Closed Bug 1445664 Opened 7 years ago Closed 7 years ago

firefox.js comments are outdated

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla61

Tracking Flags:

Tracking

Status

firefox61

---

fixed

People

(Reporter: gcp, Assigned: gcp)

Details

Attachments

(1 file)

Bug 1445664 - Update firefox.js comments about Linux sandboxing. 7 years ago Gian-Carlo Pascutto [:gcp] 59 bytes, text/x-review-board-request	jld : review+	Details

Gian-Carlo Pascutto [:gcp]

Assignee

Description

•

7 years ago

The comments about sandboxing in firefox.js are rather outdated, we should update that.

Jim Mathies [:jimm]

Updated

•

7 years ago

Priority: -- → P3

Comment hidden (mozreview-request)

Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧

Comment 2

•

7 years ago

mozreview-review

Comment on attachment 8959185 [details] Bug 1445664 - Update firefox.js comments about Linux sandboxing. https://reviewboard.mozilla.org/r/228064/#review233998 Thanks for fixing this. ::: browser/app/profile/firefox.js:1097 (Diff revision 1) > // its Windows/Mac counterpart, but on Linux it's an integer which means: > // 0 -> "no sandbox" > // 1 -> "content sandbox using seccomp-bpf when available" > // 2 -> "seccomp-bpf + write file broker" > // 3 -> "seccomp-bpf + read/write file brokering" > -// 4 -> all of the above + network/socket restrictions > +// 4 -> all of the above + network/socket/ipc restrictions + chroot SysV IPC is restricted at level 1 (if we don't detect something that needs it), not 4. It's one of the few things PulseAudio *doesn't* use (but ALSA does).

Attachment #8959185 - Flags: review?(jld) → review+

Gian-Carlo Pascutto [:gcp]

Assignee

Comment 3

•

7 years ago

>SysV IPC is restricted at level 1 (if we don't detect something that needs it), not 4 I was thinking of IPC namespaces when I wrote this. SysV IPC calls fall under "seccomp-bpf".

Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧

Comment 4

•

7 years ago

(In reply to Gian-Carlo Pascutto [:gcp] from comment #3) > >SysV IPC is restricted at level 1 (if we don't detect something that needs it), not 4 > > I was thinking of IPC namespaces when I wrote this. SysV IPC calls fall > under "seccomp-bpf". CLONE_NEWIPC is also set at level 1.

Comment hidden (mozreview-request)

Pulsebot

Comment 7

•

7 years ago

Pushed by gpascutto@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1226c13b7722 Update firefox.js comments about Linux sandboxing. r=jld

Andrei Ciure[:aciure]

Comment 8

•

7 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/1226c13b7722

Status: NEW → RESOLVED

Closed: 7 years ago

status-firefox61: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla61

Sylvestre Ledru [:Sylvestre]

Updated

•

7 years ago

Assignee: nobody → gpascutto

You need to log in before you can comment on or make changes to this bug.

Bugzilla

firefox.js comments are outdated

Categories

(Core :: Security: Process Sandboxing, enhancement, P3)

Tracking

()

People

(Reporter: gcp, Assigned: gcp)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Comment 2

Comment 3

Comment 4

Comment 5

Comment 6

Comment 7

Comment 8

Updated

Attachment

General

Description

File Name

Content Type