bitwarden/browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser synced 2025-12-15 07:43:35 +00:00
Code Issues Releases Wiki Activity

Cleanup and add script

Browse Source
This commit is contained in:
Bernd Schoolmann
2025-08-24 05:10:52 +02:00
parent dec1c55e94
commit 022e89a3cd
4 changed files with 61 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
apps/desktop/memory_security/src/isolate.rs
View File

@@ -15,7 +15,7 @@ const RLIMIT_CORE: c_uint = 4;
const PR_SET_DUMPABLE: c_int = 4;
/// Prevents a process crash from creating a coredump on disk
pub(crate) fn disable_coredumps() -> () {
pub(crate) fn disable_coredumps() {
let rlimit = libc::rlimit {
rlim_cur: 0,
rlim_max: 0,
@@ -23,17 +23,14 @@ pub(crate) fn disable_coredumps() -> () {
if unsafe { libc::setrlimit(RLIMIT_CORE, &rlimit) } != 0 {
let e = std::io::Error::last_os_error();
eprintln!("[Process Isolation] Failed to disable core dumping: {}", e);
eprintln!("[Process Isolation] Failed to disable core dumping: {e}");
}
}
/// Prevents other process from accessing env, memory, attaching debugger
pub(crate) fn isolate_process() -> () {
pub(crate) fn isolate_process() {
if unsafe { libc::prctl(PR_SET_DUMPABLE, 0) } != 0 {
let e = std::io::Error::last_os_error();
eprintln!(
"[Process Isolation] Failed to disable memory dumping: {}",
e
);
eprintln!("[Process Isolation] Failed to disable memory dumping: {e}");
}
}

27
apps/desktop/memory_security/src/lib.rs
View File

@@ -17,26 +17,29 @@ unsafe extern "C" {
/// processes would be hooked. With this work-around all processes in the tree are hooked
#[unsafe(no_mangle)]
unsafe extern "C" fn unsetenv(name: *const c_char) -> i32 {
let name_str = std::ffi::CStr::from_ptr(name).to_str().unwrap();
let original_unsetenv: unsafe extern "C" fn(*const c_char) -> i32 =
std::mem::transmute(dlsym(libc::RTLD_NEXT, c"unsetenv".as_ptr()));
unsafe {
let name_str = std::ffi::CStr::from_ptr(name).to_str().unwrap();
let original_unsetenv: unsafe extern "C" fn(*const c_char) -> i32 =
std::mem::transmute(dlsym(libc::RTLD_NEXT, c"unsetenv".as_ptr()));
if name_str == "LD_PRELOAD" {
// This env variable is provided by the flatpak configuration
let ld_preload = std::env::var("MEMORY_SECURITY_LD_PRELOAD").unwrap_or_default();
std::env::set_var("LD_PRELOAD", ld_preload);
return 0;
if name_str == "LD_PRELOAD" {
// This env variable is provided by the flatpak configuration
let ld_preload = std::env::var("MEMORY_SECURITY_LD_PRELOAD").unwrap_or_default();
std::env::set_var("LD_PRELOAD", ld_preload);
return 0;
}
original_unsetenv(name)
}
original_unsetenv(name)
}
// Hooks the shared object being loaded into the process
#[ctor::ctor]
fn preload_init() {
let pid = unsafe { libc::getpid() };
unsafe {
println!("[memory-security] Enabling memory security for process {}", pid);
isolate::disable_memory_access();
println!("[memory-security] Enabling memory security for process {pid}");
isolate::isolate_process();
isolate::disable_coredumps();
}
}

40
apps/desktop/memory_security/test_isolation.sh Normal file
View File

@@ -0,0 +1,40 @@
#!/bin/bash
# This script tests the memory isolation status of bitwarden-desktop processes. The script will print "isolated"
# if the memory is not accessible by other processes.
CURRENT_USER=$(whoami)
# Find processes with "bitwarden" in the command
pids=$(pgrep -f bitwarden)
if [[ -z "$pids" ]]; then
echo "No bitwarden processes found."
exit 0
fi
for pid in $pids; do
# Get process info: command, PPID, RSS memory
read cmd ppid rss <<<$(ps -o comm=,ppid=,rss= -p "$pid")
# Explicitly skip if the command line does not contain "bitwarden"
if ! grep -q "bitwarden" <<<"$cmd"; then
continue
fi
# Check ownership of /proc/$pid/environ
owner=$(stat -c "%U" /proc/$pid/environ 2>/dev/null)
if [[ "$owner" == "root" ]]; then
status="isolated"
elif [[ "$owner" == "$CURRENT_USER" ]]; then
status="insecure"
else
status="unknown-owner:$owner"
fi
# Convert memory to MB
mem_mb=$((rss / 1024))
echo "PID: $pid | CMD: $cmd | Mem: ${mem_mb}MB | Owner: $owner | Status: $status"
done

3
apps/desktop/package.json
View File

@@ -34,9 +34,10 @@
"build:renderer:watch": "cross-env NODE_ENV=development webpack --config webpack.renderer.js --watch",
"electron": "node ./scripts/start.js",
"electron:ignore": "node ./scripts/start.js --ignore-certificate-errors",
"flatpak:dev": "npm run clean:dist && electron-builder --dir -p never && flatpak-builder --force-clean --install --user ../../.flatpak/ ./resources/com.bitwarden.desktop.devel.yaml && flatpak run com.bitwarden.desktop",
"clean:dist": "rimraf ./dist",
"pack:dir": "npm run clean:dist && electron-builder --dir -p never",
"pack:lin:flatpak": "npm run clean:dist && electron-builder --dir -p never && flatpak-builder --repo=build/.repo build/.flatpak ./resources/com.bitwarden.desktop.devel.yaml --install-deps-from=flathub --force-clean && flatpak build-bundle ./build/.repo/ ./dist/com.bitwarden.desktop.flatpak com.bitwarden.desktop",
"pack:lin:flatpak": "npm run clean:dist && electron-builder --dir -p never && flatpak-builder --repo=../../.flatpak-repo ../../.flatpak ./resources/com.bitwarden.desktop.devel.yaml --install-deps-from=flathub --force-clean && flatpak build-bundle ../../.flatpak-repo/ ./dist/com.bitwarden.desktop.flatpak com.bitwarden.desktop",
"pack:lin": "npm run clean:dist && electron-builder --linux --x64 -p never && export SNAP_FILE=$(realpath ./dist/bitwarden_*.snap) && unsquashfs -d ./dist/tmp-snap/ $SNAP_FILE && mkdir -p ./dist/tmp-snap/meta/polkit/ && cp ./resources/com.bitwarden.desktop.policy ./dist/tmp-snap/meta/polkit/polkit.com.bitwarden.desktop.policy && rm $SNAP_FILE && snap pack --compression=lzo ./dist/tmp-snap/ && mv ./*.snap ./dist/ && rm -rf ./dist/tmp-snap/",
"pack:lin:arm64": "npm run clean:dist && electron-builder --dir -p never && tar -czvf ./dist/bitwarden_desktop_arm64.tar.gz -C ./dist/linux-arm64-unpacked/ .",
"pack:mac": "npm run clean:dist && electron-builder --mac --universal -p never",