Security/Sandbox
Overview
Security Sandboxing makes use of child processes as a security boundary. The process model, i.e. how Firefox is split into various processes and how these processes interact between each other is common to all platforms. For more information see the Electrolysis wiki page. The security aspects of a sandboxed child process are implemented on a per-platform basis. See the Platform Specifics section below for more information.
Current Status
Sandbox | Trunk | Aurora | Beta | Release | ||||
---|---|---|---|---|---|---|---|---|
Level | Level | Version | Level | Version | Level | Version | ||
Windows (content) | Level 2 | Level 1 | Fx50 | Level 1 | Fx50 | |||
Windows (GMP) | enabled | enabled | enabled | enabled | ||||
Windows 64bit (NPAPI Plugin) | enabled | enabled | enabled | enabled | ||||
OSX (content) | Level 2 | |||||||
OSX (GMP) | enabled | enabled | enabled | enabled | ||||
Linux (content) | Level 2 | |||||||
Linux (GMP) | enabled | enabled | enabled | enabled |
DXR search for the current sandbox preferences.
Windows
Content
Sandbox Feature | Level 0 | Level 1 | Level 2 | Level 10 | Level 20 |
---|---|---|---|---|---|
Job Level | JOB_NONE | JOB_NONE | JOB_INTERACTIVE | JOB_RESTRICTED | JOB_LOCKDOWN |
Access Token Level | USER_NON_ADMIN | USER_NON_ADMIN | USER_INTERACTIVE | USER_LIMITED | USER_LOCKDOWN |
Alternate Desktop | yes | yes | |||
Initial Integrity Level | INTEGRITY_LEVEL_MEDIUM | INTEGRITY_LEVEL_LOW | INTEGRITY_LEVEL_LOW | INTEGRITY_LEVEL_LOW | INTEGRITY_LEVEL_LOW |
Delayed Integrity Level | INTEGRITY_LEVEL_MEDIUM | INTEGRITY_LEVEL_LOW | INTEGRITY_LEVEL_LOW | INTEGRITY_LEVEL_LOW | INTEGRITY_LEVEL_UNTRUSTED |
Mitigations |
MITIGATION_BOTTOM_UP_ASLR |
MITIGATION_BOTTOM_UP_ASLR |
MITIGATION_BOTTOM_UP_ASLR |
MITIGATION_BOTTOM_UP_ASLR | |
Delayed Mitigations |
MITIGATION_STRICT_HANDLE_CHECKS |
MITIGATION_STRICT_HANDLE_CHECKS |
MITIGATION_STRICT_HANDLE_CHECKS |
MITIGATION_STRICT_HANDLE_CHECKS |
Gecko Media Plugin
Sandbox Feature | Level |
---|---|
Job Level | JOB_LOCKDOWN |
Access Token Level | USER_LOCKDOWN, USER_RESTRICTED[1] |
Initial Integrity Level | INTEGRITY_LEVEL_LOW |
Delayed Integrity Level | INTEGRITY_LEVEL_UNTRUSTED |
Alternate desktop | yes |
Mitigations |
MITIGATION_BOTTOM_UP_ASLR |
Delayed Mitigations |
MITIGATION_STRICT_HANDLE_CHECKS |
[1] depends on the media plugin
64-bit Plugin
Released with known issues that break certain Flash features. If you're testing 64-bit builds and come across Flash issues please file a bug.
Sandbox Feature | Level |
---|---|
Job Level | JOB_UNPROTECTED |
Access Token Level | USER_INTERACTIVE |
Initial Integrity Level | INTEGRITY_LEVEL_LOW |
Delayed Integrity Level | INTEGRITY_LEVEL_LOW |
Alternate desktop | no |
Mitigations |
MITIGATION_BOTTOM_UP_ASLR |
Delayed Mitigations |
OSX
Content
Gecko Media Plugins
Linux
Content
Gecko Media Plugin
Platform Specifics
Windows
Source Code Overview
The core of the Windows sandbox is Google's chromium sandbox. Relative to the root of mozilla-central, the sandbox exists at:
security/sandbox
The chromium sandbox is based on the chromium base libraries (Google's code) which are located at:
security/sandbox/chromium/base
There is also partial/shim code to get the base code compiling with our SDK build settings or to limit the base code by reducing dependencies at:
security/sandbox/chromium-shim/base
The chromium Windows sandbox itself (Google's code) is located at:
security/sandbox/chromium/sandbox/win
Processes Overview
There are 2 processes when dealing with a sandboxed application:
- The broker: The parent process that starts sandboxed children
- The target: The child process that is sandboxed
Both processes make use of the chromium sandbox library, but they make use of it indirectly through 2 libraries (Mozilla code). This indirect use of the library is due to header conflicts with the ipc layer where it has a different, much older, non compatible, copy of the chromium base library:
- For the broker, ./security/sandbox/win/src/sandboxbroker
- For the target, ./security/sandbox/win/src/sandboxtarget
Build settings
To disable building the sandbox completely build with this in your mozconfig:
ac_add_options --disable-sandbox
To disable just the content sandbox parts:
ac_add_options --disable-content-sandbox
Environment variables
Disable content process sandbox | MOZ_DISABLE_CONTENT_SANDBOX |
Disable media plugin sandbox | MOZ_DISABLE_GMP_SANDBOX |
Disable NPAPI process sandbox | MOZ_DISABLE_NPAPI_SANDBOX |
Allow weaker than default sandbox level | MOZ_ALLOW_WEAKER_SANDBOX |
Enable sandbox logging | MOZ_WIN_SANDBOX_LOGGING |
Key source code locations
The sandboxed target process lowers its own privileges after initialization via these calls:
Content process
GMP process
NPAPI process
Level descriptions header:
http://mxr.mozilla.org/mozilla-central/source/security/sandbox/chromium/sandbox/win/src/security_level.h
The call that starts the sandboxed process in Firefox is:
https://dxr.mozilla.org/mozilla-central/rev/918df3a0bc1c/ipc/glue/GeckoChildProcessHost.cpp#1030
All of the code that sets policies can be found here:
http://dxr.mozilla.org/mozilla-central/source/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
OSX
The OSX sandbox is based on the TrustedBSD MAC Framework. It is undocumented and considered private by Apple.
