Security/Sandbox: Difference between revisions
(→Content: Update Windows Level 4 policy) |
Alex gaynor (talk | contribs) (We have L3 on beta on Linux now!) |
||
Line 67: | Line 67: | ||
| [https://dxr.mozilla.org/mozilla-central/search?q=class+ContentSandboxPolicy&redirect=true&case=true Linux (content)] | | [https://dxr.mozilla.org/mozilla-central/search?q=class+ContentSandboxPolicy&redirect=true&case=true Linux (content)] | ||
|style='text-align:center;' colspan="2"|Level 3 | |style='text-align:center;' colspan="2"|Level 3 | ||
|style='text-align:center;' colspan="1"|Level | |style='text-align:center;' colspan="1"|Level 3 | ||
|style='text-align:center;' colspan="1"| | |style='text-align:center;' colspan="1"| Fx57 | ||
|style='text-align:center;' colspan="1"|Level 2 | |style='text-align:center;' colspan="1"|Level 2 | ||
|style='text-align:center;' colspan="1"| Fx54 | |style='text-align:center;' colspan="1"| Fx54 |
Revision as of 13:57, 2 October 2017
Overview
Security Sandboxing makes use of child processes as a security boundary. The process model, i.e. how Firefox is split into various processes and how these processes interact between each other is common to all platforms. For more information see the Electrolysis wiki page. The security aspects of a sandboxed child process are implemented on a per-platform basis. See the Platform Specifics section below for more information.
Technical Docs
- Platform Specifics
- File Restrictions Bug Research
- OSX Filter Rule Set
- Hardening Research
- Process Model
Current Status
Sandbox | Trunk | Beta | Release | |||
---|---|---|---|---|---|---|
Level | Level | Version | Level | Version | ||
Windows (content) | Level 4 | Level 3 | Fx56 | Level 3 | Fx56 | |
Windows (compositor) | Level 0 [1] | |||||
Windows (GMP) | enabled | enabled | enabled | |||
Windows 64bit (NPAPI Plugin) | enabled | enabled | enabled | |||
OSX (content) | Level 3 | Level 3 | Fx56 | Level 3 | Fx56 | |
OSX (GMP) | enabled | enabled | enabled | |||
Linux (content) | Level 3 | Level 3 | Fx57 | Level 2 | Fx54 | |
Linux (GMP) | enabled | enabled | enabled |
A 'level' value reflects unique sandbox security settings for each platform and process. Most processes only have two "active" levels, the current setting and a lower (previous released) setting. Level settings other than these two values carry no guarantee of altering security behavior, level settings are primarily a release rollout debugging feature.
DEPRECATION WARNING - The current level system will be replaced by a configuration system that allows for more fine grain control over sandbox settings. Current target for this change is Firefox 57.
[1] Level 1 available but disabled due to various regressions, see bug 1347710
Windows
Content
Sandbox security related setting are grouped together and associated with a security level. Lower level values indicate a less restrictive sandbox.
