Open Bug 1660102 Opened 5 years ago Updated 8 months ago

[meta] seccomp-bpf in GeckoView

Categories

(GeckoView :: General, enhancement, P2)

Unspecified
Android
enhancement

Tracking

(Not tracked)

People

(Reporter: bugzilla, Unassigned)

References

(Depends on 1 open bug)

Details

(Keywords: meta, Whiteboard: [sandboxing] [geckoview:2022q4?])

Metabug for implementing seccomp-bpf sandbox in GeckoView.

Tracking this bug for Android Fission, but it doesn't need to block Android Fission MVP.

Fission Milestone: --- → Future
Whiteboard: [fission:android:m4]
Whiteboard: [fission:android:m4] → [fission:android]

The meta keyword is there, the bug doesn't depend on other bugs and there is no activity for 12 months.
:fluffyemily, maybe it's time to close this bug?

Flags: needinfo?(etoop)
Severity: -- → N/A

Redirect a needinfo that is pending on an inactive user to the triage owner.
:amoya, since the bug has recent activity, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(etoop) → needinfo?(amoya)
Flags: needinfo?(amoya)
Priority: -- → P2
Whiteboard: [fission:android] → [sandboxing]

We may want to work on this seccomp-bpf bug in Q4 after implementing android:isolatedProcess (bug 1565196) in Q3.

Fission Milestone: Future → ---
Whiteboard: [sandboxing] → [sandboxing] [geckoview:2022q4?]

Moving isolated process bugs to the new GeckoView::Sandboxing component.

Component: General → Sandboxing
Component: Sandboxing → General

Does this strictly depend on android:isolatedProcess? If so, why?

(In reply to Jeff Muizelaar [:jrmuizel] from comment #6)

Does this strictly depend on android:isolatedProcess? If so, why?

I'm also wondering about this. On desktop, we're able to do something vaguely similar to isolatedProcess — chrooting to an empty directory and unsharing namespaces — despite still needing access to some parts of the filesystem, and seccomp-bpf is what allows this: we intercept syscalls like open and instead do socket-based IPC to the parent process, which performs operations on the child process's behalf if permitted by our policy, and this is generally transparent to the code making those syscalls. In bug 1498614 comment #1 I wondered if something similar might be helpful on Android to enable isolatedProcess; the answer to that question might be “no”, but I thought I should mention it as a possibility.

Also possibly useful to know: seccomp-bpf support in Gecko was first implemented for B2G, and there's still a certain amount of #ifdef ANDROID code lying around, which is likely somewhat bit-rotted by now, but it could be helpful if/when we try to use seccomp on regular Android.
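The mechanism described in comment #7 (a seccomp-bpf filter that lets most syscalls through, traps file-opening syscalls with SIGSYS, and hands them to a handler that brokers them to the parent) is illustrated by the following added example. It is not Gecko's sandbox code: the policy, the allowed-syscall list and the names are hypothetical, and where Gecko's SIGSYS handler does socket IPC to the parent, this stand-in simply fails the trapped call with EACCES so it runs without a parent process. It assumes Linux on x86_64 or aarch64 with kernel headers new enough to define SECCOMP_RET_KILL_PROCESS (4.14 and later). The small classic-BPF interpreter lets the policy be checked against syscall numbers without installing it in the current process; main() installs it for real.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <ucontext.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* The arch check is essential: syscall numbers differ between ABIs. */
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Two-instruction idiom: if the loaded syscall number equals nr, return act. */
#define ON_SYSCALL(nr, act) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), BPF_STMT(BPF_RET | BPF_K, (act))

/* Hypothetical policy (not Gecko's): kill on ABI mismatch, trap openat so the
 * SIGSYS handler can hand it to a broker (open would be trapped the same way
 * on ABIs that have it), allow a tiny set, kill everything else. */
static const struct sock_filter policy[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ON_SYSCALL(__NR_openat, SECCOMP_RET_TRAP),
    ON_SYSCALL(__NR_read, SECCOMP_RET_ALLOW),
    ON_SYSCALL(__NR_write, SECCOMP_RET_ALLOW),
    ON_SYSCALL(__NR_close, SECCOMP_RET_ALLOW),
    ON_SYSCALL(__NR_exit_group, SECCOMP_RET_ALLOW),
    ON_SYSCALL(__NR_rt_sigreturn, SECCOMP_RET_ALLOW),  /* needed to return from the handler */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};
#define POLICY_LEN (sizeof policy / sizeof policy[0])

/* Minimal classic-BPF interpreter for the three opcode forms the policy uses,
 * so the policy can be unit-tested without installing it in this process. */
static uint32_t evaluate_filter(const struct sock_filter *prog, size_t len,
                                const struct seccomp_data *data)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        if (ins->code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)data + ins->k, sizeof acc);
        else if (ins->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == ins->k) ? ins->jt : ins->jf;  /* target is pc + 1 + offset */
        else if (ins->code == (BPF_RET | BPF_K))
            return ins->k;
        else
            return SECCOMP_RET_KILL_PROCESS;  /* unsupported opcode: fail closed */
    }
    return SECCOMP_RET_KILL_PROCESS;  /* ran off the end; the kernel rejects such programs */
}

/* Action the policy returns for syscall nr under ABI arch (data bits masked off). */
static uint32_t decide(int nr, uint32_t arch)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return evaluate_filter(policy, POLICY_LEN, &d) & 0xffff0000U;  /* SECCOMP_RET_ACTION_FULL */
}

/* Stand-in for the broker client: Gecko's handler sends the request to the
 * parent over a socket and writes the parent's result into the return
 * register. This one just fails the trapped syscall with EACCES. */
static void sigsys_handler(int sig, siginfo_t *info, void *ctx)
{
    (void)sig; (void)info;
#if defined(__x86_64__)
    ((ucontext_t *)ctx)->uc_mcontext.gregs[REG_RAX] = -EACCES;
#elif defined(__aarch64__)
    ((ucontext_t *)ctx)->uc_mcontext.regs[0] = -EACCES;
#endif
}

/* no_new_privs must be set first so an unprivileged process may install a filter. */
static int install_filter(void)
{
    struct sigaction sa = { .sa_sigaction = sigsys_handler, .sa_flags = SA_SIGINFO };
    struct sock_fprog prog = { .len = POLICY_LEN, .filter = (struct sock_filter *)policy };
    if (sigaction(SIGSYS, &sa, NULL) != 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    if (install_filter() != 0) return 1;  /* filter not active yet, plain exit is fine */
    int fd = openat(AT_FDCWD, "/etc/hostname", O_RDONLY);  /* trapped -> SIGSYS -> EACCES */
    const char *msg = (fd < 0 && errno == EACCES) ? "openat trapped and denied\n" : "openat not intercepted\n";
    if (fd >= 0) close(fd);
    return write(STDOUT_FILENO, msg, strlen(msg)) < 0;  /* only allow-listed syscalls from here on */
}
```

After install_filter() returns, main() deliberately uses only write(2) and exit: stdio would issue syscalls (fstat, ioctl) that this policy does not allow, and the process would be killed. That is the practical cost of an allow-list policy and the reason a real sandbox's list, and its broker, are much larger than this one.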
