Open Bug 1405092 Opened 7 years ago Updated 2 years ago

[mac] remove GPU iokit-open rules from content process

Categories

(Core :: Security: Process Sandboxing, enhancement, P3)

Unspecified
macOS
enhancement

Tracking Status
firefox58 --- affected

People

(Reporter: Alex_Gaynor, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: sb+)

Right now the content process has direct access to the GPU via the following sandbox rules: https://dxr.mozilla.org/mozilla-central/source/security/sandbox/mac/SandboxPolicies.h?q=SandboxPolicies.h&redirect_type=direct#310-318

The (known) blockers to removing this are:
- hardware video decoding
- 2D canvas
- WebGL

These will need to be moved out of the content process - it's not yet clear whether they can move to parent safely, or if we need a GPU compositing process on macOS -- or some alternate design.
Priority: -- → P3
Whiteboard: sb+
Severity: normal → S3