mitigations  
MITIGATION_STRICT_HANDLE_CHECKS<br>
MITIGATION_DLL_SEARCH_ORDER
||
||
MITIGATION_STRICT_HANDLE_CHECKS<br>
MITIGATION_STRICT_HANDLE_CHECKS<br>
Line 217: Line 168:
[http://mxr.mozilla.org/mozilla-central/source/security/sandbox/chromium/sandbox/win/src/security_level.h Windows Feature Header]
[http://mxr.mozilla.org/mozilla-central/source/security/sandbox/chromium/sandbox/win/src/security_level.h Windows Feature Header]


=== Gecko Media Plugin ===
=== Gecko Media Plugin (GMP) ===


{| class="wikitable"
{| class="wikitable"
Line 238: Line 189:
MITIGATION_HEAP_TERMINATE<br>
MITIGATION_HEAP_TERMINATE<br>
MITIGATION_SEHOP<br>
MITIGATION_SEHOP<br>
MITIGATION_EXTENSION_POINT_DISABLE<br>
MITIGATION_DEP_NO_ATL_THUNK<br>
MITIGATION_DEP_NO_ATL_THUNK<br>
MITIGATION_DEP
MITIGATION_DEP<br>
MITIGATION_NONSYSTEM_FONT_DISABLE<br>
MITIGATION_IMAGE_LOAD_NO_REMOTE<br>
MITIGATION_IMAGE_LOAD_NO_LOW_LABEL<br>
MITIGATION_CET_COMPAT_MODE<br>
Locked Down Default DACL
|-
|-
| Delayed Mitigations
| Delayed Mitigations
Line 249: Line 206:
[1] depends on the media plugin
[1] depends on the media plugin


=== 64-bit Plugin ===
=== Remote Data Decoder (RDD) ===


{| class="wikitable"
{| class="wikitable"
Line 255: Line 212:
! Sandbox Feature !! Level
! Sandbox Feature !! Level
|-
|-
| Job Level || JOB_UNPROTECTED
| Job Level || JOB_LOCKDOWN
|-
|-
| Access Token Level || USER_INTERACTIVE
| Access Token Level || USER_LIMITED
|-
|-
| Initial Integrity Level || INTEGRITY_LEVEL_LOW
| Initial Integrity Level || INTEGRITY_LEVEL_LOW
Line 263: Line 220:
| Delayed Integrity Level || INTEGRITY_LEVEL_LOW
| Delayed Integrity Level || INTEGRITY_LEVEL_LOW
|-
|-
| Alternate desktop || no
| Alternate desktop || yes
|-
|-
| Mitigations
| Mitigations
Line 270: Line 227:
MITIGATION_HEAP_TERMINATE<br>
MITIGATION_HEAP_TERMINATE<br>
MITIGATION_SEHOP<br>
MITIGATION_SEHOP<br>
MITIGATION_EXTENSION_POINT_DISABLE<br>
MITIGATION_DEP_NO_ATL_THUNK<br>
MITIGATION_DEP_NO_ATL_THUNK<br>
MITIGATION_DEP
MITIGATION_DEP<br>
MITIGATION_NONSYSTEM_FONT_DISABLE<br>
MITIGATION_IMAGE_LOAD_NO_REMOTE<br>
MITIGATION_IMAGE_LOAD_NO_LOW_LABEL<br>
MITIGATION_IMAGE_LOAD_PREFER_SYS32<br>
MITIGATION_CET_COMPAT_MODE<br>
Locked Down Default DACL
|-
|-
| Delayed Mitigations
| Delayed Mitigations
||
||
MITIGATION_STRICT_HANDLE_CHECKS<br>
MITIGATION_DYNAMIC_CODE_DISABLE<br>
MITIGATION_DLL_SEARCH_ORDER<br>
MITIGATION_FORCE_MS_SIGNED_BINS
|}
|}


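Review bot: the RDD delayed mitigations now list MITIGATION_FORCE_MS_SIGNED_BINS (Code Integrity Guard), but the 2020 H2 roadmap below still carries "Enable CIG in RDD" (bug 1620114) as open work; either the table is ahead of what ships or the roadmap entry is stale, so mark the row with the channel or pref it depends on.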
Line 300: Line 268:


The socket process policy is defined in [https://searchfox.org/mozilla-central/source/security/sandbox/mac/SandboxPolicySocket.h SandboxPolicySocket.h]. At this time (May 2020), the socket process sandbox is only used on the Nightly channel and only for WebRTC networking.
The socket process policy is defined in [https://searchfox.org/mozilla-central/source/security/sandbox/mac/SandboxPolicySocket.h SandboxPolicySocket.h]. At this time (May 2020), the socket process sandbox is only used on the Nightly channel and only for WebRTC networking.
=== NPAPI Flash Process ===
Enabled in Firefox starting with build 62. The Mac Flash sandbox is enabled at level 1. Some features are affected by the Sandbox and those are documented in [https://support.mozilla.org/en-US/kb/changes-affecting-adobe-flash-firefox-mac "Changes affecting Adobe Flash on Firefox for Mac" on support.mozilla.org]. The Flash policy is defined in [https://searchfox.org/mozilla-central/source/security/sandbox/mac/SandboxPolicyFlash.h SandboxPolicyFlash.h].


== Linux ==
== Linux ==
Line 329: Line 293:
* Everything from level 1-3
* Everything from level 1-3
* Network access including local sockets
* Network access including local sockets
** Excludes X11 socket
* System V IPC
* System V IPC
** Unless fgxlrx or VirtualGL is in use
** Unless fgxlrx or VirtualGL is in use
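Review bot: dropping "Excludes X11 socket" from the Level 4 list changes the documented reach of that level, since local socket access now reads as fully cut off; if X11 connections are now also blocked at Level 4, add a line saying how the content process reaches the display (broker, GPU process, or pre-opened connection), and if they are still allowed, keep the exclusion.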
Line 371: Line 334:
|-
|-
| Windows NPAPI Plugin || numerical || dom.ipc.plugins.sandbox-level.default<br>dom.ipc.plugins.sandbox-level.<plugintype>
| Windows NPAPI Plugin || numerical || dom.ipc.plugins.sandbox-level.default<br>dom.ipc.plugins.sandbox-level.<plugintype>
|-
| OS X NPAPI Plugin || numerical || dom.ipc.plugins.sandbox-level.default<br>dom.ipc.plugins.sandbox-level.flash
|-
|-
| Compositor || numerical || security.sandbox.gpu.level
| Compositor || numerical || security.sandbox.gpu.level
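Review bot: the "Windows NPAPI Plugin" pref row (dom.ipc.plugins.sandbox-level.default / .<plugintype>) is kept while the OS X NPAPI row is removed and the Windows 64bit (NPAPI Plugin) status row was deleted earlier in this revision; remove the Windows row as well, or note that the prefs remain but no longer control a shipped process.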
Line 426: Line 387:


# Launch the OS X Console app (/Applications/Utilities/Console.app) and filter on "plugin-container".
# Launch the OS X Console app (/Applications/Utilities/Console.app) and filter on "plugin-container".
# Either set the pref '''security.sandbox.logging.enabled=true''' and restart the browser OR launch the browser with the '''MOZ_SANDBOX_LOGGING''' environment variable set. Just setting the environment variable '''MOZ_SANDBOX_MAC_FLASH_LOGGING''' enables logging only for the OS X NPAPI Flash Plugin sandbox when it is enabled.
# Either set the pref '''security.sandbox.logging.enabled=true''' and restart the browser OR launch the browser with the '''MOZ_SANDBOX_LOGGING''' environment variable set.
 
* If Console.app is not already running at the time of the sandbox violation, the violation is not reliably logged.
* As of build 56, where filesystem read access restrictions were tightened, running Firefox always triggers sandbox violations and these will be logged. For example, plugin-container attempts to access /Applications and /Users (bug 1378968). We want to address these when possible, but some violations are complicated to avoid or are triggered by OS X library code that can't be avoided yet.


=== Linux specific Sandbox Logging ===
=== Linux specific Sandbox Logging ===
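Review bot: removing the MOZ_SANDBOX_MAC_FLASH_LOGGING sentence is fine, but the two bullets that went with it (violations are not reliably logged unless Console.app is already running, and a default run always produces some violations, bug 1378968) are not Flash-specific and are exactly what someone debugging a Mac sandbox denial needs; keep at least the Console.app caveat.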
Line 457: Line 415:
|Disable GPU process sandbox
|Disable GPU process sandbox
|Windows
|Windows
|-
|MOZ_DISABLE_RDD_SANDBOX
|Disable Data Decoder process sandbox
|All
|-
|MOZ_DISABLE_SOCKET_PROCESS_SANDBOX
|Disable Socket Process process sandbox
|All
|}
|}


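Review bot: in the new MOZ_DISABLE_SOCKET_PROCESS_SANDBOX row the description reads "Disable Socket Process process sandbox" (duplicated "process"); also, its platform cell says "All" while the Mac section above says the socket process sandbox is currently Nightly-only and WebRTC-only, so either qualify the cell or add a footnote.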
Line 503: Line 469:
* webrtc specific sandboxing bugs: https://is.gd/c5bAe6
* webrtc specific sandboxing bugs: https://is.gd/c5bAe6
** sb tracking + 'webrtc'
** sb tracking + 'webrtc'
= Roadmap =
==2020 H1 - Main work focus==
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1464032 Remote Canvas Drawing operations],
** Prerequisite for win32k.sys lockdown.
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1381938 Remote Form widget drawing],
** Prerequisite for win32k.sys lockdown.
** Follow-ups in [https://bugzilla.mozilla.org/show_bug.cgi?id=1615105 Bug for defaulting it on]
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1642621 Remote WebGL drawing],
** See also [https://bugzilla.mozilla.org/show_bug.cgi?id=1632249 Out-of-process WebGL compositing].
** Follow-ups in [https://bugzilla.mozilla.org/show_bug.cgi?id=1642621 Make it shippable bug].
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1347710 Sandbox the GPU Process].
** Stalled on non-reproducible [https://bugzilla.mozilla.org/show_bug.cgi?id=1630860 field issues].
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1400317 Remote Look and Feel + Theming].
** Prerequisite for win32k.sys lockdown.
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1550900 Shared memory with read-only and read/write mode].
** Security and memory usage win.
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1440203 Use memfd_create for shared memory].
** Performance win and would solve many issues with people running into problems with the default docker/kubernetes configurations that only give a tiny amount of shared memory.
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1620118 Enable further telemetry for third-party process injection].
==2020 H2 - Main work focus==
* Carry-over of win32k.sys lockdown prerequisites from 2020 H1.
* Carry-over of stalled GPU sandboxing work.
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1381019 Remaining win32k.sys blockers].
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1620114 Enable CIG in RDD].
** Investigate/experiment with feasibility of shipping CIG in content.


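Review bot: under "Remote WebGL drawing" the headline link and the "Make it shippable bug" follow-up both point at bug 1642621; one of the two is presumably a different bug number, and as written the follow-up adds nothing.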
= Communication =
= Communication =
Line 509: Line 503:
  | Weekly Team Meeting
  | Weekly Team Meeting
|| Thursday at 8:00am PT
|| Thursday at 8:00am PT
* Vidyo: "PlatInt" room
* Zoom: By invitation, ask gcp@mozilla.com
* Invitation: Contact Jim Mathies to get added to the meeting invite list.
* [https://wiki.mozilla.org/Security/Sandbox/Meeting_Notes Meeting Notes Archive]
* [https://wiki.mozilla.org/Security/Sandbox/Meeting_Notes Meeting Notes Archive]
|-
|-
| IRC
| Matrix
||
* Server: irc.mozilla.org
* Channel: [irc://irc.mozilla.org/e10s #boxing]
|-
| Newsgroup/Mailing List
||  
||  
* [mailto:boxing@lists.mozilla.org boxing@lists.mozilla.org]
* Server: chat.mozilla.org
* Channel: [https://chat.mozilla.org/#/room/#hardening:mozilla.org #hardening]
|-
|-
|}
|}
Line 529: Line 518:
| Engineering Management
| Engineering Management
||
||
* Jim Mathies (jimm)
* Gian-Carlo Pascutto (gcp)
|-
|-
| Project Management
| Project Management
||
||
* TBD
* N/A
|-
|-
| QA
| QA
||
||
* Tracy Walker (Quality Assurance Lead)
* N/A
|-
|-
| Development Team
| Development Team
Line 543: Line 532:
* Haik Aftandilian (haik)
* Haik Aftandilian (haik)
* Jed Davis (jld)
* Jed Davis (jld)
* Alex Gaynor (Alex_Gaynor)
* Chris Martin (cmartin)
* Bob Owen (bobowen)
* Bob Owen (bobowen)
* David Parks (handyman)
* David Parks (handyman)
Line 551: Line 540:


= Repo Module Ownership =
= Repo Module Ownership =
* [[Modules/Core#Sandboxing|Cross platform]]
* [[Modules/Core#Sandboxing_-_Windows|Windows]]
* [[Modules/Core#Sandboxing_-_Windows|Windows]]
* [[Modules/Core#Sandboxing_-_OSX|OSX]]
* [[Modules/Core#Sandboxing_-_OSX|OSX]]
* [[Modules/Core#Sandboxing_-_Linux_.26_B2G|Linux/B2G]]
* [[Modules/Core#Sandboxing_-_Linux|Linux]]


= Links =
= Links =
Line 565: Line 553:
* [http://en.wikipedia.org/wiki/Google_Native_Client Native Client on Wikipedia] (Links to papers on Native Client's design and use of SFI, as well as papers on SFI itself.)
* [http://en.wikipedia.org/wiki/Google_Native_Client Native Client on Wikipedia] (Links to papers on Native Client's design and use of SFI, as well as papers on SFI itself.)
* [https://msdn.microsoft.com/en-us/library/windows/desktop/ff966517%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396 Features of Protected Mode in Internet Explorer]
* [https://msdn.microsoft.com/en-us/library/windows/desktop/ff966517%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396 Features of Protected Mode in Internet Explorer]
== Research ==
* [https://intranet.mozilla.org/User:Imelven@mozilla.com/Sandboxing Ian's Internal Research page (2012)]


== B2G Archive ==
== B2G Archive ==
Line 575: Line 560:


B2G has always been “sandboxed” to some extent; every app/tab gets its own content process, which uses the Android security model: a separate uid per process, no group memberships, and kernel patches that require group membership for things like network access.  But privilege escalation via kernel vulnerabilities is relatively common, so we also use the seccomp-bpf system call filter to reduce the attack surface that a compromised content process can directly access.
B2G has always been “sandboxed” to some extent; every app/tab gets its own content process, which uses the Android security model: a separate uid per process, no group memberships, and kernel patches that require group membership for things like network access.  But privilege escalation via kernel vulnerabilities is relatively common, so we also use the seccomp-bpf system call filter to reduce the attack surface that a compromised content process can directly access.
== Older ==
* [https://docs.google.com/a/mozilla.com/document/d/1qS4Q1goehqy-55hIQEsEA_XY3lF4xfFColNKQm37KSg/edit?usp=sharing Old Meeting Notes]