Page MenuHomePhabricator
Create Task
Maniphest T143336

Investigate better protection modes for electron render service (xvfb setuid)
Closed, ResolvedPublic
Actions

Description

Currently, electron is run inside xvfb, which requires setuid permissions. This makes it incompatible with firejail, which means that we don't get as much protection as we would like for this service.

Lets track options for improving on this situation, and remind ourselves to address the issue.

Headless Chrome eliminating xvfb

The Chrome folks have started work on a headless mode, which would eliminate the need for xvfb: https://phabricator.wikimedia.org/T134205
https://bugs.chromium.org/p/chromium/issues/detail?id=625577 tracks full-page screenshots

Details

SubjectRepoBranchLines +/-
PDF Render Service: Role and moduleoperations/puppetproduction+431 -0
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 Resolved JhernandezT148358 Prepare for November user research
 Resolved atgoT148359 Complete Wikilater prototype for testing
 DeclinedNoneT149627 Update Wikilater to use Electron service in production
 ResolvedNoneT148364 Complete Quickfact prototype for testing
 DeclinedNoneT149628 Update Flashcard to use Electron service in production
 Resolved JKatzWMFT150871 [EPIC] (Proposal) Replicate core OCG features and sunset OCG service
 ResolvedNoneT135643 Show tables in pdfs (#9)
 ResolvedWMDE-FischT135616 Investigate underlying issues with tables in PDF rendering
 ResolvedAddshoreT135613 [GTWL] Include hint about excluded tables when generating a PDF
 InvalidNoneT137431 Improve patch to show tables in pdfs
 InvalidNoneT137432 Add a table appendix to pdfs
 ResolvedTobi_WMDE_SWT142201 Create a mediawiki extension for browser-based rendered pdf support
 ResolvedTobi_WMDE_SWT142202 Only render single articles, and not collections or books
 Resolvedgabriel-wmdeT142204 Investigate what is needed to use browser based rendering for books
ResolvedAddshoreT145413 Request repository for browser-based rendered pdf support extension
 ResolvedTobi_WMDE_SWT146894 Replace "Printable version" with link to ElectronPdfService
 ResolvedTobi_WMDE_SWT146895 Implement SpecialPage according to mockup
 ResolvedTobi_WMDE_SWT147842 Update extension documentation on mw.org
 DeclinedNoneT149086 Implement caching for ElectronPdfService extension
 ResolvedTobi_WMDE_SWT149189 Add and enable basic browsertests
 Resolved GWickeT142226 Productize the Electron PDF render service & create a REST API end point
 Resolved mobrovacT143336 Investigate better protection modes for electron render service (xvfb setuid)
 Resolved Lea_WMDET143410 Voices from the Community about current pdf use
 ResolvedAddshoreT150326 Track numbers for Electron- vs. OCG-Rendering

Event Timeline

GWicke created this task.Aug 18 2016, 4:49 PM
Restricted Application removed a project: Patch-For-Review. · View Herald TranscriptAug 18 2016, 4:49 PM
GWicke renamed this task from Investigate better protection modes for electron render service to Investigate better protection modes for electron render service (xvfb setuid).Aug 18 2016, 4:50 PM
mobrovac changed the task status from Open to Stalled.Aug 18 2016, 4:53 PM
mobrovac removed mobrovac as the assignee of this task.
mobrovac removed a project: Service-deployment-requests.

Setting as stalled, since there is no real action on our side for the moment.

mobrovac edited parent tasks, added: T142226: Productize the Electron PDF render service & create a REST API end point; removed: T143129: New service request - PDF Render.Aug 18 2016, 4:55 PM
Gilles subscribed.Oct 13 2016, 5:00 AM

Has Electron gone through security review at least?

GWicke added a comment.Oct 13 2016, 5:57 AM

Some leads on firejail support:

GWicke triaged this task as High priority.Oct 18 2016, 2:52 PM
GWicke edited projects, added Services (next); removed Services.
dpatrick subscribed.Oct 18 2016, 6:14 PM
GWicke mentioned this in T142226: Productize the Electron PDF render service & create a REST API end point.Oct 18 2016, 7:02 PM
GWicke claimed this task.Oct 25 2016, 9:03 PM
GWicke added a comment.EditedOct 25 2016, 10:31 PM

I got the electron render service running in firejail on the pdf.services labs instance. This avoids the use of xvfb, and instead uses a dummy & unprivileged Xorg server, plus xpra for isolation. Notes:

  • apt-get install xpra firejail
  • Disable anything non-essential in /etc/xpra/xpra.conf:
#
# This is the default configuration file for Xpra
#
# You can provide default values for most command line
# options here.
# Each user can also define its own options in the file
# ~/xpra/xpra.conf which will take precedence over this file.
# Most options can also be overriden on the xpra command line.
# See "xpra -h" or the man page for details.
#
# Syntax:
# - Options which can be turned on or off will accept
#   the following values: 1, 0, true, false, yes, no
# - Options which can accept multiple values
#   may just be specified multiple times.
# - You may break a long line into multiple lines
#   by ending each line with a backslash '\'.


