Closed Bug 1640345 Opened 5 years ago Closed 4 years ago

Add pref to prevent content processes from connecting to the X server

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

Product:
Core
Component:
Security: Process Sandboxing
Platform:
Desktop
Linux
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla80
Tracking Flags:
Tracking Status
firefox80 --- fixed

People

(Reporter: jld, Assigned: jld)

References

Details

Attachments

(1 file)

Bug 1640345 - Add a hidden pref to prevent sandboxed content processes from connecting to the X server.
(deleted), text/x-phabricator-request
Details

If we had a pref to set MOZ_HEADLESS for content processes (as described in bug 1129492 comment #21) and turn off the file broker rules that allow brokered connections to the X server (needed for some GL interposition layers), then that could be combined with the widget.disable-native-theme-for-content pref to yield a browser where:

  1. Content processes shouldn't be able to communicate directly with the X server
  2. WebGL and Flash are broken
  3. A lot of automated tests are broken because of the widget theme change

So that configuration isn't shippable yet, but it could be useful for use cases that weren't going to use WebGL or Flash anyway, and for experimenting to see if anything else is broken that we don't know about.

Priority: -- → P1

This adds the boolean pref security.sandbox.content.headless (on Linux
only) which does two things:

  1. Sets the MOZ_HEADLESS env var for content processes, so that they
    don't initialize GTK and don't connect to the X server.

  2. Disallows brokered access to parts of the filesystem used only for
    graphics -- most critically connecting to the X11 socket itself, but
    also opening GPU device nodes and the parts of sysfs used by Mesa, for
    example.

This is experimental; use at your own risk.

Setting this pref will break native widgets, so it's also necessary to
set widget.disable-native-theme-for-content

Additionally, it breaks Flash and WebGL; see bug 1638466 for the latter.

Pushed by jedavis@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0f8b6494d3eb Add a hidden pref to prevent sandboxed content processes from connecting to the X server. r=gcp

See bug 1644917 comment #6.

Flags: needinfo?(jld)
Pushed by jedavis@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5980f36397c5 Add a hidden pref to prevent sandboxed content processes from connecting to the X server. r=gcp

https://hg.mozilla.org/mozilla-central/rev/5980f36397c5

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox80: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: