Closed Bug 1004011 Opened 7 years ago Closed 6 years ago
_FILTER _TSYNC if available
There are Linux kernel changes that have been sent upstream (but not yet accepted) from Chromium to allow atomically applying seccomp filters to all threads in a process: https://lkml.org/lkml/2014/4/17/637 Chromium already has code to do this, intended for use on Android: http://git.chromium.org/gitweb/?p=chromium/src.git;a=commitdiff;h=8c215f5b965930c1faa004834491e4e11c6b26d8 It would be nice if we could use this where available (and, perhaps, backport the patches to our own seccomp-enabled B2G devices) instead of our current signal-based approach.
Move process sandboxing bugs to the new Bugzilla component. (Sorry for the bugspam; filter on 3c21328c-8cfb-4819-9d88-f6e965067350.)
Component: Security → Security: Process Sandboxing
Assignee: nobody → jld
Depends on: 1137007
WIP; tested locally on nexus5-l and Ubuntu 14.04; will r? when/if it passes Try.
The last patch made chrooting not work, which is bad. This fixes that, does a little cleanup, and adds some more assertions.
Attachment #8646659 - Flags: review?(gdestuynder) → review+
You need to log in before you can comment on or make changes to this bug.