################################################################################
# General Options

# Enable clipboard forwarding:
clipboard = no

# Enable forwarding of notifications:
notifications = no

# Enable forwarding of system tray icons:
system-tray = no

# Forward sound output to clients:
speaker = no

# Debugging:
#debug =
#debug = keyboard,clipboard,tray

# Send ping packets more regularly (every second):
pings = no


################################################################################
# Picture Encoding

# Encodings allowed:
# (not all encodings may be available in your environment):
#encodings = h264, vp8, png, png/P, png/L, webp, rgb, jpeg, h265, vp9
#encodings = all
#encodings = rgb
encodings = all

# Default encoding
# (not all encodings may be available in your environment):
#encoding = h264
#encoding = vp8
#encoding = png
#encoding = jpeg
#encoding = rgb
#encoding = webp

# Used by the server to encode video:
# video-encoders = x264, vpx, nvenc
# video-encoders = none
# video-encoders = all
video-encoders = all

# Used by both the client and server for colourspace conversion:
# csc-modules = swscale, cython, opencl
# csc-modules = none
# csc-modules = all
csc-modules = all

# Used the client for decoding:
# video-decoders = avcodec2, vpx
# video-decoders = avcodec, vpx
# video-decoders = none
# video-decoders = all
video-decoders = all

# Use fixed quality
# (value is a percentage or "auto"):
#quality = 80
quality = auto

# For auto quality only:
#min-quality = 50
min-quality = 30

# Use fixed speed
# (value is a percentage or "auto"):
#speed = 90
speed = auto

# For auto speed only:
#min-speed = 20
min-speed = 0

# Idle delay in seconds before doing an automatic lossless refresh:
auto-refresh-delay = 0.15

# Default DPI:
dpi = 96


################################################################################
# Sound Encoding

# Codec(s) to use for forwarding speaker sound:
#speaker-codec = mp3
#speaker-codec = flac
#speaker-codec = wav
#speaker-codec = wavpack
#speaker-codec = speex
#speaker-codec = opus

# Forward sound input to server:
# microphone = yes

# Codec(s) to use for forwarding microphone sound:
#microphone-codec = mp3
#microphone-codec = flac
#microphone-codec = wav
#microphone-codec = wavpack
#microphone-codec = speex
#microphone-codec = opus


################################################################################
# Network Connection

# Enable shared memory transfers:
mmap = yes

# Use server group ownership for mmap file:
mmap-group = no

# Share session with other users:
sharing = no

# Compressors:
#compressors = all
#compressors = none
#compressors = zlib
compressors = lz4, zlib, lzo

# Default compression (0 to 9):
compression_level = 1

# Packet encoders (at least one is required):
#packet-encoders = bencode
#packet-encoders = all
packet-encoders = rencode, bencode, yaml

# Socket directory:
#socket-dir = /tmp
#socket-dir = ~/.xpra


################################################################################
# Client Options

# OpenGL accelerated rendering:
#opengl = yes
#opengl = no
opengl = no

# Client window title:
title = @title@ on @client-machine@

# Icon used by the system tray:
#tray-icon = /path/to/icon.png

# Keyboard synchronization:
keyboard-sync = yes

# Client ssh command:
#ssh = /usr/bin/ssh

# Key Shortcuts:
key-shortcut = Meta+Shift+F4:quit
key-shortcut = Meta+Shift+F8:magic_key
key-shortcut = Meta+Shift+F11:show_session_info


########################################################################
# Server Options:

# Commands to start by default
#  (may be specified more than once):
# examples:
#start-child = /usr/bin/xterm
#start-child = /usr/bin/xeyes
# Xsession can take care of initializing dbus, keyring-daemon,
# gpg-agent or whatever else might be usually started together with X
#start-child = /etc/X11/Xsession true

# Video encoders loaded by the server
# (all of them unless specified)
# examples:
#video-encoders=x264,vpx,nvenc
#video-encoders=x264

# Colourspace conversion modules loaded by the server
# (all of them unless specified)
# examples:
#csc-modules=swscale,cython,opencl
#csc-modules=swscale

