firefox 54.0 fails to load pages because seccomp-bpf sandbox issue
The immediately visible effect is that loading a page results in a
"Gah. Your tab just crashed."
message, while error messages like the following are printed to the terminal:
[Parent 22602] WARNING: pipe error (42): Connection reset by peer: file /home/buildozer/aports/testing/firefox/src/firefox-54.0/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 346
[Parent 22602] WARNING: pipe error (47): Connection reset by peer: file /home/buildozer/aports/testing/firefox/src/firefox-54.0/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 346
###!!! [Parent][MessageChannel] Error: (msgtype=0x2C0082,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
[Parent 22602] WARNING: waitpid failed pid:22646 errno:10: file /home/buildozer/aports/testing/firefox/src/firefox-54.0/ipc/chromium/src/base/process_util_posix.cc, line 276
What actually happens is that a helper process in the background
crashes after installing a seccomp-bpf filter that prevents thread
creation on musl, which eventually leads to a null pointer deref.
A quick workaround is disabling the sandbox via the environment variable
MOZ_DISABLE_CONTENT_SANDBOX=1
or whitelisting SYS_clone in about:config by setting the key
security.sandbox.content.syscall_whitelist
to 56 (the clone syscall number on x86_64).
Note that the Firefox sandbox code is based on the Chromium sandbox
code, so similar issues may come up there too, but Chromium has a
different set of policies now.
clone fails because CLONE_DETACHED is not set in flags_modern:
https://dxr.mozilla.org/mozilla-central/source/security/sandbox/linux/SandboxFilter.cpp#115
musl clone flags:
http://git.musl-libc.org/cgit/musl/tree/src/thread/pthread_create.c#n187
CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|CLONE_DETACHED
Once clone is enabled, other failures become visible:
Sandbox: seccomp sandbox violation: pid 14996, tid 15048, syscall 200, args 14996 26 0 6265608586624801 94763009463712 0.
Sandbox: seccomp sandbox violation: pid 14996, tid 14996, syscall 217, args 33 94763019661344 2048 9259542123273814144 94763019661312 18374403900871474943.
The first one is tkill (which should be allowed if tgkill is):
https://dxr.mozilla.org/mozilla-central/source/security/sandbox/linux/SandboxFilter.cpp#239
The second one is getdents64, which should be allowed on 64-bit archs, not
just on 32-bit ones:
https://dxr.mozilla.org/mozilla-central/source/security/sandbox/linux/SandboxFilterUtil.h#121
It seems to be unfixed upstream, so it should be reported there too.
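The two diagnostics in this report (the clone flags mismatch above, and the seccomp violation lines) can be reproduced in a small model. The following is an added example written for this page; it is not code from the Alpine issue, from musl or from Firefox. It assumes the policy's accepted mask (flags_modern) is exactly musl's thread flags without CLONE_DETACHED, which is what the diagnosis implies, and it only knows the three x86_64 syscall numbers the report names (56, 200, 217); the CLONE_* values are the Linux kernel's.

```python
"""Model of the two checks described in the report:
1. an exact-match clone(2) flags policy that rejects musl's pthread_create
   flags because they carry CLONE_DETACHED;
2. decoding "Sandbox: seccomp sandbox violation" log lines into syscall names.
Added example, not code from the issue, musl or Firefox."""
import re

# Linux clone(2) flag values (as defined in <linux/sched.h>).
CLONE_FLAG_NAMES = {
    0x00000100: "CLONE_VM",
    0x00000200: "CLONE_FS",
    0x00000400: "CLONE_FILES",
    0x00000800: "CLONE_SIGHAND",
    0x00010000: "CLONE_THREAD",
    0x00040000: "CLONE_SYSVSEM",
    0x00080000: "CLONE_SETTLS",
    0x00100000: "CLONE_PARENT_SETTID",
    0x00200000: "CLONE_CHILD_CLEARTID",
    0x00400000: "CLONE_DETACHED",
}
CLONE_FLAGS = {name: value for value, name in CLONE_FLAG_NAMES.items()}

# Flags musl's pthread_create passes to clone, as quoted in the report.
MUSL_THREAD_FLAGS = 0
for _name in ("CLONE_VM", "CLONE_FS", "CLONE_FILES", "CLONE_SIGHAND",
              "CLONE_THREAD", "CLONE_SYSVSEM", "CLONE_SETTLS",
              "CLONE_PARENT_SETTID", "CLONE_CHILD_CLEARTID", "CLONE_DETACHED"):
    MUSL_THREAD_FLAGS |= CLONE_FLAGS[_name]

# Assumption: the accepted mask (flags_modern) is the same set minus
# CLONE_DETACHED, which is what the report's diagnosis implies.
FLAGS_MODERN = MUSL_THREAD_FLAGS & ~CLONE_FLAGS["CLONE_DETACHED"]


def clone_allowed(flags: int, accepted: int = FLAGS_MODERN) -> bool:
    """Exact-match policy: the whole flags word must equal the accepted mask."""
    return flags == accepted


def unexpected_clone_flags(flags: int, accepted: int = FLAGS_MODERN) -> list:
    """Names of the flags that make `flags` differ from `accepted`."""
    extra = flags & ~accepted
    return [name for value, name in sorted(CLONE_FLAG_NAMES.items())
            if extra & value]


# x86_64 syscall numbers; only the ones the report mentions are listed here.
X86_64_SYSCALL_NAMES = {56: "clone", 200: "tkill", 217: "getdents64"}

VIOLATION_RE = re.compile(
    r"Sandbox: seccomp sandbox violation: pid (?P<pid>\d+), tid (?P<tid>\d+), "
    r"syscall (?P<nr>\d+), args (?P<args>[\d ]+)\."
)


def parse_violation(line: str):
    """Decode one violation line into a dict, or None if it is not one."""
    m = VIOLATION_RE.search(line)
    if m is None:
        return None
    nr = int(m.group("nr"))
    return {
        "pid": int(m.group("pid")),
        "tid": int(m.group("tid")),
        "syscall": nr,
        "name": X86_64_SYSCALL_NAMES.get(nr, "syscall_%d" % nr),
        "args": [int(a) for a in m.group("args").split()],
    }


def violated_syscalls(lines) -> list:
    """Syscall names of every violation line in `lines`, in order."""
    found = (parse_violation(line) for line in lines)
    return [v["name"] for v in found if v is not None]


# The two violation lines quoted in the report, copied as sample input.
SAMPLE_LOG = [
    "Sandbox: seccomp sandbox violation: pid 14996, tid 15048, syscall 200, "
    "args 14996 26 0 6265608586624801 94763009463712 0.",
    "Sandbox: seccomp sandbox violation: pid 14996, tid 14996, syscall 217, "
    "args 33 94763019661344 2048 9259542123273814144 94763019661312 "
    "18374403900871474943.",
]

if __name__ == "__main__":
    print("musl clone flags 0x%x allowed: %s, unexpected: %s" % (
        MUSL_THREAD_FLAGS, clone_allowed(MUSL_THREAD_FLAGS),
        unexpected_clone_flags(MUSL_THREAD_FLAGS)))
    print("violations:", violated_syscalls(SAMPLE_LOG))
```

Run as a script, it reports that musl's flag word is rejected solely because of CLONE_DETACHED, and that the two quoted violations are tkill and getdents64; any clone flags word can be passed to unexpected_clone_flags to see which bits an exact-match policy objects to.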
(from redmine: issue id 7454, created on 2017-06-28, closed on 2019-05-03)
- Changesets:
- Revision 45f1983a by Timo Teräs on 2017-07-11T08:28:25Z:
testing/firefox: improve seccomp, use pthread_setname_np
ref #7454
- Revision a1d2eb58 by Natanael Copa on 2017-07-11T09:47:26Z:
main/alsa-lib: disable use of wordexp
wordexp will execute in a shell, which breaks firefox sandbox. The use
of wordexp is questionable so we disable use of wordexp by fooling
configure script that we don't have it.
ref #7454
- Revision 9e0f3ef7 by Natanael Copa on 2017-07-11T17:11:01Z:
main/alsa-lib: avoid using wordexp
wordexp implementation will execute /bin/sh (as suggested in posix).
This breaks firefox sandbox. We also need to expand ~/ so that alsa uses
~/.asoundrc so we cannot just trick the configure script to think that we
don't have wordexp since the fallback code would not expand anything at
all.
ref #7454