Security/Sandbox

From MozillaWiki
< Security
Revision as of 19:11, 26 July 2017 by Gpascutto (talk | contribs) (Typo fix for spurious [1])
Jump to navigation Jump to search

Overview

550px-Sandboxing basic architecture.png

Security Sandboxing makes use of child processes as a security boundary. The process model, i.e. how Firefox is split into various processes and how these processes interact between each other is common to all platforms. For more information see the Electrolysis wiki page. The security aspects of a sandboxed child process are implemented on a per-platform basis. See the Platform Specifics section below for more information.

Technical Docs

Platform Specifics

Current Status

Sandbox Trunk Beta Release
Level Level Version Level Version
Windows (content) Level 3 Level 1 Fx50 Level 1 Fx50
Windows (compositor) Level 0 [1]
Windows (GMP) enabled enabled enabled
Windows 64bit (NPAPI Plugin) enabled enabled enabled
OSX (content) Level 3 Level 1 Fx52 Level 1 Fx52
OSX (GMP) enabled enabled enabled
Linux (content) Level 3 Level 2 Fx54 Level 2 Fx54
Linux (GMP) enabled enabled enabled

A 'level' value reflects unique sandbox security settings for each platform and process. Most processes only have two "active" levels, the current setting and a lower (previous released) setting. Level settings other than these two values carry no guarantee of altering security behavior, level settings are primarily a release rollout debugging feature.

DEPRECATION WARNING - The current level system will be replaced by a configuration system that allows for more fine grain control over sandbox settings. Current target for this change is Firefox 57.

[1] Level 1 available but disabled due to various regressions, see bug 1347710

Windows

Content

Sandbox security related setting are grouped together and associated with a security level. Lower level values indicate a less restrictive sandbox.

Sandbox Feature Level 0 Level 1 Level 2
Job Level JOB_NONE JOB_NONE JOB_INTERACTIVE
Access Token Level USER_NON_ADMIN USER_NON_ADMIN USER_INTERACTIVE
Alternate Desktop no no no
Alternate Windows Station no no no
Initial Integrity Level INTEGRITY_LEVEL_MEDIUM INTEGRITY_LEVEL_LOW INTEGRITY_LEVEL_LOW
Delayed Integrity Level INTEGRITY_LEVEL_MEDIUM INTEGRITY_LEVEL_LOW INTEGRITY_LEVEL_LOW
Mitigations None

MITIGATION_BOTTOM_UP_ASLR
MITIGATION_HEAP_TERMINATE
MITIGATION_SEHOP
MITIGATION_DEP_NO_ATL_THUNK
MITIGATION_DEP

MITIGATION_BOTTOM_UP_ASLR
MITIGATION_HEAP_TERMINATE
MITIGATION_SEHOP
MITIGATION_DEP_NO_ATL_THUNK
MITIGATION_DEP

Delayed Mitigations None

MITIGATION_STRICT_HANDLE_CHECKS
MITIGATION_DLL_SEARCH_ORDER

MITIGATION_STRICT_HANDLE_CHECKS
MITIGATION_DLL_SEARCH_ORDER

Sandbox Feature Level 3 Level 10 Level 20
Job Level JOB_RESTRICTED JOB_RESTRICTED JOB_LOCKDOWN
Access Token Level USER_LIMITED USER_LIMITED USER_LOCKDOWN
Alternate Desktop no yes yes
Alternate Windows Station no yes yes
Initial Integrity Level INTEGRITY_LEVEL_LOW INTEGRITY_LEVEL_LOW INTEGRITY_LEVEL_LOW
Delayed Integrity Level INTEGRITY_LEVEL_LOW INTEGRITY_LEVEL_LOW INTEGRITY_LEVEL_UNTRUSTED
Mitigations

MITIGATION_BOTTOM_UP_ASLR
MITIGATION_HEAP_TERMINATE
MITIGATION_SEHOP
MITIGATION_DEP_NO_ATL_THUNK
MITIGATION_DEP
MITIGATION_EXTENSION_POINT_DISABLE

MITIGATION_BOTTOM_UP_ASLR
MITIGATION_HEAP_TERMINATE
MITIGATION_SEHOP
MITIGATION_DEP_NO_ATL_THUNK
MITIGATION_DEP
MITIGATION_EXTENSION_POINT_DISABLE

MITIGATION_BOTTOM_UP_ASLR
MITIGATION_HEAP_TERMINATE
MITIGATION_SEHOP
MITIGATION_DEP_NO_ATL_THUNK
MITIGATION_DEP
MITIGATION_EXTENSION_POINT_DISABLE

Delayed Mitigations

MITIGATION_STRICT_HANDLE_CHECKS
MITIGATION_DLL_SEARCH_ORDER

MITIGATION_STRICT_HANDLE_CHECKS
MITIGATION_DLL_SEARCH_ORDER

MITIGATION_STRICT_HANDLE_CHECKS
MITIGATION_DLL_SEARCH_ORDER


Windows Feature Header

Gecko Media Plugin

Sandbox Feature Level
Job Level JOB_LOCKDOWN
Access Token Level USER_LOCKDOWN, USER_RESTRICTED[1]
Initial Integrity Level INTEGRITY_LEVEL_LOW
Delayed Integrity Level INTEGRITY_LEVEL_UNTRUSTED
Alternate desktop yes
Mitigations

MITIGATION_BOTTOM_UP_ASLR
MITIGATION_HEAP_TERMINATE
MITIGATION_SEHOP
MITIGATION_DEP_NO_ATL_THUNK
MITIGATION_DEP

Delayed Mitigations

MITIGATION_STRICT_HANDLE_CHECKS
MITIGATION_DLL_SEARCH_ORDER

[1] depends on the media plugin

64-bit Plugin

Sandbox Feature Level
Job Level JOB_UNPROTECTED
Access Token Level USER_INTERACTIVE
Initial Integrity Level INTEGRITY_LEVEL_LOW
Delayed Integrity Level INTEGRITY_LEVEL_LOW
Alternate desktop no
Mitigations

MITIGATION_BOTTOM_UP_ASLR
MITIGATION_HEAP_TERMINATE
MITIGATION_SEHOP
MITIGATION_DEP_NO_ATL_THUNK
MITIGATION_DEP

Delayed Mitigations

OSX

Content Levels

Job Level What's Blocked by the Sandbox?
Level 1
  • write access to most of the filesystem
  • inbound/outbound network I/O
  • exec, fork
  • printing
Level 2
  • write access to most of the filesystem
  • inbound/outbound network I/O
  • exec, fork
  • printing
  • read access to the profile directory (apart from the chrome and extensions subdirectories)
  • read access to ~/Library
Level 3
  • write access to most of the filesystem
  • read access to most of the filesystem
    • read access to the profile directory (apart from the chrome and extensions subdirectories)
    • read access to the home directory
  • inbound/outbound network I/O
  • exec, fork
  • printing

[1] Level 1 restrictions are a subset of level 2. Level 2 restrictions are a subset of level 3.

See How security.sandbox.content.level Affects File Access and Filter rules for more details.

Gecko Media Plugins

Filter rules

Linux

Content Levels

Job Level What's Blocked by the Sandbox?
Level 1
  • Many syscalls, including process creation
Level 2
  • Many syscalls, including process creation
  • Write access to the filesystem
    • Excludes shared memory, tempdir, video hardware
Level 3
  • Many syscalls, including process creation
  • Write access to the filesystem
    • Excludes shared memory, tempdir, video hardware
  • Read access to most of the filesystem
    • Excludes themes/GTK configuration, fonts, shared data and libraries

Content Rules

Filter ruleset

Filesystem access policy

Gecko Media Plugin

Filter ruleset

Preferences

Process Type Preference Type Preference
Content numerical security.sandbox.content.level
NPAPI Plugin boolean dom.ipc.plugins.sandbox-level.default
dom.ipc.plugins.sandbox-level.<plugintype>
Compositor numerical security.sandbox.gpu.level
Media Embedded N/A

Note - Levels greater than the current default for a particular process type are not implemented.

File System Restrictions

Sandboxing enforces file system write and read restrictions for XUL based add-on content (frame and process) scripts. To avoid issues as sandboxing features roll out add-on authors should update their legacy add-on code today such that content scripts no longer attempt to read or write from restricted locations. Note these restrictions do not affect WebExtension content script or XUL add-on script running in the browser process.

File system access rules for content processes, reverse precedence:

Location Access Type Restriction
file system read/write deny by default
install location write deny
install location read allow
system library locations write deny
system library locations read allow
profile/* read/write deny by default
profile/extensions write deny
profile/extensions read allow

Debugging Features

Activity Logging

The following prefs control sandbox logging. Output is sent to the Browser Console when available, and to a developer console attached to the running browser process. 

security.sandbox.logging.enabled (boolean)

security.sandbox.windows.log.stackTraceDepth (integer, Windows specific)

The following environment variables also triggers sandbox logging output: 

MOZ_SANDBOX_LOGGING=1

OSX Specific

Sandbox violation logging is on by default when the sandbox is enabled. Use the Console.app application to view the logs.

Environment variables

ENVIRONMENT VARIABLE DESCRIPTION PLATFORM
MOZ_DISABLE_CONTENT_SANDBOX Disables content process sandboxing for debugging purposes. All
MOZ_DISABLE_GMP_SANDBOX Disable media plugin sandbox for debugging purposes All
MOZ_DISABLE_NPAPI_SANDBOX Disable 64-bit NPAPI process sandbox Windows
MOZ_DISABLE_GPU_SANDBOX Disable GPU process sandbox Windows

Setting a custom environment in Windows

1) Close Firefox
2) Browser to the location of your Firefox install using Explorer
3) Shift + Right-click in the folder window where firefox.exe is located, select "Open command window here"
4) Add the environment variable(s) you wish to set to your command window -

set MOZ_DISABLE_NPAPI_SANDBOX=1(return)

5) enter firefox.exe and press enter to launch Firefox with your custom environment

Local Build Options

To disable building the sandbox completely build with this in your mozconfig:

ac_add_options --disable-sandbox

To disable just the content sandbox parts:

ac_add_options --disable-content-sandbox

Bug Lists

  • Windows Content Process
    • sbwc1
      • low integrity sandbox support
      • Roll out level 1 sandbox policy to release. (completed, fx50)
    • sbwc2
      • file:/// isolation
      • User token removal, to limit User directory file access
      • use JOB_RESTRICTED to apply further global restrictions
      • printing tests
      • roll out level 3 to release
    • Need to scope out future milestones including:
      • using an alternate desktop
      • using an alternate winstation and desktop
      • general file system (and registry) read access restrictions (USER_RESTRICTED / UESR_LOCKDOWN)
      • JOB_LOCKDOWN
      • reducing exposure to system APIs
      • running at untrusted integrity level
      • use of lowbox token / AppContainers
  • OSX Content Process
    • sbmc1
      • Roll out level 1 OSX security sandbox access ruleset. (completed, fx52)
      • Prevent file system write access
    • sbmc2
      • Home directory read access restrictions
      • file:/// isolation
      • roll out level2 OSX sandbox to release
    • sbmc3
      • TBD: Triage existing sandbox rules and define set to remove in milestone 3
      • File access: system /tmp and /var/folders/ and any other individual directories
      • Limit User directory file access
  • Linux Content Process
    • sblc1
      • enable (heavily perforated) seccomp-bpf filter by default in Nightly
    • sblc2
      • land basic file system broker
      • remove/restrict file system write access
      • roll out entry level file broker to release
    • sblc3
      • remove/restrict file system read access
      • file:/// isolation?
      • remote pulseaudio work (BLOCKED on media work, TBD)
    • sblc4
      • remove/restrict socket access/modification and solve X11 problem
    • sblc5
      • make use of chroot and user namespaces
  • Windows 64-bit NPAPI

Triage Lists

Communication

Weekly Team Meeting Thursday at 8:00am PT
  • Vidyo: "PlatInt" room
  • Invitation: Contact Jim Mathies to get added to the meeting invite list.
  • Meeting Notes Archive
IRC
  • Server: irc.mozilla.org
  • Channel: #boxing
Newsgroup/Mailing List

People

Engineering Management
  • Jim Mathies (jimm)
Project Management
  • TBD
QA
  • Tracy Walker (Quality Assurance Lead)
Development Team
  • Haik Aftandilian (haik)
  • Julian Hector (tedd)
  • Jim Mathies (jimm)
  • Bob Owen (bobowen)
  • David Parks (handyman)
  • Gian-Carlo Pascutto (gcp)
Other Teams

Repo Module Ownership

Links

Research

B2G Archive

B2G has always been “sandboxed” to some extent; every app/tab gets its own content process, which uses the Android security model: a separate uid per process, no group memberships, and kernel patches that require group membership for things like network access. But privilege escalation via kernel vulnerabilities is relatively common, so we also use the seccomp-bpf system call filter to reduce the attack surface that a compromised content process can directly access.

Older

Retrieved from "https://dev.wikimo.nonprod.webservices.mozgcp.net/index.php?title=Security/Sandbox&oldid=1176554"