Sandbox Feature | Level 0 | Level 1 | Level 2 |
---|---|---|---|
Job Level | JOB_NONE | JOB_NONE | JOB_INTERACTIVE |
Access Token Level | USER_NON_ADMIN | USER_NON_ADMIN | USER_INTERACTIVE |
Alternate Desktop | no | no | no |
Alternate Windows Station | no | no | no |
Initial Integrity Level | INTEGRITY_LEVEL_MEDIUM | INTEGRITY_LEVEL_LOW | INTEGRITY_LEVEL_LOW |
Delayed Integrity Level | INTEGRITY_LEVEL_MEDIUM | INTEGRITY_LEVEL_LOW | INTEGRITY_LEVEL_LOW |
Mitigations | None |
MITIGATION_BOTTOM_UP_ASLR |
MITIGATION_BOTTOM_UP_ASLR |
Delayed Mitigations | None |
MITIGATION_STRICT_HANDLE_CHECKS |
MITIGATION_STRICT_HANDLE_CHECKS |
Sandbox Feature | Level 3 | Level 4 |
---|---|---|
Job Level | JOB_RESTRICTED | JOB_LOCKDOWN |
Access Token Level | USER_LIMITED | USER_LIMITED |
Alternate Desktop | no | YES |
Alternate Windows Station | no | no |
Initial Integrity Level | INTEGRITY_LEVEL_LOW | INTEGRITY_LEVEL_LOW |
Delayed Integrity Level | INTEGRITY_LEVEL_LOW | INTEGRITY_LEVEL_LOW |
Mitigations |
MITIGATION_BOTTOM_UP_ASLR |
MITIGATION_BOTTOM_UP_ASLR |
Delayed Mitigations |
MITIGATION_STRICT_HANDLE_CHECKS |
MITIGATION_STRICT_HANDLE_CHECKS |
Gecko Media Plugin
Sandbox Feature | Level |
---|---|
Job Level | JOB_LOCKDOWN |
Access Token Level | USER_LOCKDOWN, USER_RESTRICTED[1] |
Initial Integrity Level | INTEGRITY_LEVEL_LOW |
Delayed Integrity Level | INTEGRITY_LEVEL_UNTRUSTED |
Alternate desktop | yes |
Mitigations |
MITIGATION_BOTTOM_UP_ASLR |
Delayed Mitigations |
MITIGATION_STRICT_HANDLE_CHECKS |
[1] depends on the media plugin
64-bit Plugin
Sandbox Feature | Level |
---|---|
Job Level | JOB_UNPROTECTED |
Access Token Level | USER_INTERACTIVE |
Initial Integrity Level | INTEGRITY_LEVEL_LOW |
Delayed Integrity Level | INTEGRITY_LEVEL_LOW |
Alternate desktop | no |
Mitigations |
MITIGATION_BOTTOM_UP_ASLR |
Delayed Mitigations |
OSX
Content Levels
Job Level | What's Blocked by the Sandbox? |
---|---|
Level 1 [1] |
|
Level 2 |
|
Level 3 |
|
[1] Level 1 restrictions are a subset of level 2. Level 2 restrictions are a subset of level 3.
See How security.sandbox.content.level Affects File Access and Filter rules for more details.
Gecko Media Plugins
Linux
Content Levels
Job Level | What's Blocked by the Sandbox? |
---|---|
Level 1 |
|
Level 2 |
|
Level 3 |
|
Content Rules
Gecko Media Plugin
Customization Settings
The Linux sandbox allows some amount of control over the sandbox policy through various about:config settings. These are meant to allow more non-standard configurations and exotic distributions to stay working - without compiling custom versions of Firefox - even if they can't be directly supported by the default configuration.
See Activity Logging for information on how to debug these scenarios.
security.sandbox.content.level
- See Content Levels above. Reducing this can help identify sandboxing as the cause of a problem, but you're better of trying the more fine grained permissions below.
security.sandbox.content.read_path_whitelist
security.sandbox.content.write_path_whitelist
- Comma-separated list of additional paths that the content process is allowed to read from or write to, respectively.
security.sandbox.content.syscall_whitelist
- Comma-seperated list of additional system call numbers that should be allowed in the content process. These affect the seccomp-bpf filter.
Preferences
Process Type | Preference Type | Preference |
---|---|---|
Content | numerical | security.sandbox.content.level |
NPAPI Plugin | boolean | dom.ipc.plugins.sandbox-level.default dom.ipc.plugins.sandbox-level.<plugintype> |
Compositor | numerical | security.sandbox.gpu.level |
Media | Embedded | N/A |
Note - Levels greater than the current default for a particular process type are not implemented.
File System Restrictions
Sandboxing enforces file system write and read restrictions for XUL based add-on content (frame and process) scripts. To avoid issues as sandboxing features roll out add-on authors should update their legacy add-on code today such that content scripts no longer attempt to read or write from restricted locations. Note these restrictions do not affect WebExtension content script or XUL add-on script running in the browser process.
File system access rules for content processes, reverse precedence:
Location | Access Type | Restriction |
---|---|---|
file system | read/write | deny by default |
install location | write | deny |
install location | read | allow |
system library locations | write | deny |
system library locations | read | allow |
profile/* | read/write | deny by default |
profile/extensions | write | deny |
profile/extensions | read | allow |
Debugging Features
Activity Logging
The following prefs control sandbox logging. On Windows, output is sent to the Browser Console when available, and to a developer console attached to the running browser process. On OSX, once enabled, violation log entries are visible in the Console.app (/Applications/Utilities/Console.app). On Linux, once enabled, violation log entries are logged on the command line console.
security.sandbox.logging.enabled (boolean)
security.sandbox.windows.log.stackTraceDepth (integer, Windows specific)
The following environment variables also triggers sandbox logging output:
MOZ_SANDBOX_LOGGING=1
OSX Specific Sandbox Logging
On Mac, sandbox violation logging is disabled by default. To enable logging,
- Launch the OS X Console app (/Applications/Utilities/Console.app) and filter on "plugin-container".
- Either set the pref security.sandbox.logging.enabled=true and restart the browser OR launch the browser with the MOZ_SANDBOX_LOGGING environment variable set.
- If Console.app is not already running at the time of the sandbox violation, the violation is not reliably logged.
- As of build 56, where filesystem read access restrictions were tightened, running Firefox always triggers sandbox violations and these will be logged. For example, plugin-container attempts to access /Applications and /Users (bug 1378968). We want to address these when possible, but some violations are complicated to avoid or are triggered by OS X library code that can't be avoided yet.
Linux specific Sandbox Logging
The following environment variable triggers extra sandbox debugging output:
MOZ_SANDBOX_LOGGING=1
Environment variables
ENVIRONMENT VARIABLE | DESCRIPTION | PLATFORM |
---|---|---|
MOZ_DISABLE_CONTENT_SANDBOX | Disables content process sandboxing for debugging purposes. | All |
MOZ_DISABLE_GMP_SANDBOX | Disable media plugin sandbox for debugging purposes | All |
MOZ_DISABLE_NPAPI_SANDBOX | Disable 64-bit NPAPI process sandbox | Windows |
MOZ_DISABLE_GPU_SANDBOX | Disable GPU process sandbox | Windows |
Setting a custom environment in Windows
1) Close Firefox
2) Browser to the location of your Firefox install using Explorer
3) Shift + Right-click in the folder window where firefox.exe is located, select "Open command window here"
4) Add the environment variable(s) you wish to set to your command window -
set MOZ_DISABLE_NPAPI_SANDBOX=1
(return)
5) enter firefox.exe and press enter to launch Firefox with your custom environment
Local Build Options
To disable building the sandbox completely build with this in your mozconfig:
ac_add_options --disable-sandbox
To disable just the content sandbox parts:
ac_add_options --disable-content-sandbox
Bug Lists
Priorities
Security/Process Sandboxing Lists
Triage Lists
- Triage list: http://is.gd/Mfb8L9
- Lists any bug with sb?
- Lists sandboxing component bugs that are not tracked by a milestone
- Ignores sb+, sb-, and sb? bugs with needinfos
- meta bugs
- sb? Triage List: http://is.gd/B3KscF
- does not include needinfo bugs
- sb? needinfos: http://is.gd/dnSyBs
- webrtc specific sandboxing bugs: https://is.gd/c5bAe6
- sb tracking + 'webrtc'
Communication
Weekly Team Meeting | Thursday at 8:00am PT
|
IRC |
|
Newsgroup/Mailing List |
People
Engineering Management |
|
Project Management |
|
QA |
|
Development Team |
|
Repo Module Ownership
Links
- Electrolysis Wiki Page (lot of additional resource links)
- Chromium Sandbox
- Apple's Sandbox guide
- "Introducing Chrome's next-generation Linux sandbox" (seccomp-bpf related)
- Native Client on Wikipedia (Links to papers on Native Client's design and use of SFI, as well as papers on SFI itself.)
- Features of Protected Mode in Internet Explorer
Research
B2G Archive
B2G has always been “sandboxed” to some extent; every app/tab gets its own content process, which uses the Android security model: a separate uid per process, no group memberships, and kernel patches that require group membership for things like network access. But privilege escalation via kernel vulnerabilities is relatively common, so we also use the seccomp-bpf system call filter to reduce the attack surface that a compromised content process can directly access.