Re: Enabling filesystem read-restrictions for content process sandbox

2017-07-26 Thread Gian-Carlo Pascutto
On 06-07-17 16:07, Alex Gaynor wrote:
> Hi dev-platform,
> 
> On behalf of the Runtime Content Isolation (aka sandboxing) team, I'm
> delighted to announce that starting later this week, our macOS and Windows
> nightly builds will prohibit read access to most of the filesystem in the
> content process!
...
> We're looking forward to also shipping this for Linux soon.

This is now shipping in current Nightly.

-- 
GCP
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Re: Enabling filesystem read-restrictions for content process sandbox

2017-07-21 Thread Haik Aftandilian
On Fri, Jul 21, 2017 at 7:48 AM, Andrea Marchesini wrote:

> There are some APIs able to read files in the content process using
> nsFileInputStream: FileReader is one of them.
> The file is opened on the parent process (because of a FilePicker, or
> Entries API), the file descriptor is sent to the content process where the
> reading happens.
> Is this supported yet?
>

Yes, reading from a file descriptor opened in the parent should continue
to work.

Haik



>
> On Fri, Jul 21, 2017 at 3:44 PM,  wrote:
>
> > As a follow-up to this, tomorrow's (2017-07-22) Nightly will have this
> > enabled for the Windows content process sandbox as well.
> >
> > On Windows this removes access that the User gains via their own SID.
> > So generally things under their home directory (C:\Users\\).
> > With exceptions for the Firefox installation directory and the chrome
> > directory in the profile.
> >
> > There are a few other restrictions included as well, for example reading
> > and writing to the clipboard.
> >
> > If you hit any issues on Windows after tomorrow that disappear when you
> > set the pref security.sandbox.content.level to 2 or lower, please file a
> > bug to block https://bugzilla.mozilla.org/show_bug.cgi?id=1366697.
> >
> > Cheers,
> > Bob
> >
> >
> > On Thursday, 6 July 2017 15:07:50 UTC+1, Alex Gaynor  wrote:
> > > Hi dev-platform,
> > >
> > > On behalf of the Runtime Content Isolation (aka sandboxing) team, I'm
> > > delighted to announce that starting later this week, our macOS and
> > > Windows nightly builds will prohibit read access to most of the
> > > filesystem in the content process!
> > >
> > > What does this mean for you? First and foremost, a more secure browser!
> > > Second, it means that if you see bugs, please report them, our goal is
> > > to put this on the trains for 56! If you run into anything, please file
> > > it as a blocker for https://bugzilla.mozilla.org/show_bug.cgi?id=1377522 .
> > >
> > > Finally, it means that in code you're writing, you should not expect to
> > > be able to read from the filesystem in the content process -- with the
> > > exception of inside the .app bundle, or in the chrome/ subdirectory of
> > > the profile directory.
> > >
> > > If you need access to a file in content, you should plan on remoting
> > > that to the parent process. When designing these APIs, please be careful
> > > to ensure the parent process is able to perform appropriate permissions
> > > checks such that the IPC mechanism isn't able to bypass the sandbox's
> > > goal of preventing a malicious content process from accessing the entire
> > > file system.
> > >
> > > This represents the culmination of a lot of work by a lot of folks, both
> > > on our team and on many other teams who helped out with refactoring
> > > their code -- thank you!
> > >
> > > We're looking forward to also shipping this for Linux soon.
> > >
> > > Cheers,
> > > Alex
> >


Re: Enabling filesystem read-restrictions for content process sandbox

2017-07-21 Thread Andrea Marchesini
There are some APIs able to read files in the content process using
nsFileInputStream: FileReader is one of them.
The file is opened on the parent process (because of a FilePicker, or
Entries API), the file descriptor is sent to the content process where the
reading happens.
Is this supported yet?

On Fri, Jul 21, 2017 at 3:44 PM,  wrote:

> As a follow-up to this, tomorrow's (2017-07-22) Nightly will have this
> enabled for the Windows content process sandbox as well.
>
> On Windows this removes access that the User gains via their own SID.
> So generally things under their home directory (C:\Users\\).
> With exceptions for the Firefox installation directory and the chrome
> directory in the profile.
>
> There are a few other restrictions included as well, for example reading
> and writing to the clipboard.
>
> If you hit any issues on Windows after tomorrow that disappear when you
> set the pref security.sandbox.content.level to 2 or lower, please file a
> bug to block https://bugzilla.mozilla.org/show_bug.cgi?id=1366697.
>
> Cheers,
> Bob
>
>
> On Thursday, 6 July 2017 15:07:50 UTC+1, Alex Gaynor  wrote:
> > Hi dev-platform,
> >
> > On behalf of the Runtime Content Isolation (aka sandboxing) team, I'm
> > delighted to announce that starting later this week, our macOS and Windows
> > nightly builds will prohibit read access to most of the filesystem in the
> > content process!
> >
> > What does this mean for you? First and foremost, a more secure browser!
> > Second, it means that if you see bugs, please report them, our goal is to
> > put this on the trains for 56! If you run into anything, please file it as
> > a blocker for https://bugzilla.mozilla.org/show_bug.cgi?id=1377522 .
> >
> > Finally, it means that in code you're writing, you should not expect to be
> > able to read from the filesystem in the content process -- with the
> > exception of inside the .app bundle, or in the chrome/ subdirectory of the
> > profile directory.
> >
> > If you need access to a file in content, you should plan on remoting that
> > to the parent process. When designing these APIs, please be careful to
> > ensure the parent process is able to perform appropriate permissions checks
> > such that the IPC mechanism isn't able to bypass the sandbox's goal of
> > preventing a malicious content process from accessing the entire file
> > system.
> >
> > This represents the culmination of a lot of work by a lot of folks, both on
> > our team and on many other teams who helped out with refactoring their code
> > -- thank you!
> >
> > We're looking forward to also shipping this for Linux soon.
> >
> > Cheers,
> > Alex
>


Re: Enabling filesystem read-restrictions for content process sandbox

2017-07-21 Thread bowen
As a follow-up to this, tomorrow's (2017-07-22) Nightly will have this enabled 
for the Windows content process sandbox as well.

On Windows this removes access that the User gains via their own SID.
So generally things under their home directory (C:\Users\\).
With exceptions for the Firefox installation directory and the chrome directory 
in the profile.

There are a few other restrictions included as well, for example reading and 
writing to the clipboard.

If you hit any issues on Windows after tomorrow that disappear when you set the 
pref security.sandbox.content.level to 2 or lower, please file a bug to block 
https://bugzilla.mozilla.org/show_bug.cgi?id=1366697.

Cheers,
Bob


On Thursday, 6 July 2017 15:07:50 UTC+1, Alex Gaynor  wrote:
> Hi dev-platform,
> 
> On behalf of the Runtime Content Isolation (aka sandboxing) team, I'm
> delighted to announce that starting later this week, our macOS and Windows
> nightly builds will prohibit read access to most of the filesystem in the
> content process!
> 
> What does this mean for you? First and foremost, a more secure browser!
> Second, it means that if you see bugs, please report them, our goal is to
> put this on the trains for 56! If you run into anything, please file it as
> a blocker for https://bugzilla.mozilla.org/show_bug.cgi?id=1377522 .
> 
> Finally, it means that in code you're writing, you should not expect to be
> able to read from the filesystem in the content process -- with the
> exception of inside the .app bundle, or in the chrome/ subdirectory of the
> profile directory.
> 
> If you need access to a file in content, you should plan on remoting that
> to the parent process. When designing these APIs, please be careful to
> ensure the parent process is able to perform appropriate permissions checks
> such that the IPC mechanism isn't able to bypass the sandbox's goal of
> preventing a malicious content process from accessing the entire file
> system.
> 
> This represents the culmination of a lot of work by a lot of folks, both on
> our team and on many other teams who helped out with refactoring their code
> -- thank you!
> 
> We're looking forward to also shipping this for Linux soon.
> 
> Cheers,
> Alex



Re: Enabling filesystem read-restrictions for content process sandbox

2017-07-06 Thread Frederik Braun
Hooray, this is great news!


On 06.07.2017 16:07, Alex Gaynor wrote:
> Hi dev-platform,
> 
> On behalf of the Runtime Content Isolation (aka sandboxing) team, I'm
> delighted to announce that starting later this week, our macOS and Windows
> nightly builds will prohibit read access to most of the filesystem in the
> content process!
> 
> What does this mean for you? First and foremost, a more secure browser!
> Second, it means that if you see bugs, please report them, our goal is to
> put this on the trains for 56! If you run into anything, please file it as
> a blocker for https://bugzilla.mozilla.org/show_bug.cgi?id=1377522 .
> 
> Finally, it means that in code you're writing, you should not expect to be
> able to read from the filesystem in the content process -- with the
> exception of inside the .app bundle, or in the chrome/ subdirectory of the
> profile directory.
> 
> If you need access to a file in content, you should plan on remoting that
> to the parent process. When designing these APIs, please be careful to
> ensure the parent process is able to perform appropriate permissions checks
> such that the IPC mechanism isn't able to bypass the sandbox's goal of
> preventing a malicious content process from accessing the entire file
> system.
> 
> This represents the culmination of a lot of work by a lot of folks, both on
> our team and on many other teams who helped out with refactoring their code
> -- thank you!
> 
> We're looking forward to also shipping this for Linux soon.
> 
> Cheers,
> Alex
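Two points from the thread fit together in one small program: Alex's design rule (remote file access to the parent, and have the parent do the permission check so the IPC channel cannot become a sandbox bypass) and Haik's answer that reading from a file descriptor the parent opened keeps working. The broker below is an added example, not Firefox's IPC code or anything posted in the thread. The socketpair transport with SCM_RIGHTS fd passing, the allow-list of roots (standing in for the chrome/ profile subdirectory Alex and Bob mention), the one-path-per-message wire format and every function name are my assumptions for illustration; `socket.send_fds`/`recv_fds` need Python 3.9+ on a Unix platform.

```python
"""Added example, not Firefox code: a minimal file "broker" in the pattern the
announcement asks for. The content side cannot open paths itself, so it sends
the path to the parent over IPC; the parent applies the policy check, opens the
file, and passes back only a file descriptor, which the content side then
reads (the case Haik confirms keeps working under the sandbox).

Everything here is an assumption for illustration: the allow-list roots, the
one-path-per-message wire format, the function names, and the use of a Unix
socketpair with SCM_RIGHTS fd passing (socket.send_fds/recv_fds, Python 3.9+,
Unix only).
"""
import os
import socket
import tempfile
from typing import Iterable, Optional


def authorize_open(requested: str, allowed_roots: Iterable[str]) -> Optional[str]:
    """Parent-side policy: return the canonical path if it lies inside one of
    the allowed roots, else None. realpath() resolves '..' and symlinks first,
    so a link placed inside an allowed directory cannot point the parent at a
    file outside it; commonpath() avoids the prefix trick where
    '/opt/firefox-other' would string-match the root '/opt/firefox'."""
    real = os.path.realpath(requested)
    for root in allowed_roots:
        root_real = os.path.realpath(root)
        if os.path.commonpath([root_real, real]) == root_real:
            return real
    return None


def parent_serve_one(sock: socket.socket, allowed_roots: Iterable[str]) -> bool:
    """Parent side: read one request, reply b"OK" with the fd attached, or
    b"DENIED" with no fd. The content process never gets to open a path on
    its own, only a descriptor the parent has already vetted."""
    path = sock.recv(4096).decode("utf-8", errors="replace")
    resolved = authorize_open(path, allowed_roots)
    if resolved is None:
        sock.sendall(b"DENIED")
        return False
    fd = os.open(resolved, os.O_RDONLY)
    try:
        socket.send_fds(sock, [b"OK"], [fd])
    finally:
        os.close(fd)  # the receiver gets its own duplicate; drop ours
    return True


def content_request(sock: socket.socket, path: str) -> None:
    """Content side, step 1: ask the parent for the file."""
    sock.sendall(path.encode("utf-8"))


def content_receive(sock: socket.socket) -> Optional[bytes]:
    """Content side, step 2: if granted, read through the passed fd."""
    msg, fds, _flags, _addr = socket.recv_fds(sock, 16, 1)
    if msg != b"OK" or not fds:
        return None
    with os.fdopen(fds[0], "rb") as f:
        return f.read()


def demo() -> dict:
    """Exercise the broker with constructed files: one inside the allowed
    chrome/ directory, one outside it, a symlink that escapes, and a '..'
    path. Only the first should be readable from the content side."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        chrome_dir = os.path.join(tmp, "profile", "chrome")
        os.makedirs(chrome_dir)
        allowed = os.path.join(chrome_dir, "userChrome.css")
        secret = os.path.join(tmp, "secret.txt")
        with open(allowed, "w") as f:
            f.write("/* constructed sample */")
        with open(secret, "w") as f:
            f.write("not for content")
        escape = os.path.join(chrome_dir, "escape")
        os.symlink(secret, escape)
        cases = {
            "allowed": allowed,
            "outside": secret,
            "symlink": escape,
            "traversal": os.path.join(chrome_dir, "..", "..", "secret.txt"),
        }
        for label, path in cases.items():
            parent, content = socket.socketpair()
            try:
                content_request(content, path)        # IPC: content -> parent
                parent_serve_one(parent, [chrome_dir])
                results[label] = content_receive(content)
            finally:
                parent.close()
                content.close()
    return results


if __name__ == "__main__":
    for label, data in demo().items():
        print(f"{label:10s} -> {'DENIED' if data is None else data!r}")
```

The check lives entirely in the parent, which is the property Alex asks for: a content process that sends a crafted path gets a denial, not a file, and the descriptor it does receive is already bound to the one vetted file. Running the block prints `allowed` with the sample contents and `DENIED` for the other three cases. On Windows the same shape applies with handle duplication into the target process in place of SCM_RIGHTS.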