Overview

Security Sandboxing makes use of child processes as a security boundary. The process model, i.e. how Firefox is split into various processes and how these processes interact between each other is common to all platforms. For more information see the Electrolysis wiki page. The security aspects of a sandboxed child process are implemented on a per-platform basis. See the Platform Specifics section below for more information.

Technical Docs

• Platform Specifics
• File Restrictions Bug Research
• OSX Filter Rule Set
• Hardening Research
• Process Model

Current Status

Sandbox	Trunk		Beta		Release
	Level		Level	Version	Level	Version
Windows (content)	Level 4		Level 3	Fx56	Level 3	Fx56
Windows (compositor)	Level 0 [1]
Windows (GMP)	enabled		enabled		enabled
Windows 64bit (NPAPI Plugin)	enabled		enabled		enabled
OSX (content)	Level 3		Level 3	Fx56	Level 3	Fx56
OSX (GMP)	enabled		enabled		enabled
OSX (Flash NPAPI)	disabled		disabled		disabled
Linux (content)	Level 3		Level 3	Fx57	Level 3	Fx57
Linux (GMP)	enabled		enabled		enabled

A 'level' value reflects unique sandbox security settings for each platform and process. Most processes only have two "active" levels, the current setting and a lower (previous released) setting. Level settings other than these two values carry no guarantee of altering security behavior, level settings are primarily a release rollout debugging feature.

DEPRECATION WARNING - The current level system will be replaced by a configuration system that allows for more fine grain control over sandbox settings.

[1] Level 1 available but disabled due to various regressions, see bug 1347710

Windows

Content

Sandbox security related setting are grouped together and associated with a security level. Lower level values indicate a less restrictive sandbox.

Sandbox Feature	Level 0	Level 1	Level 2
Job Level	JOB_NONE	JOB_NONE	JOB_INTERACTIVE
Access Token Level	USER_NON_ADMIN	USER_NON_ADMIN	USER_INTERACTIVE
Alternate Desktop	no	no	no
Alternate Windows Station	no	no	no
Initial Integrity Level	INTEGRITY_LEVEL_MEDIUM	INTEGRITY_LEVEL_LOW	INTEGRITY_LEVEL_LOW
Delayed Integrity Level	INTEGRITY_LEVEL_MEDIUM	INTEGRITY_LEVEL_LOW	INTEGRITY_LEVEL_LOW
Mitigations	None	MITIGATION_BOTTOM_UP_ASLR MITIGATION_HEAP_TERMINATE MITIGATION_SEHOP MITIGATION_DEP_NO_ATL_THUNK MITIGATION_DEP	MITIGATION_BOTTOM_UP_ASLR MITIGATION_HEAP_TERMINATE MITIGATION_SEHOP MITIGATION_DEP_NO_ATL_THUNK MITIGATION_DEP
Delayed Mitigations	None	MITIGATION_STRICT_HANDLE_CHECKS MITIGATION_DLL_SEARCH_ORDER	MITIGATION_STRICT_HANDLE_CHECKS MITIGATION_DLL_SEARCH_ORDER

Sandbox Feature	Level 3	Level 4
Job Level	JOB_RESTRICTED	JOB_LOCKDOWN
Access Token Level	USER_LIMITED	USER_LIMITED
Alternate Desktop	no	YES
Alternate Windows Station	no	no
Initial Integrity Level	INTEGRITY_LEVEL_LOW	INTEGRITY_LEVEL_LOW
Delayed Integrity Level	INTEGRITY_LEVEL_LOW	INTEGRITY_LEVEL_LOW
Mitigations	MITIGATION_BOTTOM_UP_ASLR MITIGATION_HEAP_TERMINATE MITIGATION_SEHOP MITIGATION_DEP_NO_ATL_THUNK MITIGATION_DEP MITIGATION_EXTENSION_POINT_DISABLE	MITIGATION_BOTTOM_UP_ASLR MITIGATION_HEAP_TERMINATE MITIGATION_SEHOP MITIGATION_DEP_NO_ATL_THUNK MITIGATION_DEP MITIGATION_EXTENSION_POINT_DISABLE MITIGATION_IMAGE_LOAD_NO_REMOTE MITIGATION_IMAGE_LOAD_NO_LOW_LABEL
Delayed Mitigations	MITIGATION_STRICT_HANDLE_CHECKS MITIGATION_DLL_SEARCH_ORDER	MITIGATION_STRICT_HANDLE_CHECKS MITIGATION_DLL_SEARCH_ORDER

Windows Feature Header

Gecko Media Plugin

Sandbox Feature	Level
Job Level	JOB_LOCKDOWN
Access Token Level	USER_LOCKDOWN, USER_RESTRICTED[1]
Initial Integrity Level	INTEGRITY_LEVEL_LOW
Delayed Integrity Level	INTEGRITY_LEVEL_UNTRUSTED
Alternate desktop	yes
Mitigations	MITIGATION_BOTTOM_UP_ASLR MITIGATION_HEAP_TERMINATE MITIGATION_SEHOP MITIGATION_DEP_NO_ATL_THUNK MITIGATION_DEP
Delayed Mitigations	MITIGATION_STRICT_HANDLE_CHECKS MITIGATION_DLL_SEARCH_ORDER

[1] depends on the media plugin

64-bit Plugin

Sandbox Feature	Level
Job Level	JOB_UNPROTECTED
Access Token Level	USER_INTERACTIVE
Initial Integrity Level	INTEGRITY_LEVEL_LOW
Delayed Integrity Level	INTEGRITY_LEVEL_LOW
Alternate desktop	no
Mitigations	MITIGATION_BOTTOM_UP_ASLR MITIGATION_HEAP_TERMINATE MITIGATION_SEHOP MITIGATION_DEP_NO_ATL_THUNK MITIGATION_DEP
Delayed Mitigations

• Firefox/win64 Wiki Page
• Release Announcement
• Windows 64-bit builds

OSX

Content Levels

Level	What's Blocked by the Sandbox?
Level 1 [1]	write access to most of the filesystem inbound/outbound network I/O exec, fork printing
Level 2	write access to most of the filesystem inbound/outbound network I/O exec, fork printing read access to the profile directory (apart from the chrome and extensions subdirectories) read access to ~/Library
Level 3	write access to all of the filesystem read access to most of the filesystem read access to the profile directory (apart from the chrome and extensions subdirectories) read access to the home directory inbound/outbound network I/O exec, fork printing access to most system services

Note that the macOS sandbox is whitelist based, not blacklist, so this section is effectively the inverse of what we allow.

[1] Level 1 restrictions are a subset of level 2. Level 2 restrictions are a subset of level 3.

Gecko Media Plugins

Filter rules

NPAPI Flash Process

Enabled in Firefox starting with build 62. The Mac Flash sandbox is enabled at level 1. Some features are affected by the Sandbox and those are documented in "Changes affecting Adobe Flash on Firefox for Mac" on support.mozilla.org.

Level (dom.ipc.plugins.sandbox-level.flash)	What's Blocked by the Sandbox?
Level 1	write access to most of the filesystem exec, fork
Level 2	write access to most of the filesystem read access to most of the filesystem (with some read access allowed, triggered by Flash file dialog activity, however this does not work reliably) exec, fork printing
Level 3	write access to most of the filesystem read access to most of the filesystem (without any support for file dialogs) exec, fork printing

Linux

Content Levels

Job Level	What's Blocked by the Sandbox?
Level 1	Many syscalls, including process creation
Level 2	Many syscalls, including process creation Write access to the filesystem Excludes shared memory, tempdir, video hardware
Level 3	Many syscalls, including process creation Write access to the filesystem Excludes shared memory, tempdir, video hardware Read access to most of the filesystem Excludes themes/GTK configuration, fonts, shared data and libraries

Content Rules

Filter ruleset

Filesystem access policy

Gecko Media Plugin

Filter ruleset

Customization Settings

The Linux sandbox allows some amount of control over the sandbox policy through various about:config settings. These are meant to allow more non-standard configurations and exotic distributions to stay working - without compiling custom versions of Firefox - even if they can't be directly supported by the default configuration.

See Activity Logging for information on how to debug these scenarios.

security.sandbox.content.level

• See Content Levels above. Reducing this can help identify sandboxing as the cause of a problem, but you're better of trying the more fine grained permissions below.

security.sandbox.content.read_path_whitelist
security.sandbox.content.write_path_whitelist

• Comma-separated list of additional paths that the content process is allowed to read from or write to, respectively. To allow access to an entire directory tree (rather than just the directory itself), include a trailing / character.

security.sandbox.content.syscall_whitelist

• Comma-seperated list of additional system call numbers that should be allowed in the content process. These affect the seccomp-bpf filter.

Preferences

Process Type	Preference Type	Preference
Content	numerical	security.sandbox.content.level
Windows NPAPI Plugin	numerical	dom.ipc.plugins.sandbox-level.default dom.ipc.plugins.sandbox-level.<plugintype>
OS X NPAPI Plugin	numerical	dom.ipc.plugins.sandbox-level.default dom.ipc.plugins.sandbox-level.flash
Compositor	numerical	security.sandbox.gpu.level
Media	Embedded	N/A

Note - Levels greater than the current default for a particular process type are not implemented.

File System Restrictions

Sandboxing enforces file system write and read restrictions for XUL based add-on content (frame and process) scripts. To avoid issues as sandboxing features roll out add-on authors should update their legacy add-on code today such that content scripts no longer attempt to read or write from restricted locations. Note these restrictions do not affect WebExtension content script or XUL add-on script running in the browser process.

File system access rules for content processes, reverse precedence:

Location	Access Type	Restriction
file system	read/write	deny by default
install location	write	deny
install location	read	allow
system library locations	write	deny
system library locations	read	allow
profile/*	read/write	deny by default
profile/extensions	write	deny
profile/extensions	read	allow

Debugging Features

Activity Logging

The following prefs control sandbox logging. On Windows, output is sent to the Browser Console when available, and to a developer console attached to the running browser process. On OSX, once enabled, violation log entries are visible in the Console.app (/Applications/Utilities/Console.app). On Linux, once enabled, violation log entries are logged on the command line console.

security.sandbox.logging.enabled (boolean)

security.sandbox.windows.log.stackTraceDepth (integer, Windows specific)

The following environment variables also triggers sandbox logging output:

MOZ_SANDBOX_LOGGING=1

OSX Specific Sandbox Logging

On Mac, sandbox violation logging is disabled by default. To enable logging,

1. Launch the OS X Console app (/Applications/Utilities/Console.app) and filter on "plugin-container".
2. Either set the pref security.sandbox.logging.enabled=true and restart the browser OR launch the browser with the MOZ_SANDBOX_LOGGING environment variable set. Just setting the environment variable MOZ_SANDBOX_MAC_FLASH_LOGGING enables logging only for the OS X NPAPI Flash Plugin sandbox when it is enabled.

• If Console.app is not already running at the time of the sandbox violation, the violation is not reliably logged.
• As of build 56, where filesystem read access restrictions were tightened, running Firefox always triggers sandbox violations and these will be logged. For example, plugin-container attempts to access /Applications and /Users (bug 1378968). We want to address these when possible, but some violations are complicated to avoid or are triggered by OS X library code that can't be avoided yet.

Linux specific Sandbox Logging

The following environment variable triggers extra sandbox debugging output:

MOZ_SANDBOX_LOGGING=1

Environment variables

ENVIRONMENT VARIABLE	DESCRIPTION	PLATFORM
MOZ_DISABLE_CONTENT_SANDBOX	Disables content process sandboxing for debugging purposes.	All
MOZ_DISABLE_GMP_SANDBOX	Disable media plugin sandbox for debugging purposes	All
MOZ_DISABLE_NPAPI_SANDBOX	Disable 64-bit NPAPI process sandbox	Windows and Mac
MOZ_DISABLE_GPU_SANDBOX	Disable GPU process sandbox	Windows

Setting a custom environment in Windows

1) Close Firefox
2) Browser to the location of your Firefox install using Explorer
3) Shift + Right-click in the folder window where firefox.exe is located, select "Open command window here"
4) Add the environment variable(s) you wish to set to your command window -

set MOZ_DISABLE_NPAPI_SANDBOX=1(return)

5) enter firefox.exe and press enter to launch Firefox with your custom environment

Local Build Options

To disable building the sandbox completely build with this in your mozconfig:

ac_add_options --disable-sandbox

To disable just the content sandbox parts:

ac_add_options --disable-content-sandbox

Bug Lists

Priorities

• P1
• P2
• P3

Security/Process Sandboxing Lists

• Full bug list
• No priority set
• Metas

Triage Lists

• Sandboxing Triage List: https://is.gd/ghRoW8
  • Lists sandboxing component bugs that are not tracked by a milestone
  • Ignores previously triaged into either sb- or sb+
  • Ignores meta bugs and bugs with needinfos
• Global Triage List
  • Lists any bug in the database with sb?
  • Ignores bugs with needinfos
• sb+ triage list
  • Previously triaged bugs that have no milestone and no priority set
• sb? needinfos: http://is.gd/dnSyBs
• webrtc specific sandboxing bugs: https://is.gd/c5bAe6
  • sb tracking + 'webrtc'

Communication

Weekly Team Meeting	Thursday at 8:00am PT Vidyo: "PlatInt" room Invitation: Contact Jim Mathies to get added to the meeting invite list. Meeting Notes Archive
IRC	Server: irc.mozilla.org Channel: #boxing
Newsgroup/Mailing List	[email protected]

People

Engineering Management	Jim Mathies (jimm)
Project Management	TBD
QA	Tracy Walker (Quality Assurance Lead)
Development Team	Haik Aftandilian (haik) Jed Davis (jld) Alex Gaynor (Alex_Gaynor) Bob Owen (bobowen) David Parks (handyman) Stephen Pohl (spohl) Gian-Carlo Pascutto (gcp)

Repo Module Ownership

• Cross platform
• Windows
• OSX
• Linux/B2G

Links

• Electrolysis Wiki Page (lot of additional resource links)
• Chromium Sandbox
• Apple's Sandbox guide
• "Introducing Chrome's next-generation Linux sandbox" (seccomp-bpf related)
• Native Client on Wikipedia (Links to papers on Native Client's design and use of SFI, as well as papers on SFI itself.)
• Features of Protected Mode in Internet Explorer

Research

• Ian's Internal Research page (2012)

B2G Archive

• Firefox OS System Security page on MDN
• Sandboxing on b2g overview
• seccomp b2g filter perf data

B2G has always been “sandboxed” to some extent; every app/tab gets its own content process, which uses the Android security model: a separate uid per process, no group memberships, and kernel patches that require group membership for things like network access. But privilege escalation via kernel vulnerabilities is relatively common, so we also use the seccomp-bpf system call filter to reduce the attack surface that a compromised content process can directly access.

Older

• Old Meeting Notes