Closed Bug 1594656 Opened 2 years ago Closed 2 years ago

about:support shows broken information for sandboxing


(Core :: Security: Process Sandboxing, defect, P5)




Tracking Status
firefox72 --- fixed


(Reporter: gaston, Assigned: gcp)



(3 files)

Displays the string coming from but ... in a broken way, to say the least.

removing all those null bits and rebuilding the string says sandboxTypeError: Cc[';1'] is undefined

Just a cosmetic thing for a Tier3 platform, sure, but what could be improved there? There's no way for a process itself to know after the fact if it's been pledged/unveiled on OpenBSD, that kind of introspection is not available on purpose, but since we call those syscalls we can store the params used/information somewhere and display it?

That feels strange to me as shouldn't be reached on OpenBSD, unless AppConstants.platform lies for us...

Priority: -- → P5

removing all those null bits and rebuilding the string says sandboxTypeError: Cc[';1'] is undefined

Sounds like a bug with assuming unixy platforms are always using seccomp filtering, which of course only Linux is.

Oops, should have checked your link. Indeed the code is properly conditional on "linux", so it does look like AppConstants lies.

Anything using GTK widgets is identified as "linux". I don't think we want to change that as almost all the code assumes the platforms are "win", "macos", "android" or "linux". (And Android is Linux of course, but as it is not using GTK, it's not "linux" to us).

I think I want to add an AppConstant for either OpenBSD or for "platform with seccomp" so we can fix that part.

Hah, how.. unfortunate. Pretty sure lots of things depend on this hidden behaviour... so yeah maybe matching on seccomp or by sandbox type would be better.
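The failure discussed in the comments above, modelled as an added example (not code from this bug or from Firefox): gating the seccomp lookup on the platform label throws on a GTK build that has no seccomp, while gating on the capability still reports the sandbox level. The contract ID, the `hasSeccomp` flag and the object shapes are hypothetical stand-ins.

```javascript
// Constructed model; every identifier here is hypothetical, not Firefox's own.
const SECCOMP_CONTRACT = "@example.invalid/sandbox-info;1"; // placeholder contract ID

// platformLabel is derived from the widget toolkit, so a GTK build on
// OpenBSD is labelled "linux" even though it has no seccomp-bpf.
function makeBuild(platformLabel, hasSeccomp, sandboxLevel) {
  const Cc = {};
  if (hasSeccomp) {
    // The reporting service is only registered where seccomp is compiled in.
    Cc[SECCOMP_CONTRACT] = {
      getService: () => ({ hasSeccompBPF: true, hasSeccompTSync: true }),
    };
  }
  return { platform: platformLabel, hasSeccomp, sandboxLevel, Cc };
}

// Before: the platform label is treated as proof that seccomp exists.
function collectByLabel(build) {
  const data = { contentSandboxLevel: build.sandboxLevel };
  if (build.platform === "linux") {
    // Cc[...] is undefined on the OpenBSD build, so this line throws TypeError.
    const info = build.Cc[SECCOMP_CONTRACT].getService();
    data.hasSeccompBPF = info.hasSeccompBPF;
  }
  return data;
}

// After: the lookup is gated on the capability itself.
function collectByCapability(build) {
  const data = { contentSandboxLevel: build.sandboxLevel };
  if (build.hasSeccomp && build.Cc[SECCOMP_CONTRACT]) {
    const info = build.Cc[SECCOMP_CONTRACT].getService();
    data.hasSeccompBPF = info.hasSeccompBPF;
  }
  return data;
}

// Report page wrapper: an exception replaces the whole section with an error.
function report(collect, build) {
  try {
    return collect(build);
  } catch (e) {
    return { error: e.name };
  }
}

const linuxBuild = makeBuild("linux", true, 4);    // constructed sample values
const openbsdBuild = makeBuild("linux", false, 1); // GTK build without seccomp
```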

Landry, can you check if this patch resolves the issues?

Flags: needinfo?(landry)
Pushed by
Don't display seccomp-bpf info on non-Linux. r=jld,froydnj
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
Assignee: nobody → gpascutto

Finally got around to test this, and it nicely displays the sandbox level now. Thanks :gcp !

Flags: needinfo?(landry)