Open Bug 1104619 (sb-audio) Opened 11 years ago Updated 3 months ago

[meta] Sandboxing improvements when audio playback & recording are remoted

Categories

(Core :: Security: Process Sandboxing, enhancement, P3)

Product:
Core
Component:
Security: Process Sandboxing
Type:
enhancement

Tracking

()

People

(Reporter: gcp, Unassigned)

References

(Depends on 1 open bug)

Details

(Keywords: meta)

No description provided.
Blocks: 1104615, 1096717, 1042735
Assignee: nobody → gpascutto
Component: Audio/Video → Audio/Video: MSG/cubeb/GMP
Component: Audio/Video: MediaStreamGraph → Audio/Video: cubeb
Rank: 20
Priority: -- → P2
Should this be tracked by sandboxing? It looks like this could fix Bug 1259283.
Whiteboard: sb?
Whiteboard: sb? → sblc1
Moving to sblc2 because this is currently not blocking enabling seccomp on nightly. However, it will allow us to revert the patch landed as part of Bug 1259508, once audio is remoted.
Whiteboard: sblc1 → sblc2
Blocks: 1285525
Discussed this with :gcp over irc, he is not currently working on it.
Assignee: gpascutto → julian.r.hector
We should have a look at how chromium does this before proceeding. Also don't hesitate to ask any question, this is full of gotchas. This is the code on the host side (= Chrome process for us): https://cs.chromium.org/chromium/src/content/browser/renderer_host/media/audio_input_renderer_host.cc?sq=package:chromium&rcl=1474529952&l=349
Flags: needinfo?(julian.r.hector)
Thank you very much. So far my approach is to remote the cubeb API found in cubeb.h. But I am currently dealing with a threading issue since I created a sync protocol. It seems that the Send method is called from a thread it can't block on. I probably have to do something similar to the LockAndDispatch [1] that :gcp did on PCameras, which makes this slightly more complicated. [1] http://searchfox.org/mozilla-central/rev/8910ca900f826a9b714607fd23bfa1b37a191eca/dom/media/systemservices/CamerasChild.cpp#188
Flags: needinfo?(julian.r.hector)
Blocks: 1309098
Assignee: julian.r.hector → nobody
Whiteboard: sblc2 → sblc3
Whiteboard: sblc3 → sblc3, sbmc3
Depends on: 1284816
Whiteboard: sblc3, sbmc3 → sblc5
Depends on: 1346665
No longer depends on: 1284816
Keywords: meta
Depends on: 1362220
No longer blocks: 1126437, 1359566, 1042735, 1096717, 1104615, 1285525, 1309098, 1321134
Depends on: 1126437, 1359566, 1042735, 1096717, 1104615, 1285525, 1309098, 1321134
Whiteboard: sblc5
Alias: sb-audio
Priority: P2 → P3
Component: Audio/Video: cubeb → Security: Process Sandboxing
Depends on: 1382448
Retitling this bug to match what its new purpose seems to be. The audio remoting discussed in previous comments seems to now be covered in bug 1362220.
Depends on: 1126437, 1213998
Summary: Sandboxing support for audio playback & recording → Sandboxing improvements when audio playback & recording are remoted
Depends on: 1405091
Summary: Sandboxing improvements when audio playback & recording are remoted → [meta] Sandboxing improvements when audio playback & recording are remoted
No longer depends on: 1567389
Severity: normal → S3

Audio access is remoted on Linux and has been for years now. The media.cubeb.sandbox pref still exists, and I think the media people might want to keep it around for troubleshooting or debugging, but we don't need to support flipping that pref without also explicitly turning off content sandboxing. I'm told that that's already the case on Windows. It also parallels what we did with WebGL remoting — if it's turned off then it's also necessary to explicitly turn off security.sandbox.content.headless (which is dangerous, especially on X11).

This has already sort of started happening to some extent; see bug 1604269 which didn't gate the change on sandbox level, and in general we don't test the semi-sandboxed configuration that currently results from flipping media.cubeb.sandbox (it's insecure and unsupported), so there could be other cases of accidental breakage as well.

There are three places the sandbox is weakened in response to that pref, which we could remove:

The last one is more complicated, because — tested on Debian using Pipewire — audio is broken without that workaround (the first objectionable syscall is umask) even if the sandbox isn't otherwise changed from the status quo. Removing that would mean that sandboxing would have to be turned off completely for non-remote audio, rather than just using an untested weak policy (level 3). Which brings me to the next set of things that we probably want to rip out:

  • Basically everything in SandboxFilter.cpp that's ifdef'ed on MOZ_PULSEAUDIO or MOZ_ALSA.
  • And anything with comments mentioning non-remote audio, if not already covered by the above.

When we do that, we'll want to make sure that crash reports record whether media.cubeb.sandbox was flipped, in case there's anyone using Nightly with weird pref settings.

See Also: → 1604269
Type: defect → enhancement
You need to log in before you can comment on or make changes to this bug.