Open Bug 1737092 Opened 7 months ago Updated 7 months ago

Reduce the sandbox policy for non-Clearkey EME plugins

Categories

(Core :: Security: Process Sandboxing, enhancement, P3)

Unspecified
Linux
enhancement

Tracking

()

People

(Reporter: jld, Unassigned)

References

Details

The GeckoMediaPlugin sandbox policy has gained a few additions apparently needed for the use of NSS in the Clearkey CDM which aren't needed for third-party plugins like Widevine, and some of which are a little worrying with respect to privacy implications (e.g., reading /etc/ld.so.cache).

The policy should vary by plugin type to fix that, either boolean NSS-vs-not or more generally — there are some also things we added for Widevine that aren't needed elsewhere, although that's less of a security/privacy concern.

Severity: -- → S4
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.