Overview

Security Sandboxing makes use of child processes as a security boundary. The process model, i.e. how Firefox is split into various processes and how these processes interact between each other is common to all platforms. For more information see the Electrolysis wiki page. The security aspects of a sandboxed child process are implemented on a per-platform basis. See the Platform Specifics section below for more information.

Current Status

Note that a 'level' value reflects unique sandbox security settings for each platform and process. Most processes only have two "active" levels, the current setting and a lower (previous released) setting. Level settings other than these two values carry no guarantee of altering security behavior, level settings are primarily a release rollout debugging feature.

[1] Level 1 available but disabled due to various regressions, see bug 1347710

Windows

Content

Sandbox security related setting are grouped together and associated with a security level. Lower level values indicate a less restrictive sandbox.

Windows Feature Header

Gecko Media Plugin

[1] depends on the media plugin

64-bit Plugin

• Firefox/win64 Wiki Page
• Release Announcement
• Windows 64-bit builds

OSX

Content Levels

[1] Level 1 restrictions are a subset of level 2. Level 2 restrictions are a subset of level 3.

See How security.sandbox.content.level Affects File Access and Filter rules for more details.

Gecko Media Plugins

Filter rules

Linux

Content

Filter ruleset

Filesystem access policy

Gecko Media Plugin

Filter ruleset

Preferences

Note - Levels greater than the current default for a particular process type are not implemented.

File System Restrictions

Sandboxing enforces file system write and read restrictions for XUL based add-on content (frame and process) scripts. To avoid issues as sandboxing features roll out add-on authors should update their legacy add-on code today such that content scripts no longer attempt to read or write from restricted locations. Note these restrictions do not affect WebExtension content script or XUL add-on script running in the browser process.

File system access rules for content processes, reverse precedence:

Debugging Features

Activity Logging

The following prefs control sandbox logging. Output is sent to the Browser Console when available, and to a developer console attached to the running browser process.

security.sandbox.logging.enabled (boolean)

security.sandbox.windows.log.stackTraceDepth (integer, Windows specific)

The following environment variables also triggers sandbox logging output:

MOZ_SANDBOX_LOGGING=1

OSX Specific

Sandbox violation logging is on by default when the sandbox is enabled. Use the Console.app application to view the logs.

Environment variables

Setting a custom environment in Windows

1) Close Firefox
2) Browser to the location of your Firefox install using Explorer
3) Shift + Right-click in the folder window where firefox.exe is located, select "Open command window here"
4) Add the environment variable(s) you wish to set to your command window -

set MOZ_DISABLE_NPAPI_SANDBOX=1(return)

5) enter firefox.exe and press enter to launch Firefox with your custom environment

Local Build Options

To disable building the sandbox completely build with this in your mozconfig:

ac_add_options --disable-sandbox

To disable just the content sandbox parts:

ac_add_options --disable-content-sandbox

Platform Specifics

Windows

Source Code Overview

The core of the Windows sandbox is Google's chromium sandbox. Relative to the root of mozilla-central, the sandbox exists at:

security/sandbox

The chromium sandbox is based on the chromium base libraries (Google's code) which are located at:

security/sandbox/chromium/base

There is also partial/shim code to get the base code compiling with our SDK build settings or to limit the base code by reducing dependencies at:

security/sandbox/chromium-shim/base

The chromium Windows sandbox itself (Google's code) is located at:

security/sandbox/chromium/sandbox/win

Processes Overview

There are 2 processes when dealing with a sandboxed application:

1. The broker: The parent process that starts sandboxed children
2. The target: The child process that is sandboxed

Both processes make use of the chromium sandbox library, but they make use of it indirectly through 2 libraries (Mozilla code). This indirect use of the library is due to header conflicts with the ipc layer where it has a different, much older, non compatible, copy of the chromium base library (bug 925471):

1. For the broker, ./security/sandbox/win/src/sandboxbroker
2. For the target, ./security/sandbox/win/src/sandboxtarget

Key source code locations

The sandboxed target process lowers its own privileges after initialization via these calls:
Content process
GMP process
NPAPI process

Level descriptions header:
http://mxr.mozilla.org/mozilla-central/source/security/sandbox/chromium/sandbox/win/src/security_level.h

The call that starts the sandboxed process in Firefox is:
https://dxr.mozilla.org/mozilla-central/rev/918df3a0bc1c/ipc/glue/GeckoChildProcessHost.cpp#1030

All of the code that sets policies can be found here:
http://dxr.mozilla.org/mozilla-central/source/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp

OSX

The OSX sandbox is based on the TrustedBSD MAC Framework. It is undocumented and considered private by Apple.

• Mozilla OSX Sandbox Ruleset wiki page
• OSX Sandbox
• OSX sandbox policy language

Linux

Linux sandboxing technologies generally fall into two categories: those that act on the semantics of operations (e.g., what happens when a filesystem path is resolved) and those that affect raw system calls (e.g., what happens when syscall #83 is invoked). There's a more detailed explanation in the blog post announcing seccomp-bpf, which is the main syscall-filtering facility.

