Gentoo Forums
Firefox: Is Seccomp enabled?
Apheus
Guru

Joined: 12 Jul 2008
Posts: 420

Posted: Thu Jan 05, 2017 1:56 pm    Post subject: Firefox: Is Seccomp enabled?

Hi,

Firefox has a nice "sandboxing" feature: Seccomp-BPF. According to about:support, it is enabled (scroll all the way down). The three other sandboxing features are reported as "true" too.

According to the Mozilla Wiki, the status of a process can be checked in the proc filesystem. However:

Code:
# pgrep firefox
1327
# grep -n -C1 Seccomp /proc/1327/status
41-CapAmb: 0000000000000000
42:Seccomp:        0
43-Cpus_allowed:   f


Which means it is not enabled. Which one is true?

Code:
# zgrep SECCOMP /proc/config.gz
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y


Kernel 4.4.39-gentoo.

Code:
# emerge -pv firefox

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] www-client/firefox-45.6.0::gentoo  USE="custom-cflags custom-optimization dbus ffmpeg gstreamer hardened hwaccel jemalloc3 jit pulseaudio startup-notification system-icu system-jpeg system-libevent system-sqlite -bindist -debug -gmp-autoupdate -gstreamer-0 (-neon) (-pgo) (-selinux) (-system-cairo) -system-harfbuzz -system-libvpx {-test} -wifi" L10N="de -ach -af -an -ar -as -ast -az -be -bg -bn-BD -bn-IN -br -bs -ca -cs -cy -da -el -en-GB -en-ZA -eo -es-AR -es-CL -es-ES -es-MX -et -eu -fa -fi -fr -fy -ga -gd -gl -gu -he -hi -hr -hsb -hu -hy -id -is -it -ja -kk -km -kn -ko -lt -lv -mai -mk -ml -mr -ms -nb -nl -nn -or -pa -pl -pt-BR -pt-PT -rm -ro -ru -si -sk -sl -son -sq -sr -sv -ta -te -th -tr -uk -uz -vi -xh -zh-CN -zh-TW" 0 KiB

_________________
My phrenologist says I'm stupid.
Apheus
Posted: Thu Mar 30, 2017 10:50 am

I found it: Seccomp-bpf is only relevant for the web content processes, so Electrolysis is required. Firefox needs to be compiled with the additional option "--enable-content-sandbox".

The sandbox level 0/1/2 can be changed with an integer "security.sandbox.content.level" in about:config. The value 0 means "off", 1 means "Seccomp-bpf with a larger whitelist of allowed system calls", 2 means "Seccomp-bpf with a stricter whitelist". If Seccomp-bpf is enabled, "about:support" shows an additional entry "Content process sandbox level 1|2" at the bottom.

With Firefox 52. Ebuild diff:

Code:
$ diff -urw /usr/portage/www-client/firefox/firefox-52.0.1-r1.ebuild /usr/local/portage/www-client/firefox/firefox-52.0.1-r1.ebuild
--- /usr/portage/www-client/firefox/firefox-52.0.1-r1.ebuild    2017-03-21 20:45:53.000000000 +0100
+++ /usr/local/portage/www-client/firefox/firefox-52.0.1-r1.ebuild      2017-03-30 11:08:01.801089422 +0200
@@ -228,6 +228,9 @@
        echo "mk_add_options MOZ_OBJDIR=${BUILD_OBJ_DIR}" >> "${S}"/.mozconfig
        echo "mk_add_options XARGS=/usr/bin/xargs" >> "${S}"/.mozconfig
 
+       # sandbox
+       mozconfig_annotate '' --enable-content-sandbox
+
        # Finalize and report settings
        mozconfig_final
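Review bot: the added `mozconfig_annotate '' --enable-content-sandbox` is unconditional, so every build of this overlay ebuild enables the content sandbox with no way to opt out from package.use; gate it behind a USE flag (for example `use content-sandbox && mozconfig_annotate 'content-sandbox' --enable-content-sandbox`, with the flag name declared in IUSE) so the stock behaviour stays selectable. The empty first argument also drops the reason string that mozconfig_annotate records as a comment in the generated .mozconfig, so a later reader of that file cannot tell why the option is there; pass a short reason such as 'seccomp-bpf content sandbox' instead of ''.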


Checked with app-admin/checksec:

Code:
# checksec --proc 'Web Content'
* System-wide ASLR (kernel.randomize_va_space): Full (Setting: 2)

  Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.
  This, among other things, implies that shared libraries will be loaded to random
  addresses. Also for PIE-linked binaries, the location of code start is randomized.

  See the kernel file 'Documentation/sysctl/kernel.txt' for more details.

* Does the CPU support NX: Yes

         COMMAND    PID RELRO           STACK CANARY            SECCOMP          NX/PaX        PIE                     FORTIFY
     Web Content  14626 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             Yes


Highly experimental; I guess Mozilla has a reason to enable it only in nightly builds by default.
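The thread's resolution is that the parent firefox process never runs under seccomp; only the content processes do, so a check of /proc has to look at every Firefox-related process, not just the pid pgrep returns first. The script below is an added example, not code from the thread or from Mozilla: it walks /proc, reads the Name: and Seccomp: fields of each status file, and prints one line per matching process with the seccomp mode decoded (0 = disabled, 1 = strict, 2 = filter, i.e. seccomp-bpf). The list of process names it matches on, and the sample status files it builds for a self-test, are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original thread: report the seccomp mode of every
# Firefox-related process by reading /proc/<pid>/status, which the first post
# did for the parent process only. The Seccomp field in /proc/<pid>/status is
# 0 = disabled, 1 = strict, 2 = filter (seccomp-bpf).

# Print the Name: field of a status file. Names may contain spaces
# ("Web Content"), so everything after the separator is kept.
# $1: path to a /proc/<pid>/status file, or a copy of one
status_name() {
    awk '/^Name:/ { sub(/^Name:[ \t]*/, ""); print; exit }' "$1"
}

# Translate the numeric Seccomp: field into a label.
# $1: path to a /proc/<pid>/status file, or a copy of one
seccomp_mode() {
    mode=$(awk '/^Seccomp:/ { print $2; exit }' "$1")
    case "$mode" in
        0)  echo "0 (disabled)" ;;
        1)  echo "1 (strict)" ;;
        2)  echo "2 (filter: seccomp-bpf)" ;;
        "") echo "unknown (no Seccomp field)" ;;  # kernel built without CONFIG_SECCOMP
        *)  echo "$mode (unexpected)" ;;
    esac
}

# Walk /proc and print one line per Firefox process. The set of process names
# matched here is an assumption; "Web Content" is the name checksec was pointed at.
report_firefox_seccomp() {
    for status in /proc/[0-9]*/status; do
        [ -r "$status" ] || continue
        name=$(status_name "$status" 2>/dev/null)
        case "$name" in
            firefox|firefox-bin|"Web Content"|plugin-container)
                pid=${status#/proc/}
                pid=${pid%/status}
                printf '%-7s %-16s %s\n' "$pid" "$name" "$(seccomp_mode "$status")"
                ;;
        esac
    done
}

# Constructed sample status files (not captured from a real system) so the
# parsers can be exercised without a running Firefox: a parent with seccomp off
# and a content process under a seccomp-bpf filter. Prints the directory path.
make_sample_status() {
    dir=$(mktemp -d)
    printf 'Name:\tfirefox\nSeccomp:\t0\nCpus_allowed:\tf\n' > "$dir/parent"
    printf 'Name:\tWeb Content\nSeccomp:\t2\nCpus_allowed:\tf\n' > "$dir/content"
    echo "$dir"
}

# Run as a script: report on the live system (no output if no Firefox is running).
report_firefox_seccomp
```

Run it as root or as the user owning the Firefox processes; a line such as `14626   Web Content      2 (filter: seccomp-bpf)` next to `1327    firefox          0 (disabled)` is the expected picture once the content sandbox is built in and security.sandbox.content.level is 1 or 2, and it matches what about:support and checksec report.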