User:Tedd/B2G Supervisor

From MozillaWiki
Revision as of 22:52, 4 August 2014 by Tedd

In FirefoxOS (Boot2Gecko), the main system process, b2g, runs as the root user. b2g is exposed to a lot of input that a potential attacker controls, which makes it an attractive target for escalating to root privileges. Therefore b2g should run with non-root privileges (see b2g-no-root). This document gives an overview of the potential threats, the status of the supervisor development and future work.

Threats

One of the main questions is: what do we gain by running b2g as a non-root user? Here are some examples of what an attacker who has obtained root can do:

  • load kernel modules (install a rootkit)
  • overclock CPU (physically break the phone)
  • modifications that survive a factory reset (for example Cerberus for Android)
  • larger attack surface on the kernel

Development

b2g has been running with root privileges from the beginning, so developers paid little attention to which of their operations require root permissions. Currently, we drop the privileges of b2g to system and see what stops working.

Changes

This section covers the changes that have been made so far, to the system as well as to the code.

Filesystem

Some directories or files require system as their owner, so that b2g can access them:

Path           Owner   Group   Source code location
/data/b2g/     system  root    B2G/system/core/include/private/android_filesystem_config.h
/data/local/   system  root    B2G/system/core/rootdir/init.rc
/system/b2g/   system  root    B2G/system/core/include/private/android_filesystem_config.h

Code

Some things can only be changed at runtime by the program itself. We need to call setgroups() before lowering our privileges to system, since on Android the system user cannot be added to groups by default, and setgroups() itself needs root. After we have added ourselves to the right groups, we need to call setresuid() to drop all our privileges to system; this includes the effective UID, because if it isn't dropped as well, we could recover root privileges. setresuid() sets the real, effective and saved UIDs in one call. We need to add ourselves to the following groups (defined in B2G/system/core/include/private/android_filesystem_config.h).

Group          Reason
AID_SYSTEM     allows access to the filesystem with system as group
AID_MOUNT      allows access to /dev/socket/vold (volume daemon)
AID_INPUT      allows access to /dev/input/*
AID_INET       allows calling socket()
AID_NET_BT     allows creating Bluetooth sockets
AID_NET_ADMIN  allows calling setsockopt()
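A privilege-dropping routine in the order described above (supplementary groups first, then GIDs, then all three UIDs), as an added example that is not the b2g supervisor's own code. The numeric AID_* values are those defined in Android's android_filesystem_config.h (the copy in the B2G tree is authoritative), and ids_fully_dropped() and drop_to_system() are assumed helper names.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* glibc needs this for setresuid()/getresuid() */
#endif
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes repeated here in case unistd.h was already included without _GNU_SOURCE. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);

/* Numeric IDs as defined in Android's android_filesystem_config.h. */
#define AID_SYSTEM    1000
#define AID_INPUT     1004
#define AID_MOUNT     1009
#define AID_NET_BT    3002
#define AID_INET      3003
#define AID_NET_ADMIN 3005

/* Returns 1 when real, effective AND saved UID/GID all equal the target, else 0. */
int ids_fully_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return ru == uid && eu == uid && su == uid &&
           rg == gid && eg == gid && sg == gid;
}

/* Drop from root to system. Returns 0 on success, -1 (errno set) on failure. */
int drop_to_system(void)
{
    const gid_t groups[] = { AID_SYSTEM, AID_MOUNT, AID_INPUT, AID_INET, AID_NET_BT, AID_NET_ADMIN };
    /* Supplementary groups must be set while still root; later we lose the right to do so. */
    if (setgroups(sizeof groups / sizeof groups[0], groups) != 0)
        return -1;             /* EPERM here means we were not root to begin with */
    if (setresgid(AID_SYSTEM, AID_SYSTEM, AID_SYSTEM) != 0)
        return -1;
    if (setresuid(AID_SYSTEM, AID_SYSTEM, AID_SYSTEM) != 0)
        return -1;
    /* A saved UID of 0 would let setuid(0) restore root later, so verify all three changed. */
    if (!ids_fully_dropped(AID_SYSTEM, AID_SYSTEM)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}
```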