Use AppContainer (Low Box token) to remove network access in the sandbox
Categories
(Core :: Security: Process Sandboxing, enhancement, P3)
People
(Reporter: Tom25519, Unassigned)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Steps to reproduce:
https://docs.microsoft.com/en-us/windows/win32/secauthz/appcontainer-for-legacy-applications-
The AppContainer environment is a restrictive process execution environment that can be used for legacy applications to provide resource security. An application running in an AppContainer can only access resources specifically granted to it. As a result, applications implemented in an AppContainer cannot be hacked to allow malicious actions outside of the limited assigned resources.
Expected results:
I think Firefox could use it to enhance the sandbox.
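The Microsoft description quoted above says an AppContainer process can reach only the resources its capabilities grant. The block below is an added example, not part of this bug, of Firefox or of Chromium's sandbox code: it creates an AppContainer profile and starts a child process with a Low Box token whose capability list deliberately omits the three well-known network capabilities (internetClient S-1-15-3-1, internetClientServer S-1-15-3-2, privateNetworkClientServer S-1-15-3-3), so the child cannot open a socket to any host. The Win32 calls (CreateAppContainerProfile, DeriveAppContainerSidFromAppContainerName, UpdateProcThreadAttribute with PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES, CreateProcessW) are documented APIs reached through ctypes; `app_container_sid` is an offline reimplementation of the SID derivation (SHA-256 of the lower-cased UTF-16LE name) that should be checked against the real API on a Windows host and is therefore an assumption; the container name FirefoxLowBoxDemo and the curl.exe command line are illustrative choices.

```python
# Added example: start a child in a Windows AppContainer with no network capabilities.
import ctypes
import hashlib
import struct
import sys

DWORD, WORD, HANDLE, LPWSTR = ctypes.c_uint32, ctypes.c_uint16, ctypes.c_void_p, ctypes.c_wchar_p
# Well-known capability SIDs: internetClient, internetClientServer, privateNetworkClientServer.
NETWORK_CAPABILITIES = ["S-1-15-3-1", "S-1-15-3-2", "S-1-15-3-3"]
SE_GROUP_ENABLED = 0x00000004
PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES = 0x00020009
EXTENDED_STARTUPINFO_PRESENT = 0x00080000


def app_container_sid(name):
    """Offline form of DeriveAppContainerSidFromAppContainerName (assumed algorithm:
    SHA-256 over the lower-cased UTF-16LE name, first seven little-endian DWORDs)."""
    digest = hashlib.sha256(name.lower().encode("utf-16-le")).digest()
    return "S-1-15-2-" + "-".join(str(x) for x in struct.unpack("<7I", digest[:28]))


def capabilities_for(allow_network):
    """Capability SIDs to grant; the sandbox case is the empty list, which leaves the
    Low Box token without any SID the network stack's ACLs would accept."""
    return list(NETWORK_CAPABILITIES) if allow_network else []


class SID_AND_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Sid", ctypes.c_void_p), ("Attributes", DWORD)]

class SECURITY_CAPABILITIES(ctypes.Structure):
    _fields_ = [("AppContainerSid", ctypes.c_void_p),
                ("Capabilities", ctypes.POINTER(SID_AND_ATTRIBUTES)),
                ("CapabilityCount", DWORD), ("Reserved", DWORD)]

class STARTUPINFOW(ctypes.Structure):
    _fields_ = [("cb", DWORD), ("lpReserved", LPWSTR), ("lpDesktop", LPWSTR),
                ("lpTitle", LPWSTR), ("dwX", DWORD), ("dwY", DWORD), ("dwXSize", DWORD),
                ("dwYSize", DWORD), ("dwXCountChars", DWORD), ("dwYCountChars", DWORD),
                ("dwFillAttribute", DWORD), ("dwFlags", DWORD), ("wShowWindow", WORD),
                ("cbReserved2", WORD), ("lpReserved2", ctypes.c_void_p),
                ("hStdInput", HANDLE), ("hStdOutput", HANDLE), ("hStdError", HANDLE)]

class STARTUPINFOEXW(ctypes.Structure):
    _fields_ = [("StartupInfo", STARTUPINFOW), ("lpAttributeList", ctypes.c_void_p)]

class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [("hProcess", HANDLE), ("hThread", HANDLE),
                ("dwProcessId", DWORD), ("dwThreadId", DWORD)]


def launch_in_app_container(name, command_line, allow_network=False):
    """Create (or reuse) AppContainer profile `name` and run `command_line` inside it
    with only the capabilities from capabilities_for(). Returns the child's PID."""
    if sys.platform != "win32":
        raise OSError("AppContainer launch needs Windows 8+; only the helpers above run elsewhere")
    k32, userenv, advapi = ctypes.windll.kernel32, ctypes.windll.userenv, ctypes.windll.advapi32
    sid = ctypes.c_void_p()
    # On a second run the profile already exists and creation fails: derive the SID instead.
    if userenv.CreateAppContainerProfile(name, name, name, None, 0, ctypes.byref(sid)) != 0:
        hr = userenv.DeriveAppContainerSidFromAppContainerName(name, ctypes.byref(sid))
        if hr != 0:
            raise OSError("DeriveAppContainerSidFromAppContainerName: 0x%08X" % (hr & 0xFFFFFFFF))
    cap_sids = capabilities_for(allow_network)
    caps = (SID_AND_ATTRIBUTES * max(1, len(cap_sids)))()
    for i, text in enumerate(cap_sids):
        psid = ctypes.c_void_p()
        if not advapi.ConvertStringSidToSidW(text, ctypes.byref(psid)):
            raise ctypes.WinError()
        caps[i].Sid, caps[i].Attributes = psid.value, SE_GROUP_ENABLED
    sc = SECURITY_CAPABILITIES(sid.value, ctypes.cast(caps, ctypes.POINTER(SID_AND_ATTRIBUTES)),
                               len(cap_sids), 0)
    size = ctypes.c_size_t(0)  # first call only reports the attribute list size
    k32.InitializeProcThreadAttributeList(None, 1, 0, ctypes.byref(size))
    attrs = ctypes.create_string_buffer(size.value)
    if not k32.InitializeProcThreadAttributeList(attrs, 1, 0, ctypes.byref(size)):
        raise ctypes.WinError()
    if not k32.UpdateProcThreadAttribute(attrs, 0, PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES,
                                        ctypes.byref(sc), ctypes.sizeof(sc), None, None):
        raise ctypes.WinError()
    si = STARTUPINFOEXW()
    si.StartupInfo.cb = ctypes.sizeof(si)
    si.lpAttributeList = ctypes.addressof(attrs)
    pi = PROCESS_INFORMATION()
    cmd = ctypes.create_unicode_buffer(command_line)  # CreateProcessW may write into it
    if not k32.CreateProcessW(None, cmd, None, None, False, EXTENDED_STARTUPINFO_PRESENT,
                              None, None, ctypes.byref(si), ctypes.byref(pi)):
        raise ctypes.WinError()
    k32.DeleteProcThreadAttributeList(attrs)
    return pi.dwProcessId


if __name__ == "__main__":
    # curl.exe ships with Windows 10 1803+; in the no-network container it cannot
    # connect, while the same call with allow_network=True reaches the site.
    print(launch_in_app_container("FirefoxLowBoxDemo", "curl.exe -sS https://example.com"))
```

The child still needs read access to the executable and its DLLs, which System32 grants to ALL APPLICATION PACKAGES by default; anything outside that (profile directories, named objects) must be ACLed to the container SID explicitly. Clean up a demo profile with DeleteAppContainerProfile, and confirm the restriction from the child's side by checking that the token has no S-1-15-3-1/2/3 capability (for example with `whoami /groups` run inside the container).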
Comment 1•2 years ago
The Bugbug bot thinks this bug should belong to the 'Core::Security: Process Sandboxing' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•2 years ago
I know LPAC (low privileged app container) is on our radar but I'm not 100% sure that's the same thing.
We can roadmap this but USER_LOCKDOWN/USER_RESTRICTED are probably more important.
Comment 3•2 years ago
The Chromium doc explains the nuance:
https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md#Less-Privileged-App-Container-LPAC