Closed Bug 1386019 Opened 7 years ago Closed 6 years ago

Remove PulseAudio-related content sandbox rules

Categories

(Core :: Security: Process Sandboxing, enhancement, P2)

Unspecified
Linux
enhancement

Tracking

()

RESOLVED FIXED
mozilla60
Tracking Status
firefox60 --- fixed

People

(Reporter: jld, Assigned: jld)

References

(Blocks 2 open bugs)

Details

(Whiteboard: sb+)

Attachments

(3 files)

There are a number of things in our content process sandbox policy that are allowed only because PulseAudio needs them.  Once bug 1362220 lands, we should go through and rip them all out.  Removing network/sockets access and chroot()ing content processes have their own bugs; this bug will cover everything else: system calls like fchown and umask, files like $XAUTHORITY (see bug 1384986 comment #5), and so on.
Priority: -- → P3
Whiteboard: sb+
No longer depends on: 1362220
Blocks: sb-audio
Assignee: nobody → jld
Priority: P3 → P2
Comment on attachment 8944633 [details]
Bug 1386019 - At sandbox level 4, remove syscalls used only by PulseAudio.

https://reviewboard.mozilla.org/r/214784/#review220566
Attachment #8944633 - Flags: review?(gpascutto) → review+
Comment on attachment 8944634 [details]
Bug 1386019 - Remove PulseAudio-specific sandbox broker rules when remoting audio.

https://reviewboard.mozilla.org/r/214786/#review220568
Attachment #8944634 - Flags: review?(gpascutto) → review+
Comment on attachment 8944635 [details]
Bug 1386019 - Also remove ALSA-related sandbox rules if ALSA is remoted.

https://reviewboard.mozilla.org/r/214788/#review220570
Attachment #8944635 - Flags: review?(gpascutto) → review+
Pushed by jedavis@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ff1469e83494
At sandbox level 4, remove syscalls used only by PulseAudio. r=gcp
https://hg.mozilla.org/integration/mozilla-inbound/rev/c2836d5bc6bc
Remove PulseAudio-specific sandbox broker rules when remoting audio. r=gcp
https://hg.mozilla.org/integration/mozilla-inbound/rev/af41b725ff91
Also remove ALSA-related sandbox rules if ALSA is remoted. r=gcp
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: