<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://bugs.webkit.org/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4.1"
          urlbase="https://bugs.webkit.org/"
          
          maintainer="admin@webkit.org"
>

    <bug>
          <bug_id>140132</bug_id>
          
          <creation_ts>2015-01-06 11:06:27 -0800</creation_ts>
          <short_desc>[GTK] SeccompFilters: trap more filesystem access system calls</short_desc>
          <delta_ts>2016-09-21 05:27:28 -0700</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>WebKit</product>
          <component>WebKitGTK</component>
          <version>528+ (Nightly build)</version>
          <rep_platform>PC</rep_platform>
          <op_sys>Linux</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>WONTFIX</resolution>
          
          
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords></keywords>
          <priority>P2</priority>
          <bug_severity>Enhancement</bug_severity>
          <target_milestone>---</target_milestone>
          
          <blocked>140072</blocked>
          <everconfirmed>1</everconfirmed>
          <reporter name="Michael Catanzaro">mcatanzaro</reporter>
          <assigned_to name="Michael Catanzaro">mcatanzaro</assigned_to>
          <cc>cgarcia</cc>
          <cc>mcatanzaro</cc>
          <cc>tmpsantos</cc>
          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>1059064</commentid>
    <comment_count>0</comment_count>
    <who name="Michael Catanzaro">mcatanzaro</who>
    <bug_when>2015-01-06 11:06:27 -0800</bug_when>
    <thetext>Before we enable seccomp filters by default in the GTK+ port, we should trap more system calls. Currently, we trap open, openat, and creat so that we only allow access to particular files. Research the other system calls that operate on the filesystem to determine what we need to trap and what we don&apos;t.

The Chrome sandbox blocks all system calls that Chrome doesn&apos;t use, to reduce the kernel attack space. That would be great theoretically, but I think it&apos;s too ambitious for our purposes, as it would be quite difficult to maintain unless we start bundling all of our dependencies like Chrome does. For now, let&apos;s simply trap filesystem system calls so that a compromised web process needs a separate kernel exploit if it wants to vacuum up the user&apos;s personal data.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1079473</commentid>
    <comment_count>1</comment_count>
    <who name="Michael Catanzaro">mcatanzaro</who>
    <bug_when>2015-03-23 15:31:21 -0700</bug_when>
    <thetext>The upcoming patch implements a whitelist of syscalls to not block; i.e. it is much more aggressive (and more secure) than the approach I recommend in comment #0.

Caveats:

* This increases the potential for breakage. If a whitelist of filesystem locations may not work on any distros except those we test it on, a syscall whitelist is extremely unlikely to work.
* This probably makes it difficult or impossible to write web extensions. We must add API to allow extensions to whitelist syscalls (bug #140073) or else give up on whitelisting syscalls, because we&apos;re obviously not going to give up on web extensions.
* The patch includes a list of calls that should be trapped but which are not yet trapped: i.e. whitelisted, but audited by the broker process. That is future work.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1079479</commentid>
    <comment_count>2</comment_count>
      <attachid>249289</attachid>
    <who name="Michael Catanzaro">mcatanzaro</who>
    <bug_when>2015-03-23 15:39:03 -0700</bug_when>
    <thetext>Created attachment 249289
[GTK] SeccompFilters: Use a syscall whitelist for the web process</thetext>
  </long_desc>
      
          <attachment
              isobsolete="0"
              ispatch="1"
              isprivate="0"
          >
            <attachid>249289</attachid>
            <date>2015-03-23 15:39:03 -0700</date>
            <delta_ts>2015-03-23 15:39:03 -0700</delta_ts>
            <desc>[GTK] SeccompFilters: Use a syscall whitelist for the web process</desc>
            <filename>bug-140132-20150323173827.patch</filename>
            <type>text/plain</type>
            <size>6398</size>
            <attacher name="Michael Catanzaro">mcatanzaro</attacher>
            
              <data encoding="base64">U3VidmVyc2lvbiBSZXZpc2lvbjogMTgxODI1CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0Mi9D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</data>

          </attachment>
      

    </bug>

</bugzilla>