Linux
Seccomp stands for secure computing mode. It's a simple sandboxing tool in the Linux kernel, available since Linux version 2.6.12. When enabling seccomp, the process enters a "secure mode" where a very small number of system calls are available (exit(), read(), write(), sigreturn()). Writing code to work in this environment is difficult; for example, dynamic memory allocation (using brk() or mmap(), either directly or to implement malloc()) is not possible.
Seccomp-BPF is a more recent extension to seccomp, which allows filtering system calls with BPF (Berkeley Packet Filter) programs. Most of our Linux user base have systems that support seccomp-bpf.
These filters can be used to allow or deny an arbitrary set of system calls, as well as filter on system call arguments (numeric values only; pointer arguments can't be dereferenced). Additionally, instead of simply terminating the process, the filter can raise a signal, which allows the signal handler to simulate the effect of a disallowed system call (or simply gather more information on the failure for debugging purposes). Seccomp-bpf is available since Linux version 3.5 and is usable on the ARM architecture since Linux version 3.10. Several backports are available for earlier kernel versions.
For limitations that apply to the semantics of system calls (e.g., “can this process access the filesystem”, not “can this process use system call #83”) we require unprivileged user namespaces, which a large majority of desktop users don't support. Specifically: chroot()ing into a deleted directory to revoke FS access, and namespace unsharing for networking, SysV IPC if possible, and process IDs.
Bug Lists
Milestones
- Windows Content Process
- OSX Content Process
- sbmc1
- Roll out weak OSX security sandbox access ruleset
- Prevent file system write access
- sbmc2
- Home directory read access
- file:/// isolation?
- sbmc3
- TBD: Triage existing sandbox rules and define set to remove in milestone 3
- File access: system /tmp and /var/folders/ and any other individual directories
- sbmc1
- Linux Content Process
- sblc1
- enable (heavily perforated) seccomp-bpf filter by default in Nightly
- sblc2
- file system broker
- remove/restrict file system write access
- sblc3
- remove/restrict file system read access
- file:/// isolation?
- sblc4
- remove/restrict socket access/modification and solve X11 problem
- sblc5
- make use of chroot and user namespaces
- sblc1
- Windows 64-bit NPAPI
Triage Lists
- Triage list: http://is.gd/Mfb8L9
- Lists any bug with sb?
- Lists sandboxing component bugs that are not tracked by a milestone
- Ignores sb+, sb-, and sb? bugs with needinfos
- meta bugs
- sb? Triage List: http://is.gd/B3KscF
- does not include needinfo bugs
- sb? needinfos: http://is.gd/dnSyBs
Tracking Bugs
- Sandboxing Component
- bug 925570 Process sandboxing work
- bug 1011491 Tighten Windows GMP sandbox policies
- bug 1066612 Apply Chromium sandbox "process-level mitigations" to GMP process
- bug 1105816 Tighten Windows content sandbox policy
- bug 1083344 Tighten rules for Mac OS content process sandbox on 10.9 and 10.10
- bug 1149706 Remaining issues for content process sandboxing on the Mac
- bug 1123755 Tighten Windows NPAPI process sandbox policy
- bug 1196384 (sandbox-fs) Deny file system access for content processes
- bug 1124817 Move file access and API usage away from content process
- bug 1280415 Content sandbox issues on nightly desktop Firefox
Communication
Weekly Team Meeting | Thursday at 8:00am PT
|
IRC |
|
Newsgroup/Mailing List |
People
Engineering Management |
|
Project Management |
|
QA |
|
Development Team |
|
Other Teams |
|
Repo Module Ownership
Links
- Electrolysis Wiki Page (lot of additional resource links)
- Chromium Sandbox
- Apple's Sandbox guide
- "Introducing Chrome's next-generation Linux sandbox" (seccomp-bpf related)
- Native Client on Wikipedia (Links to papers on Native Client's design and use of SFI, as well as papers on SFI itself.)
- Features of Protected Mode in Internet Explorer
Research
B2G Archive
B2G has always been “sandboxed” to some extent; every app/tab gets its own content process, which uses the Android security model: a separate uid per process, no group memberships, and kernel patches that require group membership for things like network access. But privilege escalation via kernel vulnerabilities is relatively common, so we also use the seccomp-bpf system call filter to reduce the attack surface that a compromised content process can directly access.