[Bug 269234] www/chromium: Sandboxing cleanup and basic Capsicum support for renderer processes
Date: Sun, 29 Jan 2023 19:39:28 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269234

Bug ID: 269234
Summary: www/chromium: Sandboxing cleanup and basic Capsicum support for renderer processes
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: chromium@FreeBSD.org
Reporter: sigsys@gmail.com
Assignee: chromium@FreeBSD.org
Flags: maintainer-feedback?(chromium@FreeBSD.org)

Created attachment 239789
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=239789&action=edit
Chromium port basic Capsicum support

The patchset already supports different backends for OpenBSD and FreeBSD sandboxing, but some files were still including the OpenBSD-specific headers and the preprocessor guards in the FreeBSD header were the same as the OpenBSD ones. So this patch clears that up.

And it adds rudimentary Capsicum support for the renderer processes (which IIUC should be the most important processes to sandbox). It limits the stdio FDs (important since they could be TTYs), but does not limit any other FDs. And tbh, I do not know what kind of FDs they could be passed and how dangerous their ioctls could be. But it seems to work without issues (so far) and should be better than nothing.

--
You are receiving this mail because:
You are the assignee for the bug.
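
A minimal sketch of the stdio limiting the report describes, added here as an example and not taken from attachment 239789: the rights set, the helper names `limit_stdio_fd` and `sandbox_stdio`, the `HAVE_CAPSICUM` macro and the call to `cap_enter()` are assumptions. Leaving `CAP_IOCTL` out of the rights is what blocks TTY ioctls on fds 0-2; other descriptors are left untouched, as in the report.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#include <sys/ioctl.h>
#define HAVE_CAPSICUM 1
#else
#define HAVE_CAPSICUM 0
static int cap_enter(void) { errno = ENOSYS; return -1; } /* build stub only */
#endif
/* Hypothetical helper (not from the attachment): narrow one stdio fd.
 * CAP_IOCTL is omitted, so every ioctl on it fails, TTY ioctls included. */
int limit_stdio_fd(int fd, int writable)
{
#if HAVE_CAPSICUM
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_FSTAT, CAP_EVENT, CAP_FCNTL);
    cap_rights_set(&rights, writable ? CAP_WRITE : CAP_READ);
    if (cap_rights_limit(fd, &rights) < 0)
        return errno == EBADF ? 0 : -1;  /* closed fd: nothing to limit */
    /* CAP_FCNTL alone would also allow F_SETFL; keep only F_GETFL. */
    return cap_fcntls_limit(fd, CAP_FCNTL_GETFL) < 0 ? -1 : 0;
#else
    (void)fd; (void)writable;            /* no Capsicum on this OS: fail closed */
    errno = ENOSYS;
    return -1;
#endif
}

/* Hypothetical helper: limit fds 0-2, then enter capability mode. */
int sandbox_stdio(void)
{
    if (limit_stdio_fd(STDIN_FILENO, 0) < 0 || limit_stdio_fd(STDOUT_FILENO, 1) < 0 ||
        limit_stdio_fd(STDERR_FILENO, 1) < 0)
        return -1;
    return cap_enter();
}

int main(void)
{
    if (sandbox_stdio() < 0) { perror("sandbox_stdio"); return 1; }
#if HAVE_CAPSICUM
    struct winsize ws;  /* the ioctl below should now fail with ENOTCAPABLE */
    if (ioctl(STDOUT_FILENO, TIOCGWINSZ, &ws) < 0) perror("ioctl after limit");
#endif
    puts("stdout still writable");
    return 0;
}
```

With `CAP_IOCTL` removed, `isatty()` on these descriptors also fails, because it is implemented with a terminal ioctl.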