Security/Sandbox

From MozillaWiki
Revision as of 20:29, 11 December 2013 by Gdestuynder (talk | contribs) (Created page with "thumb||alt=The fox cannot escape the box.|The fox is safe in the sandbox. The fox cannot escape. = Sandboxing Firefox = This page tracks and explain how...")
[Image: The fox is safe in the sandbox. The fox cannot escape.]

Sandboxing Firefox

This page tracks and explains how sandboxing is being worked on for Firefox (OS, Desktop, etc.). Sandboxes use the process as the security boundary. The process model, i.e. how we split Firefox into processes and how those processes interact with each other, is common to all platforms. The implementation of the sandbox mechanism is independent, per platform. Firefox OS and Linux desktop Firefox use the same implementation.

[Image: Sandboxing basic architecture]

Documentation

  • How do I make my code work safely in the sandbox?
  • How does the Linux and B2G (seccomp-bpf) sandbox work?
    • B2G details
    • [TODO] TLDR equivalent of the above for seccomp only
  • How does the Windows sandbox work?
    • [TODO]

Roadmap (high-level)

This roadmap may evolve over time.

  1. Land sandbox implementation for all platforms with a not-very-restrictive whitelist
    1. [DONE] B2G
    2. [NEW] Windows
    3. [NEW] Linux
    4. [NEW] MacOS X (inactive)
    5. [NEW] Fennec (inactive)
  2. (Desktop) Help e10s Electrolysis
    1. FIXME
  3. Documentation efforts
    1. Sandbox implementations
      1. [ON TRACK] B2G
      2. [NEW] Windows
      3. [OK] Linux
      4. [NEW] MacOS X (inactive)
      5. [NEW] Fennec (inactive)
    2. Remoting
      1. [ON TRACK] Security/B2G/FirefoxOSCommsHardening
  4. Fix IPC issues
  5. Reduce whitelist by fixing/remoting APIs
    1. Achieve decent whitelist: no FS access, no process creation and no additional rights in child processes.
    2. Achieve good whitelist.

Status

Firefox OS / B2G

Firefox OS 1.2

Firefox OS 1.4

Dependencies (see bug 929277 for details):

ID | Summary | Status
912791 | [meta] Make seccomp b2g usable | RESOLVED
921817 | seccomp sandbox isn't enabled in non-preallocated child processes | RESOLVED
925119 | Gecko can call socketpair after sandbox initialization? | RESOLVED
932098 | seccomp-b2g support for ICS emulator / on TBPL | RESOLVED
932104 | Fix mochitests/reftests/... for b2g content process sandboxing | RESOLVED
943774 | The crash reporter doesn't work on seccomp-enabled non-profiling B2G builds. | RESOLVED
948620 | Add env variable to disable sandbox at runtime | RESOLVED
967967 | Children of Nuwa are being sandboxed twice and crashing. | RESOLVED
969040 | seccomp sandboxing doesn't affect non-main threads already started | RESOLVED
970562 | [Gonk][seccomp] seccomp violation: __NR_sched_getscheduler | RESOLVED
971128 | [Gonk][seccomp] seccomp violation: __NR_sched_yield | RESOLVED
971635 | [seccomp] Seccomp violation when taking a photo on Buri | RESOLVED
983518 | Homescreen sandbox crash on QRD kitkat | RESOLVED
989172 | Homescreen sandbox crash on QRD kitkat (again) | RESOLVED

14 Total; 0 Open (0%); 14 Resolved (100%); 0 Verified (0%);


NeedABug

  • [NEW] enable build/test devices (tbpl) to test with sandboxing


Permissions burndown

See seccomp_filter.h for the current list. Note: more syscalls could be removed, as some of them, while not a direct security issue, may give access to a kernel bug (for example, see do_brk()'s CVE-2003-0961).

Decent whitelist

To remove for achieving a "decent whitelist".

Syscalls | Risk | Description
fstat64(), stat64(), access() | Med | Information leak. Tells the process whether a file/path exists, and its attributes (inode, etc.; see man fstat64).
getdents64() | Med | Information leak. Lists directories.
open() | High | FS access: open files.
unlink() | High | FS access: delete files.

Good whitelist

To remove for achieving a "good whitelist".

Syscalls | Risk | Description
ioctl() | High | Mainly used for GL/graphics. To be removed and/or argument-filtered, see bug 920372.
sigprocmask() | Med | Change signals. We don't want signals to be rerouted in general.
prctl() | Med | Change process attributes, including security-relevant bits. Note: once removed, no child process can tighten its whitelist further either.
getpriority(), setpriority() | Med | Access priority attributes of target processes.
sched_setscheduler() | Med | Change scheduling policy/params of target processes.
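The seccomp-bpf mechanism behind both burndown tables, as an added example that is not Firefox's own filter (the real list lives in seccomp_filter.h): a minimal filter that makes the "decent whitelist" syscalls fail with EPERM instead of killing the process, so a violation is observable while testing. The denied set, the AUDIT_ARCH selection and the inclusion of openat() (which modern libc uses to implement open()) are assumptions of this example; argument filtering, as the "good whitelist" wants for ioctl(), is not shown.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)          /* seccomp_data.arch check: add other ABIs' AUDIT_ARCH_* as needed */
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#endif
/* Example set from the "decent whitelist" table, not Firefox's list; stat64/fstat64 (32-bit only) would go the same way. */
static const int denied_syscalls[] = {
    __NR_openat, __NR_getdents64,   /* on every Linux ABI; modern libc open() is openat() */
#ifdef __NR_open                    /* legacy path-based entry points, absent on aarch64 */
    __NR_open, __NR_access, __NR_unlink,
#endif
};
#define N_DENIED (sizeof denied_syscalls / sizeof denied_syscalls[0])
#define INS(x) (p[n++] = (struct sock_filter)x)  /* append one BPF instruction */
/* Plain-C mirror of the filter's decision: 1 if nr would get EPERM, 0 if allowed. */
int sandbox_denies(int nr) {
    for (size_t i = 0; i < N_DENIED; i++) if (denied_syscalls[i] == nr) return 1;
    return 0;
}
/* Emits: kill on foreign ABI, load nr, one compare+EPERM per denied syscall,
 * default allow. Returns the instruction count, or -1 if cap is too small. */
int build_filter(struct sock_filter *p, size_t cap) {
    size_t n = 0;
    if (cap < 5 + 2 * N_DENIED) return -1;
    INS(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    INS(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0));  /* match: skip the kill */
    INS(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL));
    INS(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    for (size_t i = 0; i < N_DENIED; i++) {
        INS(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)denied_syscalls[i], 0, 1));
        INS(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)));
    }
    INS(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    return (int)n;
}
/* Demo: NO_NEW_PRIVS lets an unprivileged process install the filter; open() then fails with EPERM. */
int main(void) {
    struct sock_filter prog[32];
    struct sock_fprog fprog = { .len = (unsigned short)build_filter(prog, 32), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog)) return 2;
    return (open("/etc/hostname", O_RDONLY) == -1 && errno == EPERM) ? 0 : 1;
}
```

Because the filter applies to the calling thread only, a real content process must install it before spawning threads (compare bug 969040 in the dependency list above).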


Linux Firefox

  • [DONE] Land Library bug 742434
  • [ON TRACK] Enable sandbox

Permissions burndown

Permission burn down list (see bug 942695 for details):

ID | Summary | Status
742434 | Enable seccomp-bpf for nightly desktop Firefox content processes on Linux | RESOLVED
936274 | Remove open() from seccomp-bpf whitelist for Linux/Desktop | RESOLVED
942696 | Remove access() from seccomp-bpf whitelist for Linux/Desktop | RESOLVED
942698 | Remove syscalls operating on filesystem paths and network addresses from seccomp-bpf whitelist for Linux/Desktop | RESOLVED

4 Total; 0 Open (0%); 4 Resolved (100%); 0 Verified (0%);


Windows Firefox

  • [DONE] Land Library bug 922756
  • [ON TRACK] Start using library to sandbox e10s processes unrestricted bug 925571
  • [NEW] List and prioritize permissions to shut off
  • [NEW] Burn down permission list

Permission List:

  • [ON TRACK] Use a separate Windows Desktop within the same Windows Station - bug 928061
  • [ON TRACK] Use a separate Windows Station + Desktop - bug 928055
  • [ON TRACK] Set low integrity on content processes for Windows sandboxing policy - bug 928062
  • more not yet posted

MacOS X Firefox

  • [NEW] Land Library -- bug 387248
  • [NEW] List and prioritize permissions to shut off
  • [NEW] Burn down permission list

Permission List:

TBD

Future work

These are some things that we need to attack next (after a basic sandbox).

  • GPU remoting
  • (Desktop) Accessibility support
  • Process Model
    • Parent process as enforcing + ACL check only?
  • Resource limits
  • (Desktop) DevTools support

Contact

Some folks from the SecurityEngineering team:

  • briansmith, mmc, keeler, grobinson, ckerschb, sid, and bbondy.

Some folks from the Firefox OS Security team:

  • pauljt and kang.


Additional resources

Sandboxing

Not up to date/Archived

Related projects