FoxInABox
Documentation
Status
We have a plan. Take the e10s code, slap the Chromium sandbox around the content process, and get AdBlockPlus working with it.
FoxInABox/ThingsThatShouldWork
Tracking: bug 925570.
Platform specific:
FxOS / B2G
- [DONE] Land Library bug 742434
- [DONE] Tie in to process model bug 790923
- [ON TRACK] List and prioritize permissions to shut off
- [ON TRACK] Burn down permission list
- [ON TRACK] implement unit tests for sandbox
- [ON TRACK] enable build/test devices (tbpl) to test with sandboxing
Dependencies (see bug 918680 for details):
13 Total; 1 Open (7.69%); 12 Resolved (92.31%); 0 Verified (0%);
Permission burndown list (see http://hg.mozilla.org/mozilla-central/file/40c7c53fe9b0/security/sandbox/seccomp_filter.h for the current list):
| Syscall(s) | Priority | Rationale |
| ioctl() | High | Mainly used for GL/graphics. To be removed and/or argument-filtered, see bug 920372 |
| fstat64(), stat64(), access() | Med | Information leak. Tells the process whether a file/path exists, and its attributes (inode, etc.; see man fstat64) |
| getdents64() | Med | Information leak. Lists directories. |
| sigprocmask() | Med | Changes signal masks. We don't want signals to be rerouted in general. |
| open() | High | FS access: open files. |
| prctl() | Med | Changes process attributes, including security-relevant bits. Note: once removed, no child process can tighten its whitelist further either. |
| unlink() | High | FS access: delete files. |
| getpriority(), setpriority() | Med | Access priority attributes of target processes. |
| sched_setscheduler() | Med | Change scheduling policy/params of target processes. |
Note: more syscalls could be removed, since some of them, while not a direct security issue, may give access to a kernel bug (for example, see do_brk()'s CVE-2003-0961).
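The following is an added example, not code from the FoxInABox project or from mozilla-central's seccomp_filter.h. It shows the mechanism the burndown list feeds into: a seccomp-bpf program that checks the architecture, returns EPERM for a handful of the syscalls from the table (unlink/unlinkat, getdents64, sched_setscheduler), and allows everything else, plus a small interpreter so the policy can be checked offline before installing it with prctl(). The function names, the DEMO_ARCH macro and the path used in main are assumptions for the demo; the real content-process filter is a whitelist (as the prctl() row implies), whereas this denylist only keeps the mechanism visible.

```c
/* Added example: not code from the FoxInABox project or from mozilla-central's
 * security/sandbox/seccomp_filter.h. Builds a seccomp-bpf denylist for a few
 * syscalls from the burndown table, checks it offline, then installs it. Linux only. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#define MAX_INSNS 64

/* Table entries this demo denies (a content-process policy is a whitelist;
 * a denylist just keeps the mechanism visible). unlink() has no syscall of its
 * own on aarch64, so unlinkat is denied as well. */
static const int denied_syscalls[] = {
#ifdef SYS_unlink
    SYS_unlink,
#endif
    SYS_unlinkat, SYS_getdents64, SYS_sched_setscheduler,
};
#define N_DENIED (sizeof denied_syscalls / sizeof denied_syscalls[0])

/* Emit: kill on arch mismatch, load nr, EPERM for each denied nr, else allow.
 * Returns the instruction count, or -1 if buf is too small. */
int build_denylist_filter(struct sock_filter *buf, size_t cap, const int *nrs, size_t n)
{
    size_t i = 0;
    if (cap < 2 * n + 5) return -1;
    buf[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    buf[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0);
    buf[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    buf[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {
        buf[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)nrs[k], 0, 1);
        buf[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    }
    buf[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return (int)i;
}

/* Interpreter for the three instruction kinds the builder emits, so a policy
 * can be checked without installing it. Returns the SECCOMP_RET_* verdict. */
unsigned evaluate_filter(const struct sock_filter *prog, int len, unsigned arch, int nr)
{
    unsigned acc = 0;
    for (int pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            acc = in->k == offsetof(struct seccomp_data, nr) ? (unsigned)nr : arch;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += acc == in->k ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL; /* unsupported opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end: fail closed */
}

/* Build the demo policy and return its verdict for one (arch, nr) pair. */
unsigned demo_verdict(unsigned arch, int nr)
{
    struct sock_filter prog[MAX_INSNS];
    int len = build_denylist_filter(prog, MAX_INSNS, denied_syscalls, N_DENIED);
    return len < 0 ? SECCOMP_RET_KILL : evaluate_filter(prog, len, arch, nr);
}

int install_filter(struct sock_filter *prog, int len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    /* Unprivileged processes must set NO_NEW_PRIVS before installing a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    struct sock_filter prog[MAX_INSNS];
    int len = build_denylist_filter(prog, MAX_INSNS, denied_syscalls, N_DENIED);
    if (len < 0 || install_filter(prog, len) != 0) { perror("install_filter"); return 1; }
    /* Constructed path: unfiltered this fails with ENOENT; filtered, with EPERM. */
    if (unlink("/nonexistent/foxinabox-demo") == -1)
        printf("unlink: errno=%d (%s)\n", errno, errno == EPERM ? "filtered" : "not filtered");
    return 0;
}
```

Two points worth noting for a burndown exercise like the one in the table: the filter checks `seccomp_data.arch` first, because syscall numbers differ between ABIs and a number-only filter can be bypassed by switching ABI; and returning EPERM rather than killing the process is what makes incremental tightening practical, since a wrongly filtered call shows up as a failing syscall rather than a dead content process.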
Linux Firefox
- [DONE] Land Library bug 742434
- [ON TRACK] Tie in to process model
- [ON TRACK] List and prioritize permissions to shut off
- [ON TRACK] Burn down permission list
Permission List:
| TBD |
Windows Firefox
- [ON TRACK] Land Library bug 922756
- [NEW] Tie in to process model
- [NEW] List and prioritize permissions to shut off
- [NEW] Burn down permission list
Permission List:
- [ON TRACK] Use a separate Windows Desktop within the same Windows Station - bug 928061
- [ON TRACK] Use a separate Windows Station + Desktop - bug 928055
- [ON TRACK] Set low integrity on content processes for Windows sandboxing policy - bug 928062
- more not yet posted
MacOS X Firefox
- [NEW] Land Library -- bug 387248
- [NEW] Tie in to process model
- [NEW] List and prioritize permissions to shut off
- [NEW] Burn down permission list
Permission List:
| TBD |
Additional Pieces
These are some things that we need to attack next (after a basic sandbox).
- GPU remoting (TBD)
- Accessibility support
- Addon support path
- Process Model (evolving? 2? Per-Tab?)
- Incremental tightening plan
- Child process resource limits
- DevTools support
Resources
Sandboxing
- Features/Security/Low_rights_Firefox -- bug 730956
- Ian's sandboxing page
- Servo
- Chromium Sandbox
- seccomp sandboxing on b2g
- Apple's Sandbox guide
Related projects
- Electrolysis
- Embedding/IPCLiteAPI, https://github.com/tmeshkova/mozilla-central
- Native Client on Wikipedia - has links to papers on Native Client's design and use of SFI, as well as papers on SFI itself
- AMO/Squeaky, or Make Addons Awesome
How things work
Who we are
Some folks from the SecurityEngineering team: briansmith, mmc, keeler, grobinson, ckerschb, sid, and bbondy.
- Mailing list: boxing@lists.mozilla.org
- IRC: irc.mozilla.org #boxing