# Where to send non xpra clients:
# (can be used to share the port with a web server)
#tcp-proxy = 127.0.0.1:80

# Log file:
log-file = $DISPLAY.log

# Publish sessions:
mdns = no

# Input methods
# To disable input method completely:
#input-method=none
# To keep the environment unchanged:
#input-method=keep
# Other possible options:
#input-method=IBus
#input-method=SCIM
#input-method=uim
input-method=none

# Start a pulseaudio server with each session:
pulseaudio = no

# pulseaudio server start command:
pulseaudio-command = pulseaudio --start --daemonize=false --system=false \
                --exit-idle-time=-1 -n --load=module-suspend-on-idle \
                --load=module-null-sink --load=module-native-protocol-unix \
                --log-level=2 --log-target=stderr

# Virtual display command:
# - Old Xvfb option:
# xvfb=Xvfb +extension Composite -screen 0 3840x2560x24+32 -nolisten tcp -noreset -auth $XAUTHORITY
# - With Xorg 1.12 or newer and the dummy driver:
# xvfb=/usr/bin/Xorg -dpi 96 -noreset -nolisten tcp +extension GLX +extension RANDR +extension RENDER -logfile ${HOME}/.xpra/Xorg.${DISPLAY}.log -config /etc/xpra/xorg.conf
#
# Selecting virtual X server:
xvfb=Xorg -dpi 96 -noreset -nolisten tcp +extension GLX +extension RANDR +extension RENDER -logfile ${HOME}/.xpra/Xorg.${DISPLAY}.log -config /etc/xpra/xorg.conf

# Does the xvfb command support the "-displayfd" argument?
displayfd = yes
  • From within the electron-render-service checkout, start the service via: CONCURRENCY=6 TIMEOUT=1200 RENDERER_ACCESS_KEY=secret firejail --noprofile --whitelist=/home/gwicke/electron-render-service --whitelist=/home/gwicke/.fonts.conf --x11=xpra /home/gwicke/electron-render-service/bin/electron-render-service.js
    • .fonts.conf is needed to enable anti-aliasing.
Gilles added a subscriber: MoritzMuehlenhoff.Oct 26 2016, 6:46 AM

Afaik --noprofile removes a lot of protections we usually have in place. Eg. this is the profile currently used for thumbor: https://phab.wmfusercontent.org/file/data/hckmlkhjilkrjff7gn6k/PHID-FILE-4bb4ss23mafhmkvcapd5/thumbor.profile.firejail

@MoritzMuehlenhoff might be able to provide somed advice about how firejail should be set up.

GWicke added a comment.Oct 26 2016, 2:46 PM

I added --noprofile to get around this error:

libudev: udev_monitor_new_from_netlink_fd: error getting socket: Operation not supported

This might be related to the sandbox layering discussed in https://github.com/netblue30/firejail/issues/554. Chrome provides a sandbox very similar to firejail itself, which means that firejail's chrome profile focuses on adding to this, rather than replacing it.

GWicke added a comment.EditedOct 26 2016, 3:24 PM

Looking into this some more, I followed the hints in this discussion and added netlink to the protocol line in /etc/firejail/default.profile:

protocol unix,inet,inet6,netlink

With this change, the service starts without requiring the --noprofile option.

MoritzMuehlenhoff added a comment.Oct 28 2016, 9:17 AM

FWIW, I'm currently in the process of packaging firejail 0.9.44 for jessie and trusty, there have been quite a few X11-related changes between the 0.9.40 version that was previously in the archive.

mobrovac mentioned this in T148576: Security review request: Electron render service.Nov 9 2016, 2:31 PM
mobrovac claimed this task.Nov 14 2016, 1:53 PM
mobrovac edited projects, added Services (doing); removed Services (next).

Thank you @GWicke for the awesome work-around! I am currently in the process of integrating firejail as part of T143129: New service request - PDF Render so assigning to myself.

MoritzMuehlenhoff added a comment.Nov 14 2016, 1:55 PM

Just for the record, firejail 0.9.44 is available on carbon.

gerritbot added a comment.Nov 14 2016, 4:35 PM

Change 305256 had a related patch set uploaded (by Mobrovac):
PDF Render Service: Role and module

https://gerrit.wikimedia.org/r/305256

gerritbot added a project: Patch-For-Review.Nov 14 2016, 4:35 PM
gerritbot added a comment.Nov 22 2016, 11:42 AM

Change 305256 merged by Giuseppe Lavagetto:
PDF Render Service: Role and module

https://gerrit.wikimedia.org/r/305256

mobrovac closed this task as Resolved.Nov 22 2016, 12:27 PM
mobrovac edited projects, added Services (done); removed Patch-For-Review, Services (doing).

The integration has been completed, resolving.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits