# Firefox: Is Seccomp enabled?

## Apheus

Hi,

Firefox has a nice "sandboxing" feature: Seccomp-BPF. According to about:support, it is enabled (scroll all the way down). The three other sandboxing features are reported as "true" too.

According to Mozilla Wiki, the status of a process can be checked in the proc filesystem. However:

```
# pgrep firefox
1327
# grep Seccomp /proc/1327/status
  41   -CapAmb: 0000000000000000
  42   :Seccomp:        0
  43   -Cpus_allowed:   f
```

Which means not enabled. What is true?

```
# zgrep SECCOMP /proc/config.gz
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
```

Kernel 4.4.39-gentoo.

```
# emerge -pv firefox

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] www-client/firefox-45.6.0::gentoo  USE="custom-cflags custom-optimization dbus ffmpeg gstreamer hardened hwaccel jemalloc3 jit pulseaudio startup-notification system-icu system-jpeg system-libevent system-sqlite -bindist -debug -gmp-autoupdate -gstreamer-0 (-neon) (-pgo) (-selinux) (-system-cairo) -system-harfbuzz -system-libvpx {-test} -wifi" L10N="de -ach -af -an -ar -as -ast -az -be -bg -bn-BD -bn-IN -br -bs -ca -cs -cy -da -el -en-GB -en-ZA -eo -es-AR -es-CL -es-ES -es-MX -et -eu -fa -fi -fr -fy -ga -gd -gl -gu -he -hi -hr -hsb -hu -hy -id -is -it -ja -kk -km -kn -ko -lt -lv -mai -mk -ml -mr -ms -nb -nl -nn -or -pa -pl -pt-BR -pt-PT -rm -ro -ru -si -sk -sl -son -sq -sr -sv -ta -te -th -tr -uk -uz -vi -xh -zh-CN -zh-TW" 0 KiB
```

----------

## Apheus

I found it: Seccomp-bpf is only relevant for the web content processes, so Electrolysis is required. Firefox needs to be compiled with the additional option "--enable-content-sandbox".

The sandbox level 0/1/2 can be changed with an integer "security.sandbox.content.level" in about:config. The value 0 means "off", 1 means "Seccomp-bpf with a larger whitelist of allowed system calls", 2 means "Seccomp-bpf with a stricter whitelist". If Seccomp-bpf is enabled, "about:support" shows an additional entry "Content process sandbox level 1|2" at the bottom.

With Firefox 52. Ebuild diff:

```
$ diff -urw /usr/portage/www-client/firefox/firefox-52.0.1-r1.ebuild /usr/local/portage/www-client/firefox/firefox-52.0.1-r1.ebuild 
--- /usr/portage/www-client/firefox/firefox-52.0.1-r1.ebuild    2017-03-21 20:45:53.000000000 +0100
+++ /usr/local/portage/www-client/firefox/firefox-52.0.1-r1.ebuild      2017-03-30 11:08:01.801089422 +0200
@@ -228,6 +228,9 @@
        echo "mk_add_options MOZ_OBJDIR=${BUILD_OBJ_DIR}" >> "${S}"/.mozconfig
        echo "mk_add_options XARGS=/usr/bin/xargs" >> "${S}"/.mozconfig
 
+       # sandbox
+       mozconfig_annotate '' --enable-content-sandbox
+
        # Finalize and report settings
        mozconfig_final
```
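Review bot: the `mozconfig_annotate '' --enable-content-sandbox` line passes an empty string as the annotation (first argument), and the option is added unconditionally; consider giving it a short reason such as `mozconfig_annotate 'content sandbox' --enable-content-sandbox` so the setting is recorded in the generated .mozconfig next to the surrounding `echo ... >> "${S}"/.mozconfig` lines, and, if this overlay ebuild is kept around, gating the line behind a USE flag so the sandbox can be switched off without editing the ebuild again.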

Checked with app-admin/checksec:

```
# checksec --proc 'Web Content'
* System-wide ASLR (kernel.randomize_va_space): Full (Setting: 2)
  Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.
  This, among other things, implies that shared libraries will be loaded to random 
  addresses. Also for PIE-linked binaries, the location of code start is randomized.
  See the kernel file 'Documentation/sysctl/kernel.txt' for more details.
* Does the CPU support NX: Yes
         COMMAND    PID RELRO           STACK CANARY            SECCOMP          NX/PaX        PIE                     FORTIFY
     Web Content  14626 Full RELRO      Canary found            Seccomp-bpf      NX enabled    PIE enabled             Yes
```

Highly experimental, I guess Mozilla has a reason to enable it only on nightly builds by default.
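The two checks in this thread (the `Seccomp:` field of `/proc/PID/status` in the first post, and the `security.sandbox.content.level` pref in the second) can be scripted so that every Firefox process is inspected rather than just the PID `pgrep` happens to print first. The script below is an added example, not something posted in the thread or shipped by Mozilla or Gentoo; it assumes a Linux `/proc` layout and a `pgrep` that supports `-f`, and the prefs.js path you pass it is your own profile's.

```shell
#!/bin/sh
# Added example (not from the thread): report the seccomp mode of every
# running Firefox process and, optionally, the content sandbox level set
# in a profile's prefs.js / user.js.
# Meaning of the Seccomp field in /proc/PID/status:
#   0 = disabled, 1 = strict mode, 2 = filter mode (seccomp-bpf)

# Map the numeric Seccomp field to a readable name.
seccomp_mode_name() {
  case "$1" in
    0) echo "disabled" ;;
    1) echo "strict" ;;
    2) echo "filter (seccomp-bpf)" ;;
    *) echo "unknown" ;;
  esac
}

# Read the text of a status file on stdin and print the Seccomp value, or
# "absent" when the kernel does not expose the field (CONFIG_SECCOMP=n).
# The exact match on "Seccomp:" avoids picking up "Seccomp_filters:".
seccomp_from_status() {
  awk '$1 == "Seccomp:" { print $2; found = 1 }
       END { if (!found) print "absent" }'
}

# Read prefs.js / user.js on stdin and print the configured
# security.sandbox.content.level, or "unset" if no such pref line exists.
# Lines look like: user_pref("security.sandbox.content.level", 2);
sandbox_level_from_prefs() {
  awk -F'[(),]' '/security\.sandbox\.content\.level/ { gsub(/[" ]/, "", $3); lvl = $3 }
                 END { print (lvl == "" ? "unset" : lvl) }'
}

# List every process whose command line matches a pattern, with its Name:
# field (the thread looks for "Web Content") and seccomp mode. A parent
# "firefox" process at 0 next to "Web Content" children at 2 is the expected
# picture when the content sandbox is on.
report_processes() {
  pattern="${1:-firefox}"
  command -v pgrep >/dev/null 2>&1 || { echo "pgrep not available" >&2; return 0; }
  for pid in $(pgrep -f "$pattern" 2>/dev/null || true); do
    status="/proc/$pid/status"
    [ -r "$status" ] || continue
    name=$(awk '$1 == "Name:" { $1 = ""; sub(/^ +/, ""); print }' "$status")
    mode=$(seccomp_from_status < "$status")
    printf '%-7s %-20s Seccomp=%s (%s)\n' \
      "$pid" "$name" "$mode" "$(seccomp_mode_name "$mode")"
  done
}

# Usage: ./seccomp-check.sh [pattern] [path/to/prefs.js]
report_processes "${1:-firefox}"
if [ -n "$2" ] && [ -r "$2" ]; then
  printf 'security.sandbox.content.level: %s\n' "$(sandbox_level_from_prefs < "$2")"
fi
```

Run it as `./seccomp-check.sh firefox ~/.mozilla/firefox/<profile>/prefs.js`; a `Seccomp=0` on the main process is normal, since only the content processes carry the filter, and an `absent` result means the running kernel was built without CONFIG_SECCOMP at all.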

----------

