firefox 54.0 fails to load pages because seccomp-bpf sandbox issue
The immediately visible effect is that loading a page results in a "Gah. Your tab just crashed." message while printing error messages to the terminal like
[Parent 22602] WARNING: pipe error (42): Connection reset by peer: file /home/buildozer/aports/testing/firefox/src/firefox-54.0/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 346
[Parent 22602] WARNING: pipe error (47): Connection reset by peer: file /home/buildozer/aports/testing/firefox/src/firefox-54.0/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 346
###!!! [Parent][MessageChannel] Error: (msgtype=0x2C0082,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
[Parent 22602] WARNING: waitpid failed pid:22646 errno:10: file /home/buildozer/aports/testing/firefox/src/firefox-54.0/ipc/chromium/src/base/process_util_posix.cc, line 276
What actually happens is that a helper process in the background installs a seccomp-bpf filter that prevents thread creation on musl, which eventually leads to a null pointer deref.
A quick workaround is disabling the sandbox by env var, or whitelisting SYS_clone in about:config by changing the key to 56 (the clone syscall number on x86_64).
Note that the Firefox sandbox code is based on the Chromium sandbox code, so similar issues may come up there too, but that has a different set of policies now.
clone fails because CLONE_DETACHED is not set in flags_modern:
musl clone flags:
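The clone() flag check described above, as an added example that is neither the report's nor Firefox's code: a C program that builds the clone rule as raw seccomp-bpf (cBPF) and evaluates it in user space with a tiny interpreter instead of installing it, so it can be run safely on any Linux box. The flag words are named after Firefox's SandboxFilter.cpp but are constructed here, and musl's pthread_create flag word (the same set plus CLONE_DETACHED) is an assumption taken from musl's source; Linux UAPI headers are required.

```c
#include <linux/filter.h>
#include <linux/sched.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>

/* Flag words named after Firefox's SandboxFilter.cpp (constructed here, not copied from it);
   FLAGS_MUSL is what musl's pthread_create passes: the same word plus CLONE_DETACHED (assumption). */
#define FLAGS_COMMON (CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_THREAD | CLONE_SYSVSEM)
#define FLAGS_MODERN (FLAGS_COMMON | CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID)
#define FLAGS_MUSL   (FLAGS_MODERN | CLONE_DETACHED)

/* User-space evaluator for the cBPF subset used below; it mimics the kernel's verdict, it is not the kernel. */
static __u32 run_filter(const struct sock_filter *p, size_t n, const struct seccomp_data *d)
{
    __u32 acc = 0, w;
    for (size_t pc = 0; pc < n; pc++) {
        switch (p[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS:   /* acc = 32-bit word at byte offset k of seccomp_data */
            memcpy(&w, (const char *)d + p[pc].k, sizeof w); acc = w; break;
        case BPF_JMP | BPF_JEQ | BPF_K:  /* relative jump; the loop's pc++ supplies the implicit +1 */
            pc += (acc == p[pc].k) ? p[pc].jt : p[pc].jf; break;
        case BPF_RET | BPF_K: return p[pc].k;
        default: return SECCOMP_RET_KILL; /* unsupported opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL;
}

/* Verdict for clone(flags) under a rule that allows clone only when arg0 equals `allowed` and traps
   otherwise; other syscalls pass to keep the example focused (a real filter checks .arch first). */
static __u32 clone_verdict(__u32 allowed, __u32 flags)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 0, 2),  /* not clone -> ALLOW */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed, 0, 1),     /* flags != allowed -> TRAP */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
    };
    struct seccomp_data d = { .nr = __NR_clone, .args = { flags } };
    return run_filter(prog, sizeof prog / sizeof prog[0], &d);
}

int main(void) { /* prints 0x7fff0000 (allow), 0x30000 (trap), 0x7fff0000: musl's word only passes once CLONE_DETACHED is allowed */
    printf("%#x %#x %#x\n", clone_verdict(FLAGS_MODERN, FLAGS_MODERN), clone_verdict(FLAGS_MODERN, FLAGS_MUSL),
           clone_verdict(FLAGS_MODERN | CLONE_DETACHED, FLAGS_MUSL));
    return 0;
}
```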
Once clone is enabled, other failures are visible:
Sandbox: seccomp sandbox violation: pid 14996, tid 15048, syscall 200, args 14996 26 0 6265608586624801 94763009463712 0.
Sandbox: seccomp sandbox violation: pid 14996, tid 14996, syscall 217, args 33 94763019661344 2048 9259542123273814144 94763019661312 18374403900871474943.
The first one is tkill (which should be allowed if tgkill is):
The second one is getdents64, which should be allowed on 64-bit archs, not just on 32-bit ones:
It seems to be unfixed upstream, so it should be reported there too.
(from redmine: issue id 7454, created on 2017-06-28, closed on 2019-05-03)
- Revision 45f1983a by Timo Teräs on 2017-07-11T08:28:25Z:
testing/firefox: improve seccomp, use pthread_setname_np ref #7454
- Revision a1d2eb58 by Natanael Copa on 2017-07-11T09:47:26Z:
main/alsa-lib: disable use of wordexp. wordexp will execute in a shell, which breaks the firefox sandbox. The use of wordexp is questionable, so we disable use of wordexp by fooling the configure script into thinking that we don't have it. ref #7454
- Revision 9e0f3ef7 by Natanael Copa on 2017-07-11T17:11:01Z:
main/alsa-lib: avoid using wordexp. The wordexp implementation will execute /bin/sh (as suggested in POSIX). This breaks the firefox sandbox. We also need to expand ~/ so that alsa uses ~/.asoundrc, so we cannot just trick the configure script into thinking that we don't have wordexp, since the fallback code would not expand anything at all. ref #7454