
Issue 738129 link


Issue metadata

Status: Fixed
Owner:
Closed: Oct 2
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug

Blocked on:
issue 707375




Sandbox policy on OS X may allow reading MAC addresses

Reported by jeda...@mozilla.com, Jun 29 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:56.0) Gecko/20100101 Firefox/56.0

Steps to reproduce the problem:
I haven't tested this yet, but I think an attacker with control over a sandboxed renderer on OS X can get MAC addresses via getifaddrs() or equivalent.

What is the expected behavior?
The sandbox would hide personally identifying network addresses if possible.  For example, the Linux sandbox unshares the network namespace, so from its point of view the physical network interfaces don't exist.

What went wrong?
https://crbug.com/11325 added (allow sysctl-read), which allows all sysctls, including the one used by getifaddrs().  Even if this doesn't expose MAC addresses directly, there are also non-privacy-enabled IPv6 addresses which encode it.

Did this work before? No

Chrome version: 59.0.3071.109  Channel: n/a
OS Version: OS X 10.10
Flash Version: 

This is also described in https://bugzilla.mozilla.org/show_bug.cgi?id=1376976, which was briefly public before being restricted.  (Firefox sandboxing isn't yet at a point where something this minor would normally be considered security-sensitive for us.)

Newer versions of OS X allow forms like (allow sysctl-read (sysctl-name "hw.physicalcpu_max")) but this might not be present on older versions.
 
Components: Internals>Sandbox
Seems more like a minor privacy issue rather than a security issue, but interesting to determine if this could be blocked.

Comment 2 by rsesek@chromium.org, Jun 30 2017

Blockedon: 707375
Owner: kerrnel@chromium.org
Status: Assigned (was: Unconfirmed)
This will be fixed by our v2 Mac sandbox.
Labels: -Type-Bug-Security Type-Bug
Change bug type to "Bug".

Comment 4 by bugdroid1@chromium.org, Jul 24 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9e96523ae3dee27d2af4d48fbfcc12881aa8e721

commit 9e96523ae3dee27d2af4d48fbfcc12881aa8e721
Author: Greg Kerr <kerrnel@chromium.org>
Date: Mon Jul 24 22:44:22 2017

Unit test the real V2 sandbox profile.

This unit tests the real V2 sandbox profile for certain resource access
that should be banned, and also allows the bots to verify the profile
against all macOS versions.

Bug: 738129, 689306, 37285
Change-Id: I775104464225a1521e37b1e7abce9be2b8f355cb
Reviewed-on: https://chromium-review.googlesource.com/576157
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: Mark Mentovai <mark@chromium.org>
Commit-Queue: Greg Kerr <kerrnel@chromium.org>
Cr-Commit-Position: refs/heads/master@{#489111}
[add] https://crrev.com/9e96523ae3dee27d2af4d48fbfcc12881aa8e721/content/renderer/sandbox_mac_v2_unittest.mm
[modify] https://crrev.com/9e96523ae3dee27d2af4d48fbfcc12881aa8e721/content/test/BUILD.gn
[modify] https://crrev.com/9e96523ae3dee27d2af4d48fbfcc12881aa8e721/sandbox/mac/sandbox_mac_compiler_v2_unittest.mm

Status: Fixed (was: Assigned)
The V2 sandbox shipped, so this is fixed.

Comment 6 by sheriffbot@chromium.org, Oct 3

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 7 by sheriffbot@chromium.org, Jan 9

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
