Closed Bug 1004011 Opened 7 years ago Closed 6 years ago

Support SECCOMP_FILTER_TSYNC if available

Categories

(Core :: Security: Process Sandboxing, defect)

All
Gonk (Firefox OS)
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla43
Tracking Status
firefox43 --- fixed

People

(Reporter: jld, Assigned: jld)

References

(Blocks 1 open bug)

Details

Attachments

(1 file, 1 obsolete file)

There are Linux kernel changes that have been sent upstream (but not yet accepted) from Chromium to allow atomically applying seccomp filters to all threads in a process: https://lkml.org/lkml/2014/4/17/637

Chromium already has code to do this, intended for use on Android: http://git.chromium.org/gitweb/?p=chromium/src.git;a=commitdiff;h=8c215f5b965930c1faa004834491e4e11c6b26d8

It would be nice if we could use this where available (and, perhaps, backport the patches to our own seccomp-enabled B2G devices) instead of our current signal-based approach.
Move process sandboxing bugs to the new Bugzilla component.

(Sorry for the bugspam; filter on 3c21328c-8cfb-4819-9d88-f6e965067350.)
Component: Security → Security: Process Sandboxing
See Also: → 1176099
Assignee: nobody → jld
Depends on: 1137007
Attached patch bug1004011-tsync-hg0.diff (obsolete) — Splinter Review
WIP; tested locally on nexus5-l and Ubuntu 14.04; will r? when/if it passes Try.
The last patch made chrooting not work, which is bad.  This fixes that, does a little cleanup, and adds some more assertions.
Attachment #8644528 - Attachment is obsolete: true
Attachment #8646659 - Flags: review?(gdestuynder)
Attachment #8646659 - Flags: review?(gdestuynder) → review+
https://hg.mozilla.org/mozilla-central/rev/d9a56e97c6b1
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
See Also: → 1194841
You need to log in before you can comment on or make changes to this bug.