Closed Bug 772403 Opened 12 years ago Closed 11 years ago

Security Review work related to Multi-process support for B2G

Categories

(mozilla.org :: Security Assurance, task, P2)

x86
macOS

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: pauljt, Assigned: pauljt)


Details

A security review of the multi-process features of B2G. Related bugs: Bug 714861
Component: Security Assurance → Security Assurance: Review Request
QA Contact: security-assurance
Assignee: nobody → ptheriault
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings
Priority: 4 (P2) - Mozilla Initiative
Operational: 0 - N/A
User: 5 - Blocker
Privacy: 4 - Critical
Engineering: 3 - Major
Reputational: 3 - Major
Priority Score: 60
Severity: normal → blocker
Priority: -- → P2
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy][Score:60:Medium]
This is really a tracking bug for review work related to multiprocess. Adding blockers to this, which contain the review actions related to multi-process. Some high level notes:

Feature: Basically <frame>s can be loaded Out Of Process (OOP) in B2G, which results in a forked B2G (gecko) process running with reduced rights. Currently only the System App can create these frames by setting the remote attribute to be true. (i.e. other apps setting remote='true' has no effect).

Threats Brainstorming
---------
* Too many processes created and phone gets DoS.
** Only the system app can set remote=true
* Bypass child process initialization
* Leaked file descriptors can be used to access resources as parent process (note: made a separate "quick" review: https://bugzilla.mozilla.org/show_bug.cgi?id=753107)
* Special child process types have full privileges and can be used to compromise the system (such as the camera)
* Some APIs require the child to have more than IPDL resources access (webgl, camera library, ...). Those could be abused by the child process
* eventually this ability will be tied to a permission (open-remote-window) but this hasn't landed yet (819882)
* child process is compromised and sends spurious messages to the parent - (see bug 777602)
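The leaked file descriptor threat listed above, as an added example that is not part of the original bug and is not B2G or Gecko code: it checks whether a forked child can still use a descriptor the parent opened, with and without a scrub step before privileges would be dropped. It assumes the child is created by a plain fork() with no exec; `/dev/null` is a constructed stand-in for a privileged resource, and the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Close every descriptor above stderr except the IPC channel. The range is
 * capped to keep the loop bounded; on Linux, enumerating /proc/self/fd
 * also covers descriptors above the cap. */
static void close_inherited_fds(int keep_fd) {
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536) max = 65536;
    for (int fd = 3; fd < max; fd++)
        if (fd != keep_fd) close(fd);
}

/* Forks a child and reports whether a descriptor opened by the parent is
 * still usable inside it: 1 = leaked, 0 = closed, -1 = setup error. */
int child_sees_parent_fd(int scrub) {
    int ipc[2];
    if (pipe(ipc) != 0) return -1;
    /* Constructed stand-in for a resource only the parent should hold.
     * O_CLOEXEC does not help here: it takes effect on exec(), not fork(). */
    int secret = open("/dev/null", O_RDONLY | O_CLOEXEC);
    if (secret < 0) { close(ipc[0]); close(ipc[1]); return -1; }
    pid_t pid = fork();
    if (pid < 0) { close(ipc[0]); close(ipc[1]); close(secret); return -1; }
    if (pid == 0) {                        /* child */
        close(ipc[0]);
        if (scrub) close_inherited_fds(ipc[1]);
        /* A real child would drop privileges here, after the scrub. */
        char leaked = fcntl(secret, F_GETFD) != -1;
        _exit(write(ipc[1], &leaked, 1) == 1 ? 0 : 1);
    }
    close(ipc[1]);                         /* parent */
    char leaked = 0;
    ssize_t n = read(ipc[0], &leaked, 1);
    close(ipc[0]);
    close(secret);
    waitpid(pid, NULL, 0);
    return n == 1 ? leaked : -1;
}

int main(void) {
    printf("without scrub: leaked=%d\n", child_sees_parent_fd(0));
    printf("with scrub:    leaked=%d\n", child_sees_parent_fd(1));
    return 0;
}
```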
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy][Score:60:Medium]
Component: Security Assurance: Review Request → Security Assurance
Summary: [Security Review] Multi-process support for B2G → Security Review work related to Multi-process support for B2G
This work has been superseded by the sandboxing project.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
No longer depends on: 746280