We're primarily using seccomp-bpf because it's the only thing that's available everywhere (>99% of the Linux Firefox userbase, at last count). There are some weaknesses to using only seccomp-bpf:

• The possibility of overlooking obscure corner cases, like unnamed datagram sockets, that could allow privilege escalation.

• The seccomp-bpf policy can act on argument values, but can't dereference pointer arguments, like the path to open(); in such cases it's necessary to intercept the syscall and message an unsandboxed broker to validate and perform the operation, which adds latency and attack surface.

Semantic isolation, like changing the filesystem root or creating a separate network stack with no access to the real network (unsharing the network namespace), has traditionally required superuser privileges. There are two ways to get around this: unprivileged user namespaces and a setuid-root helper executable.

We're using unprivileged user namespaces for additional security where available; they don't require any system-level setup, and 88% of Linux Firefoxes are on a kernel that supports them, according to telemetry. The reason we don't require it (as, for example, gaol does) is the other 12%: some distributions disable the feature because it has its own security risks. (Briefly: it makes subtle changes to authorization semantics, and it exposes kernel attack surface that's normally restricted to root; both of these have led to local privilege escalation vulnerabilities in the past.)

But shipping a setuid-root executable *also* doesn't work for everyone: we support downloading and running Firefox as a regular user, without having it installed as a system package. There are also some changes that would be needed to how we create child processes and set up IPC communication with them, and invoke the chroot helper; and it complicates testing. Chromium used this approach in 2009 because there was no other choice; they would prefer to remove it but don't seem to have a timeline for doing so.

At the time of this writing (June 2017), namespace sandboxing is used only for media plugins (EME CDMs and OpenH264): content processes can't use any of it at least until audio is remoted.

Bug Lists

• Windows Content Process
  • sbwc1
    • low integrity sandbox support
    • Roll out level 1 sandbox policy to release. (completed, fx50)
  • sbwc2
    • file:/// isolation
    • User token removal, to limit User directory file access
    • use JOB_RESTRICTED to apply further global restrictions
    • printing tests
    • roll out level 3 to release
  • Need to scope out future milestones including:
    • using an alternate desktop
    • using an alternate winstation and desktop
    • general file system (and registry) read access restrictions (USER_RESTRICTED / UESR_LOCKDOWN)
    • JOB_LOCKDOWN
    • reducing exposure to system APIs
    • running at untrusted integrity level
    • use of lowbox token / AppContainers

• OSX Content Process
  • sbmc1
    • Roll out level 1 OSX security sandbox access ruleset. (completed, fx52)
    • Prevent file system write access
  • sbmc2
    • Home directory read access restrictions
    • file:/// isolation
    • roll out level2 OSX sandbox to release
  • sbmc3
    • TBD: Triage existing sandbox rules and define set to remove in milestone 3
    • File access: system /tmp and /var/folders/ and any other individual directories
    • Limit User directory file access

• Linux Content Process
  • sblc1
    • enable (heavily perforated) seccomp-bpf filter by default in Nightly
  • sblc2
    • land basic file system broker
    • remove/restrict file system write access
    • roll out entry level file broker to release
  • sblc3
    • remove/restrict file system read access
    • file:/// isolation?
    • remote pulseaudio work (BLOCKED on media work, TBD)
  • sblc4
    • remove/restrict socket access/modification and solve X11 problem
  • sblc5
    • make use of chroot and user namespaces

• Windows 64-bit NPAPI
  • sbwn1
  • (completed, fx52)

Triage Lists

• Triage list: http://is.gd/Mfb8L9
  • Lists any bug with sb?
  • Lists sandboxing component bugs that are not tracked by a milestone
  • Ignores sb+, sb-, and sb? bugs with needinfos
  • meta bugs
• sb? Triage List: http://is.gd/B3KscF
  • does not include needinfo bugs
• sb? needinfos: http://is.gd/dnSyBs
• webrtc specific sandboxing bugs: https://is.gd/c5bAe6
  • sb tracking + 'webrtc'

Communication

People

Repo Module Ownership

• Cross platform
• Windows
• OSX
• Linux/B2G

Links

• Electrolysis Wiki Page (lot of additional resource links)
• Chromium Sandbox
• Apple's Sandbox guide
• "Introducing Chrome's next-generation Linux sandbox" (seccomp-bpf related)
• Native Client on Wikipedia (Links to papers on Native Client's design and use of SFI, as well as papers on SFI itself.)
• Features of Protected Mode in Internet Explorer

Research

• Ian's Internal Research page (2012)

B2G Archive

• Firefox OS System Security page on MDN
• Sandboxing on b2g overview
• seccomp b2g filter perf data

B2G has always been “sandboxed” to some extent; every app/tab gets its own content process, which uses the Android security model: a separate uid per process, no group memberships, and kernel patches that require group membership for things like network access. But privilege escalation via kernel vulnerabilities is relatively common, so we also use the seccomp-bpf system call filter to reduce the attack surface that a compromised content process can directly access.

Older

• Old Meeting Notes