Open Bug 1600189 Opened 1 year ago Updated 8 months ago

Cache linux sandbox read/write whitelists and `security.sandbox.content.force-namespace`

Categories

(Core :: Security: Process Sandboxing, task, P5)

Desktop
Linux
task

Tracking

()

Tracking Status
firefox72 --- affected

People

(Reporter: Gijs, Unassigned)

References

Details

security.sandbox.content.write_path_whitelist, security.sandbox.content.read_path_whitelist and security.sandbox.content.force-namespace are all accessed once per content process start.

We should cache these values.

The last one is easy; it's just a bool pref so we can just move it to staticprefs and have done with it (though this does make it accessible in about:config; that seems a reasonable trade-off...). It also looks like this pref has had the value false even on nightly for the past 2 years, so perhaps we don't need it anymore or it could be an ifdef?

The two other prefs are more annoying, because they're strings, and in any case they should probably be cached into the parsed (array?) data structures.

Priority: -- → P5
See Also: → 1639494

Bug 1644917 fixes the path allow lists; pref-dependent parts of the filesystem policy are now computed once and cached. (Actually once per factory object, which means at least twice because of the workaround in bug 1412090, but that will be fixed someday.)

force-namespace was intended for troubleshooting failures and maybe for manual testing, but I don't think it's ever been used; we could remove it.

Depends on: 1644917
OS: Unspecified → Linux
Hardware: Unspecified → Desktop
You need to log in before you can comment on or make changes to this bug.